From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 08 Jul 2010 08:25:31 -0400
Subject: [refpolicy] Simplifying user content: Concept.
In-Reply-To: <4C35BB77.8050006@gmail.com>
References: <4C35BB77.8050006@gmail.com>
Message-ID: <4C35C3BB.5080708@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/08/10 07:50, Dominick Grift wrote:
> I would like your opinion on the following concept (I actually have
> this implemented in my branch).
>
> Making user content easier:
>
> 1. Three new attributes: user_home_type, user_tmp_type, user_tmpfs_type
> in the user domain. (Fedora already had user_home_type)
>
> 2. Modify userdom_user_home_content()
> - Attach user_home_type to userdom_user_home_content()
> - Make userdom_user_home_content files_poly_member()
>
> 3. Create userdom_user_tmp_content()
> - is files_tmp_file()
> - Attach user_tmp_type to userdom_user_tmp_content()
> - Make userdom_user_tmp_content() files_poly_member_tmp()
>
> 4. Modify userdom_manage_{home,tmp,tmpfs}_roles
> - allow caller (userdomain) to manage and relabel
> user_{home,tmp,tmpfs}_type
>
> 5. Replace where possible in userdomain; user_home_t, user_tmp_t,
> user_tmpfs_t declarations:
> - userdom_user_home_content(user_home_t)
> - userdom_user_tmp_content(userdomain, user_tmp_t)
> - userdom_user_tmpfs_content(user_tmpfs_t)
>
> 6. Replace all "user" tmp and tmpfs content declarations in apps and
> other modules.
>
> Impact:
>
> 1. Simply use userdom_user_tmp_content(type) instead of
> files_tmp_file(type)
> files_poly_member_tmp(domain, type)
> ubac_constrained(type)
>
> or userdom_user_home_content(type) instead of
> userdom_user_home_content(type)
> files_poly_member(type)
>
> or userdom_user_tmpfs_content(type) instead of
> files_tmpfs_file(type)
> ubac_constrained(type)
>
> 2. By attaching the declared "type" attributes to the various classes of
> user content we can simplify how users can interact with this content.
> User domains should be able to manage and relabel *any* user content
> either owned by the user or by a user app or even system server. After
> all: it's user content.
>
> 3. Since only user domains should call the
> userdom_manage_{home,tmp,tmpfs}_role templates we can allow the caller
> permission to manage and relabel user_home_types, user_tmp_types and
> user_tmpfs_types.
>
> This way we no longer have to implicitly define policy that allows users
> to interact with user content.
>
> If the user has access to the userdom_manage_{home, tmp, tmpfs}_role
> template, and if the content is declared userdom_user_{home, tmp,
> tmpfs}_content, then users can automatically fully control it.
>
> This saves a heap of policy writing.

Sounds good to me.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
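As an added illustration of the proposal in the thread above (this is not code from the thread, from Dominick's branch, or from refpolicy itself), here is how the consolidated userdom_user_tmp_content() interface and the modified userdom_manage_tmp_role() template could look in refpolicy's M4 interface style. The interface, template and attribute names, and the three calls the interface folds together, come from the thread; the parameter order of the template, the choice of manage/relabel pattern macros, and the myapp_t/myapp_tmp_t names in the usage at the end are assumptions made for this sketch.

```m4
# --- userdomain.te (sketch) -------------------------------------------
# The attribute that all user tmp content joins. Declared once in the
# user domain module so interfaces elsewhere can require it.
attribute user_tmp_type;

# --- userdomain.if (sketch) -------------------------------------------
########################################
## <summary>
##	Make the specified type user temporary content
##	(hypothetical sketch of the proposed interface).
## </summary>
## <param name="domain">
##	<summary>
##	Domain that creates the content (needed for polyinstantiation).
##	</summary>
## </param>
## <param name="type">
##	<summary>
##	Type to mark as user tmp content.
##	</summary>
## </param>
#
interface(`userdom_user_tmp_content',`
	gen_require(`
		attribute user_tmp_type;
	')

	# Joining the attribute is what lets every user domain that was
	# granted userdom_manage_tmp_role() manage and relabel this type
	# without any per-type rule being written.
	typeattribute $2 user_tmp_type;

	# The three calls the proposal says this interface replaces.
	files_tmp_file($2)
	files_poly_member_tmp($1, $2)
	ubac_constrained($2)
')

########################################
## <summary>
##	Grant a user domain full control of all user tmp content
##	(hypothetical sketch of the modified role template; the role
##	parameter is kept for the real template's signature and unused here).
## </summary>
## <param name="role"><summary>Role of the user.</summary></param>
## <param name="domain"><summary>User domain.</summary></param>
#
template(`userdom_manage_tmp_role',`
	gen_require(`
		attribute user_tmp_type;
	')

	# Manage and relabel the attribute rather than individual types:
	# any type that later joins user_tmp_type is covered automatically.
	manage_dirs_pattern($2, user_tmp_type, user_tmp_type)
	manage_files_pattern($2, user_tmp_type, user_tmp_type)
	manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
	relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
	relabel_files_pattern($2, user_tmp_type, user_tmp_type)
	relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
')

# --- myapp.te (sketch; myapp_t and myapp_tmp_t are constructed names) --
# An app module now needs a single call for its per-user tmp type.
type myapp_t;
type myapp_tmp_t;
userdom_user_tmp_content(myapp_t, myapp_tmp_t)
```

The grant in the template is deliberately broad: relabel over the whole attribute means a user domain can move any user tmp type to any other user tmp type. That is exactly the "it's user content" argument in the thread, so the thing to check when adopting the interface in an app module is that the type really is content the user should fully control, not app-private state the user's shell was meant to be kept out of; for the latter, the old per-type declarations remain the right tool.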