From: jwcart2@tycho.nsa.gov (James Carter)
Date: Tue, 24 Aug 2010 15:50:48 -0400
Subject: [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to not
have caller supply the "-"
Message-ID: <1282679448.14992.35.camel@moss-lions.epoch.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
The *_except interfaces expect the caller to call it like this:
files_read_all_dirs_except(foo_t, - bar_t)
This makes the call argument hard to deal with because it is neither a
type nor a set. Also an argument like $2 -shadow_t could either be a
set or an MLS range.
The *_except interfaces are used only by the *_except_shadow
interfaces, and the calls to the *_except_shadow interfaces never specify a
second argument.
files_manage_all_files is called only in portage.te (with no exception)
and authlogin.if.
---
policy/modules/kernel/files.if | 92 +++++++++++++++++++++++++++++--------
policy/modules/system/authlogin.if | 10 ++--
2 files changed, 79 insertions(+), 23 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 5302dac..9212dea 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',`
attribute file_type;
')
- allow $1 { file_type $2 }:dir list_dir_perms;
+ allow $1 { file_type - $2 }:dir list_dir_perms;
')
########################################
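Review bot: The rewritten set `{ file_type - $2 }` makes the second argument mandatory: an empty `$2` now expands to `{ file_type - }`, which should be rejected by the policy compiler instead of silently meaning "no exceptions" as the old `{ file_type $2 }` form did, and a caller still passing the old `-bar_t` spelling would yield `file_type - -bar_t` and likewise fail to build. That is a fail-closed outcome, but the `$2` parameter description in the interface header above the hunk (outside it) should state that the argument is required and names the types to exclude, e.g. `## Types to be excluded from the set of all file types; required.` The same applies to the files_read_all_files_except, files_read_all_symlinks_except, files_relabel_all_files_except and files_manage_all_files_except hunks below.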
@@ -714,7 +714,7 @@ interface(`files_read_all_files_except',`
attribute file_type;
')
- read_files_pattern($1, { file_type $2 }, { file_type $2 })
+ read_files_pattern($1, { file_type - $2 }, { file_type - $2 })
')
########################################
@@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',`
attribute file_type;
')
- read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
+ read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
')
########################################
@@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',`
########################################
##
+## Relabel all files on the filesystem
+##
+##
+##
+## The type of the domain perfoming this action.
+##
+##
+##
+#
+interface(`files_relabel_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type : dir list_dir_perms;
+ relabel_dirs_pattern($1, file_type, file_type)
+ relabel_files_pattern($1, file_type, file_type)
+ relabel_lnk_files_pattern($1, file_type, file_type)
+ relabel_fifo_files_pattern($1, file_type, file_type)
+ relabel_sock_files_pattern($1, file_type, file_type)
+ relabelfrom_blk_files_pattern($1, file_type, file_type)
+ relabelfrom_chr_files_pattern($1, file_type, file_type)
+
+ # satisfy the assertions:
+ seutil_relabelto_bin_policy($1)
+')
+
+########################################
+##
## Relabel all files on the filesystem, except
## the listed exceptions.
##
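Review bot: The new `files_relabel_all_files` uses `relabelfrom_blk_files_pattern` and `relabelfrom_chr_files_pattern` where every other line grants full relabel, but unlike the `_except` variant it carries no comment explaining the asymmetry; carry the existing one over above those two lines: `# this is only relabelfrom since there should be no` / `# device nodes with file types.` The parameter description also misspells the verb; it should read `## The type of the domain performing this action.` The same typo appears in the new `files_manage_all_files` interface added further down in this file.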
@@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',`
##
##
#
-interface(`files_relabel_all_files',`
+interface(`files_relabel_all_files_except',`
gen_require(`
attribute file_type;
')
- allow $1 { file_type $2 }:dir list_dir_perms;
- relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+ allow $1 { file_type - $2 }:dir list_dir_perms;
+ relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
# this is only relabelfrom since there should be no
# device nodes with file types.
- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 })
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
@@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',`
########################################
##
+## Manage all files on the filesystem.
+##
+##
+##
+## The type of the domain perfoming this action.
+##
+##
+##
+#
+interface(`files_manage_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ manage_dirs_pattern($1, file_type, file_type)
+ manage_files_pattern($1, file_type, file_type)
+ manage_lnk_files_pattern($1, file_type, file_type)
+ manage_fifo_files_pattern($1, file_type, file_type)
+ manage_sock_files_pattern($1, file_type, file_type)
+
+ # satisfy the assertions:
+ seutil_create_bin_policy($1)
+ files_manage_kernel_modules($1)
+')
+
+########################################
+##
## Manage all files on the filesystem, except
## the listed exceptions.
##
@@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',`
##
##
#
-interface(`files_manage_all_files',`
+interface(`files_manage_all_files_except',`
gen_require(`
attribute file_type;
')
- manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
- manage_files_pattern($1, { file_type $2 }, { file_type $2 })
- manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
- manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
- manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
+ manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
+ manage_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
+ manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
# satisfy the assertions:
seutil_create_bin_policy($1)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 7fddc24..c116df6 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',`
type shadow_t;
')
- files_read_all_dirs_except($1,$2 -shadow_t)
+ files_read_all_dirs_except($1, shadow_t)
')
########################################
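Review bot: After this change `$2` is no longer referenced in `auth_read_all_dirs_except_shadow` (the interface header is outside the hunk), so if the header still documents a second parameter that entry is dead and should be removed; otherwise a caller may believe additional exception types can be passed when the rule now excludes only `shadow_t`. The same holds for the other four hunks in this file: auth_read_all_files_except_shadow, auth_read_all_symlinks_except_shadow, auth_relabel_all_files_except_shadow and auth_manage_all_files_except_shadow.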
@@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',`
type shadow_t;
')
- files_read_all_files_except($1,$2 -shadow_t)
+ files_read_all_files_except($1, shadow_t)
')
########################################
@@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
type shadow_t;
')
- files_read_all_symlinks_except($1,$2 -shadow_t)
+ files_read_all_symlinks_except($1, shadow_t)
')
########################################
@@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',`
type shadow_t;
')
- files_relabel_all_files($1,$2 -shadow_t)
+ files_relabel_all_files_except($1, shadow_t)
')
########################################
@@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',`
type shadow_t;
')
- files_manage_all_files($1,$2 -shadow_t)
+ files_manage_all_files_except($1, shadow_t)
')
########################################
--
James Carter
National Security Agency