From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 25 Aug 2010 09:05:27 -0400
Subject: [refpolicy] [m4-isms patch 5/6] Modify *_except interfaces to
not have caller supply the "-"
In-Reply-To: <1282679448.14992.35.camel@moss-lions.epoch.ncsc.mil>
References: <1282679448.14992.35.camel@moss-lions.epoch.ncsc.mil>
Message-ID: <4C751517.40203@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 08/24/10 15:50, James Carter wrote:
> The *_except interfaces expect the caller to call it like this:
> files_read_all_dirs_except(foo_t, - bar_t)
>
> This makes the call argument hard to deal with because it is neither a
> type nor a set. Also an argument like $2 -shadow_t could either be a
> set or an MLS range.
>
> The *_except interfaces are never used except for in the *_except_shadow
> interfaces. The calls to the *_except_shadow interfaces never specify a
> second argument.
>
> files_manage_all_files is called only in portage.te (with no exception)
> and authlogin.if.
There are two issues with this change:
1. It breaks API stability.
2. It doesn't work if you want to specify a set, e.g.
files_read_all_dirs_except(foo_t, { bar_t baz_t })
> ---
> policy/modules/kernel/files.if | 92 +++++++++++++++++++++++++++++--------
> policy/modules/system/authlogin.if | 10 ++--
> 2 files changed, 79 insertions(+), 23 deletions(-)
>
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index 5302dac..9212dea 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -689,7 +689,7 @@ interface(`files_read_all_dirs_except',`
> attribute file_type;
> ')
>
> - allow $1 { file_type $2 }:dir list_dir_perms;
> + allow $1 { file_type - $2 }:dir list_dir_perms;
> ')
>
> ########################################
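Review bot: With the `-` now generated inside the interface, a call that omits the second argument expands to `{ file_type - }`, which checkpolicy should reject as a syntax error, whereas the old form quietly expanded to `{ file_type }` and granted list access on every file_type with no exclusion at all. Failing the build is the safer outcome for an `_except` interface, but it is a behaviour change that the parameter description above this hunk (outside it) does not mention. I would state it there, e.g. `## Type to exclude. Required: the interface no longer accepts an empty exclusion.` The same applies to the two following hunks for files_read_all_files_except and files_read_all_symlinks_except.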
> @@ -714,7 +714,7 @@ interface(`files_read_all_files_except',`
> attribute file_type;
> ')
>
> - read_files_pattern($1, { file_type $2 }, { file_type $2 })
> + read_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> ')
>
> ########################################
> @@ -739,7 +739,7 @@ interface(`files_read_all_symlinks_except',`
> attribute file_type;
> ')
>
> - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> + read_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> ')
>
> ########################################
> @@ -1026,6 +1026,35 @@ interface(`files_read_all_chr_files',`
>
> ########################################
> ##
> +## Relabel all files on the filesystem
> +##
> +##
> +##
> +## The type of the domain perfoming this action.
> +##
> +##
> +##
> +#
> +interface(`files_relabel_all_files',`
> + gen_require(`
> + attribute file_type;
> + ')
> +
> + allow $1 file_type : dir list_dir_perms;
> + relabel_dirs_pattern($1, file_type, file_type)
> + relabel_files_pattern($1, file_type, file_type)
> + relabel_lnk_files_pattern($1, file_type, file_type)
> + relabel_fifo_files_pattern($1, file_type, file_type)
> + relabel_sock_files_pattern($1, file_type, file_type)
> + relabelfrom_blk_files_pattern($1, file_type, file_type)
> + relabelfrom_chr_files_pattern($1, file_type, file_type)
> +
> + # satisfy the assertions:
> + seutil_relabelto_bin_policy($1)
> +')
> +
> +########################################
> +##
> ## Relabel all files on the filesystem, except
> ## the listed exceptions.
> ##
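Review bot: The new files_relabel_all_files body grants relabelfrom only on block and character nodes at the two `relabelfrom_*_files_pattern` lines, but the reason is explained only in the `_except` variant further down (`# this is only relabelfrom since there should be no device nodes with file types.`) and was not carried over here. Copy that comment above the `relabelfrom_blk_files_pattern` line so the asymmetry with the `relabel_*` lines is not read as an omission, and so nobody later "completes" it with relabelto on device nodes. The doc block also spells `perfoming`; worth fixing while the patch is respun.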
> @@ -1042,21 +1071,21 @@ interface(`files_read_all_chr_files',`
> ##
> ##
> #
> -interface(`files_relabel_all_files',`
> +interface(`files_relabel_all_files_except',`
> gen_require(`
> attribute file_type;
> ')
>
> - allow $1 { file_type $2 }:dir list_dir_perms;
> - relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
> - relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
> - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
> - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
> + allow $1 { file_type - $2 }:dir list_dir_perms;
> + relabel_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
> + relabel_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> + relabel_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> + relabel_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> + relabel_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> # this is only relabelfrom since there should be no
> # device nodes with file types.
> - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
> - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
> + relabelfrom_blk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> + relabelfrom_chr_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>
> # satisfy the assertions:
> seutil_relabelto_bin_policy($1)
> @@ -1090,6 +1119,33 @@ interface(`files_rw_all_files',`
>
> ########################################
> ##
> +## Manage all files on the filesystem.
> +##
> +##
> +##
> +## The type of the domain perfoming this action.
> +##
> +##
> +##
> +#
> +interface(`files_manage_all_files',`
> + gen_require(`
> + attribute file_type;
> + ')
> +
> + manage_dirs_pattern($1, file_type, file_type)
> + manage_files_pattern($1, file_type, file_type)
> + manage_lnk_files_pattern($1, file_type, file_type)
> + manage_fifo_files_pattern($1, file_type, file_type)
> + manage_sock_files_pattern($1, file_type, file_type)
> +
> + # satisfy the assertions:
> + seutil_create_bin_policy($1)
> + files_manage_kernel_modules($1)
> +')
> +
> +########################################
> +##
> ## Manage all files on the filesystem, except
> ## the listed exceptions.
> ##
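Review bot: files_manage_all_files keeps its old name but the new body never references `$2`, so a caller written against the previous signature, `files_manage_all_files(foo_t, -shadow_t)`, still builds and now grants foo_t create, write and delete on shadow_t and every other file_type with no warning. The description covers the in-tree callers (portage.te and authlogin.if), but out-of-tree policy that relied on the exclusion is not visible here and would silently lose it. If the name is kept with the new meaning, a fail-closed guard at the top of the body would catch such callers at build time, e.g. `ifelse(`$2`,`',`',`refpolicyerr(`files_manage_all_files no longer takes exclusions; use files_manage_all_files_except')')` (using whatever error macro the build provides), or the new no-exception interface should get a fresh name so stale calls fail to expand.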
> @@ -1106,16 +1162,16 @@ interface(`files_rw_all_files',`
> ##
> ##
> #
> -interface(`files_manage_all_files',`
> +interface(`files_manage_all_files_except',`
> gen_require(`
> attribute file_type;
> ')
>
> - manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
> - manage_files_pattern($1, { file_type $2 }, { file_type $2 })
> - manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
> - manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
> - manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
> + manage_dirs_pattern($1, { file_type - $2 }, { file_type - $2 })
> + manage_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> + manage_lnk_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> + manage_fifo_files_pattern($1, { file_type - $2 }, { file_type - $2 })
> + manage_sock_files_pattern($1, { file_type - $2 }, { file_type - $2 })
>
> # satisfy the assertions:
> seutil_create_bin_policy($1)
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index 7fddc24..c116df6 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -1113,7 +1113,7 @@ interface(`auth_read_all_dirs_except_shadow',`
> type shadow_t;
> ')
>
> - files_read_all_dirs_except($1,$2 -shadow_t)
> + files_read_all_dirs_except($1, shadow_t)
> ')
>
> ########################################
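Review bot: The rewritten call drops `$2` entirely, so a caller of auth_read_all_dirs_except_shadow that still passes an extra exclusion in the old style gets read access to that type without any build-time notice. The description states no in-tree caller passes a second argument, but if the interface's parameter documentation above this hunk (outside it) still advertises one, it should be removed in the same patch so the widened behaviour is visible to out-of-tree policy authors; a one-line note there such as `## Additional exclusions are no longer accepted; only shadow_t is excluded.` would make the contract explicit. Note that `{ shadow_t $2 }` cannot simply be passed through, since the policy grammar does not allow subtracting a set, so the extra argument has to be rejected or documented away rather than forwarded. The same applies to the four authlogin hunks that follow, and the manage variant at the end is the one where a silently dropped exclusion matters most.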
> @@ -1139,7 +1139,7 @@ interface(`auth_read_all_files_except_shadow',`
> type shadow_t;
> ')
>
> - files_read_all_files_except($1,$2 -shadow_t)
> + files_read_all_files_except($1, shadow_t)
> ')
>
> ########################################
> @@ -1164,7 +1164,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
> type shadow_t;
> ')
>
> - files_read_all_symlinks_except($1,$2 -shadow_t)
> + files_read_all_symlinks_except($1, shadow_t)
> ')
>
> ########################################
> @@ -1190,7 +1190,7 @@ interface(`auth_relabel_all_files_except_shadow',`
> type shadow_t;
> ')
>
> - files_relabel_all_files($1,$2 -shadow_t)
> + files_relabel_all_files_except($1, shadow_t)
> ')
>
> ########################################
> @@ -1242,7 +1242,7 @@ interface(`auth_manage_all_files_except_shadow',`
> type shadow_t;
> ')
>
> - files_manage_all_files($1,$2 -shadow_t)
> + files_manage_all_files_except($1, shadow_t)
> ')
>
> ########################################
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com