From: domg472@gmail.com (Dominick Grift)
Date: Tue, 25 Jan 2011 19:14:47 +0100
Subject: [refpolicy] [PATCH/RFC 3/19]: patch set to update the git
 reference policy
In-Reply-To: <1295978687.3051.3.camel@tesla.lan>
References: <1295829836.3862.62.camel@tesla.lan>	 <4D3D8B05.2050002@gmail.com>
	<1295978687.3051.3.camel@tesla.lan>
Message-ID: <4D3F1317.8000309@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
> Hi Dominick,
> 
> just a quick question on one of your comments...
> 
> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>  
>>>  auth_dontaudit_read_shadow(readahead_t)
>>>  
>>> +init_read_fifo_file(readahead_t)
>>>  init_use_fds(readahead_t)
>>>  init_use_script_ptys(readahead_t)
>>>  init_getattr_initctl(readahead_t)
>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>  
>>>  ########################################
>>>  ## <summary>
>>> +##      Read init fifo file.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##      <summary>
>>> +##      Domain allowed access.
>>> +##      </summary>
>>> +## </param>
>>> +#
>>> +interface(`init_read_fifo_file',`
>>> +		gen_require(`
>>> +		attribute init_t;
>>> +	')
>>> +
>>> +	read_fifo_files_pattern($1, init_t, init_t)
>>> +')
>>
>> no need to for pattern here use: allow $1 init_t:fifo_file
>> r_fifo_file_perms;
> 
> Why should we avoid the use of the pattern here ? It gives better
> readability and also it grants permission to search the parent dir.

I guess you may indeed be right here. I assume that this pipe is
somewhere in /proc in an init_t directory? If that is so then the caller
indeed needs to traverse an init_t directory to get to the pipe i guess,
and in that case the pattern makes good sense.

looking at similar examples thought, like

> interface(`init_rw_script_pipes',`
> 	gen_require(`
> 		type initrc_t;
> 	')
> 
> 	allow $1 initrc_t:fifo_file { read write };
> ')

And

> interface(`init_write_script_pipes',`
> 	gen_require(`
> 		type initrc_t;
> 	')
> 
> 	allow $1 initrc_t:fifo_file write;
> ')

It appears that searching domain_type directories is not applicable here.

Can you reproduce this (and in particular the caller searching init_t
directories?)


> 
> Regards,
> 
> Guido
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0/ExcACgkQMlxVo39jgT+5NACdHO/ZysRYMxLjU0J1+8NcWT2u
nDgAn0Q4PNYqudn97HQFxHh386VDiCeV
=HaKz
-----END PGP SIGNATURE-----