From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 29 Mar 2011 10:53:40 -0400
Subject: [refpolicy] Fwd: [PATCH] checkpolicy: add support for using last path component in type transition rules
In-Reply-To: <4D91EBAA.9020008@redhat.com>
References: <4D91EBAA.9020008@redhat.com>
Message-ID: <4D91F274.1000106@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/29/11 10:24, Daniel J Walsh wrote:
> Any idea on what you would like to call these interfaces?
>
> interface(`files_etc_named_filetrans',`
> 	gen_require(`
> 		type etc_t;
> 	')
>
> 	type_transition $1 etc_t:file $2 $3;
> ')
>
> interface(`sysnet_etc_filetrans_resolv_conf',`
> 	gen_require(`
> 		type net_conf_t;
> 	')
>
> 	files_etc_named_filetrans($1, net_conf_t, resolv.conf)
> ')
>
> sysnet_etc_filetrans_resolv_conf(unconfined_t)

I have two thoughts:

name_filetrans_pattern() and files_etc_name_filetrans()

or

nametrans_pattern() and files_etc_nametrans()

I like the second option because it's shorter, but the first option is probably the best choice as it's more precise. It also is future-proof, in case the named type_transition statement is extended to some other objects (e.g. KaiGai already feels it will be useful for databases).

> -------- Original Message --------
> Subject: [PATCH] checkpolicy: add support for using last path component in type transition rules
> Date: Mon, 28 Mar 2011 14:00:19 -0400
> From: Eric Paris
> To: selinux at tycho.nsa.gov
> CC: method at manicmethod.com, sds at tycho.nsa.gov
>
> This patch adds support for using the last path component as part of the
> information in making labeling decisions for new objects. An example
> rule looks like so:
>
> type_transition unconfined_t etc_t:file system_conf_t eric;
>
> This rule says if unconfined_t creates a file in a directory labeled
> etc_t and the last path component is "eric" (no globbing, no matching
> magic, just exact strcmp) it should be labeled system_conf_t.
>
> The kernel and policy representation does not have support for such
> rules in conditionals, and thus policy explicitly notes that fact if
> such a rule is added to a conditional.
>
> Signed-off-by: Eric Paris
> ---
[patch cut]

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
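The semantics described in the quoted patch text (exact strcmp on the last path component, no globbing, and no name-based rules inside conditionals) are easy to misread, so here is an added toy model of them in Python. This is example code written for this archive page, not code from checkpolicy, the kernel, or refpolicy; the rule text and the `ctx_bool` boolean are constructed, the types are the ones used in the thread, and the precedence modelled (a matching name-based rule wins over the plain rule for the same source/target/class, and a new file otherwise inherits its parent directory's type) is the kernel's behaviour rather than something the mail states explicitly.

```python
"""Toy model of SELinux type_transition labeling for new objects, covering
both the classic 4-field rule and the name-based 5-field rule from Eric
Paris's checkpolicy patch. Added example, not code from checkpolicy or
refpolicy; all sample policy text below is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Accepts:  type_transition <src> <tgt>:<class> <newtype>;
#       or: type_transition <src> <tgt>:<class> <newtype> <name>;
# The name may contain dots (resolv.conf) but not whitespace or ';'.
RULE_RE = re.compile(
    r"^\s*type_transition\s+(\w+)\s+(\w+):(\w+)\s+(\w+)(?:\s+([^\s;]+))?\s*;\s*$"
)


@dataclass(frozen=True)
class Rule:
    src: str
    tgt: str
    cls: str
    new: str
    name: Optional[str]  # None for the classic rule


def parse_rules(policy_text: str) -> list[Rule]:
    """Parse type_transition rules from policy text.

    Conditional blocks are tracked with a simple brace depth (assumed toy
    grammar: 'if (bool) {', '} else {' and '}' each on their own line).
    A name-based rule inside a conditional is rejected, mirroring the
    patch's statement that such rules are not supported in conditionals.
    """
    rules: list[Rule] = []
    depth = 0
    for lineno, line in enumerate(policy_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("}"):
            depth -= 1
        if stripped.endswith("{"):
            depth += 1
            continue
        m = RULE_RE.match(stripped)
        if not m:
            continue  # other statements are ignored by this toy
        src, tgt, cls, new, name = m.groups()
        if name is not None and depth > 0:
            raise ValueError(
                f"line {lineno}: name-based type_transition is not allowed "
                "inside a conditional block"
            )
        rules.append(Rule(src, tgt, cls, new, name))
    return rules


def compute_type(rules: list[Rule], src: str, tgt: str, cls: str, name: str) -> str:
    """Decide the type of a new object of class `cls` named `name`, created by
    `src` in a parent labeled `tgt`. A name-based rule matches only on an
    exact, case-sensitive string comparison (no globbing); if none matches,
    the plain rule applies; if there is none, the parent's type is inherited."""
    plain: Optional[str] = None
    for r in rules:
        if (r.src, r.tgt, r.cls) != (src, tgt, cls):
            continue
        if r.name is None:
            plain = r.new
        elif r.name == name:  # exact strcmp, nothing else
            return r.new
    return plain if plain is not None else tgt


# Constructed sample policy built around the thread's example.
SAMPLE_POLICY = """
# plain rule: anything else unconfined_t creates under etc_t
type_transition unconfined_t etc_t:file etc_runtime_t;
# name-based rules from the thread
type_transition unconfined_t etc_t:file system_conf_t eric;
type_transition unconfined_t etc_t:file net_conf_t resolv.conf;
"""

# Constructed sample that the toy parser must reject.
COND_POLICY = """
if (ctx_bool) {
    type_transition unconfined_t etc_t:file system_conf_t eric;
}
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_POLICY)
    for fname in ("eric", "Eric", "resolv.conf", "resolv.conf.bak"):
        print(fname, "->", compute_type(rules, "unconfined_t", "etc_t", "file", fname))
    try:
        parse_rules(COND_POLICY)
    except ValueError as e:
        print("rejected:", e)
```

Running it shows `eric` and `resolv.conf` getting their named types, while `Eric` and `resolv.conf.bak` fall through to the plain rule because the comparison is an exact strcmp; the conditional sample is rejected at parse time.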