From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 29 Mar 2011 16:25:08 -0400
Subject: [refpolicy] Fwd: [PATCH] checkpolicy: add support for using last path component in type transition rules
In-Reply-To: <4D91F274.1000106@tresys.com>
References: <4D91EBAA.9020008@redhat.com> <4D91F274.1000106@tresys.com>
Message-ID: <4D924024.7020403@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/29/2011 10:53 AM, Christopher J. PeBenito wrote:
> On 03/29/11 10:24, Daniel J Walsh wrote:
>> Any idea what you would like to call these interfaces?
>>
>> interface(`files_etc_named_filetrans', `
>> 	gen_require(`
>> 		type etc_t;
>> 	')
>>
>> 	type_transition $1 etc_t:file $2 $3;
>> ')
>>
>> interface(`sysnet_etc_filetrans_resolve_conf',`
>> 	gen_require(`
>> 		type net_conf_t;
>> 	')
>>
>> 	files_etc_named_filetrans($1, net_conf_t, resolv.conf)
>> ')
>>
>> sysnet_etc_filetrans_resolv_conf(unconfined_t)
>
> I have two thoughts:
>
> name_filetrans_pattern() and files_etc_name_filetrans()
>
> or
>
> nametrans_pattern() and files_etc_nametrans()
>
>
> I like the second option because it's shorter, but the first option is
> probably the best choice as it's more precise. It also is future-proof,
> in case the named type_transition statement is extended to some other
> objects (e.g. KaiGai already feels it will be useful for databases).
>
>

Another option would be to do something like:

define(`filetrans_pattern',`
	allow $1 $2:dir rw_dir_perms;
	type_transition $1 $2:$4 $3 $5;
')

interface(`files_etc_filetrans',`
	gen_require(`
		type etc_t;
	')

	filetrans_pattern($1, etc_t, $2, $3, $4)
')

interface(`sysnet_etc_filetrans_config',`
	gen_require(`
		type net_conf_t;
	')

	files_etc_filetrans($1, net_conf_t, file, $2)
')

sysnet_etc_filetrans_config(unconfined_t, resolv.conf)
sysnet_etc_filetrans_config(NetworkManager_t)

Seems to work.
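An added example, not part of the original message or of refpolicy: a simplified Python model of m4 positional substitution that expands the two calls at the end of the message. It shows that the call without a file name falls back to an ordinary type_transition applying to every file the domain creates in etc_t directories, while the named call is limited to resolv.conf. The `expand` and `rules` helpers are hypothetical names, and the `interface()`/`gen_require()` wrappers are omitted.

```python
import re

# Macro bodies as posted in the message; the interface()/gen_require()
# wrappers are dropped because they emit no allow or type_transition rules.
MACROS = {
    "filetrans_pattern":
        "allow $1 $2:dir rw_dir_perms; type_transition $1 $2:$4 $3 $5;",
    "files_etc_filetrans":
        "filetrans_pattern($1, etc_t, $2, $3, $4)",
    "sysnet_etc_filetrans_config":
        "files_etc_filetrans($1, net_conf_t, file, $2)",
}
CALL = re.compile(r"(\w+)\(([^()]*)\)")


def expand(text):
    """Simplified model of m4: expand calls until no known macro remains."""
    def substitute(match):
        name, raw_args = match.group(1), match.group(2)
        if name not in MACROS:
            return match.group(0)
        args = [a.strip() for a in raw_args.split(",")]

        def positional(p):
            # As in m4, a positional parameter with no argument expands to "".
            index = int(p.group(1))
            return args[index - 1] if index <= len(args) else ""

        return re.sub(r"\$(\d)", positional, MACROS[name])

    previous = None
    while previous != text:
        previous, text = text, CALL.sub(substitute, text)
    return text


def rules(call):
    """Return the policy statements that one interface call expands to."""
    statements = expand(call).split(";")
    return [" ".join(s.split()) + ";" for s in statements if s.strip()]


if __name__ == "__main__":
    for call in ("sysnet_etc_filetrans_config(unconfined_t, resolv.conf)",
                 "sysnet_etc_filetrans_config(NetworkManager_t)"):
        print(call, *rules(call), sep="\n    ")
```

Both calls also emit the `allow ... etc_t:dir rw_dir_perms` rule, so a reviewer of a policy built this way should expect directory write access to accompany every use of the interface.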