From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 07 Apr 2011 09:48:56 -0400
Subject: [refpolicy] Fwd: [PATCH] checkpolicy: add support for using last path component in type transition rules
In-Reply-To: <4D924024.7020403@redhat.com>
References: <4D91EBAA.9020008@redhat.com> <4D91F274.1000106@tresys.com> <4D924024.7020403@redhat.com>
Message-ID: <4D9DC0C8.1060304@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 3/29/2011 4:25 PM, Daniel J Walsh wrote:
> On 03/29/2011 10:53 AM, Christopher J. PeBenito wrote:
>> On 03/29/11 10:24, Daniel J Walsh wrote:
>>> Any idea on how you would like to call these interfaces?
>>>
>>> interface(`files_etc_named_filetrans',`
>>> 	gen_require(`
>>> 		type etc_t;
>>> 	')
>>>
>>> 	type_transition $1 etc_t:file $2 $3;
>>> ')
>>>
>>> interface(`sysnet_etc_filetrans_resolv_conf',`
>>> 	gen_require(`
>>> 		type net_conf_t;
>>> 	')
>>>
>>> 	files_etc_named_filetrans($1, net_conf_t, resolv.conf)
>>> ')
>>>
>>> sysnet_etc_filetrans_resolv_conf(unconfined_t)
>>
>> I have two thoughts:
>>
>> name_filetrans_pattern() and files_etc_name_filetrans()
>>
>> or
>>
>> nametrans_pattern() and files_etc_nametrans()
>>
>>
>> I like the second option because it's shorter, but the first option is
>> probably the best choice as it's more precise.  It also is future-proof,
>> in case the named type_transition statement is extended to some other
>> objects (e.g. KaiGai already feels it will be useful for databases).
>>
>>
>
> Another option would be to do something like:
>
> define(`filetrans_pattern',`
> 	allow $1 $2:dir rw_dir_perms;
> 	type_transition $1 $2:$4 $3 $5;
> ')
>
> interface(`files_etc_filetrans',`
> 	gen_require(`
> 		type etc_t;
> 	')
>
> 	filetrans_pattern($1, etc_t, $2, $3, $4)
> ')
>
> interface(`sysnet_etc_filetrans_config',`
> 	gen_require(`
> 		type net_conf_t;
> 	')
>
> 	files_etc_filetrans($1, net_conf_t, file, $2)
> ')
>
> sysnet_etc_filetrans_config(unconfined_t, resolv.conf)
> sysnet_etc_filetrans_config(NetworkManager_t)
>
> Seems to work.

I like this idea.  It doesn't seem that there are any objections.  I'm checking with the CIL guys to see if it will be problematic to support this.  I don't think there will be a problem.  If not, we can move forward with this implementation.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
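For readers following the macro chain, the kernel policy that the two calls at the end of the quoted message expand to is shown below; this is an added illustration, not part of the thread. It assumes the filename argument is passed double-quoted (as checkpolicy's named type_transition syntax expects), leaves rw_dir_perms as the permission macro it is, and omits the gen_require output, which only matters in a loadable module.

```selinux
# Expansion of: sysnet_etc_filetrans_config(unconfined_t, "resolv.conf")
#   -> files_etc_filetrans(unconfined_t, net_conf_t, file, "resolv.conf")
#   -> filetrans_pattern(unconfined_t, etc_t, net_conf_t, file, "resolv.conf")
# $5 is the last path component, so only a file literally named resolv.conf
# created by unconfined_t in an etc_t directory gets net_conf_t.
allow unconfined_t etc_t:dir rw_dir_perms;
type_transition unconfined_t etc_t:file net_conf_t "resolv.conf";

# Expansion of: sysnet_etc_filetrans_config(NetworkManager_t)
#   -> filetrans_pattern(NetworkManager_t, etc_t, net_conf_t, file, )
# $5 is empty, so m4 emits the classic unnamed rule: every file that
# NetworkManager_t creates in an etc_t directory is labeled net_conf_t,
# which is a much broader transition than the named one above.
allow NetworkManager_t etc_t:dir rw_dir_perms;
type_transition NetworkManager_t etc_t:file net_conf_t;
```

After the module is loaded, `sesearch -T -s unconfined_t -t etc_t -c file` (setools) should list the named rule, which is a quick way to confirm the filename survived the macro layers intact.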