From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 9 Sep 2011 11:58:02 -0400 Subject: [refpolicy] This patch removes use of auth*files_except_auth_files in order to shrink size of policy. In-Reply-To: <4E57ADE0.7080908@redhat.com> References: <4E57ADE0.7080908@redhat.com> Message-ID: <4E6A378A.9090309@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/26/11 10:29, Daniel J Walsh wrote:
> diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
> index 633d2fc..8d62407 100644
> --- a/policy/modules/admin/dpkg.te
> +++ b/policy/modules/admin/dpkg.te
> @@ -140,8 +140,8 @@ storage_raw_write_fixed_disk(dpkg_t)
> # for installing kernel packages
> storage_raw_read_fixed_disk(dpkg_t)
>
> -auth_relabel_all_files_except_auth_files(dpkg_t)
> -auth_manage_all_files_except_auth_files(dpkg_t)
> +files_relabel_non_security_files(dpkg_t)
> +files_manage_non_security_files(dpkg_t)
> auth_dontaudit_read_shadow(dpkg_t)
>
> files_exec_etc_files(dpkg_t)
> @@ -286,7 +286,7 @@ term_use_all_terms(dpkg_script_t)
>
> auth_dontaudit_getattr_shadow(dpkg_script_t)
> # ideally we would not need this
> -auth_manage_all_files_except_auth_files(dpkg_script_t)
> +files_manage_non_security_files(dpkg_script_t)
>
> init_domtrans_script(dpkg_script_t)
> init_use_script_fds(dpkg_script_t)
> diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
> index 7d964bf..ba6e400 100644
> --- a/policy/modules/admin/rpm.te
> +++ b/policy/modules/admin/rpm.te
> @@ -154,8 +154,8 @@ storage_raw_read_fixed_disk(rpm_t)
>
> term_list_ptys(rpm_t)
>
> -auth_relabel_all_files_except_auth_files(rpm_t)
> -auth_manage_all_files_except_auth_files(rpm_t)
> +files_relabel_all_files(rpm_t)
> +files_manage_all_files(rpm_t)
> auth_dontaudit_read_shadow(rpm_t)
> auth_use_nsswitch(rpm_t)
>
> @@ -304,8 +304,8 @@ term_use_all_terms(rpm_script_t)
> auth_dontaudit_getattr_shadow(rpm_script_t)
> auth_use_nsswitch(rpm_script_t)
> # ideally we would not need this
> -auth_manage_all_files_except_auth_files(rpm_script_t)
> -auth_relabel_shadow(rpm_script_t)
> +files_manage_all_files(rpm_script_t)
> +files_relabel_all_files(rpm_script_t)
>
> corecmd_exec_all_executables(rpm_script_t)
>
> diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
> index ebaff2f..de6b197 100644
> --- a/policy/modules/admin/sosreport.te
> +++ b/policy/modules/admin/sosreport.te
> @@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t)
>
> # some config files do not have configfile attribute
> # sosreport needs to read various files on system
> -auth_read_all_files_except_auth_files(sosreport_t)
> +files_read_non_security_files(sosreport_t)
> auth_use_nsswitch(sosreport_t)
>
> init_domtrans_script(sosreport_t)
> diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
> index 045fb86..a51a92d 100644
> --- a/policy/modules/admin/sxid.te
> +++ b/policy/modules/admin/sxid.te
> @@ -66,7 +66,7 @@ fs_list_all(sxid_t)
>
> term_dontaudit_use_console(sxid_t)
>
> -auth_read_all_files_except_auth_files(sxid_t)
> +files_read_non_security_files(sxid_t)
> auth_dontaudit_getattr_shadow(sxid_t)
>
> init_use_fds(sxid_t)
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index deb24b4..225c263 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
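Review bot: In policy/modules/admin/rpm.te both hunks switch to the `_all_files` interfaces rather than the `_non_security_` ones used for dpkg_t and dpkg_script_t, so rpm_t and rpm_script_t appear to gain manage and relabel access to the files the old `except_auth_files` calls left out. For rpm_script_t the removed line relabeled only shadow (`auth_relabel_shadow(rpm_script_t)`), while the new `files_relabel_all_files(rpm_script_t)` carries no such limit. The retained `auth_dontaudit_read_shadow(rpm_t)` and `auth_dontaudit_getattr_shadow(rpm_script_t)` lines suggest shadow access was still expected to be denied, which no longer matches the grant. Neither `_all_files` interface is defined in this patch, so this is inferred from the names; if the wider access is intended, say so in the description and with a comment such as `# rpm installs security-relevant files, so no exclusions here`, otherwise use `files_relabel_non_security_files(rpm_t)` and `files_manage_non_security_files(rpm_t)` as in dpkg.te.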
> @@ -663,12 +663,63 @@ interface(`files_read_non_security_files',`
> attribute non_security_file_type;
> ')
>
> + list_dirs_pattern($1, non_security_file_type, non_security_file_type)
> read_files_pattern($1, non_security_file_type, non_security_file_type)
> read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
> ')
>
> ########################################
> ##
> +## Manage all non-security files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`files_manage_non_security_files',`
> + gen_require(`
> + attribute non_security_file_type;
> + ')
> +
> + manage_files_pattern($1, non_security_file_type, non_security_file_type)
> + manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
> +')
> +
> +########################################
> +##
> +## Relabel all non-security files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`files_relabel_non_security_files',`
> + gen_require(`
> + attribute non_security_file_type;
> + ')
> +
> + relabel_files_pattern($1, non_security_file_type, non_security_file_type)
> + allow $1 { non_security_file_type }:dir list_dir_perms;
> + relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> +
> + # satisfy the assertions:
> + seutil_relabelto_bin_policy($1)
> +')
> +
> +########################################
> +##
> ## Read all directories on the filesystem, except
> ## the listed exceptions.
> ##
> @@ -2451,7 +2502,7 @@ interface(`files_read_etc_files',`
> ##
> ##
> ##
> -## Domain allowed access.
> +## Domain to not audit.
> ##
> ##
> #
> @@ -3945,7 +3996,7 @@ interface(`files_getattr_tmp_dirs',`
> ##
> ##
> ##
> -## Domain allowed access.
> +## Domain to not audit.
> ##
> ##
> #
> @@ -4017,7 +4068,7 @@ interface(`files_list_tmp',`
> ##
> ##
> ##
> -## Domain not to audit.
> +## Domain to not audit.
> ##
> ##
> #
> @@ -4202,7 +4253,7 @@ interface(`files_relabel_all_tmp_dirs',`
> ##
> ##
> ##
> -## Domain not to audit.
> +## Domain to not audit.
> ##
> ##
> #
> @@ -4262,7 +4313,7 @@ interface(`files_relabel_all_tmp_files',`
> ##
> ##
> ##
> -## Domain not to audit.
> +## Domain to not audit.
> ##
> ##
> #
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index eac9961..797f131 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -336,7 +336,7 @@ optional_policy(`
> fs_read_noxattr_fs_symlinks(kernel_t)
>
> auth_read_all_dirs_except_auth_files(kernel_t)
> - auth_read_all_files_except_auth_files(kernel_t)
> + files_read_non_security_files(kernel_t)
> auth_read_all_symlinks_except_auth_files(kernel_t)
> ')
>
> @@ -346,7 +346,7 @@ optional_policy(`
> fs_read_noxattr_fs_files(kernel_t)
> fs_read_noxattr_fs_symlinks(kernel_t)
>
> - auth_manage_all_files_except_auth_files(kernel_t)
> + files_manage_non_security_files(kernel_t)
> ')
> ')
>
> diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
> index 89ddeaa..4b5119b 100644
> --- a/policy/modules/roles/secadm.te
> +++ b/policy/modules/roles/secadm.te
> @@ -30,7 +30,7 @@ mls_file_upgrade(secadm_t)
> mls_file_downgrade(secadm_t)
>
> auth_role(secadm_r, secadm_t)
> -auth_relabel_all_files_except_auth_files(secadm_t)
> +files_relabel_non_security_files(secadm_t)
> auth_relabel_shadow(secadm_t)
>
> init_exec(secadm_t)
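Review bot: `files_relabel_non_security_files` in policy/modules/kernel/files.if ends with `seutil_relabelto_bin_policy($1)`, so every caller of an interface documented as "Relabel all non-security files" also receives whatever that call grants on the policy binary (inferred from its name, since its definition is not in this patch), and the summary should say so. The first `relabel_files_pattern($1, non_security_file_type, non_security_file_type)` line is repeated three lines later in braced form and can be dropped. `files_manage_non_security_files` covers only files and symlinks, while the relabel interface also covers dirs, fifos, sockets and device nodes, so callers such as dpkg_t get no directory management from it; if that narrowing is intended, state it in the summary. The added `list_dirs_pattern` line in `files_read_non_security_files` also changes what every existing caller of that interface is allowed, which the description does not mention.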
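Review bot: Replacing `auth_relabel_all_files_except_auth_files(secadm_t)` with `files_relabel_non_security_files(secadm_t)` in policy/modules/roles/secadm.te changes the exclusion from auth files to every type outside `non_security_file_type`, and the same swap is made for restorecond_t in policy/modules/system/selinuxutil.te. Which types that attribute leaves out is not visible in this patch, but if it excludes more than shadow, these two domains lose relabel access to those types, and a mislabeled security file could no longer be corrected by them. secadm_t keeps `auth_relabel_shadow(secadm_t)`, while the restorecond_t hunk shows no equivalent line. Please confirm against the attribute's membership and record the decision at each call, for example `# NOTE: no longer relabels security file types other than shadow`.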
> diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
> index 02ffdfb..69c2d2c 100644
> --- a/policy/modules/services/ftp.te
> +++ b/policy/modules/services/ftp.te
> @@ -261,7 +261,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
>
> tunable_policy(`allow_ftpd_full_access',`
> allow ftpd_t self:capability { dac_override dac_read_search };
> - auth_manage_all_files_except_auth_files(ftpd_t)
> + files_manage_non_security_files(ftpd_t)
> ')
>
> tunable_policy(`ftp_home_dir',`
> @@ -394,7 +394,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
> tunable_policy(`sftpd_full_access',`
> allow sftpd_t self:capability { dac_override dac_read_search };
> fs_read_noxattr_fs_files(sftpd_t)
> - auth_manage_all_files_except_auth_files(sftpd_t)
> + files_manage_non_security_files(sftpd_t)
> ')
>
> tunable_policy(`use_samba_home_dirs',`
> diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
> index 941f6e1..68985da 100644
> --- a/policy/modules/services/puppet.te
> +++ b/policy/modules/services/puppet.te
> @@ -134,7 +134,7 @@ sysnet_dns_name_resolve(puppet_t)
> sysnet_run_ifconfig(puppet_t, system_r)
>
> tunable_policy(`puppet_manage_all_files',`
> - auth_manage_all_files_except_auth_files(puppet_t)
> + files_manage_non_security_files(puppet_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
> index c537000..52ec13b 100644
> --- a/policy/modules/services/rgmanager.te
> +++ b/policy/modules/services/rgmanager.te
> @@ -92,7 +92,7 @@ term_getattr_pty_fs(rgmanager_t)
> #term_use_ptmx(rgmanager_t)
>
> # needed by resources scripts
> -auth_read_all_files_except_auth_files(rgmanager_t)
> +files_read_non_security_files(rgmanager_t)
> auth_dontaudit_getattr_shadow(rgmanager_t)
> auth_use_nsswitch(rgmanager_t)
>
> diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
> index 62fca97..6c6d18b 100644
> --- a/policy/modules/services/rpc.te
> +++ b/policy/modules/services/rpc.te
> @@ -158,7 +158,7 @@ tunable_policy(`nfs_export_all_rw',`
> dev_getattr_all_chr_files(nfsd_t)
>
> fs_read_noxattr_fs_files(nfsd_t)
> - auth_manage_all_files_except_auth_files(nfsd_t)
> + files_manage_non_security_files(nfsd_t)
> ')
>
> tunable_policy(`nfs_export_all_ro',`
> @@ -171,7 +171,7 @@ tunable_policy(`nfs_export_all_ro',`
> fs_read_noxattr_fs_files(nfsd_t)
>
> auth_read_all_dirs_except_auth_files(nfsd_t)
> - auth_read_all_files_except_auth_files(nfsd_t)
> + files_read_non_security_files(nfsd_t)
> ')
>
> ########################################
> diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
> index 1c381e1..51cedbd 100644
> --- a/policy/modules/services/rsync.te
> +++ b/policy/modules/services/rsync.te
> @@ -126,7 +126,7 @@ tunable_policy(`rsync_export_all_ro',`
> fs_read_nfs_files(rsync_t)
> fs_read_cifs_files(rsync_t)
> auth_read_all_dirs_except_auth_files(rsync_t)
> - auth_read_all_files_except_auth_files(rsync_t)
> + files_read_non_security_files(rsync_t)
> auth_read_all_symlinks_except_auth_files(rsync_t)
> auth_tunable_read_shadow(rsync_t)
> ')
> diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
> index df830cf..d1f1a15 100644
> --- a/policy/modules/services/samba.te
> +++ b/policy/modules/services/samba.te
> @@ -451,17 +451,17 @@ tunable_policy(`samba_create_home_dirs',`
> tunable_policy(`samba_export_all_ro',`
> fs_read_noxattr_fs_files(smbd_t)
> auth_read_all_dirs_except_auth_files(smbd_t)
> - auth_read_all_files_except_auth_files(smbd_t)
> + files_read_non_security_files(smbd_t)
> fs_read_noxattr_fs_files(nmbd_t)
> auth_read_all_dirs_except_auth_files(nmbd_t)
> - auth_read_all_files_except_auth_files(nmbd_t)
> + files_read_non_security_files(nmbd_t)
> ')
>
> tunable_policy(`samba_export_all_rw',`
> fs_read_noxattr_fs_files(smbd_t)
> - auth_manage_all_files_except_auth_files(smbd_t)
> + files_manage_non_security_files(smbd_t)
> fs_read_noxattr_fs_files(nmbd_t)
> - auth_manage_all_files_except_auth_files(nmbd_t)
> + files_manage_non_security_files(nmbd_t)
> userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
> ')
>
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 94e49e8..fd331b9 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -143,7 +143,7 @@ ifdef(`distro_ubuntu',`
>
> tunable_policy(`allow_mount_anyfile',`
> auth_read_all_dirs_except_auth_files(mount_t)
> - auth_read_all_files_except_auth_files(mount_t)
> + files_read_non_security_files(mount_t)
> files_mounton_non_security(mount_t)
> ')
>
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index 508b206..52a5442 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -327,8 +327,8 @@ selinux_compute_create_context(restorecond_t)
> selinux_compute_relabel_context(restorecond_t)
> selinux_compute_user_contexts(restorecond_t)
>
> -auth_relabel_all_files_except_auth_files(restorecond_t )
> -auth_read_all_files_except_auth_files(restorecond_t)
> +files_relabel_non_security_files(restorecond_t )
> +files_read_non_security_files(restorecond_t)
> auth_use_nsswitch(restorecond_t)
>
> locallogin_dontaudit_use_fds(restorecond_t)
Generally speaking, I'm fine with this. However, I'm looking closely to make sure the new calls that are being made are the right ones. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com