From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 07 Jan 2013 09:46:51 -0500
Subject: [refpolicy] Interfaces in refpolicy.
Message-ID: <50EADFDB.5040507@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

We were having a side talk between Miroslav, Dominick and me about interfaces.

Dominick has merged lots of new policy from Fedora into the contrib directory of refpolicy, but he has been only including the interfaces that are actually used. This has been the traditional way Chris has accepted interfaces into the upstream project (other than _admin and _domtrans).

This is causing Miroslav problems merging the latest upstream back into Fedora, since Fedora has many interfaces defined that other domains are not currently using.

I believe that we should have a standard that each file type defined in a policy. For example:

    getattr_dir
    read_dir
    getattr_file
    read_file
    rw_inherited_file
    manage_file

The current mechanism, where we don't have a comprehensive list, can cause two problems for policy writers.

First, it greatly increases the chance of users/policy writers adding gen_require blocks:

    gen_require(`
        type foobar_t;
    ')

which breaks the separation model that interfaces were built to fix.

Secondly, audit2allow -R will return a looser policy. For example, if your domain needs to read foobar_var_lib_t, but only foobar_manage_var_lib_t exists, audit2allow -R will return

    foobar_manage_var_lib(mydomain_t)

and users are likely to grab it.

sepolicy generate (sepolgen) always generates a group of interfaces for each type, and I believe we should add all these interfaces to upstream whether or not other domains currently use the interface.

If we define a standard group of interfaces required for each type, then we could go through the policy and add all the interfaces and make tools that help in generation of policy always create the correct interface.
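As an added illustration, not part of the message above nor taken from refpolicy or Fedora, here is what the standard per-type interface group the post argues for would look like in refpolicy's .if style for a hypothetical type foobar_var_lib_t. The *_pattern macros and files_search_var_lib are refpolicy's own; rw_inherited_file_perms is assumed to be defined in the policy's permission sets.

```m4
## <summary>Get attributes of foobar var lib directories.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`foobar_getattr_var_lib_dirs',`
	gen_require(`
		type foobar_var_lib_t;
	')
	getattr_dirs_pattern($1, foobar_var_lib_t, foobar_var_lib_t)
')

## <summary>Read (list) foobar var lib directories.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`foobar_list_var_lib_dirs',`
	gen_require(`
		type foobar_var_lib_t;
	')
	files_search_var_lib($1)
	list_dirs_pattern($1, foobar_var_lib_t, foobar_var_lib_t)
')

## <summary>Read foobar var lib files.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`foobar_read_var_lib_files',`
	gen_require(`
		type foobar_var_lib_t;
	')
	files_search_var_lib($1)
	read_files_pattern($1, foobar_var_lib_t, foobar_var_lib_t)
')

## <summary>Read and write inherited foobar var lib files (no open).</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`foobar_rw_inherited_var_lib_files',`
	gen_require(`
		type foobar_var_lib_t;
	')
	# Assumption: rw_inherited_file_perms is a perm set without "open",
	# so the caller can only use descriptors handed to it, not open new ones.
	allow $1 foobar_var_lib_t:file rw_inherited_file_perms;
')

## <summary>Create, read, write and delete foobar var lib files.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`foobar_manage_var_lib_files',`
	gen_require(`
		type foobar_var_lib_t;
	')
	files_search_var_lib($1)
	manage_files_pattern($1, foobar_var_lib_t, foobar_var_lib_t)
')
```

With the read interface present, audit2allow -R can return foobar_read_var_lib_files(mydomain_t) for a read denial instead of falling back to the manage variant.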