From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 23 Jul 2013 14:22:07 +0200
Subject: [refpolicy] Want to make typeattribute declarations possible in conditionals
Message-ID: <20130723122207.GA21664@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi all,

I would like to be able to assign attributes to types in a conditional statement. Right now, this isn't allowed, and I don't know if it is feasible to look for a solution to this or not. Is this a real design constraint that will be hard to work around, or is this doable?

Alternatives that I see are:

- making the assignations part of separate, small SELinux modules that users can unload/load
- using interfaces that assign the permissions to the given domain, and use this interface against the attribute. This will probably result in two interfaces, foo_domain() to assign the attribute (for non-tunable usage) and foo_domain_privileges() to assign the rights (for tunable usage) - naming convention notwithstanding here.
- decouple the requirement from the policy and let administrators do this

The last approach means that the policy doesn't include the definitions anymore, instead providing a method (in the SELinux userspace utilities or distribution-specific) to assign attributes. For instance (mock-up):

  ~# semanage attribute -a -t mailserver_domain portage_t

This would then create (or maintain) a small module that does the necessary declarations, like "typeattribute portage_t mailserver_domain".

What is your opinion on this? Weird request?

Wkr,
  Sven Vermeulen
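To make the second alternative concrete, here is an added illustration of the two-interface split the mail sketches, written in refpolicy's m4 interface syntax. It is example code, not something from the post or from refpolicy itself: the module name `mailserver`, the attribute `mailserver_domain`, the tunable `portage_mailserver` and the interface names are assumed for the sake of the example. The unconditional interface only hands out the attribute (since `typeattribute` is not accepted inside `tunable_policy`), while the conditional one grants the actual permissions to the type, so the caller can wrap only the latter in a tunable.

```m4
## mailserver.if (hypothetical module; refpolicy m4 interface syntax)

########################################
## <summary>
##	Mark the specified domain as a mail server domain.
##	Not tunable: typeattribute cannot live inside tunable_policy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to assign the attribute to.
##	</summary>
## </param>
#
interface(`mailserver_domain',`
	gen_require(`
		attribute mailserver_domain;
	')

	# Attribute membership is static for the lifetime of the module.
	typeattribute $1 mailserver_domain;
')

########################################
## <summary>
##	Grant the mail server privileges to the specified domain.
##	Operates on the type directly, so it can be called from
##	inside a tunable_policy block.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to grant the privileges to.
##	</summary>
## </param>
#
interface(`mailserver_domain_privileges',`
	# Only allow rules here; these are permitted in conditionals.
	allow $1 self:tcp_socket create_stream_socket_perms;
	corenet_tcp_bind_smtp_port($1)
	corenet_tcp_connect_smtp_port($1)
')

## portage.te excerpt (hypothetical usage of the two interfaces)
#
# gen_tunable(portage_mailserver, false)
#
# # Always a member of the attribute (non-tunable part).
# mailserver_domain(portage_t)
#
# # Rights only when the boolean is switched on (tunable part).
# tunable_policy(`portage_mailserver',`
# 	mailserver_domain_privileges(portage_t)
# ')
```

The price of this split is that any rule written against `mailserver_domain` elsewhere in the policy still applies to `portage_t` regardless of the boolean, which is exactly the behaviour the mail is trying to avoid; only the rights granted through the `_privileges` interface follow the tunable.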