From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 23 Oct 2013 21:14:07 +0200
Subject: [refpolicy] I think we made a large mistake when we designed apache_content_template.
In-Reply-To: <52680DF1.3000700@redhat.com>
References: <52680DF1.3000700@redhat.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Oct 23, 2013 7:57 PM, "Daniel J Walsh" wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> type httpd_$1_content_t; # customizable;
> typeattribute httpd_$1_content_t httpd_content_type;
> typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
> files_type(httpd_$1_content_t)
>
> # This type is used for .htaccess files
> type httpd_$1_htaccess_t, httpd_content_type; # customizable;
> typeattribute httpd_$1_htaccess_t httpd_content_type;
> files_type(httpd_$1_htaccess_t)
>
> The problem I believe is we prefix the types with httpd_, I would like to
> remove this and change the code to something like
>
>
> type $1_http_content_t; # customizable;
> typeattribute $1_http_content_t httpd_content_type;
> files_type($1_http_content_t)
>
> # This type is used for .htaccess files
> type $1_http_htaccess_t, httpd_content_type; # customizable;
> typeattribute $1_http_htaccess_t httpd_content_type;
> files_type($1_http_htaccess_t)
>
> # Type that CGI scripts run as
> type $1_cgi_t, httpd_script_type;
> domain_type($1_cgi_t)
> role system_r types $1_cgi_t;
> type $1_cgi_exec_t, httpd_script_exec_type; # customizable;
> typeattribute $1_cgi_exec_t httpd_content_type;
> typeattribute $1_http_rw_content_t httpd_content_type;
>
> typealias $1_http_rw_content_t alias { httpd_$1_script_rw_t
> httpd_$1_content_rw_t };
> files_type($1_http_rw_content_t)
>
> ...
>
> Then tools can look for all content which begins bugzilla and have the correct
> types drawn.
>
> http://danwalsh.livejournal.com/67007.html
>
> Shows the problem of beginning all apache cgi domains with httpd_

Is it sensible to assume such logic in type names?
It also works vice-versa: not having web content (or http-related types) start with httpd_ might suddenly trigger similar "issues".

If we did do so, though, I expect that we could use aliases for the duration of one or two major releases?

But another thought: isn't it sufficient to base the logic on attributes here?
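To make the two approaches in this thread concrete (tools selecting types by name prefix, as Dan proposes, versus selecting them by attribute membership, as Sven asks about), here is an added example that is not part of the thread and not refpolicy code. It parses constructed policy fragments modelled on the quoted template, expanded for $1 = bugzilla under both naming schemes, and compares prefix-based with attribute-based selection. The attribute names (httpd_content_type, httpd_script_type, httpd_script_exec_type) come from the quoted mail; the fragments, the unrelated bugzilla_log_t and httpd_log_t types, the transition typealias, and the helper functions (parse_policy, types_by_prefix, types_by_attribute, web_types_for_app) are all assumptions made for the illustration.

```python
import re

# Attributes that the apache policy attaches to web content; the names are the
# ones used in the template quoted in the thread.
WEB_ATTRS = {"httpd_content_type", "httpd_script_type", "httpd_script_exec_type"}

# Constructed policy fragments (not real refpolicy output): the quoted template
# expanded for $1 = bugzilla, once with today's httpd_ prefix and once with the
# proposed $1-first names, plus two unrelated types that share a name prefix.
POLICY_CURRENT = """
type httpd_bugzilla_content_t;                             # customizable
typeattribute httpd_bugzilla_content_t httpd_content_type;
type httpd_bugzilla_htaccess_t, httpd_content_type;
type httpd_bugzilla_script_t, httpd_script_type;
type httpd_bugzilla_script_exec_t, httpd_script_exec_type;
type httpd_bugzilla_rw_content_t, httpd_content_type;
type bugzilla_log_t, logfile;                              # app log, not web content
type httpd_log_t, logfile;                                 # apache's own log, not content
"""

POLICY_PROPOSED = """
type bugzilla_http_content_t, httpd_content_type;
typealias bugzilla_http_content_t alias { httpd_bugzilla_content_t };   # transition alias
type bugzilla_http_htaccess_t, httpd_content_type;
type bugzilla_cgi_t, httpd_script_type;
type bugzilla_cgi_exec_t, httpd_script_exec_type;
type bugzilla_http_rw_content_t, httpd_content_type;
type bugzilla_log_t, logfile;
type httpd_log_t, logfile;
"""

TYPE_RE = re.compile(r"type\s+(\w+)(?:\s*,\s*(.+))?$")
TYPEATTR_RE = re.compile(r"typeattribute\s+(\w+)\s+(.+)$")
TYPEALIAS_RE = re.compile(r"typealias\s+(\w+)\s+alias\s+\{?([\w\s]+)\}?$")


def parse_policy(text):
    """Map every type (and alias) name to the set of attributes it carries.

    Handles `type T[, a1, a2];`, `typeattribute T a1, a2;` and
    `typealias T alias { A B };`. An alias shares its base type's attribute
    set, so attribute-based lookups keep resolving the old name during a
    transition period.
    """
    types = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()  # drop comment and ';'
        if not line:
            continue
        m = TYPE_RE.match(line)
        if m:
            attrs = {a.strip() for a in m.group(2).split(",")} if m.group(2) else set()
            types.setdefault(m.group(1), set()).update(attrs)
            continue
        m = TYPEATTR_RE.match(line)
        if m:
            types.setdefault(m.group(1), set()).update(a.strip() for a in m.group(2).split(","))
            continue
        m = TYPEALIAS_RE.match(line)
        if m:
            base = types.setdefault(m.group(1), set())
            for alias in m.group(2).split():
                types[alias] = base  # same set object: later attribute grants apply to both
    return types


def types_by_prefix(types, prefix):
    """Name-based selection: what a tool does when it relies on the httpd_ / $1_ prefix."""
    return sorted(t for t in types if t.startswith(prefix))


def types_by_attribute(types, wanted):
    """Attribute-based selection: independent of how the type happens to be named."""
    return sorted(t for t, attrs in types.items() if attrs & wanted)


def web_types_for_app(types, app):
    """Web content of one application: attribute membership decides *what* a type is,
    and the $1 token in the name (in either position) decides *whose* it is."""
    token = re.compile(rf"(?:^|_){re.escape(app)}_")
    return sorted(t for t, attrs in types.items() if attrs & WEB_ATTRS and token.search(t))


if __name__ == "__main__":
    current = parse_policy(POLICY_CURRENT)
    proposed = parse_policy(POLICY_PROPOSED)
    print("prefix 'bugzilla' (current names): ", types_by_prefix(current, "bugzilla"))
    print("prefix 'httpd_'   (current names): ", types_by_prefix(current, "httpd_"))
    print("by attribute      (current names): ", types_by_attribute(current, WEB_ATTRS))
    print("prefix 'bugzilla' (proposed names):", types_by_prefix(proposed, "bugzilla"))
    print("by attribute      (proposed names):", types_by_attribute(proposed, WEB_ATTRS))
    print("bugzilla web types, alias included: ", web_types_for_app(proposed, "bugzilla"))
```

With the current names, a prefix search for "bugzilla" finds only bugzilla_log_t and misses every web content type, which is the problem Dan describes; a search for "httpd_" pulls in httpd_log_t, which is not content at all. With the proposed names the prefix search finds the web types but still drags in bugzilla_log_t. Selecting on the httpd_* attributes returns exactly the web content types under either naming scheme, and because the alias shares its base type's attribute set, the old httpd_bugzilla_content_t name keeps resolving for as long as the alias is kept.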