From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 23 Oct 2013 15:40:52 -0400
Subject: [refpolicy] I think we made a large mistake when we designed apache_content_template.
In-Reply-To: <1382556579.3041.114.camel@d30>
References: <52680DF1.3000700@redhat.com> <1382556579.3041.114.camel@d30>
Message-ID: <52682644.3050705@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/23/2013 03:29 PM, Dominick Grift wrote:
> On Wed, 2013-10-23 at 21:14 +0200, Sven Vermeulen wrote:
>
>> But another thought: isn't it sufficient to base logic on attributes
>> here?
>
> Boolean identifiers are just as configurable as any other identifiers
>
> The only thing you can rely on is access vectors, and keywords
>
> You cannot do as much with those as you could, in theory, with the addition
> of identifiers

Yes, I think we could attempt to do all of these things, and I agree that it
is somewhat flimsy, but it is the best we have right now. In Fedora right now
we have

    seinfo -t | awk '{ print $1 }'| grep ^http | wc -l
    183

One potential idea would be to have the tooling create an attribute based on
the module name (Not good for non Modular policy). Then we could assign the
attribute to all types defined within the module. httpd_module_attribue for
example.
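A sketch of the tooling idea in the message above, as an added example that is not part of the original post and not refpolicy or Fedora code. Assumptions: the attribute is named <module>_module_attribute, the .te sample is constructed, and only explicit "type" declarations are seen, so types created by templates or interfaces are not covered.

```python
import re

# Constructed sample of a refpolicy-style .te source (not taken from the thread).
SAMPLE_TE = """\
policy_module(httpd, 1.0.0)

type httpd_t;
type httpd_exec_t;
# type commented_out_t;
type httpd_log_t, logfile;
typealias httpd_t alias apache_t;
"""

POLICY_MODULE_RE = re.compile(r"^\s*policy_module\(\s*([A-Za-z0-9_]+)\s*,")
# "type" must be followed by whitespace, so "typealias"/"typeattribute" do not match.
TYPE_DECL_RE = re.compile(r"^\s*type\s+([A-Za-z0-9_]+)\b")


def module_attribute_statements(te_source):
    """Return policy statements that declare a per-module attribute and
    assign it to every type explicitly declared in the module source."""
    module = None
    types = []
    for raw in te_source.splitlines():
        line = raw.split("#", 1)[0]  # drop policy comments
        m = POLICY_MODULE_RE.match(line)
        if m:
            module = m.group(1)
            continue
        m = TYPE_DECL_RE.match(line)
        if m and m.group(1) not in types:
            types.append(m.group(1))
    if module is None:
        # The caveat from the message: without a module name (non-modular
        # policy) there is nothing to derive the attribute from.
        raise ValueError("no policy_module() declaration found")
    attr = f"{module}_module_attribute"  # hypothetical naming scheme
    return [f"attribute {attr};"] + [
        f"typeattribute {t} {attr};" for t in types
    ]


if __name__ == "__main__":
    print("\n".join(module_attribute_statements(SAMPLE_TE)))
```

With such an attribute in place, the set of types belonging to a module could be looked up by attribute rather than by matching a name prefix such as ^http.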