From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 23 Oct 2013 15:44:01 -0400
Subject: [refpolicy] I think we made a large mistake when we designed apache_content_template.
In-Reply-To: <1382557103.3041.120.camel@d30>
References: <52680DF1.3000700@redhat.com> <1382557103.3041.120.camel@d30>
Message-ID: <52682701.6030900@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/23/2013 03:38 PM, Dominick Grift wrote:
> On Wed, 2013-10-23 at 13:57 -0400, Daniel J Walsh wrote:
>> type httpd_$1_content_t; # customizable;
>>
>> Then tools can look for all content which begins bugzilla and have the
>> correct types drawn.
>
> How about one teaches one's tool to use seinfo and sesearch instead?
>
> Depending on the policy model it might not even be an issue to label files
> with process type (although it does not make sense to do it).
>
> But it's just a property of the policy you are using.
>
> People might have a policy implemented that has different properties, and a
> meaningful tool would have the ability to determine characteristics no
> matter what the policy's properties are.
>
Well, we do have some tooling that understands seinfo and sesearch. But the
ability for xyz_t to write to abc_file_t and the ability to write to
xyz_file_t are probably two different concepts. By convention it is more
likely that we would want to have a man page generated mentioning the
relationship between the xyz_t process type and xyz_file_t, but ignore
abc_file_t, or at least treat it as a second-class relationship.
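The distinction Dan draws above, between a domain's "own" file types (xyz_t writing xyz_file_t) and foreign ones (xyz_t writing abc_file_t), is something a man-page generator built on sesearch output can implement purely by name prefix. The following is an added example, not refpolicy or sepolicy code: it parses constructed lines in the `allow SRC TGT:CLASS { perms };` shape that setools' `sesearch -A` prints (the rules themselves are illustrative, not a dump of any real policy), buckets file-class targets sharing the domain's name prefix as first-class and everything else as second-class, and renders a small man-page-style section. The function names, the permission set used to decide "managed" vs "read-only", and the prefix rule (`httpd_t` -> `httpd_`) are all assumptions of this example.

```python
"""Classify a domain's file-type relationships from sesearch-style allow rules.

Added example (not refpolicy or sepolicy code). It shows how a man-page
generator that consumes `sesearch` output can treat types named after the
domain (httpd_t -> httpd_*_t) as first-class and everything else as
second-class, which is the convention the mail above describes.
"""
import re
from collections import defaultdict

# Constructed sample in the shape setools' sesearch prints; illustrative only.
SESEARCH_OUTPUT = """\
allow httpd_t httpd_sys_content_t:file { getattr ioctl lock open read };
allow httpd_t httpd_sys_rw_content_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow httpd_t httpd_log_t:file { append create getattr ioctl lock open setattr };
allow httpd_t httpd_bugzilla_content_t:file { getattr ioctl lock open read };
allow httpd_t var_log_t:dir { add_name getattr open search write };
allow httpd_t tmp_t:dir { add_name getattr open read search write };
allow httpd_t bugzilla_t:process sigchld;
allow mysqld_t mysqld_db_t:file { append create getattr ioctl lock open read write };
"""

# Matches both the braced multi-permission form and the bare single-permission form.
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<set>[^}]*?)\s*\}|(?P<one>[^\s;{}]+))\s*;\s*$"
)
# Object classes that describe filesystem objects (assumed subset for this example).
FILE_CLASSES = {"file", "dir", "lnk_file", "fifo_file", "sock_file", "chr_file", "blk_file"}
# Permissions we treat as "the domain manages this type" (assumption of this example).
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr", "add_name", "remove_name"}


def parse_allow_rules(text):
    """Return a list of (source, target, class, frozenset(perms)) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ALLOW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised sesearch line: {line!r}")
        perms = m.group("set").split() if m.group("set") is not None else [m.group("one")]
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), frozenset(perms)))
    return rules


def domain_prefix(domain):
    """httpd_t -> 'httpd_'; the naming convention used to find a domain's own types."""
    return (domain[:-2] if domain.endswith("_t") else domain) + "_"


def classify_file_access(rules, domain):
    """Split file-class targets of `domain` into first-class (own prefix) and second-class."""
    prefix = domain_prefix(domain)
    result = {"first_class": defaultdict(set), "second_class": defaultdict(set)}
    for src, tgt, cls, perms in rules:
        if src != domain or cls not in FILE_CLASSES:
            continue
        bucket = "first_class" if tgt.startswith(prefix) else "second_class"
        result[bucket][tgt] |= perms
    return {k: dict(v) for k, v in result.items()}


def is_writable(perms):
    """True when the permission set lets the domain modify objects of that type."""
    return bool(perms & WRITE_PERMS)


def render_manpage_section(rules, domain):
    """Render the two buckets as a plain-text man-page fragment."""
    access = classify_file_access(rules, domain)
    lines = [f"FILE TYPES for {domain}", "", "Types named after the domain (its own content):"]
    for tgt in sorted(access["first_class"]):
        mode = "managed" if is_writable(access["first_class"][tgt]) else "read-only"
        lines.append(f"  {tgt} ({mode})")
    lines += ["", "Other types it can touch (second-class, listed for completeness):"]
    for tgt in sorted(access["second_class"]):
        mode = "managed" if is_writable(access["second_class"][tgt]) else "read-only"
        lines.append(f"  {tgt} ({mode})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_manpage_section(parse_allow_rules(SESEARCH_OUTPUT), "httpd_t"))
```

Note that the prefix rule is exactly the property Dominick objects to relying on: a policy that names its types differently (or labels files with the process type) would push everything into the second-class bucket, and the tool would have no way to know. A generator that wants to be policy-agnostic would have to derive the grouping from the policy itself (attributes, the template that declared the type) rather than from the name, which is what the template naming question in this thread is about.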