From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 14 Aug 2014 15:35:47 -0400
Subject: [refpolicy] [PATCH 1/5] Introduce interface allowing relabeling from/to non-security file types
In-Reply-To: <1407434738-11937-2-git-send-email-sven.vermeulen@siphos.be>
References: <1407434738-11937-1-git-send-email-sven.vermeulen@siphos.be> <1407434738-11937-2-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <53ED0F93.8080905@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 8/7/2014 2:05 PM, Sven Vermeulen wrote:
> This interface can be used by domains that have a need for broad
> privileges towards the system, but should not need any privileges
> towards security-sensitive types.

[..]

> +interface(`files_relabel_all_non_security_file_types',`
> +	gen_require(`
> +		attribute non_security_file_type;
> +	')
> +
> +	allow $1 non_security_file_type:dir list_dir_perms;
> +
> +	relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
> +	relabel_files_pattern($1, non_security_file_type, non_security_file_type)
> +	relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
> +	relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
> +	relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
> +
> +	# This is only relabelfrom as there should be no device nodes marked with a type
> +	# associated with the non_security_file_type attribute
> +	relabelfrom_blk_files_pattern($1, non_security_file_type, non_security_file_type)
> +	relabelfrom_chr_files_pattern($1, non_security_file_type, non_security_file_type)
> +')

While there are a few interfaces that are like this with broad object class usage, I'd rather not have them. I'd prefer that they are broken up into individual interfaces. #3 patch is like this too.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
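Review bot: the comment above the blk/chr rules states that no device node should carry a type with the non_security_file_type attribute, yet the hunk still grants relabelfrom_blk_files_pattern and relabelfrom_chr_files_pattern on that attribute; if the premise holds, these two rules can never match and should be dropped, and if the intent is to let a caller clean up a mislabelled device node, the comment should say that explicitly rather than "only relabelfrom", since a reader cannot otherwise tell whether the asymmetry is deliberate. Separately, because every relabel_*_pattern call passes non_security_file_type as both the from-type and the to-type, a single call grants the ability to move any non-security file between any two non-security types across dir, file, lnk_file, fifo_file and sock_file at once; splitting this into per-class interfaces, as the reply above asks, would let a domain take relabelto only for the classes it actually rewrites and keeps the relabel audit surface per class reviewable.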