From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Fri, 15 Aug 2014 11:31:46 +0200 Subject: [refpolicy] [PATCH 1/5] Introduce interface allowing relabeling from/to non-security file types In-Reply-To: <53ED0F93.8080905@tresys.com> References: <1407434738-11937-1-git-send-email-sven.vermeulen@siphos.be> <1407434738-11937-2-git-send-email-sven.vermeulen@siphos.be> <53ED0F93.8080905@tresys.com> Message-ID: <20140815093146.GA5715@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Thu, Aug 14, 2014 at 03:35:47PM -0400, Christopher J. PeBenito wrote: > On 8/7/2014 2:05 PM, Sven Vermeulen wrote: > > This interface can be used by domains that have a need for broad > > privileges towards the system, but should not need any privileges > > towards security-sensitive types. > [..] > > +interface(`files_relabel_all_non_security_file_types',` > > + gen_require(` > > + attribute non_security_file_type; > > + ') > > + > > + allow $1 non_security_file_type:dir list_dir_perms; > > + > > + relabel_dirs_pattern($1, non_security_file_type, non_security_file_type) > > + relabel_files_pattern($1, non_security_file_type, non_security_file_type) > > + relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type) > > + relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type) > > + relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type) > > + > > + # This is only relabelfrom as there should be no device nodes marked with a type > > + # associated with the non_security_file_type attribute > > + relabelfrom_blk_files_pattern($1, non_security_file_type, non_security_file_type) > > + relabelfrom_chr_files_pattern($1, non_security_file_type, non_security_file_type) > > +') > > While there are a few interfaces that are like this with broad object > class usage, I'd rather not have them. I'd prefer that they are broken > up into individual interfaces. #3 patch is like this too. 
As in, iterate over all the various types that would be matched? Although I can do that, that might result in many, many more interfaces being necessary and having updates on the domain as users configure tmpfiles.

Or we can go the other route and not include the broad privileges to start with (only the basic resource types such as the pidfiles) until users start complaining about tmpfiles not creating the directory, socket or file, and adapt the policy as things go along.

Wkr,
	Sven Vermeulen
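
Review bot: In `files_relabel_all_non_security_file_types`, the rule `allow $1 non_security_file_type:dir list_dir_perms;` grants directory listing on every type carrying the `non_security_file_type` attribute, which is not a relabel permission and is not signalled by the interface name. Consider dropping that rule and leaving listing to a separately named interface that callers request explicitly, or have the interface summary (elided in this quote) state that listing is included. A second point on the last two pattern lines: `blk_file` and `chr_file` receive relabelfrom only, as the in-code comment explains, while the name promises relabel in both directions; moving those two patterns into an interface whose name says relabelfrom would make the grant match the name and would also go some way towards the per-class split requested in the reply.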