From: dac.override@gmail.com (Dominick Grift)
Date: Wed, 3 Dec 2014 16:41:45 +0100
Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm
In-Reply-To:
References: <1417609724-28437-1-git-send-email-jason@perfinion.com> <547F0DB6.2060501@tresys.com> <20141203134221.GA20778@meriadoc.Home> <547F168F.2000109@tresys.com> <1417616847.29096.1.camel@joe.localdomain>
Message-ID: <20141203154143.GB29001@e145.network2>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Dec 03, 2014 at 07:29:13PM +0400, Jason Zaman wrote:
> On 3 Dec 2014 18:27, "Dominick Grift" wrote:
> >
> > On Wed, 2014-12-03 at 08:56 -0500, Christopher J. PeBenito wrote:
> > > On 12/3/2014 8:42 AM, Jason Zaman wrote:
> > > > On Wed, Dec 03, 2014 at 08:18:46AM -0500, Christopher J. PeBenito wrote:
> > > >> On 12/3/2014 7:28 AM, Jason Zaman wrote:
> > > >>> Lots of the foo_admin() interfaces were not applied to sysadm. This
> > > >>> patch adds all the ones that were missing. Interfaces are added together
> > > >>> with the matching _role() interface if it was already present.
> > > >>>
> > > >>> Make all && make validate passes, but anyone else that can run any test
> > > >>> suites on this would be appreciated too.
> > > >>
> > > >> I'm not opposed to this change, but I wonder about cases like these:
> > > >>
> > > >>> +
> > > >>> +optional_policy(`
> > > >>> + asterisk_admin(sysadm_t, sysadm_r)
> > > >>> asterisk_stream_connect(sysadm_t)
> > > >>> ')
> > > >>
> > > >>> optional_policy(`
> > > >>> + bacula_admin(sysadm_t, sysadm_r)
> > > >>> bacula_run_admin(sysadm_t, sysadm_r)
> > > >>> ')
> > > >>
> > > >> Since I would assume that the admin interface would already include the
> > > >> existing rule.
> > > >
> > > > Bacula_admin does indeed call _run_admin so I'll take that away,
> > > > asterisk does not call _stream_connect so that one is correct. I will
> > >
> > > I think there is still the question, should the stream connect be added
> > > to the admin interface?
> > >
> >
> > I would argue, no
> >
> > The application used to stream connect should instead be confined and
> > _admin should run that application with a domain transition instead
> >
> I think admining something and using it are not necessarily the same so I
> agree with Dominick, they should be separate.
>
> Along with stream connect, should _admin always call _role? It makes things
> complicated and was the reason I removed in the earlier patches.
>
> The problem with having things in the admin interface is that if someone
> wants to give foo_admin to staff_t which already has foo_role applied then
> there are problems cuz named filetrans can't be applied twice and a number
> of role interfaces have them.
>

I think you misunderstood me.

In my view there should not be an asterisk_stream_connect() called directly by a strict user domain at all, be it admin user domain or otherwise

--
Dominick Grift
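
Review bot: in the asterisk hunk, the retained context line asterisk_stream_connect(sysadm_t) now sits directly under the new asterisk_admin(sysadm_t, sysadm_r) with nothing explaining why both are needed. The thread establishes that asterisk_admin does not include the stream connect, so a short comment inside that optional_policy block saying so would keep a later cleanup from dropping the line as a duplicate. Whether sysadm_t should hold the stream connect directly at all is the question left open in the replies, and it should be settled before this hunk is merged as is.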
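
Review bot: in the bacula hunk, the added bacula_admin(sysadm_t, sysadm_r) overlaps the existing context line bacula_run_admin(sysadm_t, sysadm_r), since the author confirms in the thread that bacula_admin already calls _run_admin. Remove the bacula_run_admin line in the same hunk so the block grants that access once, and check the other optional_policy blocks touched by the patch for the same pairing of an _admin call with an interface it already includes.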