From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 27 Sep 2017 20:18:12 +0200
Subject: [refpolicy] [PATCH 4/4] tunable-managed user content access template
In-Reply-To:
References: <20170522161139.9602-1-sven.vermeulen@siphos.be> <20170522161139.9602-5-sven.vermeulen@siphos.be>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Sorry for the (very) late answer, I somehow missed this feedback and I am currently rebasing and updating the patchset to match the comments and found that this is still an open issue (the other changes you suggested I agree on and have a 2nd patch ready).

On Tue, May 23, 2017 at 1:57 AM, Chris PeBenito via refpolicy wrote:
>> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if >> index 160f3bbf..6f844726 100644 >> --- a/policy/modules/system/userdomain.if >> +++ b/policy/modules/system/userdomain.if >> @@ -144,6 +144,81 @@ template(`userdom_base_user_template',` >> >> ####################################### >> ## >> +## Template for handling user content through standard tunables >> +## >> +## >> +##
>> +## This template generates the tunable blocks for accessing >> +## end user content, either the generic one (user_home_t) >> +## or the complete one (based on user_home_content_type). >> +##
>> +##
>> +## It calls the *_read_generic_user_content, >> +## *_read_all_user_content, *_manage_generic_user_content, and >> +## *_manage_all_user_content booleans. >> +##
>> +##
>> +## >> +## >> +## The application domain prefix to use, meant for the boolean >> +## calls >> +## >> +## >> +## >> +## >> +## The application domain which is granted the necessary privileges >> +## >> +## >> +## >> +# >> +template(`userdom_user_content_access_template',`
>
> I don't think userdomain is the right place for this. This is a new
> abstraction intended mainly for application use, so it might make more
> sense for this to actually go in the application module.

I understand the intention of the use, but the owner of the rules is the user domain. It is about granting access to various user content types, which are declared in the userdomain module. Hence, the userdomain interface should be positioned, not? Or am I misinterpreting your suggestion?

>> + gen_require(` >> + bool $1_read_generic_user_content; >> + bool $1_read_all_user_content; >> + bool $1_manage_generic_user_content; >> + bool $1_manage_all_user_content; >> + ')
>
> I appreciate the reasoning for not having the declarations here, but I
> think that's where they should be. I'd take a patch that would add
> support for documentation in the template XML which describes the
> booleans/tunables being created.

I'll try to put this in. When we looked at this from Gentoo, I didn't immediately find the right approach, and settled with a separate XML file. But it's worth putting some more effort in, even if just to understand the build pipeline better :)

Wkr,
Sven Vermeulen
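Review bot: the description block in this hunk says the template "calls" the *_read_generic_user_content, *_read_all_user_content, *_manage_generic_user_content and *_manage_all_user_content booleans, but the `gen_require(` block shows the template only requires them (`bool $1_read_generic_user_content;` and the three siblings), so a caller that has not declared all four with exactly those names fails at policy build time with an unhelpful missing-symbol error; the description should state that the calling module must declare the four tunables before invoking the template (gen_tunable() is the usual way), and the parameter descriptions should make the naming relationship explicit: the booleans are derived from the first parameter (the prefix) while the access is granted to the second (the domain). Worth noting as well that the hunk header advertises 81 added lines but only the documentation and the gen_require part are quoted in this thread, so the tunable_policy blocks that actually grant the access have not been reviewed here.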