From: jason@perfinion.com (Jason Zaman) Date: Thu, 2 Nov 2017 19:08:20 +0800 Subject: [refpolicy] [PATCH 1/3] kerberos: Introduce kerberos_filetrans_named_content interface In-Reply-To: References: <20171031053758.7816-1-jason@perfinion.com> Message-ID: <20171102110820.GA8319@meriadoc.perfinion.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, Nov 01, 2017 at 06:54:25PM -0400, Chris PeBenito wrote: > On 10/31/2017 01:37 AM, Jason Zaman wrote: > > --- > > kerberos.if | 35 +++++++++++++++++++++++++++++++++++ > > 1 file changed, 35 insertions(+) > > > > diff --git a/kerberos.if b/kerberos.if > > index c8c5a37..8b46c1b 100644 > > --- a/kerberos.if > > +++ b/kerberos.if 
> > @@ -425,6 +425,41 @@ interface(`kerberos_connect_524',` > > > > ######################################## > > ## > > +## Transition to kerberos named content > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`kerberos_filetrans_named_content',` > > + gen_require(` > > + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; > > + type krb5kdc_principal_t; > > + ') > > + > > + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") > > + filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab") > > + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") > > + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") > > + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") > > + > > + kerberos_etc_filetrans_keytab($1, file, "krb5.keytab") > > + > > + kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25") > > + kerberos_tmp_filetrans_host_rcache($1, file, "host_0") > > + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23") > > + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48") > > + kerberos_tmp_filetrans_host_rcache($1, file, "imap_0") > > + kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0") > > + kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0") > > + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487") > > + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55") > > +')
>
> Can we do something better than this? It's ugly. Are all the named
> transitions really needed?

There are actually a few similar things around in the NFS and kerberos modules. It is kinda ugly, though, yeah. I'll take a look at all the places they're done and see if I can make them all the same and a bit less ugly. It likely won't be that much better, though, since NFS and kerberos like to put stuff in /tmp a lot.
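Review bot: the summary "Transition to kerberos named content" undersells what the interface grants: each filetrans_pattern() call on krb5kdc_conf_t also gives the calling domain rw_dir_perms on krb5kdc_conf_t directories, so the interface description should state that callers receive write access to the KDC configuration directory, not only the type transitions. Two smaller points on the same hunk: the rcache names embed numeric UIDs ("HTTP_23" and "HTTP_48" are the same service under two distribution-specific UIDs), so a hard-coded list like this cannot be complete and would be better split into its own interface or at least explained in a comment; and inside kerberos.if it is inconsistent to use filetrans_pattern() for the krb5kdc_conf_t rules but the module's own kerberos_etc_filetrans_keytab() and kerberos_tmp_filetrans_host_rcache() interfaces for the rest, so pick one form.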