pipefs AVC

Dominick Grift domg472 at gmail.com
Sun Aug 29 12:44:11 UTC 2010


On 08/29/2010 02:30 PM, Mr Dash Four wrote:
> 
>>> Is 'rw_fifo_file_perms' custom-defined somewhere?
>>>
>>> All I can see on the fifo_file is { append create execute getattr ioctl
>>> link lock mounton quotaon read relabelfrom relabelto rename setattr
>>> swapon unlink write }, of which, 'read' and 'write' are the relevant
>>> ones. If I do 'allow voip_sandbox_t self:fifo_file { read write }' would
>>> that be the same thing or am I missing something?
>>>     
>>
>> http://oss.tresys.com/projects/refpolicy/browser/policy/support/obj_perm_sets.spt
>>
>>
>> line 241:
>>
>> define(`rw_fifo_file_perms',`{ getattr open read write append ioctl
>> lock }')
>>
>> Basically a set of common permissions to read and write fifo files. Not
>> quite the same as just  { read write } but not too excessive either.
>>   
> That would do, thanks!
> 
>> I always use "macros" wherever possible that will make policy
>> maintenance much easier.
>>   
> Maintenance - yes, but finding where it comes from and what it does
> (essential for people like me!) is a right nightmare!
> 
> Every time I stumble across something like this I have to do a 'grep' on
> the whole serefpolicy directory to see where it comes from and what it
> does - this does take time and I find it very frustrating, not to
> mention that this search is not always successful (there are macros with
> $1 and $2 in their names and finding this is not as straightforward a job
> as it first seems!)

After a while you know these things without looking them up. That is why it
is also important to use consistent interface names. So that you can
easily make the right guess.

As for looking stuff up, I use eclipse-slide. Basically I have refpolicy
imported into slide and build in slide that will expose the macros so
you can just hover over them and see their contents or alter click and
choose open declaration or just click them and look in the declaration
pane. There's also a filter window which lets you easily search for
interfaces.

But again, after a while, one just knows what to use. The refpolicy
project tree is not so big, except the services section which has quite
a lot of modules.
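
The lookup discussed in this thread can also be scripted. The following is an added example, not part of the original message and not refpolicy code: it parses m4 `define` permission sets in the style of obj_perm_sets.spt, expands them (including nested references, which goes beyond the single case quoted above), and lists what a macro grants beyond a hand-written set. The function names and the two `example_*` macros are hypothetical; only the `rw_fifo_file_perms` definition comes from the message.

```python
import re

# Constructed sample in the style of policy/support/obj_perm_sets.spt.
# rw_fifo_file_perms is copied from the thread; the example_* macros are
# hypothetical and exist only to show nested expansion.
SAMPLE_SPT = """
define(`rw_fifo_file_perms',`{ getattr open read write append ioctl
lock }')
define(`example_read_perms',`{ getattr open read }')
define(`example_rw_perms',`{ example_read_perms write append }')
"""

# m4 quotes strings as `...'; a permission set is define(`name',`{ perms }').
# The body may wrap across lines, which [^}]* already allows.
DEFINE_RE = re.compile(r"define\(`([^']+)',\s*`\{([^}]*)\}'\)")


def load_perm_sets(text):
    """Map each macro name to the raw tokens found in its { ... } body."""
    return {name: body.split() for name, body in DEFINE_RE.findall(text)}


def expand(name, sets, _seen=()):
    """Flatten a permission-set macro, following references to other sets."""
    if name in _seen:
        raise ValueError("recursive definition: " + " -> ".join(_seen + (name,)))
    perms = set()
    for tok in sets[name]:
        if tok in sets:  # token is itself a macro defined in the file
            perms |= expand(tok, sets, _seen + (name,))
        else:            # plain permission name
            perms.add(tok)
    return perms


def extra_over(name, manual, sets):
    """Permissions the macro grants that a hand-written set does not."""
    return sorted(expand(name, sets) - set(manual))


if __name__ == "__main__":
    sets = load_perm_sets(SAMPLE_SPT)
    print("rw_fifo_file_perms =", sorted(expand("rw_fifo_file_perms", sets)))
    print("beyond { read write }:",
          extra_over("rw_fifo_file_perms", ["read", "write"], sets))
```

To use it on a real tree, pass the contents of the support file to `load_perm_sets` instead of the sample; interfaces that take `$1`/`$2` arguments are not handled by this parser.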
