Marcelo Klein wrote:
> Is there any possibility of writing bundles of policies that can be
> "imported" into other configurations?
> Such as defining a package for a set of policies like "shared-libs", and
> then when writing the policy putting "import shared-libs" or something like
> that?
> Is this too complex to do?
> Marcelo.
No, this is what interfaces do, although they are more like function calls.
We have two ways of grouping access to a domain, either directly through
allow rules, or by adding an attribute.
For example:
    type httpd_t, domain;
    allow domain self:file read;
or
    allow httpd_t self:file read;
Both generate the same policy.
In refpolicy we have an interface domain_type() which adds the domain
attribute.
So we could move all
    libs_use_ld_so(domain)
    libs_use_shared_libs(domain)
and eliminate these rules from all te files.
The question is what granularity do you do this at.
Almost every confined domain needs to read etc_t, so if we added
    files_read_etc_files(domain)
we could remove those, but now if someone wanted to write a confined
domain without access to etc_t, his policy is a lot harder to write.
> 2008/2/22, Daniel J Walsh <dwalsh(a)redhat.com>:
>> Bill Nottingham wrote:
>>> I was writing policy today, and I couldn't help notice a lot of
>>> repetitiveness in our policy:
>>>
>>> libs_use_ld_so(...)
>>> libs_use_shared_libs(...)
>>>
>>> These are needed by, well, everything. Can't they be
>>> assumed-unless-denied?
>>>
>>> Similarly, 99% of confined apps need:
>>>
>>> miscfiles_read_localization()
>>> files_read_etc_files(.)
>>> pipes & stream sockets
>>>
>>> Is there a way to streamline policy so there is a lot less
>>> repetition?
>>>
>>> Bill
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list(a)redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> We have talked about this in the past, and so far it has not gone
>> anywhere. The original goal when refpolicy policy was first written was
>> to allow more fine grained control than the example policy, which
>> grouped large amounts of access rules within a single macro
>> (can_network, for example). So we wanted to avoid this, and perhaps the
>> pendulum swung too far to the opposite degree.
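An added example, in refpolicy syntax, of the attribute-plus-interface bundling described above (not code from any message in this thread); it uses an opt-in attribute rather than domain, so a confined domain that must not read etc_t simply never calls the interface. The attribute app_common_domain and the interface app_common_domain_type are assumed names; libs_use_ld_so, libs_use_shared_libs, miscfiles_read_localization, files_read_etc_files and domain_type are refpolicy's own interfaces.

```selinux
# Added example, not from the thread. app_common_domain and
# app_common_domain_type are assumed names; the libs_*, files_*,
# miscfiles_* interfaces and domain_type() are refpolicy's.

########## appcommon.te (a small local module) ##########

policy_module(appcommon, 1.0)

# One attribute stands in for "every confined app that wants the usual bundle".
attribute app_common_domain;

# Grant the repetitive access once, to the attribute, instead of per domain.
libs_use_ld_so(app_common_domain)
libs_use_shared_libs(app_common_domain)
miscfiles_read_localization(app_common_domain)
files_read_etc_files(app_common_domain)
# The "pipes & stream sockets" every app needs, on its own objects only.
allow app_common_domain self:fifo_file rw_fifo_file_perms;
allow app_common_domain self:unix_stream_socket create_stream_socket_perms;

########## appcommon.if ##########

## <summary>Make the domain an ordinary confined application domain.</summary>
## <param name="domain"><summary>Domain to opt into the common bundle.</summary></param>
interface(`app_common_domain_type',`
	gen_require(`
		attribute app_common_domain;
	')
	# Still a proper domain (the existing refpolicy attribute) ...
	domain_type($1)
	# ... plus the opt-in bundle. Expands to the same allow rules the
	# per-domain calls would have produced, so access is unchanged.
	typeattribute $1 app_common_domain;
')

########## any application's .te file ##########

type myapp_t;
# One call replaces the four or five lines every te file used to repeat.
# A domain that must not read etc_t just calls domain_type(myapp_t)
# instead and adds the libs_* lines itself, so the fine-grained case
# stays writable.
app_common_domain_type(myapp_t)
```

After building, sesearch -A -s myapp_t -t etc_t -c file shows the rule attributed to app_common_domain rather than myapp_t, which is how you confirm the bundle, and not a stray per-domain rule, is what granted the access.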