Policy redundancy and layout
Dominick Grift
domg472 at gmail.com
Mon Mar 1 18:27:33 UTC 2010
On 03/01/2010 06:46 PM, Scott Salley wrote:
> I have a project with multiple daemons (around 6) which share many
> common features (they access the network, create and maintain daemon
> specific files, access random numbers, etc...), though they each deal
> with a different set of tasks (monitoring network resources, providing
> network file sharing services, providing network authentication
> services, etc).
>
> Is it okay to use the interface file to define a set of common
> properties for these daemons to avoid listing everything out for each
> daemon? If not the interface file, then how should a common set of
> patterns for these daemons be defined?
>
> I found listing the rules for each daemon to be bug prone and tedious.
>
And you can also use attributes in interfaces.
For example (from telepathy.if):

########################################
## <summary>
##     Send DBus messages to and from
##     all Telepathy domains.
## </summary>
## <param name="domain">
##     <summary>
##     Domain allowed access.
##     </summary>
## </param>
#
interface(`telepathy_dbus_chat', `
    gen_require(`
        attribute tp_domains;
        class dbus send_msg;
    ')

    allow $1 tp_domains:dbus send_msg;
    allow tp_domains $1:dbus send_msg;
')

(from telepathy.te):

optional_policy(`
    telepathy_dbus_chat(tp_domains)
')

Meaning each domain type that has the tp_domains attribute assigned can
dbus chat to each domain type that has the tp_domains attribute assigned.
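
The attribute approach applied to the multi-daemon question above, as an added example that is not part of the original message or of the reference policy. The module name and every mydaemon_* type and attribute are hypothetical; the macros used are standard reference policy interfaces and support macros.

```selinux
# mydaemons.te: hypothetical module, all mydaemon_* names are made up
policy_module(mydaemons, 1.0.0)

# One attribute groups every daemon of the project.
attribute mydaemon_domain;

# Each daemon keeps its own domain and entry-point type and is
# tagged with the shared attribute when the type is declared.
type mydaemon_monitor_t, mydaemon_domain;
type mydaemon_monitor_exec_t;
init_daemon_domain(mydaemon_monitor_t, mydaemon_monitor_exec_t)

type mydaemon_share_t, mydaemon_domain;
type mydaemon_share_exec_t;
init_daemon_domain(mydaemon_share_t, mydaemon_share_exec_t)

type mydaemon_auth_t, mydaemon_domain;
type mydaemon_auth_exec_t;
init_daemon_domain(mydaemon_auth_t, mydaemon_auth_exec_t)

# Rules every daemon really needs are written once, against the
# attribute. Interfaces accept an attribute in place of a type.
allow mydaemon_domain self:tcp_socket create_stream_socket_perms;
dev_read_urand(mydaemon_domain)
logging_send_syslog_msg(mydaemon_domain)
sysnet_dns_name_resolve(mydaemon_domain)

# Daemon-specific files stay on the individual type, so one
# daemon cannot touch another daemon's data through the attribute.
type mydaemon_auth_db_t;
files_type(mydaemon_auth_db_t)
manage_files_pattern(mydaemon_auth_t, mydaemon_auth_db_t, mydaemon_auth_db_t)
```

Anything granted to the attribute is granted to every tagged domain, so only access that all of the daemons need belongs there. After loading the module, `seinfo -a mydaemon_domain -x` lists the types that carry the attribute.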