Marcelo Klein wrote:
> Is there any possibility of writing bundles of policies that can be
> "imported" into other configurations?
> Such as defining a package for a set of policies like "shared-libs", and
> then when writing the policy putting "import shared-libs" or something like
> that?
> Is this too complex to do?
>
> Marcelo.
>
No, this is what interfaces do, although they are more like function calls.

We have two ways of grouping access to a domain, either directly through
allow rules, or by adding an attribute. For example

type httpd_t, domain;
allow domain self:file read;

or

allow httpd_t self:file read;

Both generate the same policy. In refpolicy we have an interface
domain_type() which adds the domain attribute. So we could move all

libs_use_ld_so(domain)
libs_use_shared_libs(domain)

and eliminate these rules from all te files.

The question is what granularity you do this at. Almost every confined
domain needs to read etc_t, so if we added

files_read_etc_files(domain)

we could remove those, but now if someone wanted to write a confined domain
without access to etc_t, his policy is a lot harder to write.

> 2008/2/22, Daniel J Walsh <dwalsh@xxxxxxxxxx>:
> > Bill Nottingham wrote:
>>>> I was writing policy today, and I couldn't help notice a lot of
>>>> repetitiveness in our policy:
>>>>
>>>> libs_use_ld_so(...)
>>>> libs_use_shared_libs(...)
>>>>
>>>> These are needed by, well, everything. Can't they be
>>>> assumed-unless-denied?
>>>> Similarly, 99% of confined apps need:
>>>>
>>>> miscfiles_read_localization()
>>>> files_read_etc_files(.)
>>>> pipes & stream sockets
>>>>
>>>> Is there a way to streamline policy so there is a lot less
>>>> repetition?
>>>>
>>>> Bill
>>>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list@xxxxxxxxxx
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> We have talked about this in the past, and so far it has not gone
> anywhere.
> The original goal when refpolicy was first written was
> to allow more fine grained control than the example policy, which
> grouped large amounts of access rules within a single macro
> (can_network, for example). So we wanted to avoid this, and perhaps the
> pendulum swung too far to the opposite degree.
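Added example, not code from refpolicy, Fedora policy or anyone in the thread: it shows the attribute-based grouping the reply above describes, written as a refpolicy-style interface, and keeps the etc_t escape hatch the reply worries about. The interface example_common_domain_type(), the attribute example_common_domain, the module names and the domains myapp_t and restricted_t are hypothetical names chosen for this illustration; domain_type(), libs_use_ld_so(), libs_use_shared_libs(), files_read_etc_files(), miscfiles_read_localization(), the attribute domain and the type etc_t are the refpolicy names quoted in the thread.

```m4
# --- example_common.if ----------------------------------------------------
# (hypothetical interface file; names are assumptions for the example)

## <summary>Common access shared by most confined domains.</summary>

## <summary>
##	Make the type a domain and give it the access almost every confined
##	domain needs (dynamic loader, shared libraries, /etc, localization).
##	A domain that must NOT read etc_t calls domain_type() directly instead
##	and pulls in only the interfaces it really needs.
## </summary>
## <param name="type">
##	<summary>Type to be used as a domain.</summary>
## </param>
interface(`example_common_domain_type',`
	gen_require(`
		attribute example_common_domain;
	')

	domain_type($1)
	typeattribute $1 example_common_domain;
')

# --- example_common.te ----------------------------------------------------
policy_module(example_common, 1.0.0)

attribute example_common_domain;

# Written once against the attribute: every type carrying it receives these
# rules, so the per-domain .te files stop repeating the same four lines.
libs_use_ld_so(example_common_domain)
libs_use_shared_libs(example_common_domain)
files_read_etc_files(example_common_domain)
miscfiles_read_localization(example_common_domain)

# --- myapp.te: an ordinary confined daemon (hypothetical) -----------------
policy_module(myapp, 1.0.0)

type myapp_t;
example_common_domain_type(myapp_t)   # ld.so, libs, etc_t, locale in one call

# --- restricted.te: a confined domain that must not see /etc (hypothetical)
policy_module(restricted, 1.0.0)

type restricted_t;
domain_type(restricted_t)             # the domain attribute only, no bundle
libs_use_ld_so(restricted_t)          # opt in to exactly what it needs
libs_use_shared_libs(restricted_t)

# Build-time assertion: if any rule, including one that reaches restricted_t
# through an attribute, ever grants reading etc_t, the policy fails to build
# instead of loading with the unwanted access.
gen_require(`
	type etc_t;
')
neverallow restricted_t etc_t:file { read open };
```

The trade-off from the thread is visible in the two .te files: myapp.te shrinks to one interface call, while restricted.te is no harder to write than today because it simply does not take the bundle. The neverallow rule is what makes that separation checkable; note that semodule only honours neverallow rules at module link time when expand-check=1 is set in /etc/selinux/semanage.conf, so a module that violates it on a host with expand-check=0 would load silently.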