Re: [RFC] files: Make files_{relabel,manage}_non_security_types work on all file types

Chris PeBenito <pebenito@xxxxxxxx> writes:

> On 1/17/20 6:15 PM, Henrik Grindal Bakken wrote:
>> From: Henrik Grindal Bakken <henribak@xxxxxxxxx>
>>
>> This is the same behaviour as files_*_non_auth_types have.

[...]

> NAK.  Access per object class is already split up across separate
> interfaces, so doing this would be confusing and prevent someone from
> getting file-only access.

Ok.  Then I would recommend rewriting the systemd_tmpfiles_t rules a
bit, because today it has a serious amount of AVC violations for pretty
standard usage.

There are no matching interfaces for lnk_files, at least.  Any
suggestions as to how to set up the tmpfiles rules?

A new interface like this:

interface(`manage_non_security_somethingsomething',`
	gen_require(`
		attribute non_security_file_type;
	')

	manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
	manage_files_pattern($1, non_security_file_type, non_security_file_type)
	manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
	manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
	manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
')

or

interface(`manage_stuff',`
	manage_dirs_pattern($1, $2, $2)
	manage_files_pattern($1, $2, $2)
	manage_lnk_files_pattern($1, $2, $2)
	manage_fifo_files_pattern($1, $2, $2)
	manage_sock_files_pattern($1, $2, $2)
')

or call the manage_*_pattern() stuff directly from systemd.te?

(I guess one should add stuff for chr_file, etc)

-- 
Henrik Grindal Bakken <hgb@xxxxxxxxxx>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963  02AF 9236 D25A 8D43 6E52
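Added example, not part of the thread: a small Python triage helper that groups one domain's AVC denials by target type and object class and names the refpolicy manage_*_pattern() macro covering each class, which is how one would find out that lnk_file (and possibly chr_file) rules are missing for systemd_tmpfiles_t. The audit records are constructed; the macro names are refpolicy's.

```python
import re
from collections import defaultdict

# Constructed AVC records, not taken from the thread; types and names are illustrative.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1579300000.123:456): avc:  denied  { create } for  pid=1234 comm="systemd-tmpfile" name="foo" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1579300000.124:457): avc:  denied  { read } for  pid=1234 comm="systemd-tmpfile" name="foo" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1579300000.125:458): avc:  denied  { setattr } for  pid=1234 comm="systemd-tmpfile" name="log" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1579300000.126:459): avc:  denied  { read } for  pid=999 comm="sshd" name="x" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1579300000.126:459): arch=c000003e syscall=257 success=no exit=-13
"""

# refpolicy manage_*_pattern() macro for each file-like object class
PATTERN_FOR_CLASS = {
    "dir": "manage_dirs_pattern", "file": "manage_files_pattern",
    "lnk_file": "manage_lnk_files_pattern", "fifo_file": "manage_fifo_files_pattern",
    "sock_file": "manage_sock_files_pattern", "chr_file": "manage_chr_files_pattern",
    "blk_file": "manage_blk_files_pattern",
}
TOKEN_RE = re.compile(r"(\w+)=(\S+)")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \}")

def parse_avc(line):
    """Return (source_domain, target_type, tclass, perms) or None for non-AVC records."""
    m = PERMS_RE.search(line)
    if m is None:
        return None
    f = dict(TOKEN_RE.findall(line))
    # a context is user:role:type:level; the type is the third field
    return f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"], set(m.group(1).split())

def suggest_patterns(audit_text, domain):
    """Group one domain's denials by target type and class; return per class the covering
    macro call and the permissions actually denied, so a reviewer can judge if manage_* is too much."""
    denied = defaultdict(lambda: defaultdict(set))
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed and parsed[0] == domain and parsed[2] in PATTERN_FOR_CLASS:
            _, ttype, tclass, perms = parsed
            denied[ttype][tclass] |= perms
    return {
        ttype: [(f"{PATTERN_FOR_CLASS[c]}({domain}, {ttype}, {ttype})", tuple(sorted(p)))
                for c, p in sorted(classes.items())]
        for ttype, classes in sorted(denied.items())
    }

if __name__ == "__main__":
    for ttype, calls in suggest_patterns(SAMPLE_AUDIT, "systemd_tmpfiles_t").items():
        for call, perms in calls:
            print(f"{call}  # denied: {' '.join(perms)}")
```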