On Fri, 2008-06-27 at 14:55 -0400, James Carter wrote: > This patch eliminates the expansion of the file_type attribute (due to > the "-" set operation) for the *_non_security interfaces by creating a > non_security_file_type attribute. > > On my system the resulting binary policy is almost 20% smaller. The > difference is so large because there are over 1000 types labeled with > the file_type attribute. I'm hesitant to attach non_security_file_type to the files_type attribute, since it's not clear to me that it makes conceptual sense. In fact a sediff of the policy reveals that auditd_log_t gains non_security_file_type while it already has security_file_type, which results in rule additions with this patch added. > files.if | 61 ++++++++++++++++++++++++++++++------------------------------- > files.te | 2 ++ > 2 files changed, 32 insertions(+), 31 deletions(-) > > Index: policy/modules/kernel/files.if > =================================================================== > --- policy/modules/kernel/files.if (revision 2739) > +++ policy/modules/kernel/files.if (working copy) > @@ -32,10 +32,10 @@ > # > interface(`files_type',` > gen_require(` > - attribute file_type; > + attribute file_type, non_security_file_type; > ') > > - typeattribute $1 file_type; > + typeattribute $1 file_type, non_security_file_type; > ') > > ######################################## > @@ -217,11 +217,10 @@ > # > interface(`files_security_file',` > gen_require(` > - attribute security_file_type; > + attribute file_type, security_file_type; > ') > > - files_type($1) > - typeattribute $1 security_file_type; > + typeattribute $1 file_type, security_file_type; > ') > > ########################################
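Review bot: The files_type hunk makes every caller a member of non_security_file_type without saying so; the interface's doc block sits above the hunk, outside this view, and as far as the diff shows it still describes only file_type. I would add to that doc block a line such as `## Also marks $1 as non_security_file_type; do not apply this interface to a type that is also passed to files_security_file().` The reason it matters is that the policy language can add an attribute but never remove one, so the old set `{ file_type -security_file_type }` excluded a security file no matter how it was declared, whereas the new attribute excludes it only if nothing ever routed the type through files_type().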
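Review bot: Dropping the `files_type($1)` call in files_security_file keeps this interface from handing out non_security_file_type, but only for types that have not already gone through files_type() — directly or via some other interface that wraps it; such a type keeps both attributes, and every *_non_security allow rule in this patch then matches a security file. As far as I know the policy language has no assertion for "these two attributes are disjoint", so I would at least state the constraint in the interface's doc block (which lies outside the hunk): `## $1 must not also be passed to files_type(); a type holding both security_file_type and non_security_file_type is matched by the *_non_security interfaces.` A post-build check that the two memberships do not intersect (for example comparing `seinfo -asecurity_file_type -x` with `seinfo -anon_security_file_type -x`) would catch regressions that the smaller binary alone hides.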
> @@ -316,10 +315,10 @@
> #
> interface(`files_list_non_security',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - list_dirs_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type })
> + list_dirs_pattern($1,non_security_file_type,non_security_file_type)
> ')
>
> ########################################
> @@ -335,10 +334,10 @@
> #
> interface(`files_dontaudit_list_non_security',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - dontaudit $1 { file_type -security_file_type }:dir list_dir_perms;
> + dontaudit $1 non_security_file_type:dir list_dir_perms;
> ')
>
> ########################################
> @@ -354,11 +353,11 @@
> #
> interface(`files_mounton_non_security',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - allow $1 { file_type -security_file_type }:dir mounton;
> - allow $1 { file_type -security_file_type }:file mounton;
> + allow $1 non_security_file_type:dir mounton;
> + allow $1 non_security_file_type:file mounton;
> ')
>
> ########################################
> @@ -373,10 +372,10 @@
> #
> interface(`files_write_non_security_dirs',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - allow $1 { file_type -security_file_type }:dir write;
> + allow $1 non_security_file_type:dir write;
> ')
>
> ########################################
> @@ -430,10 +429,10 @@
> #
> interface(`files_dontaudit_getattr_non_security_files',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - dontaudit $1 { file_type -security_file_type }:file getattr;
> + dontaudit $1 non_security_file_type:file getattr;
> ')
>
> ########################################
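Review bot: The substitution in files_list_non_security is not an exact rewrite of the old set: `{ file_type -security_file_type }` was computed from every type carrying file_type, whereas non_security_file_type is populated only by the files_type() interface, so any type that acquired file_type some other way — I cannot tell from this hunk whether any exist — silently drops out of this rule. The same applies to every hunk that follows, down to files_manage_non_security_dirs. Before trusting the smaller binary, a sediff of the old policy against the new one should be checked for rules removed from these interfaces, not only for rules added.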
> @@ -498,11 +497,11 @@
> #
> interface(`files_read_non_security_files',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - read_files_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type })
> - read_lnk_files_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type })
> + read_files_pattern($1,non_security_file_type,non_security_file_type)
> + read_lnk_files_pattern($1,non_security_file_type,non_security_file_type)
> ')
>
> ########################################
> @@ -648,10 +647,10 @@
> #
> interface(`files_dontaudit_getattr_non_security_symlinks',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - dontaudit $1 { file_type -security_file_type }:lnk_file getattr;
> + dontaudit $1 non_security_file_type:lnk_file getattr;
> ')
>
> ########################################
> @@ -667,10 +666,10 @@
> #
> interface(`files_dontaudit_getattr_non_security_blk_files',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - dontaudit $1 { file_type -security_file_type }:blk_file getattr;
> + dontaudit $1 non_security_file_type:blk_file getattr;
> ')
>
> ########################################
> @@ -686,10 +685,10 @@
> #
> interface(`files_dontaudit_getattr_non_security_chr_files',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - dontaudit $1 { file_type -security_file_type }:chr_file getattr;
> + dontaudit $1 non_security_file_type:chr_file getattr;
> ')
>
> ########################################
> @@ -763,10 +762,10 @@
> #
> interface(`files_dontaudit_getattr_non_security_pipes',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - dontaudit $1 { file_type -security_file_type }:fifo_file getattr;
> + dontaudit $1 non_security_file_type:fifo_file getattr;
> ')
>
> ########################################
> @@ -820,10 +819,10 @@
> #
> interface(`files_dontaudit_getattr_non_security_sockets',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - dontaudit $1 { file_type -security_file_type }:sock_file getattr;
> + dontaudit $1 non_security_file_type:sock_file getattr;
> ')
>
> ########################################
> @@ -4763,8 +4762,8 @@
> #
> interface(`files_manage_non_security_dirs',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - allow $1 { file_type -security_file_type }:dir manage_dir_perms;
> + allow $1 non_security_file_type:dir manage_dir_perms;
> ')
> Index: policy/modules/kernel/files.te
> ===================================================================
> --- policy/modules/kernel/files.te (revision 2739)
> +++ policy/modules/kernel/files.te (working copy)
> @@ -26,6 +26,8 @@
> # sensitive security files whose accesses should
> # not be dontaudited for uses
> attribute security_file_type;
> +# and its opposite
> +attribute non_security_file_type;
>
> attribute tmpfile;
> attribute tmpfsfile;
-- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
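Review bot: The comment `# and its opposite` above the new attribute in files.te promises more than the policy enforces: nothing computes non_security_file_type as the complement of security_file_type; it is simply whatever files_type() tags, and a type that passes through both files_type() and files_security_file() ends up carrying both. I would replace the comment with two lines: `# file types that are not sensitive security files, as assigned by files_type();` followed by `# this is not a computed complement of security_file_type, so a type can hold both.` The surrounding run of attribute declarations continues outside the hunk.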