This patch eliminates the expansion of the file_type attribute (due to the "-" set operation) for the *_non_security interfaces by creating a non_security_file_type attribute. It also creates a files_security_mountpoint interface that is used for auditd_log_t so that it does not get both the security_file_type and the non_security_file_type attributes. On my system the resulting binary policy is almost 20% smaller. The difference is so large because there are over 1000 types labeled with the file_type attribute. Comparing the binary policies with sediff before and after applying this patch shows no differences.
kernel/files.if | 81 +++++++++++++++++++++++++++++++++---------------------
kernel/files.te | 2 +
system/logging.te | 3 --
3 files changed, 53 insertions(+), 33 deletions(-)
Index: policy/modules/kernel/files.if
===================================================================
--- policy/modules/kernel/files.if (revision 2767)
+++ policy/modules/kernel/files.if (working copy)
@@ -32,10 +32,10 @@
 #
 interface(`files_type',`
 gen_require(`
- attribute file_type;
+ attribute file_type, non_security_file_type;
 ')
 
- typeattribute $1 file_type;
+ typeattribute $1 file_type, non_security_file_type;
 ')
 
 ########################################
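Review bot: With `files_type` here and `files_security_file` in the next hunk each assigning `file_type` on their own, nothing stops a type from being passed to both and ending up in `security_file_type` and `non_security_file_type` at once, which would silently re-open every `*_non_security` interface (the `files_list_non_security` through `files_manage_non_security_dirs` hunks) on that security file. The description says sediff shows no difference today, but the disjointness used to be a computed set and is now a convention, so it should be stated where callers and reviewers will see it; the `files_type` summary block sits above this hunk. I would add to that summary `## Do not use this for security files; call files_security_file() instead, since this interface also adds non_security_file_type.` and, after the new `typeattribute` line, `# non_security_file_type must stay disjoint from security_file_type`.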
@@ -217,15 +217,34 @@
 #
 interface(`files_security_file',`
 gen_require(`
- attribute security_file_type;
+ attribute file_type, security_file_type;
 ')
 
- files_type($1)
- typeattribute $1 security_file_type;
+ typeattribute $1 file_type, security_file_type;
 ')
 
 ########################################
 ## <summary>
+## Make the specified type usable for
+## security file filesystem mount points.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used for mount points.
+## </summary>
+## </param>
+#
+interface(`files_security_mountpoint',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ files_security_file($1)
+ typeattribute $1 mountpoint;
+')
+
+########################################
+## <summary>
 ## Make the specified type a file
 ## used for temporary files.
 ## </summary>
@@ -316,10 +335,10 @@
 #
 interface(`files_list_non_security',`
 gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
 ')
 
- list_dirs_pattern($1, { file_type -security_file_type }, { file_type -security_file_type })
+ list_dirs_pattern($1, non_security_file_type, non_security_file_type)
 ')
 
 ########################################
@@ -335,10 +354,10 @@
 #
 interface(`files_dontaudit_list_non_security',`
 gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
 ')
 
- dontaudit $1 { file_type -security_file_type }:dir list_dir_perms;
+ dontaudit $1 non_security_file_type:dir list_dir_perms;
 ')
 
 ########################################
@@ -354,11 +373,11 @@
 #
 interface(`files_mounton_non_security',`
 gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
 ')
 
- allow $1 { file_type -security_file_type }:dir mounton;
- allow $1 { file_type -security_file_type }:file mounton;
+ allow $1 non_security_file_type:dir mounton;
+ allow $1 non_security_file_type:file mounton;
 ')
 
 ########################################
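Review bot: The new `files_security_mountpoint` interface documents what it does but not why a caller must pick it over the existing `files_mountpoint` plus `files_security_file` pair, which is exactly the substitution the logging.te hunk makes for `auditd_log_t`. If `files_mountpoint` still goes through `files_type` (the removed pair in logging.te suggests so, but its body is not in this patch), calling it on a security file type now tags that type as `non_security_file_type` as well, and the summary is the place to say so. I would extend the summary to `## Make the specified type a security file that is also usable as a filesystem mount point. Use this instead of files_mountpoint() for security file types, since files_mountpoint() also marks the type as a non-security file.`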
@@ -373,10 +392,10 @@
 #
 interface(`files_write_non_security_dirs',`
 gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
 ')
 
- allow $1 { file_type -security_file_type }:dir write;
+ allow $1 non_security_file_type:dir write;
 ')
 
 ########################################
@@ -430,10 +449,10 @@
 #
 interface(`files_dontaudit_getattr_non_security_files',`
 gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
 ')
 
- dontaudit $1 { file_type -security_file_type }:file getattr;
+ dontaudit $1 non_security_file_type:file getattr;
 ')
 
 ########################################
@@ -498,11 +517,11 @@
 #
 interface(`files_read_non_security_files',`
 gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
 ')
 
- read_files_pattern($1, { file_type -security_file_type }, { file_type -security_file_type })
- read_lnk_files_pattern($1, { file_type -security_file_type }, { file_type -security_file_type })
+ read_files_pattern($1, non_security_file_type, non_security_file_type)
+ read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
 ')
 
 ########################################
@@ -648,10 +667,10 @@
 #
 interface(`files_dontaudit_getattr_non_security_symlinks',`
 gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
 ')
 
- dontaudit $1 { file_type -security_file_type }:lnk_file getattr;
+ dontaudit $1 non_security_file_type:lnk_file getattr;
 ')
 
 ########################################
@@ -667,10 +686,10 @@
 #
 interface(`files_dontaudit_getattr_non_security_blk_files',`
 gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
 ')
 
- dontaudit $1 { file_type -security_file_type }:blk_file getattr;
+ dontaudit $1 non_security_file_type:blk_file getattr;
 ')
 
 ########################################
@@ -686,10 +705,10 @@
 #
 interface(`files_dontaudit_getattr_non_security_chr_files',`
 gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
 ')
 
- dontaudit $1 { file_type -security_file_type }:chr_file getattr;
+ dontaudit $1 non_security_file_type:chr_file getattr;
 ')
 
 ########################################
@@ -763,10 +782,10 @@
 #
 interface(`files_dontaudit_getattr_non_security_pipes',`
 gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
 ')
 
- dontaudit $1 { file_type -security_file_type }:fifo_file getattr;
+ dontaudit $1 non_security_file_type:fifo_file getattr;
 ')
 
 ########################################
@@ -820,10 +839,10 @@
 #
 interface(`files_dontaudit_getattr_non_security_sockets',`
 gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
 ')
 
- dontaudit $1 { file_type -security_file_type }:sock_file getattr;
+ dontaudit $1 non_security_file_type:sock_file getattr;
 ')
 
 ########################################
@@ -4763,8 +4782,8 @@
 #
 interface(`files_manage_non_security_dirs',`
 gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
 ')
 
- allow $1 { file_type -security_file_type }:dir manage_dir_perms;
+ allow $1 non_security_file_type:dir manage_dir_perms;
 ')
Index: policy/modules/kernel/files.te
===================================================================
--- policy/modules/kernel/files.te (revision 2767)
+++ policy/modules/kernel/files.te (working copy)
@@ -26,6 +26,8 @@
 # sensitive security files whose accesses should
 # not be dontaudited for uses
 attribute security_file_type;
+# and its opposite
+attribute non_security_file_type;
 
 attribute tmpfile;
 attribute tmpfsfile;
Index: policy/modules/system/logging.te
===================================================================
--- policy/modules/system/logging.te (revision 2767)
+++ policy/modules/system/logging.te (working copy)
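Review bot: In the files.te hunk on this line the added comment `# and its opposite` tells a reader nothing about how a type comes to carry `non_security_file_type` or what the `*_non_security` interfaces rely on, and since the attribute is no longer derived from `file_type -security_file_type` that is the information a maintainer adding a new file type needs. I would replace it with `# every other file type; assigned only by files_type() and relied on by the *_non_security interfaces, so it must never overlap with security_file_type`.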
@@ -17,8 +17,7 @@
 files_security_file(auditd_etc_t)
 
 type auditd_log_t;
-files_security_file(auditd_log_t)
-files_mountpoint(auditd_log_t)
+files_security_mountpoint(auditd_log_t)
 
 type auditd_t;
 type auditd_exec_t;
-- James Carter <jwcart2@xxxxxxxxxxxxx> National Security Agency
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.