-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/25/2011 09:35 AM, James Carter wrote: > On Thu, 2011-08-25 at 09:04 -0400, Daniel J Walsh wrote: >> On 08/25/2011 02:17 AM, Harry Ciao wrote: >>> Hi Eric, >>> >>> Eric Paris 写道: >>>> On Tue, Aug 23, 2011 at 6:08 AM, Harry Ciao >>>> <qingtao.cao@xxxxxxxxxxxxx> wrote: >>>> >>>> >>>>> With this patchset, the size of policy.X would drop >>>>> significantly from 600+k down to 322+k bytes(since most of >>>>> tunables are default to false, and there is no else branch >>>>> of most conditionals). >>>>> >>>> >>>> I should point out that I think you're off by one order of >>>> magnitude. You went from a 6M policy to a 3.2M policy. But >>>> still. >>>> >>>> I decided to do a little playing with this yesterday in >>>> Fedora policy (where Dan already DRASTICALLY reduced the >>>> policy size by changing from type sets with removal to using >>>> all attributes. My numbers weren't quite as impressive as >>>> yours (and I'm not certain I did one thing correctly) >>>> >>>> Pre Patch: 2148552 bytes 89383 allow rules 193 booleans >>>> Post Patch (no policy changes) 2166328 bytes 89383 allow >>>> rules 193 booleans Post Patch WITH policy changes 2031150 >>>> bytes 79685 allow rules 4 booleans >>>> >>>> So our policy grows 0.8% with only the tools change. Our >>>> policy shrinks 5.5% with this change. So it certainly >>>> doesn't look like bad news. >>>> >>>> >>>> >>> No problem. I am using refpolicy from tresys tree and I have >>> applied my test patch to introduce a new keyword of "tunable" >>> and change tunable_policy() to use this tunable keyword rather >>> than the current "bool" keyword. 
Since your number of booleans >>> has dropped from 193 to 4, you must have applied this patch >>> correctly :-) >>> >>> Since most tunables declared by tunable_policy() would default >>> to false and most of these tunable_policy() blocks have just one if >>> branch, in practice no rules would ever be expanded and >>> written to raw policy for them, which is why I have seen a >>> significant drop from 6M to 3.22M. >>> >>> So I can only guess that in Fedora policy perhaps most tunables >>> default to true, or many tunable conditionals have two >>> branches, so the logically true branch would be expanded as >>> normal. Either way, the size of policy.X would decrease when >>> all disabled branches of rules are discarded. >>> >> >> The Fedora policy has removed all calls that do stuff like >> >> allow XYZ_t { file_type -shadow_t }:file read; >> <<snip>> I left the interfaces but I stopped using them. I replaced them with files calls. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk5XrZYACgkQrlYvE4MpobMBhQCeMu/rdbhb6c17fgZeGbQW0I1I OkYAoNW5RAAyiCTvtwz4KO5FuK1NEnx+ =u+94 -----END PGP SIGNATURE-----
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te index 633d2fc..8d62407 100644 --- a/policy/modules/admin/dpkg.te +++ b/policy/modules/admin/dpkg.te @@ -140,8 +140,8 @@ storage_raw_write_fixed_disk(dpkg_t) # for installing kernel packages storage_raw_read_fixed_disk(dpkg_t) -auth_relabel_all_files_except_auth_files(dpkg_t) -auth_manage_all_files_except_auth_files(dpkg_t) +files_relabel_non_security_files(dpkg_t) +files_manage_non_security_files(dpkg_t) auth_dontaudit_read_shadow(dpkg_t) files_exec_etc_files(dpkg_t) @@ -286,7 +286,7 @@ term_use_all_terms(dpkg_script_t) auth_dontaudit_getattr_shadow(dpkg_script_t) # ideally we would not need this -auth_manage_all_files_except_auth_files(dpkg_script_t) +files_manage_non_security_files(dpkg_script_t) init_domtrans_script(dpkg_script_t) init_use_script_fds(dpkg_script_t) diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index 7d964bf..ba6e400 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -154,8 +154,8 @@ storage_raw_read_fixed_disk(rpm_t) term_list_ptys(rpm_t) -auth_relabel_all_files_except_auth_files(rpm_t) -auth_manage_all_files_except_auth_files(rpm_t) +files_relabel_all_files(rpm_t) +files_manage_all_files(rpm_t) auth_dontaudit_read_shadow(rpm_t) auth_use_nsswitch(rpm_t) @@ -304,8 +304,8 @@ term_use_all_terms(rpm_script_t) auth_dontaudit_getattr_shadow(rpm_script_t) auth_use_nsswitch(rpm_script_t) # ideally we would not need this -auth_manage_all_files_except_auth_files(rpm_script_t) -auth_relabel_shadow(rpm_script_t) +files_manage_all_files(rpm_script_t) +files_relabel_all_files(rpm_script_t) corecmd_exec_all_executables(rpm_script_t) diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te index ebaff2f..de6b197 100644 --- a/policy/modules/admin/sosreport.te +++ b/policy/modules/admin/sosreport.te 
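Review bot: In the two rpm.te hunks, rpm_t and rpm_script_t move from auth_manage_all_files_except_auth_files to files_manage_all_files, and rpm_script_t from auth_relabel_shadow to files_relabel_all_files, which widens both domains to the security file types that the replaced interfaces excluded by name; neither the patch nor the covering mail explains the widening. dpkg.te in the same patch gets the narrower files_manage_non_security_files / files_relabel_non_security_files, so the two package managers end up with different privilege sets for no stated reason. If the wider set is intended for rpm scriptlets, say so in the commit message and keep the explicit `auth_relabel_shadow(rpm_script_t)` line next to a non-security relabel rather than the blanket interface; otherwise use the same calls dpkg_t gets, `files_relabel_non_security_files(rpm_t)` and `files_manage_non_security_files(rpm_t)`.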
@@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t) # some config files do not have configfile attribute # sosreport needs to read various files on system -auth_read_all_files_except_auth_files(sosreport_t) +files_read_non_security_files(sosreport_t) auth_use_nsswitch(sosreport_t) init_domtrans_script(sosreport_t) diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te index 045fb86..a51a92d 100644 --- a/policy/modules/admin/sxid.te +++ b/policy/modules/admin/sxid.te @@ -66,7 +66,7 @@ fs_list_all(sxid_t) term_dontaudit_use_console(sxid_t) -auth_read_all_files_except_auth_files(sxid_t) +files_read_non_security_files(sxid_t) auth_dontaudit_getattr_shadow(sxid_t) init_use_fds(sxid_t) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index deb24b4..225c263 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if 
@@ -663,12 +663,63 @@ interface(`files_read_non_security_files',` attribute non_security_file_type; ') + list_dirs_pattern($1, non_security_file_type, non_security_file_type) read_files_pattern($1, non_security_file_type, non_security_file_type) read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) ') ######################################## ## <summary> +## Manage all non-security files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_manage_non_security_files',` + gen_require(` + attribute non_security_file_type; + ') + + manage_files_pattern($1, non_security_file_type, non_security_file_type) + manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type) +') + +######################################## +## <summary> +## Relabel all non-security files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_relabel_non_security_files',` + gen_require(` + attribute non_security_file_type; + ') + + relabel_files_pattern($1, non_security_file_type, non_security_file_type) + allow $1 { non_security_file_type }:dir list_dir_perms; + relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type }) + relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type }) + relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type }) + relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type }) + relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type }) + relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type }) + relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type }) + + # satisfy the assertions: + seutil_relabelto_bin_policy($1) +') + +######################################## +## 
<summary> ## Read all directories on the filesystem, except ## the listed exceptions. ## </summary> @@ -2451,7 +2502,7 @@ interface(`files_read_etc_files',` ## </summary> ## <param name="domain"> ## <summary> -## Domain allowed access. +## Domain to not audit. ## </summary> ## </param> # @@ -3945,7 +3996,7 @@ interface(`files_getattr_tmp_dirs',` ## </summary> ## <param name="domain"> ## <summary> -## Domain allowed access. +## Domain to not audit. ## </summary> ## </param> # @@ -4017,7 +4068,7 @@ interface(`files_list_tmp',` ## </summary> ## <param name="domain"> ## <summary> -## Domain not to audit. +## Domain to not audit. ## </summary> ## </param> # @@ -4202,7 +4253,7 @@ interface(`files_relabel_all_tmp_dirs',` ## </summary> ## <param name="domain"> ## <summary> -## Domain not to audit. +## Domain to not audit. ## </summary> ## </param> # @@ -4262,7 +4313,7 @@ interface(`files_relabel_all_tmp_files',` ## </summary> ## <param name="domain"> ## <summary> -## Domain not to audit. +## Domain to not audit. ## </summary> ## </param> # diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index eac9961..797f131 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -336,7 +336,7 @@ optional_policy(` fs_read_noxattr_fs_symlinks(kernel_t) auth_read_all_dirs_except_auth_files(kernel_t) - auth_read_all_files_except_auth_files(kernel_t) + files_read_non_security_files(kernel_t) auth_read_all_symlinks_except_auth_files(kernel_t) ') @@ -346,7 +346,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) - auth_manage_all_files_except_auth_files(kernel_t) + files_manage_non_security_files(kernel_t) ') ') diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te index 89ddeaa..4b5119b 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te 
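Review bot: In the new files_relabel_non_security_files, the first `relabel_files_pattern($1, non_security_file_type, non_security_file_type)` is repeated three lines later with the same arguments wrapped in braces; drop one of them, and drop the braces around the single attribute in the remaining `relabel_*_pattern` calls so the interface reads like files_manage_non_security_files directly above it. `list_dirs_pattern` is newly added to the pre-existing files_read_non_security_files, so every current caller of that interface silently gains directory listing on all non-security types; that deserves a sentence in the commit message. Callers in kernel.te, rpc.te, rsync.te, samba.te and mount.te keep auth_read_all_dirs_except_auth_files / auth_read_all_symlinks_except_auth_files next to the new call, so their readable set becomes the union of two differently defined sets, which is hard to audit. The trailing `seutil_relabelto_bin_policy($1)` appears to make a kernel-layer interface depend on the system layer, and the `# satisfy the assertions:` comment does not say which assertion; name it, e.g. `# needed for the relabelto neverallow on bin policy files in selinuxutil`, if that is the one, or reconsider where the interface lives.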
@@ -30,7 +30,7 @@ mls_file_upgrade(secadm_t) mls_file_downgrade(secadm_t) auth_role(secadm_r, secadm_t) -auth_relabel_all_files_except_auth_files(secadm_t) +files_relabel_non_security_files(secadm_t) auth_relabel_shadow(secadm_t) init_exec(secadm_t) diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te index 02ffdfb..69c2d2c 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -261,7 +261,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` tunable_policy(`allow_ftpd_full_access',` allow ftpd_t self:capability { dac_override dac_read_search }; - auth_manage_all_files_except_auth_files(ftpd_t) + files_manage_non_security_files(ftpd_t) ') tunable_policy(`ftp_home_dir',` @@ -394,7 +394,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) - auth_manage_all_files_except_auth_files(sftpd_t) + files_manage_non_security_files(sftpd_t) ') tunable_policy(`use_samba_home_dirs',` diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te index 941f6e1..68985da 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -134,7 +134,7 @@ sysnet_dns_name_resolve(puppet_t) sysnet_run_ifconfig(puppet_t, system_r) tunable_policy(`puppet_manage_all_files',` - auth_manage_all_files_except_auth_files(puppet_t) + files_manage_non_security_files(puppet_t) ') optional_policy(` diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te index c537000..52ec13b 100644 --- a/policy/modules/services/rgmanager.te +++ b/policy/modules/services/rgmanager.te 
@@ -92,7 +92,7 @@ term_getattr_pty_fs(rgmanager_t) #term_use_ptmx(rgmanager_t) # needed by resources scripts -auth_read_all_files_except_auth_files(rgmanager_t) +files_read_non_security_files(rgmanager_t) auth_dontaudit_getattr_shadow(rgmanager_t) auth_use_nsswitch(rgmanager_t) diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index 62fca97..6c6d18b 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -158,7 +158,7 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) - auth_manage_all_files_except_auth_files(nfsd_t) + files_manage_non_security_files(nfsd_t) ') tunable_policy(`nfs_export_all_ro',` @@ -171,7 +171,7 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) auth_read_all_dirs_except_auth_files(nfsd_t) - auth_read_all_files_except_auth_files(nfsd_t) + files_read_non_security_files(nfsd_t) ') ######################################## diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te index 1c381e1..51cedbd 100644 --- a/policy/modules/services/rsync.te +++ b/policy/modules/services/rsync.te @@ -126,7 +126,7 @@ tunable_policy(`rsync_export_all_ro',` fs_read_nfs_files(rsync_t) fs_read_cifs_files(rsync_t) auth_read_all_dirs_except_auth_files(rsync_t) - auth_read_all_files_except_auth_files(rsync_t) + files_read_non_security_files(rsync_t) auth_read_all_symlinks_except_auth_files(rsync_t) auth_tunable_read_shadow(rsync_t) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index df830cf..d1f1a15 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te 
@@ -451,17 +451,17 @@ tunable_policy(`samba_create_home_dirs',` tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) auth_read_all_dirs_except_auth_files(smbd_t) - auth_read_all_files_except_auth_files(smbd_t) + files_read_non_security_files(smbd_t) fs_read_noxattr_fs_files(nmbd_t) auth_read_all_dirs_except_auth_files(nmbd_t) - auth_read_all_files_except_auth_files(nmbd_t) + files_read_non_security_files(nmbd_t) ') tunable_policy(`samba_export_all_rw',` fs_read_noxattr_fs_files(smbd_t) - auth_manage_all_files_except_auth_files(smbd_t) + files_manage_non_security_files(smbd_t) fs_read_noxattr_fs_files(nmbd_t) - auth_manage_all_files_except_auth_files(nmbd_t) + files_manage_non_security_files(nmbd_t) userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index 94e49e8..fd331b9 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -143,7 +143,7 @@ ifdef(`distro_ubuntu',` tunable_policy(`allow_mount_anyfile',` auth_read_all_dirs_except_auth_files(mount_t) - auth_read_all_files_except_auth_files(mount_t) + files_read_non_security_files(mount_t) files_mounton_non_security(mount_t) ') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 508b206..52a5442 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -327,8 +327,8 @@ selinux_compute_create_context(restorecond_t) selinux_compute_relabel_context(restorecond_t) selinux_compute_user_contexts(restorecond_t) -auth_relabel_all_files_except_auth_files(restorecond_t ) -auth_read_all_files_except_auth_files(restorecond_t) +files_relabel_non_security_files(restorecond_t ) +files_read_non_security_files(restorecond_t) auth_use_nsswitch(restorecond_t) locallogin_dontaudit_use_fds(restorecond_t)
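Review bot: `files_relabel_non_security_files(restorecond_t )` in the selinuxutil.te hunk carries over the stray space before the closing parenthesis from the removed line; since the line is being rewritten anyway, make it `files_relabel_non_security_files(restorecond_t)` to match every other call in the patch. The same hunk leaves restorecond_t with read plus relabel over the non-security set only, which is a like-for-like replacement of the two auth_* calls, so no privilege change is implied there.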