Re: [PATCH V2] selinux-testsuite: Add kernel module tests

On 11/18/19 4:10 AM, Ondrej Mosnacek wrote:
A couple comments below...

On Fri, Nov 15, 2019 at 12:44 PM Richard Haines
<richard_c_haines@xxxxxxxxxxxxxx> wrote:
<snip>
+########### Allow these domains to be entered from sysadm domain ############
+#
+miscfiles_domain_entry_test_files(finitmoddomain)
+userdom_sysadm_entry_spec_domtrans_to(finitmoddomain)
+miscfiles_domain_entry_test_files(initmoddomain)
+userdom_sysadm_entry_spec_domtrans_to(initmoddomain)
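Review bot: the four macro calls give finitmoddomain and initmoddomain identical sysadm entry and domtrans rules, so nothing in this hunk shows why two attributes exist; if they stay separate, a short note under the `#` line stating what distinguishes them (which module_load targets each attribute's types are allowed) would document the split in the policy itself rather than only in the review thread.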

It seems that the finitmoddomain and initmoddomain type sets are
exactly the same except for names - can they be merged into just one
set of types? The AVC denials should be still easily distinguishable
by the comm= field if that's the intended purpose of the separation.

Do you just mean coalesce the type attributes together or coalesce the individual types to which they refer?

If the former, then the denials will still be distinguishable based on individual types; the attribute names are only used in policy, not in denials. Coalescing the attributes makes sense to me too.

If the latter, the individual types differ in that test_finitmod_t is only allowed module_load to a specific file type (test_file_t), i.e. it can only load modules from files with that type via finit_module(2), whereas test_initmod_t is allowed module_load to self as the fallback when using init_module(2) and hence can load module content at all. So coalescing those would detract from testing.
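The point above, that attribute names never appear in AVC denials and only the source and target types do, can be checked by parsing audit output. The following is an added example, not code from the testsuite or from anyone in this thread: it parses constructed AVC lines (the comm values and the test_notfile_t target type are made up for illustration) and groups denials by source type, target type, class and permission, which is exactly the information a denial carries regardless of how the policy attributes are named.

```python
import re
from collections import defaultdict

# Constructed sample AVC lines (not taken from the thread or a real audit log).
# Types follow the policy discussed; comm values and test_notfile_t are made up.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1574000000.101:201): avc:  denied  { module_load } for  '
    'pid=4101 comm="test_finitmod" path="/tmp/mod.ko" dev="tmpfs" ino=17 '
    'scontext=unconfined_u:unconfined_r:test_finitmod_t:s0 '
    'tcontext=unconfined_u:object_r:test_notfile_t:s0 tclass=system permissive=0',
    'type=AVC msg=audit(1574000000.102:202): avc:  denied  { module_load } for  '
    'pid=4102 comm="test_initmod" '
    'scontext=unconfined_u:unconfined_r:test_initmod_t:s0 '
    'tcontext=unconfined_u:unconfined_r:test_initmod_t:s0 tclass=system permissive=0',
    'type=AVC msg=audit(1574000000.103:203): avc:  denied  { module_load } for  '
    'pid=4103 comm="test_finitmod" path="/tmp/mod.ko" dev="tmpfs" ino=17 '
    'scontext=unconfined_u:unconfined_r:test_finitmod_t:s0 '
    'tcontext=unconfined_u:object_r:test_notfile_t:s0 tclass=system permissive=0',
]

# "avc:  denied  { perm1 perm2 } for  key=value ..." is the kernel's AVC message shape.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    if ctx is None:
        return None
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec = {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'tclass': fields.get('tclass'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
    }
    # Only the concrete types survive into a denial; policy attributes do not.
    rec['stype'] = context_type(rec['scontext'])
    rec['ttype'] = context_type(rec['tcontext'])
    return rec


def summarize(lines):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            counts[(rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
    return dict(counts)


if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_AVC_LINES).items()):
        stype, ttype, tclass, perm = key
        print(f'{n:3d}  {stype} -> {ttype}  {tclass}:{perm}')
```

With the constructed input, the finit_module denials group under test_finitmod_t against the file type it was not allowed, while the init_module denial groups under test_initmod_t against itself; the attribute names finitmoddomain and initmoddomain never show up, which is why merging the attributes costs nothing for denial triage.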
