On Mon, Nov 18, 2019 at 4:51 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 11/18/19 4:10 AM, Ondrej Mosnacek wrote:
> > A couple comments below...
> >
> > On Fri, Nov 15, 2019 at 12:44 PM Richard Haines
> > <richard_c_haines@xxxxxxxxxxxxxx> wrote:
> <snip>
> >> +########### Allow these domains to be entered from sysadm domain ############
> >> +#
> >> +miscfiles_domain_entry_test_files(finitmoddomain)
> >> +userdom_sysadm_entry_spec_domtrans_to(finitmoddomain)
> >> +miscfiles_domain_entry_test_files(initmoddomain)
> >> +userdom_sysadm_entry_spec_domtrans_to(initmoddomain)
> >
> > It seems that the finitmoddomain and initmoddomain type sets are
> > exactly the same except for names - can they be merged into just one
> > set of types? The AVC denials should still be easily distinguishable
> > by the comm= field if that's the intended purpose of the separation.
>
> Do you just mean coalesce the type attributes together or coalesce the
> individual types to which they refer?

I meant the latter.

> If the former, then the denials will still be distinguishable based on
> individual types; the attribute names are only used in policy, not in
> denials.

Coalescing the attributes makes sense to me too.

> If the latter, the individual types differ in that test_finitmod_t is
> only allowed module_load to a specific file type (test_file_t), i.e. it
> can only load modules from files with that type via finit_module(2),
> whereas test_initmod_t is allowed module_load to self as the fallback
> when using init_module(2) and hence can load module content at all.
> So coalescing those would detract from testing.

Ah, so there was a difference between them that I was missing :) In
that case please disregard my comment. I don't have an opinion on
whether to coalesce the attributes. It can stay as it is as far as I'm
concerned.

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
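Review bot: the quoted hunk applies the same two interface calls to each attribute separately (miscfiles_domain_entry_test_files and userdom_sysadm_entry_spec_domtrans_to, once for finitmoddomain and once for initmoddomain), so it could be halved by placing both test types under one shared attribute for the entry and domain-transition rules; as the thread notes, attribute names never appear in AVC denials, so nothing is lost for diagnosing test failures, and the types themselves can keep their distinct module_load targets (test_file_t versus self) in the rules that actually differ.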
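The finit_module(2) versus init_module(2) distinction explained in the thread above, as an added example that is not code from the selinux-testsuite or from the patch under review: finit_module(2) hands the kernel an open file descriptor, so the system:module_load check targets the SELinux type of that file (test_file_t in the discussion), while init_module(2) hands the kernel only a memory buffer, so the check falls back to the loading domain itself (self). The helper names (load_via_finit, load_via_init, load_buffer_via_init, describe) are my own; the errno mapping assumes the usual kernel behaviour that a denied permission surfaces as EACCES, and that a missing CAP_SYS_MODULE is reported as EPERM before any LSM check runs.

```c
/* Added example (not from the selinux-testsuite or the reviewed patch):
 * exercise both module loading paths and report the failure in the terms
 * a policy tester cares about.  Each loader returns 0 on success or the
 * errno of the failure.  Helper names and the errno mapping are this
 * example's own assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* finit_module(2): the kernel reads the file itself, so SELinux checks
 * system:module_load against the file's type (the test_file_t case). */
int load_via_finit(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return errno;
    long rc = syscall(SYS_finit_module, fd, "", 0);
    int err = rc < 0 ? errno : 0;
    close(fd);
    return err;
}

/* init_module(2) on an in-memory image: the kernel never sees a file, so
 * SELinux checks system:module_load against the loading domain (self). */
int load_buffer_via_init(const void *image, size_t len)
{
    long rc = syscall(SYS_init_module, image, len, "");
    return rc < 0 ? errno : 0;
}

/* Read a file into memory and load it via init_module(2), so that the same
 * module file can be tried through both code paths. */
int load_via_init(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return errno;
    struct stat st;
    if (fstat(fd, &st) < 0) {
        int e = errno;
        close(fd);
        return e;
    }
    size_t len = st.st_size > 0 ? (size_t)st.st_size : 1;
    char *buf = malloc(len);
    if (!buf) {
        close(fd);
        return ENOMEM;
    }
    size_t got = 0;
    while (got < (size_t)st.st_size) {
        ssize_t n = read(fd, buf + got, (size_t)st.st_size - got);
        if (n < 0) {
            int e = errno;
            free(buf);
            close(fd);
            return e;
        }
        if (n == 0)
            break;
        got += (size_t)n;
    }
    close(fd);
    int err = load_buffer_via_init(buf, got);
    free(buf);
    return err;
}

/* Translate an errno from either loader into what a tester should look for:
 * EACCES means the LSM denied the load (expect an AVC denial for
 * system:module_load), EPERM means the caller lacks CAP_SYS_MODULE, which the
 * kernel checks before either path reaches SELinux. */
const char *describe(int err)
{
    switch (err) {
    case 0:      return "loaded";
    case EACCES: return "denied by LSM (expect an AVC denial for system:module_load)";
    case EPERM:  return "no CAP_SYS_MODULE (or module loading disabled)";
    case ENOENT: return "module file not found";
    default:     return strerror(err);
    }
}

int main(int argc, char **argv)
{
    if (argc != 3 || (strcmp(argv[1], "finit") != 0 && strcmp(argv[1], "init") != 0)) {
        fprintf(stderr, "usage: %s finit|init /path/to/module.ko\n", argv[0]);
        return 2;
    }
    int err = strcmp(argv[1], "finit") == 0 ? load_via_finit(argv[2])
                                            : load_via_init(argv[2]);
    printf("%s: %s\n", argv[1], describe(err));
    return err ? 1 : 0;
}
```

Run as the test domain in question (for example via runcon into test_finitmod_t or test_initmod_t) with the same module file: the finit path is expected to succeed only when the file carries the allowed type, while the init path depends solely on the domain's module_load to self, which is why coalescing the two types would remove one of the two cases the suite exercises. Outside a privileged test setup, both paths return EPERM before any SELinux check is reached.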