trunk: Policy size optimization with a non-security file attribute from James Carter.

2008-07-31 14:05:46 +00:00 · 2008-07-31 14:05:46 +00:00 · 3338f231d5
commit 3338f231d5
parent d13f876df7
4 changed files with 73 additions and 50 deletions
--- a/2
+++ b/2
@ -1,3 +1,5 @@
+- Policy size optimization with a non-security file attribute from James
+  Carter.
 - Database labeled networking update from KaiGai Kohei.
 - Several misc changes from the Fedora policy, cherry picked by David
  Hrdeman.
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@ -32,10 +32,10 @@
 #
 interface(`files_type',`
 	gen_require(`
-		attribute file_type;
+		attribute file_type, non_security_file_type;
 	')

-	typeattribute $1 file_type;
+	typeattribute $1 file_type, non_security_file_type;
 ')

 ########################################
@ -217,11 +217,30 @@ interface(`files_poly_member_tmp',`
 #
 interface(`files_security_file',`
 	gen_require(`
-		attribute security_file_type;
+		attribute file_type, security_file_type;
 	')

-	files_type($1)
-	typeattribute $1 security_file_type;
+	typeattribute $1 file_type, security_file_type;
+')
+
+########################################
+## <summary>
+##	Make the specified type usable for
+##	security file filesystem mount points.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for mount points.
+##	</summary>
+## </param>
+#
+interface(`files_security_mountpoint',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	files_security_file($1)
+	typeattribute $1 mountpoint;
 ')

 ########################################
@ -316,10 +335,10 @@ interface(`files_dontaudit_getattr_all_dirs',`
 #
 interface(`files_list_non_security',`
 	gen_require(`
-		attribute file_type, security_file_type;
+		attribute non_security_file_type;
 	')

-	list_dirs_pattern($1, { file_type -security_file_type }, { file_type -security_file_type })
+	list_dirs_pattern($1, non_security_file_type, non_security_file_type)
 ')

 ########################################
@ -335,10 +354,10 @@ interface(`files_list_non_security',`
 #
 interface(`files_dontaudit_list_non_security',`
 	gen_require(`
-		attribute file_type, security_file_type;
+		attribute non_security_file_type;
 	')

-	dontaudit $1 { file_type -security_file_type }:dir list_dir_perms;
+	dontaudit $1 non_security_file_type:dir list_dir_perms;
 ')

 ########################################
@ -354,11 +373,11 @@ interface(`files_dontaudit_list_non_security',`
 #
 interface(`files_mounton_non_security',`
 	gen_require(`
-		attribute file_type, security_file_type;
+		attribute non_security_file_type;
 	')

-	allow $1 { file_type -security_file_type }:dir mounton;
-	allow $1 { file_type -security_file_type }:file mounton;
+	allow $1 non_security_file_type:dir mounton;
+	allow $1 non_security_file_type:file mounton;
 ')

 ########################################
@ -373,10 +392,28 @@ interface(`files_mounton_non_security',`
 #
 interface(`files_write_non_security_dirs',`
 	gen_require(`
-		attribute file_type, security_file_type;
+		attribute non_security_file_type;
 	')

-	allow $1 { file_type -security_file_type }:dir write;
+	allow $1 non_security_file_type:dir write;
+')
+
+########################################
+## <summary>
+##	Allow attempts to manage non-security directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`files_manage_non_security_dirs',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	allow $1 non_security_file_type:dir manage_dir_perms;
 ')

 ########################################
@ -430,10 +467,10 @@ interface(`files_dontaudit_getattr_all_files',`
 #
 interface(`files_dontaudit_getattr_non_security_files',`
 	gen_require(`
-		attribute file_type, security_file_type;
+		attribute non_security_file_type;
 	')

-	dontaudit $1 { file_type -security_file_type }:file getattr;
+	dontaudit $1 non_security_file_type:file getattr;
 ')

 ########################################
@ -498,11 +535,11 @@ interface(`files_execmod_all_files',`
 #
 interface(`files_read_non_security_files',`
 	gen_require(`
-		attribute file_type, security_file_type;
+		attribute non_security_file_type;
 	')

-	read_files_pattern($1, { file_type -security_file_type }, { file_type -security_file_type })
-	read_lnk_files_pattern($1, { file_type -security_file_type }, { file_type -security_file_type })
+	read_files_pattern($1, non_security_file_type, non_security_file_type)
+	read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
 ')

 ########################################
@ -648,10 +685,10 @@ interface(`files_dontaudit_read_all_symlinks',`
 #
 interface(`files_dontaudit_getattr_non_security_symlinks',`
 	gen_require(`
-		attribute file_type, security_file_type;
+		attribute non_security_file_type;
 	')

-	dontaudit $1 { file_type -security_file_type }:lnk_file getattr;
+	dontaudit $1 non_security_file_type:lnk_file getattr;
 ')

 ########################################
@ -667,10 +704,10 @@ interface(`files_dontaudit_getattr_non_security_symlinks',`
 #
 interface(`files_dontaudit_getattr_non_security_blk_files',`
 	gen_require(`
-		attribute file_type, security_file_type;
+		attribute non_security_file_type;
 	')

-	dontaudit $1 { file_type -security_file_type }:blk_file getattr;
+	dontaudit $1 non_security_file_type:blk_file getattr;
 ')

 ########################################
@ -686,10 +723,10 @@ interface(`files_dontaudit_getattr_non_security_blk_files',`
 #
 interface(`files_dontaudit_getattr_non_security_chr_files',`
 	gen_require(`
-		attribute file_type, security_file_type;
+		attribute non_security_file_type;
 	')

-	dontaudit $1 { file_type -security_file_type }:chr_file getattr;
+	dontaudit $1 non_security_file_type:chr_file getattr;
 ')

 ########################################
@ -763,10 +800,10 @@ interface(`files_dontaudit_getattr_all_pipes',`
 #
 interface(`files_dontaudit_getattr_non_security_pipes',`
 	gen_require(`
-		attribute file_type, security_file_type;
+		attribute non_security_file_type;
 	')

-	dontaudit $1 { file_type -security_file_type }:fifo_file getattr;
+	dontaudit $1 non_security_file_type:fifo_file getattr;
 ')

 ########################################
@ -820,10 +857,10 @@ interface(`files_dontaudit_getattr_all_sockets',`
 #
 interface(`files_dontaudit_getattr_non_security_sockets',`
 	gen_require(`
-		attribute file_type, security_file_type;
+		attribute non_security_file_type;
 	')

-	dontaudit $1 { file_type -security_file_type }:sock_file getattr;
+	dontaudit $1 non_security_file_type:sock_file getattr;
 ')

 ########################################
@ -4750,21 +4787,3 @@ interface(`files_unconfined',`

 	typeattribute $1 files_unconfined_type;
 ')
-
-########################################
-## <summary>
-##	Allow attempts to monage any directory
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to allow
-##	</summary>
-## </param>
-#
-interface(`files_manage_non_security_dirs',`
-	gen_require(`
-		attribute file_type, security_file_type;
-	')
-
-	allow $1 { file_type -security_file_type }:dir manage_dir_perms;
-')
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@ -1,5 +1,5 @@

-policy_module(files, 1.9.0)
+policy_module(files, 1.9.1)

 ########################################
 #
@ -26,6 +26,8 @@ attribute polymember;
 # sensitive security files whose accesses should
 # not be dontaudited for uses
 attribute security_file_type;
+# and its opposite
+attribute non_security_file_type;

 attribute tmpfile;
 attribute tmpfsfile;
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@ -1,5 +1,5 @@

-policy_module(logging, 1.11.0)
+policy_module(logging, 1.11.1)

 ########################################
 #
@ -18,7 +18,7 @@ files_security_file(auditd_etc_t)

 type auditd_log_t;
 files_security_file(auditd_log_t)
-files_mountpoint(auditd_log_t)
+files_security_mountpoint(auditd_log_t)

 type auditd_t;
 type auditd_exec_t;