[DSE-Dev] refpolicy: domains need access to the apt's pty and fifos
vaclav.ovsik at i.cz
Thu Apr 24 08:42:52 UTC 2008
On Wed, Apr 23, 2008 at 12:30:42PM +0200, Václav Ovsík wrote:
> Thanks for the exhaustive explanation Christopher. It seemed to me, that
> your idea can be done at least for types (a roleattribute keyword not
> exist yet), but I was wrong about attributes :(. Attribute can't have
> attribute (recursively). With an attached nonfunctional patch I ended
> /usr/bin/checkmodule -M -m tmp/apt.tmp -o tmp/apt.mod
> /usr/bin/checkmodule: loading policy configuration from tmp/apt.tmp
> policy/modules/admin/apt.te":135:ERROR 'unknown type dpkg_inherited_fd' at token ';' on line 7686:
> typeattribute dpkg_inherited_fd apt_inherited_fd;
> #line 135
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/apt.mod] Error 1
> Of course dpkg_inherited_fd is the attribute and not the type, shame.
> You are right, with current policy language this can't be done easily.
> Maybe wee can do this job using m4. This would require an additional
> pass to process sources or modification of processing a bit. My rough
> idea for modular policy:
> * To include the third new parameter of interface/template macro
> used by run interfaces. This parameter will accept what and how
> should be inherited in some notation parse able fine by m4. The
> information "what" should describe the class (fd, pipe...), the
> type. The information "how" should describe passing down (to pass
> inheritance down or to stop inheritance there).
> * To split module preprocessing (m4) and compilation (checkmodule)
> * All modules must by m4 processed at first to create the
> meta-information about all inheritances. The compilation
> (checkmodule) of any module (with some run interface) should
> depend on meta-information from all other packages.
> * Updating of inheritance meta-information must be updated only when
> the content is really different, so Make will not restart
> rebuilding things unnecessarily.
> * To build allow rules from inheritance meta-information and append
> this rules to already preprocessed .te product and compile it by
I see at least one flaw - the policy build in such a way will be
somewhat "static" concerning adding modules into pre-build policy. That
is when someone will take policy headers and compile an own local
module, then all other pre-build modules affected by inheritance will be
obsolete. So, there is no improvement in this area against current
The only benefit from the proposal is, that policy sources will be a bit
more clean (I hope) and ready for introducing inheritance in the policy
language (I hope only macros and processing will need change).
More information about the SELinux-devel