fedora-selinux August 2010 archive

Re: pipefs AVC

From: Dominick Grift <domg472_at_nospam>
Date: Sun Aug 29 2010 - 12:44:11 GMT
To: Mr Dash Four <mr.dash.four@googlemail.com>

On 08/29/2010 02:30 PM, Mr Dash Four wrote:
>
>>> Is 'rw_fifo_file_perms' custom-defined somewhere?
>>>
>>> All I can see on the fifo_file is { append create execute getattr ioctl
>>> link lock mounton quotaon read relabelfrom relabelto rename setattr
>>> swapon unlink write }, of which, 'read' and 'write' are the relevant
>>> ones. If I do 'allow voip_sandbox_t self:fifo_file { read write }' would
>>> that be the same thing or am I missing something?
>>>
>>
>> http://oss.tresys.com/projects/refpolicy/browser/policy/support/obj_perm_sets.spt
>>
>>
>> line 241:
>>
>> define(`rw_fifo_file_perms',`{ getattr open read write append ioctl
>> lock }')
>>
>> Basically a set of common permissions to read and write fifo files. Not
>> quite the same as just { read write } but not too excessive either.
>>
> That would do, thanks!
>
>> I always use "macros" wherever possible that will make policy
>> maintenance much easier.
>>
> Maintenance - yes, but finding where it comes from and what it does
> (essential for people like me!) is a right nightmare!
>
> Every time I stumble across something like this I have to do a 'grep' on
> the whole serefpolicy directory to see where it comes from and what it
> does - this does take time and I find it very frustrating, not to
> mention that this search is not always successful (there are macros with
> $1 and $2 in their names and finding this is not as straightforward a job
> as it first seems!)

After a while you know these things without looking them up. That's why it
is also important to use consistent interface names. So that you can
easily make the right guess.

As for looking stuff up, I use eclipse-slide. Basically I have refpolicy
imported into slide and build in slide that will expose the macros so
you can just hover over them and see their contents or alter click and
choose open declaration or just click them and look in the declaration
pane. There's also a filter window which lets you easily search for
interfaces.

But again, after a while, one just knows what to use. The refpolicy
project tree is not so big, except the services section which has quite
a lot of modules.

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
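
The lookup discussed in this thread, as an added example that is not part of the original message or of refpolicy: a small Python parser for m4 permission-set definitions in the style of obj_perm_sets.spt, which expands a macro and lists what it grants beyond an explicit `{ read write }`. The sample text is constructed; only the `rw_fifo_file_perms` definition is taken from the thread, and `example_nested_perms` plus all function names are hypothetical.

```python
import re

# Constructed sample in the style of refpolicy's obj_perm_sets.spt. Only the
# rw_fifo_file_perms definition is quoted from the thread; the second macro
# (example_nested_perms) is hypothetical, included to exercise nesting.
SAMPLE_SPT = """
define(`rw_fifo_file_perms',`{ getattr open read write append ioctl
lock }')
define(`example_nested_perms',`{ rw_fifo_file_perms create unlink }')
"""

# m4 quotes with ` and '; a definition body may span several lines, which is
# why a line-oriented grep can miss part of it. Only brace-delimited
# permission sets are matched, not parameterised ($1, $2) interfaces.
DEFINE_RE = re.compile(r"define\(`([A-Za-z0-9_]+)'\s*,\s*`\{([^}]*)\}'\)")


def parse_perm_sets(text):
    """Map each macro name to the list of tokens in its { ... } body."""
    return {name: body.split() for name, body in DEFINE_RE.findall(text)}


def expand(name, sets, _seen=()):
    """Recursively expand a permission-set macro into a set of permissions."""
    if name in _seen:
        raise ValueError("recursive definition: " + name)
    perms = set()
    for token in sets[name]:
        if token in sets:
            # Token is itself a macro: expand it, tracking the call chain.
            perms |= expand(token, sets, _seen + (name,))
        else:
            perms.add(token)
    return perms


def extra_over(name, explicit, sets):
    """Permissions the macro grants beyond an explicit permission list."""
    return sorted(expand(name, sets) - set(explicit))


if __name__ == "__main__":
    sets = parse_perm_sets(SAMPLE_SPT)
    print(sorted(expand("rw_fifo_file_perms", sets)))
    print(extra_over("rw_fifo_file_perms", ["read", "write"], sets))
```

To run it against a real policy tree, read the contents of the tree's own obj_perm_sets.spt into `parse_perm_sets` in place of `SAMPLE_SPT`.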