From mboxrd@z Thu Jan 1 00:00:00 1970
Received: by passt.top (Postfix, from userid 1000) id 798A05A0272; Fri, 10 Mar 2023 19:12:02 +0100 (CET)
From: Stefano Brivio
To: passt-dev@passt.top
Subject: [PATCH 3/3] contrib/selinux: Split interfaces into smaller bits
Date: Fri, 10 Mar 2023 19:12:02 +0100
Message-Id: <20230310181202.3448630-4-sbrivio@redhat.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20230310181202.3448630-1-sbrivio@redhat.com>
References: <20230310181202.3448630-1-sbrivio@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: JHEHRMIHA6RLX24RWFEKEP254VRYOYPM
X-Message-ID-Hash: JHEHRMIHA6RLX24RWFEKEP254VRYOYPM
X-MailFrom: sbrivio@passt.top
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt
Archived-At:
Archived-At:
List-Archive:
List-Archive:
List-Help:
List-Owner:
List-Post:
List-Subscribe:
List-Unsubscribe:

...to fit accepted Fedora practices.

Link: https://github.com/fedora-selinux/selinux-policy/pull/1613
Signed-off-by: Stefano Brivio
---
 contrib/selinux/passt.if | 71 ++++++++++++++++++++++++++++++++++------
 1 file changed, 61 insertions(+), 10 deletions(-)

diff --git a/contrib/selinux/passt.if b/contrib/selinux/passt.if
index 3e37c5b..f7560a7 100644
--- a/contrib/selinux/passt.if
+++ b/contrib/selinux/passt.if
@@ -17,37 +17,88 @@ interface(`passt_domtrans',`
 domtrans_pattern($1, passt_exec_t, passt_t)
 ')
-interface(`passt_socket',`
+interface(`passt_socket_dir',`
+ gen_require(`
+ type passt_t;
+ ')
+
+ allow passt_t $1:dir add_entry_dir_perms;
+')
+
+interface(`passt_socket_create',`
+ gen_require(`
+ type passt_t;
+ ')
+
+ allow passt_t $1:sock_file create;
+')
+
+interface(`passt_socket_use',`
 gen_require(`
 type passt_t;
 ')
- allow $1 $2:sock_file write;
 allow $1 passt_t:unix_stream_socket connectto;
+ allow $1 $2:sock_file { read write };
+ allow passt_t $2:sock_file { read write };
+')
+
+interface(`passt_socket_delete',`
+ gen_require(`
+ type passt_t;
+ ')
+
+ allow $1 $2:sock_file unlink;
+')
+
+interface(`passt_logfile_dir',`
+ gen_require(`
+ type passt_t;
+ ')
- allow passt_t $2:sock_file { create read write unlink };
+ allow passt_t $1:dir add_entry_dir_perms;
 ')
-interface(`passt_logfile',`
+interface(`passt_logfile_use',`
 gen_require(`
 type passt_t;
 ')
 logging_log_file($1);
- allow passt_t $1:dir { search write add_name };
 allow passt_t $1:file { create open read write };
 ')
-interface(`passt_pidfile',`
+interface(`passt_pidfile_dir',`
+ gen_require(`
+ type passt_t;
+ ')
+
+ allow passt_t $1:dir add_entry_dir_perms;
+')
+
+interface(`passt_pidfile_write',`
+ gen_require(`
+ type passt_t;
+ ')
+
+ files_pid_file($1);
+ allow passt_t $1:file { create open write };
+')
+
+interface(`passt_pidfile_read',`
 gen_require(`
 type passt_t;
 ')
- allow $1 $2:file { open read unlink };
+ allow $1 $2:file { open read };
+')
+
+interface(`passt_pidfile_delete',`
+ gen_require(`
+ type passt_t;
+ ')
- files_pid_file($2);
- allow passt_t $2:dir { search write add_name };
- allow passt_t $2:file { create open write };
+ allow $1 $2:file unlink;
 ')
 interface(`passt_kill',`
--
2.39.2
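Review bot: `passt_socket_delete` and `passt_pidfile_delete` grant `$1` only `unlink` on the sock_file/file type, but removing a directory entry also needs `remove_name` on the containing directory, and no interface in this hunk hands that out — the `_dir` variants grant `add_entry_dir_perms` (which in refpolicy covers `add_name`, not `remove_name`) and only to `passt_t` — so unless the calling domain already holds `del_entry_dir_perms` on that directory type, the unlink will be denied at runtime. Either take the directory type as a third parameter and add `allow $1 $3:dir del_entry_dir_perms;`, or state the precondition in a comment on each delete interface. The removed `allow passt_t $2:sock_file { create read write unlink };` line also means passt_t itself can no longer remove its socket file after the split; if that is intended (the client cleans up), it deserves a sentence in the commit message. Since the stated goal is Fedora practice, each interface should also carry the refpolicy `## <summary>` / `## <param name="domain">` documentation block, and the `gen_require(` type passt_t; ')` in `passt_socket_delete`, `passt_pidfile_read` and `passt_pidfile_delete` is unused because those bodies never reference `passt_t`. `interface(`passt_kill',` opens on the last context line and its body lies outside the hunk.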