[PATCH 0/3] Clean up SELinux policy, split interface in smaller bits

[PATCH 0/3] Clean up SELinux policy, split interface in smaller bits

[Stefano Brivio]

Stefano Brivio (3):
  contrib/selinux: Drop "example" from headers: this is the actual
    policy
  contrib/selinux: Drop unused passt_read_data() interface
  contrib/selinux: Split interfaces into smaller bits

 contrib/selinux/passt.fc |  2 +-
 contrib/selinux/passt.if | 81 ++++++++++++++++++++++++++++++----------
 contrib/selinux/passt.te |  2 +-
 contrib/selinux/pasta.fc |  2 +-
 contrib/selinux/pasta.if |  2 +-
 contrib/selinux/pasta.te |  2 +-
 6 files changed, 67 insertions(+), 24 deletions(-)

-- 
2.39.2

[PATCH 1/3] contrib/selinux: Drop "example" from headers: this is the actual policy

[Stefano Brivio]

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 contrib/selinux/passt.fc | 2 +-
 contrib/selinux/passt.if | 2 +-
 contrib/selinux/passt.te | 2 +-
 contrib/selinux/pasta.fc | 2 +-
 contrib/selinux/pasta.if | 2 +-
 contrib/selinux/pasta.te | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/contrib/selinux/passt.fc b/contrib/selinux/passt.fc
index 286c868..88e388e 100644
--- a/contrib/selinux/passt.fc
+++ b/contrib/selinux/passt.fc
@@ -3,7 +3,7 @@
 # PASST - Plug A Simple Socket Transport
 #  for qemu/UNIX domain socket mode
 #
-# contrib/selinux/passt.fc - SELinux profile example: File Context for passt
+# contrib/selinux/passt.fc - SELinux profile: File Context for passt
 #
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
diff --git a/contrib/selinux/passt.if b/contrib/selinux/passt.if
index 6a6105c..a79a8ec 100644
--- a/contrib/selinux/passt.if
+++ b/contrib/selinux/passt.if
@@ -3,7 +3,7 @@
 # PASST - Plug A Simple Socket Transport
 #  for qemu/UNIX domain socket mode
 #
-# contrib/selinux/passt.if - SELinux profile example: Interface File for passt
+# contrib/selinux/passt.if - SELinux profile: Interface File for passt
 #
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
index 438155d..590ad40 100644
--- a/contrib/selinux/passt.te
+++ b/contrib/selinux/passt.te
@@ -3,7 +3,7 @@
 # PASST - Plug A Simple Socket Transport
 #  for qemu/UNIX domain socket mode
 #
-# contrib/selinux/passt.te - SELinux profile example: Type Enforcement for passt
+# contrib/selinux/passt.te - SELinux profile: Type Enforcement for passt
 #
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc
index f8fa0fa..e72b4ac 100644
--- a/contrib/selinux/pasta.fc
+++ b/contrib/selinux/pasta.fc
@@ -3,7 +3,7 @@
 # PASTA - Pack A Subtle Tap Abstraction
 #  for network namespace/tap device mode
 #
-# contrib/selinux/pasta.fc - SELinux profile example: File Context for pasta
+# contrib/selinux/pasta.fc - SELinux profile: File Context for pasta
 #
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
diff --git a/contrib/selinux/pasta.if b/contrib/selinux/pasta.if
index a42bfcd..149045a 100644
--- a/contrib/selinux/pasta.if
+++ b/contrib/selinux/pasta.if
@@ -3,7 +3,7 @@
 # PASTA - Pack A Subtle Tap Abstraction
 #  for network namespace/tap device mode
 #
-# contrib/selinux/pasta.if - SELinux profile example: Interface File for pasta
+# contrib/selinux/pasta.if - SELinux profile: Interface File for pasta
 #
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index 8986c0c..7856019 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -3,7 +3,7 @@
 # PASTA - Pack A Subtle Tap Abstraction
 #  for network namespace/tap device mode
 #
-# contrib/selinux/pasta.te - SELinux profile example: Type Enforcement for pasta
+# contrib/selinux/pasta.te - SELinux profile: Type Enforcement for pasta
 #
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
-- 
@@ -3,7 +3,7 @@
 # PASTA - Pack A Subtle Tap Abstraction
 #  for network namespace/tap device mode
 #
-# contrib/selinux/pasta.te - SELinux profile example: Type Enforcement for pasta
+# contrib/selinux/pasta.te - SELinux profile: Type Enforcement for pasta
 #
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
-- 
2.39.2

[PATCH 2/3] contrib/selinux: Drop unused passt_read_data() interface

[Stefano Brivio]

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 contrib/selinux/passt.if | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/contrib/selinux/passt.if b/contrib/selinux/passt.if
index a79a8ec..3e37c5b 100644
--- a/contrib/selinux/passt.if
+++ b/contrib/selinux/passt.if
@@ -8,14 +8,6 @@
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
 
-interface(`passt_read_data',`
-	gen_require(`
-		type passt_data_t;
-	')
-	allow $1 passt_t:dir { search add_name };
-	allow $1 passt_t:file { open read getattr };
-')
-
 interface(`passt_domtrans',`
 	gen_require(`
 		type passt_t, passt_exec_t;
-- 
@@ -8,14 +8,6 @@
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
 
-interface(`passt_read_data',`
-	gen_require(`
-		type passt_data_t;
-	')
-	allow $1 passt_t:dir { search add_name };
-	allow $1 passt_t:file { open read getattr };
-')
-
 interface(`passt_domtrans',`
 	gen_require(`
 		type passt_t, passt_exec_t;
-- 
2.39.2

[PATCH 3/3] contrib/selinux: Split interfaces into smaller bits

[Stefano Brivio]

...to fit accepted Fedora practices.

Link: https://github.com/fedora-selinux/selinux-policy/pull/1613
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 contrib/selinux/passt.if | 71 ++++++++++++++++++++++++++++++++++------
 1 file changed, 61 insertions(+), 10 deletions(-)

diff --git a/contrib/selinux/passt.if b/contrib/selinux/passt.if
index 3e37c5b..f7560a7 100644
--- a/contrib/selinux/passt.if
+++ b/contrib/selinux/passt.if
@@ -17,37 +17,88 @@ interface(`passt_domtrans',`
 	domtrans_pattern($1, passt_exec_t, passt_t)
 ')
 
-interface(`passt_socket',`
+interface(`passt_socket_dir',`
+	gen_require(`
+		type passt_t;
+	')
+
+	allow passt_t $1:dir add_entry_dir_perms;
+')
+
+interface(`passt_socket_create',`
+	gen_require(`
+		type passt_t;
+	')
+
+	allow passt_t $1:sock_file create;
+')
+
+interface(`passt_socket_use',`
 	gen_require(`
 		type passt_t;
 	')
 
-	allow $1 $2:sock_file write;
 	allow $1 passt_t:unix_stream_socket connectto;
+	allow $1 $2:sock_file { read write };
+	allow passt_t $2:sock_file { read write };
+')
+
+interface(`passt_socket_delete',`
+	gen_require(`
+		type passt_t;
+	')
+
+	allow $1 $2:sock_file unlink;
+')
+
+interface(`passt_logfile_dir',`
+	gen_require(`
+		type passt_t;
+	')
 
-	allow passt_t $2:sock_file { create read write unlink };
+	allow passt_t $1:dir add_entry_dir_perms;
 ')
 
-interface(`passt_logfile',`
+interface(`passt_logfile_use',`
 	gen_require(`
 		type passt_t;
 	')
 
 	logging_log_file($1);
-	allow passt_t $1:dir { search write add_name };
 	allow passt_t $1:file { create open read write };
 ')
 
-interface(`passt_pidfile',`
+interface(`passt_pidfile_dir',`
+	gen_require(`
+		type passt_t;
+	')
+
+	allow passt_t $1:dir add_entry_dir_perms;
+')
+
+interface(`passt_pidfile_write',`
+	gen_require(`
+		type passt_t;
+	')
+
+	files_pid_file($1);
+	allow passt_t $1:file { create open write };
+')
+
+interface(`passt_pidfile_read',`
 	gen_require(`
 		type passt_t;
 	')
 
-	allow $1 $2:file { open read unlink };
+	allow $1 $2:file { open read };
+')
+
+interface(`passt_pidfile_delete',`
+	gen_require(`
+		type passt_t;
+	')
 
-	files_pid_file($2);
-	allow passt_t $2:dir { search write add_name };
-	allow passt_t $2:file { create open write };
+	allow $1 $2:file unlink;
 ')
 
 interface(`passt_kill',`
-- 
@@ -17,37 +17,88 @@ interface(`passt_domtrans',`
 	domtrans_pattern($1, passt_exec_t, passt_t)
 ')
 
-interface(`passt_socket',`
+interface(`passt_socket_dir',`
+	gen_require(`
+		type passt_t;
+	')
+
+	allow passt_t $1:dir add_entry_dir_perms;
+')
+
+interface(`passt_socket_create',`
+	gen_require(`
+		type passt_t;
+	')
+
+	allow passt_t $1:sock_file create;
+')
+
+interface(`passt_socket_use',`
 	gen_require(`
 		type passt_t;
 	')
 
-	allow $1 $2:sock_file write;
 	allow $1 passt_t:unix_stream_socket connectto;
+	allow $1 $2:sock_file { read write };
+	allow passt_t $2:sock_file { read write };
+')
+
+interface(`passt_socket_delete',`
+	gen_require(`
+		type passt_t;
+	')
+
+	allow $1 $2:sock_file unlink;
+')
+
+interface(`passt_logfile_dir',`
+	gen_require(`
+		type passt_t;
+	')
 
-	allow passt_t $2:sock_file { create read write unlink };
+	allow passt_t $1:dir add_entry_dir_perms;
 ')
 
-interface(`passt_logfile',`
+interface(`passt_logfile_use',`
 	gen_require(`
 		type passt_t;
 	')
 
 	logging_log_file($1);
-	allow passt_t $1:dir { search write add_name };
 	allow passt_t $1:file { create open read write };
 ')
 
-interface(`passt_pidfile',`
+interface(`passt_pidfile_dir',`
+	gen_require(`
+		type passt_t;
+	')
+
+	allow passt_t $1:dir add_entry_dir_perms;
+')
+
+interface(`passt_pidfile_write',`
+	gen_require(`
+		type passt_t;
+	')
+
+	files_pid_file($1);
+	allow passt_t $1:file { create open write };
+')
+
+interface(`passt_pidfile_read',`
 	gen_require(`
 		type passt_t;
 	')
 
-	allow $1 $2:file { open read unlink };
+	allow $1 $2:file { open read };
+')
+
+interface(`passt_pidfile_delete',`
+	gen_require(`
+		type passt_t;
+	')
 
-	files_pid_file($2);
-	allow passt_t $2:dir { search write add_name };
-	allow passt_t $2:file { create open write };
+	allow $1 $2:file unlink;
 ')
 
 interface(`passt_kill',`
-- 
2.39.2