From 2b40255a61b7bb3e56185d823e205281b69f0910 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Thu, 16 Mar 2023 18:36:26 -0500
Subject: [PATCH] selinux: Simplify policy for init-storage
As the scope of Aimee OS grows, and other applications are added to it, the `init-storage` command will have an ever-growing list of file and directory types to copy from the rootfs image. Originally, I wanted to explicitly allow it to only copy files that are found in `/var`, but this will become untenable very quickly. As such, to avoid having to constantly update the SELinux policy for every new application that stores anything in `/var` at install time, the `aimee_storinit_t` domain can now manage all "non-security" files, directories, and symbolic links. This covers pretty much everything in `/var` except `/var/log/audit`, while still excluding the most sensitive files (e.g. `/etc/shadow`),
---
 .../selinux-aimee-os/files/aimee-os.te | 76 +++----------------
 1 file changed, 11 insertions(+), 65 deletions(-)
diff --git a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
index 5cce26a..9e132b1 100644
--- a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
+++ b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
@@ -71,76 +71,22 @@ seutil_domtrans_setfiles(aimee_storinit_t)
 kernel_manage_unlabeled_dirs(aimee_storinit_t)
+files_manage_non_security_dirs(aimee_storinit_t)
+files_relabel_non_security_dirs(aimee_storinit_t)
+files_manage_non_security_files(aimee_storinit_t)
+files_relabel_non_security_files(aimee_storinit_t)
+logging_manage_audit_log(aimee_storinit_t)
+gen_require(`
+ attribute non_security_file_type;
+')
+manage_lnk_files_pattern(aimee_storinit_t, non_security_file_type, non_security_file_type)
+relabel_lnk_files_pattern(aimee_storinit_t, non_security_file_type, non_security_file_type)
+
 auth_manage_shadow(aimee_storinit_t)
 auth_relabel_shadow(aimee_storinit_t)
-
-files_manage_var_dirs(aimee_storinit_t)
-files_relabel_var_dirs(aimee_storinit_t)
-files_manage_var_files(aimee_storinit_t)
-files_manage_var_symlinks(aimee_storinit_t)
-
 gen_require(`
- type var_lib_t, var_lock_t, var_run_t;
- type semanage_store_t;
- type semanage_read_lock_t, semanage_trans_lock_t;
- type system_dbusd_var_lib_t;
- type init_var_lib_t;
- type auditd_log_t;
- type tmp_t;
- type etc_t;
 type shadow_t;
- attribute logfile;
 ')
-manage_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
-relabel_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
-manage_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
-relabel_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
-manage_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
-relabel_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
-manage_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
-relabel_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
-manage_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
-relabel_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
-manage_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
-relabel_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
-manage_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
-relabel_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
-manage_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
-relabel_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
-manage_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
-relabel_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
-manage_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
-relabel_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
-manage_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
-relabel_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
-manage_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
-relabel_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
-manage_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
-relabel_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
-manage_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
-relabel_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
-manage_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
-relabel_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
-manage_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
-relabel_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
-manage_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
-relabel_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
-manage_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
-relabel_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
-manage_dirs_pattern(aimee_storinit_t, logfile, logfile)
-relabel_dirs_pattern(aimee_storinit_t, logfile, logfile)
-manage_files_pattern(aimee_storinit_t, logfile, logfile)
-relabel_files_pattern(aimee_storinit_t, logfile, logfile)
-manage_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
-relabel_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
-manage_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
-relabel_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
-manage_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
-relabel_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
-manage_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
-relabel_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
-manage_dirs_pattern(aimee_storinit_t, etc_t, etc_t)
-relabel_dirs_pattern(aimee_storinit_t, etc_t, etc_t)
 allow aimee_storinit_t shadow_t:file mounton;
 ########################################
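Review bot: The `files_manage_non_security_*` / `files_relabel_non_security_*` grants and the two `*_lnk_files_pattern` rules on `non_security_file_type` at the top of the hunk reach well beyond `/var`: as far as I recall the refpolicy base, that attribute is attached to nearly every file type outside the security set, so this would also let `aimee_storinit_t` create, write and relabel under `/etc`, `/usr` and similar paths that the removed per-type list deliberately did not cover. That effectively makes the domain a filesystem-wide writer and relabeler, so the trade-off belongs in the policy file itself, not only in the commit message; I would add above the new block: `# init-storage copies install-time state from the rootfs image. The non_security attribute` / `# avoids a per-application type list, but it is NOT limited to /var; review before widening further.` The description's claim that `/etc/shadow` stays excluded is misleading for this domain, because `auth_manage_shadow`, `auth_relabel_shadow` and `allow aimee_storinit_t shadow_t:file mounton` all survive the hunk as context lines and keep granting that access explicitly. Likewise the added `logging_manage_audit_log(aimee_storinit_t)` means the `/var/log/audit` exception mentioned in the description does not apply here either; the description should state both explicitly so a later reader does not assume a narrower grant than the policy actually makes.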