Suggest to change template to interface if appropriate

Question

Suggest to change template to interface if appropriate

Opened this issue 3 years ago · 4 comments

If a template does not define anything (type, attribute, ...) and does not call a template, suggest to change to an interface.

Find SELinuxProject/refpolicy@bf6cc10

Answer 1 · 2021-05-07T16:57:49.000Z

I had thought we already had this, but it looks like we only have the other way around (S-004 and S-005 show definitions or template calls in interfaces).

One thing to consider here is this: https://github.com/SELinuxProject/refpolicy/blob/0c5a622fea7ebe660465da6296460b7e7b1a9d08/policy/modules/services/xserver.if#L310

This is a template rather than an interface because it uses a prefix, but it doesn't declare any types. Refpolicy does selint-disable:S-004 in an interface that calls it to accomodate.

I believe I spoke to @pebenito about this back when we were implementing selint in refpolicy and my recollection is that he said that in his view the definition of template was the use of prefixes rather than types, attributes etc in arguments. It might be preferable if we do a check as you suggest to implement it based on the prefix definition rather than the declaration definition.

Answer 2 · 2021-05-07T17:22:25.000Z

The main differences between interfaces and templates is interfaces cannot:

declare anything (no side effects)
use prefixes.

Answer 3 · 2021-05-07T17:25:29.000Z

With this classification, was the commit SELinuxProject/refpolicy@bf6cc10 correct, cause systemd_user_daemon_domain() takes a prefix as first argument?

Answer 4 · 2021-05-07T17:40:25.000Z

You're correct, I missed that. I reverted the change.