From: Russell Coker
To: Chris PeBenito
Reply-To: russell@coker.com.au
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] last misc stuff
Date: Sun, 06 Jan 2019 13:22:02 +1100
Message-ID: <13114899.BBxJTFboZp@xev>
References: <20190104073503.GC11256@aaa.coker.com.au>

On Sunday, 6 January 2019 6:04:14 AM AEDT Chris PeBenito wrote:
> > Index: refpolicy-2.20180701/policy/modules/admin/apt.fc > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc > > +++ refpolicy-2.20180701/policy/modules/admin/apt.fc 
> > @@ -1,9 +1,12 @@ > > /etc/cron\.daily/apt -- > > gen_context(system_u:object_r:apt_exec_t,s0) > > > > -ifndef(`distro_redhat',` > > +/usr/bin/apt -- > > gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/apt-get -- > > gen_context(system_u:object_r:apt_exec_t,s0) -/usr/bin/apt-shell > > -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/aptitude > > -- gen_context(system_u:object_r:apt_exec_t,s0) > > +/usr/sbin/update-apt-xapian-index -- > > gen_context(system_u:object_r:apt_exec_t,s0) + > > +ifndef(`distro_redhat',` > > +/usr/bin/apt-shell -- > > gen_context(system_u:object_r:apt_exec_t,s0) /usr/sbin/synaptic -- > > gen_context(system_u:object_r:apt_exec_t,s0) > > /usr/lib/packagekit/packagekitd -- > > gen_context(system_u:object_r:apt_exec_t,s0) /var/cache/PackageKit(/.*)? > > gen_context(system_u:object_r:apt_var_cache_t,s0)
>
> I modified some of these changes, as it results in file context
> conflicts with the RPM module. More accurately, I removed the fc
> entries in RPM that label the apt executables. I moved the apt-shell
> back out of the ifndef block.
>
> I think the synaptic and packagekit fc entries, which are in both apt
> and rpm modules, may need to be dropped and move to the distro's
> patches. Either that, or this ifndef needs to turn into ifdef debian
> (or something else).
>
> Otherwise merged.

I agree that things should be reconsidered with apt policy. Do we even need
separate apt and rpm policy given that both package managers have access to
write everything and change config files?

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
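
Review bot: the entries for /usr/bin/apt, /usr/bin/apt-get, /usr/bin/aptitude and the new /usr/sbin/update-apt-xapian-index now sit above the relocated `ifndef(`distro_redhat',`` line in apt.fc, so they are emitted on every build, including distro_redhat ones where the block was previously skipped. Any other module that carries a spec for the same paths will then produce a duplicate file context, which is the conflict with the RPM module reported in the reply; the change should either drop the overlapping specs from that module in the same patch or keep these entries conditional. The synaptic and packagekitd entries that remain inside the ifndef have the same overlap and would read more clearly under a positive distro conditional than under a negated distro_redhat test. Separately, the added /usr/sbin/update-apt-xapian-index line gives an index-update helper the same apt_exec_t entry-point type as the package manager itself; a sentence in the patch description saying why it needs that type rather than a narrower one would help review.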