From: Nicolas Iooss
Date: Sun, 15 Sep 2019 12:33:08 +0200
Subject: Re: [RFC] Rename *_var_run_t to *_runtime_t
To: Chris PeBenito
Cc: refpolicy
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Sat, Sep 14, 2019 at 11:52 PM Chris PeBenito wrote:
>
> /var/run has moved to /run on most systems and its use has increased
> beyond pid files and sockets. Because of this, new types used in /run
> have for some time followed the convention *_runtime_t. This change
> would rename all *_var_run_t types to *_runtime_t.
>
> Since this adds many aliases to the policy, the patch set also drops all
> old backwards-compatibility aliases.
>
> https://github.com/SELinuxProject/refpolicy/pull/106
>
> Any objections to this?

Hello,

I agree with this change. When I loaded the policy with your patch on
my test system, my kernel logs issued a warning:

    SELinux: Context sysadm_u:sysadm_r:samba_net_t became invalid (unmapped).
    SELinux: Context sysadm_u:sysadm_r:smbcontrol_t became invalid (unmapped).
    SELinux: Context sysadm_u:sysadm_r:winbind_helper_t became invalid (unmapped).

This is because the following optional block from sysadm.te is now dropped:

    optional_policy(`
        samba_admin(sysadm_t, sysadm_r)
        samba_run_smbcontrol(sysadm_t, sysadm_r)
        samba_run_smbmount(sysadm_t, sysadm_r)
        samba_run_net(sysadm_t, sysadm_r)
        samba_run_winbind_helper(sysadm_t, sysadm_r)
    ')

This block is dropped because it required two types that are not
defined: nmbd_runtime_t and smbd_runtime_t. In the current refpolicy
(git master), there is:

    typealias samba_var_run_t alias { nmbd_var_run_t smbd_var_run_t };

Your pull request changes this to:

    typealias samba_runtime_t alias { nmbd_var_run_t smbd_var_run_t };

Should nmbd_runtime_t and smbd_runtime_t be changed to samba_runtime_t
in interface samba_admin()?

Other than that, I did not find other issues.

Thanks,
Nicolas
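The failure described in this message, as an added example that is not part of the original mail and not refpolicy tooling: a small check that flags interfaces whose gen_require names a type that is neither declared nor aliased, which is the condition that makes an optional_policy block drop out silently. The policy snippets are constructed; the interface body is a hypothetical stand-in for samba_admin(), and the parser assumes every `type` statement inside an interface sits in its gen_require block.

```python
import re

# Constructed, simplified policy text. The typealias line is the pull-request
# version quoted in the message; the interface body is a hypothetical stand-in
# for samba_admin(), not copied from refpolicy.
SAMPLE_TE = """
type samba_runtime_t;
typealias samba_runtime_t alias { nmbd_var_run_t smbd_var_run_t };
type smbd_t;
type nmbd_t;
"""
SAMPLE_IF = """
interface(`samba_admin',`
    gen_require(`
        type nmbd_t, smbd_t;
        type nmbd_runtime_t, smbd_runtime_t;
    ')
')
"""
# The change asked about in the message: require the primary type instead.
FIXED_IF = SAMPLE_IF.replace("nmbd_runtime_t, smbd_runtime_t", "samba_runtime_t")

def declared_types(te_text):
    """Primary type names plus every name introduced by typealias."""
    names = set(re.findall(r"^\s*type\s+(\w+)", te_text, re.M))
    alias_re = r"^\s*typealias\s+(\w+)\s+alias\s+\{?([^};]*)\}?\s*;"
    for primary, aliases in re.findall(alias_re, te_text, re.M):
        names.add(primary)
        names.update(aliases.split())
    return names

def required_types(if_text):
    """Map each interface name to the types its gen_require block names."""
    parts = re.split(r"interface\(`(\w+)'", if_text)
    required = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        types = set()
        for stmt in re.findall(r"^\s*type\s+([^;]+);", body, re.M):
            types.update(t.strip() for t in stmt.split(","))
        required[name] = types
    return required

def undeclared(te_text, if_text):
    """Interfaces whose required types are neither a type nor an alias."""
    known = declared_types(te_text)
    return {name: sorted(types - known)
            for name, types in required_types(if_text).items()
            if types - known}

if __name__ == "__main__":
    print("pull request:", undeclared(SAMPLE_TE, SAMPLE_IF))
    print("with samba_runtime_t:", undeclared(SAMPLE_TE, FIXED_IF))
```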