2014-04-05 20:37:45

by Nicolas Iooss

Subject: [refpolicy] [PATCH] [RFC] Fix strange file patterns

Some file patterns look very strange, like:

/var/log/cluster/.*\.*log

I've found such patterns while writing a script that parses the file patterns.
Hence I haven't tested if the new file contexts apply to the existing files.
For example, this patch changes

/var/run/*.fingerd\.pid

to

/var/run/fingerd\.pid

because "/*" seems weird to me, but this also changes the semantic of the
pattern. Another possibility which doesn't change the meaning is:

/var/run/?.fingerd\.pid

I send this patch as an RFC because what I consider abnormal may in fact be
something expected or a workaround to fix some bugs I'm not aware of.
---
finger.fc | 2 +-
rhcs.fc | 2 +-
setroubleshoot.fc | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/finger.fc b/finger.fc
index 843940b..623421d 100644
--- a/finger.fc
+++ b/finger.fc
@@ -7,4 +7,4 @@

/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0)

-/var/run/*.fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0)
+/var/run/fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0)
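
Review bot: on the changed "/var/run/*.fingerd\.pid" line, the old expression read as a regex is "/var/run", zero or more "/", any one character, then "fingerd.pid", so it matched both /var/run/fingerd.pid and a name with a one-character prefix such as /var/run/cfingerd.pid. The context line above labels "/var/log/cfingerd\.log.*" as fingerd_log_t, which suggests cfingerd is covered by this module; with the new pattern its pid file would no longer get fingerd_var_run_t. If that coverage is wanted, "/var/run/c?fingerd\.pid" states it explicitly; otherwise the commit message should say the prefixed name is dropped on purpose.
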
diff --git a/rhcs.fc b/rhcs.fc
index 47de2d6..c619502 100644
--- a/rhcs.fc
+++ b/rhcs.fc
@@ -14,7 +14,7 @@

/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)

-/var/log/cluster/.*\.*log <<none>>
+/var/log/cluster/.*\.log <<none>>
/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
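
Review bot: the new "/var/log/cluster/.*\.log" on the <<none>> line is narrower than the old ".*\.*log", which accepted any name ending in "log" with or without a dot before it; the commit message only calls out the semantic change in finger.fc, so this one should be mentioned as well. The three entries below end in "\.log.*" to cover suffixed names while the <<none>> entry stops at "\.log"; please confirm that difference is intended, or use "\.log.*" here for consistency.
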
diff --git a/setroubleshoot.fc b/setroubleshoot.fc
index 0b3a971..e89c06f 100644
--- a/setroubleshoot.fc
+++ b/setroubleshoot.fc
@@ -1,6 +1,6 @@
/usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)

-/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
+/usr/share/setroubleshoot/SetroubleshootFixit\.py -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)

/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
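
Review bot: on the "SetroubleshootFixit\.py*" line, the removed "*" only made the "y" repeatable (".p", ".py", ".pyy"), so the old pattern never covered ".pyc" or ".pyo"; dropping it is fine if only the source file needs setroubleshoot_fixit_exec_t. If the star was meant as a glob for byte-compiled files, the pattern should be "SetroubleshootFixit\.py[co]?" instead; please state which is intended in the commit message.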

--
1.9.1
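
The patch description notes that the new patterns were not tested against existing files. The following added example (not part of the original post or of refpolicy) compares the old and new pattern of each hunk against constructed sample paths. It assumes file-context patterns are matched against the whole path and uses Python's `re` as a stand-in regex engine; `matches`, `diff_coverage` and `report` are hypothetical helper names.

```python
import re

# (old pattern, new pattern) pairs copied from the three hunks of the patch.
CHANGES = {
    "finger.fc": (r"/var/run/*.fingerd\.pid", r"/var/run/fingerd\.pid"),
    "rhcs.fc": (r"/var/log/cluster/.*\.*log", r"/var/log/cluster/.*\.log"),
    "setroubleshoot.fc": (
        r"/usr/share/setroubleshoot/SetroubleshootFixit\.py*",
        r"/usr/share/setroubleshoot/SetroubleshootFixit\.py",
    ),
}

# Constructed sample paths (assumptions for illustration, not from a real system).
SAMPLE_PATHS = [
    "/var/run/fingerd.pid",
    "/var/run/cfingerd.pid",
    "/var/log/cluster/corosync.log",
    "/var/log/cluster/corosynclog",
    "/var/log/cluster/fenced.log.1",
    "/usr/share/setroubleshoot/SetroubleshootFixit.py",
    "/usr/share/setroubleshoot/SetroubleshootFixit.pyc",
    "/usr/share/setroubleshoot/SetroubleshootFixit.p",
]


def matches(pattern, path):
    """Whole-path match: the pattern is treated as anchored at both ends."""
    return re.fullmatch(pattern, path) is not None


def diff_coverage(old, new, paths):
    """Return (lost, gained): paths matched only by old / only by new."""
    lost = [p for p in paths if matches(old, p) and not matches(new, p)]
    gained = [p for p in paths if matches(new, p) and not matches(old, p)]
    return lost, gained


def report(changes=CHANGES, paths=SAMPLE_PATHS):
    """Map each .fc file name to the (lost, gained) lists for its change."""
    return {name: diff_coverage(old, new, paths)
            for name, (old, new) in changes.items()}


if __name__ == "__main__":
    for name, (lost, gained) in report().items():
        print(f"{name}: lost={lost} gained={gained}")
```

Replacing `SAMPLE_PATHS` with a listing of the real directories shows which existing files would change label before the policy is rebuilt.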


2014-04-08 14:21:12

by sven.vermeulen

Subject: [refpolicy] [PATCH] [RFC] Fix strange file patterns

I'm OK with the changes. I am not aware of a finger implementation that
uses a single character prefix to "fingerd" that would match the expression
as well.

With kind regard,
Sven Vermeulen
On Apr 5, 2014 10:38 PM, "Nicolas Iooss" <[email protected]> wrote:

> Some file patterns look very strange, like:
>
> /var/log/cluster/.*\.*log
>
> I've found such patterns while writing a script that parses the file
> patterns.
> Hence I haven't tested if the new file contexts apply to the existing
> files.
> For example, this patch changes
>
> /var/run/*.fingerd\.pid
>
> to
>
> /var/run/fingerd\.pid
>
> because "/*" seems weird to me, but this also changes the semantic of the
> pattern. Another possibility which doesn't change the meaning is:
>
> /var/run/?.fingerd\.pid
>
> I send this patch as an RFC because what I consider abnormal may in fact be
> something expected or a workaround to fix some bugs I'm not aware of.
> ---
> finger.fc | 2 +-
> rhcs.fc | 2 +-
> setroubleshoot.fc | 2 +-
> 3 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/finger.fc b/finger.fc
> index 843940b..623421d 100644
> --- a/finger.fc
> +++ b/finger.fc
> @@ -7,4 +7,4 @@
>
> /var/log/cfingerd\.log.* --
> gen_context(system_u:object_r:fingerd_log_t,s0)
>
> -/var/run/*.fingerd\.pid --
> gen_context(system_u:object_r:fingerd_var_run_t,s0)
> +/var/run/fingerd\.pid --
> gen_context(system_u:object_r:fingerd_var_run_t,s0)
> diff --git a/rhcs.fc b/rhcs.fc
> index 47de2d6..c619502 100644
> --- a/rhcs.fc
> +++ b/rhcs.fc
> @@ -14,7 +14,7 @@
>
> /var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
>
> -/var/log/cluster/.*\.*log <<none>>
> +/var/log/cluster/.*\.log <<none>>
> /var/log/cluster/dlm_controld\.log.* --
> gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
> /var/log/cluster/fenced\.log.* --
> gen_context(system_u:object_r:fenced_var_log_t,s0)
> /var/log/cluster/gfs_controld\.log.* --
> gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
> diff --git a/setroubleshoot.fc b/setroubleshoot.fc
> index 0b3a971..e89c06f 100644
> --- a/setroubleshoot.fc
> +++ b/setroubleshoot.fc
> @@ -1,6 +1,6 @@
> /usr/sbin/setroubleshootd --
> gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
>
> -/usr/share/setroubleshoot/SetroubleshootFixit\.py* --
> gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
> +/usr/share/setroubleshoot/SetroubleshootFixit\.py --
> gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
>
> /var/run/setroubleshoot(/.*)?
> gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
>
> --
> 1.9.1
>

2014-04-11 15:03:04

by cpebenito

Subject: [refpolicy] [PATCH] [RFC] Fix strange file patterns

Dan/Miroslav, do you have any feedback on these? They seem like reasonable changes to me.

On 04/08/2014 10:21 AM, Sven Vermeulen wrote:
> I'm OK with the changes. I am not aware of a finger implementation that uses a single character prefix to "fingerd" that would match the expression as well.
>
> With kind regard,
> Sven Vermeulen
>
> On Apr 5, 2014 10:38 PM, "Nicolas Iooss" <nicolas.iooss at m4x.org> wrote:
>
> Some file patterns look very strange, like:
>
> /var/log/cluster/.*\.*log
>
> I've found such patterns while writing a script that parses the file patterns.
> Hence I haven't tested if the new file contexts apply to the existing files.
> For example, this patch changes
>
> /var/run/*.fingerd\.pid
>
> to
>
> /var/run/fingerd\.pid
>
> because "/*" seems weird to me, but this also changes the semantic of the
> pattern. Another possibility which doesn't change the meaning is:
>
> /var/run/?.fingerd\.pid
>
> I send this patch as an RFC because what I consider abnormal may in fact be
> something expected or a workaround to fix some bugs I'm not aware of.
> ---
> finger.fc | 2 +-
> rhcs.fc | 2 +-
> setroubleshoot.fc | 2 +-
> 3 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/finger.fc b/finger.fc
> index 843940b..623421d 100644
> --- a/finger.fc
> +++ b/finger.fc
> @@ -7,4 +7,4 @@
>
> /var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0)
>
> -/var/run/*.fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0)
> +/var/run/fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0)
> diff --git a/rhcs.fc b/rhcs.fc
> index 47de2d6..c619502 100644
> --- a/rhcs.fc
> +++ b/rhcs.fc
> @@ -14,7 +14,7 @@
>
> /var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
>
> -/var/log/cluster/.*\.*log <<none>>
> +/var/log/cluster/.*\.log <<none>>
> /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
> /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
> /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
> diff --git a/setroubleshoot.fc b/setroubleshoot.fc
> index 0b3a971..e89c06f 100644
> --- a/setroubleshoot.fc
> +++ b/setroubleshoot.fc
> @@ -1,6 +1,6 @@
> /usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
>
> -/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
> +/usr/share/setroubleshoot/SetroubleshootFixit\.py -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
>
> /var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
>
> --
> 1.9.1


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-04-11 15:11:27

by mgrepl

Subject: [refpolicy] [PATCH] [RFC] Fix strange file patterns

On 04/11/2014 05:03 PM, Christopher J. PeBenito wrote:
> Dan/Miroslav, do you have any feedback on these? They seem like reasonable changes to me.
>
> On 04/08/2014 10:21 AM, Sven Vermeulen wrote:
>> I'm OK with the changes. I am not aware of a finger implementation that uses a single character prefix to "fingerd" that would match the expression as well.
>>
>> With kind regard,
>> Sven Vermeulen
>>
>> On Apr 5, 2014 10:38 PM, "Nicolas Iooss" <nicolas.iooss at m4x.org> wrote:
>>
>> Some file patterns look very strange, like:
>>
>> /var/log/cluster/.*\.*log
>>
>> I've found such patterns while writing a script that parses the file patterns.
>> Hence I haven't tested if the new file contexts apply to the existing files.
>> For example, this patch changes
>>
>> /var/run/*.fingerd\.pid
>>
>> to
>>
>> /var/run/fingerd\.pid
>>
>> because "/*" seems weird to me, but this also changes the semantic of the
>> pattern. Another possibility which doesn't change the meaning is:
>>
>> /var/run/?.fingerd\.pid
>>
>> I send this patch as an RFC because what I consider abnormal may in fact be
>> something expected or a workaround to fix some bugs I'm not aware of.
>> ---
>> finger.fc | 2 +-
>> rhcs.fc | 2 +-
>> setroubleshoot.fc | 2 +-
>> 3 files changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/finger.fc b/finger.fc
>> index 843940b..623421d 100644
>> --- a/finger.fc
>> +++ b/finger.fc
>> @@ -7,4 +7,4 @@
>>
>> /var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0)
>>
>> -/var/run/*.fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0)
>> +/var/run/fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0)
>> diff --git a/rhcs.fc b/rhcs.fc
>> index 47de2d6..c619502 100644
>> --- a/rhcs.fc
>> +++ b/rhcs.fc
>> @@ -14,7 +14,7 @@
>>
>> /var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
>>
>> -/var/log/cluster/.*\.*log <<none>>
>> +/var/log/cluster/.*\.log <<none>>
>> /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
>> /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
>> /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
>> diff --git a/setroubleshoot.fc b/setroubleshoot.fc
>> index 0b3a971..e89c06f 100644
>> --- a/setroubleshoot.fc
>> +++ b/setroubleshoot.fc
>> @@ -1,6 +1,6 @@
>> /usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
>>
>> -/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
>> +/usr/share/setroubleshoot/SetroubleshootFixit\.py -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
>>
>> /var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
>>
>> --
>> 1.9.1

I am fine with these fixes.

2014-04-11 15:24:12

by cpebenito

Subject: [refpolicy] [PATCH] [RFC] Fix strange file patterns

On 04/05/2014 04:37 PM, Nicolas Iooss wrote:
> Some file patterns look very strange, like:
>
> /var/log/cluster/.*\.*log
>
> I've found such patterns while writing a script that parses the file patterns.
> Hence I haven't tested if the new file contexts apply to the existing files.
> For example, this patch changes
>
> /var/run/*.fingerd\.pid
>
> to
>
> /var/run/fingerd\.pid
>
> because "/*" seems weird to me, but this also changes the semantic of the
> pattern. Another possibility which doesn't change the meaning is:
>
> /var/run/?.fingerd\.pid
>
> I send this patch as an RFC because what I consider abnormal may in fact be
> something expected or a workaround to fix some bugs I'm not aware of.

Merged.


> ---
> finger.fc | 2 +-
> rhcs.fc | 2 +-
> setroubleshoot.fc | 2 +-
> 3 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/finger.fc b/finger.fc
> index 843940b..623421d 100644
> --- a/finger.fc
> +++ b/finger.fc
> @@ -7,4 +7,4 @@
>
> /var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0)
>
> -/var/run/*.fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0)
> +/var/run/fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0)
> diff --git a/rhcs.fc b/rhcs.fc
> index 47de2d6..c619502 100644
> --- a/rhcs.fc
> +++ b/rhcs.fc
> @@ -14,7 +14,7 @@
>
> /var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
>
> -/var/log/cluster/.*\.*log <<none>>
> +/var/log/cluster/.*\.log <<none>>
> /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
> /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
> /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
> diff --git a/setroubleshoot.fc b/setroubleshoot.fc
> index 0b3a971..e89c06f 100644
> --- a/setroubleshoot.fc
> +++ b/setroubleshoot.fc
> @@ -1,6 +1,6 @@
> /usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
>
> -/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
> +/usr/share/setroubleshoot/SetroubleshootFixit\.py -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
>
> /var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
>
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com