The attached patch has some Debian specific patches to the policy.
I've put in a couple of ifdef(`distro_redhat' entries, in some of those cases
we might want to make either the Debian or the Red Hat way the default for
other distributions.
--
russell at coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debian.diff
Type: text/x-patch
Size: 8847 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100707/63de32ba/attachment.bin
On Wed, 07/07/2010 at 17.02 +1000, Russell Coker wrote:
> The attached patch has some Debian specific patches to the policy.
>
> I've put in a couple of ifdef(`distro_redhat' entries, in some of those cases
> we might want to make either the Debian or the Red Hat way the default for
> other distributions.
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
After applying the patch I get the following errors (using the latest
release of userspace tools and refpolicy):
/etc/selinux/refpolicy-mcs/contexts/files/file_contexts: Multiple same
specifications for /var/lib/dcc(/.*)?.
/etc/selinux/refpolicy-mcs/contexts/files/file_contexts: Multiple same
specifications for /var/lib/dcc/map.
/etc/selinux/refpolicy-mcs/contexts/files/file_contexts: Invalid
argument
libsemanage.semanage_install_active: setfiles returned error code 1.
/usr/sbin/semodule: Failed!
In fact, after applying the patch the same two definitions are repeated
twice (for the debian define) in policy/modules/services/dcc.fc. Thus
the whole "ifdef(`distro_debian'..." should be probably removed from the
modified version...
Regards,
Guido
On Thu, 8 Jul 2010, Guido Trentalancia <[email protected]> wrote:
> In fact, after applying the patch the same two definitions are repeated
> twice (for the debian define) in policy/modules/services/dcc.fc. Thus
> the whole "ifdef(`distro_debian'..." should be probably removed from the
> modified version...
Good point. I've attached a new patch for dcc.fc. Do you agree with all the
other Debian changes from my previous patch?
--
russell at coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debian-dcc.diff
Type: text/x-patch
Size: 1455 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100708/b8818077/attachment.bin
On Thu, 08/07/2010 at 23.53 +1000, Russell Coker wrote:
> On Thu, 8 Jul 2010, Guido Trentalancia <[email protected]> wrote:
> > In fact, after applying the patch the same two definitions are repeated
> > twice (for the debian define) in policy/modules/services/dcc.fc. Thus
> > the whole "ifdef(`distro_debian'..." should be probably removed from the
> > modified version...
>
> Good point. I've attached a new patch for dcc.fc. Do you agree with all the
> other Debian changes from my previous patch?
>
I am testing it out. Have not checked everything toughrouly...
In policy//modules/admin/apt.fc I have not removed the following:
"/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0)"
Guido
On Wed 7 Jul 08:02:17 2010, Russell Coker wrote:
> The attached patch has some Debian specific patches to the policy.
The following lines of dpkg.te are already upstream (indeed this patch
deletes the last two and adds them back in a different place):
apt_use_fds(dpkg_script_t)
apt_rw_pipes(dpkg_script_t)
init_use_script_fds(dpkg_script_t)
init_use_script_ptys(dpkg_t)
The use of the userdomain attribute in dpkg.te breaks the
encapsulation rules: the correct thing to do is use dpkg_read_db in
one of the user domain templates (userdom_common_user_template seems
right to me).
I don't think the labelling of gnome-vfs-daemon belongs in dbus.fc
unless it is getting a dbus type. I don't know whether bin_t is the
correct type or not.
I am not sure, but I think it is better style to use
read_files_pattern for system_dbusd_t (the reason for that patch is
probably not obvious: it is because dbus reads /proc/X/cmdline for
processes that connect to it, so it can include their name in its log
messages).
I attach an amended patch that fixes the above issues, except for
gnome-vfs-daemon because I don't know what the correct type there is.
> I've put in a couple of ifdef(`distro_redhat' entries, in some of those cases
> we might want to make either the Debian or the Red Hat way the default for
> other distributions.
It seems to me rather pointless to put in all these distro defines,
especially in file contexts - whatever distro you are running, if you
have a file at /usr/libexec/dcc/dbclean then you probably want it
labelled as dcc_dbclean_exec_t. And fcs for files that don't exist
are harmless beyond using a few bytes.
However I leave that up to Chris, I have not touched the distro
defines in my amended patch (except as suggested by Guido).
--
Martin Orr
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debian.diff
Type: text/x-diff
Size: 6773 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100711/78c556e3/attachment.bin
On 07/11/10 13:48, Martin Orr wrote:
> On Wed 7 Jul 08:02:17 2010, Russell Coker wrote:
>> I've put in a couple of ifdef(`distro_redhat' entries, in some of
>> those cases
>> we might want to make either the Debian or the Red Hat way the default
>> for
>> other distributions.
>
> It seems to me rather pointless to put in all these distro defines,
> especially in file contexts - whatever distro you are running, if you
> have a file at /usr/libexec/dcc/dbclean then you probably want it
> labelled as dcc_dbclean_exec_t. And fcs for files that don't exist are
> harmless beyond using a few bytes.
>
> However I leave that up to Chris,
I tend to agree.
> I have not touched the distro defines
> in my amended patch (except as suggested by Guido).
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Tue, 13 Jul 2010, "Christopher J. PeBenito" <[email protected]> wrote:
> > It seems to me rather pointless to put in all these distro defines,
> > especially in file contexts - whatever distro you are running, if you
> > have a file at /usr/libexec/dcc/dbclean then you probably want it
> > labelled as dcc_dbclean_exec_t. And fcs for files that don't exist are
> > harmless beyond using a few bytes.
> >
> > However I leave that up to Chris,
>
> I tend to agree.
One benefit of distro defines in the file_contexts is that we know which
distributions they apply to. So if we have three distributions with different
directories used and two different versions of the daemon with different file
names then we can retire the old names in a sensible manner.
If there are no defines then it's difficult to determine who uses what.
Now we could have comments, but they aren't quite as good because there is no
requirement to keep them accurate.
--
russell at coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog