2012-07-28 17:06:11

by sven.vermeulen

Subject: [refpolicy] [PATCH 0/3] Introduce substitution for /usr/local

This patchset contains the suggestion to also have a substitution for
/usr/local towards /usr since manually installed applications use /usr/local as
their destination installation directory (instead of /usr) but *should* have the
same structure otherwise.

This is not only to clean up the defined file contexts a bit (there are not that
many references to /usr/local) but mainly to support such installed applications
almost out-of-the-box with our policies.


2012-07-28 17:06:12

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/3] Add in substitutions for /usr/local

Translate any paths towards /usr/local as if they were to /usr.

Since the substitutions aren't chained together, we need to define the rules for
the individual /usr/local/lib* directories as well.

Signed-off-by: Sven Vermeulen <[email protected]>
---
config/file_contexts.subs_dist | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index 32b87a4..72a7a0f 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -4,4 +4,7 @@
/run/lock /var/lock
/usr/lib32 /usr/lib
/usr/lib64 /usr/lib
+/usr/local /usr
+/usr/local/lib32 /usr/lib
+/usr/local/lib64 /usr/lib
/var/run/lock /var/lock
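Review bot: The added /usr/local entry is a path prefix of the /usr/local/lib32 and /usr/local/lib64 entries added directly below it, and the commit message states that substitutions are not chained, so a path under /usr/local/lib64 ends up under /usr/lib only if the more specific entry is the one that gets applied. Please state in the commit message which entry wins when several match, and include the matchpathcon output for one /usr/local/lib64 path as evidence.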
--
1.7.8.6
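
The non-chaining behaviour described in the commit message above, as an added Python sketch (not part of the original post and not libselinux code). It assumes a single pass in which the first matching entry wins and entries match only on a path-component boundary; the evaluation order is made explicit because the result for /usr/local/lib64 depends on it. The entries are the ones visible in the patched hunk; the sample paths are constructed.

```python
# Added example: simplified model of file_contexts.subs_dist path substitution.
# Assumptions (labelled, not taken from libselinux): one pass, first matching
# entry wins, and an entry matches only on a whole path-component boundary.

# Entries visible in the patched hunk of config/file_contexts.subs_dist.
SUBS_DIST = """
/run/lock /var/lock
/usr/lib32 /usr/lib
/usr/lib64 /usr/lib
/usr/local /usr
/usr/local/lib32 /usr/lib
/usr/local/lib64 /usr/lib
/var/run/lock /var/lock
"""

def parse_subs(text):
    """Return [(source_prefix, target_prefix), ...] in file order."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2:
            rules.append((fields[0], fields[1]))
    return rules

def substitute(path, rules):
    """Rewrite the path prefix once; the result is never scanned again."""
    for src, dst in rules:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path

def compare_orders(path):
    """Result when entries are tried top-down versus bottom-up."""
    rules = parse_subs(SUBS_DIST)
    return substitute(path, rules), substitute(path, rules[::-1])

def without_lib_entries(path):
    """Same file minus the two /usr/local/lib* entries the patch adds."""
    rules = [r for r in parse_subs(SUBS_DIST)
             if not r[0].startswith("/usr/local/lib")]
    return substitute(path, rules)

if __name__ == "__main__":
    for p in ("/usr/local/lib64/libfoo.so",   # constructed sample paths
              "/usr/local/bin/tool",
              "/usr/localized/data"):
        print(p, compare_orders(p), without_lib_entries(p))
```

In this model the /usr/local/lib64 entry only takes effect when it is tried before /usr/local; without it, or with /usr/local tried first, the path stays under /usr/lib64 because the result is not substituted a second time.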

2012-07-28 17:06:13

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/3] Update file contexts to match substitution

Update the file contexts to match the /usr/local substitution (for core modules)

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/corecommands.fc | 9 ++++---
policy/modules/kernel/files.fc | 9 --------
policy/modules/system/ipsec.fc | 5 ----
policy/modules/system/libraries.fc | 35 ++++++++++++++++-----------------
policy/modules/system/miscfiles.fc | 5 ----
policy/modules/system/unconfined.fc | 2 +-
6 files changed, 23 insertions(+), 42 deletions(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index db981df..850b6a9 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -184,6 +184,8 @@ ifdef(`distro_gentoo',`
/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)

+/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)

/usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -251,10 +253,9 @@ ifdef(`distro_gentoo',`

/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)

-/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)

/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
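Review bot: The removed line /usr/local/lib(64)?/ipsec/.* (bin_t) has no replacement in this hunk, unlike the Brother, Printer and linuxprinter entries, which are re-added under /usr. After the substitution these files are looked up as /usr/lib/ipsec/..., so please confirm that an equivalent /usr/lib/ipsec/.* bin_t entry already exists elsewhere in corecommands.fc, or add one here.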
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 8796ca3..9f95ab2 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -204,13 +204,6 @@ ifdef(`distro_debian',`

/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)

-/usr/local/\.journal <<none>>
-
-/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
-
-/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
-/usr/local/lost\+found/.* <<none>>
-
/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/lost\+found/.* <<none>>

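Review bot: The removals of /usr/local/\.journal and /usr/local/etc(/.*)? have no /usr counterpart among the context lines here; only lost\+found does. With the substitution a lookup for /usr/local/etc becomes /usr/etc, so unless /usr/etc(/.*)? and /usr/\.journal entries exist outside this hunk, /usr/local/etc stops being labelled etc_t. Please add them or point to where they are defined.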
@@ -220,8 +213,6 @@ ifdef(`distro_debian',`
/usr/tmp/.* <<none>>

ifndef(`distro_redhat',`
-/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
-
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index ec85acb..662e79b 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -27,11 +27,6 @@
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)

-/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-
/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
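Review bot: The four removed /usr/local/lib(64)?/ipsec/ entries (eroute, klipsdebug, pluto, spi) are dropped without any added line, and the visible context only shows /usr/libexec/ipsec/spi. Please confirm that matching /usr/lib/ipsec/ entries with ipsec_exec_t sit above this hunk; otherwise a locally built install loses its ipsec_exec_t entry points.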
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index ef8bbaf..1f41e39 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -103,6 +103,8 @@ ifdef(`distro_redhat',`
#
# /usr
#
+/usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+
/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)

@@ -117,6 +119,7 @@ ifdef(`distro_redhat',`

/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)

+/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -148,11 +151,9 @@ ifdef(`distro_redhat',`
/usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)

-/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
-/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)

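Review bot: The generic lib_t line removed here, /usr/(local/)?.*\.so(\.[^/]*)*, comes back in the first hunk of this file at the top of the /usr section, ahead of the textrel_shlib_t entries instead of after them. If position in the .fc file has any influence on which entry is chosen for a given library, that move changes labels independently of the /usr/local cleanup; a diff of the generated file_contexts before and after the patch would settle it. The replacement /usr/lib/wine/.+\.so also drops (64)?, so it depends on the /usr/lib64 and /usr/local/lib64 substitutions being in place.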
@@ -181,6 +182,8 @@ ifdef(`distro_redhat',`
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
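Review bot: The added /usr/libmpg123\.so(\.[^/]*)* is narrower than the /usr/local(/.*)?/libmpg123\.so(\.[^/]*)* entry this patch removes further down: after the substitution it only matches the library directly in /usr/local, not in a subdirectory outside lib*. To keep the old coverage it should mirror the nprhapengine line above it, i.e. /usr/(.*/)?libmpg123\.so(\.[^/]*)*.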
@@ -240,14 +243,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_

# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)

HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)

# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -269,20 +269,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te

# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)

-/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)

/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)

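Review bot: The re-added /usr/Adobe/(.*/)?intellinux/sidecars/* line carries over a pattern that, read as a regular expression, ends in zero or more slashes rather than matching anything below sidecars/. Since the line is being rewritten anyway, sidecars/.* is probably what was meant and could be fixed in the same change.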
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index fe3427d..7368cca 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -36,11 +36,6 @@ ifdef(`distro_redhat',`

/usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)

-/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-
-/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
-
/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)

/usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
index 0abaf84..25efa00 100644
--- a/policy/modules/system/unconfined.fc
+++ b/policy/modules/system/unconfined.fc
@@ -8,7 +8,7 @@
/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)

-/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)

ifdef(`distro_debian',`
/usr/bin/gcj-dbtool-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
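Review bot: /usr/RealPlayer/realplay\.bin reads as a real /usr path, but it exists only to be reached through the /usr/local substitution, and it now also gives unconfined_execmem_exec_t to a literal /usr/RealPlayer/realplay.bin, which the old entry did not. A one-line comment above it saying that it covers /usr/local/RealPlayer would keep a later cleanup from dropping it as a bogus path.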
--
1.7.8.6

2012-07-28 17:06:14

by sven.vermeulen

Subject: [refpolicy] [PATCH 3/3] Update file contexts to match /usr/local transition

Use /usr instead of /usr/local to match the file substitution

Signed-off-by: Sven Vermeulen <[email protected]>
---
inetd.fc | 2 +-
java.fc | 2 --
kerberos.fc | 8 ++++----
lpd.fc | 4 ++--
4 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/inetd.fc b/inetd.fc
index 39d5baa..6107467 100644
--- a/inetd.fc
+++ b/inetd.fc
@@ -1,7 +1,7 @@
+/usr/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)

/usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
/usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
-/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)

/usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
/usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
diff --git a/java.fc b/java.fc
index bc1a419..f630930 100644
--- a/java.fc
+++ b/java.fc
@@ -28,8 +28,6 @@
/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)

-/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-
/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)

ifdef(`distro_redhat',`
diff --git a/kerberos.fc b/kerberos.fc
index 3525d24..0a3d05a 100644
--- a/kerberos.fc
+++ b/kerberos.fc
@@ -13,13 +13,13 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)

-/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)

-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)

/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
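Review bot: /usr/var/krb5kdc(/.*)? and /usr/var/krb5kdc/principal.* are not paths anyone would expect to exist; they only make sense as the substituted form of /usr/local/var/krb5kdc. Because they carry krb5kdc_conf_t and krb5kdc_principal_t for the KDC database of a locally built Kerberos, please add a comment naming the /usr/local origin so the entries are not removed later as typos.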
diff --git a/lpd.fc b/lpd.fc
index 5c9eb68..62a8834 100644
--- a/lpd.fc
+++ b/lpd.fc
@@ -16,6 +16,8 @@
/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)

+/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
/usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
@@ -24,8 +26,6 @@
/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)

-/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
-
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)

#
--
1.7.8.6

2012-07-31 18:51:44

by cpebenito

Subject: [refpolicy] [PATCH 1/3] Add in substitutions for /usr/local

On 07/28/12 13:06, Sven Vermeulen wrote:
> Translate any paths towards /usr/local as if they were to /usr.
>
> Since the substitutions aren't chained together, we need to define the rules for
> the individual /usr/local/lib* directories as well.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> config/file_contexts.subs_dist | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
> index 32b87a4..72a7a0f 100644
> --- a/config/file_contexts.subs_dist
> +++ b/config/file_contexts.subs_dist
> @@ -4,4 +4,7 @@
> /run/lock /var/lock
> /usr/lib32 /usr/lib
> /usr/lib64 /usr/lib
> +/usr/local /usr

I'm reluctant to make this substitution. From my experience, too many things don't seem to follow this well.

> +/usr/local/lib32 /usr/lib
> +/usr/local/lib64 /usr/lib

I'd be more accepting of this change.

> /var/run/lock /var/lock
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-07-31 19:14:31

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/3] Add in substitutions for /usr/local

On Tue, Jul 31, 2012 at 02:51:44PM -0400, Christopher J. PeBenito wrote:
> On 07/28/12 13:06, Sven Vermeulen wrote:
> > diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
> > index 32b87a4..72a7a0f 100644
> > --- a/config/file_contexts.subs_dist
> > +++ b/config/file_contexts.subs_dist
> > @@ -4,4 +4,7 @@
> > /run/lock /var/lock
> > /usr/lib32 /usr/lib
> > /usr/lib64 /usr/lib
> > +/usr/local /usr
>
> I'm reluctant to make this substitution. From my experience, too many things don't seem to follow this well.
>
> > +/usr/local/lib32 /usr/lib
> > +/usr/local/lib64 /usr/lib
>
> I'd be more accepting of this change.

No problem, experience is important here ;-)

Wkr,
Sven Vermeulen