2017-06-05 20:47:34

by Mira Ressel

Subject: [refpolicy] [PATCH] system/miscfiles: Also accept the path /usr/share/postgresql-$version

Currently, miscfiles.fc expects postgresql's files to sit in
/usr/share/postgresql/, but gentoo uses /usr/share/postgresql-$version/.

services/postgresql.fc already recognizes similarly versioned dirs in
/usr/lib/.
---
policy/modules/system/miscfiles.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index fb7e7b20..b17f8a6f 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -56,7 +56,7 @@ ifdef(`distro_redhat',`
/usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
/usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-/usr/share/postgresql/[^/]*/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+/usr/share/postgresql/?[^/]*/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
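Review bot: on the `+` line, making the slash optional with `/?[^/]*` removes the requirement for any separator after `postgresql`, so the entry now labels the man directory of every /usr/share directory whose name merely begins with "postgresql", not only /usr/share/postgresql-$version as the commit message describes. Suggest spelling the separator out, for example `/usr/share/postgresql[-/][^/]*/man(/.*)?`, which keeps the old /usr/share/postgresql/<dir>/man match and adds only the hyphenated form. The new pattern also matches /usr/share/postgresql/man directly, which the old one did not; the commit message should say whether that is intended.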

--
2.13.0


2017-06-07 00:09:56

by Chris PeBenito

Subject: [refpolicy] [PATCH] system/miscfiles: Also accept the path /usr/share/postgresql-$version

On 06/05/2017 04:47 PM, Luis Ressel via refpolicy wrote:
> Currently, miscfiles.fc expects postgresql's files to sit in
> /usr/share/postgresql/, but gentoo uses /usr/share/postgresql-$version/.
>
> services/postgresql.fc already recognizes similarly versioned dirs in
> /usr/lib/.
> ---
> policy/modules/system/miscfiles.fc | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
> index fb7e7b20..b17f8a6f 100644
> --- a/policy/modules/system/miscfiles.fc
> +++ b/policy/modules/system/miscfiles.fc
> @@ -56,7 +56,7 @@ ifdef(`distro_redhat',`
> /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
> /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
> /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
> -/usr/share/postgresql/[^/]*/man(/.*)? gen_context(system_u:object_r:man_t,s0)
> +/usr/share/postgresql/?[^/]*/man(/.*)? gen_context(system_u:object_r:man_t,s0)
> /usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
> /usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)

I wonder if it makes more sense to generalize this by changing
/usr/man(/.*)? to /usr/(.*/)?man(/.*)? instead.

--
Chris PeBenito

2017-06-07 11:36:49

by Mira Ressel

Subject: [refpolicy] [PATCH] system/miscfiles: Also accept the path /usr/share/postgresql-$version

On Tue, 6 Jun 2017 20:09:56 -0400
Chris PeBenito <[email protected]> wrote:

> I wonder if it makes more sense to generalize this by changing
> /usr/man(/.*)? to /usr/(.*/)?man(/.*)? instead.

I suppose you mean "/usr/share/(.*/)?man(/.*)?"? Your regex would also
match "man" directories in /usr/lib/, but it wouldn't apply to them
anyway, since the "/usr/lib(/.*)?" fc supersedes it.

We could of course add a second fc for that,
"/usr/lib/(.*/)?man(/.*)?", but I'm not sure whether it's worth it,
since there are few man directories in /usr/lib
(only /usr/lib/erlang/man on my system, plus the false
positive /usr/lib/swipl-7.2.3/xpce/man), and every domain is allowed to
access lib_t anyway.

Regards,
Luis Ressel

2017-06-07 12:01:07

by Mira Ressel

Subject: [refpolicy] [PATCH] system/miscfiles: Also accept the path /usr/share/postgresql-$version

Sorry, I'd missed we also have fc's for /usr/man, /usr/local/man and
/usr/X11R6/man. Now I agree that "/usr/(.*/)?man(/.*)?" would make
sense.

Regards,
Luis
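An added illustration (not part of the thread or of refpolicy) of how the file-context patterns discussed above label a few paths. The sample paths are constructed, apart from the two /usr/lib directories named in the thread, and the precedence rule is an assumed simplification in which the entry with the longest literal prefix wins, consistent with the statement that "/usr/lib(/.*)?" supersedes the generalized entry.

```python
import re

# File-context entries discussed in the thread: (regex, type). The lib_t entry
# is the "/usr/lib(/.*)?" fc mentioned in the replies.
OLD = ("/usr/share/postgresql/[^/]*/man(/.*)?", "man_t")
PATCHED = ("/usr/share/postgresql/?[^/]*/man(/.*)?", "man_t")
GENERAL = ("/usr/(.*/)?man(/.*)?", "man_t")
LIB = ("/usr/lib(/.*)?", "lib_t")

# Characters treated as regex metacharacters when measuring the literal stem.
META = re.compile(r"[.^$?*+|\[({]")


def stem_len(regex):
    """Length of the literal prefix before the first regex metacharacter."""
    m = META.search(regex)
    return m.start() if m else len(regex)


def label(path, entries):
    """Type of the most specific entry matching the whole path, or None.

    Assumed ordering (simplified): entries without metacharacters first,
    then longer literal stem, then longer regex.
    """
    hits = [(META.search(rx) is None, stem_len(rx), len(rx), typ)
            for rx, typ in entries if re.fullmatch(rx, path)]
    return max(hits)[3] if hits else None


# Constructed sample paths; the two /usr/lib directories come from the thread.
SAMPLES = [
    "/usr/share/postgresql/9.6/man/man1/psql.1",
    "/usr/share/postgresql-9.6/man/man1/psql.1",
    "/usr/share/postgresql-common/man/man1/example.1",
    "/usr/local/man/man1/foo.1",
    "/usr/lib/erlang/man/man1/erl.1",
    "/usr/lib/swipl-7.2.3/xpce/man/faq",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p}\n  old={label(p, [OLD, LIB])} "
              f"patched={label(p, [PATCHED, LIB])} "
              f"general={label(p, [GENERAL, LIB])}")
```

On a real system, `matchpathcon` shows the context the loaded policy assigns to a path.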