The attached patch makes a bunch of trivial changes to file locations, most of
which are inside distro_debian blocks.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debian-location.diff
Type: text/x-patch
Size: 37637 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20111107/d8c1f3d0/attachment-0001.bin
On 11/07/11 07:50, Russell Coker wrote:
> The attached patch makes a bunch of trivial changes to file locations, most of
> which are inside distro_debian blocks.
I mostly merged this, with some rearrangement. Questions/notes on stuff that wasn't merged:
* Why was /etc/network/ifstate removed but no context added elsewhere?
* The authlogin.fc changes don't make sense to me.
* From what little I could find about logsave, I can't understand why it would make sense to label it fsadm_exec_t.
* The libraries changes make me think again about eliminating references to lib32/lib64 and using the matchpathcon substitution functions; it would seem cleaner.
* Not clear why /var/lib/alsa/asound.state should be alsa_etc_rw_t instead of alsa_var_lib_t, which it would get w/o the context you're adding. There are also dupe contexts being added.
* Instances of encapsulation breakage were removed
* Fixed tabs vs spaces whitespace errors
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Thu, 17 Nov 2011, "Christopher J. PeBenito" <[email protected]> wrote:
> On 11/07/11 07:50, Russell Coker wrote:
> > The attached patch makes a bunch of trivial changes to file locations,
> > most of which are inside distro_debian blocks.
>
> I mostly merged this, with some rearrangement. Questions/notes on stuff
> that wasn't merged:
>
> * Why was /etc/network/ifstate removed but no context added elsewhere?
Thanks, I've attached a patch to fix this.
> * The authlogin.fc changes don't make sense to me.
On Debian .pwd.lock is not used, passwd.lock is used instead and it is created
with type etc_t.
group.lock is created with type etc_t. I don't think that there's any reason
why a relabel should change the type of .pwd.lock, passwd.lock, or group.lock.
.gshadow.edit.swp and .shadow.edit.swp have contents of gshadow and shadow,
they MUST be labeled as shadow_t.
.passwd.edit.swp and .group.edit.swp are created as type shadow_t and there's
no benefit in relabelling them to a different type if they exist. Ideally the
processes which use such files would not have permission to write to etc_t to
reduce the possibility of granting inappropriate access to sensitive data, in
which case relabelling such files could prevent correct operation.
> * From what little I could find about logsave, I can't understand why it
> would make sense to label it fsadm_exec_t.
It's part of the e2fsprogs package and AFAIK it's only used for storing logs
from fsck.
> * The libraries changes make me think again about eliminating references to
> lib32/lib64 and using the matchpathcon substitution functions; it would seem
> cleaner.
Sounds fine to me.
> * Not clear
> why /var/lib/alsa/asound.state should be alsa_etc_rw_t instead of
> alsa_var_lib_t, which it would get w/o the context you're adding.
OK, I'll try it and see how it goes.
Also why did you remove the distro_debian from around
/usr/share/alsa/alsa\.conf? Surely no other distribution needs that!
> * Instances of encapsulation breakage
> were removed
I've attached a patch to fix that.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ifstate.diff
Type: text/x-patch
Size: 162 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20111117/762e38f3/attachment.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: encap.diff
Type: text/x-patch
Size: 2235 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20111117/762e38f3/attachment-0001.bin