From: dwalsh@redhat.com (Daniel J Walsh) Date: Fri, 05 Mar 2010 11:46:53 -0500 Subject: [refpolicy] kernel_files.patch In-Reply-To: <1267729686.11679.58.camel@gorn.columbia.tresys.com> References: <4B8454CC.4030206@redhat.com> <1267729686.11679.58.camel@gorn.columbia.tresys.com> Message-ID: <4B91357D.6060001@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 03/04/2010 02:08 PM, Christopher J. PeBenito wrote: > On Tue, 2010-02-23 at 17:21 -0500, Daniel J Walsh wrote: > >> http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_files.patch >> >> New file context >> >> Lots of new interfaces >> > * need explanation as to why boot_t would be a device node. > I can't find why. Might be some bizarro ia64 type machine. I will remove and see if it comes back > * need additional explanation as to the purpose of system_conf_t. > Miroslav has this one. It has to do with system-config-firewall. > * the files_relabel_all_files() change is still rejected, since block > and chr files should have regular file types. > This one comes about because of mkinitd being run by rpm in post installs. Which does not happen any longer but I do not see what the benifit of turning this off. We have several tools like mock, liveusb_creator, kernel make etc that are going to create blk_files and chr_files in places like /tmp that might run a cp -p or some other tool that is going to try to relabel. > * the the files-delete_isid_type_files() additions need their own > interfaces instead. > Fixed > * same thing for files_delete_usr_files() > Removed > * the files_read_usr_files() change is excessive > Ok can we remove src_t altogether then. It just seems to cause bugs and I see no reason for this label. It's only reason for being is to create AVC messages. ./policy/modules/services/networkmanager.te:files_read_usr_src_files(NetworkManager_t) ./policy/modules/services/virt.te:files_read_usr_src_files(virtd_t) ./policy/modules/system/userdomain.if: files_read_usr_src_files($1_usertype) ./policy/modules/system/userdomain.if: files_exec_usr_src_files($1_t) ./policy/modules/system/modutils.te:files_read_usr_src_files(depmod_t) ./policy/modules/system/modutils.te: files_getattr_usr_src_files(update_modules_t) ./policy/modules/kernel/files.if: files_read_usr_src_files($1) ./policy/modules/kernel/files.if:interface(`files_getattr_usr_src_files',` ./policy/modules/kernel/files.if:interface(`files_read_usr_src_files',` ./policy/modules/kernel/files.if:interface(`files_exec_usr_src_files',` ./policy/modules/admin/bootloader.te:files_read_usr_src_files(bootloader_t) ./policy/modules/admin/portage.if: files_exec_usr_src_files($1) Only one of these you might care about is portage.if, if that is the case then I will eliminate the label from RedHat labeling. > * files_search_var_log() is wrong, var_log_t doesn't belong to the files > module. There is already an equivalent interface in logging. > Removed > * the concept of files_dump_core() is wrong. Applications do core dumps > in the current directory, and services just happen to "cd /" at the > start. It doesn't make sense for other domains. > Fine I need a domain for creating files in the / directory which I can then allow daemon to do. Do you want to call this files_manage_root? > * files_create_default_dir() needs to be 2 interfaces. > Added files_root_filetrans_default > * I don't even know what to make of files_boot(). > > I think this is caused by early boot of the kernel, /dev/ gets labeled boot_t until it gets relabeled in the initrc scripts. Might not exist any longer with the move to dracut. I will remove and see what happens. Most people run an unconfined_domain(kernel_t) anyways.