From: martin@martinorr.name (Martin Orr)
Date: Sun, 11 Jul 2010 18:48:59 +0100
Subject: [refpolicy] some Debian specific patches
In-Reply-To: <201007071702.17347.russell@coker.com.au>
References: <201007071702.17347.russell@coker.com.au>
Message-ID: <20100711184859.57714jpvyqkmc6ww@webmail.tuffmail.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed 7 Jul 08:02:17 2010, Russell Coker wrote:
> The attached patch has some Debian specific patches to the policy.

The following lines of dpkg.te are already upstream (indeed this patch deletes the last two and adds them back in a different place):

apt_use_fds(dpkg_script_t)
apt_rw_pipes(dpkg_script_t)
init_use_script_fds(dpkg_script_t)
init_use_script_ptys(dpkg_t)

The use of the userdomain attribute in dpkg.te breaks the encapsulation rules: the correct thing to do is to use dpkg_read_db in one of the user domain templates (userdom_common_user_template seems right to me).

I don't think the labelling of gnome-vfs-daemon belongs in dbus.fc unless it is getting a dbus type. I don't know whether bin_t is the correct type or not.

I am not sure, but I think it is better style to use read_files_pattern for system_dbusd_t (the reason for that patch is probably not obvious: it is because dbus reads /proc/X/cmdline for processes that connect to it, so it can include their name in its log messages).

I attach an amended patch that fixes the above issues, except for gnome-vfs-daemon, because I don't know what the correct type there is.

> I've put in a couple of ifdef(`distro_redhat' entries, in some of those cases
> we might want to make either the Debian or the Red Hat way the default for
> other distributions.

It seems to me rather pointless to put in all these distro defines, especially in file contexts - whatever distro you are running, if you have a file at /usr/libexec/dcc/dbclean then you probably want it labelled as dcc_dbclean_exec_t. And fcs for files that don't exist are harmless beyond using a few bytes.

However I leave that up to Chris; I have not touched the distro defines in my amended patch (except as suggested by Guido).

--
Martin Orr
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debian.diff
Type: text/x-diff
Size: 6773 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100711/78c556e3/attachment.bin
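An added illustration of the encapsulation point Martin raises about dpkg.te (constructed for this archive page; it is not the content of debian.diff, and the "before" rule is a stand-in for whatever the original patch wrote, since that line is not quoted in the mail). The interface body is sketched after the shape of refpolicy's dpkg_read_db, not copied from it.

```selinux
## BEFORE (style violation): dpkg.te reaches into another module's
## attribute (userdomain) to grant access to its own database type.
## Stand-in rule; the real one from the patch is not shown in the mail.
allow userdomain dpkg_var_lib_t:dir list_dir_perms;
allow userdomain dpkg_var_lib_t:file read_file_perms;

## AFTER, part 1: dpkg.if exposes the access through an interface that
## the dpkg module owns, so callers never name dpkg_var_lib_t directly.
## read_files_pattern($1, $2, $3) expands to
##   allow $1 $2:dir search_dir_perms;  allow $1 $3:file read_file_perms;
interface(`dpkg_read_db',`
	gen_require(`
		type dpkg_var_lib_t;
	')

	files_search_var_lib($1)
	list_dirs_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
	read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
')

## AFTER, part 2: the user-domain template in userdomain.if calls that
## interface for each user domain ($1_t).  The dependency now points from
## the user module to dpkg, and is optional so policy without the dpkg
## module still builds.  Other rules of the template are omitted here.
template(`userdom_common_user_template',`
	optional_policy(`
		dpkg_read_db($1_t)
	')
')
```

A quick check after such a change is `sesearch -A -s user_t -t dpkg_var_lib_t` on the built policy: the same allow rules should appear as before, only now sourced from the interface rather than from a raw attribute rule in dpkg.te.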