From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 09 Sep 2010 09:52:05 -0400
Subject: [refpolicy] [seutil 1/1] Redhat does not store selinux
 utilities in	/usr.
In-Reply-To: <4C88DBE3.9010607@tresys.com>
References: <20100903154927.GA27693@localhost.localdomain>
	<4C88DBE3.9010607@tresys.com>
Message-ID: <4C88E685.1040606@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/09/2010 09:06 AM, Christopher J. PeBenito wrote:
> On 09/03/10 11:49, Dominick Grift wrote:
>> Signed-off-by: Dominick Grift<domg472@gmail.com>
> 
> They still are in /usr on RHEL5.  Also, this doesn't matter too much 
> either way, since everything can search /usr due to libraries in /usr/lib.
> 
>> ---
>> :100644 100644 cecca76... c071664... M	policy/modules/system/selinuxutil.if
>>   policy/modules/system/selinuxutil.if |   47 ++++++++++++++++++++++++++-------
>>   1 files changed, 37 insertions(+), 10 deletions(-)
>>
>> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
>> index cecca76..c071664 100644
>> --- a/policy/modules/system/selinuxutil.if
>> +++ b/policy/modules/system/selinuxutil.if
>> @@ -1,4 +1,4 @@
>> -##<summary>Policy for SELinux policy and userland applications.</summary>
>> +##<summary>SELinux policy and userland applications.</summary>
>>
>>   #######################################
>>   ##<summary>
>> @@ -15,9 +15,12 @@ interface(`seutil_domtrans_checkpolicy',`
>>   		type checkpolicy_t, checkpolicy_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	domtrans_pattern($1, checkpolicy_exec_t, checkpolicy_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   ########################################
>> @@ -63,9 +66,12 @@ interface(`seutil_exec_checkpolicy',`
>>   		type checkpolicy_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	can_exec($1, checkpolicy_exec_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   #######################################
>> @@ -167,9 +173,12 @@ interface(`seutil_domtrans_newrole',`
>>   		type newrole_t, newrole_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	domtrans_pattern($1, newrole_exec_t, newrole_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   ########################################
>> @@ -216,9 +225,12 @@ interface(`seutil_exec_newrole',`
>>   		type newrole_t, newrole_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	can_exec($1, newrole_exec_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   ########################################
>> @@ -374,9 +386,12 @@ interface(`seutil_domtrans_runinit',`
>>   		type run_init_t, run_init_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	domtrans_pattern($1, run_init_exec_t, run_init_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   ########################################
>> @@ -511,9 +526,12 @@ interface(`seutil_domtrans_setfiles',`
>>   		type setfiles_t, setfiles_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	domtrans_pattern($1, setfiles_exec_t, setfiles_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   ########################################
>> @@ -558,9 +576,12 @@ interface(`seutil_exec_setfiles',`
>>   		type setfiles_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	can_exec($1, setfiles_exec_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   ########################################
>> @@ -1002,9 +1023,12 @@ interface(`seutil_domtrans_semanage',`
>>   		type semanage_t, semanage_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	domtrans_pattern($1, semanage_exec_t, semanage_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   ########################################
>> @@ -1051,9 +1075,12 @@ interface(`seutil_domtrans_setsebool',`
>>   		type setsebool_t, setsebool_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	domtrans_pattern($1, setsebool_exec_t, setsebool_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   ########################################
>>
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
> 
> 
Yes I do not think we need this patch.  (I believe we made a mistake
when we did not allow every domain read/execute access to usr_t,bin_t,
lib_t, var_t, var_lib_t, and probably a few others)
But I am probably in the minority.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyI5oUACgkQrlYvE4MpobNk/wCgrMeqm9ys/j6gjpilz67SuCw2
gyUAoKuZ9Zmiosz+R6gZD6oGFqmamPMS
=92Ip
-----END PGP SIGNATURE-----