From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 02 Mar 2011 14:10:40 -0500
Subject: [refpolicy] [patch 1/3] Implementation of system conf type
In-Reply-To: <4D6E5523.7040001@tresys.com>
References: <4D5E95C1.9080805@redhat.com> <20110219095711.GA6270@siphos.be> <1298180267.3098.11.camel@tesla.lan> <4D62875A.8060006@redhat.com> <1298319075.11119.3.camel@tesla.lan> <4D63DA61.3050705@tresys.com> <1298391526.16004.8.camel@tesla.lan> <4D6D4FBA.5040005@tresys.com> <1299012069.14035.36.camel@tesla.lan> <4D6E5523.7040001@tresys.com>
Message-ID: <4D6E9630.4020405@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/02/2011 09:33 AM, Christopher J. PeBenito wrote:
> On 03/01/11 15:41, Guido Trentalancia wrote:
>> On Tue, 01/03/2011 at 14.57 -0500, Christopher J. PeBenito wrote:
>>> On 02/22/11 11:18, Guido Trentalancia wrote:
>>>> On Tue, 22/02/2011 at 10.46 -0500, Christopher J. PeBenito wrote:
>>>>> On 02/21/11 15:11, Guido Trentalancia wrote:
>>>>>> On Mon, 21/02/2011 at 10.40 -0500, Daniel J Walsh wrote:
>>>>>>> On 02/20/2011 12:37 AM, Guido Trentalancia wrote:
>>>>> I don't understand why system-config-firewall would need to write to
>>>>> etc_t, the iptables rules have their own labeling:
>>>>>
>>>>> /etc/sysconfig/ip6?tables.* --
>>>>> gen_context(system_u:object_r:iptables_conf_t,s0)
>>>>> /etc/sysconfig/system-config-firewall.* --
>>>>> gen_context(system_u:object_r:iptables_conf_t,s0)
>>>>>
>>>>>> Yes, this is very important. But isn't etc_runtime_t what is needed here
>>>>>> then?
>>>>>
>>>>> No, the purpose of that type is for generated files such as /.autofsck
>>>>> and /etc/motd.
>>>>
>>>> Well then I think we need to check a few labels:
>>>>
>>>> /etc/smartd\.conf.* -- system_u:object_r:etc_runtime_t:s0
>>>> /etc/reader\.conf -- system_u:object_r:etc_runtime_t:s0
>>>
>>> Right, these need to be reevaluated.
>>
>> I suppose you are going to take care of that.
>
> Dan/Miroslav, do you have any thoughts on this? I think these lines and
> the below four lines should be removed.
>
>>>> And there is also other stuff that is not automatically generated (if
>>>> that is what you meant by "generated"):
>>>>
>>>> /etc/motd -- system_u:object_r:etc_runtime_t:s0
>>>> /etc/issue -- system_u:object_r:etc_runtime_t:s0
>>>> /etc/HOSTNAME -- system_u:object_r:etc_runtime_t:s0
>>>> /etc/issue\.net -- system_u:object_r:etc_runtime_t:s0
>>>
>>> These can be generated out of init scripts. For example, Fedora used to
>>> generate /etc/issue out of an init script. It doesn't look like they do
>>> that anymore, so perhaps we should reconsider these too.
>>>
>>>> All the above mentioned files are configuration files by all means. Not
>>>> that it's an urgent matter, but according to what you just said,
>>>> etc_runtime_t is possibly misplaced there...
>>
>> Yes, some distributions generate very generic banners with the name of
>> the distribution and the version. But they are just meant to be examples
>> (similarly to generic configuration files installed by default in /etc
>> by most packages).
>>
>> They are static, so etc_t is what we need here.
>
Remove them and we will see what happens. The scripts that fix them might
need to run restorecon if they need to create them.
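The thread turns on which file_contexts entry wins for a given path (the specific `/etc/motd` line versus the generic `/etc` tree). As an added example, not code from the thread or from refpolicy, the following Python resolver parses entries in the syntax quoted above, in both the `gen_context(...)` and the expanded `user:role:type:mls` form, and reports the type a path is expected to carry. The sample file_contexts text is constructed from the entries in the thread plus an assumed generic `/etc(/.*)?` line, and the "most specific entry wins" rule is approximated by longest literal prefix, a simplification of libselinux's ordering.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: entries quoted in the thread plus an assumed generic /etc line.
FILE_CONTEXTS = r"""
/etc(/.*)?                                  gen_context(system_u:object_r:etc_t,s0)
/etc/sysconfig/ip6?tables.*             --  gen_context(system_u:object_r:iptables_conf_t,s0)
/etc/sysconfig/system-config-firewall.* --  gen_context(system_u:object_r:iptables_conf_t,s0)
/etc/smartd\.conf.*                     --  system_u:object_r:etc_runtime_t:s0
/etc/reader\.conf                       --  system_u:object_r:etc_runtime_t:s0
/etc/motd                               --  system_u:object_r:etc_runtime_t:s0
/etc/issue                              --  system_u:object_r:etc_runtime_t:s0
"""

# path_regex [file_type] context ; file_type is e.g. "--" (regular file) or "-d" (directory)
ENTRY_RE = re.compile(r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?(?P<ctx>\S+)$")
METACHARS = set(".[](){}*+?^$|")

@dataclass
class Entry:
    regex: re.Pattern
    ftype: Optional[str]   # None means the entry applies to every file type
    setype: str
    specificity: int       # length of the literal prefix before the first regex metachar

def literal_prefix_len(pattern: str) -> int:
    n = i = 0
    while i < len(pattern) and pattern[i] not in METACHARS:
        i += 2 if pattern[i] == "\\" else 1   # "\." is one literal character
        n += 1
    return n

def parse_context(ctx: str) -> str:
    # gen_context(u:r:t,mls) expands to u:r:t:mls; the type is the third field either way
    m = re.fullmatch(r"gen_context\(([^,]+),([^)]+)\)", ctx)
    full = f"{m.group(1)}:{m.group(2)}" if m else ctx
    return full.split(":")[2]

def parse_file_contexts(text: str) -> list[Entry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparseable file_contexts line: {line!r}")
        entries.append(Entry(re.compile(m["path"]), m["ftype"],
                             parse_context(m["ctx"]), literal_prefix_len(m["path"])))
    return entries

def expected_type(entries: list[Entry], path: str, ftype: str = "--") -> Optional[str]:
    # All entries whose regex matches the whole path and whose file type agrees;
    # the most specific (longest literal prefix) wins, mirroring matchpathcon's intent.
    hits = [e for e in entries if e.regex.fullmatch(path) and e.ftype in (None, ftype)]
    return max(hits, key=lambda e: e.specificity).setype if hits else None

ENTRIES = parse_file_contexts(FILE_CONTEXTS)
```

Comparing `expected_type()` against the label a file actually carries is what restorecon does for you; running the resolver over a policy's file_contexts shows which paths would move between etc_t and etc_runtime_t if the quoted lines were dropped.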