From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 26 Jul 2011 21:07:29 +0200
Subject: [refpolicy] new runtime udev directory tree (was Re: ANN: Reference Policy Release)
In-Reply-To: <4E2F0B0D.9050206@tresys.com>
References: <4E2F0B0D.9050206@tresys.com>
Message-ID: <1311707249.11418.19.camel@vortex>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Thanks very much Christopher for the new release!

Just a quick reminder that it seems to me that latest git (and thus
implicitly the new release) does not cater for proper file context
definitions yet for the new udev directory /run.

Latest udev releases are moving from /dev/.udev to /run (still optional
at this transition stage, but perhaps it will become mandatory one day).
In terms of release numbers, it should be at least any udev-17? (but
possibly also some of the udev-16?).

At the moment, I see:

# ls -lZ /dev/.udev/
drwxr-xr-x. root root system_u:object_r:udev_tbl_t:s0 ...

# grep ^/run policy/modules/kernel/files.fc
/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/run/.* gen_context(system_u:object_r:var_run_t,s0)
/run/.*\.*pid <<none>>
/run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)

# grep ^/var\/run policy/modules/kernel/files.fc
/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)

If the above is confirmed, we have an inconsistency for /run, because it
would just be a duplicate of /var/run, which potentially conflicts with
the new udev.

Regards,

Guido

On Tue, 2011-07-26 at 14:44 -0400, Christopher J. PeBenito wrote:
> A new release of the SELinux Reference Policy is now available on
> the Tresys OSS site, http://oss.tresys.com. This release primarily
> focused on general maintenance.
>
> The complete change log for this release follows at the end of the
> email.
>
> For people interested in helping Reference Policy development, the X
> desktop and role separation needs testing, in addition to general
> testing.
>
> * Tue Jul 26 2011 Chris PeBenito - 2.20110726
> - Fix role declarations to handle role attribute compilers.
> - Rename audioentropy module to entropyd due to haveged support.
> - Add haveged support from Sven Vermeulen.
> - Authentication file patch from Matthew Ife.
> - Add agent support to zabbix from Sven Vermeulen.
> - Cyrus file context update for Gentoo from Corentin Labbe.
> - Portage updates from Sven Vermeulen.
> - Fix init_system_domain() description, pointed out by Elia Pinto.
> - Postgresql selabel_lookup update from KaiGai Kohei.
> - Dovecot managesieve support from Mika Pfluger.
> - Semicolon after interface/template calls cleanup from Elia Pinto.
> - Gentoo courier updates from Sven Vermeulen.
> - Amavis patch for connecting to nslcd from Miroslav Grepl.
> - Shorewall patch from Miroslav Grepl.
> - Cpufreqselector dbus patch from Guido Trentalancia.
> - Cron pam_namespace and pam_loginuid support from Harry Ciao.
> - Xserver update for startx from Sven Vermeulen.
> - Fix MLS constraint for contains permission from Harry Ciao.
> - Apache user webpages fix from Dominick Grift.
> - Change default build.conf to modular policy from Stephen Smalley.
> - Xen refinement patch from Stephen Smalley.
> - Sudo timestamp file location update from Sven Vermeulen.
> - XServer keyboard event patch from Sven Vermeulen.
> - RAID uevent patch from Sven Vermeulen.
> - Gentoo ALSA init script usage patch from Sven Vermeulen.
> - LVM semaphore usage patch from Sven Vermeulen.
> - Module load request patch for insmod from Sven Vermeulen.
> - Cron default contexts fix from Harry Ciao.
> - Man page fixes from Justin Mattock.
> - Add syslog capability.
> - Support for logging in to /dev/console, from Harry Ciao.
> - Database object class updates and associated SEPostgreSQL changes from
>   KaiGai Kohei.
> - IPSEC SPD and Hadoop IPSEC updates from Paul Nuzzi.
> - Mount updates from Harry Ciao.
> - Semanage update for MLS systems from Harry Ciao.
> - Vlock terminal use update from Harry Ciao.
> - Hadoop CDH3 updates from Paul Nuzzi.
> - Add sepgsql_contexts appconfig files from KaiGai Kohei.
> - Added modules:
>     aiccu
>     bugzilla (Dan Walsh)
>     colord (Dan Walsh)
>     cmirrord (Miroslav Grepl)
>     mediawiki (Miroslav Grepl)
>     mpd (Miroslav Grepl)
>     ncftool
>     passenger (Miroslav Grepl)
>     qpid (Dan Walsh)
>     samhain (Harry Ciao)
>     telepathy (Dominick Grift)
>     tcsd (Stephen Smalley)
>     vnstatd (Dan Walsh)
>     zarafa (Miroslav Grepl)
>
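The labelling gap Guido describes can be checked without a policy build. The Python model below is an added example, not refpolicy code and not part of the thread: it parses the four /run lines quoted from files.fc, resolves a path the way setfiles/restorecon resolve it in simplified form (file-type qualifier honoured; among matching entries the most specific one wins, approximated here by fc_sort's ordering of longer literal stem, no regex metacharacters, then explicit type qualifier, with a later line winning ties), and then adds one hypothetical entry, `/run/udev(/.*)?` labelled `udev_tbl_t`, to show that without it everything udev writes under /run collapses into `var_run_t`. The `/run/udev` entry, the sample paths and the specificity key are assumptions of this example, not something the thread or refpolicy states.

```python
import re

# Constructed sample: the four /run entries Guido quotes from files.fc.
FILES_FC = r"""
/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/run/.* gen_context(system_u:object_r:var_run_t,s0)
/run/.*\.*pid <<none>>
/run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
"""

# Hypothetical entry (NOT from refpolicy): give udev's new runtime tree the
# type that /dev/.udev already carries.
UDEV_FC = "/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)"

# regex, optional file-type qualifier (-b -c -d -p -l -s --), context
_LINE = re.compile(r"^(\S+)(?:\s+(-[bcdlps-]))?\s+(\S+)$")
# characters fc_sort treats as regex metacharacters when computing the stem
_META = re.compile(r"[.*?+\[\](){}|^$\\]")
_QUAL_KIND = {"-d": "dir", "-l": "lnk", "--": "file", "-s": "sock",
              "-p": "fifo", "-c": "chr", "-b": "blk"}


def parse_fc(text):
    """Parse file_contexts lines into (compiled_regex, qualifier, type, index)."""
    specs = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("bad file_contexts line: " + line)
        regex, qual, ctx = m.groups()
        if ctx == "<<none>>":
            setype = "<<none>>"          # matched, but deliberately left unlabelled
        else:
            inner = ctx[len("gen_context("):-1]     # user:role:type,mls-range
            setype = inner.split(",")[0].split(":")[2]
        # file_contexts regexes are anchored to the whole path
        specs.append((re.compile("^" + regex + "$"), qual, setype, len(specs)))
    return specs


def specificity(spec):
    """Approximation of fc_sort: longer literal stem, no metachars, explicit
    qualifier, and finally later position all make an entry 'more specific'."""
    regex, qual, _, idx = spec
    pattern = regex.pattern[1:-1]                  # strip the ^ and $ we added
    m = _META.search(pattern)
    stem_len = m.start() if m else len(pattern)
    return (stem_len, m is None, qual is not None, idx)


def lookup(specs, path, kind="file"):
    """Return the type the path would receive, '<<none>>' for a deliberately
    unlabelled match, or None when no entry matches at all."""
    matches = [s for s in specs
               if s[0].match(path) and (s[1] is None or _QUAL_KIND[s[1]] == kind)]
    if not matches:
        return None
    return max(matches, key=specificity)[2]


def compare(path, kind="file"):
    """Label a path under the quoted files.fc with and without the udev entry."""
    base = parse_fc(FILES_FC)
    with_udev = parse_fc(FILES_FC + "\n" + UDEV_FC)
    return lookup(base, path, kind), lookup(with_udev, path, kind)


if __name__ == "__main__":
    for path, kind in [("/run", "dir"), ("/run/udev", "dir"),
                       ("/run/udev/data/c1:3", "file"),
                       ("/run/lock/subsys/foo", "file"), ("/run/sshd.pid", "file")]:
        before, after = compare(path, kind)
        print(f"{path:24s} {kind:5s} current={before}  with /run/udev entry={after}")
```

Running it shows `/run/udev/data/c1:3` resolving to `var_run_t` under the quoted policy and to `udev_tbl_t` only once the hypothetical entry exists, while `/run/lock/...` already gets `var_lock_t` and `/run/sshd.pid` hits the `<<none>>` entry because, with equal stems, the later line wins. The same tie rule is why a new `/run/udev` entry only needs to be more specific than `/run/.*`; its position in the file does not matter after fc_sort.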