From: russell@coker.com.au (Russell Coker)
Date: Thu, 17 Nov 2011 12:18:23 +1100
Subject: [refpolicy] debian file location patch
In-Reply-To: <4EC41E51.7090002@tresys.com>
References: <201111072350.24188.russell@coker.com.au> <4EC41E51.7090002@tresys.com>
Message-ID: <201111171218.23806.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 17 Nov 2011, "Christopher J. PeBenito" wrote:
> On 11/07/11 07:50, Russell Coker wrote:
> > The attached patch makes a bunch of trivial changes to file locations,
> > most of which are inside distro_debian blocks.
>
> I mostly merged this, with some rearrangement. Questions/notes on stuff
> that wasn't merged:
>
> * Why was /etc/network/ifstate removed but no context added elsewhere?

Thanks, I've attached a patch to fix this.

> * The authlogin.fc changes don't make sense to me.

On Debian .pwd.lock is not used; passwd.lock is used instead, and it is created with type etc_t. group.lock is created with type etc_t. I don't think that there's any reason why a relabel should change the type of .pwd.lock, passwd.lock, or group.lock.

.gshadow.edit.swp and .shadow.edit.swp have the contents of gshadow and shadow; they MUST be labeled as shadow_t. .passwd.edit.swp and .group.edit.swp are created as type shadow_t, and there's no benefit in relabelling them to a different type if they exist. Ideally the processes which use such files would not have permission to write to etc_t, to reduce the possibility of granting inappropriate access to sensitive data, in which case relabelling such files could prevent correct operation.

> * From what little I could find about logsave, I can't understand why it
> would make sense to label it fsadm_exec_t.

It's part of the e2fsprogs package and AFAIK it's only used for storing logs from fsck.

> * The libraries changes make me think again about eliminating references
> to lib32/lib64 and using the matchpathcon substitution functions; it would
> seem cleaner.

Sounds fine to me.

> * Not clear why /var/lib/alsa/asound.state should be alsa_etc_rw_t instead
> of alsa_var_lib_t, which it would get w/o the context you're adding.

OK, I'll try it and see how it goes.

Also, why did you remove the distro_debian from around /usr/share/alsa/alsa\.conf? Surely no other distribution needs that!

> * Instances of encapsulation breakage were removed

I've attached a patch to fix that.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ifstate.diff
Type: text/x-patch
Size: 162 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20111117/762e38f3/attachment.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: encap.diff
Type: text/x-patch
Size: 2235 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20111117/762e38f3/attachment-0001.bin
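As an added illustration (not code from the thread or from refpolicy), the following Python script parses a constructed .fc fragment containing a distro_debian block and resolves paths to their type, showing the point made about .shadow.edit.swp above: the generic /etc entry would give it etc_t, and only the Debian-specific entries make it shadow_t. The fragment's entries are constructed, not the real authlogin.fc, and the matching rule (longest literal prefix, ties to the later entry) is a simplified stand-in for libselinux's file-context lookup.

```python
import re

# Constructed fragment in refpolicy .fc syntax (not the real authlogin.fc);
# the distro_debian entries follow the labeling argued for in the mail above.
FC_FRAGMENT = r"""
/etc(/.*)?                          gen_context(system_u:object_r:etc_t,s0)
/etc/shadow.*                 --    gen_context(system_u:object_r:shadow_t,s0)
/etc/gshadow.*                --    gen_context(system_u:object_r:shadow_t,s0)
ifdef(`distro_debian',`
/etc/\.shadow\.edit\.swp      --    gen_context(system_u:object_r:shadow_t,s0)
/etc/\.gshadow\.edit\.swp     --    gen_context(system_u:object_r:shadow_t,s0)
')
"""

# path regex, optional file-type flag (e.g. "--"), then gen_context(context,level)
ENTRY = re.compile(r"^(\S+)\s+(?:-\S\s+)?gen_context\(([^,)]+),")
META = set(".^$?*+|[(\\{")


def parse_fc(text, distro):
    """Return (regex, type) pairs; ifdef(`distro_x') blocks are kept only when distro == x."""
    entries, active = [], True
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"ifdef\(`(\w+)',`$", line)
        if m:
            active = m.group(1) == "distro_" + distro
            continue
        if line == "')":
            active = True
            continue
        m = ENTRY.match(line)
        if m and active:
            entries.append((m.group(1), m.group(2).split(":")[2]))
    return entries


def literal_prefix_len(pattern):
    # Length of the literal path prefix before the first regex metacharacter;
    # a simplified stand-in for libselinux's stem-based specificity ranking.
    for i, ch in enumerate(pattern):
        if ch in META:
            return i
    return len(pattern)


def resolve_type(entries, path):
    """Most specific full match wins (longest literal prefix); ties go to the later entry."""
    best = None
    for idx, (pattern, ftype) in enumerate(entries):
        if re.fullmatch(pattern, path):
            key = (literal_prefix_len(pattern), idx)
            if best is None or key > best[0]:
                best = (key, ftype)
    return best[1] if best else None
```

With distro "debian", /etc/.shadow.edit.swp resolves to shadow_t; with any other distro the block is skipped and the same path falls back to etc_t from the generic /etc entry.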