From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 08 Aug 2012 17:01:44 +0200
Subject: [refpolicy] [PATCH] Initial BIRD Internet Routing Daemon policy
In-Reply-To: <1344435798.2306.41.camel@d30.localdomain>
References: <1344415924-27382-1-git-send-email-dominick.grift@gmail.com> <5022443F.2040601@trentalancia.com> <1344426166.2306.31.camel@d30.localdomain> <502266E3.8060003@tresys.com> <1344435798.2306.41.camel@d30.localdomain>
Message-ID: <50227F58.7040805@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/08/2012 16:23, Dominick Grift wrote:
>
>
> On Wed, 2012-08-08 at 09:17 -0400, Christopher J. PeBenito wrote:
>> On 08/08/12 07:42, Dominick Grift wrote:
>>> On Wed, 2012-08-08 at 12:49 +0200, Guido Trentalancia wrote:
>>>> On 08/08/2012 10:52, Dominick Grift wrote:
>>
>>>>> --- /dev/null
>>>>> +++ b/bird.fc
>>>>> @@ -0,0 +1,11 @@
>>>>> +/etc/bird\.conf -- gen_context(system_u:object_r:bird_etc_t,s0)
>>>>> +
>>>>> +/etc/default/bird -- gen_context(system_u:object_r:bird_etc_t,s0)
>>>>> +
>>>>> +/etc/rc\.d/init\.d/bird -- gen_context(system_u:object_r:bird_initrc_exec_t,s0)
>>>>
>>>> You might want to support init script locations for other distributions
>>>> here, as in the oident module that you proposed to modify yesterday (I
>>>> am going to modify the mcelog too for this purpose).
>>>>
>>>> Debian (but also Gentoo and many others) are currently using /etc/init\.d.
>>>>
>>>> The rest is unlikely to change, if it does, it's their business to
>>>> modify the contexts, I think.
>>>
>>> You have a good point and I have been thinking about this issue
>>> obviously. I decided to go this way because existing init daemons also
>>> only have the /etc/rc.d/init.d and not the /etc/init.d.
>>>
>>> Maybe a better solution is to just add:
>>>
>>> /etc/init.d /etc/rc.d/init.d
>>>
>>> to file_contexts.subs_dist
>>
>> It's not a bad idea. I'd take a patch that cleaned this up across the entire policy.
>>
>
> Should be as easy as appending /etc/init.d /etc/rc.d/init.d to
> config/file_contexts.subs_dist
>
> However I am not sure if we should escape the periods

It's probably safer to escape the periods anyway.

But the point with using this is that it would probably be a mutually exclusive substitution. Therefore we might need ifdef distro conditionals (which makes the whole thing more robust anyway).

Done in one central place should not constitute over-engineering, I suppose.

Regards,

Guido
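
Review bot: the only init script entry in the quoted bird.fc hunk, `/etc/rc\.d/init\.d/bird`, matches a single location, so a script installed as /etc/init.d/bird would not match it and would not receive bird_initrc_exec_t from this file. Either add a second entry such as `/etc/init\.d/bird -- gen_context(system_u:object_r:bird_initrc_exec_t,s0)`, or say in the patch description that the /etc/init.d location is expected to be covered by a central equivalence in file_contexts.subs_dist, as proposed in this thread. The hunk header announces 11 added lines while only five are quoted here, so the remaining entries could not be checked.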