From: guido@trentalancia.com (Guido Trentalancia)
Date: Thu, 09 Aug 2012 11:11:36 +0200
Subject: [refpolicy] [PATCH] Initial BIRD Internet Routing Daemon policy
In-Reply-To: <50227F58.7040805@trentalancia.com>
References: <1344415924-27382-1-git-send-email-dominick.grift@gmail.com> <5022443F.2040601@trentalancia.com> <1344426166.2306.31.camel@d30.localdomain> <502266E3.8060003@tresys.com> <1344435798.2306.41.camel@d30.localdomain> <50227F58.7040805@trentalancia.com>
Message-ID: <50237EC8.5000303@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/08/2012 17:01, Guido Trentalancia wrote:
> On 08/08/2012 16:23, Dominick Grift wrote:
>>
>>
>> On Wed, 2012-08-08 at 09:17 -0400, Christopher J. PeBenito wrote:
>>> On 08/08/12 07:42, Dominick Grift wrote:
>>>> On Wed, 2012-08-08 at 12:49 +0200, Guido Trentalancia wrote:
>>>>> On 08/08/2012 10:52, Dominick Grift wrote:
>>>
>>>>>> --- /dev/null
>>>>>> +++ b/bird.fc
>>>>>> @@ -0,0 +1,11 @@
>>>>>> +/etc/bird\.conf -- gen_context(system_u:object_r:bird_etc_t,s0)
>>>>>> +
>>>>>> +/etc/default/bird -- gen_context(system_u:object_r:bird_etc_t,s0)
>>>>>> +
>>>>>> +/etc/rc\.d/init\.d/bird -- gen_context(system_u:object_r:bird_initrc_exec_t,s0)
>>>>>
>>>>> You might want to support init script locations for other distributions
>>>>> here, as in the oident module that you proposed to modify yesterday (I
>>>>> am going to modify the mcelog too for this purpose).
>>>>>
>>>>> Debian (but also Gentoo and many others) are currently using /etc/init\.d.
>>>>>
>>>>> The rest is unlikely to change, if it does, it's their business to
>>>>> modify the contexts, I think.
>>>>
>>>> You have a good point and I have been thinking about this issue
>>>> obviously. I decided to go this way because existing init daemons also
>>>> only have the /etc/rc.d/init.d and not the /etc/init.d.
>>>>
>>>> Maybe a better solution is to just add:
>>>>
>>>> /etc/init.d /etc/rc.d/init.d
>>>>
>>>> to file_contexts.subs_dist
>>>
>>> It's not a bad idea. I'd take a patch that cleaned this up across the entire policy.
>>>
>>
>> Should be as easy as appending /etc/init.d /etc/rc.d/init.d to
>> config/file_contexts.subs_dist
>>
>> However I am not sure if we should escape the periods
>
> It's probably safer to escape the periods anyway.
>
> But the point with using this, is that it would probably be a mutually
> exclusive substitution.
>
> Therefore we might need ifdef distro conditionals (which makes the whole
> thing more robust anyway). Done in one central place should not
> constitute over-engineering, I suppose.

I have checked and file_contexts.subs_dist is a run-time configuration
file and not a build-time configuration file. Therefore it does not
support conditionals such as ifdef distro, but just the simplest form of
substitutions.

> Regards,
>
> Guido
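
Review bot: the last entry of the quoted bird.fc hunk labels the init script only at /etc/rc\.d/init\.d/bird, so on distributions that install it under /etc/init.d (Debian and Gentoo are named in this thread) nothing in this file assigns bird_initrc_exec_t to it. Either add a second entry, `/etc/init\.d/bird -- gen_context(system_u:object_r:bird_initrc_exec_t,s0)`, or land the `/etc/init.d /etc/rc.d/init.d` line in config/file_contexts.subs_dist first and note that dependency in the commit message. The hunk header announces 11 added lines but only five are quoted here, so this comment covers the visible entries only.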
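
The substitution discussed in this thread, as an added example that is not part of the original message or of refpolicy: a simplified Python model of the run-time lookup, in which the path is first rewritten through file_contexts.subs_dist and only then matched against the file_contexts regexes. It assumes substitution entries are compared as literal path prefixes on a path-component boundary (so periods in them are not regex metacharacters); the function names and the expanded context string are constructed for illustration.

```python
import re

# Constructed sample data: the subs_dist line proposed in the thread and the
# init-script entry of the quoted bird.fc hunk with gen_context() expanded.
SUBS_DIST = "/etc/init.d /etc/rc.d/init.d\n"
FILE_CONTEXTS = (
    r"/etc/rc\.d/init\.d/bird -- system_u:object_r:bird_initrc_exec_t:s0" "\n"
)


def parse_subs(text):
    """Return (alias, target) pairs; each entry is two literal paths."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and not fields[0].startswith("#"):
            pairs.append((fields[0].rstrip("/"), fields[1].rstrip("/")))
    return pairs


def substitute(path, subs):
    """Rewrite a leading alias to its target, only on a component boundary."""
    for alias, target in subs:
        if path == alias or path.startswith(alias + "/"):
            return target + path[len(alias):]
    return path


def lookup(path, subs, contexts=FILE_CONTEXTS):
    """Apply the substitution, then match the anchored file_contexts regexes.

    The file-type field ("--", regular file) is ignored in this model.
    """
    path = substitute(path, subs)
    for line in contexts.splitlines():
        fields = line.split()
        if len(fields) >= 2 and re.fullmatch(fields[0], path):
            return fields[-1]
    return None


if __name__ == "__main__":
    subs = parse_subs(SUBS_DIST)
    for p in ("/etc/rc.d/init.d/bird", "/etc/init.d/bird", "/etc/initXd/bird"):
        print(p, "->", lookup(p, subs))
```

With the substitution in place, the single /etc/rc\.d/init\.d entry labels the script at either location; without it, the /etc/init.d path matches nothing in this file.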