From: dominick.grift@gmail.com (Dominick Grift)
Date: Thu, 09 Aug 2012 11:59:54 +0200
Subject: [refpolicy] [PATCH] Initial BIRD Internet Routing Daemon policy
In-Reply-To: <50237EC8.5000303@trentalancia.com>
References: <1344415924-27382-1-git-send-email-dominick.grift@gmail.com> <5022443F.2040601@trentalancia.com> <1344426166.2306.31.camel@d30.localdomain> <502266E3.8060003@tresys.com> <1344435798.2306.41.camel@d30.localdomain> <50227F58.7040805@trentalancia.com> <50237EC8.5000303@trentalancia.com>
Message-ID: <1344506394.16177.2.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2012-08-09 at 11:11 +0200, Guido Trentalancia wrote:
> On 08/08/2012 17:01, Guido Trentalancia wrote:
> > On 08/08/2012 16:23, Dominick Grift wrote:
> >>
> >>
> >> On Wed, 2012-08-08 at 09:17 -0400, Christopher J. PeBenito wrote:
> >>> On 08/08/12 07:42, Dominick Grift wrote:
> >>>> On Wed, 2012-08-08 at 12:49 +0200, Guido Trentalancia wrote:
> >>>>> On 08/08/2012 10:52, Dominick Grift wrote:
> >>>
> >>>>>> --- /dev/null
> >>>>>> +++ b/bird.fc
> >>>>>> @@ -0,0 +1,11 @@
> >>>>>> +/etc/bird\.conf -- gen_context(system_u:object_r:bird_etc_t,s0)
> >>>>>> +
> >>>>>> +/etc/default/bird -- gen_context(system_u:object_r:bird_etc_t,s0)
> >>>>>> +
> >>>>>> +/etc/rc\.d/init\.d/bird -- gen_context(system_u:object_r:bird_initrc_exec_t,s0)
> >>>>>
> >>>>> You might want to support init script locations for other distributions
> >>>>> here, as in the oident module that you proposed to modify yesterday (I
> >>>>> am going to modify the mcelog too for this purpose).
> >>>>>
> >>>>> Debian (but also Gentoo and many others) are currently using /etc/init\.d.
> >>>>>
> >>>>> The rest is unlikely to change, if it does, it's their business to
> >>>>> modify the contexts, I think.
> >>>>
> >>>> You have a good point and i have been thinking about this issue
> >>>> obviously. I decided to go this way because existing init daemons also
> >>>> only have the /etc/rc.d/init.d and not the /etc/init.d.
> >>>>
> >>>> Maybe a better solution is to just add:
> >>>>
> >>>> /etc/init.d /etc/rc.d/init.d
> >>>>
> >>>> to file_contexts.subs_dist
> >>>
> >>> It's not a bad idea. I'd take a patch that cleaned this up across the entire policy.
> >>>
> >>
> >> Should be as easy as appending /etc/init.d /etc/rc.d/init.d to
> >> config/file_contexts.subs_dist
> >>
> >> However i am not sure if we should escape the periods
> >
> > It's probably safer to escape the periods anyway.
> >
> > But the point with using this, is that it would probably be a mutually
> > exclusive substitution.
> >
> > Therefore we might need ifdef distro conditionals (which makes the whole
> > thing more robust anyway). Done in one central place should not
> > constitute over-engineering, I suppose.
>
> I have checked and file_contexts.subs_dist is a run-time configuration
> file and not a build-time configuration file. Therefore it does not
> support conditionals such as ifdef distro, but just the simplest form of
> substitutions.

I do not think it matters because the paths aren't mutually exclusive i
believe. The name substitution (subs) is misleading i believe, it's not
actually substitution but rather equivalence.

> > Regards,
> >
> > Guido
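
Review bot: The last quoted entry in bird.fc, `/etc/rc\.d/init\.d/bird`, covers only the /etc/rc.d/init.d location, so an init script installed as /etc/init.d/bird would not match it and would not get bird_initrc_exec_t from this file. Either add a second entry for `/etc/init\.d/bird` with the same context, or make sure the `/etc/init.d /etc/rc.d/init.d` equivalence proposed in the thread is in config/file_contexts.subs_dist before this module is relied on for other distributions. The hunk header declares 11 added lines but only five are quoted here, so the remaining entries cannot be checked from this message.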
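
A simplified model of the path equivalence discussed in the thread, added here as an illustration (it is not code from the thread, from refpolicy or from libselinux). It assumes that subs_dist entries are literal path prefixes rewritten before the file-context regexes are tried, and it contains only the three bird.fc entries quoted in the patch; the function names are hypothetical.

```python
import re

# Constructed sample: the three bird.fc entries visible in the quoted patch,
# reduced to (path regex, SELinux type).
BIRD_FC = [
    (r"/etc/bird\.conf", "bird_etc_t"),
    (r"/etc/default/bird", "bird_etc_t"),
    (r"/etc/rc\.d/init\.d/bird", "bird_initrc_exec_t"),
]

# The equivalence proposed in the thread. Assumption of this model: both
# columns are plain path prefixes, so the periods are literal and unescaped.
SUBS_DIST = [("/etc/init.d", "/etc/rc.d/init.d")]


def apply_subs(path, subs):
    """Rewrite a leading prefix that ends on a path-component boundary."""
    for src, dst in subs:
        rest = path[len(src):]
        if path.startswith(src) and (rest == "" or rest.startswith("/")):
            return dst + rest
    return path


def lookup_type(path, subs=()):
    """Return the type of the first fully matching entry, or None.

    Ordering between overlapping entries is not modelled; the sample
    entries do not overlap.
    """
    path = apply_subs(path, subs)
    for regex, setype in BIRD_FC:
        if re.fullmatch(regex, path):
            return setype
    return None


if __name__ == "__main__":
    for p in ("/etc/rc.d/init.d/bird", "/etc/init.d/bird", "/etc/init.dX/bird"):
        print(p, "| without subs:", lookup_type(p),
              "| with subs:", lookup_type(p, SUBS_DIST))
```

In this model both init script locations resolve to the same type once the equivalence is present, and the /etc/rc.d/init.d path keeps matching unchanged, which is the sense in which the two paths are equivalent rather than mutually exclusive.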