From: guido@trentalancia.com (Guido Trentalancia)
Date: Thu, 09 Aug 2012 13:40:08 +0200
Subject: [refpolicy] [PATCH] Initial BIRD Internet Routing Daemon policy
In-Reply-To: <1344506394.16177.2.camel@d30.localdomain>
References: <1344415924-27382-1-git-send-email-dominick.grift@gmail.com> <5022443F.2040601@trentalancia.com> <1344426166.2306.31.camel@d30.localdomain> <502266E3.8060003@tresys.com> <1344435798.2306.41.camel@d30.localdomain> <50227F58.7040805@trentalancia.com> <50237EC8.5000303@trentalancia.com> <1344506394.16177.2.camel@d30.localdomain>
Message-ID: <5023A198.307@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/08/2012 11:59, Dominick Grift wrote:
>
>
> On Thu, 2012-08-09 at 11:11 +0200, Guido Trentalancia wrote:
>> On 08/08/2012 17:01, Guido Trentalancia wrote:
>>> On 08/08/2012 16:23, Dominick Grift wrote:
>>>>
>>>>
>>>> On Wed, 2012-08-08 at 09:17 -0400, Christopher J. PeBenito wrote:
>>>>> On 08/08/12 07:42, Dominick Grift wrote:
>>>>>> On Wed, 2012-08-08 at 12:49 +0200, Guido Trentalancia wrote:
>>>>>>> On 08/08/2012 10:52, Dominick Grift wrote:
>>>>>
>>>>>>>> --- /dev/null
>>>>>>>> +++ b/bird.fc
>>>>>>>> @@ -0,0 +1,11 @@
>>>>>>>> +/etc/bird\.conf -- gen_context(system_u:object_r:bird_etc_t,s0)
>>>>>>>> +
>>>>>>>> +/etc/default/bird -- gen_context(system_u:object_r:bird_etc_t,s0)
>>>>>>>> +
>>>>>>>> +/etc/rc\.d/init\.d/bird -- gen_context(system_u:object_r:bird_initrc_exec_t,s0)
>>>>>>>
>>>>>>> You might want to support init script locations for other distributions
>>>>>>> here, as in the oident module that you proposed to modify yesterday (I
>>>>>>> am going to modify the mcelog too for this purpose).
>>>>>>>
>>>>>>> Debian (but also Gentoo and many others) are currently using /etc/init\.d.
>>>>>>>
>>>>>>> The rest is unlikely to change; if it does, it's their business to
>>>>>>> modify the contexts, I think.
>>>>>>
>>>>>> You have a good point and I have been thinking about this issue
>>>>>> obviously. I decided to go this way because existing init daemons also
>>>>>> only have the /etc/rc.d/init.d and not the /etc/init.d.
>>>>>>
>>>>>> Maybe a better solution is to just add:
>>>>>>
>>>>>> /etc/init.d /etc/rc.d/init.d
>>>>>>
>>>>>> to file_contexts.subs_dist
>>>>>
>>>>> It's not a bad idea. I'd take a patch that cleaned this up across the entire policy.
>>>>>
>>>>
>>>> Should be as easy as appending /etc/init.d /etc/rc.d/init.d to
>>>> config/file_contexts.subs_dist
>>>>
>>>> However I am not sure if we should escape the periods
>>>
>>> It's probably safer to escape the periods anyway.
>>>
>>> But the point with using this is that it would probably be a mutually
>>> exclusive substitution.
>>>
>>> Therefore we might need ifdef distro conditionals (which makes the whole
>>> thing more robust anyway). Done in one central place, it should not
>>> constitute over-engineering, I suppose.
>>
>> I have checked, and file_contexts.subs_dist is a run-time configuration
>> file and not a build-time configuration file. Therefore it does not
>> support conditionals such as ifdef distro, but just the simplest form of
>> substitutions.
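Review bot: in the bird.fc hunk quoted above, the only init-script entry is /etc/rc\.d/init\.d/bird, so on distributions that install the script as /etc/init.d/bird (Debian, Gentoo, as noted in this thread) the script will not be labelled bird_initrc_exec_t unless the /etc/init.d /etc/rc.d/init.d equivalence is present in file_contexts.subs_dist; either add a second entry, `/etc/init\.d/bird -- gen_context(system_u:object_r:bird_initrc_exec_t,s0)`, next to the existing one, or state in the module that the Debian path relies on that subs_dist equivalence. The two bird_etc_t entries (/etc/bird\.conf and /etc/default/bird) raise no concern.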
>
> I do not think it matters because the paths aren't mutually exclusive, I
> believe.
>
> The name substitution (subs) is misleading, I believe; it's not actually
> substitution but rather equivalence.

To be honest, I did not check this. The wording "substitution" usually
implies "mutually exclusive" (as in something being replaced by something
else).

Anyway, I think each individual distribution packager can figure this out
easily. I have just completed the patch suggested by Christopher, so there
is now at least one specific comment reminding of the possibility of using
such a configuration file...

>>> Regards,
>>>
>>> Guido