From: guido@trentalancia.com (Guido Trentalancia) Date: Thu, 09 Aug 2012 13:44:51 +0200 Subject: [refpolicy] [PATCH]: clean up some useless duplicated file contexts for the initrc base directory (was Re: [PATCH] Initial BIRD Internet Routing Daemon policy) In-Reply-To: <502266E3.8060003@tresys.com> References: <1344415924-27382-1-git-send-email-dominick.grift@gmail.com> <5022443F.2040601@trentalancia.com> <1344426166.2306.31.camel@d30.localdomain> <502266E3.8060003@tresys.com> Message-ID: <5023A2B3.2070308@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello Christopher. On 08/08/2012 15:17, Christopher J. PeBenito wrote: > On 08/08/12 07:42, Dominick Grift wrote: >> On Wed, 2012-08-08 at 12:49 +0200, Guido Trentalancia wrote: >>> On 08/08/2012 10:52, Dominick Grift wrote: > >>>> --- /dev/null >>>> +++ b/bird.fc 
>>>> @@ -0,0 +1,11 @@ >>>> +/etc/bird\.conf -- gen_context(system_u:object_r:bird_etc_t,s0) >>>> + >>>> +/etc/default/bird -- gen_context(system_u:object_r:bird_etc_t,s0) >>>> + >>>> +/etc/rc\.d/init\.d/bird -- gen_context(system_u:object_r:bird_initrc_exec_t,s0) >>> >>> You might want to support init script locations for other distributions >>> here, as in the oident module that you proposed to modify yesterday (I >>> am going to modify the mcelog too for this purpose). >>> >>> Debian (but also Gentoo and many others) are currently using /etc/init\.d. >>> >>> The rest is unlikely to change, if it does, it's their business to >>> modify the contexts, I think. >> >> You have a good point and i have been thinking abou this issue >> obviously. I decided to go this way because existing init daemons also >> only have the /etc/rc.d/init.d and not the /etc/init.d. >> >> Maybe a better solution is to just add: >> >> /etc/init.d /etc/rc.d/init.d >> >> to file_contexts.subs_dist > > Its not a bad idea. I'd take a patch that cleaned this up across the entire policy. Here is a possible patch: Maintenance patch to remove some ambiguity and inconsistency introduced by the file contexts for the init scripts. The standard location for such files is assumed by the Reference Policy to be /etc/rc.d/init.d and distributions can customize such location by using the file_contexts.subs_dist file appropriately. - modify file contexts definitions for the hadoop contributed module; - improve a comment for the timidity contributed module; - clarify some comments in the init system interfaces.
Signed-off-by: Guido Trentalancia
---
policy/modules/contrib/hadoop.fc | 8 +-------
policy/modules/contrib/timidity.te | 2 +-
policy/modules/system/init.if | 34 ++++++++++++++++++++++++----------
3 files changed, 26 insertions(+), 18 deletions(-)
diff -pruN refpolicy-08082012/policy/modules/contrib/hadoop.fc refpolicy-08082012-remove-duplicate-initd-fc/policy/modules/contrib/hadoop.fc
--- refpolicy-08082012/policy/modules/contrib/hadoop.fc 2012-06-21 20:18:45.722498642 +0200
+++ refpolicy-08082012-remove-duplicate-initd-fc/policy/modules/contrib/hadoop.fc 2012-08-09 15:01:30.698380454 +0200
@@ -1,18 +1,12 @@
 /etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0)
-/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
-/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
-/etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
-
 /etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/hadoop-zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
 /etc/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_etc_t,s0)
 /etc/zookeeper\.dist(/.*)? gen_context(system_u:object_r:zookeeper_etc_t,s0)
diff -pruN refpolicy-08082012/policy/modules/contrib/timidity.te refpolicy-08082012-remove-duplicate-initd-fc/policy/modules/contrib/timidity.te
--- refpolicy-08082012/policy/modules/contrib/timidity.te 2012-06-21 20:18:45.757497382 +0200
+++ refpolicy-08082012-remove-duplicate-initd-fc/policy/modules/contrib/timidity.te 2012-08-09 15:06:45.923204027 +0200
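Review bot: Removing the six `/etc/init\.d/...` entries leaves the daemon-specific initrc_exec_t labels reachable only through a `/etc/init.d /etc/rc.d/init.d` substitution in file_contexts.subs_dist, and that substitution is not part of this patch (the diffstat lists only hadoop.fc, timidity.te and init.if). On a system whose scripts live under /etc/init.d and whose subs_dist lacks the entry, the hadoop and zookeeper scripts would no longer match any pattern in this file and would presumably receive a generic or default label, so the per-daemon domains these types exist to select would silently not be entered, and nothing would report the lost confinement. Either add the subs_dist line in the same patch or state the prerequisite in the commit message, e.g. `Depends on the /etc/init.d -> /etc/rc.d/init.d entry in config/file_contexts.subs_dist; without it, init.d-based layouts lose these labels.`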
@@ -72,7 +72,7 @@ sysnet_read_config(timidity_t)
 userdom_dontaudit_use_unpriv_user_fds(timidity_t)
 # stupid timidity won't start if it can't search its current directory.
-# allow this so /etc/init.d/alsasound start works from /root
+# allow this so the initrc script alsasound can be started from /root
 # cjp: this should be fixed if possible so this rule can be removed.
 userdom_search_user_home_dirs(timidity_t)
diff -pruN refpolicy-08082012/policy/modules/system/init.if refpolicy-08082012-remove-duplicate-initd-fc/policy/modules/system/init.if
--- refpolicy-08082012/policy/modules/system/init.if 2012-06-21 20:10:29.029804243 +0200
+++ refpolicy-08082012-remove-duplicate-initd-fc/policy/modules/system/init.if 2012-08-09 15:21:12.996017552 +0200
@@ -8,7 +8,9 @@ ##

 ## Create a file type used for init scripts. It can not be
 ## used in conjunction with init_script_domain(). These
-## script files are typically stored in the /etc/init.d directory.
+## script files are typically stored in either the /etc/init.d
+## or the /etc/rc.d/init.d directory (depending on the
+## specific distribution).
 ##

##

 ## Typically this is used to constrain what services an
@@ -21,6 +23,15 @@
 ## This also makes the type usable for files; thus an
 ## explicit call to files_type() is redundant.
 ##

+##

+## A quick and convenient way of adapting the location of the
+## init scripts (and in general any other base directory) for
+## different distributions is to edit the run-time configuration
+## file file_contexts.subs_dist. This file is located under the
+## subdirectory config/ of the Reference Policy build tree and
+## it is then available after installation in the subdirectory
+## contexts/files/ of the installed policy.
+##

 ##
 ##
 ##
@@ -165,8 +176,8 @@ interface(`init_ranged_domain',`
 ## which are started by init scripts. Short running processes
 ## should use the init_system_domain() interface instead.
 ## Typically all long running processes started by an init
-## script (usually in /etc/init.d) will need to use this
-## interface.
+## script (usually in /etc/init.d or /etc/rc.d/init.d, depending
+## on the distribution) will need to use this interface.
 ##
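Review bot: The paragraph added to the init-script file type interface description (the `+## A quick and convenient way...` lines) documents build-tree and installation layout (config/ and contexts/files/), which is policy-wide packaging guidance rather than a property of this interface and will go stale silently if those directories move; the description block it sits in starts and ends outside this hunk. I would keep a one-line pointer here, e.g. `## Distributions relocate init scripts via file_contexts.subs_dist rather than by adding file contexts.`, and move the directory details to the module summary or the build documentation that describes the subs_dist mechanism. The same two-location sentence is repeated in the four later hunks (-165, -251, -310, -369) with inconsistent wrapping (`depending` / `on the distribution)` in three of them, `depending on the` / `distribution)` in the -310 hunk); wrapping it identically would make the repeated sentence easier to grep and update together.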

##

 ## The types will be made usable as a domain and file, making
@@ -251,8 +262,9 @@ interface(`init_daemon_domain',`
 ## MLS/MCS range. Short running processes
 ## should use the init_ranged_system_domain() interface instead.
 ## Typically all long running processes started by an init
-## script (usually in /etc/init.d) will need to use this
-## interface if they need to run in a specific MLS/MCS range.
+## script (usually in /etc/init.d or /etc/rc.d/init.d, depending
+## on the distribution) will need to use this interface if
+## they need to run in a specific MLS/MCS range.
 ##

##

 ## The types will be made usable as a domain and file, making
@@ -310,8 +322,8 @@ interface(`init_ranged_daemon_domain',`
 ## Long running processes, such as daemons/services
 ## should use the init_daemon_domain() interface instead.
 ## Typically all short running processes started by an init
-## script (usually in /etc/init.d) will need to use this
-## interface.
+## script (usually in /etc/init.d or /etc/rc.d/init.d, depending on the
+## distribution) will need to use this interface.
 ##

##

 ## The types will be made usable as a domain and file, making
@@ -369,8 +381,9 @@ interface(`init_system_domain',`
 ## Long running processes
 ## should use the init_ranged_system_domain() interface instead.
 ## Typically all short running processes started by an init
-## script (usually in /etc/init.d) will need to use this
-## interface if they need to run in a specific MLS/MCS range.
+## script (usually in /etc/init.d or /etc/rc.d/init.d, depending
+## on the distribution) will need to use this interface if they
+## need to run in a specific MLS/MCS range.
 ##

##

 ## The types will be made usable as a domain and file, making
@@ -939,7 +952,8 @@ interface(`init_all_labeled_script_domtr
 ##

 ## Start and stop daemon programs directly
 ## in the traditional "/etc/init.d/daemon start"
-## style, and do not require run_init.
+## or "/etc/rc.d/init.d/daemon start" style,
+## and do not require run_init.
 ##

 ##
 ##