From: guido@trentalancia.com (Guido Trentalancia) Date: Thu, 09 Aug 2012 20:28:58 +0200 Subject: [refpolicy] [PATCH v2 1/2] Use substitutions for /usr/local/lib and /etc/init.d In-Reply-To: <20120809174458.GB32628@siphos.be> References: <20120809174351.GA32628@siphos.be> <20120809174458.GB32628@siphos.be> Message-ID: <5024016A.5060700@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/08/2012 19:44, Sven Vermeulen wrote: > > Introduce the substitutions for the /usr/local/lib* locations (towards /usr/lib) > and /etc/init.d (towards /etc/rc.d/init.d). > > Update the file contexts of the translated locations. > > Signed-off-by: Sven Vermeulen > --- > config/file_contexts.subs_dist | 4 ++++ > policy/modules/kernel/corecommands.fc | 3 --- > policy/modules/kernel/files.fc | 2 +- > policy/modules/services/xserver.fc | 4 ++-- > policy/modules/system/init.fc | 2 -- > policy/modules/system/ipsec.fc | 5 ----- > policy/modules/system/libraries.fc | 1 - > 7 files changed, 7 insertions(+), 14 deletions(-) > > diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist > index 32b87a4..5c93bb4 100644 > --- a/config/file_contexts.subs_dist > +++ b/config/file_contexts.subs_dist > @@ -1,7 +1,11 @@ > +/etc/init.d /etc/rc.d/init.d > /lib32 /lib > /lib64 /lib > /run /var/run > /run/lock /var/lock > /usr/lib32 /usr/lib > /usr/lib64 /usr/lib > +/usr/local/lib32 /usr/lib > +/usr/local/lib64 /usr/lib > +/usr/local/lib/ /usr/lib/ > /var/run/lock /var/lock > diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc > index 16b3f1b..9020aa1 100644 > --- a/policy/modules/kernel/corecommands.fc > +++ b/policy/modules/kernel/corecommands.fc 
> @@ -66,8 +66,6 @@ ifdef(`distro_redhat',` > /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0) > /etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0) > > -/etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) > - My advice is to leave this (and a couple more) for safety, as it would probably do more good than harm. The substitution file is a configuration file and it can be edited erroneously. > /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0) > /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) > > @@ -257,7 +255,6 @@ ifdef(`distro_gentoo',` > > /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) > > -/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) > /usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) > diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc > index 8796ca3..1975fc4 100644 > --- a/policy/modules/kernel/files.fc > +++ b/policy/modules/kernel/files.fc > @@ -84,7 +84,7 @@ ifdef(`distro_redhat',` > > ifdef(`distro_suse',` > /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) > -/etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) My advice is to leave this (and a couple more) for safety, as it would probably do more good than harm. The substitution file is a configuration file and it can be edited erroneously. Also, I think it's dangerous to edit inside the distribution ifdefs. > +/etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) > ') > > # > diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc > index fc86b7c..be8f670 100644 > --- a/policy/modules/services/xserver.fc > +++ b/policy/modules/services/xserver.fc 
> @@ -22,13 +22,13 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) > /etc/gdm/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) > /etc/gdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) > > -/etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0) > - > /etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0) > /etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0) > /etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) > /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0) > > +/etc/rc\.d/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0) > + > /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) > /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) > /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) > diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc > index d2e40b8..03e27db 100644 > --- a/policy/modules/system/init.fc > +++ b/policy/modules/system/init.fc > @@ -1,8 +1,6 @@ > # > # /etc > # > -/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) > - My advice is to leave this (and a couple more) for safety, as it would probably do more good than harm. The substitution file is a configuration file and it can be edited erroneously. > /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) > /etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0) > > diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc > index ec85acb..662e79b 100644 > --- a/policy/modules/system/ipsec.fc > +++ b/policy/modules/system/ipsec.fc 
> @@ -27,11 +27,6 @@ > /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) > /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) > > -/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) > -/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) > -/usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) > -/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) > - You have not replaced the above four entries with anything... Even if it was obsolete stuff, I would recommend not removing them completely unless, say, the obsolete source code is no longer available at the main distribution point. > /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) > /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) > /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) > diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc > index ef8bbaf..f302477 100644 > --- a/policy/modules/system/libraries.fc > +++ b/policy/modules/system/libraries.fc > @@ -242,7 +242,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ > /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) > /usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) > /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) > -/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) > > HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) > HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) >
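Review bot: in the config/file_contexts.subs_dist hunk, the new `/usr/local/lib/ /usr/lib/` line is the only entry written with trailing slashes; the three other additions and every existing line are bare prefixes. libselinux applies a substitution by matching the source as a path prefix and then requiring the next character of the looked-up path to be `/` or the end of the string, so unless the library strips the trailing slash when it reads the file, a source of `/usr/local/lib/` will not match `/usr/local/lib/libfoo.so` (the character after the prefix is `l`) and can never match `/usr/local/lib` itself. Suggest `/usr/local/lib /usr/lib`, in the same form as the `lib32`/`lib64` lines directly above it. The commit message should also say that, once these entries are in place, any file_contexts regex beginning with `/usr/local/lib` or `/etc/init\.d` is unreachable (the path is rewritten before it is matched), which is why the removals and renames in the later hunks are required and why every remaining entry of that shape in the policy needs the same sweep.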
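Review bot: the first policy/modules/kernel/corecommands.fc hunk removes `/etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)` from the `distro_redhat` block without a replacement appearing in the hunk. With `/etc/init.d` now rewritten to `/etc/rc.d/init.d` before matching, this file keeps bin_t only if a `/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)` entry exists elsewhere in that block; otherwise it falls to whatever generic `/etc/rc\.d/init\.d/.*` rule applies, which is a label change for a file that init scripts source rather than execute. If the replacement already exists, state it in the commit message; if not, rename the entry the way the files.fc and xserver.fc hunks do instead of dropping it.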
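Review bot: the second corecommands.fc hunk (the `distro_gentoo` block) drops `/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)`, which is consistent with the new substitution since those paths are now looked up as `/usr/lib/ipsec/...`, but the hunk shows no `/usr/lib/ipsec/.*` entry taking over. Note that the `/usr/lib64 /usr/lib` substitution already present in file_contexts.subs_dist makes a `(64)?` alternative unnecessary in any replacement; a plain `/usr/lib/ipsec/.*` line is enough. Please name in the commit message which rule labels `/usr/lib/ipsec/` after this change, or add it in the same hunk.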
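Review bot: the policy/modules/kernel/files.fc hunk renames the `distro_suse` entry to `/etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)` rather than deleting it, which is the right mechanical change: an entry starting with `/etc/init\.d` can no longer match once lookups are rewritten, and the longer literal stem of the renamed entry keeps its precedence over any generic `/etc/rc\.d/init\.d/.*` rule after fc_sort. This is the pattern the init.fc and corecommands.fc hunks should follow as well; a patch that renames some `/etc/init\.d` entries and silently removes others is hard to verify, so either approach should be used consistently, or the commit message should explain which entries were removed because a `/etc/rc\.d/init\.d` rule already covers them.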
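Review bot: the policy/modules/system/init.fc hunk deletes `/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)`, the rule that labels every init script on a distribution that installs them under /etc/init.d, and the remaining context (`/etc/rc\.d/rc`, `/etc/rc\.d/rc\.[^/]+`) does not show the `/etc/rc\.d/init\.d/.*` rule the substitution now depends on. If that rule sits further down in init.fc this is fine and the commit message should say so; if it does not, init scripts lose initrc_exec_t and the entrypoint-based transition into the initrc domain stops firing, which is exactly the kind of regression the inline comment about the substitution file being an editable configuration file is worried about. Keeping a single generic `/etc/rc\.d/init\.d/.*` rule visible in this hunk would make the intent checkable.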
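Review bot: agree with the inline comment on the policy/modules/system/ipsec.fc hunk: the four `/usr/local/lib(64)?/ipsec/(eroute|klipsdebug|pluto|spi) -- gen_context(system_u:object_r:ipsec_exec_t,s0)` lines are removed and no `/usr/lib/ipsec/...` counterpart appears in the hunk; the only ipsec_exec_t context visible is `/usr/libexec/ipsec/spi`. After the new substitution a lookup of `/usr/local/lib/ipsec/pluto` is rewritten to `/usr/lib/ipsec/pluto`, which the removed regexes would not have matched anyway, so removing them is necessary, but the replacement must exist or these binaries silently lose their entrypoint label and the ipsec domain transition. Unless ipsec.fc already carries `/usr/lib/ipsec/eroute`, `/usr/lib/ipsec/klipsdebug`, `/usr/lib/ipsec/pluto` and `/usr/lib/ipsec/spi` entries above this hunk (the context does not show them), add them here and mention them in the commit message.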
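Review bot: the policy/modules/system/libraries.fc hunk drops `/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`, which is correct because the rewritten path is matched by the `/usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)*` line kept just above it, so the textrel_shlib_t label (and with it the execmod permission the domain needs) is preserved. The `/usr/local(/.*)?/libmpg123\.so(\.[^/]*)*` line two lines up is left in place; it still applies outside /usr/local/lib, but for /usr/local/lib it is now unreachable, and a reader will wonder whether it was overlooked. A sentence in the commit message about which `/usr/local` regexes were deliberately kept would settle that.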