From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Thu, 9 Aug 2012 20:44:07 +0200 Subject: [refpolicy] [PATCH v2 1/2] Use substititions for /usr/local/lib and /etc/init.d In-Reply-To: <5024016A.5060700@trentalancia.com> References: <20120809174351.GA32628@siphos.be> <20120809174458.GB32628@siphos.be> <5024016A.5060700@trentalancia.com> Message-ID: <20120809184406.GB2643@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Thu, Aug 09, 2012 at 08:28:58PM +0200, Guido Trentalancia wrote: > > diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc > > index 16b3f1b..9020aa1 100644 > > --- a/policy/modules/kernel/corecommands.fc > > +++ b/policy/modules/kernel/corecommands.fc 
> > @@ -66,8 +66,6 @@ ifdef(`distro_redhat',` > > /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0) > > /etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0) > > > > -/etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) > > - > > My advice is to leave this (and a couple more) for safety, as it would > probably do more good than harm. The substitution file is a > configuration file and it can be edited erroneously. I disagree. If we would leave in these file context definitions - which will never be hit in the first place if the file context substitution file is correct - it would give a false sense towards the policy administrators that it is a "good" rule. Say some policy editor wants to have /etc/init.d/functions labeled shell_exec_t or so instead. If he would do /etc/init\.d/functions-- gen_context(system_u:object_r:shell_exec_t,s0) he'll have a hard time figuring out why it still labels as bin_t. > > ifdef(`distro_suse',` > > /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) > > -/etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) > > My advice is to leave this (and a couple more) for safety, as it would > probably do more good than harm. The substitution file is a > configuration file and it can be edited erroneously. > > Also, I think it's dangerous to edit inside the distribution ifdefs. Why would it be dangerous? The substitutions are done regardless of the distro_suse value. Keeping it for /etc/init.d would again yield the impression that it is a valid one. > > diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc > > index ec85acb..662e79b 100644 > > --- a/policy/modules/system/ipsec.fc > > +++ b/policy/modules/system/ipsec.fc 
> > @@ -27,11 +27,6 @@ > > /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) > > /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) > > > > -/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) > > -/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) > > -/usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) > > -/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) > > - > > You have not replaced the above four entries with anything... Even if it > was obsolete stuff, I would recommend not removing them completely > unless, say, the obsolete source code is no longer available at the main > distribution point. They don't need to. A bit higher in the file context file, you'll find definitions for /usr/lib/ipsec/eroute. That is the destination of the file substitutions anyhow. In other words, the above ones are obsolete. What do you mean with "obsolete source code is no longer available at the main distribution point"? Wkr, Sven Vermeulen
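Review bot: In the corecommands.fc hunk at @@ -66,8 +66,6 @@, removing `/etc/init\.d/functions` leaves no rule in the visible lines that assigns bin_t to that file. The removal is only safe if the substitution target already has a matching `functions` entry with bin_t, reachable under the same ifdef(`distro_redhat' conditions. Neither the substitution entry nor the target rule appears in the quoted lines. Name both in the commit message, or leave a one-line comment at the removed spot pointing to the substitution, so nobody later re-adds an /etc/init.d rule that can never match.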
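Review bot: In the distro_suse block of corecommands.fc, `/etc/init\.d/\.depend.*` is dropped and nothing in the visible lines adds the same pattern under the substituted path. Unless an equivalent rule already exists for the target directory, the .depend files would no longer be matched by any etc_runtime_t entry after a relabel. Either rewrite the entry for the target path in this same hunk instead of deleting it, or state in the commit message which existing rule covers it.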
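Review bot: In the ipsec.fc hunk at @@ -27,11 +27,6 @@, the four removed patterns use `/usr/local/lib(64)?/`, so they covered both the lib and lib64 directories. The deletion is equivalent only if the substitutions map both /usr/local/lib and /usr/local/lib64 onto a path whose eroute, klipsdebug, pluto and spi entries carry ipsec_exec_t. The unchanged context here shows only the /usr/libexec/ipsec entries, so that coverage cannot be confirmed from the hunk. Say in the commit message which existing /usr/lib entries take over, and check that the lib64 case resolves to them as well.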