From: guido@trentalancia.com (Guido Trentalancia)
Date: Fri, 10 Aug 2012 00:16:34 +0200
Subject: [refpolicy] [PATCH v2 2/2] Update with new substitutions
In-Reply-To: <20120809184756.GC2643@siphos.be>
References: <20120809174351.GA32628@siphos.be> <20120809174531.GC32628@siphos.be> <50240255.1030004@trentalancia.com> <20120809184756.GC2643@siphos.be>
Message-ID: <502436C2.3030801@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Sven.

On 09/08/2012 20:47, Sven Vermeulen wrote:
> On Thu, Aug 09, 2012 at 08:32:53PM +0200, Guido Trentalancia wrote:
>>> diff --git a/hadoop.fc b/hadoop.fc >>> index 633c470..8bc8a78 100644 >>> --- a/hadoop.fc >>> +++ b/hadoop.fc >>> @@ -1,12 +1,5 @@ >>> /etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0) >>> >>> -/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0) >>> -/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0) >>> -/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0) >>> -/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0) >>> -/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0) >>> -/etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0) >>> -
>>
>> zookeeper would not appear anymore if you remove it completely instead
>> of translating it (look three lines further below).
>
> You're right, I was a bit too zealous with deleting lines here.

To say it all, in my opinion, there should only be one if the original package only installs one (1:1) and all the rest should go under customizations from the various distributions, because otherwise it might one day become unmanageable and even lead to errors. But I was too lazy to go and find out what the original naming actually is.

>>> diff --git a/tmpreaper.fc b/tmpreaper.fc >>> index fcc10e8..42ee122 100644 >>> --- a/tmpreaper.fc >>> +++ b/tmpreaper.fc >>> @@ -1,6 +1,6 @@ >>> ifdef(`distro_debian',` >>> -/etc/init\.d/mountall-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) >>> -/etc/init\.d/mountnfs-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) >>> +/etc/rc\.d/init\.d/mountall-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) >>> +/etc/rc\.d/init\.d/mountnfs-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
>>
>> Personally speaking, I would not touch what's inside the ifdefs, unless
>> it's a very well known distribution that one is regularly and actively
>> using.
>
> If I didn't, then the rules for tmpreaper_exec_t would never be hit, and in
> this case the Debian distribution would fail to have a properly labeled
> /etc/init.d/mountall-bootclean.sh script.

I am not following you here... The above are not rules but file contexts. And more specifically the above means, only the Debian distribution has mount{all,nfs}-bootclean.sh (and it is located in standard init dir, assumed by refpolicy to be /etc/rc.d/init.d for homogeneity) which would be a wrong location.

But then, if the file_contexts.sub_dist file is modified appropriately by the Debian distribution it all comes up as expected, I suppose.

Not very important anyway, just a bit risky I think, unless you're involved with it.

> Wkr,
> Sven Vermeulen

Regards,

Guido
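
Review bot: In the hadoop.fc hunk, the `/etc/init\.d/zookeeper` entry for `zookeeper_server_initrc_exec_t` is deleted along with the five `hadoop-(.*-)?` init script entries, and the header `@@ -1,12 +1,5 @@` shows seven removals with no additions, so nothing in this hunk replaces them. Unless an entry further down the file already covers each of these `*_initrc_exec_t` types, translate the lines to the `/etc/rc\.d/init\.d/` form (as the tmpreaper.fc hunk does) rather than dropping them, otherwise the init scripts fall back to a generic label and the per-daemon initrc types are never assigned.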
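
Review bot: In the tmpreaper.fc hunk, both added patterns leave the dot in `bootclean.sh` unescaped while every other dot in the same path is written `\.`, so that position matches any character; since the two lines are being rewritten anyway, use `mountall-bootclean\.sh` and `mountnfs-bootclean\.sh`. The new `/etc/rc\.d/init\.d/` prefix sits inside the distro_debian ifdef, so it only labels Debian's scripts if the /etc/init.d to /etc/rc.d/init.d substitution is actually in effect on that distribution; a short comment next to the entries stating that dependency would make the assumption explicit.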