From: guido@trentalancia.com (Guido Trentalancia)
Date: Fri, 10 Aug 2012 00:42:01 +0200
Subject: [refpolicy] [PATCH v2 1/2] Use substititions for /usr/local/lib and /etc/init.d
In-Reply-To: <20120809184406.GB2643@siphos.be>
References: <20120809174351.GA32628@siphos.be> <20120809174458.GB32628@siphos.be> <5024016A.5060700@trentalancia.com> <20120809184406.GB2643@siphos.be>
Message-ID: <50243CB9.8030306@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Sven.

On 09/08/2012 20:44, Sven Vermeulen wrote:
> On Thu, Aug 09, 2012 at 08:28:58PM +0200, Guido Trentalancia wrote:
>>> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
>>> index 16b3f1b..9020aa1 100644
>>> --- a/policy/modules/kernel/corecommands.fc
>>> +++ b/policy/modules/kernel/corecommands.fc
>>> @@ -66,8 +66,6 @@ ifdef(`distro_redhat',`
>>> /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
>>> /etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0)
>>>
>>> -/etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
>>> -
>>
>> My advice is to leave this (and a couple more) for safety, as it would
>> probably do more good than harm. The substitution file is a
>> configuration file and it can be edited erroneously.
>
> I disagree. If we would leave in these file context definitions - which will
> never be hit in the first place if the file context substitution file is
> correct - it would give a false sense towards the policy administrators that
> it is a "good" rule.

"Substitution of /etc/rc.d/init.d with /etc/init.d" should leave
/etc/init.d unmodified (thus producing only a duplicate entry in the
worst case). If a duplicate entry with the same context is detected as
an error by setfiles, perhaps the latter should be modified (so that it
produces at most a warning).

> Say some policy editor wants to have /etc/init.d/functions labeled
> shell_exec_t or so instead. If he would do
> /etc/init\.d/functions-- gen_context(system_u:object_r:shell_exec_t,s0)
> he'll have a hard time figuring out why it still labels as bin_t.

Do you mean perhaps that if he or she only modifies the first one and
then leaves the second one as it is and also inadvertently modifies
file_contexts.sub_dist so that it substitutes /etc/rc.d/init.d with
/etc/init.d, the result is inconsistent? If so, I think that setfiles
would detect it. I can't remember exactly now whether it just prints out
a warning or if it counts as an error, although there is a minimum
number of errors that are "tolerated" at present...

>>> ifdef(`distro_suse',`
>>> /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
>>> -/etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
>>
>> My advice is to leave this (and a couple more) for safety, as it would
>> probably do more good than harm. The substitution file is a
>> configuration file and it can be edited erroneously.
>>
>> Also, I think it's dangerous to edit inside the distribution ifdefs.
>
> Why would it be dangerous? The substitutions are done regardless of the
> distro_suse value. Keeping it for /etc/init.d would again yield the
> impression that it is a valid one.

Substituting inside the ifdef distro values might not be desirable,
however I am not a distribution packager/maintainer, therefore I don't
know exactly. If I was a distribution packager/maintainer however, I
would not push for that.

>>> diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
>>> index ec85acb..662e79b 100644
>>> --- a/policy/modules/system/ipsec.fc
>>> +++ b/policy/modules/system/ipsec.fc
>>> @@ -27,11 +27,6 @@
>>> /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>>>
>>> -/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> -/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> -/usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> -/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> -
>>
>> You have not replaced the above four entries with anything... Even if it
>> was obsolete stuff, I would recommend not removing them completely
>> unless, say, the obsolete source code is no longer available at the main
>> distribution point.

...and by all distributions actually.

> They don't need to. A bit higher in the file context file, you'll find
> definitions for /usr/lib/ipsec/eroute. That is the destination of the file
> substitutions anyhow. In other words, the above ones are obsolete.

Well, that's fine then, my short-sight!

> What do you mean with "obsolete source code is no longer available at the
> main distribution point"?

I mean when the source code for a given piece of software is no longer
available from anywhere, including from any distribution (which still
bears some risk).

> Wkr,
> Sven Vermeulen

Kind regards,

Guido
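
Review bot: In the corecommands.fc hunk at @@ -66,8 +66,6 @@, the removed `/etc/init\.d/functions` entry sits inside `ifdef(`distro_redhat',` and neither the hunk nor its context shows the entry that will supply bin_t once the path is substituted. Name that surviving entry in the commit message, so a reader can confirm the label does not change, and state which substitution rule the removal depends on.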
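
Review bot: In the distro_suse region of the corecommands.fc diff, the removed `/etc/init\.d/\.depend.*` line carries etc_runtime_t and nothing is added in its place; the visible lines do not show an equivalent entry under the substituted path. If no such entry exists, add one in the same ifdef instead of only deleting, otherwise the .depend files would be labeled by whatever broader pattern matches the rewritten path.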
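
Review bot: In the ipsec.fc hunk at @@ -27,11 +27,6 @@, the four removed patterns use `/usr/local/lib(64)?`, so they also covered /usr/local/lib64, while the subject line names only /usr/local/lib. Confirm that the substitution list rewrites the lib64 prefix as well, and say in the commit message that the /usr/lib/ipsec/ entries earlier in the file take over, since the hunk context only shows the /usr/libexec/ipsec/ lines.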
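
Sven's point that an entry under a substituted path is never hit, and Guido's worry that the substitution file can be edited erroneously, can both be checked mechanically. The following is an added example, not part of the original message or of refpolicy; the substitution pairs are constructed, a "source target" line format is assumed, and the function names are hypothetical.

```python
import re

# Constructed substitution list, one "source target" pair per line
# (assumed format; not copied from the project's substitution file).
SUBS_TEXT = """\
/etc/init.d /etc/rc.d/init.d
/usr/local/lib /usr/lib
/usr/local/lib64 /usr/lib
"""

# Path regexes taken from the hunks quoted in the thread.
ENTRIES = [
    r"/etc/init\.d/functions",
    r"/etc/init\.d/\.depend.*",
    r"/usr/local/lib(64)?/ipsec/pluto",
    r"/usr/libexec/ipsec/spi",
]

def parse_subs(text):
    """Return (source, target) pairs from 'source target' lines."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def expand_optional(pattern):
    """Expand each '(X)?' group into the variants without and with X."""
    m = re.search(r"\(([^()|]*)\)\?", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return expand_optional(head + tail) + expand_optional(head + m.group(1) + tail)

def literal_prefix(pattern):
    """Literal path text before the first unescaped regex metacharacter.
    Assumes backslashes only escape punctuation, as in the entries above."""
    m = re.match(r"(?:\\.|[^\\.*+?()\[\]{}|^$])*", pattern)
    return re.sub(r"\\(.)", r"\1", m.group(0))

def shadowed(pattern, subs):
    """True if every variant of the pattern lies under a substituted prefix,
    so the looked-up path is rewritten before this entry could match."""
    def under(prefix):
        return any(prefix.startswith(src + "/") for src, _ in subs)
    return all(under(literal_prefix(v)) for v in expand_optional(pattern))

def dead_entries(entries, subs):
    """Entries that can never be hit with the given substitutions."""
    return [e for e in entries if shadowed(e, subs)]
```

Running `dead_entries` against the policy's .fc patterns whenever the substitution list changes shows which entries are safe to delete, and dropping the lib64 pair from the list makes the `(64)?` entry live again.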