From: mgrepl@redhat.com (Miroslav Grepl)
Date: Fri, 11 Apr 2014 17:11:27 +0200
Subject: [refpolicy] [PATCH] [RFC] Fix strange file patterns
In-Reply-To: <53480428.8070200@tresys.com>
References: <1396730265-10523-1-git-send-email-nicolas.iooss@m4x.org> <53480428.8070200@tresys.com>
Message-ID: <5348061F.1030602@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/11/2014 05:03 PM, Christopher J. PeBenito wrote:
> Dan/Miroslav, do you have any feedback on these? They seem like reasonable changes to me.
>
> On 04/08/2014 10:21 AM, Sven Vermeulen wrote:
>> I'm OK with the changes. I am not aware of a finger implementation that uses a single character prefix to "fingerd" that would match the expression as well.
>>
>> With kind regard,
>> Sven Vermeulen
>>
>> On Apr 5, 2014 10:38 PM, "Nicolas Iooss" > wrote:
>>
>> Some file patterns look very strange, like:
>>
>> /var/log/cluster/.*\.*log
>>
>> I've found such patterns while writing a script that parses the file patterns.
>> Hence I haven't tested if the new file contexts apply to the existing files.
>> For example, this patch changes
>>
>> /var/run/*.fingerd\.pid
>>
>> to
>>
>> /var/run/fingerd\.pid
>>
>> because "/*" seems weird to me, but this also changes the semantic of the
>> pattern. Another possibility which doesn't change the meaning is:
>>
>> /var/run/?.fingerd\.pid
>>
>> I send this patch as an RFC because what I consider abnormal may in fact be
>> something expected or a workaround to fix some bugs I'm not aware of.
>> --- >> finger.fc | 2 +- >> rhcs.fc | 2 +- >> setroubleshoot.fc | 2 +- >> 3 files changed, 3 insertions(+), 3 deletions(-) >> >> diff --git a/finger.fc b/finger.fc >> index 843940b..623421d 100644 >> --- a/finger.fc >> +++ b/finger.fc 
>> @@ -7,4 +7,4 @@ >> >> /var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0) >> >> -/var/run/*.fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0) >> +/var/run/fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0) >> diff --git a/rhcs.fc b/rhcs.fc >> index 47de2d6..c619502 100644 >> --- a/rhcs.fc >> +++ b/rhcs.fc >> @@ -14,7 +14,7 @@ >> >> /var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) >> >> -/var/log/cluster/.*\.*log <> >> +/var/log/cluster/.*\.log <> >> /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) >> /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) >> /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) >> diff --git a/setroubleshoot.fc b/setroubleshoot.fc >> index 0b3a971..e89c06f 100644 >> --- a/setroubleshoot.fc >> +++ b/setroubleshoot.fc >> @@ -1,6 +1,6 @@ >> /usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0) >> >> -/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) >> +/usr/share/setroubleshoot/SetroubleshootFixit\.py -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) >> >> /var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) >> >> -- >> 1.9.1 I am fine with these fixes.
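
Review bot: in the finger.fc hunk, the replacement `/var/run/fingerd\.pid` drops a name the old pattern covered, and the context line just above suggests that name is real. The old `/var/run/*.fingerd\.pid` matched `/var/run/fingerd.pid` (the `.` consuming the slash) and also any one-character prefix such as `/var/run/cfingerd.pid`, while `/var/log/cfingerd\.log.*` shows this module already labels a daemon called cfingerd. If cfingerd writes its pid file under that name it would lose fingerd_var_run_t, so consider `/var/run/c?fingerd\.pid`, which removes the odd `/*` but keeps both names.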
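
Review bot: in the rhcs.fc hunk, `/var/log/cluster/.*\.log` now requires a literal dot before `log`, whereas the old `.*\.*log` matched any name under /var/log/cluster ending in `log`. The commit message only calls out the semantic change in finger.fc, so it should state that this narrowing is intended as well. The entries that follow all use `\.log.*`; if this entry is meant to line up with them for rotated files, it needs the same `.*` suffix.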
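
Review bot: in the setroubleshoot.fc hunk, the commit message should record what the trailing `*` was for, because the removed `\.py*` only ever matched `.p`, `.py`, `.pyy` and so on, never `.pyc` or `.pyo`. Dropping it is harmless for the `.py` script itself, but if the original intent was to cover byte-compiled files, neither version does. Either note that only the `.py` file is meant to get setroubleshoot_fixit_exec_t, or use `\.py[co]?`.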
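
The semantic changes discussed in this thread can be checked mechanically. The following is an added example, not part of the original thread or of refpolicy: it lints the old patterns with assumed heuristics and lists which constructed probe paths change match status between old and new. Python's `re` stands in for the regex engine used by libselinux, and the probe paths and lint rules are assumptions.

```python
import re

# (old, new) pattern pairs copied from the patch quoted in this thread.
CHANGES = [
    (r"/var/run/*.fingerd\.pid", r"/var/run/fingerd\.pid"),
    (r"/var/log/cluster/.*\.*log", r"/var/log/cluster/.*\.log"),
    (r"/usr/share/setroubleshoot/SetroubleshootFixit\.py*",
     r"/usr/share/setroubleshoot/SetroubleshootFixit\.py"),
]

# Constructed probe paths (hypothetical names, not from a real system).
PROBES = [
    "/var/run/fingerd.pid",
    "/var/run/cfingerd.pid",
    "/var/log/cluster/demo.log",
    "/var/log/cluster/demolog",
    "/usr/share/setroubleshoot/SetroubleshootFixit.py",
    "/usr/share/setroubleshoot/SetroubleshootFixit.pyc",
    "/usr/share/setroubleshoot/SetroubleshootFixit.p",
]

def suspicious(pattern):
    """Heuristic lint (assumed rules): quantifiers that are probably typos."""
    reasons = []
    if re.search(r"/[*+]", pattern):
        reasons.append("quantifier repeats '/'")
    if re.search(r"\\\.[*+]", pattern):
        reasons.append("quantifier repeats an escaped '.'")
    if re.search(r"[A-Za-z0-9]\*$", pattern):
        reasons.append("trailing '*' repeats only the last literal")
    return reasons

def matches(pattern, path):
    # file_contexts entries must match the whole path, hence fullmatch.
    return re.fullmatch(pattern, path) is not None

def label_changes(old, new, paths=PROBES):
    """Paths whose match status differs between the old and new pattern."""
    return [p for p in paths if matches(old, p) != matches(new, p)]

if __name__ == "__main__":
    for old, new in CHANGES:
        print(old, "->", new)
        print("  lint:", suspicious(old) or "clean")
        for path in label_changes(old, new):
            print("  match changes for", path)
```

On these probes, the alternative `/var/run/?.fingerd\.pid` from the commit message matches the same paths as the original pattern.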