From: russell@coker.com.au (Russell Coker)
Date: Thu, 26 Jan 2017 19:43:47 +1100
Subject: [refpolicy] [PATCH] usrmerge
In-Reply-To: <20170126074148.GA17568@meriadoc.perfinion.com>
References: <20170110073005.zagcy5zo3dus3bgn@athena.coker.com.au> <20170126074148.GA17568@meriadoc.perfinion.com>
Message-ID: <2228231.YUz2k8M6iZ@russell.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thursday, 26 January 2017 3:41:48 PM AEDT Jason Zaman wrote:
> > > These changes have been tested in Debian and found to give the same
> > > labelling as the policy without this patch in almost all cases. The
> > > exceptions were files where the .fc files in question used one of /bin
> > > or /usr/bin that didn't match what was done in Debian. The small
> > > number of changes to the policy caused by this patch FIXED outstanding
> > > bugs.
> > >
> > > I expect that this won't give any changes to Fedora and it might fix
> > > some bugs for Gentoo and SUSE.
> > >
> > > What it does is remove all duplicates in /bin and /usr/bin etc and uses
> > > a subs_dist change to make the /usr change not affect policy.
> >
> > I don't have a problem with merging this patch; however, I will delay it
> > at least until after the next release (which is in a few weeks or so).
> > I'd also like to hear from Gentoo people on any impacts this may have.
>
> Sorry it's taken so long, I've been busy lately. I will test it on my
> machine soon and get back to you hopefully on the weekend so I get some
> testing in.

It's ok.

> Also Nicolas Iooss did some work recently and has a script that goes
> through to verify that everything in /bin has an equivalent in /usr/bin.
>
> Going this subs_dist route would make the fcontexts smaller though, which is
> a plus and less confusion. I just need to be a bit extra careful since
> Gentoo is rolling but I don't foresee any issues.

I'd rather have subs_dist than have to run a script against the policy to
verify it.

I've attached a tiny patch with changes I made after sending the first
usrmerge patch.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0170-usrmerge2
Type: text/x-patch
Size: 3330 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170126/b091b36f/attachment.bin