From: cgzones@googlemail.com (cgzones)
Date: Thu, 16 Feb 2017 15:17:21 +0100
Subject: [refpolicy] [PATCH] tiny mon patch
In-Reply-To: <e0036fa5-5ea0-b524-abbb-43b12679d711@ieee.org>
References: <20170214092214.34skcrjynny264h6@athena.coker.com.au>
	<e0036fa5-5ea0-b524-abbb-43b12679d711@ieee.org>
Message-ID: <CAJ2a_DcuE0cNamHsViEqvj4GqPzk9K+vR-SRwxuqyOpsKKa7Kw@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

2017-02-16 0:52 GMT+01:00 Chris PeBenito via refpolicy
<refpolicy@oss.tresys.com>:
> On 02/14/17 04:22, Russell Coker via refpolicy wrote:
>> When you merged the mon patch you removed the ability for mon_t to execute
>> lib_t files.
>>
>> The following patch re-enables the ability to execute alert scripts.
>>
>> Index: refpolicy-2.20170212/policy/modules/kernel/corecommands.fc
>> ===================================================================
>> --- refpolicy-2.20170212.orig/policy/modules/kernel/corecommands.fc
>> +++ refpolicy-2.20170212/policy/modules/kernel/corecommands.fc
>> @@ -155,6 +155,7 @@ ifdef(`distro_gentoo',`
>>  /usr/bin/zsh.*                       --      gen_context(system_u:object_r:shell_exec_t,s0)
>>
>>  /usr/lib/(.*/)?bin(/.*)?             gen_context(system_u:object_r:bin_t,s0)
>> +/usr/lib/mon/alert.d(/.*)?           gen_context(system_u:object_r:bin_t,s0)
>>  /usr/lib/postfix/configure-instance.sh -- gen_context(system_u:object_r:bin_t,s0)
>>
>>  /usr/(.*/)?sbin(/.*)?                        gen_context(system_u:object_r:bin_t,s0)
>
> Merged, though I moved the line.
>
> --
> Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

I have two annotations about the new module:
* It uses the deprecated interface miscfiles_read_certs, which is just
a wrapper for miscfiles_read_generic_certs
* The runtime file contexts starts with /var/run, but after the
runtime-filecontext transition it should start with /run

Maybe you could consider the following patch?

---
policy/modules/contrib/mon.fc | 4 ++--
policy/modules/contrib/mon.te | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/mon.fc b/policy/modules/contrib/mon.fc
index fa179dd..a2c2817 100644
--- a/policy/modules/contrib/mon.fc
+++ b/policy/modules/contrib/mon.fc
@@ -1,3 +1,5 @@
+/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+
/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
/usr/lib/mon/mon-local.d/.* --
gen_context(system_u:object_r:mon_local_test_exec_t,s0)
/usr/lib/mon-contrib/mon.d/.* --
gen_context(system_u:object_r:mon_net_test_exec_t,s0)
@@ -5,7 +7,5 @@
/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
-/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
-
/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index c685ac2..5575aa2 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -136,7 +136,7 @@ fs_getattr_xattr_fs(mon_net_test_t)
auth_use_nsswitch(mon_net_test_t)
-miscfiles_read_certs(mon_net_test_t)
+miscfiles_read_generic_certs(mon_net_test_t)
miscfiles_read_localization(mon_net_test_t)
netutils_domtrans_ping(mon_net_test_t)