From: cgzones@googlemail.com (cgzones)
Date: Thu, 16 Feb 2017 15:17:21 +0100
Subject: [refpolicy] [PATCH] tiny mon patch
In-Reply-To:
References: <20170214092214.34skcrjynny264h6@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

2017-02-16 0:52 GMT+01:00 Chris PeBenito via refpolicy :
> On 02/14/17 04:22, Russell Coker via refpolicy wrote:
>> When you merged the mon patch you removed the ability for mon_t to execute
>> lib_t files.
>>
>> The following patch re-enables the ability to execute alert scripts.
>>
>> Index: refpolicy-2.20170212/policy/modules/kernel/corecommands.fc
>> ===================================================================
>> --- refpolicy-2.20170212.orig/policy/modules/kernel/corecommands.fc
>> +++ refpolicy-2.20170212/policy/modules/kernel/corecommands.fc
>> @@ -155,6 +155,7 @@ ifdef(`distro_gentoo',`
>> /usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
>>
>> /usr/lib/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
>> +/usr/lib/mon/alert.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
>> /usr/lib/postfix/configure-instance.sh -- gen_context(system_u:object_r:bin_t,s0)
>>
>> /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
>
> Merged, though I moved the line.
>
> --
> Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

I have two annotations about the new module:

* It uses the deprecated interface miscfiles_read_certs, which is just a wrapper for miscfiles_read_generic_certs
* The runtime file contexts start with /var/run, but after the runtime-filecontext transition they should start with /run

Maybe you could consider the following patch?

---
 policy/modules/contrib/mon.fc | 4 ++--
 policy/modules/contrib/mon.te | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/mon.fc b/policy/modules/contrib/mon.fc index fa179dd..a2c2817 100644 --- a/policy/modules/contrib/mon.fc +++ b/policy/modules/contrib/mon.fc @@ -1,3 +1,5 @@ +/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0) + /usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0) /usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0) /usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0) @@ -5,7 +7,5 @@ /usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0) -/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0) - /var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0) /var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0) diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te index c685ac2..5575aa2 100644 --- a/policy/modules/contrib/mon.te +++ b/policy/modules/contrib/mon.te @@ -136,7 +136,7 @@ fs_getattr_xattr_fs(mon_net_test_t) auth_use_nsswitch(mon_net_test_t) -miscfiles_read_certs(mon_net_test_t) +miscfiles_read_generic_certs(mon_net_test_t) miscfiles_read_localization(mon_net_test_t) netutils_domtrans_ping(mon_net_test_t)
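Review bot: in the first mon.fc hunk, the new `/run/mon(/.*)?` entry only matches the /run path, so on a system where /var/run is still a real directory rather than an alias of /run the mon runtime directory would no longer receive mon_var_run_t; confirm that the policy's handling of /var/run after the runtime-filecontext transition covers this before relying on the move. The regex and context are identical to the removed /var/run/mon line in the second hunk, so the labeling itself is unchanged and the two hunks together are a pure path rename.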
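Review bot: the mon.te hunk only touches mon_net_test_t, so it is worth grepping the rest of mon.te for the module's other domains (mon_t, the local test domain) to make sure no other miscfiles_read_certs calls remain, otherwise the deprecated interface is removed only partially in this patch. The replacement itself is behaviour-preserving per the note that miscfiles_read_certs is just a wrapper, and `miscfiles_read_generic_certs(mon_net_test_t)` still sorts alphabetically before `miscfiles_read_localization(mon_net_test_t)`, so the interface-call ordering convention is kept.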