From: pebenito@ieee.org (Chris PeBenito) Date: Sat, 18 Feb 2017 10:54:11 -0500 Subject: [refpolicy] [PATCH] tiny mon patch In-Reply-To: References: <20170214092214.34skcrjynny264h6@athena.coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 02/16/17 09:17, cgzones wrote: > 2017-02-16 0:52 GMT+01:00 Chris PeBenito via refpolicy > : >> On 02/14/17 04:22, Russell Coker via refpolicy wrote: >>> When you merged the mon patch you removed the ability for mon_t to execute >>> lib_t files. >>> >>> The following patch re-enables the ability to execute alert scripts. >>> >>> Index: refpolicy-2.20170212/policy/modules/kernel/corecommands.fc >>> =================================================================== >>> --- refpolicy-2.20170212.orig/policy/modules/kernel/corecommands.fc >>> +++ refpolicy-2.20170212/policy/modules/kernel/corecommands.fc >>> @@ -155,6 +155,7 @@ ifdef(`distro_gentoo',` >>> /usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0) >>> >>> /usr/lib/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) >>> +/usr/lib/mon/alert.d(/.*)? gen_context(system_u:object_r:bin_t,s0) >>> /usr/lib/postfix/configure-instance.sh -- gen_context(system_u:object_r:bin_t,s0) >>> >>> /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) >> >> Merged, though I moved the line. >> > > I have two annotations about the new module: > * It uses the deprecated interface miscfiles_read_certs, which is just > a wrapper for miscfiles_read_generic_certs > * The runtime file contexts starts with /var/run, but after the > runtime-filecontext transition it should start with /run I've fixed the deprecated interface usage. I've also implemented a WERROR build option which will, like gcc, treat warnings as errors. I've enabled it on the Travis-CI builds. -- Chris PeBenito
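Review bot: The added /usr/lib/mon/alert.d(/.*)? entry in the corecommands.fc hunk labels the whole alert directory with the generic bin_t, so mon_t's ability to run alert scripts rests on a label shared with every other bin_t executable rather than one scoped to mon. Consider whether a mon-specific type declared in the mon module's own file contexts would fit better, or at least add a comment above the line saying which domain needs it. The entry also carries no file-type specifier, unlike the "--" on the postfix line just below it, so the alert.d directory itself is labeled bin_t as well. That matches the /usr/lib/(.*/)?bin(/.*)? pattern above it, but it is worth confirming that this is intended.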