From: russell@coker.com.au (Russell Coker)
Date: Tue, 4 Apr 2017 17:49:35 +1000
Subject: [refpolicy] [PATCH] misc fc changes
In-Reply-To: <20170404073248.GB10685@t450.enp8s0.d30>
References: <20170402085805.2zlddx2evzcgxgop@athena.coker.com.au> <20170404073248.GB10685@t450.enp8s0.d30>
Message-ID: <201704041749.35398.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 4 Apr 2017 05:32:48 PM Dominick Grift via refpolicy wrote:
> > +/etc/network/if-pre-up.d/.* > > -- gen_context(system_u:object_r:initrc_exec_t,s0) > > +/etc/network/if-up.d/.* > > -- gen_context(system_u:object_r:initrc_exec_t,s0) > > +/etc/network/if-down.d/.* > > -- gen_context(system_u:object_r:initrc_exec_t,s0) > > +/etc/network/if-post-down.d/.* -- > > gen_context(system_u:object_r:initrc_exec_t,s0)
>
> I would probably use bin_t here if possible but regardless: you might want
> to escape the periods there to avoid possible regex issues later on

If bin_t was used then we wouldn't get the domain transitions needed to start daemons in the correct context.

If at some future time we have something like a /etc/network/if-up-d directory then we probably want the same context for the files it contains.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
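
Review bot: The unescaped period in the directory part of each added entry (`if-pre-up.d`, `if-up.d`, `if-down.d`, `if-post-down.d`) is a regex wildcard, so each pattern also labels regular files under any sibling directory that differs in that one character as initrc_exec_t. Write it as `/etc/network/if-up\.d/.*` unless the wider match is intended, and if it is intended, say so in a comment beside the entries so a later reader does not take it for an oversight. The reason for initrc_exec_t rather than bin_t given in the reply (the domain transitions needed to start daemons in the correct context) is also worth recording in the commit message, since the hunk itself does not state it.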