From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 4 Apr 2017 10:02:47 +0200
Subject: [refpolicy] [PATCH] misc fc changes
In-Reply-To: <201704041749.35398.russell@coker.com.au>
References: <20170402085805.2zlddx2evzcgxgop@athena.coker.com.au> <20170404073248.GB10685@t450.enp8s0.d30> <201704041749.35398.russell@coker.com.au>
Message-ID: <20170404080247.GE10685@t450.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Apr 04, 2017 at 05:49:35PM +1000, Russell Coker wrote:
> On Tue, 4 Apr 2017 05:32:48 PM Dominick Grift via refpolicy wrote:
> > > +/etc/network/if-pre-up.d/.*
> > > -- gen_context(system_u:object_r:initrc_exec_t,s0)
> > > +/etc/network/if-up.d/.*
> > > -- gen_context(system_u:object_r:initrc_exec_t,s0)
> > > +/etc/network/if-down.d/.*
> > > -- gen_context(system_u:object_r:initrc_exec_t,s0)
> > > +/etc/network/if-post-down.d/.* --
> > > gen_context(system_u:object_r:initrc_exec_t,s0)
> >
> > I would probably use bin_t here if possible but regardless: you might want
> > to escape the periods there to avoid possible regex issues later on
>
> If bin_t was used then we wouldn't get the domain transitions needed to start
> daemons in the correct context.
>
> If at some future time we have something like a /etc/network/if-up-d directory
> then we probably want the same context for the files it contains.

Oops, misunderstood your argument in my previous reply. I suppose you are right to argue that it's pretty unlikely to happen in this case. Just saying though that escaping the periods consistently has my preference, if only for consistency and to always be as specific as possible.

>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
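Review bot: The periods in the four added directory names (if-pre-up.d, if-up.d, if-down.d, if-post-down.d) are unescaped, so in the file context regex each one matches any single character, and a path such as /etc/network/if-up-d/ would also be labelled initrc_exec_t. Since that type is what triggers the domain transition discussed in the thread, the match should be exactly as wide as intended: if only these four directories are meant, write /etc/network/if-up\.d/.* and likewise for the other three. If the wider match is deliberate, a comment above the entries saying so would keep a later cleanup from narrowing it by accident.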