From: dac.override@gmail.com (Dominick Grift)
Date: Fri, 7 Apr 2017 09:58:40 +0200
Subject: [refpolicy] [PATCH] misc fc changes again
In-Reply-To: <75bd6c89-f2ed-ca74-2c4a-ef5383e02850@ieee.org>
References: <20170405042415.2rrwzlifetkasgbo@athena.coker.com.au> <75bd6c89-f2ed-ca74-2c4a-ef5383e02850@ieee.org>
Message-ID: <20170407075840.GA27499@markus>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Apr 06, 2017 at 04:58:24PM -0400, Chris PeBenito via refpolicy wrote:
> On 04/05/2017 02:21 PM, cgzones via refpolicy wrote:
> > 2017-04-05 6:24 GMT+02:00 Russell Coker via refpolicy
> > :
>
> >> --- refpolicy-2.20170402.orig/policy/modules/kernel/files.fc
> >> +++ refpolicy-2.20170402/policy/modules/kernel/files.fc
> >> @@ -215,6 +215,7 @@ HOME_ROOT/lost\+found/.* <>
> >> ifdef(`distro_debian',`
> >> # on Debian /lib/init/rw is a tmpfs used like /run
> >> /usr/lib/init/rw(/.*)? gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
> >> +/run/resolvconf(/.*)? -d gen_context(system_u:object_r:etc_t,s0)
>
> This only mentions the directories, which I think should remain etc_t,
> whereas below it only matches the files, so the files remain net_conf_t.
> I think this is ok.
>

I actually yesterday had to explicitly label /etc/sysconfig/network-scripts "network-config" where it used to be "etc_t"

This is because NetworkManager creates various files in /etc that have random names (and then renames them):

resolv.conf.XXXX
ifcfg-IFNAME
keys-IFNAME

and I want to be able to differentiate between resolv.conf and ifcfg-/keys-

They are not eager to use setfscreatecon (and I also prefer transparency)

I think Fedora (and maybe refpolicy) also has /etc/sysconfig/network-scripts labeled net_conf_t

It works but it's kind of ugly. But legacy issue. They shouldn't have put scripts in /etc/sysconfig/network-scripts in the first place

These issues can be tricky...

> >
> > in sysnetwork.fc there is an entry:
> > /run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0)
> > this seems a bit inconvenient
> >
>
> --
> Chris PeBenito

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
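
Review bot: the added `/run/resolvconf(/.*)? -d` entry labels directories only, and the sysnetwork.fc entry quoted in this thread (`/run/resolvconf/.* --`) labels regular files only, so symlinks, sockets and other file types under /run/resolvconf are matched by neither of these two lines. If resolvconf creates anything other than plain files there, add an entry for that type (for example with `-l`) or drop the type specifier from one of the two. The new line also has no comment, unlike the `/usr/lib/init/rw` entry above it; a short note on why this directory under /run is etc_t rather than var_run_t would help, as would placing the directory entry beside the file entry in sysnetwork.fc so the tree is labelled in one place.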
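
The directory/file split discussed in the thread, as an added example that is not part of the original messages or of refpolicy: a simplified matcher over the two entries quoted above. The sample paths are constructed, and precedence between overlapping entries is not modelled (these two entries never both apply to the same object).

```python
import re

# The two entries quoted in the thread (files.fc hunk and sysnetwork.fc).
FC_ENTRIES = """\
/run/resolvconf(/.*)? -d gen_context(system_u:object_r:etc_t,s0)
/run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0)
"""

# File-type specifiers accepted in file context entries.
FTYPES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
          "-b": "blk", "-s": "sock", "-p": "fifo"}

ENTRY_RE = re.compile(
    r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-dlcbsp])\s+)?"
    r"gen_context\((?P<ctx>[^,]+),(?P<level>[^)]+)\)$")


def parse_fc(text):
    """Parse .fc lines into (compiled regex, file type or None, SELinux type)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed entry: {line!r}")
        selinux_type = m["ctx"].split(":")[2]
        entries.append((re.compile(m["path"]), FTYPES.get(m["ftype"]), selinux_type))
    return entries


def matching_types(entries, path, ftype):
    """Types assigned to `path`: the regex must match the whole path, and an
    entry with a file-type specifier applies only to objects of that type."""
    return [t for rx, want, t in entries
            if rx.fullmatch(path) and want in (None, ftype)]


ENTRIES = parse_fc(FC_ENTRIES)

if __name__ == "__main__":
    # Constructed sample objects under /run/resolvconf.
    for path, ftype in [("/run/resolvconf", "dir"),
                        ("/run/resolvconf/interface", "dir"),
                        ("/run/resolvconf/resolv.conf", "file"),
                        ("/run/resolvconf/resolv.conf", "symlink")]:
        print(f"{path} ({ftype}): {matching_types(ENTRIES, path, ftype) or 'no match'}")
```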