From: dac.override@gmail.com (Dominick Grift)
Date: Fri, 7 Apr 2017 09:58:40 +0200
Subject: [refpolicy] [PATCH] misc fc changes again
In-Reply-To: <75bd6c89-f2ed-ca74-2c4a-ef5383e02850@ieee.org>
References: <20170405042415.2rrwzlifetkasgbo@athena.coker.com.au>
	<CAJ2a_Dd-wJaAvUJBM3HB9iJ2WtpJPOfiEG765tACNL4NguyaoA@mail.gmail.com>
	<75bd6c89-f2ed-ca74-2c4a-ef5383e02850@ieee.org>
Message-ID: <20170407075840.GA27499@markus>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Apr 06, 2017 at 04:58:24PM -0400, Chris PeBenito via refpolicy wrote:
> On 04/05/2017 02:21 PM, cgzones via refpolicy wrote:
> > 2017-04-05 6:24 GMT+02:00 Russell Coker via refpolicy
> > <refpolicy@oss.tresys.com>:
> 
> >> --- refpolicy-2.20170402.orig/policy/modules/kernel/files.fc
> >> +++ refpolicy-2.20170402/policy/modules/kernel/files.fc
> >> @@ -215,6 +215,7 @@ HOME_ROOT/lost\+found/.*    <<none>>
> >>  ifdef(`distro_debian',`
> >>  # on Debian /lib/init/rw is a tmpfs used like /run
> >>  /usr/lib/init/rw(/.*)?         gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
> >> +/run/resolvconf(/.*)? -d       gen_context(system_u:object_r:etc_t,s0)
> 
> This only mentions the directories, which I think should remain etc_t, 
> whereas below it only matches the files, so the files remain net_conf_t. 
>   I think this is ok.
> 

I actually yesterday had to explicitly label /etc/sysconfig/network-scripts "network-config" where it use to be "etc_t"

this is because networkmanager creates various files in /etc that have random names (and then renames them)

resolv.conf.XXXX ifcfg-IFNAME keys-IFNAME

and i want to be able to differentiate between resolv.conf and ifcfg-/keys-

they are not eager to use setfscreatecon (and I also prefer transparency)

I think fedora (and maybe refpolicy) also has /etc/sysconfig/network-scripts labeled net_conf_t
It works but its kind of ugly.

But legacy issue. they shouldnt have put scripts in /etc/sysconfig/network-scripts in the first place

these issues can be tricky...

> 
> > in sysnetwork.fc there is an entry:
> > /run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0)
> > this seems a bit inconvenient
> 
> 
> 
> -- 
> Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170407/c38d8fa3/attachment-0001.bin