2015-08-08 10:53:03

by Mira Ressel

Subject: [refpolicy] apr build tools

The Apache Portable Runtime (apr.apache.org), used by their httpd and
various other packages, installs some build tools
to /usr/share/build-1/, among them the two shell scripts "libtool" and
"mkdir.sh". These need a bin_t context.

In the Gentoo policy, we mark them as such in contrib/apache.fc and
kernel/corecommands.fc. I'd like to move those markings to refpolicy,
but I'm not sure which *.fc is appropriate (I'd prefer something like
corecommands.fc which ends up in the base policy; it shouldn't be in
the apache module because the APR and these build scripts are used by
some programs which don't depend on a locally running httpd and
therefore shouldn't require the apache policy). I guess corecommands.fc
is an acceptable place?


Regards,
Luis Ressel


2015-08-08 11:16:24

by sven.vermeulen

Subject: [refpolicy] apr build tools

The corecommands one is actually the place that refpolicy requires. In
Gentoo we allow types of the base policy to be used in modular .fc files so
that everything related to a module stays within that module.

Apr is a special case though. I thought it was apache specific but I have
been proven wrong on that.

Wkr,
Sven Vermeulen
On Aug 8, 2015 12:53 PM, "Luis Ressel" wrote:

> The Apache Portable Runtime (apr.apache.org), used by their httpd and
> various other packages, installs some build tools
> to /usr/share/build-1/, among them the two shell scripts "libtool" and
> "mkdir.sh". These need a bin_t context.
>
> In the Gentoo policy, we mark them as such in contrib/apache.fc and
> kernel/corecommands.fc. I'd like to move those markings to refpolicy,
> but I'm not sure which *.fc is appropriate (I'd prefer something like
> corecommands.fc which ends up in the base policy; it shouldn't be in
> the apache module because the APR and these build scripts are used by
> some programs which don't depend on a locally running httpd and
> therefore shouldn't require the apache policy). I guess corecommands.fc
> is an acceptable place?
>
>
> Regards,
> Luis Ressel