2017-02-14 09:22:14

by Russell Coker

Subject: [refpolicy] [PATCH] tiny mon patch

When you merged the mon patch you removed the ability for mon_t to execute
lib_t files.

The following patch re-enables the ability to execute alert scripts.

Index: refpolicy-2.20170212/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20170212/policy/modules/kernel/corecommands.fc
@@ -155,6 +155,7 @@ ifdef(`distro_gentoo',`
/usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)

/usr/lib/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/mon/alert.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/postfix/configure-instance.sh -- gen_context(system_u:object_r:bin_t,s0)

/usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
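Review bot: labelling /usr/lib/mon/alert.d(/.*)? as bin_t makes the alert scripts executable by every domain that has corecmd_exec_bin, not only mon_t; since the module already carries narrower executable types for its test scripts (mon_net_test_exec_t, mon_local_test_exec_t in mon.fc), a dedicated mon-specific exec type with the matching exec or domtrans rule for mon_t would keep the fix scoped to what the commit message asks for. Also worth confirming that the new line lands outside the ifdef(`distro_gentoo' block named in the hunk header, otherwise it only takes effect on Gentoo builds, and a module-specific path arguably belongs in mon.fc rather than corecommands.fc.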


2017-02-15 23:52:29

by Chris PeBenito

Subject: [refpolicy] [PATCH] tiny mon patch

On 02/14/17 04:22, Russell Coker via refpolicy wrote:
> When you merged the mon patch you removed the ability for mon_t to execute
> lib_t files.
>
> The following patch re-enables the ability to execute alert scripts.
>
> Index: refpolicy-2.20170212/policy/modules/kernel/corecommands.fc
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20170212/policy/modules/kernel/corecommands.fc
> @@ -155,6 +155,7 @@ ifdef(`distro_gentoo',`
> /usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
>
> /usr/lib/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/mon/alert.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/postfix/configure-instance.sh -- gen_context(system_u:object_r:bin_t,s0)
>
> /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)

Merged, though I moved the line.

--
Chris PeBenito

2017-02-16 14:17:21

by Christian Göttsche

Subject: [refpolicy] [PATCH] tiny mon patch

2017-02-16 0:52 GMT+01:00 Chris PeBenito via refpolicy
<[email protected]>:
> On 02/14/17 04:22, Russell Coker via refpolicy wrote:
>> When you merged the mon patch you removed the ability for mon_t to execute
>> lib_t files.
>>
>> The following patch re-enables the ability to execute alert scripts.
>>
>> Index: refpolicy-2.20170212/policy/modules/kernel/corecommands.fc
>> ===================================================================
>> --- refpolicy-2.20170212.orig/policy/modules/kernel/corecommands.fc
>> +++ refpolicy-2.20170212/policy/modules/kernel/corecommands.fc
>> @@ -155,6 +155,7 @@ ifdef(`distro_gentoo',`
>> /usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
>>
>> /usr/lib/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
>> +/usr/lib/mon/alert.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
>> /usr/lib/postfix/configure-instance.sh -- gen_context(system_u:object_r:bin_t,s0)
>>
>> /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
>
> Merged, though I moved the line.
>
> --
> Chris PeBenito

I have two annotations about the new module:
* It uses the deprecated interface miscfiles_read_certs, which is just
a wrapper for miscfiles_read_generic_certs
* The runtime file context starts with /var/run, but after the
runtime-filecontext transition it should start with /run

Maybe you could consider the following patch?

---
policy/modules/contrib/mon.fc | 4 ++--
policy/modules/contrib/mon.te | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib/mon.fc b/policy/modules/contrib/mon.fc
index fa179dd..a2c2817 100644
--- a/policy/modules/contrib/mon.fc
+++ b/policy/modules/contrib/mon.fc
@@ -1,3 +1,5 @@
+/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+
/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
/usr/lib/mon/mon-local.d/.* --
gen_context(system_u:object_r:mon_local_test_exec_t,s0)
/usr/lib/mon-contrib/mon.d/.* --
gen_context(system_u:object_r:mon_net_test_exec_t,s0)
@@ -5,7 +7,5 @@
/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
-/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
-
/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
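Review bot: removing the /var/run/mon(/.*)? entry outright rather than keeping it beside the new /run/mon(/.*)? one makes the label depend entirely on the /var/run to /run substitution being applied at lookup time; on a host where mon still creates /var/run/mon and that substitution is not in effect, the directory falls back to the generic var_run_t label and mon_t loses access to its runtime files, which shows up as AVC denials on paths that should be mon_var_run_t. Keeping both entries until the /run move is done tree-wide, which is the concern Russell raises in his reply below, would avoid that window.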
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index c685ac2..5575aa2 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -136,7 +136,7 @@ fs_getattr_xattr_fs(mon_net_test_t)
auth_use_nsswitch(mon_net_test_t)
-miscfiles_read_certs(mon_net_test_t)
+miscfiles_read_generic_certs(mon_net_test_t)
miscfiles_read_localization(mon_net_test_t)
netutils_domtrans_ping(mon_net_test_t)
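Review bot: the swap to miscfiles_read_generic_certs(mon_net_test_t) is a safe one-for-one change given the mail describes miscfiles_read_certs as a plain wrapper for it, but only mon_net_test_t is touched; the module's other domains should be checked for remaining deprecated interface calls, since once warnings are treated as errors (the WERROR option introduced later in this thread) any leftover would break the build rather than just warn.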

2017-02-16 15:08:28

by Russell Coker

Subject: [refpolicy] [PATCH] tiny mon patch

On Fri, 17 Feb 2017 01:17:21 AM cgzones via refpolicy wrote:
> * The runtime file context starts with /var/run, but after the
> runtime-filecontext transition it should start with /run

Last time I tested it the algorithm used for labelling files matched the
expression with the longest non-regex part and didn't take the subs_dist into
account. So an expression starting with /run would often lose out to one
starting with /var/run in situations where you didn't want it to.

If nothing has changed in this regard then a change to /run instead of
/var/run requires changing everything at once. This isn't impossible or even
that difficult (my usrmerge patch was essentially the same thing for /usr), but
it has to be done all at once.

Are all the other distributions using /run nowadays? If so you could make a
patch to change everything and send it to the list.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
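As an added illustration of the labelling point Russell makes above (this is not code from the thread, from refpolicy, or from libselinux): a simplified Python model of file_contexts matching in which the matching spec with the longest literal stem wins and a later entry wins a tie. The generic /var/run and /run entries and the /var/run to /run subs_dist mapping are assumed; the /run/mon spec is the one from Christian's patch, and the model shows what happens to a path under /var/run/mon when the substitution is and is not applied.

```python
import re

# Regex metacharacters that terminate a file_contexts "stem", i.e. the literal
# leading path components used to rank competing specs (simplified model).
_META = set(".^$?*+|[({\\")


def stem(spec: str) -> str:
    """Longest run of leading path components that contain no regex metacharacter."""
    out = []
    for part in spec.split("/")[1:]:
        if any(c in _META for c in part):
            break
        out.append(part)
    return "/" + "/".join(out)


def apply_subs(path: str, subs) -> str:
    """Rewrite a path prefix the way a subs_dist mapping would (longest source first)."""
    for src, dst in sorted(subs, key=lambda s: -len(s[0])):
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def lookup(path: str, specs, subs=(), use_subs=True):
    """Return the context of the best matching spec, or None if nothing matches.

    Ranking: longer stem wins; among equal stems the later entry in the file wins.
    """
    key = apply_subs(path, subs) if use_subs else path
    best = None
    for idx, (regex, ctx) in enumerate(specs):
        if re.fullmatch(regex, key) is None:
            continue
        rank = (len(stem(regex)), idx)
        if best is None or rank > best[0]:
            best = (rank, ctx)
    return best[1] if best else None


# Constructed spec list: two assumed generic entries plus the entry from the patch.
SPECS = [
    ("/var/run(/.*)?", "var_run_t"),      # assumed generic runtime entry
    ("/run(/.*)?", "var_run_t"),          # assumed generic runtime entry
    ("/run/mon(/.*)?", "mon_var_run_t"),  # from the mon.fc hunk in this thread
]
SUBS = [("/var/run", "/run")]             # assumed subs_dist mapping

if __name__ == "__main__":
    for use in (False, True):
        print("subs applied" if use else "no subs", "->",
              lookup("/var/run/mon/mon.pid", SPECS, SUBS, use_subs=use))
```

Without the substitution a pid file under /var/run/mon only matches the generic entry and gets var_run_t, which is why a half-done /run move leaves mon_t denied on its own runtime directory.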

2017-02-18 15:54:11

by Chris PeBenito

Subject: [refpolicy] [PATCH] tiny mon patch

On 02/16/17 09:17, cgzones wrote:
> 2017-02-16 0:52 GMT+01:00 Chris PeBenito via refpolicy
> <[email protected]>:
>> On 02/14/17 04:22, Russell Coker via refpolicy wrote:
>>> When you merged the mon patch you removed the ability for mon_t to execute
>>> lib_t files.
>>>
>>> The following patch re-enables the ability to execute alert scripts.
>>>
>>> Index: refpolicy-2.20170212/policy/modules/kernel/corecommands.fc
>>> ===================================================================
>>> --- refpolicy-2.20170212.orig/policy/modules/kernel/corecommands.fc
>>> +++ refpolicy-2.20170212/policy/modules/kernel/corecommands.fc
>>> @@ -155,6 +155,7 @@ ifdef(`distro_gentoo',`
>>> /usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
>>>
>>> /usr/lib/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
>>> +/usr/lib/mon/alert.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
>>> /usr/lib/postfix/configure-instance.sh -- gen_context(system_u:object_r:bin_t,s0)
>>>
>>> /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
>>
>> Merged, though I moved the line.
>>
>
> I have two annotations about the new module:
> * It uses the deprecated interface miscfiles_read_certs, which is just
> a wrapper for miscfiles_read_generic_certs
> * The runtime file context starts with /var/run, but after the
> runtime-filecontext transition it should start with /run

I've fixed the deprecated interface usage. I've also implemented a
WERROR build option which will, like gcc, treat warnings as errors.
I've enabled it on the Travis-CI builds.

--
Chris PeBenito

2017-02-19 10:04:43

by Russell Coker

Subject: [refpolicy] [PATCH] tiny mon patch

On Sun, 19 Feb 2017 02:54:11 AM Chris PeBenito wrote:
> I've fixed the deprecated interface usage. I've also implemented a
> WERROR build option which will, like gcc, treat warnings as errors.
> I've enabled it on the Travis-CI builds.

Great! I've changed the Debian build configuration to use WERROR all the time.
There's no reason for distributions to use obsolete interfaces.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/