Re: Some questions regarding RedHat refpolicy patches

["Christopher J. PeBenito" <cpebenito@tresys.com>]

On Mon, 2008-08-04 at 00:44 +0200, David Härdeman wrote:
> Going through the RedHat patches trying to find more stuff to send 
> upstream for merge, I've come across a few things that I don't quite 
> understand and I'd appreciate if someone could explain them to me :)
> 
> a)
> 
> There are quite a lot of changes like this:
> 
> --- ./upstream/refpolicy/policy/modules/apps/uml.fc     2008-08-03 12:31:17.000000000 +0200
> +++ ./fedora/refpolicy/policy/modules/apps/uml.fc       2008-08-03 12:29:42.000000000 +0200
> @@ -1,7 +1,7 @@
>   #
>   # HOME_DIR/
>   #
> -HOME_DIR/\.uml(/.*)?           gen_context(system_u:object_r:ROLE_uml_rw_t,s0)
> +HOME_DIR/\.uml(/.*)?           gen_context(system_u:object_r:user_uml_rw_t,s0)
> 
> What is the purpose of these changes and is it something that makes 
> sense upstream? The upstream SVN version seems to contain quite a lot of 
> "ROLE" contexts already

No, it removes role separations on these uml files.  It is a
Fedora-specific change that isn't upstreamable.

> ...then again, other parts of the patch do the 
> reverse:
> 
> --- ./upstream/refpolicy/policy/modules/apps/mplayer.fc 2008-08-03 12:31:17.000000000 +0200
> +++ ./fedora/refpolicy/policy/modules/apps/mplayer.fc   2008-08-03 12:29:42.000000000 +0200
> @@ -10,4 +10,4 @@
>   /usr/bin/mencoder      --      gen_context(system_u:object_r:mencoder_exec_t,s0)
>   /usr/bin/xine          --      gen_context(system_u:object_r:mplayer_exec_t,s0)
>   
> -HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
> +HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:user_mplayer_home_t,s0)

This isn't the reverse of the previous example, its also removing the
separation.

> b)
> 
> There are also quite a lot of changes like this:
> 
> --- ./upstream/refpolicy/policy/modules/apps/awstats.if 2008-08-03 12:31:17.000000000 +0200
> +++ ./fedora/refpolicy/policy/modules/apps/awstats.if   2008-05-15 15:10:34.000000000 +0200
> @@ -33,7 +33,8 @@
>   #
>   interface(`awstats_cgi_exec',`
>          gen_require(`
> -               type httpd_awstats_script_exec_t, httpd_awstats_content_t;
> +               type httpd_awstats_script_exec_t;
> +               type httpd_awstats_content_t;
> 
> Are these only noise (and in that case, would you (Dan) like a patch to 
> remove that noise) or something which is actually wanted upstream?

The types being required should match the types being used in the body
of the interface.  If the change doesn't make them match up, then its
wrong.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.