From mboxrd@z Thu Jan 1 00:00:00 1970
From: dominick.grift@gmail.com (Dominick Grift)
Date: Thu, 26 Sep 2013 14:41:44 +0200
Subject: [refpolicy] [PATCH 04/20] seutils: restorecon wants to read /run symbolic link
In-Reply-To: <52442AD5.5020701@tresys.com>
References: <1380029956-24978-1-git-send-email-dominick.grift@gmail.com> <52442AD5.5020701@tresys.com>
Message-ID: <1380199304.2561.5.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2013-09-26 at 08:38 -0400, Christopher J. PeBenito wrote:
> On Tue 24 Sep 2013 09:39:16 AM EDT, Dominick Grift wrote:
> > Do not audit attempts by fixfiles to read all symbolic links
> >
> > Signed-off-by: Dominick Grift
> > ---
> > policy/modules/system/selinuxutil.te | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> > index 5622246..ff19d75 100644
> > --- a/policy/modules/system/selinuxutil.te
> > +++ b/policy/modules/system/selinuxutil.te
> > @@ -552,7 +552,7 @@ files_read_etc_runtime_files(setfiles_t)
> > files_read_etc_files(setfiles_t)
> > files_list_all(setfiles_t)
> > files_relabel_all_files(setfiles_t)
> > -files_read_usr_symlinks(setfiles_t)
> > +files_dontaudit_read_all_symlinks(setfiles_t)
> >
> > fs_getattr_xattr_fs(setfiles_t)
> > fs_list_all(setfiles_t)
>
> Can you further clarify this? Setfiles hasn't changed much in years,
> so I'm unclear on why this change is necessary.

This is not so much related to setfiles; it's related to recent changes of locations, for example /var/run -> /run, /bin -> /usr/bin etc. So now /var/run is a symlink to /run. setfiles doesn't follow symlinks, so we might as well silently deny access to read all symlinks.

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
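Review bot: the hunk removes the existing allow `files_read_usr_symlinks(setfiles_t)` while adding `files_dontaudit_read_all_symlinks(setfiles_t)`, so reads of symlinks under /usr go from permitted to silently denied rather than merely being quieted; if that allow is no longer needed the commit message should say so, otherwise keep it next to the new dontaudit line. The description should also name the domain consistently: the subject says restorecon, the message says fixfiles, and the rule applies to setfiles_t. Since a dontaudit removes the AVC record entirely, the justification that setfiles never dereferences the /var/run -> /run symlink belongs in the commit message, because a relabel that does fail on such a path would otherwise leave no audit trail to diagnose.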