From mboxrd@z Thu Jan 1 00:00:00 1970
From: dominick.grift@gmail.com (Dominick Grift)
Date: Fri, 27 Sep 2013 23:03:27 +0200
Subject: [refpolicy] [PATCH 04/20] seutils: restorecon wants to read /run symbolic link
In-Reply-To: <5245F164.8000904@tresys.com>
References: <1380029956-24978-1-git-send-email-dominick.grift@gmail.com>
 <52442AD5.5020701@tresys.com>
 <1380199304.2561.5.camel@d30>
 <5245F164.8000904@tresys.com>
Message-ID: <1380315807.23967.5.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2013-09-27 at 16:58 -0400, Christopher J. PeBenito wrote:
> On Thu 26 Sep 2013 08:41:44 AM EDT, Dominick Grift wrote:
> > On Thu, 2013-09-26 at 08:38 -0400, Christopher J. PeBenito wrote:
> >> On Tue 24 Sep 2013 09:39:16 AM EDT, Dominick Grift wrote:
> >>> Do not audit attempts by fixfiles to read all symbolic links
> >>>
> >>> Signed-off-by: Dominick Grift
> >>> ---
> >>> policy/modules/system/selinuxutil.te | 2 +-
> >>> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>>
> >>> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> >>> index 5622246..ff19d75 100644
> >>> --- a/policy/modules/system/selinuxutil.te
> >>> +++ b/policy/modules/system/selinuxutil.te
> >>> @@ -552,7 +552,7 @@ files_read_etc_runtime_files(setfiles_t)
> >>> files_read_etc_files(setfiles_t)
> >>> files_list_all(setfiles_t)
> >>> files_relabel_all_files(setfiles_t)
> >>> -files_read_usr_symlinks(setfiles_t)
> >>> +files_dontaudit_read_all_symlinks(setfiles_t)
> >>>
> >>> fs_getattr_xattr_fs(setfiles_t)
> >>> fs_list_all(setfiles_t)
> >>
> >> Can you further clarify this? Setfiles hasn't changed much in years,
> >> so I'm unclear on why this change is necessary.
> >
> > This is not so much related to setfiles.
> >
> > It's related to recent changes of locations, for example /var/run
> > -> /run, /bin -> /usr/bin etc.
> >
> > So now /var/run is a symlink to /run.
> >
> > setfiles doesn't follow symlinks so we might as well silently deny access
> > to read all symlinks.
>
> I'm reluctant to remove the usr_t access, since it might be needed from
> one of the libs setfiles uses, rather than setfiles itself.

OK, that's fine, then please just add the dontaudit for the others.

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
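Review bot: the hunk removes files_read_usr_symlinks(setfiles_t) instead of adding the dontaudit alongside it, so setfiles_t loses an allow rule that, as Chris PeBenito notes in this thread, may still be needed by a library setfiles links against rather than by setfiles itself; keep the files_read_usr_symlinks(setfiles_t) line and add files_dontaudit_read_all_symlinks(setfiles_t) beneath it. A dontaudit rule never grants or removes access, and where an allow rule covers the same permission the access is granted and nothing is logged, so the two lines coexist without conflict. Two further points: a dontaudit covering all symlinks also suppresses any future legitimate denial on a symlink read from the audit log, which makes later setfiles problems harder to diagnose, so the reasoning (/var/run now being a symlink to /run and setfiles not following symlinks) belongs in the commit message; and the commit message says fixfiles while the rule applies to setfiles_t and the subject line refers to restorecon, so it should name the domain actually affected.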