[refpolicy] [PATCH v2 0/2] Introduce substitution for /usr/local/lib* and /etc/init.d

[refpolicy] [PATCH v2 0/2] Introduce substitution for /usr/local/lib* and /etc/init.d

[Sven Vermeulen]

This patchset contains the suggestion to also have a substitition for
/usr/local/lib* towards /usr/lib since manually installed applications use
/usr/local/lib* for their libraries (instead of /usr/lib) but *should* have the
same structure otherwise.

This is not only to clean up the defined file contexts a bit (there are not that
many references to /usr/local) but mainly to support such installed applications
almost out-of-the-box with our policies.

A second substitution is for init scripts defined in /etc/init\.d, which we now
map to /etc/rc\.d/init\.d (already used in the majority of cases in the policy).
For those distributions that do use /etc/init\.d though they need to take care
to always use /etc/rc\.d/init\.d since the translation (substitution) takes
precedence before the file contexts are looked at.

Changelog since v1
------------------

- Removed translation of /usr/local to /usr
- Added translation for /etc/init.d to /etc/rc.d/init.d

[refpolicy] [PATCH v2 1/2] Use substititions for /usr/local/lib and /etc/init.d

[Sven Vermeulen]

Introduce the substitutions for the /usr/local/lib* locations (towards /usr/lib)
and /etc/init.d (towards /etc/rc.d/init.d).

Update the file contexts of the translated locations.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 config/file_contexts.subs_dist        |    4 ++++
 policy/modules/kernel/corecommands.fc |    3 ---
 policy/modules/kernel/files.fc        |    2 +-
 policy/modules/services/xserver.fc    |    4 ++--
 policy/modules/system/init.fc         |    2 --
 policy/modules/system/ipsec.fc        |    5 -----
 policy/modules/system/libraries.fc    |    1 -
 7 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index 32b87a4..5c93bb4 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -1,7 +1,11 @@
+/etc/init.d /etc/rc.d/init.d
 /lib32 /lib
 /lib64 /lib
 /run /var/run
 /run/lock /var/lock
 /usr/lib32 /usr/lib
 /usr/lib64 /usr/lib
+/usr/local/lib32 /usr/lib
+/usr/local/lib64 /usr/lib
+/usr/local/lib/ /usr/lib/
 /var/run/lock /var/lock
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 16b3f1b..9020aa1 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -66,8 +66,6 @@ ifdef(`distro_redhat',`
 /etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug\.d/default/default.*	gen_context(system_u:object_r:bin_t,s0)
 
-/etc/init\.d/functions		--	gen_context(system_u:object_r:bin_t,s0)
-
 /etc/kde/env(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
@@ -257,7 +255,6 @@ ifdef(`distro_gentoo',`
 
 /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
 
-/usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Brother(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/local/Printer(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/local/linuxprinter/filters(/.*)?	gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 8796ca3..1975fc4 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -84,7 +84,7 @@ ifdef(`distro_redhat',`
 
 ifdef(`distro_suse',`
 /etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/init\.d/\.depend.*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
 ')
 
 #
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index fc86b7c..be8f670 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -22,13 +22,13 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /etc/gdm/PreSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/gdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 
-/etc/init\.d/xfree86-common --	gen_context(system_u:object_r:xserver_exec_t,s0)
-
 /etc/kde[34]?/kdm/Xstartup --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/kde[34]?/kdm/Xreset --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/kde[34]?/kdm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/kde[34]?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
 
+/etc/rc\.d/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
+
 /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index d2e40b8..03e27db 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -1,8 +1,6 @@
 #
 # /etc
 #
-/etc/init\.d/.*		--	gen_context(system_u:object_r:initrc_exec_t,s0)
-
 /etc/rc\.d/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/rc\.d/rc\.[^/]+	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index ec85acb..662e79b 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -27,11 +27,6 @@
 /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 
-/usr/local/lib(64)?/ipsec/eroute --	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib(64)?/ipsec/pluto --	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib(64)?/ipsec/spi	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-
 /usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
 /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index ef8bbaf..f302477 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -242,7 +242,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_
 /usr/lib.*/libmpg123\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local(/.*)?/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 HOME_DIR/.*/plugins/nppdf\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-- 
1.7.8.6

[refpolicy] [PATCH v2 1/2] Use substititions for /usr/local/lib and /etc/init.d

[Guido Trentalancia]

On 09/08/2012 19:44, Sven Vermeulen wrote:
>
> Introduce the substitutions for the /usr/local/lib* locations (towards /usr/lib)
> and /etc/init.d (towards /etc/rc.d/init.d).
>
> Update the file contexts of the translated locations.
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>   config/file_contexts.subs_dist        |    4 ++++
>   policy/modules/kernel/corecommands.fc |    3 ---
>   policy/modules/kernel/files.fc        |    2 +-
>   policy/modules/services/xserver.fc    |    4 ++--
>   policy/modules/system/init.fc         |    2 --
>   policy/modules/system/ipsec.fc        |    5 -----
>   policy/modules/system/libraries.fc    |    1 -
>   7 files changed, 7 insertions(+), 14 deletions(-)
>
> diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
> index 32b87a4..5c93bb4 100644
> --- a/config/file_contexts.subs_dist
> +++ b/config/file_contexts.subs_dist
> @@ -1,7 +1,11 @@
> +/etc/init.d /etc/rc.d/init.d
>   /lib32 /lib
>   /lib64 /lib
>   /run /var/run
>   /run/lock /var/lock
>   /usr/lib32 /usr/lib
>   /usr/lib64 /usr/lib
> +/usr/local/lib32 /usr/lib
> +/usr/local/lib64 /usr/lib
> +/usr/local/lib/ /usr/lib/
>   /var/run/lock /var/lock
> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> index 16b3f1b..9020aa1 100644
> --- a/policy/modules/kernel/corecommands.fc
> +++ b/policy/modules/kernel/corecommands.fc
> @@ -66,8 +66,6 @@ ifdef(`distro_redhat',`
>   /etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:bin_t,s0)
>   /etc/hotplug\.d/default/default.*	gen_context(system_u:object_r:bin_t,s0)
>
> -/etc/init\.d/functions		--	gen_context(system_u:object_r:bin_t,s0)
> -

My advice is to leave this (and a couple more) for safety, as it would 
probably do more good than harm. The substitution file is a 
configuration file and it can be edited erroneously.

>   /etc/kde/env(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>   /etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>
> @@ -257,7 +255,6 @@ ifdef(`distro_gentoo',`
>
>   /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
>
> -/usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
>   /usr/local/Brother(/.*)?		gen_context(system_u:object_r:bin_t,s0)
>   /usr/local/Printer(/.*)?		gen_context(system_u:object_r:bin_t,s0)
>   /usr/local/linuxprinter/filters(/.*)?	gen_context(system_u:object_r:bin_t,s0)
> diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
> index 8796ca3..1975fc4 100644
> --- a/policy/modules/kernel/files.fc
> +++ b/policy/modules/kernel/files.fc
> @@ -84,7 +84,7 @@ ifdef(`distro_redhat',`
>
>   ifdef(`distro_suse',`
>   /etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
> -/etc/init\.d/\.depend.*	--	gen_context(system_u:object_r:etc_runtime_t,s0)

My advice is to leave this (and a couple more) for safety, as it would 
probably do more good than harm. The substitution file is a 
configuration file and it can be edited erroneously.

Also, I think it's dangerous to edit inside the distribution ifdefs.

> +/etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
>   ')
>
>   #
> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> index fc86b7c..be8f670 100644
> --- a/policy/modules/services/xserver.fc
> +++ b/policy/modules/services/xserver.fc
> @@ -22,13 +22,13 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>   /etc/gdm/PreSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
>   /etc/gdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
>
> -/etc/init\.d/xfree86-common --	gen_context(system_u:object_r:xserver_exec_t,s0)
> -
>   /etc/kde[34]?/kdm/Xstartup --	gen_context(system_u:object_r:xsession_exec_t,s0)
>   /etc/kde[34]?/kdm/Xreset --	gen_context(system_u:object_r:xsession_exec_t,s0)
>   /etc/kde[34]?/kdm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
>   /etc/kde[34]?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
>
> +/etc/rc\.d/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
> +
>   /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
>   /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
>   /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
> diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
> index d2e40b8..03e27db 100644
> --- a/policy/modules/system/init.fc
> +++ b/policy/modules/system/init.fc
> @@ -1,8 +1,6 @@
>   #
>   # /etc
>   #
> -/etc/init\.d/.*		--	gen_context(system_u:object_r:initrc_exec_t,s0)
> -

My advice is to leave this (and a couple more) for safety, as it would 
probably do more good than harm. The substitution file is a 
configuration file and it can be edited erroneously.

>   /etc/rc\.d/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
>   /etc/rc\.d/rc\.[^/]+	--	gen_context(system_u:object_r:initrc_exec_t,s0)
>
> diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
> index ec85acb..662e79b 100644
> --- a/policy/modules/system/ipsec.fc
> +++ b/policy/modules/system/ipsec.fc
> @@ -27,11 +27,6 @@
>   /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
>   /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>
> -/usr/local/lib(64)?/ipsec/eroute --	gen_context(system_u:object_r:ipsec_exec_t,s0)
> -/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
> -/usr/local/lib(64)?/ipsec/pluto --	gen_context(system_u:object_r:ipsec_exec_t,s0)
> -/usr/local/lib(64)?/ipsec/spi	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
> -

You have not replaced the above four entries with anything... Even if it 
was obsolete stuff, I would recommend not removing them completely 
unless, say, the obsolete source code is no longer available at the main 
distribution point.

>   /usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>   /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
>   /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
> diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
> index ef8bbaf..f302477 100644
> --- a/policy/modules/system/libraries.fc
> +++ b/policy/modules/system/libraries.fc
> @@ -242,7 +242,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_
>   /usr/lib.*/libmpg123\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
>   /usr/local(/.*)?/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
>   /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
> -/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>
>   HOME_DIR/.*/plugins/nppdf\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
>   HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
>

[refpolicy] [PATCH v2 1/2] Use substititions for /usr/local/lib and /etc/init.d

[Sven Vermeulen]

On Thu, Aug 09, 2012 at 08:28:58PM +0200, Guido Trentalancia wrote:
> > diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> > index 16b3f1b..9020aa1 100644
> > --- a/policy/modules/kernel/corecommands.fc
> > +++ b/policy/modules/kernel/corecommands.fc
> > @@ -66,8 +66,6 @@ ifdef(`distro_redhat',`
> >   /etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:bin_t,s0)
> >   /etc/hotplug\.d/default/default.*	gen_context(system_u:object_r:bin_t,s0)
> >
> > -/etc/init\.d/functions		--	gen_context(system_u:object_r:bin_t,s0)
> > -
> 
> My advice is to leave this (and a couple more) for safety, as it would 
> probably do more good than harm. The substitution file is a 
> configuration file and it can be edited erroneously.

I disagree. If we would leave in these file context definitions - which will
never be hit in the first place if the file context substitution file is
correct - it would give a false sense towards the policy administrators that
it is a "good" rule.

Say some policy editor wants to have /etc/init.d/functions labeled
shell_exec_t or so instead. If he would do
  /etc/init\.d/functions-- gen_context(system_u:object_r:shell_exec_t,s0)
he'll have a hard time figuring out why it still labels as bin_t.

> >   ifdef(`distro_suse',`
> >   /etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
> > -/etc/init\.d/\.depend.*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
> 
> My advice is to leave this (and a couple more) for safety, as it would 
> probably do more good than harm. The substitution file is a 
> configuration file and it can be edited erroneously.
> 
> Also, I think it's dangerous to edit inside the distribution ifdefs.

Why would it be dangerous? The substitutions are done regardless of the
distro_suse value. Keeping it for /etc/init.d would again yield the
impression that it is a valid one.

> > diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
> > index ec85acb..662e79b 100644
> > --- a/policy/modules/system/ipsec.fc
> > +++ b/policy/modules/system/ipsec.fc
> > @@ -27,11 +27,6 @@
> >   /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
> >   /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
> >
> > -/usr/local/lib(64)?/ipsec/eroute --	gen_context(system_u:object_r:ipsec_exec_t,s0)
> > -/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
> > -/usr/local/lib(64)?/ipsec/pluto --	gen_context(system_u:object_r:ipsec_exec_t,s0)
> > -/usr/local/lib(64)?/ipsec/spi	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
> > -
> 
> You have not replaced the above four entries with anything... Even if it 
> was obsolete stuff, I would recommend not removing them completely 
> unless, say, the obsolete source code is no longer available at the main 
> distribution point.

They don't need to. A bit higher in the file context file, you'll find
definitions for /usr/lib/ipsec/eroute. That is the destination of the file
substitutions anyhow. In other words, the above ones are obsolete.

What do you mean with "obsolete source code is no longer available at the
main distribution point"? 

Wkr,
	Sven Vermeulen

[refpolicy] [PATCH v2 1/2] Use substititions for /usr/local/lib and /etc/init.d

[Guido Trentalancia]

Hello Sven.

On 09/08/2012 20:44, Sven Vermeulen wrote:
> On Thu, Aug 09, 2012 at 08:28:58PM +0200, Guido Trentalancia wrote:
>>> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
>>> index 16b3f1b..9020aa1 100644
>>> --- a/policy/modules/kernel/corecommands.fc
>>> +++ b/policy/modules/kernel/corecommands.fc
>>> @@ -66,8 +66,6 @@ ifdef(`distro_redhat',`
>>>    /etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:bin_t,s0)
>>>    /etc/hotplug\.d/default/default.*	gen_context(system_u:object_r:bin_t,s0)
>>>
>>> -/etc/init\.d/functions		--	gen_context(system_u:object_r:bin_t,s0)
>>> -
>>
>> My advice is to leave this (and a couple more) for safety, as it would
>> probably do more good than harm. The substitution file is a
>> configuration file and it can be edited erroneously.
>
> I disagree. If we would leave in these file context definitions - which will
> never be hit in the first place if the file context substitution file is
> correct - it would give a false sense towards the policy administrators that
> it is a "good" rule.

"Substitution of /etc/rc.d/init.d with /etc/init.d" should leave 
/etc/init.d unmodified (thus producing only a duplicate entry in the 
worst case). If a duplicate entry with the same context is detected as 
an error by setfiles, perhaps the latter should be modified (so that it 
produces at most a warning).

> Say some policy editor wants to have /etc/init.d/functions labeled
> shell_exec_t or so instead. If he would do
>    /etc/init\.d/functions-- gen_context(system_u:object_r:shell_exec_t,s0)
> he'll have a hard time figuring out why it still labels as bin_t.

Do you mean perhaps that if he or she only modifies the first one and 
then leaves the second one as it is and also inadvertently modifies 
file_contexts.sub_dist so that is substitutes /etc/rc.d/init.d with 
/etc/init.d, the result is inconsistent ?

If so, I think that setfiles would detect it. I can't remember exactly 
now whether it just prints out a warning or if it counts as an error, 
although there is a minimum number of errors that are "tolerated" at 
present...

>>>    ifdef(`distro_suse',`
>>>    /etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
>>> -/etc/init\.d/\.depend.*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
>>
>> My advice is to leave this (and a couple more) for safety, as it would
>> probably do more good than harm. The substitution file is a
>> configuration file and it can be edited erroneously.
>>
>> Also, I think it's dangerous to edit inside the distribution ifdefs.
>
> Why would it be dangerous? The substitutions are done regardless of the
> distro_suse value. Keeping it for /etc/init.d would again yield the
> impression that it is a valid one.

Substituting inside the ifdef distro values might not be desirable, 
however I am not a distribution packager/maintainer, therefore I don't 
know exactly. If I was a distribution packager/maintainer however, I 
would not push for that.

>>> diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
>>> index ec85acb..662e79b 100644
>>> --- a/policy/modules/system/ipsec.fc
>>> +++ b/policy/modules/system/ipsec.fc
>>> @@ -27,11 +27,6 @@
>>>    /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
>>>    /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
>>>
>>> -/usr/local/lib(64)?/ipsec/eroute --	gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> -/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> -/usr/local/lib(64)?/ipsec/pluto --	gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> -/usr/local/lib(64)?/ipsec/spi	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
>>> -
>>
>> You have not replaced the above four entries with anything... Even if it
>> was obsolete stuff, I would recommend not removing them completely
>> unless, say, the obsolete source code is no longer available at the main
>> distribution point.

...and by all distributions actually.

> They don't need to. A bit higher in the file context file, you'll find
> definitions for /usr/lib/ipsec/eroute. That is the destination of the file
> substitutions anyhow. In other words, the above ones are obsolete.

Well, that's fine then, my short-sight !

> What do you mean with "obsolete source code is no longer available at the
> main distribution point"?

I mean when the source code for a given piece of software is no longer 
available from anywhere, including from any distribution (which still 
bears some risk).

> Wkr,
> 	Sven Vermeulen

Kind regards,

Guido

[refpolicy] [PATCH v2 1/2] Use substititions for /usr/local/lib and /etc/init.d

[Sven Vermeulen]

On Fri, Aug 10, 2012 at 12:42:01AM +0200, Guido Trentalancia wrote:
> >>> --- a/policy/modules/kernel/corecommands.fc
> >>> +++ b/policy/modules/kernel/corecommands.fc
> >>> @@ -66,8 +66,6 @@ ifdef(`distro_redhat',`
> >>>    /etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:bin_t,s0)
> >>>    /etc/hotplug\.d/default/default.*	gen_context(system_u:object_r:bin_t,s0)
> >>>
> >>> -/etc/init\.d/functions		--	gen_context(system_u:object_r:bin_t,s0)
> >>> -
> >>
> >> My advice is to leave this (and a couple more) for safety, as it would
> >> probably do more good than harm. The substitution file is a
> >> configuration file and it can be edited erroneously.
> >
> > I disagree. If we would leave in these file context definitions - which will
> > never be hit in the first place if the file context substitution file is
> > correct - it would give a false sense towards the policy administrators that
> > it is a "good" rule.
> 
> "Substitution of /etc/rc.d/init.d with /etc/init.d" should leave 
> /etc/init.d unmodified (thus producing only a duplicate entry in the 
> worst case). If a duplicate entry with the same context is detected as 
> an error by setfiles, perhaps the latter should be modified (so that it 
> produces at most a warning).

Setfiles doesn't see this as a duplicate entry as far as I can remember. It
looks at the file path and tries to match it against the file contexts
/after/ substitution. In other words, the file contexts that use a path that
is substituted away from (like /etc/init.d) are just dead code.

> > Say some policy editor wants to have /etc/init.d/functions labeled
> > shell_exec_t or so instead. If he would do
> >    /etc/init\.d/functions-- gen_context(system_u:object_r:shell_exec_t,s0)
> > he'll have a hard time figuring out why it still labels as bin_t.
> 
> Do you mean perhaps that if he or she only modifies the first one and 
> then leaves the second one as it is and also inadvertently modifies 
> file_contexts.sub_dist so that is substitutes /etc/rc.d/init.d with 
> /etc/init.d, the result is inconsistent ?

No, what I mean is the following.

Before my commit, you have both /etc/init.d/blabla and
/etc/rc.d/init.d/blabla rules in the file contexts. In the commit, a
substitution rule is added stating that every file path with /etc/init.d
should be looked at as if it was /etc/rc.d/init.d in the file contexts.

So what you now have is that each and every /etc/init.d line in the file
contexts is never going to be used anymore. It is also never really looked
at.

However, if I as a policy editor see both /etc/init.d and /etc/rc.d/init.d
used in the policy, I would *assume* that they are still both valid - which
isn't the case.

By only seeing /etc/rc.d/init.d in the entire code, it makes more sense to
me to not just quickly add in a /etc/init.d (because that would be the
first, even though "it works") and I will remember that a file context
substitution entry is in place.


> >> You have not replaced the above four entries with anything... Even if it
> >> was obsolete stuff, I would recommend not removing them completely
> >> unless, say, the obsolete source code is no longer available at the main
> >> distribution point.
> 
> ...and by all distributions actually.

The moment a distribution pulls in from refpolicy, the substitutions are in
place.

Don't forget that, what I did here in the patch (i.e. introduce the
substitution and update all file contexts to match it) is no different from
the substitution for /usr/lib64 and /usr/lib32 to /usr/lib a while ago.

There too, all contexts were updated to reflect the new, "substituted"
situation. I don't see why the substitutions for /etc/init.d would be any
different.

Wkr,
	Sven Vermeulen

[refpolicy] [PATCH v2 2/2] Update with new substitutions

[Sven Vermeulen]

The recently introduced substitutions for /usr/local/lib* and /etc/init.d also
reflect in the file contexts of a few contrib modules.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 hadoop.fc    |    7 -------
 inetd.fc     |    2 +-
 tmpreaper.fc |    4 ++--
 3 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/hadoop.fc b/hadoop.fc
index 633c470..8bc8a78 100644
--- a/hadoop.fc
+++ b/hadoop.fc
@@ -1,12 +1,5 @@
 /etc/hadoop.*							gen_context(system_u:object_r:hadoop_etc_t,s0)
 
-/etc/init\.d/hadoop-(.*-)?datanode			--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-(.*-)?jobtracker			--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
-/etc/init\.d/hadoop-(.*-)?namenode			--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-(.*-)?secondarynamenode		--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-(.*-)?tasktracker			--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
-/etc/init\.d/zookeeper					--	gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
-
 /etc/rc\.d/init\.d/hadoop-(.*-)?datanode		--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/hadoop-(.*-)?jobtracker		--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/hadoop-(.*-)?namenode		--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
diff --git a/inetd.fc b/inetd.fc
index 39d5baa..6107467 100644
--- a/inetd.fc
+++ b/inetd.fc
@@ -1,7 +1,7 @@
+/usr/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
 
 /usr/sbin/identd	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
 /usr/sbin/in\..*d	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
-/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
 
 /usr/sbin/inetd		--	gen_context(system_u:object_r:inetd_exec_t,s0)
 /usr/sbin/rlinetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)
diff --git a/tmpreaper.fc b/tmpreaper.fc
index fcc10e8..42ee122 100644
--- a/tmpreaper.fc
+++ b/tmpreaper.fc
@@ -1,6 +1,6 @@
 ifdef(`distro_debian',`
-/etc/init\.d/mountall-bootclean.sh --	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
-/etc/init\.d/mountnfs-bootclean.sh --	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/etc/rc\.d/init\.d/mountall-bootclean.sh --	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/etc/rc\.d/init\.d/mountnfs-bootclean.sh --	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
 ')
 
 /usr/sbin/tmpreaper		--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
-- 
1.7.8.6

[refpolicy] [PATCH v2 2/2] Update with new substitutions

[Guido Trentalancia]

On 09/08/2012 19:45, Sven Vermeulen wrote:
> The recently introduced substitutions for /usr/local/lib* and /etc/init.d also
> reflect in the file contexts of a few contrib modules.
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>   hadoop.fc    |    7 -------
>   inetd.fc     |    2 +-
>   tmpreaper.fc |    4 ++--
>   3 files changed, 3 insertions(+), 10 deletions(-)
>
> diff --git a/hadoop.fc b/hadoop.fc
> index 633c470..8bc8a78 100644
> --- a/hadoop.fc
> +++ b/hadoop.fc
> @@ -1,12 +1,5 @@
>   /etc/hadoop.*							gen_context(system_u:object_r:hadoop_etc_t,s0)
>
> -/etc/init\.d/hadoop-(.*-)?datanode			--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-(.*-)?jobtracker			--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-(.*-)?namenode			--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-(.*-)?secondarynamenode		--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-(.*-)?tasktracker			--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
> -/etc/init\.d/zookeeper					--	gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
> -

zookeeper would not appear anymore if you remove it completely instead 
of translating it (look three lines further below).

>   /etc/rc\.d/init\.d/hadoop-(.*-)?datanode		--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
>   /etc/rc\.d/init\.d/hadoop-(.*-)?jobtracker		--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
>   /etc/rc\.d/init\.d/hadoop-(.*-)?namenode		--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
> diff --git a/inetd.fc b/inetd.fc
> index 39d5baa..6107467 100644
> --- a/inetd.fc
> +++ b/inetd.fc
> @@ -1,7 +1,7 @@
> +/usr/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
>
>   /usr/sbin/identd	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
>   /usr/sbin/in\..*d	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
> -/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
>
>   /usr/sbin/inetd		--	gen_context(system_u:object_r:inetd_exec_t,s0)
>   /usr/sbin/rlinetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)
> diff --git a/tmpreaper.fc b/tmpreaper.fc
> index fcc10e8..42ee122 100644
> --- a/tmpreaper.fc
> +++ b/tmpreaper.fc
> @@ -1,6 +1,6 @@
>   ifdef(`distro_debian',`
> -/etc/init\.d/mountall-bootclean.sh --	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
> -/etc/init\.d/mountnfs-bootclean.sh --	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
> +/etc/rc\.d/init\.d/mountall-bootclean.sh --	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
> +/etc/rc\.d/init\.d/mountnfs-bootclean.sh --	gen_context(system_u:object_r:tmpreaper_exec_t,s0)

Personally speaking, I would not touch what's inside the ifdefs, unless 
it's a very well known distribution that one is regularly and actively 
using.

>   ')
>
>   /usr/sbin/tmpreaper		--	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
>

[refpolicy] [PATCH v2 2/2] Update with new substitutions

[Sven Vermeulen]

On Thu, Aug 09, 2012 at 08:32:53PM +0200, Guido Trentalancia wrote:
> > diff --git a/hadoop.fc b/hadoop.fc
> > index 633c470..8bc8a78 100644
> > --- a/hadoop.fc
> > +++ b/hadoop.fc
> > @@ -1,12 +1,5 @@
> >   /etc/hadoop.*							gen_context(system_u:object_r:hadoop_etc_t,s0)
> >
> > -/etc/init\.d/hadoop-(.*-)?datanode			--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> > -/etc/init\.d/hadoop-(.*-)?jobtracker			--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
> > -/etc/init\.d/hadoop-(.*-)?namenode			--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
> > -/etc/init\.d/hadoop-(.*-)?secondarynamenode		--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
> > -/etc/init\.d/hadoop-(.*-)?tasktracker			--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
> > -/etc/init\.d/zookeeper					--	gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
> > -
> 
> zookeeper would not appear anymore if you remove it completely instead 
> of translating it (look three lines further below).

You're right, I was a bit too zealous with deleting lines here.

> > diff --git a/tmpreaper.fc b/tmpreaper.fc
> > index fcc10e8..42ee122 100644
> > --- a/tmpreaper.fc
> > +++ b/tmpreaper.fc
> > @@ -1,6 +1,6 @@
> >   ifdef(`distro_debian',`
> > -/etc/init\.d/mountall-bootclean.sh --	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
> > -/etc/init\.d/mountnfs-bootclean.sh --	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
> > +/etc/rc\.d/init\.d/mountall-bootclean.sh --	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
> > +/etc/rc\.d/init\.d/mountnfs-bootclean.sh --	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
> 
> Personally speaking, I would not touch what's inside the ifdefs, unless 
> it's a very well known distribution that one is regularly and actively 
> using.

If I didn't, then the rules for tmpreaper_exec_t would never be hit, and in
this case the Debian distribution would fail to have a properly labeled
/etc/init.d/mountall-bootclean.sh script.

Wkr,
	Sven Vermeulen

[refpolicy] [PATCH v2 2/2] Update with new substitutions

[Guido Trentalancia]

Hello Sven.

On 09/08/2012 20:47, Sven Vermeulen wrote:
> On Thu, Aug 09, 2012 at 08:32:53PM +0200, Guido Trentalancia wrote:
>>> diff --git a/hadoop.fc b/hadoop.fc
>>> index 633c470..8bc8a78 100644
>>> --- a/hadoop.fc
>>> +++ b/hadoop.fc
>>> @@ -1,12 +1,5 @@
>>>    /etc/hadoop.*							gen_context(system_u:object_r:hadoop_etc_t,s0)
>>>
>>> -/etc/init\.d/hadoop-(.*-)?datanode			--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
>>> -/etc/init\.d/hadoop-(.*-)?jobtracker			--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
>>> -/etc/init\.d/hadoop-(.*-)?namenode			--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
>>> -/etc/init\.d/hadoop-(.*-)?secondarynamenode		--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
>>> -/etc/init\.d/hadoop-(.*-)?tasktracker			--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
>>> -/etc/init\.d/zookeeper					--	gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
>>> -
>>
>> zookeeper would not appear anymore if you remove it completely instead
>> of translating it (look three lines further below).
>
> You're right, I was a bit too zealous with deleting lines here.

To say it all, in my opinion, there should only be one if the original 
package only installs one (1:1) and all the rest should go under 
customizations from the various distributions, because otherwise it 
might one day become unmanageable and even lead to errors.

But I was too lazy to go and find out what the original naming actually is.

>>> diff --git a/tmpreaper.fc b/tmpreaper.fc
>>> index fcc10e8..42ee122 100644
>>> --- a/tmpreaper.fc
>>> +++ b/tmpreaper.fc
>>> @@ -1,6 +1,6 @@
>>>    ifdef(`distro_debian',`
>>> -/etc/init\.d/mountall-bootclean.sh --	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
>>> -/etc/init\.d/mountnfs-bootclean.sh --	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
>>> +/etc/rc\.d/init\.d/mountall-bootclean.sh --	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
>>> +/etc/rc\.d/init\.d/mountnfs-bootclean.sh --	gen_context(system_u:object_r:tmpreaper_exec_t,s0)
>>
>> Personally speaking, I would not touch what's inside the ifdefs, unless
>> it's a very well known distribution that one is regularly and actively
>> using.
>
> If I didn't, then the rules for tmpreaper_exec_t would never be hit, and in
> this case the Debian distribution would fail to have a properly labeled
> /etc/init.d/mountall-bootclean.sh script.

I am not following you here... The above are not rules but file contexts.

And more specifically the above means, only the Debian distribution has 
mount{all,nfs}-bootclean.sh (and it is located in standard init dir, 
assumed by refpolicy to be /etc/rc.d/init.d for omogeneity) which would 
be a wrong location. But then, if the file_contexts.sub_dist file is 
modified appropriately by the Debian distribution it all comes up as 
expected, I suppose.

Not very important anyway, just a bit risky I think, unless you're 
involved with it.

> Wkr,
> 	Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

Regards,

Guido