[patch] types.fc

[patch] types.fc

[Chris PeBenito]

[-- Attachment #1.1: Type: text/plain, Size: 390 bytes --]

Here's an update of types.fc with a some Gentoo-specific entries,
against CVS.  Also enclose a few entries with other distro tunables.

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243


[-- Attachment #1.2: types.fc.diff --]
[-- Type: text/x-patch, Size: 2917 bytes --]

Index: file_contexts/types.fc
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/file_contexts/types.fc,v
retrieving revision 1.40
diff -u -r1.40 types.fc
--- file_contexts/types.fc	23 Sep 2004 19:08:59 -0000	1.40
+++ file_contexts/types.fc	24 Sep 2004 01:00:59 -0000
@@ -275,6 +275,11 @@
 /etc/sysconfig/firstboot --	system_u:object_r:etc_runtime_t
 /etc/asound\.state	--	system_u:object_r:etc_runtime_t
 /etc/ptal/ptal-printd-like -- 	system_u:object_r:etc_runtime_t
+ifdef(`distro_gentoo', `
+/etc/profile\.env	--	system_u:object_r:etc_runtime_t
+/etc/csh\.env		--	system_u:object_r:etc_runtime_t
+/etc/env\.d/.*		--	system_u:object_r:etc_runtime_t
+')
 /etc/ld\.so\.cache	--	system_u:object_r:ld_so_cache_t
 /etc/ld\.so\.preload	--	system_u:object_r:ld_so_cache_t
 /etc/yp\.conf.*		--	system_u:object_r:net_conf_t
@@ -303,6 +308,9 @@
 /lib(64)?/security/[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /lib(64)?/tls/i686/cmov/[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
 /lib(64)?/tls/i.86/[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
+ifdef(`distro_gentoo', `
+/lib(64)?/rcscripts/.*\.so.*		--	system_u:object_r:shlib_t
+')
 
 #
 # /sbin
@@ -327,7 +335,9 @@
 /usr/share/man(/.*)?		system_u:object_r:man_t
 /usr/share/mc/extfs/.*	--	system_u:object_r:bin_t
 /usr/share/texmf/teTeX/bin(/.*)?	system_u:object_r:bin_t
+ifdef(`distro_debian', `
 /usr/share/selinux(/.*)?	system_u:object_r:policy_src_t
+')
 
 #
 # /usr/bin
@@ -352,11 +362,14 @@
 /usr/.*glibc.*-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t
 /usr/.*glibc.*-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 
+#
 # /usr/.*redhat-linux/lib(64)?
 #
+ifdef(`distro_redhat', `
 /usr/.*redhat-linux/lib(64)?(/.*)?	system_u:object_r:lib_t
 /usr/.*redhat-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t
 /usr/.*redhat-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+')
 
 #
 # /usr/.*linux-libc.*/lib(64)?
@@ -366,6 +379,14 @@
 /usr/.*linux-libc.*/lib(64)?/lib[^/]*\.so(\.[^/]*)*	-- system_u:object_r:shlib_t
 
 #
+# /usr/.*-.*-linux-gnu
+#
+ifdef(`distro_gentoo', `
+/usr/.*-.*-linux-gnu/bin(/.*)?		system_u:object_r:bin_t
+/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	system_u:object_r:bin_t
+')
+
+#
 # /usr/local
 #
 /usr/local/etc(/.*)?		system_u:object_r:etc_t
@@ -493,10 +514,12 @@
 #
 # The Sun Java development kit, RPM install
 #
+ifdef(`distro_redhat', `
 /usr/java/j2.*/bin(/.*)?		system_u:object_r:bin_t
 /usr/java/j2.*/jre/lib(64)?/i386(/.*)?	system_u:object_r:lib_t
 /usr/java/j2.*/jre/lib(64)?/i386(/.*)?[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
 /usr/java/j2.*/plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+')
 
 #
 #  The krb5.conf file is always being tested for writability, so

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [patch] types.fc

[James Carter]

Merged, except for the ifdef around the java sdk stuff.  This is not
part of Fedora or RHEL (AFAIK), so I don't think that we want the
ifdef.  


 On Thu, 2004-09-23 at 21:02, Chris PeBenito wrote:
> Here's an update of types.fc with a some Gentoo-specific entries,
> against CVS.  Also enclose a few entries with other distro tunables.

> Index: file_contexts/types.fc
> ===================================================================
> RCS file:
> /cvsroot/selinux/nsa/selinux-usr/policy/file_contexts/types.fc,v
> retrieving revision 1.40
> diff -u -r1.40 types.fc
> --- file_contexts/types.fc      23 Sep 2004 19:08:59 -0000      1.40
> +++ file_contexts/types.fc      24 Sep 2004 01:00:59 -0000


> @@ -493,10 +514,12 @@
>  #
>  # The Sun Java development kit, RPM install
>  #
> +ifdef(`distro_redhat', `
>  /usr/java/j2.*/bin(/.*)?               system_u:object_r:bin_t
>  /usr/java/j2.*/jre/lib(64)?/i386(/.*)? system_u:object_r:lib_t
>  /usr/java/j2.*/jre/lib(64)?/i386(/.*)?[^/]*\.so(\.[^/]*)* --
> system_u:object_r:shlib_t
>  /usr/java/j2.*/plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* --
> system_u:object_r:shlib_t
> +')
>  
>  #
>  #  The krb5.conf file is always being tested for writability, so

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [patch] types.fc

[James Carter]

Also, I don't see anything that matches /usr/.*redhat-linux/lib(64)? on
FC2 or FC3 test2 (or RH8 for that matter).  What version of Fedora or
Red Hat Linux are they for?  Are they for something that maybe I don't
have installed?  Or are they now obsolete and can be removed?  
Dan or Russell, do you know?

Index: file_contexts/types.fc
> ===================================================================
> RCS file:
> /cvsroot/selinux/nsa/selinux-usr/policy/file_contexts/types.fc,v
> retrieving revision 1.40
> diff -u -r1.40 types.fc
> --- file_contexts/types.fc      23 Sep 2004 19:08:59 -0000      1.40
> +++ file_contexts/types.fc      24 Sep 2004 01:00:59 -0000


> @@ -352,11 +362,14 @@
>  /usr/.*glibc.*-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)*    --      system_u:object_r:ld_so_t
>  /usr/.*glibc.*-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)*   --      system_u:object_r:shlib_t
>  
> +#
>  # /usr/.*redhat-linux/lib(64)?
>  #
> +ifdef(`distro_redhat', `
>  /usr/.*redhat-linux/lib(64)?(/.*)?     system_u:object_r:lib_t
>  /usr/.*redhat-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)*     --      system_u:object_r:ld_so_t
>  /usr/.*redhat-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)*    --      system_u:object_r:shlib_t
> +')
>  
>  #
> # /usr/.*linux-libc.*/lib(64)?

On Thu, 2004-09-23 at 21:02, Chris PeBenito wrote:
> Here's an update of types.fc with a some Gentoo-specific entries,
> against CVS.  Also enclose a few entries with other distro tunables.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [patch] types.fc

[Daniel J Walsh]

James Carter wrote:

>Also, I don't see anything that matches /usr/.*redhat-linux/lib(64)? on
>FC2 or FC3 test2 (or RH8 for that matter).  What version of Fedora or
>Red Hat Linux are they for?  Are they for something that maybe I don't
>have installed?  Or are they now obsolete and can be removed?  
>Dan or Russell, do you know?
>  
>
I don't know what they are so I would remove them.

>Index: file_contexts/types.fc
>  
>
>>===================================================================
>>RCS file:
>>/cvsroot/selinux/nsa/selinux-usr/policy/file_contexts/types.fc,v
>>retrieving revision 1.40
>>diff -u -r1.40 types.fc
>>--- file_contexts/types.fc      23 Sep 2004 19:08:59 -0000      1.40
>>+++ file_contexts/types.fc      24 Sep 2004 01:00:59 -0000
>>    
>>
>
>
>  
>
>>@@ -352,11 +362,14 @@
>> /usr/.*glibc.*-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)*    --      system_u:object_r:ld_so_t
>> /usr/.*glibc.*-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)*   --      system_u:object_r:shlib_t
>> 
>>+#
>> # /usr/.*redhat-linux/lib(64)?
>> #
>>+ifdef(`distro_redhat', `
>> /usr/.*redhat-linux/lib(64)?(/.*)?     system_u:object_r:lib_t
>> /usr/.*redhat-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)*     --      system_u:object_r:ld_so_t
>> /usr/.*redhat-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)*    --      system_u:object_r:shlib_t
>>+')
>> 
>> #
>># /usr/.*linux-libc.*/lib(64)?
>>    
>>
>
>On Thu, 2004-09-23 at 21:02, Chris PeBenito wrote:
>  
>
>>Here's an update of types.fc with a some Gentoo-specific entries,
>>against CVS.  Also enclose a few entries with other distro tunables.
>>    
>>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [patch] types.fc

[Colin Walters]

On Tue, 2004-09-28 at 14:35 -0400, James Carter wrote:
> Merged, except for the ifdef around the java sdk stuff.  This is not
> part of Fedora or RHEL (AFAIK), so I don't think that we want the
> ifdef.  

Right, that's just the place that Sun's JDK typically installs to, not
specific to Fedora or RHEL.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[patch] types.fc

[Greg Norris]

[-- Attachment #1.1: Type: text/plain, Size: 295 bytes --]

The attached patch against types.fc is needed by Debian, which currently
supports only a single policy type.  At present "make relabel" mislabels
the binary policy file, which as you can probably imagine is somewhat
inconvenient. ;-)  The patch was generated against current CVS.

Please apply.

[-- Attachment #1.2: types.fc.diff --]
[-- Type: text/plain, Size: 592 bytes --]

--- types.fc.orig	2005-01-03 20:38:22.000000000 -0600
+++ types.fc	2005-01-03 20:49:39.000000000 -0600
@@ -307,7 +307,7 @@
 /etc/security/default_contexts.*	system_u:object_r:default_context_t
 /etc/services		--	system_u:object_r:etc_t
 
-/etc/selinux/[^/]*/policy(/.*)?	system_u:object_r:policy_config_t
+/etc/selinux/([^/]*/)?policy(/.*)?	system_u:object_r:policy_config_t
 /etc/selinux/[^/]*/src(/.*)?	system_u:object_r:policy_src_t
 /etc/selinux/[^/]*/contexts(/.*)?	system_u:object_r:default_context_t
 /etc/selinux/[^/]*/contexts/files(/.*)? system_u:object_r:file_context_t

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [patch] types.fc

[Russell Coker]

On Tuesday 04 January 2005 13:59, Greg Norris <haphazard@kc.rr.com> wrote:
> The attached patch against types.fc is needed by Debian, which currently
> supports only a single policy type.  At present "make relabel" mislabels
> the binary policy file, which as you can probably imagine is somewhat
> inconvenient. ;-)  The patch was generated against current CVS.

You also need the same for the three lines that follow.  I posted a patch at 
about the same time as your message which made the appropriate change.

But I have been considering just moving to the locations that are used in 
Fedora.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [patch] types.fc

[Greg Norris]

[-- Attachment #1: Type: text/plain, Size: 637 bytes --]

On Wed, Jan 05, 2005 at 12:32:26AM +1100, Russell Coker wrote:
> You also need the same for the three lines that follow.  I posted a patch at 
> about the same time as your message which made the appropriate change.

OK, I'll keep an eye open... it doesn't seem to have gotten here yet.

> But I have been considering just moving to the locations that are used in 
> Fedora.

This seems like a good idea to me.  If nothing else, it would make it 
easier to support multiple policies in the future... should we decide to 
do something similar to Fedora's strict/targeted scheme.  Personally, I 
rather like their approach.


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [patch] types.fc

[Russell Coker]

On Wednesday 05 January 2005 02:17, Greg Norris <haphazard@kc.rr.com> wrote:
> > But I have been considering just moving to the locations that are used in
> > Fedora.
>
> This seems like a good idea to me.  If nothing else, it would make it
> easier to support multiple policies in the future... should we decide to
> do something similar to Fedora's strict/targeted scheme.  Personally, I
> rather like their approach.

The way things currently work in Debian is that the policy source files are 
copied to locations under /etc/selinux.  This means that you can have either 
strict or targeted policy and just choose a different source for copying.  My 
design for Debian always supported multiple policies, it's just that I never 
had time to write more than one policy and no-one else wrote one for Debian.

The advantage of the Fedora method is that you can quickly and easily switch 
between different policies by just changing one config file, creating a flag 
file, and rebooting.  This allows you to easily change policies and then 
change back if you wish.  With Debian changing policies is a significant 
matter to undertake and not something that you want to do often.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [patch] types.fc

[James Carter]

Merged.

On Mon, 2005-01-03 at 21:59, Greg Norris wrote:
> The attached patch against types.fc is needed by Debian, which currently
> supports only a single policy type.  At present "make relabel" mislabels
> the binary policy file, which as you can probably imagine is somewhat
> inconvenient. ;-)  The patch was generated against current CVS.
> 
> Please apply.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [patch] types.fc

[James Carter]

Changed the next three /etc/selinux lines as well.

/etc/selinux/([^/]*/)?src(/.*)?	system_u:object_r:policy_src_t
/etc/selinux/([^/]*/)?contexts(/.*)?	system_u:object_r:default_context_t
/etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t

On Tue, 2005-01-04 at 10:17, Greg Norris wrote:
> On Wed, Jan 05, 2005 at 12:32:26AM +1100, Russell Coker wrote:
> > You also need the same for the three lines that follow.  I posted a patch at 
> > about the same time as your message which made the appropriate change.
> 
> OK, I'll keep an eye open... it doesn't seem to have gotten here yet.
> 
> > But I have been considering just moving to the locations that are used in 
> > Fedora.
> 
> This seems like a good idea to me.  If nothing else, it would make it 
> easier to support multiple policies in the future... should we decide to 
> do something similar to Fedora's strict/targeted scheme.  Personally, I 
> rather like their approach.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.