* Some questions regarding RedHat refpolicy patches
@ 2008-08-03 22:44 David Härdeman
  2008-08-04 13:16 ` Christopher J. PeBenito
  2008-08-04 17:09 ` Daniel J Walsh
  0 siblings, 2 replies; 3+ messages in thread
From: David Härdeman @ 2008-08-03 22:44 UTC (permalink / raw)
  To: dwalsh; +Cc: selinux

Going through the RedHat patches trying to find more stuff to send 
upstream for merge, I've come across a few things that I don't quite 
understand and I'd appreciate if someone could explain them to me :)

a)

There are quite a lot of changes like this:

--- ./upstream/refpolicy/policy/modules/apps/uml.fc     2008-08-03 12:31:17.000000000 +0200
+++ ./fedora/refpolicy/policy/modules/apps/uml.fc       2008-08-03 12:29:42.000000000 +0200
@@ -1,7 +1,7 @@
  #
  # HOME_DIR/
  #
-HOME_DIR/\.uml(/.*)?           gen_context(system_u:object_r:ROLE_uml_rw_t,s0)
+HOME_DIR/\.uml(/.*)?           gen_context(system_u:object_r:user_uml_rw_t,s0)
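Review bot: The removed line's `ROLE_uml_rw_t` is the per-role template prefix and the added line pins it to the single `user_uml_rw_t` type, so ~/.uml files of every role end up with one type and the per-role separation on them is dropped. That is a policy decision, not a cosmetic edit: if it is intended for Fedora it should be stated in the patch description, and it is not something to send upstream as-is.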

What is the purpose of these changes and is it something that makes 
sense upstream? The upstream SVN version seems to contain quite a lot of 
"ROLE" contexts already...then again, other parts of the patch do the 
reverse:

--- ./upstream/refpolicy/policy/modules/apps/mplayer.fc 2008-08-03 12:31:17.000000000 +0200
+++ ./fedora/refpolicy/policy/modules/apps/mplayer.fc   2008-08-03 12:29:42.000000000 +0200
@@ -10,4 +10,4 @@
  /usr/bin/mencoder      --      gen_context(system_u:object_r:mencoder_exec_t,s0)
  /usr/bin/xine          --      gen_context(system_u:object_r:mplayer_exec_t,s0)
  
-HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
+HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:user_mplayer_home_t,s0)
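Review bot: Same change as the uml.fc hunk, not its reverse: `ROLE_mplayer_home_t` becomes the fixed `user_mplayer_home_t`, again collapsing the per-role home-directory types into one. The two hunks should be reviewed together as one decision about role separation in HOME_DIR contexts.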


b)

There are also quite a lot of changes like this:

--- ./upstream/refpolicy/policy/modules/apps/awstats.if 2008-08-03 12:31:17.000000000 +0200
+++ ./fedora/refpolicy/policy/modules/apps/awstats.if   2008-05-15 15:10:34.000000000 +0200
@@ -33,7 +33,8 @@
  #
  interface(`awstats_cgi_exec',`
         gen_require(`
-               type httpd_awstats_script_exec_t, httpd_awstats_content_t;
+               type httpd_awstats_script_exec_t;
+               type httpd_awstats_content_t;
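Review bot: No semantic change here: the `gen_require` block goes from one `type a, b;` declaration to one type per line, and the hunk header (-33,7 +33,8) confirms a single added line with no type added or removed, so for an upstream submission this is formatting noise. What is worth checking sits outside the hunk, namely that both required types are actually used in the body of `awstats_cgi_exec`.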

Are these only noise (and in that case, would you (Dan) like a patch to 
remove that noise) or something which is actually wanted upstream?


c)

A lot of changes only alter whitespace, would it be possible to avoid 
these by generating the fedora diff with the appropriate options to 
diff?


d)

Why does postgrey_t need to be able to restart apache? (and the same 
goes for many many other service module changes in the patch, such as 
canna, ldap, etc, etc)

-- 
David Härdeman
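An added example, not from this thread or from refpolicy: a small Python checker that scans a unified diff of .fc files for the pattern in a), a `ROLE_`-templated type replaced by a fixed-prefix one, which is the edit that removes per-role separation of home-directory files. The sample diff is constructed from the two hunks above.

```python
import re

# Constructed sample: the uml.fc and mplayer.fc hunks from the thread as one diff.
SAMPLE_DIFF = """\
--- a/policy/modules/apps/uml.fc
+++ b/policy/modules/apps/uml.fc
@@ -1,7 +1,7 @@
  #
  # HOME_DIR/
  #
-HOME_DIR/\\.uml(/.*)?           gen_context(system_u:object_r:ROLE_uml_rw_t,s0)
+HOME_DIR/\\.uml(/.*)?           gen_context(system_u:object_r:user_uml_rw_t,s0)
--- a/policy/modules/apps/mplayer.fc
+++ b/policy/modules/apps/mplayer.fc
@@ -10,4 +10,4 @@
  /usr/bin/xine          --      gen_context(system_u:object_r:mplayer_exec_t,s0)
-HOME_DIR/\\.mplayer(/.*)?        gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
+HOME_DIR/\\.mplayer(/.*)?        gen_context(system_u:object_r:user_mplayer_home_t,s0)
"""

# One .fc entry: path regex, optional file-type flag ("--", "-d", ...), then the context.
FC_LINE = re.compile(
    r"^(?P<path>\S+)(?:\s+(?P<ftype>-[a-z-]))?\s+gen_context\((?P<ctx>[^)]*)\)"
)


def type_of(ctx):
    """'system_u:object_r:ROLE_uml_rw_t,s0' -> 'ROLE_uml_rw_t'."""
    return ctx.split(",")[0].split(":")[2]


def find_role_separation_loss(diff_text):
    """Return [(path, old_type, new_type)] for each .fc entry whose
    ROLE_-templated type was replaced by a fixed-prefix type, i.e. the
    change that drops per-role separation of the files it labels."""
    removed = {}    # path -> type on the '-' line, waiting for its '+' partner
    findings = []
    for line in diff_text.splitlines():
        if line.startswith(("---", "+++", "@@")):
            continue    # file and hunk headers
        if line.startswith("-"):
            m = FC_LINE.match(line[1:])
            if m:
                removed[m.group("path")] = type_of(m.group("ctx"))
        elif line.startswith("+"):
            m = FC_LINE.match(line[1:])
            if m and m.group("path") in removed:
                old, new = removed.pop(m.group("path")), type_of(m.group("ctx"))
                if old.startswith("ROLE_") and not new.startswith("ROLE_"):
                    findings.append((m.group("path"), old, new))
    return findings
```

Running `find_role_separation_loss(SAMPLE_DIFF)` reports both HOME_DIR entries; the /usr/bin context line is untouched by the diff and is ignored.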

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: Some questions regarding RedHat refpolicy patches
  2008-08-03 22:44 Some questions regarding RedHat refpolicy patches David Härdeman
@ 2008-08-04 13:16 ` Christopher J. PeBenito
  2008-08-04 17:09 ` Daniel J Walsh
  1 sibling, 0 replies; 3+ messages in thread
From: Christopher J. PeBenito @ 2008-08-04 13:16 UTC (permalink / raw)
  To: David Härdeman; +Cc: dwalsh, selinux

On Mon, 2008-08-04 at 00:44 +0200, David Härdeman wrote:
> Going through the RedHat patches trying to find more stuff to send 
> upstream for merge, I've come across a few things that I don't quite 
> understand and I'd appreciate if someone could explain them to me :)
> 
> a)
> 
> There are quite a lot of changes like this:
> 
> --- ./upstream/refpolicy/policy/modules/apps/uml.fc     2008-08-03 12:31:17.000000000 +0200
> +++ ./fedora/refpolicy/policy/modules/apps/uml.fc       2008-08-03 12:29:42.000000000 +0200
> @@ -1,7 +1,7 @@
>   #
>   # HOME_DIR/
>   #
> -HOME_DIR/\.uml(/.*)?           gen_context(system_u:object_r:ROLE_uml_rw_t,s0)
> +HOME_DIR/\.uml(/.*)?           gen_context(system_u:object_r:user_uml_rw_t,s0)
> 
> What is the purpose of these changes and is it something that makes 
> sense upstream? The upstream SVN version seems to contain quite a lot of 
> "ROLE" contexts already

No, it removes role separations on these uml files.  It is a
Fedora-specific change that isn't upstreamable.

> ...then again, other parts of the patch do the 
> reverse:
> 
> --- ./upstream/refpolicy/policy/modules/apps/mplayer.fc 2008-08-03 12:31:17.000000000 +0200
> +++ ./fedora/refpolicy/policy/modules/apps/mplayer.fc   2008-08-03 12:29:42.000000000 +0200
> @@ -10,4 +10,4 @@
>   /usr/bin/mencoder      --      gen_context(system_u:object_r:mencoder_exec_t,s0)
>   /usr/bin/xine          --      gen_context(system_u:object_r:mplayer_exec_t,s0)
>   
> -HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
> +HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:user_mplayer_home_t,s0)

This isn't the reverse of the previous example, it's also removing the
separation.

> b)
> 
> There are also quite a lot of changes like this:
> 
> --- ./upstream/refpolicy/policy/modules/apps/awstats.if 2008-08-03 12:31:17.000000000 +0200
> +++ ./fedora/refpolicy/policy/modules/apps/awstats.if   2008-05-15 15:10:34.000000000 +0200
> @@ -33,7 +33,8 @@
>   #
>   interface(`awstats_cgi_exec',`
>          gen_require(`
> -               type httpd_awstats_script_exec_t, httpd_awstats_content_t;
> +               type httpd_awstats_script_exec_t;
> +               type httpd_awstats_content_t;
> 
> Are these only noise (and in that case, would you (Dan) like a patch to 
> remove that noise) or something which is actually wanted upstream?

The types being required should match the types being used in the body
of the interface.  If the change doesn't make them match up, then it's
wrong.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
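An added example, not from this thread or from refpolicy, for the point above that the types listed in `gen_require` must match the types the interface body uses. The interface text is constructed for the example: the extra `httpd_awstats_unused_t` and the body lines are made up so that both kinds of mismatch show up.

```python
import re

# Constructed sample interface: one required type is never used in the body,
# and the body uses one type (httpd_awstats_script_t) that is never required.
SAMPLE_IF = """\
interface(`awstats_cgi_exec',`
	gen_require(`
		type httpd_awstats_script_exec_t;
		type httpd_awstats_content_t;
		type httpd_awstats_unused_t;
	')

	allow $1 httpd_awstats_content_t:dir search_dir_perms;
	domtrans_pattern($1, httpd_awstats_script_exec_t, httpd_awstats_script_t)
')
"""

TYPE_DECL = re.compile(r"\btype\s+([^;]+);")          # "type a, b;" inside gen_require
TYPE_USE = re.compile(r"\b[a-z][a-z0-9_]*_t\b")        # any *_t identifier in the body


def check_interface(text):
    """Return (used_but_not_required, required_but_unused) for one interface() block.
    Only 'type' declarations are checked; attributes, roles and classes are ignored."""
    m = re.search(r"gen_require\(`(.*?)'\)", text, re.S)
    if not m:
        raise ValueError("no gen_require block found")
    required = set()
    for decl in TYPE_DECL.findall(m.group(1)):
        required.update(t.strip() for t in decl.split(","))
    body = text[:m.start()] + text[m.end():]            # everything outside gen_require
    used = set(TYPE_USE.findall(body))
    return used - required, required - used


if __name__ == "__main__":
    missing, unused = check_interface(SAMPLE_IF)
    for t in sorted(missing):
        print(f"used but not in gen_require: {t}")
    for t in sorted(unused):
        print(f"required but never used: {t}")
```

Splitting or joining the `type` lines, as in hunk b), changes nothing in the result; only the set of names does.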



* Re: Some questions regarding RedHat refpolicy patches
  2008-08-03 22:44 Some questions regarding RedHat refpolicy patches David Härdeman
  2008-08-04 13:16 ` Christopher J. PeBenito
@ 2008-08-04 17:09 ` Daniel J Walsh
  1 sibling, 0 replies; 3+ messages in thread
From: Daniel J Walsh @ 2008-08-04 17:09 UTC (permalink / raw)
  To: David Härdeman; +Cc: selinux

David Härdeman wrote:
> Going through the RedHat patches trying to find more stuff to send
> upstream for merge, I've come across a few things that I don't quite
> understand and I'd appreciate if someone could explain them to me :)
> 
> a)
> 
> There are quite a lot of changes like this:
> 
> --- ./upstream/refpolicy/policy/modules/apps/uml.fc     2008-08-03
> 12:31:17.000000000 +0200
> +++ ./fedora/refpolicy/policy/modules/apps/uml.fc       2008-08-03
> 12:29:42.000000000 +0200
> @@ -1,7 +1,7 @@
>  #
>  # HOME_DIR/
>  #
> -HOME_DIR/\.uml(/.*)?          
> gen_context(system_u:object_r:ROLE_uml_rw_t,s0)
> +HOME_DIR/\.uml(/.*)?          
> gen_context(system_u:object_r:user_uml_rw_t,s0)
>
These are the elimination of role separation on types in the homedir.
Upstream is experimenting with this and hopefully at some point we can
merge these changes together.  I would figure in the final version user_
would be eliminated and it would just be uml_rw_t.

> What is the purpose of these changes and is it something that makes
> sense upstream? The upstream SVN version seems to contain quite a lot of
> "ROLE" contexts already...then again, other parts of the patch do the
> reverse:
> 
> --- ./upstream/refpolicy/policy/modules/apps/mplayer.fc 2008-08-03
> 12:31:17.000000000 +0200
> +++ ./fedora/refpolicy/policy/modules/apps/mplayer.fc   2008-08-03
> 12:29:42.000000000 +0200
> @@ -10,4 +10,4 @@
>  /usr/bin/mencoder      --     
> gen_context(system_u:object_r:mencoder_exec_t,s0)
>  /usr/bin/xine          --     
> gen_context(system_u:object_r:mplayer_exec_t,s0)
>  
> -HOME_DIR/\.mplayer(/.*)?       
> gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
> +HOME_DIR/\.mplayer(/.*)?       
> gen_context(system_u:object_r:user_mplayer_home_t,s0)
> 
> 
> b)
> 
> There are also quite a lot of changes like this:
> 
> --- ./upstream/refpolicy/policy/modules/apps/awstats.if 2008-08-03
> 12:31:17.000000000 +0200
> +++ ./fedora/refpolicy/policy/modules/apps/awstats.if   2008-05-15
> 15:10:34.000000000 +0200
> @@ -33,7 +33,8 @@
>  #
>  interface(`awstats_cgi_exec',`
>         gen_require(`
> -               type httpd_awstats_script_exec_t, httpd_awstats_content_t;
> +               type httpd_awstats_script_exec_t;
> +               type httpd_awstats_content_t;
> 
> Are these only noise (and in that case, would you (Dan) like a patch to
> remove that noise) or something which is actually wanted upstream?
> 
> 
These are reformatting by Chris that I missed.  Chris wants these on the
same line, which I am fine with.
> c)
> 
> A lot of changes only alter whitespace, would it be possible to avoid
> these by generating the fedora diff with the appropriate options to diff?
> 
> 
> d)
> 
> Why does postgrey_t need to be able to restart apache? (and the same
> goes for many many other service module changes in the patch, such as
> canna, ldap, etc, etc)
> 
