[refpolicy] Debian has mailman lock files too

[refpolicy] Debian has mailman lock files too

[Manoj Srivastava]

diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
index 839017f..3199d21 100644
--- a/policy/modules/services/mailman.fc
+++ b/policy/modules/services/mailman.fc
@@ -31,3 +31,8 @@ ifdef(`distro_redhat', `
 /var/lock/mailman(/.*)?                        gen_context(system_u:object_r:mailman_lock_t,s0)
 /var/spool/mailman(/.*)?               gen_context(system_u:object_r:mailman_data_t,s0)
 ')
+
+ifdef(`distro_debian', `
+/var/lock/mailman(/.*)?                        gen_context(system_u:object_r:mailman_lock_t,s0)
+')
+

-- 
A beautiful woman is a blessing from Heaven, but a good cigar is a
smoke. Kipling
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

[refpolicy] Debian has mailman lock files too

[Daniel J Walsh]

On 07/01/2009 11:21 AM, Manoj Srivastava wrote:
> diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
> index 839017f..3199d21 100644
> --- a/policy/modules/services/mailman.fc
> +++ b/policy/modules/services/mailman.fc
> @@ -31,3 +31,8 @@ ifdef(`distro_redhat', `
>   /var/lock/mailman(/.*)?                        gen_context(system_u:object_r:mailman_lock_t,s0)
>   /var/spool/mailman(/.*)?               gen_context(system_u:object_r:mailman_data_t,s0)
>   ')
> +
> +ifdef(`distro_debian', `
> +/var/lock/mailman(/.*)?                        gen_context(system_u:object_r:mailman_lock_t,s0)
> +')
> +
>
Why not remove the ifdef distro...*

We should not be adding ifdef distro unless the distros conflict on 
labels.  I don't imagine any distro is going to have /var/lock/mailman 
be anything other them mailman_lock_t.

Several times I have had to move a label out of ifdef...debian because 
fedora moved to the same labeling.

I think we should add as few ifdef(`disto into fc files as possible.

[refpolicy] Debian has mailman lock files too

[Christopher J. PeBenito]

On Wed, 2009-07-01 at 12:54 -0400, Daniel J Walsh wrote:
> On 07/01/2009 11:21 AM, Manoj Srivastava wrote:
> > diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
> > index 839017f..3199d21 100644
> > --- a/policy/modules/services/mailman.fc
> > +++ b/policy/modules/services/mailman.fc
> > @@ -31,3 +31,8 @@ ifdef(`distro_redhat', `
> >   /var/lock/mailman(/.*)?                        gen_context(system_u:object_r:mailman_lock_t,s0)
> >   /var/spool/mailman(/.*)?               gen_context(system_u:object_r:mailman_data_t,s0)
> >   ')
> > +
> > +ifdef(`distro_debian', `
> > +/var/lock/mailman(/.*)?                        gen_context(system_u:object_r:mailman_lock_t,s0)
> > +')
> > +
> >
> Why not remove the ifdef distro...*
> 
> We should not be adding ifdef distro unless the distros conflict on 
> labels.  I don't imagine any distro is going to have /var/lock/mailman 
> be anything other them mailman_lock_t.
> 
> Several times I have had to move a label out of ifdef...debian because 
> fedora moved to the same labeling.
> 
> I think we should add as few ifdef(`disto into fc files as possible.

I would tend to agree, though I suspect I'm a little more liberal with
their usage than Dan is.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

[refpolicy] Debian has mailman lock files too

[Manoj Srivastava]

On Mon, Jul 06 2009, Christopher J. PeBenito wrote:

> On Wed, 2009-07-01 at 12:54 -0400, Daniel J Walsh wrote:
>> On 07/01/2009 11:21 AM, Manoj Srivastava wrote:
>> > diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
>> > index 839017f..3199d21 100644
>> > --- a/policy/modules/services/mailman.fc
>> > +++ b/policy/modules/services/mailman.fc
>> > @@ -31,3 +31,8 @@ ifdef(`distro_redhat', `
>> >   /var/lock/mailman(/.*)?                        gen_context(system_u:object_r:mailman_lock_t,s0)
>> >   /var/spool/mailman(/.*)?               gen_context(system_u:object_r:mailman_data_t,s0)
>> >   ')
>> > +
>> > +ifdef(`distro_debian', `
>> > +/var/lock/mailman(/.*)?                        gen_context(system_u:object_r:mailman_lock_t,s0)
>> > +')
>> > +
>> >
>> Why not remove the ifdef distro...*
>> 
>> We should not be adding ifdef distro unless the distros conflict on 
>> labels.  I don't imagine any distro is going to have /var/lock/mailman 
>> be anything other them mailman_lock_t.
>> 
>> Several times I have had to move a label out of ifdef...debian because 
>> fedora moved to the same labeling.
>> 
>> I think we should add as few ifdef(`disto into fc files as possible.
>
> I would tend to agree, though I suspect I'm a little more liberal with
> their usage than Dan is.

        Fair enough. Do I need to resubmit?

        Were the other patches submitted OK?

        manoj
-- 
What does it mean if there is no fortune for you?
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

[refpolicy] Debian has mailman lock files too

[Christopher J. PeBenito]

On Wed, 2009-07-01 at 11:21 -0400, Manoj Srivastava wrote:
> diff --git a/policy/modules/services/mailman.fc
> b/policy/modules/services/mailman.fc
> index 839017f..3199d21 100644
> --- a/policy/modules/services/mailman.fc
> +++ b/policy/modules/services/mailman.fc
> @@ -31,3 +31,8 @@ ifdef(`distro_redhat', `
>  /var/lock/mailman(/.*)?
> gen_context(system_u:object_r:mailman_lock_t,s0)
>  /var/spool/mailman(/.*)?
> gen_context(system_u:object_r:mailman_data_t,s0)
>  ')
> +
> +ifdef(`distro_debian', `
> +/var/lock/mailman(/.*)?
> gen_context(system_u:object_r:mailman_lock_t,s0)
> +')
> +

Merged without distro_debian.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

[refpolicy] [PATCH] Remove duplicate distro_redhat context

[Manoj Srivastava]

From: Manoj Srivastava <srivasta@debian.org>

A recent update added an generic context for the lock files, so the
entry in distro_redhat can be removed.

Signed-off-by: Manoj Srivastava <srivasta@debian.org>
---
 policy/modules/services/mailman.fc |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
index e57c713..92afb44 100644
--- a/policy/modules/services/mailman.fc
+++ b/policy/modules/services/mailman.fc
@@ -29,6 +29,5 @@ ifdef(`distro_redhat', `
 /usr/lib/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
 /usr/lib/mailman/scripts/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 
-/var/lock/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
 /var/spool/mailman(/.*)?		gen_context(system_u:object_r:mailman_data_t,s0)
 ')
-- 
1.6.3.3

[refpolicy] [PATCH] Remove duplicate distro_redhat context

[Christopher J. PeBenito]

On Tue, 2009-07-14 at 12:17 -0500, Manoj Srivastava wrote:
> From: Manoj Srivastava <srivasta@debian.org>
> 
> A recent update added an generic context for the lock files, so the
> entry in distro_redhat can be removed.

Merged.

> Signed-off-by: Manoj Srivastava <srivasta@debian.org>
> ---
>  policy/modules/services/mailman.fc |    1 -
>  1 files changed, 0 insertions(+), 1 deletions(-)
> 
> diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
> index e57c713..92afb44 100644
> --- a/policy/modules/services/mailman.fc
> +++ b/policy/modules/services/mailman.fc
> @@ -29,6 +29,5 @@ ifdef(`distro_redhat', `
>  /usr/lib/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
>  /usr/lib/mailman/scripts/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
>  
> -/var/lock/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
>  /var/spool/mailman(/.*)?		gen_context(system_u:object_r:mailman_data_t,s0)
>  ')
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

[refpolicy] Debian has mailman lock files too

[Russell Coker]

On Mon, 13 Jul 2009, Manoj Srivastava <srivasta@golden-gryphon.com> wrote:
> >> I think we should add as few ifdef(`disto into fc files as possible.
> >
> > I would tend to agree, though I suspect I'm a little more liberal with
> > their usage than Dan is.
>
> ? ? ? ? Fair enough. Do I need to resubmit?

I think that whenever an entry only applies to one distribution we should have 
an ifdef for it.

For example if an application might store some data in /var/cache and then 
change to /var/lib.  This sort of change happens periodically.  If the old 
directory has an ifdef entry for the distribution you use then you can be 
certain that removing the old entry will not impact anyone else.  If however 
there is no ifdef then you will not know how many other people might be 
impacted by removing the old fc entry so you will be inclined to leave it 
there.

To avoid accumulating old fc rules I think we should aim to have as many 
distro-specific ifdef entries as reasonably possible.  If a certain entry is 
used by multiple distributions then make it unconditional, this will still 
lead to some accumulation of needless entries, but it will be slower.

-- 
russell at coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog