[refpolicy] kernel_files.patch

[dwalsh@redhat.com (Daniel J Walsh)]

On 03/04/2010 02:08 PM, Christopher J. PeBenito wrote:
> On Tue, 2010-02-23 at 17:21 -0500, Daniel J Walsh wrote:
>    
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_files.patch
>>
>> New file context
>>
>> Lots of new interfaces
>>      
> * need explanation as to why boot_t would be a device node.
>    
I can't find why.  Might be some bizarro ia64 type machine.  I will 
remove and see if it comes back
> * need additional explanation as to the purpose of system_conf_t.
>    
Miroslav has this one.  It has to do with system-config-firewall.

> * the files_relabel_all_files() change is still rejected, since block
> and chr files should have regular file types.
>    
This one comes about because of mkinitd being run by rpm in post installs.
Which does not happen any longer but I do not see what the benifit of 
turning this off.
We have several tools like mock, liveusb_creator, kernel make etc that 
are going to create blk_files
and chr_files in places like /tmp that might run a cp -p or some other 
tool that is going to try to relabel.

> * the the files-delete_isid_type_files() additions need their own
> interfaces instead.
>    
Fixed
> * same thing for files_delete_usr_files()
>    
Removed
> * the files_read_usr_files() change is excessive
>    
Ok can we remove src_t altogether then.  It just seems to cause bugs and 
I see no reason for this label.

It's only reason for being is to create AVC messages.
./policy/modules/services/networkmanager.te:files_read_usr_src_files(NetworkManager_t)
./policy/modules/services/virt.te:files_read_usr_src_files(virtd_t)
./policy/modules/system/userdomain.if:    
files_read_usr_src_files($1_usertype)
./policy/modules/system/userdomain.if:    files_exec_usr_src_files($1_t)
./policy/modules/system/modutils.te:files_read_usr_src_files(depmod_t)
./policy/modules/system/modutils.te:    
files_getattr_usr_src_files(update_modules_t)
./policy/modules/kernel/files.if:    files_read_usr_src_files($1)
./policy/modules/kernel/files.if:interface(`files_getattr_usr_src_files',`
./policy/modules/kernel/files.if:interface(`files_read_usr_src_files',`
./policy/modules/kernel/files.if:interface(`files_exec_usr_src_files',`
./policy/modules/admin/bootloader.te:files_read_usr_src_files(bootloader_t)
./policy/modules/admin/portage.if:    files_exec_usr_src_files($1)

Only one of these you might care about is portage.if,  if that is the 
case then I will eliminate the label from RedHat labeling.

> * files_search_var_log() is wrong, var_log_t doesn't belong to the files
> module.  There is already an equivalent interface in logging.
>    
Removed
> * the concept of files_dump_core() is wrong.  Applications do core dumps
> in the current directory, and services just happen to "cd /" at the
> start.  It doesn't make sense for other domains.
>    
Fine I need a domain for creating files in the / directory which I can 
then allow daemon to do.
Do you want to call this files_manage_root?

> * files_create_default_dir() needs to be 2 interfaces.
>    
Added files_root_filetrans_default
> * I don't even know what to make of files_boot().
>
>    
I think this is caused by early boot of the kernel, /dev/ gets labeled 
boot_t until it gets relabeled in the initrc scripts.  Might not exist 
any longer with the move to dracut.

I will remove and see what happens.

Most people run an unconfined_domain(kernel_t) anyways.