* [refpolicy] [seutil 1/1] Redhat does not store selinux utilities in /usr.
@ 2010-09-03 15:49 Dominick Grift
  2010-09-09 13:06 ` Christopher J. PeBenito
  0 siblings, 1 reply; 3+ messages in thread
From: Dominick Grift @ 2010-09-03 15:49 UTC (permalink / raw)
  To: refpolicy

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 cecca76... c071664... M	policy/modules/system/selinuxutil.if
 policy/modules/system/selinuxutil.if |   47 ++++++++++++++++++++++++++-------
 1 files changed, 37 insertions(+), 10 deletions(-)

diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index cecca76..c071664 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1,4 +1,4 @@
-## <summary>Policy for SELinux policy and userland applications.</summary>
+## <summary>SELinux policy and userland applications.</summary>
 
 #######################################
 ## <summary>
@@ -15,9 +15,12 @@ interface(`seutil_domtrans_checkpolicy',`
 		type checkpolicy_t, checkpolicy_exec_t;
 	')
 
-	files_search_usr($1)
 	corecmd_search_bin($1)
 	domtrans_pattern($1, checkpolicy_exec_t, checkpolicy_t)
+
+	ifndef(`distro_redhat',`
+		files_search_usr($1)
+	')
 ')
 
 ########################################
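Review bot: The distro_redhat conditional added at the end of seutil_domtrans_checkpolicy has no comment explaining why search on usr_t is dropped for Red Hat builds. The same uncommented block is added in the eight later hunks (seutil_exec_checkpolicy, seutil_domtrans_newrole, seutil_exec_newrole, seutil_domtrans_runinit, seutil_domtrans_setfiles, seutil_exec_setfiles, seutil_domtrans_semanage, seutil_domtrans_setsebool). I would put one line above each block, for example `# Red Hat keeps the SELinux utilities outside /usr, so searching usr_t is not needed there.` The diffstat shows only selinuxutil.if changing, so confirm that the module's Red Hat file-context (.fc) entries really label these executables outside /usr. If they do not, a caller relying only on this interface would presumably be denied the directory search before the transition or exec can happen. The interface body starts above the hunk, so the rest of its rules are not visible here.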
@@ -63,9 +66,12 @@ interface(`seutil_exec_checkpolicy',`
 		type checkpolicy_exec_t;
 	')
 
-	files_search_usr($1)
 	corecmd_search_bin($1)
 	can_exec($1, checkpolicy_exec_t)
+
+	ifndef(`distro_redhat',`
+		files_search_usr($1)
+	')
 ')
 
 #######################################
@@ -167,9 +173,12 @@ interface(`seutil_domtrans_newrole',`
 		type newrole_t, newrole_exec_t;
 	')
 
-	files_search_usr($1)
 	corecmd_search_bin($1)
 	domtrans_pattern($1, newrole_exec_t, newrole_t)
+
+	ifndef(`distro_redhat',`
+		files_search_usr($1)
+	')
 ')
 
 ########################################
@@ -216,9 +225,12 @@ interface(`seutil_exec_newrole',`
 		type newrole_t, newrole_exec_t;
 	')
 
-	files_search_usr($1)
 	corecmd_search_bin($1)
 	can_exec($1, newrole_exec_t)
+
+	ifndef(`distro_redhat',`
+		files_search_usr($1)
+	')
 ')
 
 ########################################
@@ -374,9 +386,12 @@ interface(`seutil_domtrans_runinit',`
 		type run_init_t, run_init_exec_t;
 	')
 
-	files_search_usr($1)
 	corecmd_search_bin($1)
 	domtrans_pattern($1, run_init_exec_t, run_init_t)
+
+	ifndef(`distro_redhat',`
+		files_search_usr($1)
+	')
 ')
 
 ########################################
@@ -511,9 +526,12 @@ interface(`seutil_domtrans_setfiles',`
 		type setfiles_t, setfiles_exec_t;
 	')
 
-	files_search_usr($1)
 	corecmd_search_bin($1)
 	domtrans_pattern($1, setfiles_exec_t, setfiles_t)
+
+	ifndef(`distro_redhat',`
+		files_search_usr($1)
+	')
 ')
 
 ########################################
@@ -558,9 +576,12 @@ interface(`seutil_exec_setfiles',`
 		type setfiles_exec_t;
 	')
 
-	files_search_usr($1)
 	corecmd_search_bin($1)
 	can_exec($1, setfiles_exec_t)
+
+	ifndef(`distro_redhat',`
+		files_search_usr($1)
+	')
 ')
 
 ########################################
@@ -1002,9 +1023,12 @@ interface(`seutil_domtrans_semanage',`
 		type semanage_t, semanage_exec_t;
 	')
 
-	files_search_usr($1)
 	corecmd_search_bin($1)
 	domtrans_pattern($1, semanage_exec_t, semanage_t)
+
+	ifndef(`distro_redhat',`
+		files_search_usr($1)
+	')
 ')
 
 ########################################
@@ -1051,9 +1075,12 @@ interface(`seutil_domtrans_setsebool',`
 		type setsebool_t, setsebool_exec_t;
 	')
 
-	files_search_usr($1)
 	corecmd_search_bin($1)
 	domtrans_pattern($1, setsebool_exec_t, setsebool_t)
+
+	ifndef(`distro_redhat',`
+		files_search_usr($1)
+	')
 ')
 
 ########################################
-- 
1.7.2.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100903/f754768e/attachment.bin 


* [refpolicy] [seutil 1/1] Redhat does not store selinux utilities in /usr.
  2010-09-03 15:49 [refpolicy] [seutil 1/1] Redhat does not store selinux utilities in /usr Dominick Grift
@ 2010-09-09 13:06 ` Christopher J. PeBenito
  2010-09-09 13:52   ` Daniel J Walsh
  0 siblings, 1 reply; 3+ messages in thread
From: Christopher J. PeBenito @ 2010-09-09 13:06 UTC (permalink / raw)
  To: refpolicy

On 09/03/10 11:49, Dominick Grift wrote:
> Signed-off-by: Dominick Grift<domg472@gmail.com>

They still are in /usr on RHEL5.  Also, this doesn't matter too much 
either way, since everything can search /usr due to libraries in /usr/lib.

> ---
> :100644 100644 cecca76... c071664... M	policy/modules/system/selinuxutil.if
>   policy/modules/system/selinuxutil.if |   47 ++++++++++++++++++++++++++-------
>   1 files changed, 37 insertions(+), 10 deletions(-)
>
> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
> index cecca76..c071664 100644
> --- a/policy/modules/system/selinuxutil.if
> +++ b/policy/modules/system/selinuxutil.if
> @@ -1,4 +1,4 @@
> -##<summary>Policy for SELinux policy and userland applications.</summary>
> +##<summary>SELinux policy and userland applications.</summary>
>
>   #######################################
>   ##<summary>
> @@ -15,9 +15,12 @@ interface(`seutil_domtrans_checkpolicy',`
>   		type checkpolicy_t, checkpolicy_exec_t;
>   	')
>
> -	files_search_usr($1)
>   	corecmd_search_bin($1)
>   	domtrans_pattern($1, checkpolicy_exec_t, checkpolicy_t)
> +
> +	ifndef(`distro_redhat',`
> +		files_search_usr($1)
> +	')
>   ')
>
>   ########################################
> @@ -63,9 +66,12 @@ interface(`seutil_exec_checkpolicy',`
>   		type checkpolicy_exec_t;
>   	')
>
> -	files_search_usr($1)
>   	corecmd_search_bin($1)
>   	can_exec($1, checkpolicy_exec_t)
> +
> +	ifndef(`distro_redhat',`
> +		files_search_usr($1)
> +	')
>   ')
>
>   #######################################
> @@ -167,9 +173,12 @@ interface(`seutil_domtrans_newrole',`
>   		type newrole_t, newrole_exec_t;
>   	')
>
> -	files_search_usr($1)
>   	corecmd_search_bin($1)
>   	domtrans_pattern($1, newrole_exec_t, newrole_t)
> +
> +	ifndef(`distro_redhat',`
> +		files_search_usr($1)
> +	')
>   ')
>
>   ########################################
> @@ -216,9 +225,12 @@ interface(`seutil_exec_newrole',`
>   		type newrole_t, newrole_exec_t;
>   	')
>
> -	files_search_usr($1)
>   	corecmd_search_bin($1)
>   	can_exec($1, newrole_exec_t)
> +
> +	ifndef(`distro_redhat',`
> +		files_search_usr($1)
> +	')
>   ')
>
>   ########################################
> @@ -374,9 +386,12 @@ interface(`seutil_domtrans_runinit',`
>   		type run_init_t, run_init_exec_t;
>   	')
>
> -	files_search_usr($1)
>   	corecmd_search_bin($1)
>   	domtrans_pattern($1, run_init_exec_t, run_init_t)
> +
> +	ifndef(`distro_redhat',`
> +		files_search_usr($1)
> +	')
>   ')
>
>   ########################################
> @@ -511,9 +526,12 @@ interface(`seutil_domtrans_setfiles',`
>   		type setfiles_t, setfiles_exec_t;
>   	')
>
> -	files_search_usr($1)
>   	corecmd_search_bin($1)
>   	domtrans_pattern($1, setfiles_exec_t, setfiles_t)
> +
> +	ifndef(`distro_redhat',`
> +		files_search_usr($1)
> +	')
>   ')
>
>   ########################################
> @@ -558,9 +576,12 @@ interface(`seutil_exec_setfiles',`
>   		type setfiles_exec_t;
>   	')
>
> -	files_search_usr($1)
>   	corecmd_search_bin($1)
>   	can_exec($1, setfiles_exec_t)
> +
> +	ifndef(`distro_redhat',`
> +		files_search_usr($1)
> +	')
>   ')
>
>   ########################################
> @@ -1002,9 +1023,12 @@ interface(`seutil_domtrans_semanage',`
>   		type semanage_t, semanage_exec_t;
>   	')
>
> -	files_search_usr($1)
>   	corecmd_search_bin($1)
>   	domtrans_pattern($1, semanage_exec_t, semanage_t)
> +
> +	ifndef(`distro_redhat',`
> +		files_search_usr($1)
> +	')
>   ')
>
>   ########################################
> @@ -1051,9 +1075,12 @@ interface(`seutil_domtrans_setsebool',`
>   		type setsebool_t, setsebool_exec_t;
>   	')
>
> -	files_search_usr($1)
>   	corecmd_search_bin($1)
>   	domtrans_pattern($1, setsebool_exec_t, setsebool_t)
> +
> +	ifndef(`distro_redhat',`
> +		files_search_usr($1)
> +	')
>   ')
>
>   ########################################
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [seutil 1/1] Redhat does not store selinux utilities in /usr.
  2010-09-09 13:06 ` Christopher J. PeBenito
@ 2010-09-09 13:52   ` Daniel J Walsh
  0 siblings, 0 replies; 3+ messages in thread
From: Daniel J Walsh @ 2010-09-09 13:52 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/09/2010 09:06 AM, Christopher J. PeBenito wrote:
> On 09/03/10 11:49, Dominick Grift wrote:
>> Signed-off-by: Dominick Grift<domg472@gmail.com>
> 
> They still are in /usr on RHEL5.  Also, this doesn't matter too much 
> either way, since everything can search /usr due to libraries in /usr/lib.
> 
>> ---
>> :100644 100644 cecca76... c071664... M	policy/modules/system/selinuxutil.if
>>   policy/modules/system/selinuxutil.if |   47 ++++++++++++++++++++++++++-------
>>   1 files changed, 37 insertions(+), 10 deletions(-)
>>
>> diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
>> index cecca76..c071664 100644
>> --- a/policy/modules/system/selinuxutil.if
>> +++ b/policy/modules/system/selinuxutil.if
>> @@ -1,4 +1,4 @@
>> -##<summary>Policy for SELinux policy and userland applications.</summary>
>> +##<summary>SELinux policy and userland applications.</summary>
>>
>>   #######################################
>>   ##<summary>
>> @@ -15,9 +15,12 @@ interface(`seutil_domtrans_checkpolicy',`
>>   		type checkpolicy_t, checkpolicy_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	domtrans_pattern($1, checkpolicy_exec_t, checkpolicy_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   ########################################
>> @@ -63,9 +66,12 @@ interface(`seutil_exec_checkpolicy',`
>>   		type checkpolicy_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	can_exec($1, checkpolicy_exec_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   #######################################
>> @@ -167,9 +173,12 @@ interface(`seutil_domtrans_newrole',`
>>   		type newrole_t, newrole_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	domtrans_pattern($1, newrole_exec_t, newrole_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   ########################################
>> @@ -216,9 +225,12 @@ interface(`seutil_exec_newrole',`
>>   		type newrole_t, newrole_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	can_exec($1, newrole_exec_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   ########################################
>> @@ -374,9 +386,12 @@ interface(`seutil_domtrans_runinit',`
>>   		type run_init_t, run_init_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	domtrans_pattern($1, run_init_exec_t, run_init_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   ########################################
>> @@ -511,9 +526,12 @@ interface(`seutil_domtrans_setfiles',`
>>   		type setfiles_t, setfiles_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	domtrans_pattern($1, setfiles_exec_t, setfiles_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   ########################################
>> @@ -558,9 +576,12 @@ interface(`seutil_exec_setfiles',`
>>   		type setfiles_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	can_exec($1, setfiles_exec_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   ########################################
>> @@ -1002,9 +1023,12 @@ interface(`seutil_domtrans_semanage',`
>>   		type semanage_t, semanage_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	domtrans_pattern($1, semanage_exec_t, semanage_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   ########################################
>> @@ -1051,9 +1075,12 @@ interface(`seutil_domtrans_setsebool',`
>>   		type setsebool_t, setsebool_exec_t;
>>   	')
>>
>> -	files_search_usr($1)
>>   	corecmd_search_bin($1)
>>   	domtrans_pattern($1, setsebool_exec_t, setsebool_t)
>> +
>> +	ifndef(`distro_redhat',`
>> +		files_search_usr($1)
>> +	')
>>   ')
>>
>>   ########################################
>>
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
> 
> 
Yes I do not think we need this patch.  (I believe we made a mistake
when we did not allow every domain read/execute access to usr_t,bin_t,
lib_t, var_t, var_lib_t, and probably a few others)
But I am probably in the minority.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyI5oUACgkQrlYvE4MpobNk/wCgrMeqm9ys/j6gjpilz67SuCw2
gyUAoKuZ9Zmiosz+R6gZD6oGFqmamPMS
=92Ip
-----END PGP SIGNATURE-----
