* [refpolicy] debian file location patch
From: Russell Coker @ 2011-11-07 12:50 UTC (permalink / raw)
  To: refpolicy

The attached patch makes a bunch of trivial changes to file locations, most of 
which are inside distro_debian blocks.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debian-location.diff
Type: text/x-patch
Size: 37637 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20111107/d8c1f3d0/attachment-0001.bin 


* [refpolicy] debian file location patch
From: Christopher J. PeBenito @ 2011-11-16 20:34 UTC (permalink / raw)
  To: refpolicy

On 11/07/11 07:50, Russell Coker wrote:
> The attached patch makes a bunch of trivial changes to file locations, most of 
> which are inside distro_debian blocks.

I mostly merged this, with some rearrangement.  Questions/notes on stuff that wasn't merged:

* Why was /etc/network/ifstate removed but no context added elsewhere?
* The authlogin.fc changes don't make sense to me.
* From what little I could find about logsave, I can't understand why it would make sense to label it fsadm_exec_t.
* The libraries changes make me think again about eliminating references to lib32/lib64 and using the matchpathcon substitution functions; it would seem cleaner.
* Not clear why /var/lib/alsa/asound.state should be alsa_etc_rw_t instead of alsa_var_lib_t, which it would get w/o the context you're adding.  There are also dupe contexts being added.
* Instances of encapsulation breakage were removed
* Fixed tabs vs spaces whitespace errors

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
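
The duplicate-context and tabs-versus-spaces points in the review above can be checked mechanically before a file-context patch is submitted. The following is an added example, not part of the original message or of refpolicy's own tooling; `lint_fc` and the sample entries are hypothetical, and only the asound.state path and the two alsa types are taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in refpolicy .fc syntax. The asound.state path and the
# two alsa types come from the thread; the entries themselves are made up.
SAMPLE_FC = (
    "/var/lib/alsa(/.*)?\tgen_context(system_u:object_r:alsa_var_lib_t,s0)\n"
    "ifdef(`distro_debian',`\n"
    "/var/lib/alsa/asound\\.state\t--\tgen_context(system_u:object_r:alsa_etc_rw_t,s0)\n"
    "/var/lib/alsa/asound\\.state  \t--\tgen_context(system_u:object_r:alsa_etc_rw_t,s0)\n"
    "')\n"
)

# Path regex, optional file-type flag (--, -d, -l, ...), then the context.
ENTRY = re.compile(
    r"^(\S+)(\s+)(?:(-[-bcdlps])(\s+))?(gen_context\(.+\)|<<none>>)\s*$"
)

def lint_fc(text):
    """Report repeated path specs and mixed tab/space separators in .fc text.

    Assumption: ifdef() scope is ignored, so the same spec in two different
    distro blocks is still reported and needs a human look.
    """
    seen = defaultdict(list)  # (path regex, file type) -> [(lineno, context)]
    report = {"duplicate": [], "conflict": [], "mixed_whitespace": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        m = None if stripped.startswith("#") else ENTRY.match(stripped)
        if m is None:  # comments, blank lines, ifdef(...) wrappers
            continue
        path, sep1, ftype, sep2, context = m.groups()
        seps = sep1 + (sep2 or "")
        if " " in seps and "\t" in seps:
            report["mixed_whitespace"].append(lineno)
        seen[(path, ftype or "any")].append((lineno, context))
    for (path, ftype), hits in seen.items():
        if len(hits) > 1:
            # Same context repeated is redundant; different contexts for
            # one spec is a real conflict that must be resolved.
            kind = "duplicate" if len({c for _, c in hits}) == 1 else "conflict"
            report[kind].append((path, ftype, [n for n, _ in hits]))
    return report

if __name__ == "__main__":
    for kind, findings in lint_fc(SAMPLE_FC).items():
        print(kind, findings)
```
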


* [refpolicy] debian file location patch
From: Russell Coker @ 2011-11-17  1:18 UTC (permalink / raw)
  To: refpolicy

On Thu, 17 Nov 2011, "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
> On 11/07/11 07:50, Russell Coker wrote:
> > The attached patch makes a bunch of trivial changes to file locations,
> > most of which are inside distro_debian blocks.
> 
> I mostly merged this, with some rearrangement.  Questions/notes on stuff
> that wasn't merged:
> 
> * Why was /etc/network/ifstate removed but no context added elsewhere?

Thanks, I've attached a patch to fix this.

> * The authlogin.fc changes don't make sense to me.

On Debian .pwd.lock is not used, passwd.lock is used instead and it is created 
with type etc_t.

group.lock is created with type etc_t.  I don't think that there's any reason 
why a relabel should change the type of .pwd.lock, passwd.lock, or group.lock.

.gshadow.edit.swp and .shadow.edit.swp have contents of gshadow and shadow, 
they MUST be labeled as shadow_t.

.passwd.edit.swp and .group.edit.swp are created as type shadow_t and there's 
no benefit in relabelling them to a different type if they exist.  Ideally the 
processes which use such files would not have permission to write to etc_t to 
reduce the possibility of granting inappropriate access to sensitive data, in 
which case relabelling such files could prevent correct operation.

> * From what little I could find about logsave, I can't understand why it
> would make sense to label it fsadm_exec_t.

It's part of the e2fsprogs package and AFAIK it's only used for storing logs 
from fsck.

> * The libraries changes make
> me think again about eliminating references to lib32/lib64 and using the
> matchpathcon substitution functions; it would seem cleaner.

Sounds fine to me.

> * Not clear
> why /var/lib/alsa/asound.state should be alsa_etc_rw_t instead of
> alsa_var_lib_t, which it would get w/o the context you're adding.

OK, I'll try it and see how it goes.

Also why did you remove the distro_debian from around 
/usr/share/alsa/alsa\.conf?  Surely no other distribution needs that!

> * Instances of encapsulation breakage
> were removed

I've attached a patch to fix that.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ifstate.diff
Type: text/x-patch
Size: 162 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20111117/762e38f3/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: encap.diff
Type: text/x-patch
Size: 2235 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20111117/762e38f3/attachment-0001.bin 
