From mboxrd@z Thu Jan  1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 26 Jun 2012 09:44:57 -0400
Subject: [refpolicy] [PATCH v2]: fix packagekit file context (standard
 location for the daemon)
In-Reply-To: <1340240971.2940.2.camel@vortex>
References: <1340207771.3570.11.camel@vortex> <1340240971.2940.2.camel@vortex>
Message-ID: <4FE9BCD9.7010307@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/20/12 21:09, Guido Trentalancia wrote:
> Hello again.
> 
> I also noticed that the working directories that it needs to access as a
> minimum condition also seems broken, according to the latest version
> available:

Merged.

> --- refpolicy-04062012/policy/modules/contrib/rpm.fc	2012-06-21 01:58:45.505739558 +0200
> +++ refpolicy-04062012-packagekit-fc-standard/policy/modules/contrib/rpm.fc	2012-06-21 02:06:21.475277343 +0200
> @@ -7,13 +7,13 @@
>  
>  /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
>  
> +/usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
>  /usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
>  
>  /usr/sbin/yum-complete-transaction --	gen_context(system_u:object_r:rpm_exec_t,s0)
>  
>  /usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
>  /usr/sbin/yum-updatesd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
> -/usr/sbin/packagekitd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
>  
>  /usr/share/yumex/yumex-yum-backend --	gen_context(system_u:object_r:rpm_exec_t,s0)
>  /usr/share/yumex/yum_childtask\.py --	gen_context(system_u:object_r:rpm_exec_t,s0)
> @@ -27,9 +27,11 @@ ifdef(`distro_redhat', `
>  /usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
>  ')
>  
> +/var/cache/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_cache_t,s0)
>  /var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
>  
>  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
> +/var/lib/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
>  /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
>  /var/lib/yum(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
>  
> Besides that, it might need permissions related to the network, but I
> suppose that can be managed on a per-site or per-distribution basis (or
> otherwise by using booleans).
> 
> On Wed, 2012-06-20 at 17:56 +0200, Guido Trentalancia wrote:
>> It seems that the current refpolicy file contexts are using a wrong (or
>> at least rather obsolete) location for the PackageKit daemon executable.
>>
>> It's standard location is in /usr/libexec and not /usr/sbin (FC17 also
>> apparently uses the latter).
>>
>> Finally, consider that PackageKit should now ship also with
>> distributions other than Redhat.
>>
>> So, either of these two patches, would probably be a good move:
>>
>> --- refpolicy-04062012/policy/modules/contrib/rpm.fc	2011-09-09 18:29:23.592611047 +0200
>> +++ refpolicy-04062012-packagekit-fc/policy/modules/contrib/rpm.fc	2012-06-19 19:12:07.420661407 +0200
>> @@ -13,7 +13,13 @@
>>  
>>  /usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
>>  /usr/sbin/yum-updatesd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
>> +
>> +ifndef(`distro_redhat', `
>> +/usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
>> +')
>> +ifdef(`distro_redhat', `
>>  /usr/sbin/packagekitd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
>> +')
>>  
>>  /usr/share/yumex/yumex-yum-backend --	gen_context(system_u:object_r:rpm_exec_t,s0)
>>  /usr/share/yumex/yum_childtask\.py --	gen_context(system_u:object_r:rpm_exec_t,s0)
>>
>> Or:
>>
>> --- refpolicy-04062012/policy/modules/contrib/rpm.fc	2012-06-20 17:47:29.249999920 +0200
>> +++ refpolicy-04062012-packagekit-fc-standard/policy/modules/contrib/rpm.fc	2012-06-20 17:46:05.436179710 +0200
>> @@ -13,7 +13,8 @@
>>  
>>  /usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
>>  /usr/sbin/yum-updatesd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
>> -/usr/sbin/packagekitd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
>> +
>> +/usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
>>  
>>  /usr/share/yumex/yumex-yum-backend --	gen_context(system_u:object_r:rpm_exec_t,s0)
>>  /usr/share/yumex/yum_childtask\.py --	gen_context(system_u:object_r:rpm_exec_t,s0)
> 
> 
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com