[refpolicy] [PATCH 0/3] Introduce substitution for /usr/local

[refpolicy] [PATCH 0/3] Introduce substitution for /usr/local

[Sven Vermeulen]

This patchset contains the suggestion to also have a substitition for
/usr/local towards /usr since manually installed applications use /usr/local as
their destination installation directory (instead of /usr) but *should* have the
same structure otherwise.

This is not only to clean up the defined file contexts a bit (there are not that
many references to /usr/local) but mainly to support such installed applications
almost out-of-the-box with our policies.

[refpolicy] [PATCH 1/3] Add in substitutions for /usr/local

[Sven Vermeulen]

Translate any paths towards /usr/local as if they were to /usr.

Since the substitutions aren't chained together, we need to define the rules for
the individual /usr/local/lib* directories as well.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 config/file_contexts.subs_dist |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index 32b87a4..72a7a0f 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -4,4 +4,7 @@
 /run/lock /var/lock
 /usr/lib32 /usr/lib
 /usr/lib64 /usr/lib
+/usr/local /usr
+/usr/local/lib32 /usr/lib
+/usr/local/lib64 /usr/lib
 /var/run/lock /var/lock
-- 
1.7.8.6

[refpolicy] [PATCH 2/3] Update file contexts to match substitution

[Sven Vermeulen]

Update the file contexts to match the /usr/local substitution (for core modules)

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/corecommands.fc |    9 ++++---
 policy/modules/kernel/files.fc        |    9 --------
 policy/modules/system/ipsec.fc        |    5 ----
 policy/modules/system/libraries.fc    |   35 ++++++++++++++++-----------------
 policy/modules/system/miscfiles.fc    |    5 ----
 policy/modules/system/unconfined.fc   |    2 +-
 6 files changed, 23 insertions(+), 42 deletions(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index db981df..850b6a9 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -184,6 +184,8 @@ ifdef(`distro_gentoo',`
 /usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
+/usr/Brother(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
 /usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 /usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@@ -251,10 +253,9 @@ ifdef(`distro_gentoo',`
 
 /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
 
-/usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Brother(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Printer(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/usr/local/linuxprinter/filters(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/linuxprinter/filters(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+
+/usr/Printer(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 8796ca3..9f95ab2 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -204,13 +204,6 @@ ifdef(`distro_debian',`
 
 /usr/inclu.e(/.*)?		gen_context(system_u:object_r:usr_t,s0)
 
-/usr/local/\.journal		<<none>>
-
-/usr/local/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
-
-/usr/local/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
-/usr/local/lost\+found/.*	<<none>>
-
 /usr/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /usr/lost\+found/.*		<<none>>
 
@@ -220,8 +213,6 @@ ifdef(`distro_debian',`
 /usr/tmp/.*			<<none>>
 
 ifndef(`distro_redhat',`
-/usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
-
 /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
 /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 ')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index ec85acb..662e79b 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -27,11 +27,6 @@
 /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 
-/usr/local/lib(64)?/ipsec/eroute --	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib(64)?/ipsec/pluto --	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib(64)?/ipsec/spi	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-
 /usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
 /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index ef8bbaf..1f41e39 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -103,6 +103,8 @@ ifdef(`distro_redhat',`
 #
 # /usr
 #
+/usr/.*\.so(\.[^/]*)*			--	gen_context(system_u:object_r:lib_t,s0)
+
 /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
@@ -117,6 +119,7 @@ ifdef(`distro_redhat',`
 
 /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+/usr/lib/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/altivec/libavcodec\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/cedega/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -148,11 +151,9 @@ ifdef(`distro_redhat',`
 /usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/wine/.+\.so			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/(local/)?.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:lib_t,s0)
-/usr/(local/)?lib(64)?/wine/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/NX/lib/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
@@ -181,6 +182,8 @@ ifdef(`distro_redhat',`
 # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
 # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
 HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?nprhapengine\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/allegro/(.*/)?alleg-vga\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -240,14 +243,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_
 
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
 /usr/lib.*/libmpg123\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 HOME_DIR/.*/plugins/nppdf\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/.*/nprhapengine\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local/(.*/)?nprhapengine\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Jai, Sun Microsystems (Jpackage SPRM)
 /usr/lib/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -269,20 +269,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
 
 # Java, Sun Microsystems (JPackage SRPM)
 /usr/(.*/)?jre.*/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?Adobe/.*\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?lib/xchat/plugins/systray\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/Adobe/(.*/)?intellinux/nppdf\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/Adobe/(.*/)?intellinux/sidecars/*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/acroread/(.*/)?intellinux/nppdf\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/Adobe/.*\.api			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/xchat/plugins/systray\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/matlab.*/bin/glnx86/libmwlapack\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index fe3427d..7368cca 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -36,11 +36,6 @@ ifdef(`distro_redhat',`
 
 /usr/lib/perl5/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
 
-/usr/local/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
-/usr/local/share/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
-
-/usr/local/share/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
-
 /usr/man(/.*)?			gen_context(system_u:object_r:man_t,s0)
 
 /usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)
diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
index 0abaf84..25efa00 100644
--- a/policy/modules/system/unconfined.fc
+++ b/policy/modules/system/unconfined.fc
@@ -8,7 +8,7 @@
 /usr/lib/ia32el/ia32x_loader 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 
-/usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 
 ifdef(`distro_debian',`
 /usr/bin/gcj-dbtool-4\.1	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-- 
1.7.8.6

[refpolicy] [PATCH 3/3] Update file contexts to match /usr/local transition

[Sven Vermeulen]

Use /usr instead of /usr/local to match the file substitution

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 inetd.fc    |    2 +-
 java.fc     |    2 --
 kerberos.fc |    8 ++++----
 lpd.fc      |    4 ++--
 4 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/inetd.fc b/inetd.fc
index 39d5baa..6107467 100644
--- a/inetd.fc
+++ b/inetd.fc
@@ -1,7 +1,7 @@
+/usr/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
 
 /usr/sbin/identd	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
 /usr/sbin/in\..*d	--	gen_context(system_u:object_r:inetd_child_exec_t,s0)
-/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0)
 
 /usr/sbin/inetd		--	gen_context(system_u:object_r:inetd_exec_t,s0)
 /usr/sbin/rlinetd	--	gen_context(system_u:object_r:inetd_exec_t,s0)
diff --git a/java.fc b/java.fc
index bc1a419..f630930 100644
--- a/java.fc
+++ b/java.fc
@@ -28,8 +28,6 @@
 /usr/lib/opera(/.*)?/opera	--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/lib/opera(/.*)?/works	--	gen_context(system_u:object_r:java_exec_t,s0)
 
-/usr/local/matlab.*/bin.*/MATLAB.* --	gen_context(system_u:object_r:java_exec_t,s0)
-
 /usr/matlab.*/bin.*/MATLAB.*	--	gen_context(system_u:object_r:java_exec_t,s0)
 
 ifdef(`distro_redhat',`
diff --git a/kerberos.fc b/kerberos.fc
index 3525d24..0a3d05a 100644
--- a/kerberos.fc
+++ b/kerberos.fc
@@ -13,13 +13,13 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
 /etc/rc\.d/init\.d/krb524d	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 
-/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
 /usr/kerberos/sbin/kadmin\.local --	gen_context(system_u:object_r:kadmind_exec_t,s0)
 /usr/kerberos/sbin/kpropd	--	gen_context(system_u:object_r:kpropd_exec_t,s0)
 
-/usr/local/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/local/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/usr/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
 
 /var/kerberos/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
 /var/kerberos/krb5kdc/from_master.*	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
diff --git a/lpd.fc b/lpd.fc
index 5c9eb68..62a8834 100644
--- a/lpd.fc
+++ b/lpd.fc
@@ -16,6 +16,8 @@
 /usr/bin/lprm(\.cups)?	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/bin/lpstat(\.cups)? --	gen_context(system_u:object_r:lpr_exec_t,s0)
 
+/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
 /usr/sbin/accept	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/sbin/checkpc	--	gen_context(system_u:object_r:checkpc_exec_t,s0)
 /usr/sbin/lpd		--	gen_context(system_u:object_r:lpd_exec_t,s0)
@@ -24,8 +26,6 @@
 /usr/sbin/lpinfo	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 /usr/sbin/lpmove	--	gen_context(system_u:object_r:lpr_exec_t,s0)
 
-/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
-
 /usr/share/printconf/.* --	gen_context(system_u:object_r:printconf_t,s0)
 
 #
-- 
1.7.8.6

[refpolicy] [PATCH 1/3] Add in substitutions for /usr/local

[Christopher J. PeBenito]

On 07/28/12 13:06, Sven Vermeulen wrote:
> Translate any paths towards /usr/local as if they were to /usr.
> 
> Since the substitutions aren't chained together, we need to define the rules for
> the individual /usr/local/lib* directories as well.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  config/file_contexts.subs_dist |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
> index 32b87a4..72a7a0f 100644
> --- a/config/file_contexts.subs_dist
> +++ b/config/file_contexts.subs_dist
> @@ -4,4 +4,7 @@
>  /run/lock /var/lock
>  /usr/lib32 /usr/lib
>  /usr/lib64 /usr/lib
> +/usr/local /usr

I'm reluctant to make this substitution.  From my experience, too many things don't seem follow this well.

> +/usr/local/lib32 /usr/lib
> +/usr/local/lib64 /usr/lib

I'd be more accepting of this change.

>  /var/run/lock /var/lock
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [PATCH 1/3] Add in substitutions for /usr/local

[Sven Vermeulen]

On Tue, Jul 31, 2012 at 02:51:44PM -0400, Christopher J. PeBenito wrote:
> On 07/28/12 13:06, Sven Vermeulen wrote:
> > diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
> > index 32b87a4..72a7a0f 100644
> > --- a/config/file_contexts.subs_dist
> > +++ b/config/file_contexts.subs_dist
> > @@ -4,4 +4,7 @@
> >  /run/lock /var/lock
> >  /usr/lib32 /usr/lib
> >  /usr/lib64 /usr/lib
> > +/usr/local /usr
> 
> I'm reluctant to make this substitution.  From my experience, too many things don't seem follow this well.
> 
> > +/usr/local/lib32 /usr/lib
> > +/usr/local/lib64 /usr/lib
> 
> I'd be more accepting of this change.

No problem, experience is important here ;-)

Wkr,
	Sven Vermeulen