* [refpolicy] [PATCH v1] Changes to the miscfiles policy module
From: Dominick Grift @ 2012-10-05 12:56 UTC (permalink / raw)
To: refpolicy
The file context for /var/cache/man will be handled by mandb
Change various miscfiles man interfaces to include relevant mandb
interface calls
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 9116567..016974b 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -77,7 +77,6 @@
/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
-/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
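Review bot: Removing the /var/cache/man(/.*)? entry leaves miscfiles.fc with no labeling rule for that path, while every mandb_ call added in miscfiles.if below sits inside optional_policy, so a policy built without mandb has no rule that assigns this directory a man-related type. Keep a labeling rule for the cache in this file, or make sure the replacement rule is guaranteed to be built whenever this one is gone.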
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 926ba65..518f940 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -491,6 +491,10 @@
allow $1 man_t:dir search_dir_perms;
files_search_usr($1)
+
+ optional_policy(`
+ mandb_search_cache($1)
+ ')
')
########################################
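Review bot: Missing documentation for the conditional access: with mandb_search_cache($1) inside optional_policy, callers of this interface can search /var/cache/man only when mandb is built, whereas before the .fc change the allow rule on man_t covered it unconditionally. State that in the interface summary so callers do not assume the cache access is always granted.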
@@ -531,6 +535,10 @@
allow $1 man_t:dir list_dir_perms;
read_files_pattern($1, man_t, man_t)
read_lnk_files_pattern($1, man_t, man_t)
+
+ optional_policy(`
+ mandb_read_cache_content($1)
+ ')
')
########################################
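Review bot: Parity with the three context lines is not shown: they grant list on man_t directories plus read on man_t files and symlinks, and the cache had all three through its man_t label. Confirm that mandb_read_cache_content($1) grants the same three classes, otherwise existing callers lose directory listing or symlink access under /var/cache/man.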
@@ -557,6 +565,10 @@
delete_dirs_pattern($1, man_t, man_t)
delete_files_pattern($1, man_t, man_t)
delete_lnk_files_pattern($1, man_t, man_t)
+
+ optional_policy(`
+ mandb_delete_cache_content($1)
+ ')
')
########################################
@@ -578,6 +590,10 @@
manage_dirs_pattern($1, man_t, man_t)
manage_files_pattern($1, man_t, man_t)
read_lnk_files_pattern($1, man_t, man_t)
+
+ optional_policy(`
+ mandb_manage_cache_content($1)
+ ')
')
########################################
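Review bot: The man_t side of this interface pairs manage_dirs_pattern and manage_files_pattern with read_lnk_files_pattern, so symlinks stay read-only for callers; check that mandb_manage_cache_content($1) does not grant manage on symlinks in the cache, which would widen what this interface hands out. If the difference is intended, say so in the commit message.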
From: Christopher J. PeBenito @ 2012-10-09 14:14 UTC (permalink / raw)
To: refpolicy
On 10/05/12 08:56, Dominick Grift wrote:
> The file context for /var/cache/man will be handled by mandb
>
> Change various miscfiles man interfaces to include relevant mandb
> interface calls
I'm not sure that this is the right way to do it. If you have miscfiles and not mandb, then you have a mislabeled /var/cache/man. I looked at your mandb.fc, and the entrypoint looks like a script; what is actually running? makewhatis?
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
> index 9116567..016974b 100644
> --- a/policy/modules/system/miscfiles.fc
> +++ b/policy/modules/system/miscfiles.fc
> @@ -77,7 +77,6 @@
>
> /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
> /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
> -/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
>
> /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
>
> diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
> index 926ba65..518f940 100644
> --- a/policy/modules/system/miscfiles.if
> +++ b/policy/modules/system/miscfiles.if
> @@ -491,6 +491,10 @@
>
> allow $1 man_t:dir search_dir_perms;
> files_search_usr($1)
> +
> + optional_policy(`
> + mandb_search_cache($1)
> + ')
> ')
>
> ########################################
> @@ -531,6 +535,10 @@
> allow $1 man_t:dir list_dir_perms;
> read_files_pattern($1, man_t, man_t)
> read_lnk_files_pattern($1, man_t, man_t)
> +
> + optional_policy(`
> + mandb_read_cache_content($1)
> + ')
> ')
>
> ########################################
> @@ -557,6 +565,10 @@
> delete_dirs_pattern($1, man_t, man_t)
> delete_files_pattern($1, man_t, man_t)
> delete_lnk_files_pattern($1, man_t, man_t)
> +
> + optional_policy(`
> + mandb_delete_cache_content($1)
> + ')
> ')
>
> ########################################
> @@ -578,6 +590,10 @@
> manage_dirs_pattern($1, man_t, man_t)
> manage_files_pattern($1, man_t, man_t)
> read_lnk_files_pattern($1, man_t, man_t)
> +
> + optional_policy(`
> + mandb_manage_cache_content($1)
> + ')
> ')
>
> ########################################
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
From: Dominick Grift @ 2012-10-09 14:18 UTC (permalink / raw)
To: refpolicy
On Tue, 2012-10-09 at 10:14 -0400, Christopher J. PeBenito wrote:
> On 10/05/12 08:56, Dominick Grift wrote:
> > The file context for /var/cache/man will be handled by mandb
> >
> > Change various miscfiles man interfaces to include relevant mandb
> > interface calls
>
> I'm not sure that this is the right way to do it. If you have miscfiles and not mandb, then you have a mislabeled /var/cache/man. I looked at your mandb.fc, and the entrypoint looks like a script; what is actually running? makewhatis?
mandb owns and installs /var/cache/man
# yum whatprovides /var/cache/man
Loaded plugins: langpacks, presto, refresh-packagekit
rpmfusion-free-updates/filelists_db
| 136 kB 00:00
rpmfusion-nonfree-updates/filelists_db
| 72 kB 00:00
man-db-2.6.0.2-6.fc17.x86_64 : Tools for searching and reading man pages
Repo : fedora
Matched from:
Filename : /var/cache/man
From: Dominick Grift @ 2012-10-09 14:20 UTC (permalink / raw)
To: refpolicy
On Tue, 2012-10-09 at 16:18 +0200, Dominick Grift wrote:
>
> On Tue, 2012-10-09 at 10:14 -0400, Christopher J. PeBenito wrote:
> > On 10/05/12 08:56, Dominick Grift wrote:
> > > The file context for /var/cache/man will be handled by mandb
> > >
> > > Change various miscfiles man interfaces to include relevant mandb
> > > interface calls
> >
> > I'm not sure that this is the right way to do it. If you have miscfiles and not mandb, then you have a mislabeled /var/cache/man. I looked at your mandb.fc, and the entrypoint looks like a script; what is actually running? makewhatis?
>
It's a system cronjob that runs daily
From: Dominick Grift @ 2012-10-09 14:38 UTC (permalink / raw)
To: refpolicy
On Tue, 2012-10-09 at 10:14 -0400, Christopher J. PeBenito wrote:
> On 10/05/12 08:56, Dominick Grift wrote:
> > The file context for /var/cache/man will be handled by mandb
> >
> > Change various miscfiles man interfaces to include relevant mandb
> > interface calls
>
> I'm not sure that this is the right way to do it. If you have miscfiles and not mandb, then you have a mislabeled /var/cache/man. I looked at your mandb.fc, and the entrypoint looks like a script; what is actually running? makewhatis?
>
Further explained
/etc/cron.daily/man-db.cron
/etc/man_db.conf
/etc/sysconfig/man-db
/usr/bin/apropos
/usr/bin/catman
/usr/bin/lexgrog
/usr/bin/man
/usr/bin/mandb
/usr/bin/manpath
/usr/bin/whatis
...
/var/cache/man
That is part of the list of files installed by man-db.
Fedora labels /usr/bin/mandb with the mandb executable type and makes
that a cron system entry.
In refpolicy, however, I label the /etc/cron.daily/man-db.cron so
that /usr/bin/mandb stays bin_t.
Then I have a mandb_run and mandb_admin to allow privileged users to run the
script in the privileged domain.
This is the content of the script:
#! /bin/bash

if [ -e /etc/sysconfig/man-db ]; then
    . /etc/sysconfig/man-db
fi

if [ "$CRON" = "no" ]; then
    exit 0
fi

renice +19 -p $$ >/dev/null 2>&1
ionice -c3 -p $$ >/dev/null 2>&1

LOCKFILE=/var/lock/man-db.lock

# the lockfile is not meant to be perfect, it's just in case the
# two man-db cron scripts get run close to each other to keep
# them from stepping on each other's toes. The worst that will
# happen is that they will temporarily corrupt the database
[ -f $LOCKFILE ] && exit 0

trap "{ rm -f $LOCKFILE ; exit 0; }" EXIT
touch $LOCKFILE
# create/update the mandb database
mandb $OPTS

exit 0
From: Dominick Grift @ 2012-10-09 14:57 UTC (permalink / raw)
To: refpolicy
On Tue, 2012-10-09 at 10:14 -0400, Christopher J. PeBenito wrote:
> On 10/05/12 08:56, Dominick Grift wrote:
> > The file context for /var/cache/man will be handled by mandb
> >
> > Change various miscfiles man interfaces to include relevant mandb
> > interface calls
>
> I'm not sure that this is the right way to do it. If you have miscfiles and not mandb, then you have a mislabeled /var/cache/man. I looked at your mandb.fc, and the entrypoint looks like a script; what is actually running? makewhatis?
Ok how about we require mandb module by the miscfiles module instead?
I can remove the optional(`')
That way one cannot have the miscfiles module without the mandb module
From: dominick.grift at gmail.com @ 2012-10-14 16:31 UTC (permalink / raw)
To: refpolicy
From: Dominick Grift <dominick.grift@gmail.com>
If you use the miscfiles policy module then you depend on the mandb policy module
Change various miscfiles man interfaces to include relevant mandb
interface calls
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 9116567..016974b 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -77,7 +77,6 @@
/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
-/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 926ba65..0a504f0 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -491,6 +491,8 @@
allow $1 man_t:dir search_dir_perms;
files_search_usr($1)
+
+ mandb_search_cache($1)
')
########################################
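Review bot: mandb_search_cache($1) is now called outside optional_policy from a file under policy/modules/system/, and the same holds for the three hunks that follow, so none of these interfaces can be used in a build that leaves mandb out. Either restore the optional_policy wrapper from the earlier version of the patch or declare the cache type in miscfiles and drop the mandb_ calls.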
@@ -531,6 +533,8 @@
allow $1 man_t:dir list_dir_perms;
read_files_pattern($1, man_t, man_t)
read_lnk_files_pattern($1, man_t, man_t)
+
+ mandb_read_cache_content($1)
')
########################################
@@ -557,6 +561,8 @@
delete_dirs_pattern($1, man_t, man_t)
delete_files_pattern($1, man_t, man_t)
delete_lnk_files_pattern($1, man_t, man_t)
+
+ mandb_delete_cache_content($1)
')
########################################
@@ -578,6 +584,8 @@
manage_dirs_pattern($1, man_t, man_t)
manage_files_pattern($1, man_t, man_t)
read_lnk_files_pattern($1, man_t, man_t)
+
+ mandb_manage_cache_content($1)
')
########################################
From: Christopher J. PeBenito @ 2012-10-19 12:08 UTC (permalink / raw)
To: refpolicy
On 10/09/12 10:57, Dominick Grift wrote:
> On Tue, 2012-10-09 at 10:14 -0400, Christopher J. PeBenito wrote:
>> On 10/05/12 08:56, Dominick Grift wrote:
>>> The file context for /var/cache/man will be handled by mandb
>>>
>>> Change various miscfiles man interfaces to include relevant mandb
>>> interface calls
>>
>> I'm not sure that this is the right way to do it. If you have miscfiles and not mandb, then you have a mislabeled /var/cache/man. I looked at your mandb.fc, and the entrypoint looks like a script; what is actually running? makewhatis?
>
> Ok how about we require mandb module by the miscfiles module instead?
>
> I can remove the optional(`')
>
> That way one cannot have the miscfiles module without the mandb module
No, modules can't unconditionally depend on modules at higher layers.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
From: Dominick Grift @ 2012-10-30 19:27 UTC (permalink / raw)
To: refpolicy
I changed this so that miscfiles policy module depends on it.
I think this should take away your previous concerns.
Can this be merged now?
On Sun, 2012-10-14 at 18:31 +0200, dominick.grift at gmail.com wrote:
> From: Dominick Grift <dominick.grift@gmail.com>
>
>
> If you use the miscfiles policy module then you depend on the mandb policy module
>
> Change various miscfiles man interfaces to include relevant mandb
> interface calls
>
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
> index 9116567..016974b 100644
> --- a/policy/modules/system/miscfiles.fc
> +++ b/policy/modules/system/miscfiles.fc
> @@ -77,7 +77,6 @@
>
> /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
> /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
> -/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
>
> /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
>
> diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
> index 926ba65..0a504f0 100644
> --- a/policy/modules/system/miscfiles.if
> +++ b/policy/modules/system/miscfiles.if
> @@ -491,6 +491,8 @@
>
> allow $1 man_t:dir search_dir_perms;
> files_search_usr($1)
> +
> + mandb_search_cache($1)
> ')
>
> ########################################
> @@ -531,6 +533,8 @@
> allow $1 man_t:dir list_dir_perms;
> read_files_pattern($1, man_t, man_t)
> read_lnk_files_pattern($1, man_t, man_t)
> +
> + mandb_read_cache_content($1)
> ')
>
> ########################################
> @@ -557,6 +561,8 @@
> delete_dirs_pattern($1, man_t, man_t)
> delete_files_pattern($1, man_t, man_t)
> delete_lnk_files_pattern($1, man_t, man_t)
> +
> + mandb_delete_cache_content($1)
> ')
>
> ########################################
> @@ -578,6 +584,8 @@
> manage_dirs_pattern($1, man_t, man_t)
> manage_files_pattern($1, man_t, man_t)
> read_lnk_files_pattern($1, man_t, man_t)
> +
> + mandb_manage_cache_content($1)
> ')
>
> ########################################
From: Christopher J. PeBenito @ 2012-10-31 14:43 UTC (permalink / raw)
To: refpolicy
On 10/30/12 15:27, Dominick Grift wrote:
> I changed this so that miscfiles policy module depends on it.
>
> I think this should take away your previous concerns.
>
> Can this be merged now?
This is actually the reverse of what I was saying. Miscfiles shouldn't be unconditionally depending on a higher layer module. I think the only solution is to have the cache type be in miscfiles so the files will be labeled right, even if mandb isn't installed.
> On Sun, 2012-10-14 at 18:31 +0200, dominick.grift at gmail.com wrote:
>> From: Dominick Grift <dominick.grift@gmail.com>
>>
>>
>> If you use the miscfiles policy module then you depend on the mandb policy module
>>
>> Change various miscfiles man interfaces to include relevant mandb
>> interface calls
>>
>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
>> diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
>> index 9116567..016974b 100644
>> --- a/policy/modules/system/miscfiles.fc
>> +++ b/policy/modules/system/miscfiles.fc
>> @@ -77,7 +77,6 @@
>>
>> /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
>> /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
>> -/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
>>
>> /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
>>
>> diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
>> index 926ba65..0a504f0 100644
>> --- a/policy/modules/system/miscfiles.if
>> +++ b/policy/modules/system/miscfiles.if
>> @@ -491,6 +491,8 @@
>>
>> allow $1 man_t:dir search_dir_perms;
>> files_search_usr($1)
>> +
>> + mandb_search_cache($1)
>> ')
>>
>> ########################################
>> @@ -531,6 +533,8 @@
>> allow $1 man_t:dir list_dir_perms;
>> read_files_pattern($1, man_t, man_t)
>> read_lnk_files_pattern($1, man_t, man_t)
>> +
>> + mandb_read_cache_content($1)
>> ')
>>
>> ########################################
>> @@ -557,6 +561,8 @@
>> delete_dirs_pattern($1, man_t, man_t)
>> delete_files_pattern($1, man_t, man_t)
>> delete_lnk_files_pattern($1, man_t, man_t)
>> +
>> + mandb_delete_cache_content($1)
>> ')
>>
>> ########################################
>> @@ -578,6 +584,8 @@
>> manage_dirs_pattern($1, man_t, man_t)
>> manage_files_pattern($1, man_t, man_t)
>> read_lnk_files_pattern($1, man_t, man_t)
>> +
>> + mandb_manage_cache_content($1)
>> ')
>>
>> ########################################
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
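
The layering rule stated in the message above (a lower-layer module must not call a higher-layer module's interfaces outside optional_policy) can be checked mechanically. The Python below is an added example, not code from this thread or from refpolicy; the interface name miscfiles_example_search, the layer names and mandb's placement in them are assumptions, and the two inputs are constructed from the search hunks of the two patch versions.

```python
import re

# Assumed layer ranking, lowest first. The thread only says mandb is in a
# "higher layer" than miscfiles; the layer names here are illustrative.
LAYER_RANK = {"kernel": 0, "system": 1, "contrib": 2}
MODULE_LAYER = {"files": "kernel", "miscfiles": "system", "mandb": "contrib"}

# m4 open quote, m4 close quote, or an identifier of the form prefix_name(
TOKEN_RE = re.compile(r"`|'|\b([a-z][a-z0-9]*)_\w+(?=\()")


def unconditional_higher_layer_calls(if_source, own_module, module_layer):
    """Return [(line_no, call)] for calls into a higher-layer module that are
    not inside an optional_policy(`...') block."""
    own_rank = LAYER_RANK[module_layer[own_module]]
    findings = []
    depth = 0                 # current m4 quote nesting depth
    optional_depths = []      # quote depths opened by optional_policy(`
    pending_optional = False  # last identifier seen was optional_policy
    for line_no, line in enumerate(if_source.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop policy comments
        for tok in TOKEN_RE.finditer(code):
            text = tok.group(0)
            if text == "`":
                depth += 1
                if pending_optional:
                    optional_depths.append(depth)
                pending_optional = False
            elif text == "'":
                if optional_depths and optional_depths[-1] == depth:
                    optional_depths.pop()
                depth -= 1
            else:
                pending_optional = text == "optional_policy"
                layer = module_layer.get(tok.group(1))
                if (layer is not None and LAYER_RANK[layer] > own_rank
                        and not optional_depths):
                    findings.append((line_no, text))
    return findings


# Constructed interface bodies; only the rules inside come from the hunks.
_HEAD = """\
interface(`miscfiles_example_search',`
    gen_require(`
        type man_t;
    ')

    allow $1 man_t:dir search_dir_perms;
    files_search_usr($1)

"""
V1_BODY = _HEAD + "    optional_policy(`\n        mandb_search_cache($1)\n    ')\n')\n"
V2_BODY = _HEAD + "    mandb_search_cache($1)\n')\n"

if __name__ == "__main__":
    for name, body in (("v1 (optional_policy)", V1_BODY), ("v2 (bare call)", V2_BODY)):
        hits = unconditional_higher_layer_calls(body, "miscfiles", MODULE_LAYER)
        print(name, "->", hits or "no unconditional higher-layer calls")
```
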
From: Dominick Grift @ 2012-10-31 14:52 UTC (permalink / raw)
To: refpolicy
On Wed, 2012-10-31 at 10:43 -0400, Christopher J. PeBenito wrote:
> On 10/30/12 15:27, Dominick Grift wrote:
> > I changed this so that miscfiles policy module depends on it.
> >
> > I think this should take away your previous concerns.
> >
> > Can this be merged now?
>
> This is actually the reverse of what I was saying. Miscfiles shouldn't be unconditionally depending on a higher layer module. I think the only solution is to have the cache type be in miscfiles so the files will be labeled right, even if mandb isn't installed.
But if mandb is not installed then the location that is labeled with the
cache type is not installed either.
But OK, if that is really what you want then I guess I can work on that
instead.
> > On Sun, 2012-10-14 at 18:31 +0200, dominick.grift at gmail.com wrote:
> >> From: Dominick Grift <dominick.grift@gmail.com>
> >>
> >>
> >> If you use the miscfiles policy module then you depend on the mandb policy module
> >>
> >> Change various miscfiles man interfaces to include relevant mandb
> >> interface calls
> >>
> >> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> >> diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
> >> index 9116567..016974b 100644
> >> --- a/policy/modules/system/miscfiles.fc
> >> +++ b/policy/modules/system/miscfiles.fc
> >> @@ -77,7 +77,6 @@
> >>
> >> /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
> >> /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
> >> -/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
> >>
> >> /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
> >>
> >> diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
> >> index 926ba65..0a504f0 100644
> >> --- a/policy/modules/system/miscfiles.if
> >> +++ b/policy/modules/system/miscfiles.if
> >> @@ -491,6 +491,8 @@
> >>
> >> allow $1 man_t:dir search_dir_perms;
> >> files_search_usr($1)
> >> +
> >> + mandb_search_cache($1)
> >> ')
> >>
> >> ########################################
> >> @@ -531,6 +533,8 @@
> >> allow $1 man_t:dir list_dir_perms;
> >> read_files_pattern($1, man_t, man_t)
> >> read_lnk_files_pattern($1, man_t, man_t)
> >> +
> >> + mandb_read_cache_content($1)
> >> ')
> >>
> >> ########################################
> >> @@ -557,6 +561,8 @@
> >> delete_dirs_pattern($1, man_t, man_t)
> >> delete_files_pattern($1, man_t, man_t)
> >> delete_lnk_files_pattern($1, man_t, man_t)
> >> +
> >> + mandb_delete_cache_content($1)
> >> ')
> >>
> >> ########################################
> >> @@ -578,6 +584,8 @@
> >> manage_dirs_pattern($1, man_t, man_t)
> >> manage_files_pattern($1, man_t, man_t)
> >> read_lnk_files_pattern($1, man_t, man_t)
> >> +
> >> + mandb_manage_cache_content($1)
> >> ')
> >>
> >> ########################################