* [refpolicy] [PATCH 01/13] Label /var/run/shm as tmpfs_t for Debian
2013-01-12 21:32 [refpolicy] [PATCH 00/13] Add more Debian support Laurent Bigonville
@ 2013-01-12 21:32 ` Laurent Bigonville
2013-01-23 12:29 ` Christopher J. PeBenito
2013-01-12 21:32 ` [refpolicy] [PATCH 02/13] Label /var/run/motd.dynamic as initrc_var_run_t Laurent Bigonville
` (11 subsequent siblings)
12 siblings, 1 reply; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-12 21:32 UTC (permalink / raw)
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
In Debian, /dev/shm is a symlink to /var/run/shm. Label that mountpoint
the same way.
---
policy/modules/kernel/filesystem.fc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index cda5588..3d67e80 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -14,3 +14,8 @@
# for systemd systems:
/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup/.* <<none>>
+
+ifdef(`distro_debian',`
+/var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/var/run/shm/.* <<none>>
+')
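Review bot: the `<<none>>` line for the directory contents is the right complement to the `-d` spec: entries created inside the mounted tmpfs get their label from the filesystem, not from file_contexts, so a spec for the contents would only make restorecon fight the mount. What is worth checking on a Debian box is that the spec actually resolves at all, since /var/run there is a symlink to /run (the mount and ls output later in this thread shows this); `matchpathcon /run/shm` should report tmpfs_t, which depends on the /run to /var/run path substitution (file_contexts.subs_dist) being present.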
--
1.7.10.4
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [refpolicy] [PATCH 01/13] Label /var/run/shm as tmpfs_t for Debian
2013-01-12 21:32 ` [refpolicy] [PATCH 01/13] Label /var/run/shm as tmpfs_t for Debian Laurent Bigonville
@ 2013-01-23 12:29 ` Christopher J. PeBenito
0 siblings, 0 replies; 38+ messages in thread
From: Christopher J. PeBenito @ 2013-01-23 12:29 UTC (permalink / raw)
To: refpolicy
On 01/12/13 16:32, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> In Debian, /dev/shm is a symlink to /var/run/shm. Label that mountpoint
> the same way.
> ---
> policy/modules/kernel/filesystem.fc | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
> index cda5588..3d67e80 100644
> --- a/policy/modules/kernel/filesystem.fc
> +++ b/policy/modules/kernel/filesystem.fc
> @@ -14,3 +14,8 @@
> # for systemd systems:
> /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
> /sys/fs/cgroup/.* <<none>>
> +
> +ifdef(`distro_debian',`
> +/var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
> +/var/run/shm/.* <<none>>
> +')
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 38+ messages in thread
* [refpolicy] [PATCH 02/13] Label /var/run/motd.dynamic as initrc_var_run_t
2013-01-12 21:32 [refpolicy] [PATCH 00/13] Add more Debian support Laurent Bigonville
2013-01-12 21:32 ` [refpolicy] [PATCH 01/13] Label /var/run/shm as tmpfs_t for Debian Laurent Bigonville
@ 2013-01-12 21:32 ` Laurent Bigonville
2013-01-13 20:05 ` Dominick Grift
2013-01-14 13:32 ` [refpolicy] [PATCH v2 " Laurent Bigonville
2013-01-12 21:32 ` [refpolicy] [PATCH 03/13] Label /var/run/initctl as initctl_t Laurent Bigonville
` (10 subsequent siblings)
12 siblings, 2 replies; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-12 21:32 UTC (permalink / raw)
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
---
policy/modules/kernel/files.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index c2c6e05..ed67663 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -269,4 +269,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/motd.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
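Review bot: the period in `/var/run/motd.dynamic` is unescaped, so as a regex it also matches `/var/run/motdXdynamic` or any other single character in that position; write it as `/var/run/motd\.dynamic`, the way the existing `/var/run/runlevel\.dir` entry in init.fc does.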
--
1.7.10.4
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [refpolicy] [PATCH 02/13] Label /var/run/motd.dynamic as initrc_var_run_t
2013-01-12 21:32 ` [refpolicy] [PATCH 02/13] Label /var/run/motd.dynamic as initrc_var_run_t Laurent Bigonville
@ 2013-01-13 20:05 ` Dominick Grift
2013-01-14 13:32 ` [refpolicy] [PATCH v2 " Laurent Bigonville
1 sibling, 0 replies; 38+ messages in thread
From: Dominick Grift @ 2013-01-13 20:05 UTC (permalink / raw)
To: refpolicy
On Sat, 2013-01-12 at 22:32 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
Best to escape the period
> ---
> policy/modules/kernel/files.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
> index c2c6e05..ed67663 100644
> --- a/policy/modules/kernel/files.fc
> +++ b/policy/modules/kernel/files.fc
> @@ -269,4 +269,5 @@ ifndef(`distro_redhat',`
>
> ifdef(`distro_debian',`
> /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/var/run/motd.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> ')
^ permalink raw reply [flat|nested] 38+ messages in thread
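As an added example (not code from this thread or from refpolicy), the following Python matcher applies file_contexts(5) regex semantics to the entries in this series: the regex is anchored to the whole path, `.` matches any character including `/`, the optional `--`/`-d`/`-p` field restricts the object class, and `<<none>>` means the policy assigns no label. It shows why the unescaped period Dominick flags is a problem, and what the `-p` and `<<none>>` entries elsewhere in the series do. The `gen_context()` expansion, the sample paths and the last-match-wins rule are simplifications of this example, labelled as such in the code.

```python
import re

# Constructed sample: file_contexts entries taken from the patches in this
# series, with the v1 (unescaped) motd.dynamic line kept on purpose.
SAMPLE_FC = r"""
/var/run/motd                   --  gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/motd.dynamic           --  gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/initctl                -p  gen_context(system_u:object_r:initctl_t,s0)
/var/run/shm                    -d  gen_context(system_u:object_r:tmpfs_t,s0)
/var/run/shm/.*                     <<none>>
/usr/lib/NetworkManager/nm\-.*  --  gen_context(system_u:object_r:bin_t,s0)
"""
# The v2 form of the motd line, with the period escaped as Dominick asked.
ESCAPED_MOTD = r"/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)"

# Object-class qualifiers from file_contexts(5); no qualifier means any class.
KIND_OF = {"--": "file", "-d": "dir", "-p": "pipe", "-l": "symlink",
           "-s": "socket", "-c": "char", "-b": "block"}


def parse_fc(text):
    """Parse file_contexts source into (compiled regex, kind or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        regex, rest = fields[0], fields[1:]
        kind = None
        if rest and rest[0] in KIND_OF:
            kind, rest = KIND_OF[rest[0]], rest[1:]
        ctx = rest[0]
        # gen_context() is an m4 macro expanded at policy build time; this
        # simplified expansion handles the two-argument form used above.
        m = re.fullmatch(r"gen_context\(([^,]+),([^)]+)\)", ctx)
        if m:
            ctx = f"{m.group(1)}:{m.group(2)}"
        specs.append((re.compile(regex), kind, ctx))
    return specs


def lookup(path, kind, specs):
    """Context for `path` of object class `kind`, '<<none>>' if the policy
    deliberately leaves it unlabeled, or None if no spec matches.

    As with setfiles/matchpathcon the regex is anchored to the whole path
    and '.' also matches '/'.  Simplification: when several specs match,
    the last one in file order wins (real libselinux applies its own
    ordering rules)."""
    result = None
    for rx, spec_kind, ctx in specs:
        if spec_kind is not None and spec_kind != kind:
            continue
        if rx.fullmatch(path):
            result = ctx
    return result


def demo():
    """Constructed lookups exercising each qualifier used in the series."""
    specs = parse_fc(SAMPLE_FC)
    fixed = parse_fc(ESCAPED_MOTD)
    return {
        "motd.dynamic": lookup("/var/run/motd.dynamic", "file", specs),
        "motdXdynamic, unescaped": lookup("/var/run/motdXdynamic", "file", specs),
        "motdXdynamic, escaped": lookup("/var/run/motdXdynamic", "file", fixed),
        "initctl as file": lookup("/var/run/initctl", "file", specs),
        "initctl as pipe": lookup("/var/run/initctl", "pipe", specs),
        "shm dir": lookup("/var/run/shm", "dir", specs),
        "shm contents": lookup("/var/run/shm/sem.foo", "file", specs),
        "nm helper": lookup("/usr/lib/NetworkManager/nm-helper", "file", specs),
        "nm nested": lookup("/usr/lib/NetworkManager/nm-x/helper", "file", specs),
    }


if __name__ == "__main__":
    for name, ctx in demo().items():
        print(f"{name:26s} -> {ctx}")
```

Running it shows that the unescaped spec labels `motdXdynamic` as well, that the `-p` initctl spec is silent for a regular file of that name, that files under /var/run/shm fall to `<<none>>` (the tmpfs's own labeling applies), and that `nm\-.*` also reaches into subdirectories because `.` spans `/`.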
* [refpolicy] [PATCH v2 02/13] Label /var/run/motd.dynamic as initrc_var_run_t
2013-01-12 21:32 ` [refpolicy] [PATCH 02/13] Label /var/run/motd.dynamic as initrc_var_run_t Laurent Bigonville
2013-01-13 20:05 ` Dominick Grift
@ 2013-01-14 13:32 ` Laurent Bigonville
2013-01-23 12:29 ` Christopher J. PeBenito
1 sibling, 1 reply; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-14 13:32 UTC (permalink / raw)
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
---
policy/modules/kernel/files.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index c2c6e05..b876c48 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -269,4 +269,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
--
1.7.10.4
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [refpolicy] [PATCH v2 02/13] Label /var/run/motd.dynamic as initrc_var_run_t
2013-01-14 13:32 ` [refpolicy] [PATCH v2 " Laurent Bigonville
@ 2013-01-23 12:29 ` Christopher J. PeBenito
0 siblings, 0 replies; 38+ messages in thread
From: Christopher J. PeBenito @ 2013-01-23 12:29 UTC (permalink / raw)
To: refpolicy
On 01/14/13 08:32, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> ---
> policy/modules/kernel/files.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
> index c2c6e05..b876c48 100644
> --- a/policy/modules/kernel/files.fc
> +++ b/policy/modules/kernel/files.fc
> @@ -269,4 +269,5 @@ ifndef(`distro_redhat',`
>
> ifdef(`distro_debian',`
> /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> ')
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 38+ messages in thread
* [refpolicy] [PATCH 03/13] Label /var/run/initctl as initctl_t
2013-01-12 21:32 [refpolicy] [PATCH 00/13] Add more Debian support Laurent Bigonville
2013-01-12 21:32 ` [refpolicy] [PATCH 01/13] Label /var/run/shm as tmpfs_t for Debian Laurent Bigonville
2013-01-12 21:32 ` [refpolicy] [PATCH 02/13] Label /var/run/motd.dynamic as initrc_var_run_t Laurent Bigonville
@ 2013-01-12 21:32 ` Laurent Bigonville
2013-01-12 21:32 ` [refpolicy] [PATCH 04/13] udev.if: Call files_search_pid instead of files_search_var_lib in udev_manage_pid_files Laurent Bigonville
` (9 subsequent siblings)
12 siblings, 0 replies; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-12 21:32 UTC (permalink / raw)
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
In Debian, the initctl pipe has been moved from /dev/initctl to
/run/initctl.
---
policy/modules/system/init.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 9a4d3a7..bc0ffc8 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -51,6 +51,7 @@ ifdef(`distro_gentoo', `
#
# /var
#
+/var/run/initctl -p gen_context(system_u:object_r:initctl_t,s0)
/var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
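Review bot: the commit message says the pipe now lives at /run/initctl, but the spec is written for /var/run/initctl; that only labels the real path if the /run to /var/run substitution (file_contexts.subs_dist) is active at relabel time, so please confirm with `matchpathcon /run/initctl` on a Debian system. The `-p` qualifier is right for a named pipe, and although this entry is not under ifdef(`distro_debian') like the rest of the series, that is fine since a path that does not exist elsewhere simply never matches.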
--
1.7.10.4
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [refpolicy] [PATCH 04/13] udev.if: Call files_search_pid instead of files_search_var_lib in udev_manage_pid_files
2013-01-12 21:32 [refpolicy] [PATCH 00/13] Add more Debian support Laurent Bigonville
` (2 preceding siblings ...)
2013-01-12 21:32 ` [refpolicy] [PATCH 03/13] Label /var/run/initctl as initctl_t Laurent Bigonville
@ 2013-01-12 21:32 ` Laurent Bigonville
2013-01-23 12:28 ` Christopher J. PeBenito
2013-01-12 21:32 ` [refpolicy] [PATCH 05/13] Label executables in /usr/lib/NetworkManager/ as bin_t Laurent Bigonville
` (8 subsequent siblings)
12 siblings, 1 reply; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-12 21:32 UTC (permalink / raw)
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
udev_manage_pid_files is supposed to manage files located in /var/run, so
allow searching that directory instead of /var/lib.
---
policy/modules/system/udev.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 0f64692..9a1650d 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -296,7 +296,7 @@ interface(`udev_manage_pid_files',`
type udev_var_run_t;
')
- files_search_var_lib($1)
+ files_search_pids($1)
manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
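Review bot: the subject line and the commit message name the interface files_search_pid, but the call on the `+` line is files_search_pids; please make them agree so the change stays searchable in the log. Dropping files_search_var_lib also means callers lose dir search on var_lib_t, which is correct because nothing in udev_manage_pid_files touches /var/lib, but any caller that was silently relying on that stray permission will start producing denials.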
--
1.7.10.4
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [refpolicy] [PATCH 04/13] udev.if: Call files_search_pid instead of files_search_var_lib in udev_manage_pid_files
2013-01-12 21:32 ` [refpolicy] [PATCH 04/13] udev.if: Call files_search_pid instead of files_search_var_lib in udev_manage_pid_files Laurent Bigonville
@ 2013-01-23 12:28 ` Christopher J. PeBenito
0 siblings, 0 replies; 38+ messages in thread
From: Christopher J. PeBenito @ 2013-01-23 12:28 UTC (permalink / raw)
To: refpolicy
On 01/12/13 16:32, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> udev_manage_pid_files is supposed to manage files located in /var/run, so
> allow searching that directory instead of /var/lib.
> ---
> policy/modules/system/udev.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
> index 0f64692..9a1650d 100644
> --- a/policy/modules/system/udev.if
> +++ b/policy/modules/system/udev.if
> @@ -296,7 +296,7 @@ interface(`udev_manage_pid_files',`
> type udev_var_run_t;
> ')
>
> - files_search_var_lib($1)
> + files_search_pids($1)
> manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
> ')
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 38+ messages in thread
* [refpolicy] [PATCH 05/13] Label executables in /usr/lib/NetworkManager/ as bin_t
2013-01-12 21:32 [refpolicy] [PATCH 00/13] Add more Debian support Laurent Bigonville
` (3 preceding siblings ...)
2013-01-12 21:32 ` [refpolicy] [PATCH 04/13] udev.if: Call files_search_pid instead of files_search_var_lib in udev_manage_pid_files Laurent Bigonville
@ 2013-01-12 21:32 ` Laurent Bigonville
2013-01-23 12:28 ` Christopher J. PeBenito
2013-01-12 21:32 ` [refpolicy] [PATCH 06/13] Add support for rsyslog Laurent Bigonville
` (7 subsequent siblings)
12 siblings, 1 reply; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-12 21:32 UTC (permalink / raw)
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
---
policy/modules/kernel/corecommands.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 644d4d7..097b2f0 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -217,6 +217,7 @@ ifdef(`distro_gentoo',`
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/NetworkManager/nm\-.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
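Review bot: the `\-` in `nm\-.*` is an unnecessary escape (a hyphen is literal outside a bracket expression), and since `.` in a file_contexts regex also matches `/`, the spec labels regular files at any depth below /usr/lib/NetworkManager whose first component starts with nm-, not only the helpers directly in that directory; if only those are intended, `nm\-[^/]*` is the tighter form. The commit message is also empty and should name the executables the entry is meant to cover.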
--
1.7.10.4
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [refpolicy] [PATCH 05/13] Label executables in /usr/lib/NetworkManager/ as bin_t
2013-01-12 21:32 ` [refpolicy] [PATCH 05/13] Label executables in /usr/lib/NetworkManager/ as bin_t Laurent Bigonville
@ 2013-01-23 12:28 ` Christopher J. PeBenito
0 siblings, 0 replies; 38+ messages in thread
From: Christopher J. PeBenito @ 2013-01-23 12:28 UTC (permalink / raw)
To: refpolicy
On 01/12/13 16:32, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> ---
> policy/modules/kernel/corecommands.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> index 644d4d7..097b2f0 100644
> --- a/policy/modules/kernel/corecommands.fc
> +++ b/policy/modules/kernel/corecommands.fc
> @@ -217,6 +217,7 @@ ifdef(`distro_gentoo',`
> /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/NetworkManager/nm\-.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 38+ messages in thread
* [refpolicy] [PATCH 06/13] Add support for rsyslog
2013-01-12 21:32 [refpolicy] [PATCH 00/13] Add more Debian support Laurent Bigonville
` (4 preceding siblings ...)
2013-01-12 21:32 ` [refpolicy] [PATCH 05/13] Label executables in /usr/lib/NetworkManager/ as bin_t Laurent Bigonville
@ 2013-01-12 21:32 ` Laurent Bigonville
2013-01-23 12:28 ` Christopher J. PeBenito
2013-01-12 21:32 ` [refpolicy] [PATCH 07/13] Label var_lock_t as a mountpoint in Debian Laurent Bigonville
` (6 subsequent siblings)
12 siblings, 1 reply; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-12 21:32 UTC (permalink / raw)
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
Allow the sys_nice capability and setsched, allow searching in /var/spool, and
allow the syslog_t domain to read network state files in /proc.
squash! Add support for rsyslog
---
policy/modules/system/logging.te | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 39ea221..b642262 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -353,13 +353,15 @@ optional_policy(`
# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
+# sys_nice for rsyslog
# cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
dontaudit syslogd_t self:capability sys_tty_config;
# setpgid for metalog
# setrlimit for syslog-ng
# getsched for syslog-ng
-allow syslogd_t self:process { signal_perms setpgid setrlimit getsched };
+# setsched for rsyslog
+allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
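Review bot: sys_nice and setsched are added to syslogd_t as a whole, so every syslog implementation confined in that domain gains them, not only rsyslog; that follows the existing pattern (chown/fsetid for syslog-ng), but the commit message should say what rsyslog does with the scheduling change, since the comment only records which daemon asked for it. The commit message also still carries a `squash!` marker line that should be dropped before merging.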
@@ -377,6 +379,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+files_search_spool(syslogd_t)
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
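Review bot: files_search_spool(syslogd_t) grants only dir search on var_spool_t, so if rsyslog writes its queue files under /var/spool those files will still need a type of their own and manage rules; the commit message should say which access the search is needed for, so the rule is not widened later without a recorded reason.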
@@ -394,6 +397,7 @@ manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
kernel_read_system_state(syslogd_t)
+kernel_read_network_state(syslogd_t)
kernel_read_kernel_sysctls(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
# Allow access to /proc/kmsg for syslog-ng
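Review bot: kernel_read_network_state(syslogd_t) is read-only access to /proc/net and is low risk, but the commit message gives no reason beyond reading network state files in /proc; naming the file rsyslog actually reads would let a later reviewer judge whether a dontaudit would have been enough.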
--
1.7.10.4
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [refpolicy] [PATCH 06/13] Add support for rsyslog
2013-01-12 21:32 ` [refpolicy] [PATCH 06/13] Add support for rsyslog Laurent Bigonville
@ 2013-01-23 12:28 ` Christopher J. PeBenito
0 siblings, 0 replies; 38+ messages in thread
From: Christopher J. PeBenito @ 2013-01-23 12:28 UTC (permalink / raw)
To: refpolicy
On 01/12/13 16:32, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> Allow the sys_nice capability and setsched, allow searching in /var/spool, and
> allow the syslog_t domain to read network state files in /proc.
>
> squash! Add support for rsyslog
Merged.
> ---
> policy/modules/system/logging.te | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> index 39ea221..b642262 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -353,13 +353,15 @@ optional_policy(`
>
> # chown fsetid for syslog-ng
> # sys_admin for the integrated klog of syslog-ng and metalog
> +# sys_nice for rsyslog
> # cjp: why net_admin!
> -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
> +allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
> dontaudit syslogd_t self:capability sys_tty_config;
> # setpgid for metalog
> # setrlimit for syslog-ng
> # getsched for syslog-ng
> -allow syslogd_t self:process { signal_perms setpgid setrlimit getsched };
> +# setsched for rsyslog
> +allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
> # receive messages to be logged
> allow syslogd_t self:unix_dgram_socket create_socket_perms;
> allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
> @@ -377,6 +379,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
> # create/append log files.
> manage_files_pattern(syslogd_t, var_log_t, var_log_t)
> rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
> +files_search_spool(syslogd_t)
>
> # Allow access for syslog-ng
> allow syslogd_t var_log_t:dir { create setattr };
> @@ -394,6 +397,7 @@ manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
> files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
>
> kernel_read_system_state(syslogd_t)
> +kernel_read_network_state(syslogd_t)
> kernel_read_kernel_sysctls(syslogd_t)
> kernel_read_proc_symlinks(syslogd_t)
> # Allow access to /proc/kmsg for syslog-ng
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 38+ messages in thread
* [refpolicy] [PATCH 07/13] Label var_lock_t as a mountpoint in Debian
2013-01-12 21:32 [refpolicy] [PATCH 00/13] Add more Debian support Laurent Bigonville
` (5 preceding siblings ...)
2013-01-12 21:32 ` [refpolicy] [PATCH 06/13] Add support for rsyslog Laurent Bigonville
@ 2013-01-12 21:32 ` Laurent Bigonville
2013-01-13 18:30 ` Sven Vermeulen
2013-01-15 10:23 ` [refpolicy] [PATCH v2 07/13] Label var_lock_t as a mountpoint Laurent Bigonville
2013-01-12 21:32 ` [refpolicy] [PATCH 08/13] Add mount_var_run_t type and allow mount_t domain to manage the files and directories Laurent Bigonville
` (5 subsequent siblings)
12 siblings, 2 replies; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-12 21:32 UTC (permalink / raw)
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
In Debian, /var/lock is a symlink to /var/run/lock which is a tmpfs
mount.
---
policy/modules/kernel/files.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 148d87a..a5554e8 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -232,3 +232,7 @@ allow files_unconfined_type file_type:filesystem *;
tunable_policy(`allow_execmod',`
allow files_unconfined_type file_type:file execmod;
')
+
+ifdef(`distro_debian',`
+ files_mountpoint(var_lock_t)
+')
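Review bot: files_mountpoint(var_lock_t) is appended at the end of files.te inside ifdef(`distro_debian') rather than next to the `type var_lock_t;` declaration where the other files_mountpoint() calls sit; the mountpoint attribute only permits mounting on that type and is inert on systems that never mount there, so the ifdef buys no isolation and an unconditional call beside the declaration would be simpler and consistent with the file's layout.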
--
1.7.10.4
^ permalink raw reply related [flat|nested] 38+ messages in thread* [refpolicy] [PATCH 07/13] Label var_lock_t as a mountpoint in Debian
2013-01-12 21:32 ` [refpolicy] [PATCH 07/13] Label var_lock_t as a mountpoint in Debian Laurent Bigonville
@ 2013-01-13 18:30 ` Sven Vermeulen
2013-01-13 20:03 ` Dominick Grift
2013-01-15 10:23 ` [refpolicy] [PATCH v2 07/13] Label var_lock_t as a mountpoint Laurent Bigonville
1 sibling, 1 reply; 38+ messages in thread
From: Sven Vermeulen @ 2013-01-13 18:30 UTC (permalink / raw)
To: refpolicy
Is /var/run/lock a (tmpfs) mountpoint, or is /var/run a (tmpfs) mountpoint
and the lock subdirectory just that - a subdirectory?
I've seen 5 distributions using /var/run as either a tmpfs, or a symlink
to /run which is a tmpfs.
On Sat, Jan 12, 2013 at 10:32 PM, Laurent Bigonville <bigon@debian.org> wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> In Debian, /var/lock is a symlink to /var/run/lock which is a tmpfs
> mount.
> ---
> policy/modules/kernel/files.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/kernel/files.te
> b/policy/modules/kernel/files.te
> index 148d87a..a5554e8 100644
> --- a/policy/modules/kernel/files.te
> +++ b/policy/modules/kernel/files.te
> @@ -232,3 +232,7 @@ allow files_unconfined_type file_type:filesystem *;
> tunable_policy(`allow_execmod',`
> allow files_unconfined_type file_type:file execmod;
> ')
> +
> +ifdef(`distro_debian',`
> + files_mountpoint(var_lock_t)
> +')
> --
> 1.7.10.4
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
^ permalink raw reply [flat|nested] 38+ messages in thread
* [refpolicy] [PATCH 07/13] Label var_lock_t as a mountpoint in Debian
2013-01-13 18:30 ` Sven Vermeulen
@ 2013-01-13 20:03 ` Dominick Grift
2013-01-14 13:12 ` Laurent Bigonville
2013-01-14 16:51 ` Daniel J Walsh
0 siblings, 2 replies; 38+ messages in thread
From: Dominick Grift @ 2013-01-13 20:03 UTC (permalink / raw)
To: refpolicy
On Sun, 2013-01-13 at 19:30 +0100, Sven Vermeulen wrote:
> Is /var/run/lock a (tmpfs) mountpoint, or is /var/run a (tmpfs) mountpoint
> and the lock subdirectory just that - a subdirectory?
>
> I've seen 5 distributions using /var/run as either a tmpfs, or a symlink
> to /run which is a tmpfs.
>
>
They are both mountpoints in Debian (/run and /run/lock).
At least that is what I saw from Laurent's mount command output.
> On Sat, Jan 12, 2013 at 10:32 PM, Laurent Bigonville <bigon@debian.org>wrote:
>
> > From: Laurent Bigonville <bigon@bigon.be>
> >
> > In Debian, /var/lock is a symlink to /var/run/lock which is a tmpfs
> > mount.
> > ---
> > policy/modules/kernel/files.te | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/policy/modules/kernel/files.te
> > b/policy/modules/kernel/files.te
> > index 148d87a..a5554e8 100644
> > --- a/policy/modules/kernel/files.te
> > +++ b/policy/modules/kernel/files.te
> > @@ -232,3 +232,7 @@ allow files_unconfined_type file_type:filesystem *;
> > tunable_policy(`allow_execmod',`
> > allow files_unconfined_type file_type:file execmod;
> > ')
> > +
> > +ifdef(`distro_debian',`
> > + files_mountpoint(var_lock_t)
> > +')
> > --
> > 1.7.10.4
> >
^ permalink raw reply [flat|nested] 38+ messages in thread
* [refpolicy] [PATCH 07/13] Label var_lock_t as a mountpoint in Debian
2013-01-13 20:03 ` Dominick Grift
@ 2013-01-14 13:12 ` Laurent Bigonville
2013-01-14 16:51 ` Daniel J Walsh
1 sibling, 0 replies; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-14 13:12 UTC (permalink / raw)
To: refpolicy
On Sun, 13 Jan 2013 21:03:05 +0100,
Dominick Grift <dominick.grift@gmail.com> wrote:
> On Sun, 2013-01-13 at 19:30 +0100, Sven Vermeulen wrote:
> > Is /var/run/lock a (tmpfs) mountpoint, or is /var/run a (tmpfs)
> > mountpoint and the lock subdirectory just that - a subdirectory?
> >
> > I've seen 5 distributions using /var/run as either a tmpfs, or a
> > symlink to /run which is a tmpfs.
> >
> >
>
> They are both mountpoints in Debian (/run and /run/lock).
>
> At least that is what I saw from Laurent's mount command output.
Indeed, on all the wheezy/sid machines I'm running at the moment (well, that
makes 3, but they were installed at different times), I have
(output of mount|grep tmpfs):
udev on /dev type devtmpfs (rw,relatime,seclabel,size=10240k,nr_inodes=1016576,mode=755)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,seclabel,size=814752k,mode=755)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,rootcontext=system_u:object_r:var_lock_t:s0,seclabel,size=5120k)
tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,rootcontext=system_u:object_r:tmpfs_t:s0,seclabel,size=1629480k)
and (ls -lad /var/*)
lrwxrwxrwx. 1 root root 4 oct 19 20:33 /var/run -> /run
lrwxrwxrwx. 1 root root 9 oct 19 20:33 /var/lock -> /run/lock
Cheers
Laurent Bigonville
^ permalink raw reply [flat|nested] 38+ messages in thread
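To answer Sven's question mechanically, here is an added Python check (not code from this thread or from refpolicy) that parses mount(8) output lines together with a symlink table, resolves a path such as /var/lock through the symlink, and reports whether the resolved path is its own mountpoint, or only a directory inside one, and which rootcontext= option the mount carries. The sample mount lines and the two symlinks are the ones Laurent posted above; the parsing functions, the single-level symlink resolution and the longest-prefix rule are assumptions of this example, not anything Debian or refpolicy provides.

```python
import re

# Constructed sample input: the "mount | grep tmpfs" lines and the /var
# symlinks Laurent posted in this thread.
SAMPLE_MOUNT = """\
udev on /dev type devtmpfs (rw,relatime,seclabel,size=10240k,nr_inodes=1016576,mode=755)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,seclabel,size=814752k,mode=755)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,rootcontext=system_u:object_r:var_lock_t:s0,seclabel,size=5120k)
tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,rootcontext=system_u:object_r:tmpfs_t:s0,seclabel,size=1629480k)
"""
SAMPLE_SYMLINKS = {"/var/run": "/run", "/var/lock": "/run/lock"}

# "<source> on <target> type <fstype> (<opt>,<opt>=<value>,...)"
MOUNT_LINE = re.compile(
    r"^(?P<src>\S+) on (?P<target>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)$")


def parse_mounts(text):
    """Map mount target -> {'fstype': ..., 'opts': {name: value or True}}."""
    mounts = {}
    for line in text.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if not m:
            continue  # not a mount(8) line; ignore it
        opts = {}
        for opt in m.group("opts").split(","):
            name, _, value = opt.partition("=")
            opts[name] = value if value else True
        mounts[m.group("target")] = {"fstype": m.group("fstype"), "opts": opts}
    return mounts


def resolve(path, symlinks):
    """Rewrite the longest symlinked prefix of path.  Assumption: one level
    of indirection, as in the sample; a real check would use os.path.realpath."""
    for link in sorted(symlinks, key=len, reverse=True):
        if path == link or path.startswith(link + "/"):
            return symlinks[link] + path[len(link):]
    return path


def classify(path, mounts, symlinks):
    """Return (resolved path, enclosing mountpoint or None, rootcontext or None).
    The enclosing mountpoint is the longest mount target that is a prefix of
    the resolved path."""
    real = resolve(path, symlinks)
    best = None
    for target in mounts:
        if real == target or real.startswith(target.rstrip("/") + "/"):
            if best is None or len(target) > len(best):
                best = target
    if best is None:
        return real, None, None
    ctx = mounts[best]["opts"].get("rootcontext")
    return real, best, ctx if isinstance(ctx, str) else None


def is_mountpoint(path, mounts, symlinks):
    """True when path, after symlink resolution, is itself a mount target
    rather than merely a directory inside one."""
    real, best, _ = classify(path, mounts, symlinks)
    return best == real


if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNT)
    for p in ("/var/run", "/var/lock", "/var/run/shm", "/var/run/user"):
        real, mp, ctx = classify(p, mounts, SAMPLE_SYMLINKS)
        print(f"{p:14s} -> {real:10s} mountpoint={mp!s:10s} "
              f"own={mp == real} rootcontext={ctx}")
```

On the sample, /var/lock resolves to /run/lock, which is a mount of its own carrying rootcontext var_lock_t, while a constructed path like /var/run/user is only a subdirectory of the /run mount; that is the distinction that decides whether var_lock_t needs the mountpoint attribute.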
* [refpolicy] [PATCH 07/13] Label var_lock_t as a mountpoint in Debian
2013-01-13 20:03 ` Dominick Grift
2013-01-14 13:12 ` Laurent Bigonville
@ 2013-01-14 16:51 ` Daniel J Walsh
1 sibling, 0 replies; 38+ messages in thread
From: Daniel J Walsh @ 2013-01-14 16:51 UTC (permalink / raw)
To: refpolicy
On 01/13/2013 03:03 PM, Dominick Grift wrote:
> On Sun, 2013-01-13 at 19:30 +0100, Sven Vermeulen wrote:
>> Is /var/run/lock a (tmpfs) mountpoint, or is /var/run a (tmpfs)
>> mountpoint and the lock subdirectory just that - a subdirectory?
>>
>> I've seen 5 distributions using /var/run as either a tmpfs, or a
>> symlink to /run which is a tmpfs.
>>
>>
>
> They are both mountpoints in Debian (/run and /run/lock).
>
> At least that is what I saw from Laurent's mount command output.
>
>> On Sat, Jan 12, 2013 at 10:32 PM, Laurent Bigonville
>> <bigon@debian.org> wrote:
>>
>>> From: Laurent Bigonville <bigon@bigon.be>
>>>
>>> In Debian, /var/lock is a symlink to /var/run/lock which is a tmpfs
>>> mount.
>>> ---
>>> policy/modules/kernel/files.te | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>>
>>> diff --git a/policy/modules/kernel/files.te
>>> b/policy/modules/kernel/files.te
>>> index 148d87a..a5554e8 100644
>>> --- a/policy/modules/kernel/files.te
>>> +++ b/policy/modules/kernel/files.te
>>> @@ -232,3 +232,7 @@ allow files_unconfined_type file_type:filesystem *;
>>> tunable_policy(`allow_execmod',`
>>> allow files_unconfined_type file_type:file execmod;
>>> ')
>>> +
>>> +ifdef(`distro_debian',`
>>> + files_mountpoint(var_lock_t)
>>> +')
>>> --
>>> 1.7.10.4
>>>
I see no reason to wrap this in an ifdef block.
^ permalink raw reply [flat|nested] 38+ messages in thread
* [refpolicy] [PATCH v2 07/13] Label var_lock_t as a mountpoint
2013-01-12 21:32 ` [refpolicy] [PATCH 07/13] Label var_lock_t as a mountpoint in Debian Laurent Bigonville
2013-01-13 18:30 ` Sven Vermeulen
@ 2013-01-15 10:23 ` Laurent Bigonville
2013-01-23 12:27 ` Christopher J. PeBenito
1 sibling, 1 reply; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-15 10:23 UTC (permalink / raw)
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
In Debian, /var/lock is a symlink to /var/run/lock which is a tmpfs
mount.
---
policy/modules/kernel/files.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 148d87a..4a59c76 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -173,6 +173,7 @@ files_mountpoint(var_lib_t)
#
type var_lock_t;
files_lock_file(var_lock_t)
+files_mountpoint(var_lock_t)
#
# var_run_t is the type of /var/run, usually
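Review bot: the subject dropped "in Debian" but the commit message still justifies the change only by Debian's layout; since files_mountpoint(var_lock_t) now applies on every distribution, one sentence noting that the mountpoint attribute is harmless where /var/lock is not a mount would make the unconditional form self-explanatory. Placing the call beside the `type var_lock_t;` declaration matches the existing files_mountpoint(var_lib_t) above, so the layout is right.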
--
1.7.10.4
* [refpolicy] [PATCH v2 07/13] Label var_lock_t as a mountpoint
2013-01-15 10:23 ` [refpolicy] [PATCH v2 07/13] Label var_lock_t as a mountpoint Laurent Bigonville
@ 2013-01-23 12:27 ` Christopher J. PeBenito
0 siblings, 0 replies; 38+ messages in thread
From: Christopher J. PeBenito @ 2013-01-23 12:27 UTC (permalink / raw)
To: refpolicy
On 01/15/13 05:23, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> In Debian, /var/lock is a symlink to /var/run/lock which is a tmpfs
> mount.
> ---
> policy/modules/kernel/files.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
> index 148d87a..4a59c76 100644
> --- a/policy/modules/kernel/files.te
> +++ b/policy/modules/kernel/files.te
> @@ -173,6 +173,7 @@ files_mountpoint(var_lib_t)
> #
> type var_lock_t;
> files_lock_file(var_lock_t)
> +files_mountpoint(var_lock_t)
>
> #
> # var_run_t is the type of /var/run, usually
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 08/13] Add mount_var_run_t type and allow mount_t domain to manage the files and directories
2013-01-12 21:32 [refpolicy] [PATCH 00/13] Add more Debian support Laurent Bigonville
` (6 preceding siblings ...)
2013-01-12 21:32 ` [refpolicy] [PATCH 07/13] Label var_lock_t as a mountpoint in Debian Laurent Bigonville
@ 2013-01-12 21:32 ` Laurent Bigonville
2013-01-23 12:27 ` Christopher J. PeBenito
2013-01-12 21:32 ` [refpolicy] [PATCH 09/13] Allow mount_t to set priority of kernel threads Laurent Bigonville
` (4 subsequent siblings)
12 siblings, 1 reply; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-12 21:32 UTC (permalink / raw)
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
In Debian, mount stores some information (a utab file) under the
/var/run/mount directory.
This is inspired by the fedora policy.
---
policy/modules/system/mount.fc | 2 ++
policy/modules/system/mount.te | 8 ++++++++
2 files changed, 10 insertions(+)
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index 72c746e..a38605e 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -2,3 +2,5 @@
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
+
+/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 6a50270..8fcd782 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -26,6 +26,9 @@ files_type(mount_loopback_t)
type mount_tmp_t;
files_tmp_file(mount_tmp_t)
+type mount_var_run_t;
+files_pid_file(mount_var_run_t)
+
# causes problems with interfaces when
# this is optionally declared in monolithic
# policy--duplicate type declaration
@@ -49,6 +52,11 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
+create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
+
kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)
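Review bot: the subject says mount_t manages mount_var_run_t, but this second mount.te hunk grants only create_dirs_pattern, create_files_pattern and rw_files_pattern, so mount_t cannot remove or rename what it creates under /var/run/mount. Either use manage_dirs_pattern/manage_files_pattern, as domains normally do for their own var_run type, or state in the commit message why the narrower set is intended.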
--
1.7.10.4
* [refpolicy] [PATCH 08/13] Add mount_var_run_t type and allow mount_t domain to manage the files and directories
2013-01-12 21:32 ` [refpolicy] [PATCH 08/13] Add mount_var_run_t type and allow mount_t domain to manage the files and directories Laurent Bigonville
@ 2013-01-23 12:27 ` Christopher J. PeBenito
0 siblings, 0 replies; 38+ messages in thread
From: Christopher J. PeBenito @ 2013-01-23 12:27 UTC (permalink / raw)
To: refpolicy
On 01/12/13 16:32, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> In Debian, mount stores some information (a utab file) under the
> /var/run/mount directory.
>
> This is inspired by the fedora policy.
Merged.
> ---
> policy/modules/system/mount.fc | 2 ++
> policy/modules/system/mount.te | 8 ++++++++
> 2 files changed, 10 insertions(+)
>
> diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
> index 72c746e..a38605e 100644
> --- a/policy/modules/system/mount.fc
> +++ b/policy/modules/system/mount.fc
> @@ -2,3 +2,5 @@
> /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
>
> /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
> +
> +/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 6a50270..8fcd782 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -26,6 +26,9 @@ files_type(mount_loopback_t)
> type mount_tmp_t;
> files_tmp_file(mount_tmp_t)
>
> +type mount_var_run_t;
> +files_pid_file(mount_var_run_t)
> +
> # causes problems with interfaces when
> # this is optionally declared in monolithic
> # policy--duplicate type declaration
> @@ -49,6 +52,11 @@ can_exec(mount_t, mount_exec_t)
>
> files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
>
> +create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
> +create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
> +rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
> +files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
> +
> kernel_read_system_state(mount_t)
> kernel_read_kernel_sysctls(mount_t)
> kernel_dontaudit_getattr_core_if(mount_t)
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 09/13] Allow mount_t to set priority of kernel threads
2013-01-12 21:32 [refpolicy] [PATCH 00/13] Add more Debian support Laurent Bigonville
` (7 preceding siblings ...)
2013-01-12 21:32 ` [refpolicy] [PATCH 08/13] Add mount_var_run_t type and allow mount_t domain to manage the files and directories Laurent Bigonville
@ 2013-01-12 21:32 ` Laurent Bigonville
2013-01-23 12:17 ` Christopher J. PeBenito
2013-01-12 21:32 ` [refpolicy] [PATCH 10/13] Allow mount_t to read module_deps_t files Laurent Bigonville
` (3 subsequent siblings)
12 siblings, 1 reply; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-12 21:32 UTC (permalink / raw)
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
---
policy/modules/system/mount.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 8fcd782..7a58d79 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -64,6 +64,7 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
kernel_request_load_module(mount_t)
+kernel_setsched(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
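Review bot: the commit message gives no reason for kernel_setsched(mount_t). setsched on kernel_t lets mount alter the scheduling of kernel threads, which nothing a mount helper does obviously requires; please quote the triggering AVC in the message and, unless mount actually fails without the permission, prefer a dontaudit rule over an allow.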
--
1.7.10.4
* [refpolicy] [PATCH 09/13] Allow mount_t to set priority of kernel threads
2013-01-12 21:32 ` [refpolicy] [PATCH 09/13] Allow mount_t to set priority of kernel threads Laurent Bigonville
@ 2013-01-23 12:17 ` Christopher J. PeBenito
2013-01-23 20:35 ` Laurent Bigonville
0 siblings, 1 reply; 38+ messages in thread
From: Christopher J. PeBenito @ 2013-01-23 12:17 UTC (permalink / raw)
To: refpolicy
On 01/12/13 16:32, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> ---
> policy/modules/system/mount.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 8fcd782..7a58d79 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -64,6 +64,7 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
> kernel_dontaudit_write_proc_dirs(mount_t)
> # To load binfmt_misc kernel module
> kernel_request_load_module(mount_t)
> +kernel_setsched(mount_t)
>
> # required for mount.smbfs
> corecmd_exec_bin(mount_t)
Any idea why this is required?
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 09/13] Allow mount_t to set priority of kernel threads
2013-01-23 12:17 ` Christopher J. PeBenito
@ 2013-01-23 20:35 ` Laurent Bigonville
0 siblings, 0 replies; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-23 20:35 UTC (permalink / raw)
To: refpolicy
On Wed, 23 Jan 2013 07:17:40 -0500,
"Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
> On 01/12/13 16:32, Laurent Bigonville wrote:
> > From: Laurent Bigonville <bigon@bigon.be>
> >
> > ---
> > policy/modules/system/mount.te | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/system/mount.te
> > b/policy/modules/system/mount.te index 8fcd782..7a58d79 100644
> > --- a/policy/modules/system/mount.te
> > +++ b/policy/modules/system/mount.te
> > @@ -64,6 +64,7 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
> > kernel_dontaudit_write_proc_dirs(mount_t)
> > # To load binfmt_misc kernel module
> > kernel_request_load_module(mount_t)
> > +kernel_setsched(mount_t)
> >
> > # required for mount.smbfs
> > corecmd_exec_bin(mount_t)
>
> Any idea why this is required?
>
During (early) boot I get this AVC:
[ 8.452944] type=1400 audit(1358970896.236:59): avc: denied { setsched } for pid=1327 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process
I'm not too sure why this is required; I see nothing in the code, it's
maybe coming from a dep?
Cheers
Laurent Bigonville
* [refpolicy] [PATCH 10/13] Allow mount_t to read module_deps_t files
2013-01-12 21:32 [refpolicy] [PATCH 00/13] Add more Debian support Laurent Bigonville
` (8 preceding siblings ...)
2013-01-12 21:32 ` [refpolicy] [PATCH 09/13] Allow mount_t to set priority of kernel threads Laurent Bigonville
@ 2013-01-12 21:32 ` Laurent Bigonville
2013-01-23 12:17 ` Christopher J. PeBenito
2013-01-12 21:32 ` [refpolicy] [PATCH 11/13] Add initrc_t to use block_suspend capability Laurent Bigonville
` (2 subsequent siblings)
12 siblings, 1 reply; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-12 21:32 UTC (permalink / raw)
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
---
policy/modules/system/mount.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 7a58d79..d412797 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -135,6 +135,8 @@ logging_send_syslog_msg(mount_t)
miscfiles_read_localization(mount_t)
+modutils_read_module_deps(mount_t)
+
sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
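Review bot: the commit message is empty, and the permission itself is doubtful: mount has no business parsing modules.dep, so a read denial on modules_dep_t is more likely a file descriptor leaked from whatever execs mount (or a dontaudit candidate) than a missing allow. Please quote the AVC and check the caller before adding modutils_read_module_deps(mount_t).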
--
1.7.10.4
* [refpolicy] [PATCH 10/13] Allow mount_t to read module_deps_t files
2013-01-12 21:32 ` [refpolicy] [PATCH 10/13] Allow mount_t to read module_deps_t files Laurent Bigonville
@ 2013-01-23 12:17 ` Christopher J. PeBenito
2013-01-23 20:42 ` Laurent Bigonville
0 siblings, 1 reply; 38+ messages in thread
From: Christopher J. PeBenito @ 2013-01-23 12:17 UTC (permalink / raw)
To: refpolicy
On 01/12/13 16:32, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> ---
> policy/modules/system/mount.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 7a58d79..d412797 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -135,6 +135,8 @@ logging_send_syslog_msg(mount_t)
>
> miscfiles_read_localization(mount_t)
>
> +modutils_read_module_deps(mount_t)
> +
> sysnet_use_portmap(mount_t)
>
> seutil_read_config(mount_t)
Any idea why this is required?
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 10/13] Allow mount_t to read module_deps_t files
2013-01-23 12:17 ` Christopher J. PeBenito
@ 2013-01-23 20:42 ` Laurent Bigonville
2013-01-24 18:07 ` Laurent Bigonville
0 siblings, 1 reply; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-23 20:42 UTC (permalink / raw)
To: refpolicy
On Wed, 23 Jan 2013 07:17:43 -0500,
"Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
> On 01/12/13 16:32, Laurent Bigonville wrote:
> > From: Laurent Bigonville <bigon@bigon.be>
> >
> > ---
> > policy/modules/system/mount.te | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/policy/modules/system/mount.te
> > b/policy/modules/system/mount.te index 7a58d79..d412797 100644
> > --- a/policy/modules/system/mount.te
> > +++ b/policy/modules/system/mount.te
> > @@ -135,6 +135,8 @@ logging_send_syslog_msg(mount_t)
> >
> > miscfiles_read_localization(mount_t)
> >
> > +modutils_read_module_deps(mount_t)
> > +
> > sysnet_use_portmap(mount_t)
> >
> > seutil_read_config(mount_t)
>
> Any idea why this is required?
>
Mmmh, I cannot reproduce this on my desktop, I'll retry tomorrow on my
laptop.
BTW this is already in the fedora policy (in an optional_policy block)
with the following commit message:
"Allow mount to read modutils_dep_t, probably a leak but not worth
blocking"
Cheers
Laurent Bigonville
* [refpolicy] [PATCH 10/13] Allow mount_t to read module_deps_t files
2013-01-23 20:42 ` Laurent Bigonville
@ 2013-01-24 18:07 ` Laurent Bigonville
2013-01-29 22:17 ` Russell Coker
0 siblings, 1 reply; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-24 18:07 UTC (permalink / raw)
To: refpolicy
On Wed, 23 Jan 2013 21:42:07 +0100,
Laurent Bigonville <bigon@debian.org> wrote:
> On Wed, 23 Jan 2013 07:17:43 -0500,
> "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
>
> > On 01/12/13 16:32, Laurent Bigonville wrote:
> > > From: Laurent Bigonville <bigon@bigon.be>
> > >
> > > ---
> > > policy/modules/system/mount.te | 2 ++
> > > 1 file changed, 2 insertions(+)
> > >
> > > diff --git a/policy/modules/system/mount.te
> > > b/policy/modules/system/mount.te index 7a58d79..d412797 100644
> > > --- a/policy/modules/system/mount.te
> > > +++ b/policy/modules/system/mount.te
> > > @@ -135,6 +135,8 @@ logging_send_syslog_msg(mount_t)
> > >
> > > miscfiles_read_localization(mount_t)
> > >
> > > +modutils_read_module_deps(mount_t)
> > > +
> > > sysnet_use_portmap(mount_t)
> > >
> > > seutil_read_config(mount_t)
> >
> > Any idea why this is required?
> >
>
> Mmmh, I cannot reproduce this on my desktop, I'll retry tomorrow on my
> laptop.
OK so I tried again, and I see these during early boot:
[ 32.330243] type=1400 audit(1359049424.759:27): avc: denied { read } for pid=2090 comm="mount" name="modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
[ 32.330265] type=1400 audit(1359049424.759:27): avc: denied { open } for pid=2090 comm="mount" path="/lib/modules/3.7-trunk-amd64/modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
[ 32.330306] type=1400 audit(1359049424.759:28): avc: denied { getattr } for pid=2090 comm="mount" path="/lib/modules/3.7-trunk-amd64/modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
Cheers
Laurent Bigonville
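The denials quoted in this thread are the raw material for a policy change, and the open question is whether they justify an allow rule at all. The Python below is an added example (not from the thread or from refpolicy) that parses AVC records the way a boot log prints them, several run together on one line included, groups them into the rule an audit2allow-style tool would propose, and buckets each group by what a reviewer should check first; the sample log is constructed from the records quoted above, and the triage rules are my own heuristics.

```python
import re
from collections import defaultdict

# Constructed sample: the two kinds of AVC denial quoted in this thread, as a
# boot log delivers them (several records may be run together on one line).
SAMPLE_LOG = """\
[    8.452944] type=1400 audit(1358970896.236:59): avc:  denied  { setsched } for  pid=1327 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process
[   32.330243] type=1400 audit(1359049424.759:27): avc:  denied  { read } for  pid=2090 comm="mount" name="modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file [   32.330265] type=1400 audit(1359049424.759:27): avc:  denied  { open } for  pid=2090 comm="mount" path="/lib/modules/3.7-trunk-amd64/modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file [   32.330306] type=1400 audit(1359049424.759:28): avc:  denied  { getattr } for  pid=2090 comm="mount" path="/lib/modules/3.7-trunk-amd64/modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
"""

# One denial: the permission set in braces, then key=value fields up to the
# next kernel timestamp / audit record or the end of the line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"(?=\s*\[\s*\d+\.\d+\]|\s*type=1400|\s*$)",
    re.MULTILINE,
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that only observe a file; anything else changes it.
READ_ONLY = {"read", "open", "getattr", "ioctl", "lock"}


def parse_avc(text):
    """Yield one dict per denial: the parsed key=value fields plus a 'perms' set."""
    for m in AVC_RE.finditer(text):
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        rec["perms"] = set(m.group("perms").split())
        yield rec


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def group_denials(text):
    """Collapse denials into {(source type, target type, class): permissions}."""
    groups = defaultdict(set)
    for rec in parse_avc(text):
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups[key] |= rec["perms"]
    return dict(groups)


def as_allow_rules(groups):
    """Render each group as the raw rule an audit2allow-style tool would print."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(groups.items())
    ]


def triage(groups):
    """Bucket each group by what a policy reviewer should check before allowing it.

    These are heuristics of this example, not refpolicy rules.
    """
    verdicts = {}
    for (src, tgt, cls), perms in groups.items():
        if cls == "process":
            verdicts[(src, tgt, cls)] = (
                f"process control over {tgt}: confirm {src} fails without it, else dontaudit"
            )
        elif perms <= READ_ONLY:
            verdicts[(src, tgt, cls)] = (
                "read-only access to another module's type: rule out a descriptor "
                "inherited from the caller before writing an allow rule"
            )
        else:
            verdicts[(src, tgt, cls)] = (
                "modifying access: needs a rationale and usually a type of its own"
            )
    return verdicts


if __name__ == "__main__":
    found = group_denials(SAMPLE_LOG)
    for rule in as_allow_rules(found):
        print(rule)
    for key, verdict in triage(found).items():
        print(f"{key}: {verdict}")
```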
^ permalink raw reply [flat|nested] 38+ messages in thread* [refpolicy] [PATCH 10/13] Allow mount_t to read module_deps_t files
2013-01-24 18:07 ` Laurent Bigonville
@ 2013-01-29 22:17 ` Russell Coker
0 siblings, 0 replies; 38+ messages in thread
From: Russell Coker @ 2013-01-29 22:17 UTC (permalink / raw)
To: refpolicy
This looks like an inherited file handle. What process is executing mount? Maybe auditallow rules on executing mount and opening the dep file will reveal what is going wrong.
Laurent Bigonville <bigon@debian.org> wrote:
>On Wed, 23 Jan 2013 21:42:07 +0100,
>Laurent Bigonville <bigon@debian.org> wrote:
>
>> On Wed, 23 Jan 2013 07:17:43 -0500,
>> "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
>>
>> > On 01/12/13 16:32, Laurent Bigonville wrote:
>> > > From: Laurent Bigonville <bigon@bigon.be>
>> > >
>> > > ---
>> > > policy/modules/system/mount.te | 2 ++
>> > > 1 file changed, 2 insertions(+)
>> > >
>> > > diff --git a/policy/modules/system/mount.te
>> > > b/policy/modules/system/mount.te index 7a58d79..d412797 100644
>> > > --- a/policy/modules/system/mount.te
>> > > +++ b/policy/modules/system/mount.te
>> > > @@ -135,6 +135,8 @@ logging_send_syslog_msg(mount_t)
>> > >
>> > > miscfiles_read_localization(mount_t)
>> > >
>> > > +modutils_read_module_deps(mount_t)
>> > > +
>> > > sysnet_use_portmap(mount_t)
>> > >
>> > > seutil_read_config(mount_t)
>> >
>> > Any idea why this is required?
>> >
>>
>> Mmmh, I cannot reproduce this on my desktop, I'll retry tomorrow on my
>> laptop.
>
>OK so I tried again, and I see these during early boot:
>
>[ 32.330243] type=1400 audit(1359049424.759:27): avc: denied { read } for pid=2090 comm="mount" name="modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
>[ 32.330265] type=1400 audit(1359049424.759:27): avc: denied { open } for pid=2090 comm="mount" path="/lib/modules/3.7-trunk-amd64/modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
>[ 32.330306] type=1400 audit(1359049424.759:28): avc: denied { getattr } for pid=2090 comm="mount" path="/lib/modules/3.7-trunk-amd64/modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
>
>
>Cheers
>
>Laurent Bigonville
--
My blog http://etbe.coker.com.au
Sent from a Galaxy S3
Android phone with K-9 Mail.
* [refpolicy] [PATCH 11/13] Add initrc_t to use block_suspend capability
2013-01-12 21:32 [refpolicy] [PATCH 00/13] Add more Debian support Laurent Bigonville
` (9 preceding siblings ...)
2013-01-12 21:32 ` [refpolicy] [PATCH 10/13] Allow mount_t to read module_deps_t files Laurent Bigonville
@ 2013-01-12 21:32 ` Laurent Bigonville
2013-01-12 21:32 ` [refpolicy] [PATCH 12/13] Label executables under /usr/lib/gnome-settings-daemon/ as bin_t Laurent Bigonville
2013-01-12 21:32 ` [refpolicy] [PATCH 13/13] Label nut drivers that are installed in /lib/nut on Debian " Laurent Bigonville
12 siblings, 0 replies; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-12 21:32 UTC (permalink / raw)
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
This is needed by nm-dispatcher.action which is labeled as
NetworkManager_initc_exec_t and is transitioned to initrc_t
---
policy/modules/system/init.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index dd3be8d..eb18638 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -226,6 +226,7 @@ optional_policy(`
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
allow initrc_t self:capability ~{ sys_admin sys_module };
+allow initrc_t self:capability2 block_suspend;
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
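Review bot: `allow initrc_t self:capability2 block_suspend;` is granted to every initrc_t script because one NetworkManager dispatcher needs it. That is consistent with initrc_t already holding self:capability ~{ sys_admin sys_module } two lines above, but a comment naming nm-dispatcher.action would record why the capability2 rule exists. Also, the type named in the commit message, NetworkManager_initc_exec_t, looks mistyped; please verify it against the networkmanager module.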
--
1.7.10.4
* [refpolicy] [PATCH 12/13] Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
2013-01-12 21:32 [refpolicy] [PATCH 00/13] Add more Debian support Laurent Bigonville
` (10 preceding siblings ...)
2013-01-12 21:32 ` [refpolicy] [PATCH 11/13] Add initrc_t to use block_suspend capability Laurent Bigonville
@ 2013-01-12 21:32 ` Laurent Bigonville
2013-01-13 18:28 ` Sven Vermeulen
2013-01-14 13:29 ` [refpolicy] [PATCH v2 " Laurent Bigonville
2013-01-12 21:32 ` [refpolicy] [PATCH 13/13] Label nut drivers that are installed in /lib/nut on Debian " Laurent Bigonville
12 siblings, 2 replies; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-12 21:32 UTC (permalink / raw)
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
On Debian, part of gnome-settings-daemon is installed in that
directory
---
policy/modules/kernel/corecommands.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 097b2f0..7a5f35a 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -208,6 +208,7 @@ ifdef(`distro_gentoo',`
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/gnome-settings-daemon/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gvfs/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)
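Review bot: the new corecommands.fc entry `/usr/lib/gnome-settings-daemon/.* gen_context(system_u:object_r:bin_t,s0)` has no object class field, unlike the gvfs, ipsec and kde4 entries around it, so any subdirectory, symlink or data file under that path would also be labeled bin_t. Add `--` so only regular files match, and confirm that everything installed there is meant to be executed.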
--
1.7.10.4
* [refpolicy] [PATCH 12/13] Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
2013-01-12 21:32 ` [refpolicy] [PATCH 12/13] Label executables under /usr/lib/gnome-settings-daemon/ as bin_t Laurent Bigonville
@ 2013-01-13 18:28 ` Sven Vermeulen
2013-01-13 20:04 ` Dominick Grift
2013-01-14 13:18 ` Laurent Bigonville
2013-01-14 13:29 ` [refpolicy] [PATCH v2 " Laurent Bigonville
1 sibling, 2 replies; 38+ messages in thread
From: Sven Vermeulen @ 2013-01-13 18:28 UTC (permalink / raw)
To: refpolicy
Are all files in that location binaries to be executed?
On Sat, Jan 12, 2013 at 10:32 PM, Laurent Bigonville <bigon@debian.org> wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> On Debian, part of gnome-settings-daemon is installed in that
> directory
> ---
> policy/modules/kernel/corecommands.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/corecommands.fc
> b/policy/modules/kernel/corecommands.fc
> index 097b2f0..7a5f35a 100644
> --- a/policy/modules/kernel/corecommands.fc
> +++ b/policy/modules/kernel/corecommands.fc
> @@ -208,6 +208,7 @@ ifdef(`distro_gentoo',`
> /usr/lib/dpkg/.+ --
> gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/emacsen-common/.*
> gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/gimp/.*/plug-ins(/.*)?
> gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/gnome-settings-daemon/.*
> gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/gvfs/.* --
> gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/ipsec/.* --
> gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/kde4/libexec/.* --
> gen_context(system_u:object_r:bin_t,s0)
> --
> 1.7.10.4
>
* [refpolicy] [PATCH 12/13] Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
2013-01-13 18:28 ` Sven Vermeulen
@ 2013-01-13 20:04 ` Dominick Grift
2013-01-14 13:18 ` Laurent Bigonville
1 sibling, 0 replies; 38+ messages in thread
From: Dominick Grift @ 2013-01-13 20:04 UTC (permalink / raw)
To: refpolicy
On Sun, 2013-01-13 at 19:28 +0100, Sven Vermeulen wrote:
> Are all files in that location binaries to be executed?
Also it needs a --
>
>
> On Sat, Jan 12, 2013 at 10:32 PM, Laurent Bigonville <bigon@debian.org>wrote:
>
> > From: Laurent Bigonville <bigon@bigon.be>
> >
> > On Debian, part of gnome-settings-daemon is installed in that
> > directory
> > ---
> > policy/modules/kernel/corecommands.fc | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/kernel/corecommands.fc
> > b/policy/modules/kernel/corecommands.fc
> > index 097b2f0..7a5f35a 100644
> > --- a/policy/modules/kernel/corecommands.fc
> > +++ b/policy/modules/kernel/corecommands.fc
> > @@ -208,6 +208,7 @@ ifdef(`distro_gentoo',`
> > /usr/lib/dpkg/.+ --
> > gen_context(system_u:object_r:bin_t,s0)
> > /usr/lib/emacsen-common/.*
> > gen_context(system_u:object_r:bin_t,s0)
> > /usr/lib/gimp/.*/plug-ins(/.*)?
> > gen_context(system_u:object_r:bin_t,s0)
> > +/usr/lib/gnome-settings-daemon/.*
> > gen_context(system_u:object_r:bin_t,s0)
> > /usr/lib/gvfs/.* --
> > gen_context(system_u:object_r:bin_t,s0)
> > /usr/lib/ipsec/.* --
> > gen_context(system_u:object_r:bin_t,s0)
> > /usr/lib/kde4/libexec/.* --
> > gen_context(system_u:object_r:bin_t,s0)
> > --
> > 1.7.10.4
> >
* [refpolicy] [PATCH 12/13] Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
2013-01-13 18:28 ` Sven Vermeulen
2013-01-13 20:04 ` Dominick Grift
@ 2013-01-14 13:18 ` Laurent Bigonville
1 sibling, 0 replies; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-14 13:18 UTC (permalink / raw)
To: refpolicy
On Sun, 13 Jan 2013 19:28:18 +0100,
Sven Vermeulen <sven.vermeulen@siphos.be> wrote:
> Are all files in that location binaries to be executed?
Yes
The apt-file search /usr/lib/gnome-settings-daemon/ command shows me that
there are 23 files installed in that directory, all by g-s-d and all
executables.
Cheers
Laurent Bigonville
* [refpolicy] [PATCH v2 12/13] Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
2013-01-12 21:32 ` [refpolicy] [PATCH 12/13] Label executables under /usr/lib/gnome-settings-daemon/ as bin_t Laurent Bigonville
2013-01-13 18:28 ` Sven Vermeulen
@ 2013-01-14 13:29 ` Laurent Bigonville
1 sibling, 0 replies; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-14 13:29 UTC (permalink / raw)
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
On Debian, part of gnome-settings-daemon is installed in that
directory
---
policy/modules/kernel/corecommands.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 644d4d7..332c3c4 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -208,6 +208,7 @@ ifdef(`distro_gentoo',`
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/gnome-settings-daemon/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gvfs/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)
--
1.7.10.4
* [refpolicy] [PATCH 13/13] Label nut drivers that are installed in /lib/nut on Debian as bin_t
2013-01-12 21:32 [refpolicy] [PATCH 00/13] Add more Debian support Laurent Bigonville
` (11 preceding siblings ...)
2013-01-12 21:32 ` [refpolicy] [PATCH 12/13] Label executables under /usr/lib/gnome-settings-daemon/ as bin_t Laurent Bigonville
@ 2013-01-12 21:32 ` Laurent Bigonville
12 siblings, 0 replies; 38+ messages in thread
From: Laurent Bigonville @ 2013-01-12 21:32 UTC (permalink / raw)
To: refpolicy
From: Laurent Bigonville <bigon@bigon.be>
---
policy/modules/kernel/corecommands.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 7a5f35a..4b7f9ee 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -132,6 +132,7 @@ ifdef(`distro_debian',`
# /lib
#
+/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
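Review bot: the commit has no body. Record which domain executes /lib/nut/* and why the generic bin_t is the right label for them: bin_t executables can be run by any domain that has corecmd_exec_bin(), so a directory of hardware drivers normally needs either that justification spelled out or a type of its own.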
--
1.7.10.4