[refpolicy] some Debian specific patches
martin at martinorr.name
Sun Jul 11 12:48:59 CDT 2010
On Wed 7 Jul 08:02:17 2010, Russell Coker wrote:
> The attached patch has some Debian specific patches to the policy.
The following lines of dpkg.te are already upstream (indeed this patch
deletes the last two and adds them back in a different place):
The use of the userdomain attribute in dpkg.te breaks the
encapsulation rules: the correct thing to do is use dpkg_read_db in
one of the user domain templates (userdom_common_user_template seems
right to me).
I don't think the labelling of gnome-vfs-daemon belongs in dbus.fc
unless it is getting a dbus type. I don't know whether bin_t is the
correct type or not.
I am not sure, but I think it is better style to use
read_files_pattern for system_dbusd_t (the reason for that patch is
probably not obvious: it is because dbus reads /proc/X/cmdline for
processes that connect to it, so it can include their name in its log
I attach an amended patch that fixes the above issues, except for
gnome-vfs-daemon because I don't know what the correct type there is.
> I've put in a couple of ifdef(`distro_redhat' entries, in some of those cases
> we might want to make either the Debian or the Red Hat way the default for
> other distributions.
It seems to me rather pointless to put in all these distro defines,
especially in file contexts - whatever distro you are running, if you
have a file at /usr/libexec/dcc/dbclean then you probably want it
labelled as dcc_dbclean_exec_t. And fcs for files that don't exist
are harmless beyond using a few bytes.
However I leave that up to Chris, I have not touched the distro
defines in my amended patch (except as suggested by Guido).
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 6773 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100711/78c556e3/attachment.bin
More information about the refpolicy