[DSE-Dev] refpolicy: patch for ldconfig from glibc 2.7
vaclav.ovsik at i.cz
Wed Aug 13 10:09:04 UTC 2008
On Wed, Aug 13, 2008 at 11:32:45AM +1000, Russell Coker wrote:
> On Wednesday 13 August 2008 01:30, Václav Ovsík <vaclav.ovsik at i.cz> wrote:
> > there is a message with a patch
> > http://marc.info/?l=selinux&m=120369420620609&w=2
> > in February 2008.
> I've uploaded a new policy package to unstable (and also in my own repository
> as described in the above URL).
I am just trying it (2:0.0.20080702-6), but something is still wrong.
The file context for /var/cache/ldconfig is not in
/etc/selinux/default/contexts/files/file_contexts and I don't know why.
sid:~# fgrep /var/cache/ldconfig /etc/selinux/default/contexts/files/file_contexts
/var/cache/ldconfig/aux-cache -- system_u:object_r:ld_so_cache_t:s0
So running ldconfig still emits denials.
Nevertheless, I think we should use the solution from Fedora, which is
already upstream now. Why do a common thing in some special way?
On Wed, Aug 13, 2008 at 06:11:18PM +1000, Russell Coker wrote:
> On Wednesday 13 August 2008 16:57, Václav Ovsík <vaclav.ovsik at i.cz> wrote:
> > Sorry for the bad formulation. I mean version control of packaging. SE Linux
> There is none.
> > packages you are maintaining currently contain control file VCS-* fields
> > with Manoj Srivastava's old GNU Arch repositories. Manoj started migration
> > into Git, but it is not complete I suppose.
> I don't know, I never checked.
> > I will be happy to report problems and to send patches for refpolicy.
> > It could be worth seeing Debian patches to upstream refpolicy separately
> > (not only one big Debian patch of source package).
> Yes, if you would like to start on that then please go for it.
I must try something in the future. Manoj wrote on debian-devel some
interesting ideas (with a graphical presentation) about versioning and
handling patches with Git, and there was a big thread about it, "How to
cope with patches sanely". Manoj uses a package repository + a repository of
package building rules (in debian/common/), which is IMHO too
complicated. I think switching to CDBS can eliminate this. CDBS does
a similar job, but has a public interface and more people know it.
> > On the other hand I think that I can live with my Quilt patch series over
> > selinux-policy-src. I started to work this way yesterday
> > (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494827)
> Incidentally what is the benefit of having that new type defined in that
ldconfig_cache_t? Different purpose?
zito at bobek:~/SELinux/refpolicy-svn$ find . -regextype posix-egrep -name .svn -prune -o -name .pc -prune -o -type f -regex '.*\.(if|te|fc)' -print|xargs grep ldconfig_cache_t
./policy/modules/system/libraries.te:manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
zito at bobek:~/SELinux/refpolicy-svn$
zito at bobek:~/SELinux/refpolicy-svn$ find . -regextype posix-egrep -name .svn -prune -o -name .pc -prune -o -type f -regex '.*\.(if|te|fc)' -print|xargs grep ld_so_cache_t
./policy/modules/system/libraries.fc:/etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0)
./policy/modules/system/libraries.fc:/etc/ld\.so\.preload -- gen_context(system_u:object_r:ld_so_cache_t,s0)
./policy/modules/system/libraries.te:# ld_so_cache_t is the type of /etc/ld.so.cache.
./policy/modules/system/libraries.te:allow ldconfig_t ld_so_cache_t:file manage_file_perms;
./policy/modules/system/libraries.if: type lib_t, ld_so_t, ld_so_cache_t;
./policy/modules/system/libraries.if: allow $1 ld_so_cache_t:file read_file_perms;
./policy/modules/system/libraries.if: type ld_so_t, ld_so_cache_t;
./policy/modules/system/libraries.if: allow $1 ld_so_cache_t:file execute;
./policy/modules/system/libraries.if: type ld_so_cache_t;
./policy/modules/system/libraries.if: allow $1 ld_so_cache_t:file rw_file_perms;
./tmp/libraries.mod.fc:/etc/ld\.so\.cache -- system_u:object_r:ld_so_cache_t:s0
./tmp/libraries.mod.fc:/etc/ld\.so\.preload -- system_u:object_r:ld_so_cache_t:s0
zito at bobek:~/SELinux/refpolicy-svn$
Hmm, I didn't analyse this. I just took the work already done by Dan Walsh.
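The check made at the top of this message, whether a path has a file_contexts entry and which type it resolves to, can be reproduced offline with a small matcher. This is an added example, not code from the thread or from libselinux; it applies the libselinux rule that the last matching entry wins and that an entry's type flag (`--`, `-d`, ...) must agree with the object, over a constructed file_contexts excerpt built from the entries quoted above plus an assumed `/.*` default.

```python
import re

# Constructed file_contexts excerpt: entries quoted in the thread plus an
# assumed catch-all default on the first line (real tables list it first too).
FILE_CONTEXTS = """\
/.*                              system_u:object_r:default_t:s0
/etc/ld\\.so\\.cache           -- system_u:object_r:ld_so_cache_t:s0
/etc/ld\\.so\\.preload         -- system_u:object_r:ld_so_cache_t:s0
/var/cache/ldconfig/aux-cache -- system_u:object_r:ld_so_cache_t:s0
"""

FTYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
               "-b": "block", "-s": "sock", "-p": "fifo"}

def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, object type, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:          # regex, type flag, context
            regex, flag, context = fields
            ftype = FTYPE_FLAGS[flag]
        elif len(fields) == 2:        # regex, context (any object type)
            regex, context = fields
            ftype = None
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        # libselinux anchors every regex to the whole path
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs

def match_path(specs, path, ftype):
    """Context for path, or None: the last matching entry wins, and an entry
    with a type flag is skipped when the object is of another type."""
    for regex, spec_type, context in reversed(specs):
        if spec_type is not None and spec_type != ftype:
            continue
        if regex.match(path):
            return context
    return None

if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    # aux-cache gets ld_so_cache_t; its parent dir has no entry, so default_t
    for path, ftype in (("/var/cache/ldconfig/aux-cache", "file"),
                        ("/var/cache/ldconfig", "dir")):
        print(path, ftype, "->", match_path(specs, path, ftype))
```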