[DSE-Dev] refpolicy: patch for ldconfig from glibc 2.7

Václav Ovsík vaclav.ovsik at i.cz
Wed Aug 13 10:09:04 UTC 2008


On Wed, Aug 13, 2008 at 11:32:45AM +1000, Russell Coker wrote:
> On Wednesday 13 August 2008 01:30, Václav Ovsík <vaclav.ovsik at i.cz> wrote:
> > there is a message with a patch
> > http://marc.info/?l=selinux&m=120369420620609&w=2
> > in February 2008.
> 
> http://doc.coker.com.au/computers/installing-se-linux-on-lenny/
> 
> I've uploaded a new policy package to unstable (and also in my own repository 
> as described in the above URL).

I'm just trying it (2:0.0.20080702-6), but something is still wrong.
The file context for /var/cache/ldconfig is not in
/etc/selinux/default/contexts/files/file_contexts and I don't know why.

sid:~# fgrep /var/cache/ldconfig /etc/selinux/default/contexts/files/file_contexts
/var/cache/ldconfig/aux-cache   -- system_u:object_r:ld_so_cache_t:s0
sid:~# 

So running ldconfig still emits denials.

Nevertheless, I think we should use the solution from Fedora, which is
already upstream now. Why do a common thing in some special way?


On Wed, Aug 13, 2008 at 06:11:18PM +1000, Russell Coker wrote:
> On Wednesday 13 August 2008 16:57, Václav Ovsík <vaclav.ovsik at i.cz> wrote:
> >...
> > Sorry for bad formulation. I mean version control of packaging. SE Linux
> 
> There is none.
> 
> > packages you are maintaining currently contain control file VCS-* fields
> > with Manoj Srivastava old GNU Arch repositories. Manoj started migration
> > into Git, but it is not complete I suppose.
> 
> I don't know, I never checked.
>
> > I will be happy to report problems and to send patches for refpolicy.
> 
> Thanks.
> 
> > It could be worth to see Debian patches to upstream refpolicy separately
> > (not only one big Debian patch of source package).
> 
> Yes, if you would like to start on that then please go for it.

I must try something in the future. Manoj wrote on debian-devel some
interesting ideas (with a graphical presentation) about versioning and
handling patches with Git, and there was a big thread about it, "How to
cope with patches sanely". Manoj uses a package repository + a repository of
package building rules (in debian/common/), which is IMHO too
complicated. I think switching to CDBS can eliminate this. CDBS does
a similar job, but has a public interface and more people know it.

> > On the other hand I think, that I can live with my Quilt patch series over
> > selinux-policy-src. I started to work this way yesterday
> > (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494827)
> 
> Incidentally what is the benefit of having that new type defined in that 
> patch?

ldconfig_cache_t? Different purpose?

zito at bobek:~/SELinux/refpolicy-svn$ find . -regextype posix-egrep -name .svn -prune -o -name .pc -prune -o  -type f -regex '.*\.(if|te|fc)' -print|xargs grep ldconfig_cache_t
./policy/modules/system/libraries.fc:/var/cache/ldconfig(/.*)?                  gen_context(system_u:object_r:ldconfig_cache_t,s0)
./policy/modules/system/libraries.te:type ldconfig_cache_t;
./policy/modules/system/libraries.te:files_type(ldconfig_cache_t)
./policy/modules/system/libraries.te:manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
./tmp/libraries.mod.fc:/var/cache/ldconfig(/.*)?                        system_u:object_r:ldconfig_cache_t:s0
zito at bobek:~/SELinux/refpolicy-svn$ 

zito at bobek:~/SELinux/refpolicy-svn$ find . -regextype posix-egrep -name .svn -prune -o -name .pc -prune -o  -type f -regex '.*\.(if|te|fc)' -print|xargs grep ld_so_cache_t
./policy/modules/system/libraries.fc:/etc/ld\.so\.cache                 --      gen_context(system_u:object_r:ld_so_cache_t,s0)
./policy/modules/system/libraries.fc:/etc/ld\.so\.preload                       --      gen_context(system_u:object_r:ld_so_cache_t,s0)
./policy/modules/system/libraries.te:# ld_so_cache_t is the type of /etc/ld.so.cache.
./policy/modules/system/libraries.te:type ld_so_cache_t;
./policy/modules/system/libraries.te:files_type(ld_so_cache_t)
./policy/modules/system/libraries.te:allow ldconfig_t ld_so_cache_t:file manage_file_perms;
./policy/modules/system/libraries.te:files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
./policy/modules/system/libraries.if:           type lib_t, ld_so_t, ld_so_cache_t;
./policy/modules/system/libraries.if:   allow $1 ld_so_cache_t:file read_file_perms;
./policy/modules/system/libraries.if:           type ld_so_t, ld_so_cache_t;
./policy/modules/system/libraries.if:   allow $1 ld_so_cache_t:file execute;
./policy/modules/system/libraries.if:           type ld_so_cache_t;
./policy/modules/system/libraries.if:   allow $1 ld_so_cache_t:file rw_file_perms;
./tmp/libraries.mod.fc:/etc/ld\.so\.cache                       --      system_u:object_r:ld_so_cache_t:s0
./tmp/libraries.mod.fc:/etc/ld\.so\.preload                     --      system_u:object_r:ld_so_cache_t:s0
zito at bobek:~/SELinux/refpolicy-svn$ 

Hmm, I didn't analyse this. I just took the work already done by Dan Walsh.

-- 
Zito
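As an added illustration, not code from this thread, here is a small Python matcher that applies the file_contexts(5) lookup rules (anchored regex, optional file-type field, last matching entry wins, as libselinux does) to constructed samples of the two spec sets compared above. The sample lines are built from the grep output in the message; they show that the Debian entry labels only /var/cache/ldconfig/aux-cache, while the refpolicy entry /var/cache/ldconfig(/.*)? also covers the directory itself.

```python
import re

# Constructed sample of the Debian file_contexts entries quoted in the message
# (regex, optional type field, security context); not the real file.
DEBIAN_FC = """\
/etc/ld\\.so\\.cache              --      system_u:object_r:ld_so_cache_t:s0
/var/cache/ldconfig/aux-cache   --      system_u:object_r:ld_so_cache_t:s0
"""

# Constructed sample of the refpolicy entries from libraries.fc / libraries.mod.fc.
REFPOLICY_FC = """\
/etc/ld\\.so\\.cache              --      system_u:object_r:ld_so_cache_t:s0
/var/cache/ldconfig(/.*)?               system_u:object_r:ldconfig_cache_t:s0
"""

# file_contexts type field for each one-letter file kind used by lookup_context().
TYPE_FIELDS = {"-": "--", "d": "-d", "l": "-l", "c": "-c",
               "b": "-b", "s": "-s", "p": "-p"}


def parse_file_contexts(text):
    """Return a list of (compiled_regex, type_field_or_None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, ctx = fields
        elif len(fields) == 2:
            regex, ctx = fields
            ftype = None            # no type field: applies to any file kind
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        # libselinux anchors every spec regex at both ends.
        specs.append((re.compile("^" + regex + "$"), ftype, ctx))
    return specs


def lookup_context(specs, path, kind="-"):
    """Context for path ('-' regular file, 'd' directory, ...); last match wins.

    Returns None when no spec matches, i.e. restorecon leaves the label alone."""
    for regex, ftype, ctx in reversed(specs):
        if ftype is not None and ftype != TYPE_FIELDS[kind]:
            continue
        if regex.match(path):
            return ctx
    return None
```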