* [refpolicy] [PATCH] misc fc changes
@ 2017-04-02  8:58 Russell Coker
  2017-04-03 23:11 ` Chris PeBenito
                   ` (3 more replies)
  0 siblings, 4 replies; 21+ messages in thread
From: Russell Coker @ 2017-04-02  8:58 UTC (permalink / raw)
  To: refpolicy

Remove acct_exec_t label for /etc/cron\.(daily|monthly)/acct so it gets bin_t

Label /dev/pts/ptmx as ptmx_t.  It always should have been labelled like this
but the presence of a device /dev/ptmx concealed it.  With a container
created by systemd-nspawn (and possibly other situations) /dev/ptmx is a
symlink and we need correct labelling of /dev/pts/ptmx.

Remove labelling of /usr/sbin/apachectl as initrc_exec_t so system scripts can
run it without a domain transition.

Also lots of little changes that are obvious.


--- refpolicy-2.20170329.orig/policy/modules/contrib/acct.fc
+++ refpolicy-2.20170329/policy/modules/contrib/acct.fc
@@ -1,5 +1,3 @@
-/etc/cron\.(daily|monthly)/acct	--	gen_context(system_u:object_r:acct_exec_t,s0)
-
 /etc/rc\.d/init\.d/psacct	--	gen_context(system_u:object_r:acct_initrc_exec_t,s0)
 
 /usr/sbin/accton	--	gen_context(system_u:object_r:acct_exec_t,s0)
--- refpolicy-2.20170329.orig/policy/modules/contrib/apache.fc
+++ refpolicy-2.20170329/policy/modules/contrib/apache.fc
@@ -86,6 +86,7 @@ ifdef(`distro_suse',`
 /usr/share/mythtv/data(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/ntop/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/openca/htdocs(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/postfixadmin/templates_c(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /usr/share/selinux-policy[^/]*/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/wordpress/.*\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /usr/share/wordpress-mu/wp-config\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
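Review bot: The new postfixadmin entry is the only writable label (httpd_sys_rw_content_t) in a run of read-only httpd_sys_content_t entries under /usr/share, and the patch description does not say what writes there. If the directory is a cache the web application populates at runtime, a comment such as `# templates_c is written by the web application at runtime` above the entry would stop the next reviewer from "fixing" it back to read-only; if it is shipped static content, the rw type is broader than needed. Like its neighbours the entry has no type flag, so it covers every object under the tree, which is presumably intended.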
--- refpolicy-2.20170329.orig/policy/modules/contrib/apt.fc
+++ refpolicy-2.20170329/policy/modules/contrib/apt.fc
@@ -14,6 +14,7 @@ ifndef(`distro_redhat',`
 
 /var/lib/apt(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
 /var/lib/aptitude(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
+/var/lib/apt-xapian-inde(x)(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
 
 /var/lock/aptitude	gen_context(system_u:object_r:apt_lock_t,s0)
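Review bot: The group in `/var/lib/apt-xapian-inde(x)(/.*)?` is redundant — `(x)` matches exactly what a literal `x` does — and reads like a leftover from an earlier pattern. Write it as `/var/lib/apt-xapian-index(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)` so it matches the style of the two entries above it.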
 
--- refpolicy-2.20170329.orig/policy/modules/contrib/dirmngr.fc
+++ refpolicy-2.20170329/policy/modules/contrib/dirmngr.fc
@@ -7,6 +7,7 @@
 /var/log/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_log_t,s0)
 
 /var/lib/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
+/var/cache/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
 
 /run/dirmngr\.pid	--	gen_context(system_u:object_r:dirmngr_var_run_t,s0)
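Review bot: /var/cache/dirmngr is given the module's var_lib type rather than a cache type, so anything allowed to manage dirmngr_var_lib_t also manages the cache, and vice versa. That may be fine for a small module, but a short comment on the entry (`# cache shares the var_lib type`) would record the decision. Note also that an .fc entry only labels objects that already exist at relabel time; if dirmngr creates /var/cache/dirmngr itself, the correct label at runtime needs a matching type transition in dirmngr.te, which this patch does not touch — presumably already covered or not needed, worth confirming.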
 
--- refpolicy-2.20170329.orig/policy/modules/contrib/dpkg.fc
+++ refpolicy-2.20170329/policy/modules/contrib/dpkg.fc
@@ -4,6 +4,7 @@
 /usr/bin/dpkg	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
 /usr/bin/dselect	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
 
+/var/lib/debtags(/.*)?	gen_context(system_u:object_r:dpkg_var_lib_t,s0)
 /var/lib/dpkg(/.*)?	gen_context(system_u:object_r:dpkg_var_lib_t,s0)
 /var/lib/dpkg/(meth)?lock	--	gen_context(system_u:object_r:dpkg_lock_t,s0)
 
--- refpolicy-2.20170329.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20170329/policy/modules/kernel/corecommands.fc
@@ -151,6 +151,7 @@ ifdef(`distro_gentoo',`
 /usr/bin/zsh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
 /usr/lib/(.*/)?bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/postfix/configure-instance.sh -- gen_context(system_u:object_r:bin_t,s0)
 
 /usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/(.*/)?sbin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
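Review bot: The `.` in `/usr/lib/postfix/configure-instance.sh` is an unescaped regex metacharacter, unlike `avahi-daemon-check-dns\.sh` a few lines below; the entry should read `/usr/lib/postfix/configure-instance\.sh -- gen_context(system_u:object_r:bin_t,s0)`. The same applies to the four `/etc/network/if-*.d/.*` entries added in init.fc and to `lib.*so.*` in libraries.fc (`lib.*\.so.*`, as in the existing dovecot line there). Harmless in practice, but these patterns are compiled as regular expressions and the files otherwise escape literal dots consistently.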
@@ -158,6 +159,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/at-spi2-core(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/dovecot/.+			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/fence(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
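Review bot: `/usr/lib/dovecot/.+` has no file-type flag and matches every object under the directory, including the dovecot shared libraries that libraries.fc in this same tree labels lib_t via `/usr/lib/dovecot/(.*/)?lib.*\.so.*`. Which of the two wins is decided by file_contexts specificity ordering rather than by intent, so one set of files ends up mislabelled (helper binaries as lib_t or .so files as bin_t). Consider restricting this entry to plain files with a name pattern that does not cover the `lib*.so*` objects, or at least a comment explaining how the overlap is resolved; `.+` is also unusual here, where the surrounding entries use `(/.*)?`.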
@@ -201,6 +203,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/selinux/hll/pp		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ssh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -259,6 +262,7 @@ ifdef(`distro_gentoo',`
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
+/usr/share/mdadm/checkarray	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/(.*/)?bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/ajaxterm.py.* --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/qweb.py.* --	gen_context(system_u:object_r:bin_t,s0)
@@ -289,6 +293,7 @@ ifdef(`distro_gentoo',`
 /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/reportbug/handle_bugscript -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/sandbox/sandboxX.sh	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/sectool/.*\.py	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
--- refpolicy-2.20170329.orig/policy/modules/kernel/files.fc
+++ refpolicy-2.20170329/policy/modules/kernel/files.fc
@@ -215,6 +215,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
 ifdef(`distro_debian',`
 # on Debian /lib/init/rw is a tmpfs used like /run
 /usr/lib/init/rw(/.*)?		gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
+/run/resolvconf(/.*)? -d	gen_context(system_u:object_r:etc_t,s0)
 ')
 
 ifndef(`distro_redhat',`
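Review bot: The `-d` flag on `/run/resolvconf(/.*)? -d` restricts the entry to directories, so files that resolvconf writes beneath it (presumably the generated resolv.conf, which is the reason for wanting etc_t) are not covered and fall through to whatever the generic /run pattern gives them. If the whole tree is meant to be etc_t, drop the flag: `/run/resolvconf(/.*)?	gen_context(system_u:object_r:etc_t,s0)`; if only the directories should be etc_t, a comment saying why the files are excluded would help the next reader.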
--- refpolicy-2.20170329.orig/policy/modules/kernel/terminal.fc
+++ refpolicy-2.20170329/policy/modules/kernel/terminal.fc
@@ -14,6 +14,7 @@
 /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
+/dev/pts/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
 /dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
@@ -24,7 +25,6 @@
 /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
 
 /dev/pts		-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
-/dev/pts/ptmx		-c	gen_context(system_u:object_r:devpts_t,s0)
 /dev/pts/[0-9]+		-c	gen_context(system_u:object_r:user_devpts_t,s0)
 
 /dev/tts/[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
--- refpolicy-2.20170329.orig/policy/modules/services/xserver.fc
+++ refpolicy-2.20170329/policy/modules/services/xserver.fc
@@ -32,6 +33,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /etc/kde[34]?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
 
 /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/etc/sddm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 
 /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
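Review bot: The xserver.fc hunk headers start at `@@ -32,6 +33,7 @@` although no earlier hunk in this file adds a line, so the new-side offsets (+33, +67, +118, +128) do not follow from the patch itself; it looks like the diff was taken against a tree with another local change and then trimmed by hand. `patch` applies such hunks with fuzz, but stricter tooling may flag the mismatch, so regenerating this file's diff from a clean tree would spare whoever commits it a spurious failure.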
@@ -65,6 +67,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /usr/bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/sddm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -115,6 +118,7 @@ ifndef(`distro_debian',`
 /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/sddm(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
 
 /var/log/[kwx]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/lightdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
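Review bot: `/var/lib/sddm(/.*)?` is labelled xkb_var_lib_t, the type of the X keyboard data directory on the line above, not the display-manager state type; the lxdm and [xkw]dm entries two lines up use xdm_var_lib_t, and the other sddm entries in this patch (`/usr/bin/sddm` → xdm_exec_t, `/run/sddm` → xdm_var_run_t) follow the xdm naming. This looks like a copy-and-paste from the xkb line and should read `/var/lib/sddm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)`. As written, the xdm domain's rules for its own var_lib type would not apply to sddm's state directory.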
@@ -124,6 +128,7 @@ ifndef(`distro_debian',`
 /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
 
+/run/sddm(/.*)?			gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/gdm(3)?\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
--- refpolicy-2.20170329.orig/policy/modules/system/init.fc
+++ refpolicy-2.20170329/policy/modules/system/init.fc
@@ -38,7 +38,6 @@ ifdef(`distro_gentoo', `
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 
-/usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/init(ng)?	--	gen_context(system_u:object_r:init_exec_t,s0)
 /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
@@ -65,6 +64,10 @@ ifdef(`distro_gentoo', `
 ifdef(`distro_debian',`
 /run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/kdm/.*		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/etc/network/if-pre-up.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-up.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-down.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-post-down.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
 ')
 
 ifdef(`distro_gentoo', `
--- refpolicy-2.20170329.orig/policy/modules/system/libraries.fc
+++ refpolicy-2.20170329/policy/modules/system/libraries.fc
@@ -105,6 +105,7 @@ ifdef(`distro_debian',`
 /usr/(.*/)?dh-python/dh_pypy		--	gen_context(system_u:object_r:lib_t,s0)
 ')
 
+/usr/lib/postfix/lib.*so.*		--	gen_context(system_u:object_r:lib_t,s0)
 /usr/lib/altivec/libavcodec\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/cedega/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/dovecot/(.*/)?lib.*\.so.*      --      gen_context(system_u:object_r:lib_t,s0)
--- refpolicy-2.20170329.orig/policy/modules/system/lvm.fc
+++ refpolicy-2.20170329/policy/modules/system/lvm.fc
@@ -42,6 +42,7 @@ ifdef(`distro_gentoo',`
 /usr/sbin/lvdisplay		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvextend		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvm			--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/sbin/lvmetad		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvm\.static		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvmchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/lvmdiskscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -93,3 +94,4 @@ ifdef(`distro_gentoo',`
 /var/lock/lvm(/.*)?			gen_context(system_u:object_r:lvm_lock_t,s0)
 /run/multipathd\.sock		-s	gen_context(system_u:object_r:lvm_var_run_t,s0)
 /run/dmevent.*				gen_context(system_u:object_r:lvm_var_run_t,s0)
+/run/lvm(/.*)?				gen_context(system_u:object_r:lvm_var_run_t,s0)
--- refpolicy-2.20170329.orig/policy/modules/system/miscfiles.fc
+++ refpolicy-2.20170329/policy/modules/system/miscfiles.fc
@@ -12,7 +12,7 @@ ifdef(`distro_gentoo',`
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
-/etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+/etc/ssl/private(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
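Review bot: Narrowing the cert_t entry to /etc/ssl/private does not by itself add protection for the private keys, because they keep the same cert_t type that every domain with certificate read access (the /etc/pki tree and the httpd alias db above) already reads. If the goal is to separate private key material from public certificates, what provides the separation is a distinct type for the private directory, with /etc/ssl/certs and openssl.cnf still readable as certificates; with this hunk alone the public files merely fall back to the generic /etc label while the private keys are no harder to reach than before. Whichever is intended, a comment on the entry stating the intent would help.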
 
 ifdef(`distro_debian',`
--- refpolicy-2.20170329.orig/policy/modules/system/udev.fc
+++ refpolicy-2.20170329/policy/modules/system/udev.fc
@@ -39,4 +39,5 @@ ifdef(`distro_redhat',`
 
 ifdef(`distro_debian',`
 /run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
+/run/console-setup(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
 ')


* [refpolicy] [PATCH] misc fc changes
  2017-04-02  8:58 [refpolicy] [PATCH] misc fc changes Russell Coker
@ 2017-04-03 23:11 ` Chris PeBenito
  2017-04-04  1:21   ` Russell Coker
  2017-04-04  7:23 ` Dominick Grift
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 21+ messages in thread
From: Chris PeBenito @ 2017-04-03 23:11 UTC (permalink / raw)
  To: refpolicy

On 04/02/2017 04:58 AM, Russell Coker via refpolicy wrote:
> Remove acct_exec_t label for /etc/cron\.(daily|monthly)/acct so it gets bin_t
>
> Label /dev/pts/ptmx as ptmx_t.  It always should have been labelled like this
> but the presence of a device /dev/ptmx concealed it.  With a container
> created by systemd-nspawn (and possibly other situations) /dev/ptmx is a
> symlink and we need correct labelling of /dev/pts/ptmx.
>
> Remove labelling of /usr/sbin/apachectl as initrc_exec_t so system scripts can
> run it without a domain transition.
>
> Also lots of little changes that are obvious.
>
>
> --- refpolicy-2.20170329.orig/policy/modules/contrib/acct.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/acct.fc
> @@ -1,5 +1,3 @@
> -/etc/cron\.(daily|monthly)/acct	--	gen_context(system_u:object_r:acct_exec_t,s0)
> -
>  /etc/rc\.d/init\.d/psacct	--	gen_context(system_u:object_r:acct_initrc_exec_t,s0)
>
>  /usr/sbin/accton	--	gen_context(system_u:object_r:acct_exec_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/contrib/apache.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/apache.fc
> @@ -86,6 +86,7 @@ ifdef(`distro_suse',`
>  /usr/share/mythtv/data(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
>  /usr/share/ntop/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
>  /usr/share/openca/htdocs(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/postfixadmin/templates_c(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>  /usr/share/selinux-policy[^/]*/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
>  /usr/share/wordpress/.*\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
>  /usr/share/wordpress-mu/wp-config\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/contrib/apt.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/apt.fc
> @@ -14,6 +14,7 @@ ifndef(`distro_redhat',`
>
>  /var/lib/apt(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
>  /var/lib/aptitude(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
> +/var/lib/apt-xapian-inde(x)(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
>
>  /var/lock/aptitude	gen_context(system_u:object_r:apt_lock_t,s0)
>
> --- refpolicy-2.20170329.orig/policy/modules/contrib/dirmngr.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/dirmngr.fc
> @@ -7,6 +7,7 @@
>  /var/log/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_log_t,s0)
>
>  /var/lib/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
> +/var/cache/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
>
>  /run/dirmngr\.pid	--	gen_context(system_u:object_r:dirmngr_var_run_t,s0)
>
> --- refpolicy-2.20170329.orig/policy/modules/contrib/dpkg.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/dpkg.fc
> @@ -4,6 +4,7 @@
>  /usr/bin/dpkg	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
>  /usr/bin/dselect	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
>
> +/var/lib/debtags(/.*)?	gen_context(system_u:object_r:dpkg_var_lib_t,s0)
>  /var/lib/dpkg(/.*)?	gen_context(system_u:object_r:dpkg_var_lib_t,s0)
>  /var/lib/dpkg/(meth)?lock	--	gen_context(system_u:object_r:dpkg_lock_t,s0)
>
> --- refpolicy-2.20170329.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20170329/policy/modules/kernel/corecommands.fc
> @@ -151,6 +151,7 @@ ifdef(`distro_gentoo',`
>  /usr/bin/zsh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
>
>  /usr/lib/(.*/)?bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/postfix/configure-instance.sh -- gen_context(system_u:object_r:bin_t,s0)
>
>  /usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/(.*/)?sbin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
> @@ -158,6 +159,7 @@ ifdef(`distro_gentoo',`
>  /usr/lib/at-spi2-core(/.*)?		gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/avahi/avahi-daemon-check-dns\.sh	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/dovecot/.+			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/fence(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
> @@ -201,6 +203,7 @@ ifdef(`distro_gentoo',`
>  /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/selinux/hll/pp		--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/ssh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
> @@ -259,6 +262,7 @@ ifdef(`distro_gentoo',`
>  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
>  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
>
> +/usr/share/mdadm/checkarray	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/(.*/)?bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/ajaxterm/ajaxterm.py.* --	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/ajaxterm/qweb.py.* --	gen_context(system_u:object_r:bin_t,s0)
> @@ -289,6 +293,7 @@ ifdef(`distro_gentoo',`
>  /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
> +/usr/share/reportbug/handle_bugscript -- gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/sandbox/sandboxX.sh	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/sectool/.*\.py	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/kernel/files.fc
> +++ refpolicy-2.20170329/policy/modules/kernel/files.fc
> @@ -215,6 +215,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
>  ifdef(`distro_debian',`
>  # on Debian /lib/init/rw is a tmpfs used like /run
>  /usr/lib/init/rw(/.*)?		gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
> +/run/resolvconf(/.*)? -d	gen_context(system_u:object_r:etc_t,s0)
>  ')
>
>  ifndef(`distro_redhat',`
> --- refpolicy-2.20170329.orig/policy/modules/kernel/terminal.fc
> +++ refpolicy-2.20170329/policy/modules/kernel/terminal.fc
> @@ -14,6 +14,7 @@
>  /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
>  /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
>  /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
> +/dev/pts/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
>  /dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
>  /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
>  /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
> @@ -24,7 +25,6 @@
>  /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
>
>  /dev/pts		-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
> -/dev/pts/ptmx		-c	gen_context(system_u:object_r:devpts_t,s0)
>  /dev/pts/[0-9]+		-c	gen_context(system_u:object_r:user_devpts_t,s0)
>
>  /dev/tts/[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/services/xserver.fc
> +++ refpolicy-2.20170329/policy/modules/services/xserver.fc
> @@ -32,6 +33,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /etc/kde[34]?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
>
>  /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
> +/etc/sddm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
>
>  /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
>  /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
> @@ -65,6 +67,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /usr/bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
> +/usr/bin/sddm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
>  /usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
> @@ -115,6 +118,7 @@ ifndef(`distro_debian',`
>  /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
>  /var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
>  /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
> +/var/lib/sddm(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
>
>  /var/log/[kwx]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
>  /var/log/lightdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
> @@ -124,6 +128,7 @@ ifndef(`distro_debian',`
>  /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
>  /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
>
> +/run/sddm(/.*)?			gen_context(system_u:object_r:xdm_var_run_t,s0)
>  /run/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
>  /run/gdm(3)?\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
>  /run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/system/init.fc
> +++ refpolicy-2.20170329/policy/modules/system/init.fc
> @@ -38,7 +38,6 @@ ifdef(`distro_gentoo', `
>  /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
>  /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
>
> -/usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
>  /usr/sbin/init(ng)?	--	gen_context(system_u:object_r:init_exec_t,s0)
>  /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
>  /usr/sbin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
> @@ -65,6 +64,10 @@ ifdef(`distro_gentoo', `
>  ifdef(`distro_debian',`
>  /run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
>  /run/kdm/.*		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/etc/network/if-pre-up.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
> +/etc/network/if-up.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
> +/etc/network/if-down.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
> +/etc/network/if-post-down.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
>  ')
>
>  ifdef(`distro_gentoo', `
> --- refpolicy-2.20170329.orig/policy/modules/system/libraries.fc
> +++ refpolicy-2.20170329/policy/modules/system/libraries.fc
> @@ -105,6 +105,7 @@ ifdef(`distro_debian',`
>  /usr/(.*/)?dh-python/dh_pypy		--	gen_context(system_u:object_r:lib_t,s0)
>  ')
>
> +/usr/lib/postfix/lib.*so.*		--	gen_context(system_u:object_r:lib_t,s0)
>  /usr/lib/altivec/libavcodec\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
>  /usr/lib/cedega/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
>  /usr/lib/dovecot/(.*/)?lib.*\.so.*      --      gen_context(system_u:object_r:lib_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/system/lvm.fc
> +++ refpolicy-2.20170329/policy/modules/system/lvm.fc
> @@ -42,6 +42,7 @@ ifdef(`distro_gentoo',`
>  /usr/sbin/lvdisplay		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvextend		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvm			--	gen_context(system_u:object_r:lvm_exec_t,s0)
> +/usr/sbin/lvmetad		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvm\.static		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvmchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvmdiskscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
> @@ -93,3 +94,4 @@ ifdef(`distro_gentoo',`
>  /var/lock/lvm(/.*)?			gen_context(system_u:object_r:lvm_lock_t,s0)
>  /run/multipathd\.sock		-s	gen_context(system_u:object_r:lvm_var_run_t,s0)
>  /run/dmevent.*				gen_context(system_u:object_r:lvm_var_run_t,s0)
> +/run/lvm(/.*)?				gen_context(system_u:object_r:lvm_var_run_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/system/miscfiles.fc
> +++ refpolicy-2.20170329/policy/modules/system/miscfiles.fc
> @@ -12,7 +12,7 @@ ifdef(`distro_gentoo',`
>  /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
>  /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
>  /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
> -/etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
> +/etc/ssl/private(/.*)?			gen_context(system_u:object_r:cert_t,s0)

I think I'm ok with everything else except this.  Why shouldn't all 
those certs be protected specially?



>  /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
>
>  ifdef(`distro_debian',`
> --- refpolicy-2.20170329.orig/policy/modules/system/udev.fc
> +++ refpolicy-2.20170329/policy/modules/system/udev.fc
> @@ -39,4 +39,5 @@ ifdef(`distro_redhat',`
>
>  ifdef(`distro_debian',`
>  /run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
> +/run/console-setup(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
>  ')



-- 
Chris PeBenito


* [refpolicy] [PATCH] misc fc changes
  2017-04-03 23:11 ` Chris PeBenito
@ 2017-04-04  1:21   ` Russell Coker
  2017-04-04 22:50     ` Chris PeBenito
  0 siblings, 1 reply; 21+ messages in thread
From: Russell Coker @ 2017-04-04  1:21 UTC (permalink / raw)
  To: refpolicy

On Tue, 4 Apr 2017 09:11:51 AM Chris PeBenito via refpolicy wrote:
> > --- refpolicy-2.20170329.orig/policy/modules/system/miscfiles.fc
> > +++ refpolicy-2.20170329/policy/modules/system/miscfiles.fc
> > @@ -12,7 +12,7 @@ ifdef(`distro_gentoo',`
> >
> >  /etc/httpd/alias/[^/]*\.db(\.[^/]*)* --
> >gen_context(system_u:object_r:cert_t,s0)
> >/etc/localtime               --      gen_context(system_u:object_r:locale
> >_t,s0)
> >/etc/pki(/.*)?                       gen_context(system_u:object_r:cert_t
> >,s0)
> >
> > -/etc/ssl(/.*)?                       gen_context(system_u:object_r:cert_
> > t,s0)
> > +/etc/ssl/private(/.*)?                       gen_context(system_u:objec
> > t_r:cert_t,s0)
> 
> I think I'm ok with everything else except this.  Why shouldn't all 
> those certs be protected specially?

The private directory is for private keys that need protection.
/etc/ssl/certs is for public keys of CAs that need to be read by many programs
that don't need access to private keys (i.e. any program that wants to verify an
SSL server).  /etc/ssl/openssl.cnf is for openssl configuration that again may
be read by programs that don't have any particular privileges.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH] misc fc changes
  2017-04-02  8:58 [refpolicy] [PATCH] misc fc changes Russell Coker
  2017-04-03 23:11 ` Chris PeBenito
@ 2017-04-04  7:23 ` Dominick Grift
  2017-04-04  7:47   ` Russell Coker
  2017-04-04  7:32 ` Dominick Grift
  2017-04-04  7:44 ` Dominick Grift
  3 siblings, 1 reply; 21+ messages in thread
From: Dominick Grift @ 2017-04-04  7:23 UTC (permalink / raw)
  To: refpolicy

On Sun, Apr 02, 2017 at 06:58:05PM +1000, Russell Coker via refpolicy wrote:
> Remove acct_exec_t label for /etc/cron\.(daily|monthly)/acct so it gets bin_t
> 
> Label /dev/pts/ptmx as ptmx_t.  It always should have been labelled like this
> but the presence of a device /dev/ptmx concealed it.  With a container
> created by systemd-nspawn (and possibly other situations) /dev/ptmx is a
> symlink and we need correct labelling of /dev/pts/ptmx.
> 
> Remove labelling of /usr/sbin/apachectl as initrc_exec_t so system scripts can
> run it without a domain transition.
> 
> Also lots of little changes that are obvious.
> 
> 
> --- refpolicy-2.20170329.orig/policy/modules/contrib/acct.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/acct.fc
> @@ -1,5 +1,3 @@
> -/etc/cron\.(daily|monthly)/acct	--	gen_context(system_u:object_r:acct_exec_t,s0)
> -
>  /etc/rc\.d/init\.d/psacct	--	gen_context(system_u:object_r:acct_initrc_exec_t,s0)
>  
>  /usr/sbin/accton	--	gen_context(system_u:object_r:acct_exec_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/contrib/apache.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/apache.fc
> @@ -86,6 +86,7 @@ ifdef(`distro_suse',`
>  /usr/share/mythtv/data(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
>  /usr/share/ntop/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
>  /usr/share/openca/htdocs(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/postfixadmin/templates_c(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>  /usr/share/selinux-policy[^/]*/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
>  /usr/share/wordpress/.*\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
>  /usr/share/wordpress-mu/wp-config\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/contrib/apt.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/apt.fc
> @@ -14,6 +14,7 @@ ifndef(`distro_redhat',`
>  
>  /var/lib/apt(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
>  /var/lib/aptitude(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
> +/var/lib/apt-xapian-inde(x)(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
>  
>  /var/lock/aptitude	gen_context(system_u:object_r:apt_lock_t,s0)
>  
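Review bot: The parenthesised `(x)` in `/var/lib/apt-xapian-inde(x)(/.*)?` is a one-character group that matches exactly what the literal `x` would, so it reads as a leftover rather than intent. `/var/lib/apt-xapian-index(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)` says the same thing and matches the style of the `aptitude` entry above it. If the group was meant to guarantee regex treatment of the spec, the trailing `(/.*)?` already does that.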
> --- refpolicy-2.20170329.orig/policy/modules/contrib/dirmngr.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/dirmngr.fc
> @@ -7,6 +7,7 @@
>  /var/log/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_log_t,s0)
>  
>  /var/lib/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
> +/var/cache/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
>  
>  /run/dirmngr\.pid	--	gen_context(system_u:object_r:dirmngr_var_run_t,s0)
>  
> --- refpolicy-2.20170329.orig/policy/modules/contrib/dpkg.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/dpkg.fc
> @@ -4,6 +4,7 @@
>  /usr/bin/dpkg	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
>  /usr/bin/dselect	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
>  
> +/var/lib/debtags(/.*)?	gen_context(system_u:object_r:dpkg_var_lib_t,s0)
>  /var/lib/dpkg(/.*)?	gen_context(system_u:object_r:dpkg_var_lib_t,s0)
>  /var/lib/dpkg/(meth)?lock	--	gen_context(system_u:object_r:dpkg_lock_t,s0)
>  
> --- refpolicy-2.20170329.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20170329/policy/modules/kernel/corecommands.fc
> @@ -151,6 +151,7 @@ ifdef(`distro_gentoo',`
>  /usr/bin/zsh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
>  
>  /usr/lib/(.*/)?bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/postfix/configure-instance.sh -- gen_context(system_u:object_r:bin_t,s0)
>  
>  /usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/(.*/)?sbin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
> @@ -158,6 +159,7 @@ ifdef(`distro_gentoo',`
>  /usr/lib/at-spi2-core(/.*)?		gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/avahi/avahi-daemon-check-dns\.sh	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/dovecot/.+			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/fence(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
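Review bot: `/usr/lib/dovecot/.+` labels every file under that tree bin_t, which overlaps the existing lib_t entry `/usr/lib/dovecot/(.*/)?lib.*\.so.*` quoted further down in the libraries.fc hunk of this same patch. Which label dovecot's shared objects end up with depends on how the two specs sort in the compiled file_contexts, which is not visible here, and a library relabelled bin_t would be an executable-file type rather than a mappable-library type for the domains that load it. It is worth confirming with `matchpathcon /usr/lib/dovecot/<LIBRARY-PATH>` after the build; if the libraries come out bin_t, the new entry needs narrowing to the helper executables it is actually meant for.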
> @@ -201,6 +203,7 @@ ifdef(`distro_gentoo',`
>  /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/selinux/hll/pp		--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/ssh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
> @@ -259,6 +262,7 @@ ifdef(`distro_gentoo',`
>  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
>  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
>  
> +/usr/share/mdadm/checkarray	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/(.*/)?bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/ajaxterm/ajaxterm.py.* --	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/ajaxterm/qweb.py.* --	gen_context(system_u:object_r:bin_t,s0)
> @@ -289,6 +293,7 @@ ifdef(`distro_gentoo',`
>  /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
> +/usr/share/reportbug/handle_bugscript -- gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/sandbox/sandboxX.sh	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/sectool/.*\.py	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/kernel/files.fc
> +++ refpolicy-2.20170329/policy/modules/kernel/files.fc
> @@ -215,6 +215,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
>  ifdef(`distro_debian',`
>  # on Debian /lib/init/rw is a tmpfs used like /run
>  /usr/lib/init/rw(/.*)?		gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
> +/run/resolvconf(/.*)? -d	gen_context(system_u:object_r:etc_t,s0)
>  ')
>  
>  ifndef(`distro_redhat',`
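Review bot: `/run/resolvconf(/.*)? -d` applies etc_t to directories only, so the files resolvconf writes below it are not covered by this spec. Presumably they pick up etc_t by inheriting from the directory when created, but a restorecon would relabel them by whichever generic /run entry matches regular files, so the label of the same file would differ between a fresh boot and a relabel. If the intent is that the generated resolv.conf be read as etc_t, the entry should probably cover files as well, i.e. `/run/resolvconf(/.*)?	gen_context(system_u:object_r:etc_t,s0)` without the `-d`, so both paths agree.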
> --- refpolicy-2.20170329.orig/policy/modules/kernel/terminal.fc
> +++ refpolicy-2.20170329/policy/modules/kernel/terminal.fc
> @@ -14,6 +14,7 @@
>  /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
>  /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
>  /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
> +/dev/pts/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)

This is probably going to cause issues. This file will be created with devpts_t (there is no other way), so you will have to rely on early relabeling of /dev/pts to get this done.
Not all systems relabel /dev(/pts) early on, so you might end up with devpts_t on some systems and ptmx_t on others (inconsistency).

Leaving it devpts_t will at least allow you to rely on the labeling being consistent, and since that is the only file that will ever legitimately end up devpts_t, that should not be a problem.

>  /dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
>  /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
>  /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
> @@ -24,7 +25,6 @@
>  /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
>  
>  /dev/pts		-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
> -/dev/pts/ptmx		-c	gen_context(system_u:object_r:devpts_t,s0)
>  /dev/pts/[0-9]+		-c	gen_context(system_u:object_r:user_devpts_t,s0)
>  
>  /dev/tts/[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/services/xserver.fc
> +++ refpolicy-2.20170329/policy/modules/services/xserver.fc
> @@ -32,6 +33,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /etc/kde[34]?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
>  
>  /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
> +/etc/sddm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
>  
>  /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
>  /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
> @@ -65,6 +67,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /usr/bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
> +/usr/bin/sddm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
>  /usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
> @@ -115,6 +118,7 @@ ifndef(`distro_debian',`
>  /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
>  /var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
>  /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
> +/var/lib/sddm(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
>  
>  /var/log/[kwx]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
>  /var/log/lightdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
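Review bot: `/var/lib/sddm(/.*)?` is given xkb_var_lib_t, the type of the xkb entry it sits under, while the display-manager state directories around it (`/var/lib/lxdm`, `/var/lib/[xkw]dm`) are xdm_var_lib_t and every other sddm entry in this patch uses an xdm_* or xsession type. Unless sddm's state directory really holds keyboard-map data this looks like a copy-paste slip, and it would hand sddm's runtime state to the domains allowed to manage xkb data rather than to the xdm domain; `/var/lib/sddm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)` would match the rest.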
> @@ -124,6 +128,7 @@ ifndef(`distro_debian',`
>  /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
>  /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
>  
> +/run/sddm(/.*)?			gen_context(system_u:object_r:xdm_var_run_t,s0)
>  /run/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
>  /run/gdm(3)?\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
>  /run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/system/init.fc
> +++ refpolicy-2.20170329/policy/modules/system/init.fc
> @@ -38,7 +38,6 @@ ifdef(`distro_gentoo', `
>  /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
>  /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
>  
> -/usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
>  /usr/sbin/init(ng)?	--	gen_context(system_u:object_r:init_exec_t,s0)
>  /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
>  /usr/sbin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
> @@ -65,6 +64,10 @@ ifdef(`distro_gentoo', `
>  ifdef(`distro_debian',`
>  /run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
>  /run/kdm/.*		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/etc/network/if-pre-up.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
> +/etc/network/if-up.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
> +/etc/network/if-down.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
> +/etc/network/if-post-down.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
>  ')
>  
>  ifdef(`distro_gentoo', `
> --- refpolicy-2.20170329.orig/policy/modules/system/libraries.fc
> +++ refpolicy-2.20170329/policy/modules/system/libraries.fc
> @@ -105,6 +105,7 @@ ifdef(`distro_debian',`
>  /usr/(.*/)?dh-python/dh_pypy		--	gen_context(system_u:object_r:lib_t,s0)
>  ')
>  
> +/usr/lib/postfix/lib.*so.*		--	gen_context(system_u:object_r:lib_t,s0)
>  /usr/lib/altivec/libavcodec\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
>  /usr/lib/cedega/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
>  /usr/lib/dovecot/(.*/)?lib.*\.so.*      --      gen_context(system_u:object_r:lib_t,s0)
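Review bot: `/usr/lib/postfix/lib.*so.*` leaves the dot before `so` unescaped, so it also matches any file whose name starts with `lib` and merely contains `so` somewhere, and it differs from the sibling dovecot entry three lines down, which spells it `lib.*\.so.*`. `/usr/lib/postfix/lib.*\.so.*		--	gen_context(system_u:object_r:lib_t,s0)` keeps the two consistent and limits the lib_t label to shared objects.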
> --- refpolicy-2.20170329.orig/policy/modules/system/lvm.fc
> +++ refpolicy-2.20170329/policy/modules/system/lvm.fc
> @@ -42,6 +42,7 @@ ifdef(`distro_gentoo',`
>  /usr/sbin/lvdisplay		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvextend		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvm			--	gen_context(system_u:object_r:lvm_exec_t,s0)
> +/usr/sbin/lvmetad		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvm\.static		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvmchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvmdiskscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
> @@ -93,3 +94,4 @@ ifdef(`distro_gentoo',`
>  /var/lock/lvm(/.*)?			gen_context(system_u:object_r:lvm_lock_t,s0)
>  /run/multipathd\.sock		-s	gen_context(system_u:object_r:lvm_var_run_t,s0)
>  /run/dmevent.*				gen_context(system_u:object_r:lvm_var_run_t,s0)
> +/run/lvm(/.*)?				gen_context(system_u:object_r:lvm_var_run_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/system/miscfiles.fc
> +++ refpolicy-2.20170329/policy/modules/system/miscfiles.fc
> @@ -12,7 +12,7 @@ ifdef(`distro_gentoo',`
>  /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
>  /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
>  /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
> -/etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
> +/etc/ssl/private(/.*)?			gen_context(system_u:object_r:cert_t,s0)
>  /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
>  
>  ifdef(`distro_debian',`
> --- refpolicy-2.20170329.orig/policy/modules/system/udev.fc
> +++ refpolicy-2.20170329/policy/modules/system/udev.fc
> @@ -39,4 +39,5 @@ ifdef(`distro_redhat',`
>  
>  ifdef(`distro_debian',`
>  /run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
> +/run/console-setup(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
>  ')

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* [refpolicy] [PATCH] misc fc changes
  2017-04-02  8:58 [refpolicy] [PATCH] misc fc changes Russell Coker
  2017-04-03 23:11 ` Chris PeBenito
  2017-04-04  7:23 ` Dominick Grift
@ 2017-04-04  7:32 ` Dominick Grift
  2017-04-04  7:49   ` Russell Coker
  2017-04-04  7:44 ` Dominick Grift
  3 siblings, 1 reply; 21+ messages in thread
From: Dominick Grift @ 2017-04-04  7:32 UTC (permalink / raw)
  To: refpolicy

On Sun, Apr 02, 2017 at 06:58:05PM +1000, Russell Coker via refpolicy wrote:
> Remove acct_exec_t label for /etc/cron\.(daily|monthly)/acct so it gets bin_t
> 
> Label /dev/pts/ptmx as ptmx_t.  It always should have been labelled like this
> but the presence of a device /dev/ptmx concealed it.  With a container
> created by systemd-nspawn (and possibly other situations) /dev/ptmx is a
> symlink and we need correct labelling of /dev/pts/ptmx.
> 
> Remove labelling of /usr/sbin/apachectl as initrc_exec_t so system scripts can
> run it without a domain transition.
> 
> Also lots of little changes that are obvious.
> 
> 
> --- refpolicy-2.20170329.orig/policy/modules/contrib/acct.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/acct.fc
> @@ -1,5 +1,3 @@
> -/etc/cron\.(daily|monthly)/acct	--	gen_context(system_u:object_r:acct_exec_t,s0)
> -
>  /etc/rc\.d/init\.d/psacct	--	gen_context(system_u:object_r:acct_initrc_exec_t,s0)
>  
>  /usr/sbin/accton	--	gen_context(system_u:object_r:acct_exec_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/contrib/apache.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/apache.fc
> @@ -86,6 +86,7 @@ ifdef(`distro_suse',`
>  /usr/share/mythtv/data(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
>  /usr/share/ntop/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
>  /usr/share/openca/htdocs(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/postfixadmin/templates_c(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>  /usr/share/selinux-policy[^/]*/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
>  /usr/share/wordpress/.*\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
>  /usr/share/wordpress-mu/wp-config\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/contrib/apt.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/apt.fc
> @@ -14,6 +14,7 @@ ifndef(`distro_redhat',`
>  
>  /var/lib/apt(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
>  /var/lib/aptitude(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
> +/var/lib/apt-xapian-inde(x)(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
>  
>  /var/lock/aptitude	gen_context(system_u:object_r:apt_lock_t,s0)
>  
> --- refpolicy-2.20170329.orig/policy/modules/contrib/dirmngr.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/dirmngr.fc
> @@ -7,6 +7,7 @@
>  /var/log/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_log_t,s0)
>  
>  /var/lib/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
> +/var/cache/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
>  
>  /run/dirmngr\.pid	--	gen_context(system_u:object_r:dirmngr_var_run_t,s0)
>  
> --- refpolicy-2.20170329.orig/policy/modules/contrib/dpkg.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/dpkg.fc
> @@ -4,6 +4,7 @@
>  /usr/bin/dpkg	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
>  /usr/bin/dselect	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
>  
> +/var/lib/debtags(/.*)?	gen_context(system_u:object_r:dpkg_var_lib_t,s0)
>  /var/lib/dpkg(/.*)?	gen_context(system_u:object_r:dpkg_var_lib_t,s0)
>  /var/lib/dpkg/(meth)?lock	--	gen_context(system_u:object_r:dpkg_lock_t,s0)
>  
> --- refpolicy-2.20170329.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20170329/policy/modules/kernel/corecommands.fc
> @@ -151,6 +151,7 @@ ifdef(`distro_gentoo',`
>  /usr/bin/zsh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
>  
>  /usr/lib/(.*/)?bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/postfix/configure-instance.sh -- gen_context(system_u:object_r:bin_t,s0)
>  
>  /usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/(.*/)?sbin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
> @@ -158,6 +159,7 @@ ifdef(`distro_gentoo',`
>  /usr/lib/at-spi2-core(/.*)?		gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/avahi/avahi-daemon-check-dns\.sh	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/dovecot/.+			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/fence(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
> @@ -201,6 +203,7 @@ ifdef(`distro_gentoo',`
>  /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/selinux/hll/pp		--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/ssh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
> @@ -259,6 +262,7 @@ ifdef(`distro_gentoo',`
>  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
>  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
>  
> +/usr/share/mdadm/checkarray	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/(.*/)?bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/ajaxterm/ajaxterm.py.* --	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/ajaxterm/qweb.py.* --	gen_context(system_u:object_r:bin_t,s0)
> @@ -289,6 +293,7 @@ ifdef(`distro_gentoo',`
>  /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
> +/usr/share/reportbug/handle_bugscript -- gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/sandbox/sandboxX.sh	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/sectool/.*\.py	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/kernel/files.fc
> +++ refpolicy-2.20170329/policy/modules/kernel/files.fc
> @@ -215,6 +215,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
>  ifdef(`distro_debian',`
>  # on Debian /lib/init/rw is a tmpfs used like /run
>  /usr/lib/init/rw(/.*)?		gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
> +/run/resolvconf(/.*)? -d	gen_context(system_u:object_r:etc_t,s0)
>  ')
>  
>  ifndef(`distro_redhat',`
> --- refpolicy-2.20170329.orig/policy/modules/kernel/terminal.fc
> +++ refpolicy-2.20170329/policy/modules/kernel/terminal.fc
> @@ -14,6 +14,7 @@
>  /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
>  /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
>  /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
> +/dev/pts/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
>  /dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
>  /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
>  /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
> @@ -24,7 +25,6 @@
>  /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
>  
>  /dev/pts		-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
> -/dev/pts/ptmx		-c	gen_context(system_u:object_r:devpts_t,s0)
>  /dev/pts/[0-9]+		-c	gen_context(system_u:object_r:user_devpts_t,s0)
>  
>  /dev/tts/[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/services/xserver.fc
> +++ refpolicy-2.20170329/policy/modules/services/xserver.fc
> @@ -32,6 +33,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /etc/kde[34]?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
>  
>  /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
> +/etc/sddm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
>  
>  /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
>  /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
> @@ -65,6 +67,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /usr/bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
> +/usr/bin/sddm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
>  /usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
> @@ -115,6 +118,7 @@ ifndef(`distro_debian',`
>  /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
>  /var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
>  /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
> +/var/lib/sddm(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
>  
>  /var/log/[kwx]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
>  /var/log/lightdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
> @@ -124,6 +128,7 @@ ifndef(`distro_debian',`
>  /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
>  /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
>  
> +/run/sddm(/.*)?			gen_context(system_u:object_r:xdm_var_run_t,s0)
>  /run/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
>  /run/gdm(3)?\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
>  /run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/system/init.fc
> +++ refpolicy-2.20170329/policy/modules/system/init.fc
> @@ -38,7 +38,6 @@ ifdef(`distro_gentoo', `
>  /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
>  /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
>  
> -/usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
>  /usr/sbin/init(ng)?	--	gen_context(system_u:object_r:init_exec_t,s0)
>  /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
>  /usr/sbin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
> @@ -65,6 +64,10 @@ ifdef(`distro_gentoo', `
>  ifdef(`distro_debian',`
>  /run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
>  /run/kdm/.*		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/etc/network/if-pre-up.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
> +/etc/network/if-up.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
> +/etc/network/if-down.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
> +/etc/network/if-post-down.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)

I would probably use bin_t here if possible, but regardless: you might want to escape the periods there to avoid possible regex issues later on.

>  ')
>  
>  ifdef(`distro_gentoo', `
> --- refpolicy-2.20170329.orig/policy/modules/system/libraries.fc
> +++ refpolicy-2.20170329/policy/modules/system/libraries.fc
> @@ -105,6 +105,7 @@ ifdef(`distro_debian',`
>  /usr/(.*/)?dh-python/dh_pypy		--	gen_context(system_u:object_r:lib_t,s0)
>  ')
>  
> +/usr/lib/postfix/lib.*so.*		--	gen_context(system_u:object_r:lib_t,s0)
>  /usr/lib/altivec/libavcodec\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
>  /usr/lib/cedega/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
>  /usr/lib/dovecot/(.*/)?lib.*\.so.*      --      gen_context(system_u:object_r:lib_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/system/lvm.fc
> +++ refpolicy-2.20170329/policy/modules/system/lvm.fc
> @@ -42,6 +42,7 @@ ifdef(`distro_gentoo',`
>  /usr/sbin/lvdisplay		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvextend		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvm			--	gen_context(system_u:object_r:lvm_exec_t,s0)
> +/usr/sbin/lvmetad		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvm\.static		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvmchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvmdiskscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
> @@ -93,3 +94,4 @@ ifdef(`distro_gentoo',`
>  /var/lock/lvm(/.*)?			gen_context(system_u:object_r:lvm_lock_t,s0)
>  /run/multipathd\.sock		-s	gen_context(system_u:object_r:lvm_var_run_t,s0)
>  /run/dmevent.*				gen_context(system_u:object_r:lvm_var_run_t,s0)
> +/run/lvm(/.*)?				gen_context(system_u:object_r:lvm_var_run_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/system/miscfiles.fc
> +++ refpolicy-2.20170329/policy/modules/system/miscfiles.fc
> @@ -12,7 +12,7 @@ ifdef(`distro_gentoo',`
>  /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
>  /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
>  /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
> -/etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
> +/etc/ssl/private(/.*)?			gen_context(system_u:object_r:cert_t,s0)
>  /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
>  
>  ifdef(`distro_debian',`
> --- refpolicy-2.20170329.orig/policy/modules/system/udev.fc
> +++ refpolicy-2.20170329/policy/modules/system/udev.fc
> @@ -39,4 +39,5 @@ ifdef(`distro_redhat',`
>  
>  ifdef(`distro_debian',`
>  /run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
> +/run/console-setup(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
>  ')

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* [refpolicy] [PATCH] misc fc changes
  2017-04-02  8:58 [refpolicy] [PATCH] misc fc changes Russell Coker
                   ` (2 preceding siblings ...)
  2017-04-04  7:32 ` Dominick Grift
@ 2017-04-04  7:44 ` Dominick Grift
  2017-04-04  8:00   ` Russell Coker
  3 siblings, 1 reply; 21+ messages in thread
From: Dominick Grift @ 2017-04-04  7:44 UTC (permalink / raw)
  To: refpolicy

On Sun, Apr 02, 2017 at 06:58:05PM +1000, Russell Coker via refpolicy wrote:
> Remove acct_exec_t label for /etc/cron\.(daily|monthly)/acct so it gets bin_t
> 
> Label /dev/pts/ptmx as ptmx_t.  It always should have been labelled like this
> but the presence of a device /dev/ptmx concealed it.  With a container
> created by systemd-nspawn (and possibly other situations) /dev/ptmx is a
> symlink and we need correct labelling of /dev/pts/ptmx.
> 
> Remove labelling of /usr/sbin/apachectl as initrc_exec_t so system scripts can
> run it without a domain transition.
> 
> Also lots of little changes that are obvious.
> 
> 
> --- refpolicy-2.20170329.orig/policy/modules/contrib/acct.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/acct.fc
> @@ -1,5 +1,3 @@
> -/etc/cron\.(daily|monthly)/acct	--	gen_context(system_u:object_r:acct_exec_t,s0)
> -

Any specific reason for removing this? system_cronjob_t is pretty broad, so I tend to move stuff out of there whenever that makes even a little sense.

>  /etc/rc\.d/init\.d/psacct	--	gen_context(system_u:object_r:acct_initrc_exec_t,s0)
>  
>  /usr/sbin/accton	--	gen_context(system_u:object_r:acct_exec_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/contrib/apache.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/apache.fc
> @@ -86,6 +86,7 @@ ifdef(`distro_suse',`
>  /usr/share/mythtv/data(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
>  /usr/share/ntop/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
>  /usr/share/openca/htdocs(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/postfixadmin/templates_c(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>  /usr/share/selinux-policy[^/]*/html(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
>  /usr/share/wordpress/.*\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
>  /usr/share/wordpress-mu/wp-config\.php	--	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
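Review bot: `/usr/share/postfixadmin/templates_c(/.*)?` is the only httpd_sys_rw_content_t entry among this block of read-only httpd_sys_content_t paths, and it grants the web server write access to a tree under /usr/share; the description covers it only under "little changes that are obvious". A one-line comment above it saying why this (presumably compiled-template) cache lives under /usr/share rather than a /var location, and therefore has to be writable there, would stop the next reader from treating the rw type as a typo for httpd_sys_content_t.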
> --- refpolicy-2.20170329.orig/policy/modules/contrib/apt.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/apt.fc
> @@ -14,6 +14,7 @@ ifndef(`distro_redhat',`
>  
>  /var/lib/apt(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
>  /var/lib/aptitude(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
> +/var/lib/apt-xapian-inde(x)(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)
>  
>  /var/lock/aptitude	gen_context(system_u:object_r:apt_lock_t,s0)
>  
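Review bot: The `(x)` group in `/var/lib/apt-xapian-inde(x)(/.*)?` is an odd way to spell a literal path; if it is deliberate (for instance to influence how this spec is sorted or matched relative to a neighbouring entry) it needs a comment saying so, otherwise the plain `/var/lib/apt-xapian-index(/.*)?	gen_context(system_u:object_r:apt_var_lib_t,s0)` reads as intended and matches the same paths. The neighbouring `/var/lib/aptitude(/.*)?` entry uses the literal form. This entry sits inside the ifndef(`distro_redhat') block whose opening is outside the hunk.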
> --- refpolicy-2.20170329.orig/policy/modules/contrib/dirmngr.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/dirmngr.fc
> @@ -7,6 +7,7 @@
>  /var/log/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_log_t,s0)
>  
>  /var/lib/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
> +/var/cache/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
>  
>  /run/dirmngr\.pid	--	gen_context(system_u:object_r:dirmngr_var_run_t,s0)
>  
> --- refpolicy-2.20170329.orig/policy/modules/contrib/dpkg.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/dpkg.fc
> @@ -4,6 +4,7 @@
>  /usr/bin/dpkg	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
>  /usr/bin/dselect	--	gen_context(system_u:object_r:dpkg_exec_t,s0)
>  
> +/var/lib/debtags(/.*)?	gen_context(system_u:object_r:dpkg_var_lib_t,s0)
>  /var/lib/dpkg(/.*)?	gen_context(system_u:object_r:dpkg_var_lib_t,s0)
>  /var/lib/dpkg/(meth)?lock	--	gen_context(system_u:object_r:dpkg_lock_t,s0)
>  
> --- refpolicy-2.20170329.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20170329/policy/modules/kernel/corecommands.fc
> @@ -151,6 +151,7 @@ ifdef(`distro_gentoo',`
>  /usr/bin/zsh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
>  
>  /usr/lib/(.*/)?bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/postfix/configure-instance.sh -- gen_context(system_u:object_r:bin_t,s0)
>  
>  /usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/(.*/)?sbin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
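Review bot: The period in `/usr/lib/postfix/configure-instance.sh` is unescaped, unlike the adjacent `avahi-daemon-check-dns\.sh` entry, so it matches any single character there; `/usr/lib/postfix/configure-instance\.sh -- gen_context(system_u:object_r:bin_t,s0)` is the consistent spelling. The libraries.fc hunk in this patch has the same issue in `/usr/lib/postfix/lib.*so.*`, where the unescaped `so` also matches any name starting with lib that merely contains those two letters; `/usr/lib/postfix/lib.*\.so.*`, as the dovecot entry right below it already does, is what is meant. Unlike the if-up.d discussion elsewhere in the thread, here the suffix really is a `.sh`/`.so` extension, which is exactly the case the thread itself identifies as one where the escape matters.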
> @@ -158,6 +159,7 @@ ifdef(`distro_gentoo',`
>  /usr/lib/at-spi2-core(/.*)?		gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/avahi/avahi-daemon-check-dns\.sh	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/dovecot/.+			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/fence(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
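Review bot: `/usr/lib/dovecot/.+` labels every object under that directory bin_t with no file-type restriction, including subdirectories and any shared objects, while the libraries.fc hunk in the same patch keeps `/usr/lib/dovecot/(.*/)?lib.*\.so.*` as lib_t; which of the two wins for a given library depends on the file_contexts precedence rules, and is worth confirming with a restorecon run on a system that has dovecot installed before this is merged. If only the helper executables are meant, a narrower pattern (or at least a `--` file type on this line) avoids relabelling libraries as executables.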
> @@ -201,6 +203,7 @@ ifdef(`distro_gentoo',`
>  /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/selinux/hll/pp		--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/ssh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
> @@ -259,6 +262,7 @@ ifdef(`distro_gentoo',`
>  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
>  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
>  
> +/usr/share/mdadm/checkarray	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/(.*/)?bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/ajaxterm/ajaxterm.py.* --	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/ajaxterm/qweb.py.* --	gen_context(system_u:object_r:bin_t,s0)
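Review bot: `/usr/share/mdadm/checkarray` is inserted ahead of the generic `/usr/share/(.*/)?bin(/.*)?` entry and the alphabetically earlier ajaxterm lines, whereas the rest of this file keeps /usr/share entries in path order; the same applies to the init.fc hunk, where the new `/etc/network/if-*.d` lines sit after the `/run/kdm` entry inside the Debian block. As far as I can tell source order does not affect which spec wins, so this is purely a readability point, but keeping path order makes later merges of these files easier.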
> @@ -289,6 +293,7 @@ ifdef(`distro_gentoo',`
>  /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
> +/usr/share/reportbug/handle_bugscript -- gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/sandbox/sandboxX.sh	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/sectool/.*\.py	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/kernel/files.fc
> +++ refpolicy-2.20170329/policy/modules/kernel/files.fc
> @@ -215,6 +215,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
>  ifdef(`distro_debian',`
>  # on Debian /lib/init/rw is a tmpfs used like /run
>  /usr/lib/init/rw(/.*)?		gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
> +/run/resolvconf(/.*)? -d	gen_context(system_u:object_r:etc_t,s0)
>  ')
>  
>  ifndef(`distro_redhat',`
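Review bot: `/run/resolvconf(/.*)? -d` gives etc_t only to directories, so the files generated inside them get their type from whatever transition the writing domain has, or from the default /run labelling, and nothing in the hunk says which is expected. The existing line above carries a why-comment (`# on Debian /lib/init/rw is a tmpfs used like /run`); this entry should get one in the same style stating why a directory under /run is etc_t and where the files inside are expected to get their type.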
> --- refpolicy-2.20170329.orig/policy/modules/kernel/terminal.fc
> +++ refpolicy-2.20170329/policy/modules/kernel/terminal.fc
> @@ -14,6 +14,7 @@
>  /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
>  /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
>  /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
> +/dev/pts/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
>  /dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
>  /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
>  /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
> @@ -24,7 +25,6 @@
>  /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
>  
>  /dev/pts		-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
> -/dev/pts/ptmx		-c	gen_context(system_u:object_r:devpts_t,s0)
>  /dev/pts/[0-9]+		-c	gen_context(system_u:object_r:user_devpts_t,s0)
>  
>  /dev/tts/[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/services/xserver.fc
> +++ refpolicy-2.20170329/policy/modules/services/xserver.fc
> @@ -32,6 +33,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /etc/kde[34]?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
>  
>  /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
> +/etc/sddm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
>  
>  /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
>  /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
> @@ -65,6 +67,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /usr/bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
> +/usr/bin/sddm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
>  /usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
> @@ -115,6 +118,7 @@ ifndef(`distro_debian',`
>  /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
>  /var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
>  /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
> +/var/lib/sddm(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
>  
>  /var/log/[kwx]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
>  /var/log/lightdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
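Review bot: `/var/lib/sddm(/.*)?` is labelled xkb_var_lib_t, which looks like a copy-paste from the `/var/lib/xkb(/.*)?` line directly above it; the other display-manager state directories in this block (`lxdm`, `[xkw]dm`) are xdm_var_lib_t, and every other sddm entry in this patch uses the xdm_* types. Unless sddm really stores keyboard-map data there, the line should read `/var/lib/sddm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)`.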
> @@ -124,6 +128,7 @@ ifndef(`distro_debian',`
>  /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
>  /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
>  
> +/run/sddm(/.*)?			gen_context(system_u:object_r:xdm_var_run_t,s0)
>  /run/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
>  /run/gdm(3)?\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
>  /run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/system/init.fc
> +++ refpolicy-2.20170329/policy/modules/system/init.fc
> @@ -38,7 +38,6 @@ ifdef(`distro_gentoo', `
>  /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
>  /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
>  
> -/usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
>  /usr/sbin/init(ng)?	--	gen_context(system_u:object_r:init_exec_t,s0)
>  /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
>  /usr/sbin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
> @@ -65,6 +64,10 @@ ifdef(`distro_gentoo', `
>  ifdef(`distro_debian',`
>  /run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
>  /run/kdm/.*		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/etc/network/if-pre-up.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
> +/etc/network/if-up.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
> +/etc/network/if-down.d/.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
> +/etc/network/if-post-down.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
>  ')
>  
>  ifdef(`distro_gentoo', `
> --- refpolicy-2.20170329.orig/policy/modules/system/libraries.fc
> +++ refpolicy-2.20170329/policy/modules/system/libraries.fc
> @@ -105,6 +105,7 @@ ifdef(`distro_debian',`
>  /usr/(.*/)?dh-python/dh_pypy		--	gen_context(system_u:object_r:lib_t,s0)
>  ')
>  
> +/usr/lib/postfix/lib.*so.*		--	gen_context(system_u:object_r:lib_t,s0)

That looks like it might be redundant, or else there is some other spec that should ideally be made more specific for this location.

>  /usr/lib/altivec/libavcodec\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
>  /usr/lib/cedega/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
>  /usr/lib/dovecot/(.*/)?lib.*\.so.*      --      gen_context(system_u:object_r:lib_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/system/lvm.fc
> +++ refpolicy-2.20170329/policy/modules/system/lvm.fc
> @@ -42,6 +42,7 @@ ifdef(`distro_gentoo',`
>  /usr/sbin/lvdisplay		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvextend		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvm			--	gen_context(system_u:object_r:lvm_exec_t,s0)
> +/usr/sbin/lvmetad		--	gen_context(system_u:object_r:lvm_exec_t,s0)

Fedora does this as well, and I wonder whether it is a good idea in the longer run.

lvm is short running, lvmetad is long running
lvm probably needs permission to raw storage? it remains to be seen whether this daemon needs access to raw storage as well (if it doesnt then that to me is reason enough to move it out of lvm_t)

>  /usr/sbin/lvm\.static		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvmchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
>  /usr/sbin/lvmdiskscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
> @@ -93,3 +94,4 @@ ifdef(`distro_gentoo',`
>  /var/lock/lvm(/.*)?			gen_context(system_u:object_r:lvm_lock_t,s0)
>  /run/multipathd\.sock		-s	gen_context(system_u:object_r:lvm_var_run_t,s0)
>  /run/dmevent.*				gen_context(system_u:object_r:lvm_var_run_t,s0)
> +/run/lvm(/.*)?				gen_context(system_u:object_r:lvm_var_run_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/system/miscfiles.fc
> +++ refpolicy-2.20170329/policy/modules/system/miscfiles.fc
> @@ -12,7 +12,7 @@ ifdef(`distro_gentoo',`
>  /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
>  /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
>  /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
> -/etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
> +/etc/ssl/private(/.*)?			gen_context(system_u:object_r:cert_t,s0)

There probably should not be private keys on a production system in the first place? Regardless, at least be consistent and apply this to /etc/pki as well.

>  /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
>  
>  ifdef(`distro_debian',`
> --- refpolicy-2.20170329.orig/policy/modules/system/udev.fc
> +++ refpolicy-2.20170329/policy/modules/system/udev.fc
> @@ -39,4 +39,5 @@ ifdef(`distro_redhat',`
>  
>  ifdef(`distro_debian',`
>  /run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
> +/run/console-setup(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
>  ')

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* [refpolicy] [PATCH] misc fc changes
  2017-04-04  7:23 ` Dominick Grift
@ 2017-04-04  7:47   ` Russell Coker
  2017-04-04 22:54     ` Chris PeBenito
  0 siblings, 1 reply; 21+ messages in thread
From: Russell Coker @ 2017-04-04  7:47 UTC (permalink / raw)
  To: refpolicy

On Tue, 4 Apr 2017 05:23:28 PM Dominick Grift via refpolicy wrote:
> > --- refpolicy-2.20170329.orig/policy/modules/kernel/terminal.fc
> > +++ refpolicy-2.20170329/policy/modules/kernel/terminal.fc
> > @@ -14,6 +14,7 @@
> > 
> >  /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
> >  /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
> >  /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
> > 
> > +/dev/pts/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
> 
> This is probably going to cause issues. This file will be created with
> devpts_t (there is no other way) and so you will have to rely on early
> relabeling of /dev/pts to get this done. Not all systems relabel /dev(/pts)
> early on.

That will only be an issue on systems that don't relabel it early enough and 
don't create a /dev/ptmx device node.  Such systems wouldn't work properly 
with the current policy, so probably don't exist.  In this case "early enough" 
means "before the first inbound ssh connection".

> So you might end up with devpts_t on some systems and ptmx_t on
> others. (inconsistency)

Actually we have inconsistency right now with /dev/ptmx and /dev/pts/ptmx 
having different labels.  My patch solves the inconsistency.

> Leaving it devpts_t will atleast allow you to rely on the labeling to be
> consistent, and since that is the only file that will ever legitimately
> end up devpts_t that should not be a problem

If we are going to take that approach then we should make ptmx_t an alias for 
devpts_t and label /dev/ptmx as devpts_t.

Chris, what do you think?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH] misc fc changes
  2017-04-04  7:32 ` Dominick Grift
@ 2017-04-04  7:49   ` Russell Coker
  2017-04-04  7:53     ` Dominick Grift
  2017-04-04  8:02     ` Dominick Grift
  0 siblings, 2 replies; 21+ messages in thread
From: Russell Coker @ 2017-04-04  7:49 UTC (permalink / raw)
  To: refpolicy

On Tue, 4 Apr 2017 05:32:48 PM Dominick Grift via refpolicy wrote:
> > +/etc/network/if-pre-up.d/.*
> > --	gen_context(system_u:object_r:initrc_exec_t,s0)
> > +/etc/network/if-up.d/.*
> > --	gen_context(system_u:object_r:initrc_exec_t,s0)
> > +/etc/network/if-down.d/.*
> > --	gen_context(system_u:object_r:initrc_exec_t,s0)
> > +/etc/network/if-post-down.d/.* --
> > gen_context(system_u:object_r:initrc_exec_t,s0)
> 
> I would probably use bin_t here if possible but regardless: you might want
> to escape the periods there to avoid possible regex issues later on

If bin_t was used then we wouldn't get the domain transitions needed to start 
daemons in the correct context.

If at some future time we have something like a /etc/network/if-up-d directory 
then we probably want the same context for the files it contains.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH] misc fc changes
  2017-04-04  7:49   ` Russell Coker
@ 2017-04-04  7:53     ` Dominick Grift
  2017-04-04  8:02       ` Russell Coker
  2017-04-04  8:02     ` Dominick Grift
  1 sibling, 1 reply; 21+ messages in thread
From: Dominick Grift @ 2017-04-04  7:53 UTC (permalink / raw)
  To: refpolicy

On Tue, Apr 04, 2017 at 05:49:35PM +1000, Russell Coker wrote:
> On Tue, 4 Apr 2017 05:32:48 PM Dominick Grift via refpolicy wrote:
> > > +/etc/network/if-pre-up.d/.*
> > > --	gen_context(system_u:object_r:initrc_exec_t,s0)
> > > +/etc/network/if-up.d/.*
> > > --	gen_context(system_u:object_r:initrc_exec_t,s0)
> > > +/etc/network/if-down.d/.*
> > > --	gen_context(system_u:object_r:initrc_exec_t,s0)
> > > +/etc/network/if-post-down.d/.* --
> > > gen_context(system_u:object_r:initrc_exec_t,s0)
> > 
> > I would probably use bin_t here if possible but regardless: you might want
> > to escape the periods there to avoid possible regex issues later on
> 
> If bin_t was used then we wouldn't get the domain transitions needed to start 
> daemons in the correct context.
> 
> If at some future time we have something like a /etc/network/if-up-d directory 
> then we probably want the same context for the files it contains.

As for escaping the periods: i mean this (for example):

/etc/network/if-pre-up\.d/.*  --    gen_context(system_u:object_r:initrc_exec_t,s0)

if you do not escape the period then the period might be misinterpreted later on

> 
> -- 
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* [refpolicy] [PATCH] misc fc changes
  2017-04-04  7:44 ` Dominick Grift
@ 2017-04-04  8:00   ` Russell Coker
  2017-04-04  8:08     ` Dominick Grift
  0 siblings, 1 reply; 21+ messages in thread
From: Russell Coker @ 2017-04-04  8:00 UTC (permalink / raw)
  To: refpolicy

On Tue, 4 Apr 2017 05:44:24 PM Dominick Grift via refpolicy wrote:
> On Sun, Apr 02, 2017 at 06:58:05PM +1000, Russell Coker via refpolicy wrote:
> > Remove acct_exec_t label for /etc/cron\.(daily|monthly)/acct so it gets
> > bin_t
> > 
> > Label /dev/pts/ptmx as ptmx_t.  It always should have been labelled like
> > this but the presence of a device /dev/ptmx concealed it.  With a
> > container created by systemd-nspawn (and possibly other situations)
> > /dev/ptmx is a symlink and we need correct labelling of /dev/pts/ptmx.
> > 
> > Remove labelling of /usr/sbin/apachectl as initrc_exec_t so system
> > scripts can run it without a domain transition.
> > 
> > Also lots of little changes that are obvious.
> > 
> > 
> > --- refpolicy-2.20170329.orig/policy/modules/contrib/acct.fc
> > +++ refpolicy-2.20170329/policy/modules/contrib/acct.fc
> > @@ -1,5 +1,3 @@
> > -/etc/cron\.(daily|monthly)/acct	--	
gen_context(system_u:object_r:acct_ex
> > ec_t,s0) -
> 
> Any specific reason for removing this? system_cronjob_t is pretty broad, so
> i tend to move stuff out of there whenever that makes a little sense

Those scripts use systemctl to restart daemons.  The choice is between having 
system_cronjob_t run some scripts that are in almost all cases unaltered from 
the distribution or allowing acct_t to restart daemons.

> > --- refpolicy-2.20170329.orig/policy/modules/system/libraries.fc
> > +++ refpolicy-2.20170329/policy/modules/system/libraries.fc
> > @@ -105,6 +105,7 @@ ifdef(`distro_debian',`
> > 
> >  /usr/(.*/)?dh-python/dh_pypy		--	
gen_context(system_u:object_r:lib_t,s0)
> >  ')
> > 
> > +/usr/lib/postfix/lib.*so.*		--	
gen_context(system_u:object_r:lib_t,s0)
> 
> That looks like it might be redundant or that there is some other spec that
> should probably ideally be more specific for this location

# restorecon -R -v /usr/lib/postfix/
Relabeled /usr/lib/postfix/libpostfix-dns.so from system_u:object_r:lib_t:s0 to 
system_u:object_r:postfix_exec_t:s0
Relabeled /usr/lib/postfix/libpostfix-global.so from system_u:object_r:lib_t:s0 
to system_u:object_r:postfix_exec_t:s0
Relabeled /usr/lib/postfix/libpostfix-master.so from system_u:object_r:lib_t:s0 
to system_u:object_r:postfix_exec_t:s0
Relabeled /usr/lib/postfix/libpostfix-tls.so from system_u:object_r:lib_t:s0 to 
system_u:object_r:postfix_exec_t:s0
Relabeled /usr/lib/postfix/libpostfix-util.so from system_u:object_r:lib_t:s0 to 
system_u:object_r:postfix_exec_t:s0

No, if that line is removed then we get the wrong context.

> > --- refpolicy-2.20170329.orig/policy/modules/system/lvm.fc
> > +++ refpolicy-2.20170329/policy/modules/system/lvm.fc
> > @@ -42,6 +42,7 @@ ifdef(`distro_gentoo',`
> > 
> >  /usr/sbin/lvdisplay		--	
gen_context(system_u:object_r:lvm_exec_t,s0)
> >  /usr/sbin/lvextend		--	
gen_context(system_u:object_r:lvm_exec_t,s0)
> >  /usr/sbin/lvm			--	
gen_context(system_u:object_r:lvm_exec_t,s0)
> > 
> > +/usr/sbin/lvmetad		--	
gen_context(system_u:object_r:lvm_exec_t,s0)
> 
> Fedora does this as well and i am wonder whether this is a good idea in the
> longer run

It's probably something I copied from Fedora.  ;)

> lvm is short running, lvmetad is long running
> lvm probably needs permission to raw storage? it remains to be seen whether
> this daemon needs access to raw storage as well (if it doesnt then that to
> me is reason enough to move it out of lvm_t)

OK, well if you would like to contribute policy for lvmetad_t then that would 
be great.  In the mean time I think this is the best option.

> > --- refpolicy-2.20170329.orig/policy/modules/system/miscfiles.fc
> > +++ refpolicy-2.20170329/policy/modules/system/miscfiles.fc
> > @@ -12,7 +12,7 @@ ifdef(`distro_gentoo',`
> > 
> >  /etc/httpd/alias/[^/]*\.db(\.[^/]*)* --
> >  gen_context(system_u:object_r:cert_t,s0)
> >  /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
> >  /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
> > 
> > -/etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
> > +/etc/ssl/private(/.*)?			
gen_context(system_u:object_r:cert_t,s0)
> 
> There probably should not be private keys on a production system in the
> first place? Regardless, atleast be consistent and apply this to /etc/pki
> as well

My systems don't have a /etc/pki directory.  It would be good if someone who 
has such a system could contribute a patch for it, maybe you?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH] misc fc changes
  2017-04-04  7:53     ` Dominick Grift
@ 2017-04-04  8:02       ` Russell Coker
  0 siblings, 0 replies; 21+ messages in thread
From: Russell Coker @ 2017-04-04  8:02 UTC (permalink / raw)
  To: refpolicy

On Tue, 4 Apr 2017 05:53:56 PM Dominick Grift via refpolicy wrote:
> > If at some future time we have something like a /etc/network/if-up-d
> > directory  then we probably want the same context for the files it
> > contains.
> 
> As for escaping the periods: i mean this (for example):
> 
> /etc/network/if-pre-up\.d/.*  --    gen_context(system_u:object_r:initrc_ex
> ec_t,s0)
> 
> if you do not escape the period then the period might be misinterpreted
> later on

I know what you mean.  But my definition of "misinterpreted" doesn't match 
yours.  I think that all ip-up*d directories should have the same context if 
they happen to exist.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH] misc fc changes
  2017-04-04  7:49   ` Russell Coker
  2017-04-04  7:53     ` Dominick Grift
@ 2017-04-04  8:02     ` Dominick Grift
  2017-04-04  8:05       ` Russell Coker
  1 sibling, 1 reply; 21+ messages in thread
From: Dominick Grift @ 2017-04-04  8:02 UTC (permalink / raw)
  To: refpolicy

On Tue, Apr 04, 2017 at 05:49:35PM +1000, Russell Coker wrote:
> On Tue, 4 Apr 2017 05:32:48 PM Dominick Grift via refpolicy wrote:
> > > +/etc/network/if-pre-up.d/.*
> > > --	gen_context(system_u:object_r:initrc_exec_t,s0)
> > > +/etc/network/if-up.d/.*
> > > --	gen_context(system_u:object_r:initrc_exec_t,s0)
> > > +/etc/network/if-down.d/.*
> > > --	gen_context(system_u:object_r:initrc_exec_t,s0)
> > > +/etc/network/if-post-down.d/.* --
> > > gen_context(system_u:object_r:initrc_exec_t,s0)
> > 
> > I would probably use bin_t here if possible but regardless: you might want
> > to escape the periods there to avoid possible regex issues later on
> 
> If bin_t was used then we wouldn't get the domain transitions needed to start 
> daemons in the correct context.
> 
> If at some future time we have something like a /etc/network/if-up-d directory 
> then we probably want the same context for the files it contains.

Oops, I misunderstood your argument in my previous reply. I suppose you are right to argue that it's pretty unlikely to happen in this case.

Just saying though that escaping the periods consistently has my preference, if only for consistency and to always be as specific as possible.

> 
> -- 
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* [refpolicy] [PATCH] misc fc changes
  2017-04-04  8:02     ` Dominick Grift
@ 2017-04-04  8:05       ` Russell Coker
  2017-04-04 22:56         ` Chris PeBenito
  0 siblings, 1 reply; 21+ messages in thread
From: Russell Coker @ 2017-04-04  8:05 UTC (permalink / raw)
  To: refpolicy

On Tue, 4 Apr 2017 06:02:47 PM Dominick Grift via refpolicy wrote:
> > If at some future time we have something like a /etc/network/if-up-d
> > directory  then we probably want the same context for the files it
> > contains.
> 
> Oops misunderstood your argument in my previous reply. I suppose you are
> right to argue that its pretty unlikely to happen in this case.
> 
> Just saying though that escaping the periods consistently has my
> preference, if only for consistency and to always be as specific as
> possible.

If Chris asks me to do that then I will.  If he decides to just edit the patch 
in that way before applying it I won't bother arguing about it.  But I think 
it's fine as it is.

There are some situations where a '.' really makes a difference, ".so" is the 
one that springs to mind.  But in most situations it doesn't.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH] misc fc changes
  2017-04-04  8:00   ` Russell Coker
@ 2017-04-04  8:08     ` Dominick Grift
  2017-04-04  8:13       ` Russell Coker
  0 siblings, 1 reply; 21+ messages in thread
From: Dominick Grift @ 2017-04-04  8:08 UTC (permalink / raw)
  To: refpolicy

On Tue, Apr 04, 2017 at 06:00:33PM +1000, Russell Coker wrote:
> On Tue, 4 Apr 2017 05:44:24 PM Dominick Grift via refpolicy wrote:
> > On Sun, Apr 02, 2017 at 06:58:05PM +1000, Russell Coker via refpolicy wrote:
> > > Remove acct_exec_t label for /etc/cron\.(daily|monthly)/acct so it gets
> > > bin_t
> > > 
> > > Label /dev/pts/ptmx as ptmx_t.  It always should have been labelled like
> > > this but the presence of a device /dev/ptmx concealed it.  With a
> > > container created by systemd-nspawn (and possibly other situations)
> > > /dev/ptmx is a symlink and we need correct labelling of /dev/pts/ptmx.
> > > 
> > > Remove labelling of /usr/sbin/apachectl as initrc_exec_t so system
> > > scripts can run it without a domain transition.
> > > 
> > > Also lots of little changes that are obvious.
> > > 
> > > 
> > > --- refpolicy-2.20170329.orig/policy/modules/contrib/acct.fc
> > > +++ refpolicy-2.20170329/policy/modules/contrib/acct.fc
> > > @@ -1,5 +1,3 @@
> > > -/etc/cron\.(daily|monthly)/acct	--	
> gen_context(system_u:object_r:acct_ex
> > > ec_t,s0) -
> > 
> > Any specific reason for removing this? system_cronjob_t is pretty broad, so
> > i tend to move stuff out of there whenever that makes a little sense
> 
> Those scripts use systemctl to restart daemons.  The choice is between having 
> system_cronjob_t run some scripts that are in almost all cases unaltered from 
> the distribution or allowing acct_t to restart daemons.

Ok yes that sounds like an compelling argument.

> 
> > > --- refpolicy-2.20170329.orig/policy/modules/system/libraries.fc
> > > +++ refpolicy-2.20170329/policy/modules/system/libraries.fc
> > > @@ -105,6 +105,7 @@ ifdef(`distro_debian',`
> > > 
> > >  /usr/(.*/)?dh-python/dh_pypy		--	
> gen_context(system_u:object_r:lib_t,s0)
> > >  ')
> > > 
> > > +/usr/lib/postfix/lib.*so.*		--	
> gen_context(system_u:object_r:lib_t,s0)
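Review bot: The new spec `/usr/lib/postfix/lib.*so.*` matches any regular file in that directory whose name begins with `lib` and contains `so` anywhere after it, not only shared objects, so a future Postfix helper with such a name would silently drop from postfix_exec_t to lib_t. Keying the exception on the library suffix instead, `/usr/lib/postfix/lib.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:lib_t,s0)`, limits it to exactly the five files the restorecon output above lists and follows the usual shape of shared-object specs in refpolicy. The relative ordering against the postfix_exec_t spec in postfix.fc is outside this hunk, so whether the longer regex still wins should be confirmed with matchpathcon.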
> > 
> > That looks like it might be redundant or that there is some other spec that
> > should probably ideally be more specific for this location
> 
> # restorecon -R -v /usr/lib/postfix/
> Relabeled /usr/lib/postfix/libpostfix-dns.so from system_u:object_r:lib_t:s0 to 
> system_u:object_r:postfix_exec_t:s0
> Relabeled /usr/lib/postfix/libpostfix-global.so from system_u:object_r:lib_t:s0 
> to system_u:object_r:postfix_exec_t:s0
> Relabeled /usr/lib/postfix/libpostfix-master.so from system_u:object_r:lib_t:s0 
> to system_u:object_r:postfix_exec_t:s0
> Relabeled /usr/lib/postfix/libpostfix-tls.so from system_u:object_r:lib_t:s0 to 
> system_u:object_r:postfix_exec_t:s0
> Relabeled /usr/lib/postfix/libpostfix-util.so from system_u:object_r:lib_t:s0 to 
> system_u:object_r:postfix_exec_t:s0

Then maybe that postfix_exec_t context spec could be more specific to not include libraries?

It feels kind of strange to have a lib_t base type for /usr/lib and then have to specify lib_t for some individual lib file.


> 
> No, if that line is removed then we get the wrong context.
> 
> > > --- refpolicy-2.20170329.orig/policy/modules/system/lvm.fc
> > > +++ refpolicy-2.20170329/policy/modules/system/lvm.fc
> > > @@ -42,6 +42,7 @@ ifdef(`distro_gentoo',`
> > > 
> > >  /usr/sbin/lvdisplay		--	
> gen_context(system_u:object_r:lvm_exec_t,s0)
> > >  /usr/sbin/lvextend		--	
> gen_context(system_u:object_r:lvm_exec_t,s0)
> > >  /usr/sbin/lvm			--	
> gen_context(system_u:object_r:lvm_exec_t,s0)
> > > 
> > > +/usr/sbin/lvmetad		--	
> gen_context(system_u:object_r:lvm_exec_t,s0)
> > 
> > Fedora does this as well and i am wonder whether this is a good idea in the
> > longer run
> 
> It's probably something I copied from Fedora.  ;)
> 
> > lvm is short running, lvmetad is long running
> > lvm probably needs permission to raw storage? it remains to be seen whether
> > this daemon needs access to raw storage as well (if it doesnt then that to
> > me is reason enough to move it out of lvm_t)
> 
> OK, well if you would like to contribute policy for lvmetad_t then that would 
> be great.  In the mean time I think this is the best option.
> 
> > > --- refpolicy-2.20170329.orig/policy/modules/system/miscfiles.fc
> > > +++ refpolicy-2.20170329/policy/modules/system/miscfiles.fc
> > > @@ -12,7 +12,7 @@ ifdef(`distro_gentoo',`
> > > 
> > >  /etc/httpd/alias/[^/]*\.db(\.[^/]*)* --
> > >  gen_context(system_u:object_r:cert_t,s0)
> > >  /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
> > >  /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
> > > 
> > > -/etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
> > > +/etc/ssl/private(/.*)?			
> gen_context(system_u:object_r:cert_t,s0)
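Review bot: Narrowing `/etc/ssl(/.*)?` to `/etc/ssl/private(/.*)?` silently moves everything else under /etc/ssl to the etc_t default, and the hunk does not record that this is intended: any key material an administrator drops directly into /etc/ssl rather than into `private/` changes from cert_t to etc_t and becomes readable by every domain with generic etc_t read access, which is the opposite of the stated goal. Conversely, domains that today reach the CA bundle only through the cert_t interfaces, without etc_t read rights, would presumably lose access to /etc/ssl/certs; that set should be checked before the spec is narrowed. A one-line comment above the new spec, `# only private keys keep cert_t; /etc/ssl/certs and openssl.cnf fall back to etc_t`, would at least make the new boundary visible. The same hunk is quoted again in Chris PeBenito's reply below and is covered by this note.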
> > 
> > There probably should not be private keys on a production system in the
> > first place? Regardless, atleast be consistent and apply this to /etc/pki
> > as well
> 
> My systems don't have a /etc/pki directory.  It would be good if someone who 
> has such a system could contribute a patch for it, maybe you?
> 
> -- 
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

* [refpolicy] [PATCH] misc fc changes
  2017-04-04  8:08     ` Dominick Grift
@ 2017-04-04  8:13       ` Russell Coker
  0 siblings, 0 replies; 21+ messages in thread
From: Russell Coker @ 2017-04-04  8:13 UTC (permalink / raw)
  To: refpolicy

On Tue, 4 Apr 2017 06:08:03 PM Dominick Grift via refpolicy wrote:
> > > That looks like it might be redundant or that there is some other spec
> > > that should probably ideally be more specific for this location
> > 
> > # restorecon -R -v /usr/lib/postfix/
> > Relabeled /usr/lib/postfix/libpostfix-dns.so from
> > system_u:object_r:lib_t:s0 to system_u:object_r:postfix_exec_t:s0
> > Relabeled /usr/lib/postfix/libpostfix-global.so from
> > system_u:object_r:lib_t:s0 to system_u:object_r:postfix_exec_t:s0
> > Relabeled /usr/lib/postfix/libpostfix-master.so from
> > system_u:object_r:lib_t:s0 to system_u:object_r:postfix_exec_t:s0
> > Relabeled /usr/lib/postfix/libpostfix-tls.so from
> > system_u:object_r:lib_t:s0 to system_u:object_r:postfix_exec_t:s0
> > Relabeled /usr/lib/postfix/libpostfix-util.so from
> > system_u:object_r:lib_t:s0 to system_u:object_r:postfix_exec_t:s0
> 
> Then maybe that postfix_exec_t context spec could be more specific to not
> include libraries?

There's a heap of programs under that tree that should have postfix_exec_t.

But if you can devise a regex that matches them then please submit it.

> if like of strange to have a lib_t base type for /usr/lib and to then have
> to specify lib_t for some individual lib file

Not really.  Having one context for the default files in a directory and 
another for exceptions is common.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH] misc fc changes
  2017-04-04  1:21   ` Russell Coker
@ 2017-04-04 22:50     ` Chris PeBenito
  2017-04-05  4:12       ` Russell Coker
  0 siblings, 1 reply; 21+ messages in thread
From: Chris PeBenito @ 2017-04-04 22:50 UTC (permalink / raw)
  To: refpolicy

On 04/03/2017 09:21 PM, Russell Coker wrote:
> On Tue, 4 Apr 2017 09:11:51 AM Chris PeBenito via refpolicy wrote:
>>> --- refpolicy-2.20170329.orig/policy/modules/system/miscfiles.fc
>>> +++ refpolicy-2.20170329/policy/modules/system/miscfiles.fc
>>> @@ -12,7 +12,7 @@ ifdef(`distro_gentoo',`
>>>
>>>  /etc/httpd/alias/[^/]*\.db(\.[^/]*)* --
>>> gen_context(system_u:object_r:cert_t,s0)
>>> /etc/localtime               --      gen_context(system_u:object_r:locale
>>> _t,s0)
>>> /etc/pki(/.*)?                       gen_context(system_u:object_r:cert_t
>>> ,s0)
>>>
>>> -/etc/ssl(/.*)?                       gen_context(system_u:object_r:cert_
>>> t,s0)
>>> +/etc/ssl/private(/.*)?                       gen_context(system_u:objec
>>> t_r:cert_t,s0)
>>
>> I think I'm ok with everything else except this.  Why shouldn't all
>> those certs be protected specially?
>
> The private directory is for private keys that need protection.
> /etc/ssh/certs is for public keys of CAs that need to be read by many programs
> that don't need access to private keys (IE any program that wants to verify a
> SSL server).  /etc/ssh/openssl.cnf is for openssl configuration that again may
> be read by programs that don't have any particular privileges.

In that case, /etc/ssl/private should be a different type, as all the 
public certs are cert_t.

-- 
Chris PeBenito


* [refpolicy] [PATCH] misc fc changes
  2017-04-04  7:47   ` Russell Coker
@ 2017-04-04 22:54     ` Chris PeBenito
  2017-04-05  4:16       ` Russell Coker
  0 siblings, 1 reply; 21+ messages in thread
From: Chris PeBenito @ 2017-04-04 22:54 UTC (permalink / raw)
  To: refpolicy

On 04/04/2017 03:47 AM, Russell Coker via refpolicy wrote:
> On Tue, 4 Apr 2017 05:23:28 PM Dominick Grift via refpolicy wrote:
>>> --- refpolicy-2.20170329.orig/policy/modules/kernel/terminal.fc
>>> +++ refpolicy-2.20170329/policy/modules/kernel/terminal.fc
>>> @@ -14,6 +14,7 @@
>>>
>>>  /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
>>>  /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
>>>  /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
>>>
>>> +/dev/pts/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
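Review bot: The `/dev/pts/ptmx` spec added here is `-c`, as is the `/dev/ptmx` line directly above it, yet the commit message motivates the change with /dev/ptmx being a symlink under systemd-nspawn; a symlink matches neither spec, so in that case /dev/ptmx takes the /dev directory's default type and domains opening a pty through it need lnk_file read on that type, which this hunk does not address. If leaving the symlink unlabelled is intended, a comment such as `# /dev/ptmx may be a symlink to /dev/pts/ptmx in containers (e.g. systemd-nspawn); only the character device is labelled ptmx_t` would record the assumption next to the spec. The surrounding file context list continues outside the hunk.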
>>
>> This is probably going to cause issues. This file will be created with
>> devpts_t (there is no other way) and so you will have to rely on early
>> relabeling of /dev/pts to get this done Not all systems relabel /dev(/pts)
>> early on.
>
> That will only be an issue on systems that don't relabel it early enough and
> don't create a /dev/ptmx device node.  Such systems wouldn't work properly
> with the current policy, so probably don't exist.  In this case "early enough"
> means "before the first inbound ssh connection".
>
>> So you might end up with devpts_t on some systems and ptmx_t on
>> others. (inconsistency)
>
> Actually we have inconsistency right now with /dev/ptmx and /dev/pts/ptmx
> having different labels.  My patch solves the inconsistency.
>
>> Leaving it devpts_t will atleast allow you to rely on the labeling to be
>> consistent, and since that is the only file that will ever legitimately
>> end up devpts_t that should not be a problem
>
> If we are going to take that approach then we should make ptmx_t an alias for
> devpts_t and label /dev/ptmx as devpts_t.
>
> Chris, what do you think?

I want ptmx to be consistent and not devpts_t.  If it depends on early 
relabeling, then so be it.  It doesn't seem to be a problem generally, 
as you mentioned.  /dev/* is already a big potential for labeling race 
conditions.  I'd prefer a comment added in the fc file so if in the 
future someone hits the early relabeling problem, they might find info 
in the comment.

-- 
Chris PeBenito


* [refpolicy] [PATCH] misc fc changes
  2017-04-04  8:05       ` Russell Coker
@ 2017-04-04 22:56         ` Chris PeBenito
  2017-04-05  4:14           ` Russell Coker
  0 siblings, 1 reply; 21+ messages in thread
From: Chris PeBenito @ 2017-04-04 22:56 UTC (permalink / raw)
  To: refpolicy

On 04/04/2017 04:05 AM, Russell Coker via refpolicy wrote:
> On Tue, 4 Apr 2017 06:02:47 PM Dominick Grift via refpolicy wrote:
>>> If at some future time we have something like a /etc/network/if-up-d
>>> directory  then we probably want the same context for the files it
>>> contains.
>>
>> Oops misunderstood your argument in my previous reply. I suppose you are
>> right to argue that its pretty unlikely to happen in this case.
>>
>> Just saying though that escaping the periods consistently has my
>> preference, if only for consistency and to always be as specific as
>> possible.
>
> If Chris asks me to do that then I will.  If he decides to just edit the patch
> in that way before applying it I won't bother arguing about it.  But I think
> it's fine as it is.
>
> There are some situations where a '.' really makes a difference, ".so" is the
> one that springs to mind.  But in most situations it doesn't.

While I agree that the "." doesn't really make a difference in this 
case, I'd prefer explicitness so there is no confusion in the future. 
i.e. that it be escaped.


-- 
Chris PeBenito


* [refpolicy] [PATCH] misc fc changes
  2017-04-04 22:50     ` Chris PeBenito
@ 2017-04-05  4:12       ` Russell Coker
  0 siblings, 0 replies; 21+ messages in thread
From: Russell Coker @ 2017-04-05  4:12 UTC (permalink / raw)
  To: refpolicy

On Wed, 5 Apr 2017 08:50:56 AM Chris PeBenito wrote:
> >> I think I'm ok with everything else except this.  Why shouldn't all
> >> those certs be protected specially?
> > 
> > The private directory is for private keys that need protection.
> > /etc/ssh/certs is for public keys of CAs that need to be read by many
> > programs that don't need access to private keys (IE any program that
> > wants to verify a SSL server).  /etc/ssh/openssl.cnf is for openssl
> > configuration that again may be read by programs that don't have any
> > particular privileges.
> 
> In that case, /etc/ssl/private should be a different type, as all the 
> public certs are cert_t.

What is the point of having a type for just public keys?  On most systems the 
only public keys are those which are supplied by the distribution, they are 
read-only configuration files.  On the minority of systems that have locally 
installed public keys they are just like any other configuration file locally 
installed by the sysadmin.  Why would any type other than etc_t be desired?

Now we do have a problem of many domains having access to cert_t that don't 
deserve access to private keys, from a casual examination it seems mostly SSL 
clients, along with some things that are just strange (EG useradd_t).

So probably the best thing to do would be to make cert_t an alias for etc_t 
and create a new private_key_t for the private keys in question.

In the mean-time could you please apply the rest of that patch to the git 
repository?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH] misc fc changes
  2017-04-04 22:56         ` Chris PeBenito
@ 2017-04-05  4:14           ` Russell Coker
  0 siblings, 0 replies; 21+ messages in thread
From: Russell Coker @ 2017-04-05  4:14 UTC (permalink / raw)
  To: refpolicy

On Wed, 5 Apr 2017 08:56:51 AM Chris PeBenito wrote:
> While I agree that the "." doesn't really make a difference in this 
> case, I'd prefer explicitness so there is no confusion in the future. 
> i.e. that it be escaped.

OK.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH] misc fc changes
  2017-04-04 22:54     ` Chris PeBenito
@ 2017-04-05  4:16       ` Russell Coker
  0 siblings, 0 replies; 21+ messages in thread
From: Russell Coker @ 2017-04-05  4:16 UTC (permalink / raw)
  To: refpolicy

On Wed, 5 Apr 2017 08:54:39 AM Chris PeBenito wrote:
> I want ptmx to be consistent and not devpts_t.  If it depends on early 
> relabeling, then so be it.  It doesn't seem to be a problem generally, 
> as you mentioned.  /dev/* is already a big potential for labeling race 
> conditions.  I'd prefer a comment added in the fc file so if in the 
> future someone hits the early relabeling problem, they might find info 
> in the comment.

OK

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

