Going through the Red Hat patches trying to find more stuff to send
upstream for merge, I've come across a few things that I don't quite
understand and I'd appreciate it if someone could explain them to me :)
a)
There are quite a lot of changes like this:
--- ./upstream/refpolicy/policy/modules/apps/uml.fc 2008-08-03 12:31:17.000000000 +0200
+++ ./fedora/refpolicy/policy/modules/apps/uml.fc 2008-08-03 12:29:42.000000000 +0200
@@ -1,7 +1,7 @@
#
# HOME_DIR/
#
-HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:ROLE_uml_rw_t,s0)
+HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:user_uml_rw_t,s0)
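Review bot: on the `HOME_DIR/\.uml(/.*)?` entry, the `+` line replaces the `ROLE_` prefix with a literal `user_` in the type name (`ROLE_uml_rw_t` becomes `user_uml_rw_t`) and nothing in the hunk says why. The hunk also does not show `user_uml_rw_t` being declared anywhere, so the matching .te/.if change should travel in the same patch, together with a one-line rationale for hard-coding the prefix, before this can be judged for upstream.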
What is the purpose of these changes and is it something that makes
sense upstream? The upstream SVN version seems to contain quite a lot of
"ROLE" contexts already...then again, other parts of the patch do the
reverse:
--- ./upstream/refpolicy/policy/modules/apps/mplayer.fc 2008-08-03 12:31:17.000000000 +0200
+++ ./fedora/refpolicy/policy/modules/apps/mplayer.fc 2008-08-03 12:29:42.000000000 +0200
@@ -10,4 +10,4 @@
/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
-HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
+HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:user_mplayer_home_t,s0)
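Review bot: the `HOME_DIR/\.mplayer(/.*)?` line goes from `ROLE_mplayer_home_t` to `user_mplayer_home_t`, which is the same `ROLE_` to `user_` direction as the uml.fc hunk, so as shown this is not a reversal. If other files in the patch do move from `user_` back to `ROLE_`, the two directions should be split into separate patches with the reason for each stated, since a .fc entry that names a type the module does not declare will not build.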
b)
There are also quite a lot of changes like this:
--- ./upstream/refpolicy/policy/modules/apps/awstats.if 2008-08-03 12:31:17.000000000 +0200
+++ ./fedora/refpolicy/policy/modules/apps/awstats.if 2008-05-15 15:10:34.000000000 +0200
@@ -33,7 +33,8 @@
#
interface(`awstats_cgi_exec',`
gen_require(`
- type httpd_awstats_script_exec_t, httpd_awstats_content_t;
+ type httpd_awstats_script_exec_t;
+ type httpd_awstats_content_t;
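Review bot: in the `gen_require` block of `awstats_cgi_exec`, splitting `type httpd_awstats_script_exec_t, httpd_awstats_content_t;` into two `type` statements requires exactly the same two types, so this is a style-only change. It should either be dropped from the diff or sent as its own cosmetic patch, so that it does not hide functional changes to the interface in the same file.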
Are these only noise (and in that case, would you (Dan) like a patch to
remove that noise) or something which is actually wanted upstream?
c)
A lot of changes only alter whitespace. Would it be possible to avoid
these by generating the Fedora diff with the appropriate options to
diff?
d)
Why does postgrey_t need to be able to restart apache? (and the same
goes for many many other service module changes in the patch, such as
canna, ldap, etc, etc)
--
David Härdeman