When using setfiles to validate file contexts of Debian modular policy
(with DISTRO=debian and MONOLITHIC=n), it fails with:
tmp/all_mods.fc: line 527 is missing fields
tmp/all_mods.fc: line 527 is missing fields
tmp/all_mods.fc: Invalid argument
Here is the content of tmp/all_mods.fc around line 527:
# this is a static /dev dir "backup mount"
# if you want to disable udev, youll have to boot permissive and relabel!
/dev/\.static -d system_u:object_r:device_t
/dev/\.static/dev -d system_u:object_r:device_t
/dev/\.static/dev/(.*)? <<none>>
'
The quote of "you'll" has been eaten by m4 and there is a spurious quote
on the last line, which is reported by setfiles. Fix this by removing
the quote in the comment.
Here is an example of a failed build on Travis-CI:
https://travis-ci.org/fishilico/selinux-refpolicy-patched/jobs/205951446
userdomains should not alter labels of kernel pseudo filesystems, but allowing setfiles/restorecon(d) to check the contexts helps spotting incorrect labels
When you merged the mon patch you removed the ability for mon_t to execute
lib_t files.
The following patch re-enables the ability to execute alert scripts.
Since 8e01472078763ebc1eaea089a1adab75dd982ccd, it's possible to use
genfscon for sysfs.
This patch should help to deprecate distribution specific call to
restorecon or tmpfiles to restore /sys/devices/system/cpu/online during
boot.
Thanks to Dominick for the tip.
Some policy modules define file contexts in /bin, /sbin and /lib without
defining similar file contexts in the same directory under /usr.
Add these missing file contexts when there are outside ifdef blocks.
This patch adds missing permissions in the kernel module that prevent
to run it without the unconfined module.
This second version improves the comment section of new interfaces:
"Domain" is replaced by "Domain allowed access".
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Interface fs_register_binary_executable_type allow registering
interpreters using a filesystem monted on /proc/sys/fs/binfmt_misc. In
order to access this filesystem, the process needs to search every
parent directory of the mountpoint.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Remove file context aliases and update file context paths to use the /run filesystem path.
Add backward compatibility file context alias for /var/run using applications like https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783321
Lock files are still seated at /var/lock
The kernel_read_unix_sysctls() and kernel_rw_unix_sysctls() currenly
don't allow listing the /proc/sys/net/unix directory, contrary to the
other sysctl interfaces.
cgzones
Chris PeBenito
Nicolas Iooss
Russell Coker
Laurent Bigonville
Guido Trentalancia
Luis Ressel