Here's the latest version of my patch to remove all /var/run when it's not
needed. I have removed the subst thing from the patch, but kept a
distro_debian bit that relies on it. So with this patch the policy won't
install if you build it with distro_debian unless you have my subst patch.
Chris, if your automated tests require that it build and install with
distro_debian then skip the patch for sysnetwork.fc.
From Russell Coker
The following patch adds dontaudit rules for where the net_admin capability
is requested due to SO_SNDBUFFORCE. This forces the caller to use SO_SNDBUF
which gives the same result but possibly a smaller buffer.
From Russell Coker
When using setfiles to validate file contexts of Debian modular policy
(with DISTRO=debian and MONOLITHIC=n), it fails with:
tmp/all_mods.fc: line 527 is missing fields
tmp/all_mods.fc: line 527 is missing fields
tmp/all_mods.fc: Invalid argument
Here is the content of tmp/all_mods.fc around line 527:
# this is a static /dev dir "backup mount"
# if you want to disable udev, youll have to boot permissive and relabel!
/dev/\.static -d system_u:object_r:device_t
/dev/\.static/dev -d system_u:object_r:device_t
/dev/\.static/dev/(.*)? <<none>>
'
The quote of "you'll" has been eaten by m4 and there is a spurious quote
on the last line, which is reported by setfiles. Fix this by removing
the quote in the comment.
Here is an example of a failed build on Travis-CI:
https://travis-ci.org/fishilico/selinux-refpolicy-patched/jobs/205951446
When I synchronized my personal policy with the git master branch, "git
rebase" merged the file contexts I have defined for some systemd
components with the ones which have recently been merged. This resulted
in duplicated file contexts in systemd.fc, which made the policy unable
to be loaded.
This issue has not been detected by "make validate" because this command
only verifies policy linking, not the correctness of the file contexts.
Moreover this behavior of "make validate" only happens when building a
modular policy. Indeed Rules.monolithic calls setfiles in order to
validate the file contexts:
validate: $(fc) $(polver)
@echo "Validating $(NAME) file_contexts."
$(verbose) $(SETFILES) -q -c $(polver) $(fc)
@echo "Success."
Invoke setfiles in Rules.modular too in order to catch issues in file
contexts with "make validate". With the issue I experienced, I would
have got the following message:
Validating policy file contexts.
/sbin/setfiles -q -c tmp/policy.bin tmp/all_mods.fc
tmp/all_mods.fc: Multiple same specifications for /run/systemd/machines(/.*)?.
tmp/all_mods.fc: Invalid argument
make: *** [Rules.modular:210: validate] Error 1
While at it, simplify .SECONDARY definition with a newly-introduced
$(all_mod_fc) variable.
* reorder file contexts
* rename getty_var_run_t into getty_runtime_t and getty_etc_t into getty_conf_t
* remove unneeded and confusing init permissions
* delete access on generic pids
* remove invalid etc filetrans: getty has no create permissions for its config files
* restrict logfile access
These are needed by several patches I'm about to send.
Description: some new interfaces for init/systemd
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-02-24
This patch defines rw_inherited_file_perms. It's needed by a few patches
I'm going to send soon so I need to get it in before they go in.
Also it's generally a good thing to have. We should reconsider some of the
other policy for whether it should use this.
