
Re: SE Linux policy update



On Fri, 2011-03-11 at 23:21 +1100, Russell Coker wrote:
> The user friendly change list is that this makes USB flash storage devices 
> usable by default on the desktop, Iceweasel works correctly, upowerd is run 
> correctly in the devicekit_power_t domain, KDE mysqld access works, fetchmail 
> works as a daemon, Xen starts DomUs on boot, and NetworkManager and similar 
> programs (such as wicd) give more functionality.
>
> These are all serious updates that can be considered as "a truly critical 
> functionality problem" for some users.

"Truly critical for some users" is a fairly large set of issues,
particularly for small values of "some".  Have all of your proposed
changes been tested on Squeeze systems to ensure that they operate
correctly in that environment and don't introduce any regressions?

> I've attached a full diff between the version in Squeeze and my proposed 
> update.
> 
> Please let me know what else I have to do to get this included.
> 
>  refpolicy (2:0.2.20100524-8) unstable; urgency=low

For stable that will want to be -7+squeeze1 (or I suppose -8~squeeze1 if
you want and all of the fixes get acked).

>    * Add tunable user_manage_dos_files which defaults to true

What's the current behaviour?  All users can manage such files, or none
can?

>    * Correctly label /usr/lib/xulrunner-1.9.1/xulrunner-stub
>    * Allow mozilla to create directories under /tmp
>    * Use correct label for /usr/lib/libgconf2-4/gconfd-2 and load gnome.pp on
>      installation if libgconf2-4 is installed
>    * Use correct label for /usr/lib/upower/upowerd
>    * Dontaudit bind_t write attempts to / for lwresd calling access(".", W_OK)

"Don't audit"

>    * Allow user domains to execute mysqld_exec_t, for KDE
>    * Allow user_dbusd_t to execute gconfd_exec_t in user_gconfd_t.

That's this change?

+
+       optional_policy(`
+               gnome_role($2, $1_dbusd_t)
+       ')
 ')
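
Review bot: the added gnome_role($2, $1_dbusd_t) call applies an interface that, going by its name, is role-wide and not limited to gconfd, while the changelog line describes only "Allow user_dbusd_t to execute gconfd_exec_t in user_gconfd_t". Either reword the changelog entry to say that gnome_role is applied to the per-role dbusd domain, or use an interface limited to the gconfd transition, so that a stable-release reviewer can see exactly which permissions the session bus daemon gains. The optional_policy wrapper is appropriate, since it lets the enclosing block still build when the gnome module is absent.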

Apologies if I'm missing something, but that doesn't appear to be
gconfd-specific at all.

[...]

diff -ru /tmp/t/refpolicy//policy/modules/kernel/files.fc ./policy/modules/kernel/files.fc
--- /tmp/t/refpolicy//policy/modules/kernel/files.fc    2011-03-11 23:19:40.372420590 +1100
+++ ./policy/modules/kernel/files.fc    2011-02-10 13:04:15.583492220 +1100
@@ -119,7 +119,7 @@
 #
 # Mount points; do not relabel subdirectories, since
 # we don't want to change any removable media by default.
-/media(/[^/]*)         -l      gen_context(system_u:object_r:mnt_t,s0)
+/media/[^/]*           -l      gen_context(system_u:object_r:mnt_t,s0)
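
Review bot: the removed and added patterns match the same paths, because the group in /media(/[^/]*) has no trailing ? and is therefore mandatory, so the -l entry labels the same first-level symlinks under /media before and after. With no changelog item referring to it, drop this hunk from the stable upload or add an entry explaining what it is meant to fix. The --- file is dated 2011-03-11 and the +++ file 2011-02-10, so it is also worth confirming that the diff was generated in the intended direction.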

Is this part of one of the items mentioned in the changelog?  If so,
which one?  My possibly naive assumption was that the above is a no-op
change.

diff -ru /tmp/t/refpolicy//policy/modules/services/mysql.te ./policy/modules/services/mysql.te
--- /tmp/t/refpolicy//policy/modules/services/mysql.te  2011-03-11 23:19:40.360430274 +1100
+++ ./policy/modules/services/mysql.te  2011-02-09 10:18:33.395481018 +1100
@@ -242,3 +242,4 @@
 miscfiles_read_localization(mysqlmanagerd_t)
 
 userdom_getattr_user_home_dirs(mysqlmanagerd_t)
+
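
Review bot: the only change in this hunk is the blank line appended after userdom_getattr_user_home_dirs(mysqlmanagerd_t), which has no effect on the policy. Drop it from the stable diff; if the changelog item "Allow user domains to execute mysqld_exec_t, for KDE" was meant to touch mysql.te, that rule is missing here.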

Was there supposed to be a change included there, other than the
presumably spuriously added newline?

Regards,

Adam

