From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: How to handle lots of executables buried in /usr
Date: Mon, 24 Nov 2003 17:44:55 -0500
Message-ID: <3FC289E7.30602@redhat.com>
In-Reply-To: <1069700405.8635.137.camel@moss-spartans.epoch.ncsc.mil>


Stephen Smalley wrote:

>On Mon, 2003-11-24 at 10:01, Daniel J Walsh wrote:
>  
>
>>I am seeing lots of errors in policy because of shell scripts and exes 
>>that are installed in subdirectories of /usr being marked as usr_t 
>>instead of bin_t.  What do you guys think of adding a script to be 
>>executed after make relabel that would find these files and change their 
>>context to bin_t?
>>
>>find /usr -perm +111 --context system_u:object_r:usr_t -type f \
>>    -exec chcon system_u:object_r:bin_t {} \; -print
>>
>>
>>Is this a bad idea?  I do notice that there are a lot of files marked 
>>executable by their install that are really not executable, but this 
>>would clean up several failures until the package installs are cleaned up.
>>
>
>It might be better to define multiple types for different groups of
>binaries, and only grant execute access as appropriate.
>
>As a side note, be careful about symlinks.  The above find construct
>will get the context of the symlink, but the chcon will set the context
>of the referenced file unless you specify -h.
>  
>
The -type f on the command line will ensure that it only gets files, not 
symlinks.

Dan
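
Added example, not part of the original messages: a dry-run version of the relabel pass discussed in this thread, run against a constructed sample tree to show how `-type f` and `chcon -h` treat a symlink to an executable. The function names and the sample tree are hypothetical; the `--context` filter from the thread is left out so the script runs on hosts without SELinux, and portable `-perm` tests stand in for `-perm +111`.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run selection of relabel candidates.
# Function names and the sample tree are hypothetical.

# Print regular files under DIR ($1) that have any execute bit set.
# find does not follow symlinks by default, so -type f tests the directory
# entry itself and a symlink to an executable is never listed.
list_candidates() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print | sort
}

# Print, without running them, the chcon commands for each candidate.
# $1 = directory, $2 = target SELinux type.
# -h (no-dereference) is kept as a second guard: if the selection were ever
# widened beyond -type f, chcon would label the link rather than its target.
# Assumes file names contain no newlines.
relabel_plan() {
    list_candidates "$1" | while IFS= read -r f; do
        printf 'chcon -h -t %s -- %s\n' "$2" "$f"
    done
}

# Build a constructed sample tree: one executable script, one plain file,
# and one symlink pointing at the executable. Prints the tree's path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/lib/app"
    printf '#!/bin/sh\n' > "$d/lib/app/run.sh"
    chmod 755 "$d/lib/app/run.sh"
    printf 'data\n' > "$d/lib/app/readme"
    chmod 644 "$d/lib/app/readme"
    ln -s run.sh "$d/lib/app/run-link"
    printf '%s\n' "$d"
}

# Usage: relabel_plan /usr bin_t    (prints commands only, changes nothing)
```

Reviewing the printed plan before running it also catches files that carry an execute bit but are not really executables.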
