Stephen Smalley wrote:

>On Mon, 2003-11-24 at 10:01, Daniel J Walsh wrote:
>
>>I am seeing lots of errors in policy because of shell scripts and exes
>>that are installed in subdirectories of /usr being marked as usr_t
>>instead of bin_t. What do you guys think of adding a script to be
>>executed after make relabel that would find these files and change their
>>context to bin_t.
>>
>>find /usr -perm +111 --context system_u:object_r:usr_t -type f -exec chcon \
>>system_u:object_r:bin_t {} \; -print
>>
>>Is this a bad idea? I do notice that there are a lot of files marked
>>executable by their install that are really not executable, but this
>>would clean up several failures until the package installs are cleaned up.
>
>It might be better to define multiple types for different groups of
>binaries, and only grant execute access as appropriate.
>
>As a side note, be careful about symlinks. The above find construct
>will get the context of the symlink, but the chcon will set the context
>of the referenced file unless you specify -h.

The -type f on the command line will ensure that it only gets files, not symlinks.

Dan
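
The find-then-chcon pass discussed in this thread, as an added example that is not code from either poster: it assumes GNU find and coreutils, defaults to a dry run, and the function names are hypothetical. It keeps the `-type f` test and also passes `-h` to chcon, so a symlink is neither matched nor followed.

```shell
#!/bin/sh
# Added example: relabel executable regular files typed usr_t to bin_t.
# Assumes GNU find/coreutils; function names are hypothetical.
# Assumes file names contain no newlines (one path is read per line).

# list_exec_files DIR: print regular files with any execute bit set.
# find does not follow symlinks by default, so -type f tests the link
# itself and a symlink pointing at an executable is never matched.
list_exec_files() {
    find "$1" -type f -perm /111 -print
}

# file_type PATH: print the type field (third field) of PATH's own
# SELinux label. Prints nothing useful on a host without SELinux.
file_type() {
    stat -c %C "$1" 2>/dev/null | cut -d: -f3
}

# relabel_usr_exec DIR [apply]: report what would change; only the
# literal argument "apply" actually calls chcon.
relabel_usr_exec() {
    dir=$1
    mode=${2:-dry-run}
    list_exec_files "$dir" | while IFS= read -r f; do
        # Touch only files still carrying the generic usr_t type.
        [ "$(file_type "$f")" = usr_t ] || continue
        if [ "$mode" = apply ]; then
            # -h: change the named path itself, never a link target.
            chcon -h -t bin_t -- "$f" && echo "relabeled $f"
        else
            echo "would relabel $f"
        fi
    done
}

# Typical use on an SELinux host:
#   relabel_usr_exec /usr          # dry run, review the list first
#   relabel_usr_exec /usr apply    # perform the relabel
```

Reviewing the dry-run list first matters here because, as the original post notes, many files are marked executable by their installers without really being executables.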