From mboxrd@z Thu Jan 1 00:00:00 1970
From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 07 Aug 2012 14:14:09 -0400
Subject: [refpolicy] [PATCH]: force a label on the fc_sort executable
In-Reply-To: <5021585F.2030401@trentalancia.com>
References: <201208050106.q7516Vog005937@vivaldi08.register.it> <5021546A.1080603@tresys.com> <5021585F.2030401@trentalancia.com>
Message-ID: <50215AF1.9010303@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/07/2012 02:03 PM, Guido Trentalancia wrote:
> On 07/08/2012 19:46, Christopher J. PeBenito wrote:
>> On 08/04/12 21:06, Guido Trentalancia wrote:
>>> Force a bin_t label on the fc_sort executable after creating it, to
>>> avoid possible execution denials under certain conditions.
>>>
>>> Signed-off-by: Guido Trentalancia
>>> ---
>>>  Makefile | 1 +
>>>  1 file changed, 1 insertion(+)
>>>
>>> --- refpolicy-04062012/Makefile 2012-05-29 21:13:09.413703575 +0200 +++
>>> refpolicy-04062012-chcon-fc_sort/Makefile 2012-08-04 21:35:57.396092798
>>> +0200
>>> @@ -400,6 +400,7 @@ $(mod_conf) $(booleans): $(polxml) #
>>> $(fcsort) : $(support)/fc_sort.c $(verbose) $(CC) $(CFLAGS) $^ -o $@ +
>>> chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort
>>>
>>> ######################################## #
>>
>> I'm not sure this actually is a good choice because this may be done on a
>> different system than where the policy will be deployed. It may have a
>> different policy running or even SELinux disabled.
>
> It doesn't matter whether the policy is deployed elsewhere (this is not
> being discussed as the problem might be executing fc_sort for building the
> policy).
>
> It's easy to check if SELinux is enabled (getenforce | grep -q Enforcing &&
> chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort). Or perhaps have it
> just failing silently.
>
> Regards,
>
> Guido
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>

selinuxenabled && chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort). Would
be better...
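Review bot: the added `chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort` runs unconditionally, so on a build host where SELinux is disabled, or where the running policy does not accept that context (a non-MLS/MCS policy has no `:s0` field, for instance), chcon exits non-zero and make aborts an otherwise good build; as the thread suggests, guard it with `selinuxenabled && chcon ...` and prefix the recipe line with `-` (or append `|| true`) so a failed relabel is a warning rather than a build failure. Two smaller points: the compile writes to `$@` while the relabel names `$(tmpdir)/fc_sort`, so use `$@` in the chcon line as well to keep the two from drifting apart; and the patch as quoted has been re-wrapped by the mailer (the `+` is detached from `chcon`), so it will not apply as-is and should be resent with flowed formatting off or as an attachment.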
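The guarded relabel that Guido and Dan discuss, written out as an added example (not code from this thread or from refpolicy): a small POSIX sh helper a Makefile recipe could call, which skips the chcon when SELinux is not enabled and reports, but does not abort, a failed relabel. The SELINUXENABLED and CHCON override variables, the label_if_selinux function name and the script path are my own assumptions so that every path can be exercised on a host without SELinux.

```shell
#!/bin/sh
# Added example (not from the refpolicy thread): relabel a freshly built
# helper such as fc_sort as bin_t only when SELinux is enabled, and never let
# the relabel itself abort the build.
# SELINUXENABLED and CHCON are assumed override points (defaults are the real
# tools) so the skip and failure paths can be tested on a non-SELinux host.
SELINUXENABLED="${SELINUXENABLED:-selinuxenabled}"
CHCON="${CHCON:-chcon}"

# label_if_selinux FILE CONTEXT
# Exit status: 0 = relabeled, 2 = skipped because SELinux is not enabled
# (selinuxenabled absent or returning non-zero), 3 = chcon failed, e.g. the
# context is not valid under the policy running on the build host.
label_if_selinux() {
    file="$1"
    ctx="$2"
    if ! command -v "$SELINUXENABLED" >/dev/null 2>&1 \
       || ! "$SELINUXENABLED" >/dev/null 2>&1; then
        echo "label_if_selinux: SELinux not enabled, leaving $file as built" >&2
        return 2
    fi
    if ! "$CHCON" "$ctx" "$file" >/dev/null 2>&1; then
        echo "label_if_selinux: warning: chcon $ctx $file failed" >&2
        return 3
    fi
    return 0
}

# Standalone use: label_if_selinux.sh path/to/fc_sort [context]
if [ $# -gt 0 ]; then
    label_if_selinux "$1" "${2:-system_u:object_r:bin_t:s0}"
fi
```

From the Makefile the recipe can invoke it as `-$(SHELL) support/label_if_selinux.sh $@` (the leading `-` tells make to ignore the helper's exit status); the script location is an assumption.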