[refpolicy] [PATCH] Label /usr/lib/getconf as bin

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] [PATCH] Label /usr/lib/getconf as bin_t
@ 2014-04-14 21:15 Nicolas Iooss
  2014-04-21 14:17 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Nicolas Iooss @ 2014-04-14 21:15 UTC (permalink / raw)
  To: refpolicy

On ArchLinux, glibc package installs /usr/bin/getconf as a hard link to a file
in /usr/lib/getconf/.  For example on a x86_64 machine:

    $ ls -i -l /usr/bin/getconf /usr/lib/getconf/XBS5_LP64_OFF64
    5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/bin/getconf
    5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/lib/getconf/XBS5_LP64_OFF64

Such configuration produces an instability when labeling the files with
"restorecon -Rv /":

    restorecon reset /usr/bin/getconf context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:bin_t:s0
    restorecon reset /usr/lib/getconf/XBS5_LP64_OFF64 context unconfined_u:object_r:bin_t:s0->unconfined_u:object_r:lib_t:s0

As /usr/lib/getconf directory only contains executable programs, this issue is
fixed by labeling this directory and its content "bin_t".
---
 policy/modules/kernel/corecommands.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index acc9ddc..096c4fd 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -209,6 +209,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/cyrus-imapd/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/getconf(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gimp/.*/plug-ins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/lib/git-core(/.*)		--	gen_context(system_u:object_r:bin_t,s0)
-- 
1.9.1

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* [refpolicy] [PATCH] Label /usr/lib/getconf as bin_t
  2014-04-14 21:15 [refpolicy] [PATCH] Label /usr/lib/getconf as bin_t Nicolas Iooss
@ 2014-04-21 14:17 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2014-04-21 14:17 UTC (permalink / raw)
  To: refpolicy

On 04/14/2014 05:15 PM, Nicolas Iooss wrote:
> On ArchLinux, glibc package installs /usr/bin/getconf as a hard link to a file
> in /usr/lib/getconf/.  For example on a x86_64 machine:
> 
>     $ ls -i -l /usr/bin/getconf /usr/lib/getconf/XBS5_LP64_OFF64
>     5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/bin/getconf
>     5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/lib/getconf/XBS5_LP64_OFF64
> 
> Such configuration produces an instability when labeling the files with
> "restorecon -Rv /":
> 
>     restorecon reset /usr/bin/getconf context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:bin_t:s0
>     restorecon reset /usr/lib/getconf/XBS5_LP64_OFF64 context unconfined_u:object_r:bin_t:s0->unconfined_u:object_r:lib_t:s0
> 
> As /usr/lib/getconf directory only contains executable programs, this issue is
> fixed by labeling this directory and its content "bin_t".
> ---
>  policy/modules/kernel/corecommands.fc | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> index acc9ddc..096c4fd 100644
> --- a/policy/modules/kernel/corecommands.fc
> +++ b/policy/modules/kernel/corecommands.fc
> @@ -209,6 +209,7 @@ ifdef(`distro_gentoo',`
>  /usr/lib/cyrus-imapd/.*		--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/getconf(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/gimp/.*/plug-ins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
>  /usr/lib/git-core(/.*)		--	gen_context(system_u:object_r:bin_t,s0)
 
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2014-04-21 14:17 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-04-14 21:15 [refpolicy] [PATCH] Label /usr/lib/getconf as bin_t Nicolas Iooss
2014-04-21 14:17 ` Christopher J. PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.