2014-04-14 21:15:07

by Nicolas Iooss

Subject: [refpolicy] [PATCH] Label /usr/lib/getconf as bin_t

On ArchLinux, the glibc package installs /usr/bin/getconf as a hard link to a file
in /usr/lib/getconf/. For example, on an x86_64 machine:

$ ls -i -l /usr/bin/getconf /usr/lib/getconf/XBS5_LP64_OFF64
5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/bin/getconf
5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/lib/getconf/XBS5_LP64_OFF64

Such a configuration produces an instability when labeling the files with
"restorecon -Rv /":

restorecon reset /usr/bin/getconf context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:bin_t:s0
restorecon reset /usr/lib/getconf/XBS5_LP64_OFF64 context unconfined_u:object_r:bin_t:s0->unconfined_u:object_r:lib_t:s0

As the /usr/lib/getconf directory only contains executable programs, this issue is
fixed by labeling this directory and its content "bin_t".
---
policy/modules/kernel/corecommands.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index acc9ddc..096c4fd 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -209,6 +209,7 @@ ifdef(`distro_gentoo',`
/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/getconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/lib/git-core(/.*) -- gen_context(system_u:object_r:bin_t,s0)
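Review bot: the `ifdef(`distro_gentoo',`` in the hunk header is only git's nearest preceding function-style context line, so confirm that the new `/usr/lib/getconf(/.*)?` entry lands outside any distro-conditional block; the reported problem is on Arch Linux and the hard link between /usr/bin/getconf and /usr/lib/getconf/XBS5_LP64_OFF64 needs both paths to resolve to bin_t unconditionally for restorecon to converge. Omitting the `--` class specifier, as the neighbouring `/usr/lib/emacsen-common/.*` entry does, is right here since the commit message wants the directory itself labeled bin_t as well; entries such as `/usr/lib/dpkg/.+ --` that keep the specifier would leave the directory at lib_t.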
--
1.9.1

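The instability the patch message describes is general: SELinux stores the label on the inode, but file_contexts matches on the path, so any hard link whose paths resolve to different types is relabeled on every restorecon pass. The Python below is an added example, not code from refpolicy or libselinux: it audits a constructed file_contexts fragment for hard-link groups whose paths get different types, using a simplified model of spec matching (the `--`/`-d` class specifiers are honoured, the spec with the longest literal prefix wins, and a later entry breaks ties, which approximates the specificity ordering fc_sort and libselinux apply). The table fragment, the hard-link group and the helper names `parse_fc`, `lookup` and `hardlink_conflicts` are assumptions made for this example.

```python
import re

# Constructed fragment of a compiled file_contexts table in refpolicy .fc
# syntax (assumption for this example; the real table has far more entries).
# The /usr/lib/getconf line in FC_AFTER is the entry the patch adds.
FC_BEFORE = """\
/usr/bin(/.*)?                   gen_context(system_u:object_r:bin_t,s0)
/usr/lib(/.*)?                   gen_context(system_u:object_r:lib_t,s0)
/usr/lib/dpkg/.+         --      gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.*       gen_context(system_u:object_r:bin_t,s0)
"""
FC_AFTER = FC_BEFORE + (
    "/usr/lib/getconf(/.*)?           gen_context(system_u:object_r:bin_t,s0)\n"
)

# Constructed hard-link group, as `find / -xdev -type f -links +1` and
# `ls -i` would report it: inode number -> paths sharing that inode.
HARDLINKS = {
    5900355: ["/usr/bin/getconf", "/usr/lib/getconf/XBS5_LP64_OFF64"],
}

# File-class specifiers used in .fc files (subset relevant here).
CLASS_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
               "-b": "blk", "-s": "sock", "-p": "fifo"}

_META = re.compile(r"[.^$?*+|()\[\]{}\\]")
_CTX = re.compile(r"gen_context\([^:]+:[^:]+:([^,]+),[^)]*\)")


def parse_fc(text):
    """Parse .fc lines into (regex, file_class_or_None, type) tuples."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, ctx = fields
            cls = CLASS_FLAGS[flag]
        elif len(fields) == 2:
            (regex, ctx), cls = fields, None
        else:
            raise ValueError("unparseable spec: " + line)
        m = _CTX.fullmatch(ctx)
        if m is None:
            raise ValueError("unparseable context: " + ctx)
        specs.append((regex, cls, m.group(1)))
    return specs


def literal_prefix(regex):
    """Part of the regex before its first metacharacter (the 'stem')."""
    m = _META.search(regex)
    return regex if m is None else regex[: m.start()]


def lookup(specs, path, file_class="file"):
    """Type assigned to `path`, or None if no spec matches.

    Simplified model of selabel_file: skip specs whose class specifier does
    not match, then prefer the longest literal prefix; among equal prefixes
    the later entry wins (the order fc_sort produces so that libselinux's
    last-match-wins picks the most specific spec).
    """
    best, best_key = None, None
    for idx, (regex, cls, typ) in enumerate(specs):
        if cls is not None and cls != file_class:
            continue
        if re.fullmatch(regex, path) is None:
            continue
        key = (len(literal_prefix(regex)), idx)
        if best_key is None or key > best_key:
            best, best_key = typ, key
    return best


def hardlink_conflicts(specs, hardlinks):
    """{inode: {path: type}} for inodes whose paths resolve to different types.

    Such an inode can never settle: restorecon relabels it once per path.
    """
    conflicts = {}
    for inode, paths in hardlinks.items():
        labels = {p: lookup(specs, p) for p in paths}
        if len(set(labels.values())) > 1:
            conflicts[inode] = labels
    return conflicts


if __name__ == "__main__":
    for name, table in (("before patch", FC_BEFORE), ("after patch", FC_AFTER)):
        print(name, hardlink_conflicts(parse_fc(table), HARDLINKS))
```

Run against a real system, the hard-link groups would come from `find / -xdev -type f -links +1 -printf '%i %p\n'` and the types from `matchpathcon`; the script's own matcher stands in for the latter so the check runs offline.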

2014-04-21 14:17:31

by cpebenito

Subject: [refpolicy] [PATCH] Label /usr/lib/getconf as bin_t

On 04/14/2014 05:15 PM, Nicolas Iooss wrote:
> On ArchLinux, the glibc package installs /usr/bin/getconf as a hard link to a file
> in /usr/lib/getconf/. For example, on an x86_64 machine:
>
> $ ls -i -l /usr/bin/getconf /usr/lib/getconf/XBS5_LP64_OFF64
> 5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/bin/getconf
> 5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/lib/getconf/XBS5_LP64_OFF64
>
> Such a configuration produces an instability when labeling the files with
> "restorecon -Rv /":
>
> restorecon reset /usr/bin/getconf context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:bin_t:s0
> restorecon reset /usr/lib/getconf/XBS5_LP64_OFF64 context unconfined_u:object_r:bin_t:s0->unconfined_u:object_r:lib_t:s0
>
> As the /usr/lib/getconf directory only contains executable programs, this issue is
> fixed by labeling this directory and its content "bin_t".
> ---
> policy/modules/kernel/corecommands.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> index acc9ddc..096c4fd 100644
> --- a/policy/modules/kernel/corecommands.fc
> +++ b/policy/modules/kernel/corecommands.fc
> @@ -209,6 +209,7 @@ ifdef(`distro_gentoo',`
> /usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/getconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
> /usr/lib/git-core(/.*) -- gen_context(system_u:object_r:bin_t,s0)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com