2012-08-05 01:06:31

by Guido Trentalancia

Subject: [refpolicy] [PATCH]: force a label on the fc_sort executable

Force a bin_t label on the fc_sort executable after creating it, to avoid possible
execution denials under certain conditions.

Signed-off-by: Guido Trentalancia <[email protected]>
---
Makefile | 1 +
1 file changed, 1 insertion(+)

--- refpolicy-04062012/Makefile 2012-05-29 21:13:09.413703575 +0200
+++ refpolicy-04062012-chcon-fc_sort/Makefile 2012-08-04 21:35:57.396092798 +0200
@@ -400,6 +400,7 @@ $(mod_conf) $(booleans): $(polxml)
#
$(fcsort) : $(support)/fc_sort.c
$(verbose) $(CC) $(CFLAGS) $^ -o $@
+ chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort

########################################
#
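Review bot: The added `chcon` line in the `$(fcsort)` rule is unguarded, so any non-zero exit (SELinux disabled on the build host, a running policy that does not define `bin_t`, or a build user without permission to relabel) aborts the build right after a successful compile. The line also names `$(tmpdir)/fc_sort` while the compile line above it writes to `$@`; using `$@` would keep the two in step if `$(fcsort)` is ever pointed elsewhere. It drops the `$(verbose)` prefix that the compile line carries, so it is echoed even in quiet builds. Consider guarding the command on SELinux being enabled and writing it as `$(verbose) chcon ... $@`.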



2012-08-07 17:46:18

by cpebenito

Subject: [refpolicy] [PATCH]: force a label on the fc_sort executable

On 08/04/12 21:06, Guido Trentalancia wrote:
> Force a bin_t label on the fc_sort executable after creating it, to avoid possible
> execution denials under certain conditions.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> Makefile | 1 +
> 1 file changed, 1 insertion(+)
>
> --- refpolicy-04062012/Makefile 2012-05-29 21:13:09.413703575 +0200
> +++ refpolicy-04062012-chcon-fc_sort/Makefile 2012-08-04 21:35:57.396092798 +0200
> @@ -400,6 +400,7 @@ $(mod_conf) $(booleans): $(polxml)
> #
> $(fcsort) : $(support)/fc_sort.c
> $(verbose) $(CC) $(CFLAGS) $^ -o $@
> + chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort
>
> ########################################
> #

I'm not sure this actually is a good choice because this may be done on a different system than where the policy will be deployed. It may have a different policy running or even SELinux disabled.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-08-07 18:03:11

by Guido Trentalancia

Subject: [refpolicy] [PATCH]: force a label on the fc_sort executable

On 07/08/2012 19:46, Christopher J. PeBenito wrote:
> On 08/04/12 21:06, Guido Trentalancia wrote:
>> Force a bin_t label on the fc_sort executable after creating it, to avoid possible
>> execution denials under certain conditions.
>>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> Makefile | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> --- refpolicy-04062012/Makefile 2012-05-29 21:13:09.413703575 +0200
>> +++ refpolicy-04062012-chcon-fc_sort/Makefile 2012-08-04 21:35:57.396092798 +0200
>> @@ -400,6 +400,7 @@ $(mod_conf) $(booleans): $(polxml)
>> #
>> $(fcsort) : $(support)/fc_sort.c
>> $(verbose) $(CC) $(CFLAGS) $^ -o $@
>> + chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort
>>
>> ########################################
>> #
>
> I'm not sure this actually is a good choice because this may be done on a different system than where the policy will be deployed. It may have a different policy running or even SELinux disabled.

It doesn't matter whether the policy is deployed elsewhere (this is not
being discussed as the problem might be executing fc_sort for building
the policy).

It's easy to check if SELinux is enabled (getenforce | grep -q Enforcing
&& chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort). Or perhaps have
it just fail silently.

Regards,

Guido

2012-08-07 18:14:09

by Daniel Walsh

Subject: [refpolicy] [PATCH]: force a label on the fc_sort executable


On 08/07/2012 02:03 PM, Guido Trentalancia wrote:
> On 07/08/2012 19:46, Christopher J. PeBenito wrote:
>> On 08/04/12 21:06, Guido Trentalancia wrote:
>>> Force a bin_t label on the fc_sort executable after creating it, to
>>> avoid possible execution denials under certain conditions.
>>>
>>> Signed-off-by: Guido Trentalancia <[email protected]> --- Makefile
>>> | 1 + 1 file changed, 1 insertion(+)
>>>
>>> --- refpolicy-04062012/Makefile 2012-05-29 21:13:09.413703575 +0200 +++
>>> refpolicy-04062012-chcon-fc_sort/Makefile 2012-08-04 21:35:57.396092798
>>> +0200 @@ -400,6 +400,7 @@ $(mod_conf) $(booleans): $(polxml) #
>>> $(fcsort) : $(support)/fc_sort.c $(verbose) $(CC) $(CFLAGS) $^ -o $@ +
>>> chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort
>>>
>>> ######################################## #
>>
>> I'm not sure this actually is a good choice because this may be done on a
>> different system than where the policy will be deployed. It may have a
>> different policy running or even SELinux disabled.
>
> It doesn't matter whether the policy is deployed elsewhere (this is not
> being discussed as the problem might be executing fc_sort for building the
> policy).
>
> It's easy to check if SELinux is enabled (getenforce | grep -q Enforcing &&
> chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort). Or perhaps have it
> just fail silently.
>
> Regards,
>
> Guido
>
>

selinuxenabled && chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort

Would be better...


2012-08-15 07:27:50

by Guido Trentalancia

Subject: [refpolicy] [PATCH]: force a label on the fc_sort executable

Hello Daniel.

On 07/08/2012 20:14, Daniel J Walsh wrote:
>
> On 08/07/2012 02:03 PM, Guido Trentalancia wrote:
>> On 07/08/2012 19:46, Christopher J. PeBenito wrote:
>>> On 08/04/12 21:06, Guido Trentalancia wrote:
>>>> Force a bin_t label on the fc_sort executable after creating it, to
>>>> avoid possible execution denials under certain conditions.
>>>>
>>>> Signed-off-by: Guido Trentalancia <[email protected]> --- Makefile
>>>> | 1 + 1 file changed, 1 insertion(+)
>>>>
>>>> --- refpolicy-04062012/Makefile 2012-05-29 21:13:09.413703575 +0200 +++
>>>> refpolicy-04062012-chcon-fc_sort/Makefile 2012-08-04 21:35:57.396092798
>>>> +0200 @@ -400,6 +400,7 @@ $(mod_conf) $(booleans): $(polxml) #
>>>> $(fcsort) : $(support)/fc_sort.c $(verbose) $(CC) $(CFLAGS) $^ -o $@ +
>>>> chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort
>>>>
>>>> ######################################## #
>>>
>>> I'm not sure this actually is a good choice because this may be done on a
>>> different system than where the policy will be deployed. It may have a
>>> different policy running or even SELinux disabled.
>>
>> It doesn't matter whether the policy is deployed elsewhere (this is not
>> being discussed as the problem might be executing fc_sort for building the
>> policy).
>>
>> It's easy to check if SELinux is enabled (getenforce | grep -q Enforcing &&
>> chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort). Or perhaps have it
>> just fail silently.
>>
>> Regards,
>>
>> Guido
>>
>>
>
> selinuxenabled && chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort
>
> Would be better...

It's not strictly needed though, as make has an option to let Makefile
commands fail silently.

Here is a revised version of the patch:

Force a bin_t label on the fc_sort executable after creating it, to avoid possible
execution denials under certain conditions (such as building under an enforced
modular policy without the unconfineduser module).

Fail silently if SELinux is not enabled.

Signed-off-by: Guido Trentalancia <[email protected]>
---
Makefile | 1 +
1 file changed, 1 insertion(+)

--- refpolicy-04062012/Makefile 2012-05-29 21:13:09.413703575 +0200
+++ refpolicy-04062012-chcon-fc_sort/Makefile 2012-08-04
21:35:57.396092798 +0200
@@ -400,6 +400,7 @@ $(mod_conf) $(booleans): $(polxml)
#
$(fcsort) : $(support)/fc_sort.c
$(verbose) $(CC) $(CFLAGS) $^ -o $@
+ -chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort

########################################
#
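Review bot: The leading `-` on the new `chcon` line only makes make ignore the exit status; it does not silence anything, so on a host without SELinux every build still prints chcon's error plus make's "Error ... (ignored)" line, which does not match the "fail silently" wording of the commit message. The same prefix also hides a genuine relabel failure on an enforcing build host, where the label is actually needed, so the later execution denial would appear with no hint of its cause. A guard on SELinux being enabled, as suggested earlier in the thread, would separate those two cases. Setting only the type with `chcon -t bin_t $@` would also avoid hard-coding the user, role and `s0` level, which may not be valid under the policy running on the build host.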