From: guido@trentalancia.com (Guido Trentalancia) Date: Wed, 15 Aug 2012 09:27:50 +0200 Subject: [refpolicy] [PATCH]: force a label on the fc_sort executable In-Reply-To: <50215AF1.9010303@redhat.com> References: <201208050106.q7516Vog005937@vivaldi08.register.it> <5021546A.1080603@tresys.com> <5021585F.2030401@trentalancia.com> <50215AF1.9010303@redhat.com> Message-ID: <502B4F76.3080800@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello Daniel. On 07/08/2012 20:14, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 08/07/2012 02:03 PM, Guido Trentalancia wrote: >> On 07/08/2012 19:46, Christopher J. PeBenito wrote: >>> On 08/04/12 21:06, Guido Trentalancia wrote: >>>> Force a bin_t label on the fc_sort executable after creating it, to >>>> avoid possible execution denials under certain conditions. >>>> >>>> Signed-off-by: Guido Trentalancia --- Makefile >>>> | 1 + 1 file changed, 1 insertion(+) >>>> >>>> --- refpolicy-04062012/Makefile 2012-05-29 21:13:09.413703575 +0200 +++ >>>> refpolicy-04062012-chcon-fc_sort/Makefile 2012-08-04 21:35:57.396092798 >>>> +0200 @@ -400,6 +400,7 @@ $(mod_conf) $(booleans): $(polxml) # >>>> $(fcsort) : $(support)/fc_sort.c $(verbose) $(CC) $(CFLAGS) $^ -o $@ + >>>> chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort >>>> >>>> ######################################## # >>> >>> I'm not sure this actually is a good choice because this may be done on a >>> different system than where the policy will be deployed. It may have a >>> different policy running or even SELinux disabled. >> >> It doesn't matter whether the policy is deployed elsewhere (this is not >> being discussed as the problem might be executing fc_sort for building the >> policy). >> >> It's easy to check if SELinux is enabled (getenforce | grep -q Enforcing && >> chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort). Or perhaps have it >> just failing silently. >> >> Regards, >> >> Guido >> >> _______________________________________________ refpolicy mailing list >> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy >> > > selinuxenabeled && chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort). > > Would be better... It's not strictly needed though, as make as an option for let Makefile commands fail silently. Here a revised version of the patch: Force a bin_t label on the fc_sort executable after creating it, to avoid possible execution denials under certain conditions (such as building under an enforced modular policy without the unconfineduser module). Fail silently if SELinux is not enabled. Signed-off-by: Guido Trentalancia --- Makefile | 1 + 1 file changed, 1 insertion(+) --- refpolicy-04062012/Makefile 2012-05-29 21:13:09.413703575 +0200 +++ refpolicy-04062012-chcon-fc_sort/Makefile 2012-08-04 21:35:57.396092798 +0200 @@ -400,6 +400,7 @@ $(mod_conf) $(booleans): $(polxml) # $(fcsort) : $(support)/fc_sort.c $(verbose) $(CC) $(CFLAGS) $^ -o $@ + -chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort ######################################## #