From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 21 Apr 2014 10:17:31 -0400
Subject: [refpolicy] [PATCH] Label /usr/lib/getconf as bin_t
In-Reply-To: <1397510107-5798-1-git-send-email-nicolas.iooss@m4x.org>
References: <1397510107-5798-1-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <5355287B.7030602@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/14/2014 05:15 PM, Nicolas Iooss wrote:
> On ArchLinux, the glibc package installs /usr/bin/getconf as a hard link to a file
> in /usr/lib/getconf/. For example, on an x86_64 machine:
>
> $ ls -i -l /usr/bin/getconf /usr/lib/getconf/XBS5_LP64_OFF64
> 5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/bin/getconf
> 5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/lib/getconf/XBS5_LP64_OFF64
>
> Such a configuration produces an instability when labeling the files with
> "restorecon -Rv /":
>
> restorecon reset /usr/bin/getconf context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:bin_t:s0
> restorecon reset /usr/lib/getconf/XBS5_LP64_OFF64 context unconfined_u:object_r:bin_t:s0->unconfined_u:object_r:lib_t:s0
>
> As the /usr/lib/getconf directory only contains executable programs, this issue is
> fixed by labeling this directory and its content "bin_t".
> ---
>  policy/modules/kernel/corecommands.fc | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> index acc9ddc..096c4fd 100644
> --- a/policy/modules/kernel/corecommands.fc
> +++ b/policy/modules/kernel/corecommands.fc
> @@ -209,6 +209,7 @@ ifdef(`distro_gentoo',`
> /usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/getconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
> /usr/lib/git-core(/.*) -- gen_context(system_u:object_r:bin_t,s0)

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
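Review bot: the added `/usr/lib/getconf(/.*)?` entry carries no `--` file-type flag, unlike the neighbouring `/usr/lib/cyrus-imapd/.*` and `/usr/lib/dpkg/.+` entries, so it labels the /usr/lib/getconf directory itself bin_t as well as the files inside it. That is the behaviour the commit message asks for ("labeling this directory and its content bin_t") and it is what the fix needs: /usr/bin/getconf and /usr/lib/getconf/XBS5_LP64_OFF64 share an inode, so both paths must resolve to the same type or restorecon keeps resetting the label on every pass. The entry is placed in alphabetical order between emacsen-common and gimp, consistent with the surrounding block; after rebuilding file_contexts, checking both paths with matchpathcon is the quick way to confirm they now agree.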
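The flip-flop Nicolas describes arises because two paths of one inode match different file-context entries. As an added example, not code from this thread or from refpolicy, the following Python parser reads entries in the gen_context format used in corecommands.fc, resolves a path to its SELinux type with a simplified precedence rule (longest literal stem first, then an explicit file-type flag, then the later entry; an assumed approximation of refpolicy's fc_sort ordering, not the exact libselinux algorithm), and reports hard-link groups whose paths resolve to different types, before and after the patch's getconf line. The `/usr/bin(/.*)?` and `/usr/lib(/.*)?` catch-all entries are constructed stand-ins for refpolicy's real rules.

```python
import re
# One refpolicy .fc entry: <path regex> [<file-type flag>] gen_context(<context>,<mls>)
FC_ENTRY = re.compile(r'^(\S+)\s+(?:(-[-bcdlps])\s+)?gen_context\(([^,\s]+),([^)\s]+)\)$')
META = re.compile(r'[.^$?*+|\[\](){}\\]')  # metacharacters that end a literal stem

# Constructed sample: two catch-all entries standing in for refpolicy's /usr/bin and
# /usr/lib rules (an assumption) plus three context lines from the hunk in the thread.
BASE_FC = """
/usr/bin(/.*)?                 gen_context(system_u:object_r:bin_t,s0)
/usr/lib(/.*)?                 gen_context(system_u:object_r:lib_t,s0)
/usr/lib/cyrus-imapd/.*     -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/lib/git-core(/.*)      -- gen_context(system_u:object_r:bin_t,s0)
"""
PATCH_LINE = "/usr/lib/getconf(/.*)? gen_context(system_u:object_r:bin_t,s0)\n"
# The two paths that share one inode in the ls -i output from the thread.
GETCONF_LINKS = [["/usr/bin/getconf", "/usr/lib/getconf/XBS5_LP64_OFF64"]]

def parse_fc(text):
    """Parse .fc text into (compiled regex, file-type flag or None, SELinux type, literal stem)."""
    specs = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line: continue
        m = FC_ENTRY.match(line)
        if not m: raise ValueError(f'unparsable fc entry: {raw!r}')
        path_re, ftype, ctx, _mls = m.groups()
        stem = META.split(path_re, 1)[0]  # literal prefix before the first metacharacter
        specs.append((re.compile('^' + path_re + '$'), ftype, ctx.split(':')[2], stem))
    return specs

def match_type(specs, path, is_dir=False):
    """Most specific match wins: longest literal stem, then explicit file-type flag, then later entry."""
    best = None
    for idx, (rx, ftype, setype, stem) in enumerate(specs):
        if not rx.match(path) or (ftype == '--' and is_dir) or (ftype == '-d' and not is_dir):
            continue
        key = (len(stem), ftype is not None, idx)
        if best is None or key > best[0]:
            best = (key, setype)
    return best[1] if best else None

def hardlink_label_conflicts(specs, groups):
    """Return the path -> type map of every hard-link group whose paths get different types."""
    conflicts = []
    for paths in groups:
        labels = {p: match_type(specs, p) for p in paths}
        if len(set(labels.values())) > 1:
            conflicts.append(labels)
    return conflicts
```

A non-empty result from `hardlink_label_conflicts` is exactly the condition that makes `restorecon -Rv /` reset the same inode back and forth; with the patch line appended, the getconf group resolves to bin_t on both paths.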