From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 13 Aug 2016 14:50:20 +0200
Subject: [refpolicy] [PATCH] fc_sort must be explicitly labeled as executable upon creation
In-Reply-To:
References: <1470669970.10405.3.camel@trentalancia.net>
Message-ID: <1471092620.21480.3.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher!

Thanks for getting back on this...

On Sat, 13/08/2016 at 08.32 -0400, Chris PeBenito wrote:
> On 08/08/16 11:26, Guido Trentalancia wrote:
> > Force a bin_t label on the fc_sort executable after creating it, to
> > avoid execution
> > denials (e.g. misplaced generic default labels).
> >
> > Signed-off-by: Guido Trentalancia
> > ---
> >  Makefile |    1 +
> >  1 file changed, 1 insertion(+)
> >
> > --- refpolicy-04062012/Makefile 2012-05-29 21:13:09.413703575 +0200
> > +++ refpolicy-04062012-chcon-fc_sort/Makefile 2012-08-04 21:35:57.396092798 +0200
> > @@ -400,6 +400,7 @@ $(mod_conf) $(booleans): $(polxml)
> >  #
> >  $(fcsort) : $(support)/fc_sort.c
> >  	$(verbose) $(CC) $(CFLAGS) $^ -o $@
> > +	chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort
> >
> >  ########################################
> >  #
>
> I'd prefer not to hard code any labeling into make targets except for
> those that are explicitly for labeling.

Can we determine it at runtime then? For example by using grep "^/bin/\." on the corecommands.fc file and then with a little bit more processing?

Otherwise the fc_sort binary cannot, in general, be executed!

Best regards,

Guido
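Review bot: the added chcon line in the $(fcsort) rule names `$(tmpdir)/fc_sort` explicitly while the compile line directly above writes to `$@`; if `fcsort` is ever defined differently the two paths diverge, so write `chcon ... $@` and give it the same `$(verbose)` prefix as the line above. Hard-coding the full context `system_u:object_r:bin_t:s0` also bakes in an MCS/MLS level, which is not a valid context on a policy built without MLS/MCS; `chcon -t bin_t $@` sets only the type and leaves the user, role and level the filesystem already assigned. Finally, chcon returns non-zero when the build host has SELinux disabled or the tmpdir filesystem does not carry labels, so as written the rule breaks `make` on such hosts; prefix the recipe line with `-` (or append `|| true`) if the relabel is best-effort. None of this answers Chris's point that a non-labeling target should not carry a labeling step at all.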
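Guido's suggestion of deriving the label from corecommands.fc at run time, worked out as an added shell example that is not part of this thread or of refpolicy. It parses a constructed fragment in refpolicy .fc source syntax (SAMPLE_FC, not the real file), extracts the type from the gen_context() macro of the exact `/bin/.*` spec, and applies only that type with `chcon -t`. The function names and the sample lines are assumptions made here.

```shell
#!/bin/sh
# Added example (not refpolicy code): derive the /bin/.* type from a
# corecommands.fc-style file at run time instead of hard-coding bin_t.

# Constructed sample in refpolicy .fc source syntax; not the real file.
SAMPLE_FC='/bin            -d  gen_context(system_u:object_r:bin_t,s0)
/bin/.*             gen_context(system_u:object_r:bin_t,s0)
/bin/d?ash      --  gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/.*         gen_context(system_u:object_r:bin_t,s0)'

# bin_type_from_fc FC_FILE
# Print the type from the gen_context() of the exact "/bin/.*" spec.
# The path spec is field 1; an optional file-type flag (-d, --, ...)
# may sit in field 2, so the macro is located by scanning the fields.
bin_type_from_fc() {
    awk '$1 == "/bin/.*" {
        for (i = 2; i <= NF; i++) {
            if (index($i, "gen_context(") == 1) {
                ctx = substr($i, 13)        # drop "gen_context("
                sub(/[,)].*$/, "", ctx)     # keep "user:role:type"
                split(ctx, f, ":")
                print f[3]
                exit
            }
        }
    }' "$1"
}

# relabel_like_bin FC_FILE TARGET
# Set only the type on TARGET (chcon -t), so the user, role and MLS/MCS
# level already on the file stay untouched and the call is valid on
# policies with or without levels. Fails if no /bin/.* entry exists.
relabel_like_bin() {
    t=$(bin_type_from_fc "$1")
    if [ -z "$t" ]; then
        echo "no /bin/.* entry found in $1" >&2
        return 1
    fi
    chcon -t "$t" "$2"
}

# Stand-alone demonstration on the constructed sample (no chcon call,
# so it also runs on a host without SELinux).
fc=$(mktemp)
printf '%s\n' "$SAMPLE_FC" > "$fc"
echo "/bin/.* maps to type: $(bin_type_from_fc "$fc")"
rm -f "$fc"
```

In a Makefile recipe this would be called as `relabel_like_bin policy/modules/kernel/corecommands.fc $@` after the compile step. Note that it still puts a labeling step inside a target that is not about labeling, which is the objection raised in the reply; what it removes is only the hard-coded type and level.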