From: guido@trentalancia.net (guido guido)
Date: Sat, 13 Aug 2016 18:08:44 +0200 (CEST)
Subject: [refpolicy] [PATCH] fc_sort must be explicitly labeled as executable upon creation
In-Reply-To: <41868e4e-b084-eae3-80c0-a3fe4cf2fc26@ieee.org>
References: <1470669970.10405.3.camel@trentalancia.net> <1471092620.21480.3.camel@trentalancia.net> <41868e4e-b084-eae3-80c0-a3fe4cf2fc26@ieee.org>
Message-ID: <1860468357.5602.1471104524357.JavaMail.open-xchange@popper04.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Chris.

> On 13th August 2016 at 15.00 Chris PeBenito wrote:
>
> > On Sat, 13/08/2016 at 08.32 -0400, Chris PeBenito wrote:
> >> On 08/08/16 11:26, Guido Trentalancia wrote:
> >>> Force a bin_t label on the fc_sort executable after creating it, to
> >>> avoid execution
> >>> denials (e.g. misplaced generic default labels).
> >>>
> >>> Signed-off-by: Guido Trentalancia
> >>> ---
> >>> Makefile | 1 +
> >>> 1 file changed, 1 insertion(+)
> >>>
> >>> --- refpolicy-04062012/Makefile 2012-05-29
> >>> 21:13:09.413703575 +0200
> >>> +++ refpolicy-04062012-chcon-fc_sort/Makefile 2012-08-04
> >>> 21:35:57.396092798 +0200
> >>> @@ -400,6 +400,7 @@ $(mod_conf) $(booleans): $(polxml)
> >>> #
> >>> $(fcsort) : $(support)/fc_sort.c
> >>> $(verbose) $(CC) $(CFLAGS) $^ -o $@
> >>> + chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort
> >>>
> >>> ########################################
> >>> #
> >>
> >> I'd prefer not to hard code any labeling into make targets except
> >> for
> >> those that are explicitly for labeling.
> >
> > Can we determine it at runtime then?
> >
> > For example by using grep "^/bin/\." on the corecommands.fc file and
> > then with a little bit more processing?
> >
> > Otherwise the fc_sort binary cannot, in general, be executed!
>
> I don't want to make assumptions about where the policy is being
> compiled. I don't think that you can assume it is not executable, in
> general. e.g. if I build refpolicy in my home dir, then I can execute
> fc_sort, and in that case you may not even be able to chcon to bin_t.

As far as I know, system-wide sources are usually installed in /usr/src...

That's why I suppose it ends up mislabeling the executable file context in most cases...

What do you say?

Regards,

Guido
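Review bot: the added `chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort` recipe line in the `$(fcsort)` hunk turns a labeling side effect into a hard build failure: chcon exits non-zero, and make then aborts the target, whenever the context cannot be applied, which happens on a host with SELinux disabled, on a filesystem without xattr support, or under a loaded policy that does not accept the hard-coded `bin_t:s0` (no `bin_t`, or no MLS/MCS field), which is precisely the home-directory build case raised in the reply. If any relabeling is kept it should at least be non-fatal (`-chcon ...` or `|| true`), refer to the target as `$@` rather than re-spelling it as `$(tmpdir)/fc_sort`, and carry the same `$(verbose)` prefix as the compile line directly above it; given the maintainer's objection to labeling inside non-labeling targets, the cleaner change is to drop the line and leave labeling to the file_contexts.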