From: guido@trentalancia.net (guido guido)
Date: Sat, 13 Aug 2016 18:40:08 +0200 (CEST)
Subject: [refpolicy] [PATCH v2] fc_sort must be explicitly labeled as executable upon creation
In-Reply-To: <1860468357.5602.1471104524357.JavaMail.open-xchange@popper04.register.it>
References: <1470669970.10405.3.camel@trentalancia.net> <1471092620.21480.3.camel@trentalancia.net> <41868e4e-b084-eae3-80c0-a3fe4cf2fc26@ieee.org> <1860468357.5602.1471104524357.JavaMail.open-xchange@popper04.register.it>
Message-ID: <320702058.5693.1471106408231.JavaMail.open-xchange@popper04.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Install the fc_sort executable system-wide during the make target "install-src" (i.e. prior to make "policy") to avoid execution denials, due to misplaced generic non-executable default file labels, if the Reference Policy is installed in system-wide directories such as /usr/src.

Signed-off-by: Guido Trentalancia
---
Makefile | 4 +++-
Rules.modular | 4 ++--
Rules.monolithic | 4 ++--
3 files changed, 7 insertions(+), 5 deletions(-)
--- refpolicy-git-06082016-orig/Makefile	2016-08-06 21:26:43.257773849 +0200
+++ refpolicy-git-06082016/Makefile	2016-08-13 18:31:37.005598127 +0200
@@ -99,6 +99,7 @@ gendoc := $(PYTHON) -E $(support)/sedoct
 genperm := $(PYTHON) -E $(support)/genclassperms.py
 policyvers := $(PYTHON) -E $(support)/policyvers.py
 fcsort := $(tmpdir)/fc_sort
+fcsortexe := $(BINDIR)/fc_sort
 setbools := $(AWK) -f $(support)/set_bools_tuns.awk
 get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed
 comment_move_decl := $(SED) -r -f $(support)/comment_move_decl.sed
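Review bot: The new `fcsortexe` definition is placed among the tool-invocation variables (`gendoc`, `genperm`, `fcsort`, …) but is a different kind of thing: an absolute install destination that nothing in this tree builds, while `fcsort` next to it is the in-tree product. A short comment would keep the next reader from treating the two as interchangeable, e.g. `# fc_sort as installed under $(BINDIR) by install-src; $(fcsort) is the in-tree copy`. Whether `BINDIR` is defined earlier in this Makefile cannot be seen from the hunk; if it is not, the value degrades to a bare `/fc_sort`.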
@@ -547,11 +548,12 @@ install-docs: $(tmpdir)/html
 #
 # Install policy sources
 #
-install-src:
+install-src: $(fcsort)
 	rm -rf $(srcpath)/policy.old
 	-mv $(srcpath)/policy $(srcpath)/policy.old
 	mkdir -p $(srcpath)/policy
 	cp -R . $(srcpath)/policy
+	install tmp/fc_sort $(fcsortexe)
 
 ########################################
 #
--- refpolicy-git-06082016-orig/Rules.modular	2016-08-06 21:26:43.257773849 +0200
+++ refpolicy-git-06082016/Rules.modular	2016-08-13 18:32:09.211057621 +0200
@@ -174,8 +174,8 @@ $(tmpdir)/only_te_rules.conf: $(tmpdir)/
 #
 # Construct a base.fc
 #
-$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(fcsort)
-	$(verbose) $(fcsort) $< $@
+$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(fcsortexe)
+	$(verbose) $(fcsortexe) $< $@
 
 $(tmpdir)/$(notdir $(base_fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(base_fc_files)
 ifeq ($(base_fc_files),)
--- refpolicy-git-06082016-orig/Rules.monolithic	2016-08-06 21:26:43.258773860 +0200
+++ refpolicy-git-06082016/Rules.monolithic	2016-08-13 18:32:40.188493779 +0200
@@ -168,8 +168,8 @@ enableaudit: $(policy_conf)
 #
 # Construct file_contexts
 #
-$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort)
-	$(verbose) $(fcsort) $< $@
+$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsortexe)
+	$(verbose) $(fcsortexe) $< $@
 	$(verbose) $(GREP) -e HOME -e ROLE -e USER $@ > $(homedir_template)
 	$(verbose) $(SED) -i -e /HOME/d -e /ROLE/d -e /USER/d $@
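Review bot: The added `install tmp/fc_sort $(fcsortexe)` line hard-codes `tmp/` even though the prerequisite it was just given is `$(fcsort)`, defined as `$(tmpdir)/fc_sort`; anyone overriding `tmpdir` gets a prerequisite that builds in one place and an install that reads from another, so use the automatic variable: `install -m 0755 $< $(fcsortexe)`. The destination also has no `$(DESTDIR)` prefix, so if the other install targets in this file are staged through `DESTDIR` (not visible in the hunk, please confirm) this one line will escape the staging root and write into the live `$(BINDIR)`, and it will fail outright if that directory does not exist yet — `install -D -m 0755 $< $(DESTDIR)$(fcsortexe)` covers both. Nothing in the recipe sets a file context itself; the commit relies on `install` creating a fresh file under `$(BINDIR)` and inheriting that directory's default label, which is worth stating in a comment above the line since the subject line suggests an explicit relabel.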
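Review bot: Replacing the `$(fcsort)` prerequisite of `$(base_fc)` with `$(fcsortexe)` makes the policy build depend on a file outside the tree that no rule in this patch produces, so a plain `make` in a checkout that has never been through `install-src` stops with "No rule to make target '$(BINDIR)/fc_sort'" instead of compiling the in-tree sorter as it did before; the Rules.monolithic hunk has the identical problem for `$(fc)`. Keeping the in-tree binary as the prerequisite and choosing the executable at recipe time preserves both flows: `$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(fcsort)` with recipe `$(verbose) $(if $(wildcard $(fcsortexe)),$(fcsortexe),$(fcsort)) $< $@`. Note too that with the patched rule the sorter actually used is whichever copy the last `install-src` left in `$(BINDIR)`, which may lag the tree's own source of fc_sort; a one-line comment above the rule should say that the installed copy takes precedence and why.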