From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 14 Aug 2016 14:17:06 -0400
Subject: [refpolicy] [PATCH v2] fc_sort must be explicitly labeled as executable upon creation
In-Reply-To: <320702058.5693.1471106408231.JavaMail.open-xchange@popper04.register.it>
References: <1470669970.10405.3.camel@trentalancia.net> <1471092620.21480.3.camel@trentalancia.net> <41868e4e-b084-eae3-80c0-a3fe4cf2fc26@ieee.org> <1860468357.5602.1471104524357.JavaMail.open-xchange@popper04.register.it> <320702058.5693.1471106408231.JavaMail.open-xchange@popper04.register.it>
Message-ID: <0c156195-1f44-74c7-0283-9223eb116443@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 08/13/16 12:40, guido guido wrote:
> Install the fc_sort executable system-wide during the make target
> "install-src" (i.e. prior to make "policy") to avoid execution denials,
> due to misplaced generic non-executable default file labels, if the
> Reference Policy is installed in system-wide directories such as
> /usr/src.
I suspect that this will break the case where one simply clones the repo or unpacks a release and simply tries to build it wherever it is, especially if they can't or don't want to run the install-src target.
> Signed-off-by: Guido Trentalancia
> ---
> Makefile | 4 +++-
> Rules.modular | 4 ++--
> Rules.monolithic | 4 ++--
> 3 files changed, 7 insertions(+), 5 deletions(-)
>
> --- refpolicy-git-06082016-orig/Makefile 2016-08-06 21:26:43.257773849 +0200
> +++ refpolicy-git-06082016/Makefile 2016-08-13 18:31:37.005598127 +0200
> @@ -99,6 +99,7 @@ gendoc := $(PYTHON) -E $(support)/sedoct
> genperm := $(PYTHON) -E $(support)/genclassperms.py
> policyvers := $(PYTHON) -E $(support)/policyvers.py
> fcsort := $(tmpdir)/fc_sort
> +fcsortexe := $(BINDIR)/fc_sort
> setbools := $(AWK) -f $(support)/set_bools_tuns.awk
> get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed
> comment_move_decl := $(SED) -r -f $(support)/comment_move_decl.sed
> @@ -547,11 +548,12 @@ install-docs: $(tmpdir)/html
> #
> # Install policy sources
> #
> -install-src:
> +install-src: $(fcsort)
> rm -rf $(srcpath)/policy.old
> -mv $(srcpath)/policy $(srcpath)/policy.old
> mkdir -p $(srcpath)/policy
> cp -R . $(srcpath)/policy
> + install tmp/fc_sort $(fcsortexe)
>
> ########################################
> #
> --- refpolicy-git-06082016-orig/Rules.modular 2016-08-06 21:26:43.257773849
> +0200
> +++ refpolicy-git-06082016/Rules.modular 2016-08-13 18:32:09.211057621 +0200
> @@ -174,8 +174,8 @@ $(tmpdir)/only_te_rules.conf: $(tmpdir)/
> #
> # Construct a base.fc
> #
> -$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(fcsort)
> - $(verbose) $(fcsort) $< $@
> +$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(fcsortexe)
> + $(verbose) $(fcsortexe) $< $@
>
> $(tmpdir)/$(notdir $(base_fc)).tmp: $(m4support)
> $(tmpdir)/generated_definitions.conf $(base_fc_files)
> ifeq ($(base_fc_files),)
> --- refpolicy-git-06082016-orig/Rules.monolithic 2016-08-06 21:26:43.258773860
> +0200
> +++ refpolicy-git-06082016/Rules.monolithic 2016-08-13 18:32:40.188493779 +0200
> @@ -168,8 +168,8 @@ enableaudit: $(policy_conf)
> #
> # Construct file_contexts
> #
> -$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort)
> - $(verbose) $(fcsort) $< $@
> +$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsortexe)
> + $(verbose) $(fcsortexe) $< $@
> $(verbose) $(GREP) -e HOME -e ROLE -e USER $@ > $(homedir_template)
> $(verbose) $(SED) -i -e /HOME/d -e /ROLE/d -e /USER/d $@
>
-- Chris PeBenito
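Review bot: The added recipe line `install tmp/fc_sort $(fcsortexe)` in the install-src hunk hard-codes `tmp/fc_sort`, although the new prerequisite is `$(fcsort)`, which the first Makefile hunk defines as `$(tmpdir)/fc_sort`. If `tmpdir` is ever something other than `tmp`, the rule builds one file and installs another, or fails. The line also relies on `install`'s default mode and on the destination directory already existing. I would write it as `install -m 0755 $(fcsort) $(fcsortexe)`. Whether `BINDIR` honours `$(DESTDIR)` is not visible in the quoted lines and should be confirmed, since otherwise a staged install would place a binary on the live system's path that later policy builds execute.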
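Review bot: In the Rules.modular hunk `$(fcsortexe)` becomes both the prerequisite and the command that sorts base.fc, yet no rule on the quoted lines builds it or ties it to `$(fcsort)`. The build therefore runs whatever file already sits at `$(BINDIR)/fc_sort`, which may be a stale copy from an earlier install-src or a binary not built from this tree, and make will not rebuild it when the fc_sort source changes. The `$(fc)` rule in the Rules.monolithic hunk makes the same substitution. Because the sorted output becomes the installed file contexts, I would at least add a comment above both rules, `# $(fcsortexe) is the copy installed by install-src, not the freshly built $(fcsort); re-run install-src after changing fc_sort`, and consider comparing the installed copy against `$(fcsort)` before using it. Both rules sit in files that continue outside the quoted hunks.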