From: russell@coker.com.au (Russell Coker)
Date: Tue, 4 Apr 2017 18:13:02 +1000
Subject: [refpolicy] [PATCH] misc fc changes
In-Reply-To: <20170404080803.GF10685@t450.enp8s0.d30>
References: <20170402085805.2zlddx2evzcgxgop@athena.coker.com.au> <201704041800.33260.russell@coker.com.au> <20170404080803.GF10685@t450.enp8s0.d30>
Message-ID: <201704041813.02439.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 4 Apr 2017 06:08:03 PM Dominick Grift via refpolicy wrote:
> > > That looks like it might be redundant or that there is some other spec
> > > that should probably ideally be more specific for this location
> >
> > # restorecon -R -v /usr/lib/postfix/
> > Relabeled /usr/lib/postfix/libpostfix-dns.so from
> > system_u:object_r:lib_t:s0 to system_u:object_r:postfix_exec_t:s0
> > Relabeled /usr/lib/postfix/libpostfix-global.so from
> > system_u:object_r:lib_t:s0 to system_u:object_r:postfix_exec_t:s0
> > Relabeled /usr/lib/postfix/libpostfix-master.so from
> > system_u:object_r:lib_t:s0 to system_u:object_r:postfix_exec_t:s0
> > Relabeled /usr/lib/postfix/libpostfix-tls.so from
> > system_u:object_r:lib_t:s0 to system_u:object_r:postfix_exec_t:s0
> > Relabeled /usr/lib/postfix/libpostfix-util.so from
> > system_u:object_r:lib_t:s0 to system_u:object_r:postfix_exec_t:s0
>
> Then maybe that postfix_exec_t context spec could be more specific to not
> include libraries?

There's a heap of programs under that tree that should have postfix_exec_t.
But if you can devise a regex that matches them then please submit it.

> if like of strange to have a lib_t base type for /usr/lib and to then have
> to specify lib_t for some individual lib file

Not really. Having one context for the default files in a directory and
another for exceptions is common.

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
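
Added example, not part of the original message and not refpolicy code: a small model of the "directory default plus exception" layout discussed above, showing why the libraries end up as postfix_exec_t without an exception spec. The three patterns, the `sbin/smtpd` path and the ordering rule (literal specs first, then longer literal stem, then longer pattern) are assumptions made for this illustration, not the specs from the patch.

```python
import re

META = set(".^$?*+|[({")  # characters treated as regex metacharacters

# Constructed specs for illustration only (pattern, type).
SPECS = [
    ("/usr/lib(/.*)?", "lib_t"),                 # base type for the tree
    ("/usr/lib/postfix/.*", "postfix_exec_t"),   # broad default for postfix
    (r"/usr/lib/postfix/lib.*\.so", "lib_t"),    # exception for libraries
]

def specificity(pattern):
    """Sort key: (has no metacharacters, literal stem length, pattern length)."""
    stem, i, has_meta = 0, 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 1              # the escaped character counts as literal
        elif ch in META:
            has_meta = True
            break
        stem += 1
        i += 1
    return (not has_meta, stem, len(pattern))

def label_for(path, specs=SPECS):
    """Return the type of the most specific spec that fully matches path."""
    hits = [(specificity(p), t) for p, t in specs if re.fullmatch(p, path)]
    return max(hits)[1] if hits else None

if __name__ == "__main__":
    lib = "/usr/lib/postfix/libpostfix-dns.so"
    print("without exception:", label_for(lib, SPECS[:2]))
    print("with exception:   ", label_for(lib))
    print("program:          ", label_for("/usr/lib/postfix/sbin/smtpd"))
```
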