commit:     8f10b1934102c4c9b5f683dfe2d186e4133ec33e
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Mon Apr 14 21:15:07 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 21 15:19:52 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8f10b193

Label /usr/lib/getconf as bin_t

On ArchLinux, the glibc package installs /usr/bin/getconf as a hard link to a file
in /usr/lib/getconf/.  For example, on an x86_64 machine:

    $ ls -i -l /usr/bin/getconf /usr/lib/getconf/XBS5_LP64_OFF64
    5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/bin/getconf
    5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/lib/getconf/XBS5_LP64_OFF64

Such a configuration produces an instability when labeling the files with
"restorecon -Rv /":

    restorecon reset /usr/bin/getconf context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:bin_t:s0
    restorecon reset /usr/lib/getconf/XBS5_LP64_OFF64 context unconfined_u:object_r:bin_t:s0->unconfined_u:object_r:lib_t:s0

As the /usr/lib/getconf directory only contains executable programs, this issue is
fixed by labeling this directory and its content "bin_t".
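As an added check that is not part of this commit or of refpolicy: a script that groups hard-linked paths by inode and reports the inodes whose paths would be typed differently by a file-context ruleset, which is exactly the condition behind the restorecon flip-flop above. The `.fc` excerpt, the hard-link table and the "longest literal stem wins" rule ordering are constructed simplifications, not libselinux's real matching logic or the real corecommands.fc.

```python
import re
from collections import defaultdict

# Constructed .fc excerpt (assumed, not refpolicy's real corecommands.fc): a
# catch-all lib_t rule, a bin_t rule for /usr/bin, then the entry this commit adds.
FC_BEFORE = """\
/usr/lib(/.*)?          gen_context(system_u:object_r:lib_t,s0)
/usr/bin/.*     --      gen_context(system_u:object_r:bin_t,s0)
"""
FC_AFTER = FC_BEFORE + "/usr/lib/getconf(/.*)?  gen_context(system_u:object_r:bin_t,s0)\n"
# Constructed hard-link table, shaped like `find / -links +1 -printf '%i %p\n'` output.
LINKS = "5900355 /usr/bin/getconf\n5900355 /usr/lib/getconf/XBS5_LP64_OFF64\n"

RULE_RE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?gen_context\(([^,]+),\S+\)$")
META = re.compile(r"[.*?+()\[\]|\\^$]")  # first regex metachar ends the literal stem

def parse_fc(text):
    """Return (compiled regex, file-type specifier or None, type, literal stem) tuples."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        regex, ftype, ctx = m.groups()
        rules.append((re.compile("^" + regex + "$"), ftype, ctx.split(":")[2],
                      META.split(regex, 1)[0]))
    return rules

def match_type(rules, path, ftype="--"):
    # Assumed simplification of libselinux ordering: the matching rule with the
    # longest literal stem wins; among equal stems the later rule wins.
    best = None
    for rx, rtype, t, stem in rules:
        if rtype in (None, ftype) and rx.match(path) and (best is None or len(stem) >= best[0]):
            best = (len(stem), t)
    return best[1] if best else None

def hardlink_conflicts(rules, links_text):
    """Return {inode: {path: type}} for inodes whose hard links would be typed differently."""
    by_inode = defaultdict(list)
    for line in links_text.splitlines():
        ino, path = line.split(maxsplit=1)
        by_inode[ino].append(path)
    conflicts = {}
    for ino, paths in by_inode.items():
        labels = {p: match_type(rules, p) for p in paths}
        if len(set(labels.values())) > 1:
            conflicts[ino] = labels
    return conflicts
```

Run against a real system, `parse_fc` would read the compiled file_contexts and `LINKS` would come from `find / -links +1 -printf '%i %p\n'`; any inode reported is one that consecutive `restorecon -R` runs will keep relabelling.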

---
 policy/modules/kernel/corecommands.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index d1ad47f..9b4388e 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -217,6 +217,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/cyrus-imapd/.*                --      
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dpkg/.+               --      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/emacsen-common/.*             gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/getconf(/.*)?                 gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gimp/.*/plug-ins(/.*)?                
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/git-core/git-shell    --      
gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/lib/git-core(/.*)         --      gen_context(system_u:object_r:bin_t,s0)
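Review bot: confirm that the new `/usr/lib/getconf(/.*)?` line lands in the distribution-independent part of the file and not inside the `ifdef(`distro_gentoo',`` block the hunk header shows as the nearest enclosing context, since the motivation is Arch Linux's glibc layout and the hard-link flip-flop applies on any distribution installing getconf that way. The entry itself looks right: omitting a `--` specifier, unlike the neighbouring `/usr/lib/dpkg/.+ --` line, means the `/usr/lib/getconf` directory gets `bin_t` along with its contents, as the message says, and the entry keeps the file's alphabetical order between `emacsen-common` and `gimp`.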
