On Wed, 2007-04-04 at 23:27 +0200, Jan-Frode Myklebust wrote:

> I have some sw that installs itself to /opt/whatever/libxyz.so
> and not /opt/whatever/lib/libxyz.so, and these library files
> are then getting the system_u:object_r:usr_t security context,
> I assume this is because the files are not on a /lib/ directory.
>
> setroubleshoot suggests running:
>
> chcon -t textrel_shlib_t /opt/whatever/libxyz.so
>
> on these files, but I'm concerned I will lose this at the
> next relabel.
>
> So, what's the procedure for adding own labelling rules? Can
> I add them directly to /etc/selinux/targeted/contexts/files/file_contexts,
> or should I create a separate file for these?
You can create local file context definitions via semanage, e.g.

/usr/sbin/semanage fcontext -a -t textrel_shlib_t "/opt/whatever/lib.*\.so.*"

and then run restorecon -R on the directory to apply the context to those files. Those definitions are stored separately (in file_contexts.local) and will be preserved across updates.

> And, I see files under /usr/lib/ are lib_t, not textrel_shlib_t.
> Is textrel_shlib_t a subset of lib_t, and maybe lib_t what I
> should be using?

textrel_shlib_t should only be used for objects that require text relocations. shlib_t (an alias for lib_t, at least under targeted policy) is for normal shared libraries. setroubleshoot presumably saw an execmod denial on the object and is thus recommending textrel_shlib_t for it.

See:
http://people.redhat.com/drepper/textrelocs.html
http://people.redhat.com/drepper/selinux-mem.html

--
Stephen Smalley
National Security Agency
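As an added illustration of the point made in the reply (not code from the thread), the script below picks lib_t unless the object's dynamic section actually carries a TEXTREL entry, and builds the semanage command from the thread for the chosen type. The helper names and the sample readelf output are my own constructions.

```shell
#!/bin/sh
# Choose between lib_t and textrel_shlib_t for a shared object by checking
# whether `readelf -d` reports text relocations (a TEXTREL dynamic entry or
# the TEXTREL bit in FLAGS). Helper names are hypothetical, not from the thread.

# needs_textrel DYNAMIC_SECTION_TEXT -> exit status 0 if TEXTREL is present
needs_textrel() {
    printf '%s\n' "$1" | grep -Eq '\(TEXTREL\)|\(FLAGS\).*TEXTREL'
}

# label_for DYNAMIC_SECTION_TEXT -> prints the SELinux type to apply
label_for() {
    if needs_textrel "$1"; then
        echo textrel_shlib_t
    else
        echo lib_t
    fi
}

# local_fcontext_cmd TYPE PATTERN -> prints the persistent semanage rule
# (same form as in the reply; stored in file_contexts.local, survives relabels)
local_fcontext_cmd() {
    printf 'semanage fcontext -a -t %s "%s"\n' "$1" "$2"
}

# Constructed sample dynamic-section output, as `readelf -d libxyz.so` prints it
SAMPLE_WITH_TEXTREL='0x0000000000000016 (TEXTREL)            0x0
0x000000000000001e (FLAGS)              TEXTREL BIND_NOW'
SAMPLE_CLEAN='0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
0x000000000000000e (SONAME)             Library soname: [libxyz.so]'

# On a real host you would run, for lib=/opt/whatever/libxyz.so:
#   t=$(label_for "$(readelf -d "$lib")")
#   semanage fcontext -a -t "$t" '/opt/whatever/lib.*\.so.*'
#   matchpathcon "$lib"            # confirm the pattern matches before relabeling
#   restorecon -Rv /opt/whatever   # apply the stored context to the files
```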
