Stephen Smalley wrote:
On Wed, 2007-04-04 at 23:27 +0200, Jan-Frode Myklebust wrote:
I have some sw that installs itself to /opt/whatever/libxyz.so
and not /opt/whatever/lib/libxyz.so, and these library files
are then getting the system_u:object_r:usr_t security context,
I assume this is because the files are not on a /lib/ directory.
setroubleshoot suggests running:
chcon -t textrel_shlib_t /opt/whatever/libxyz.so
on these files, but I'm concerned I will lose this at the
next relabel.
So, what's the procedure for adding my own labelling rules? Can
I add them directly to /etc/selinux/targeted/contexts/files/file_contexts,
or should I create a separate file for these?
You can create local file context definitions via semanage, e.g.
/usr/sbin/semanage fcontext -a -t textrel_shlib_t "/opt/whatever/lib.*\.so.*"
and then run restorecon -R on the directory to apply the context to those files.
Those definitions are stored separately (in file_contexts.local) and
will be preserved across updates.
Is there a way to discover what shared objects might be mislabeled other
than simply running the application and looking for errors?
I just encountered this with Matlab. I was thinking that I would just
add the chcon command to fix the offending .so files in an RPM %post
clause. Or I could create a file_contexts.local and do it that way, but
this could get hairy with a dozen or more commercial applications.
I see that /etc/selinux/targeted/contexts/files contains several
application specific contexts, ex:
/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- system_u:object_r:textrel_shlib_t:s0
/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- system_u:object_r:textrel_shlib_t:s0
If I'm reading these correctly, these contexts are simply labeling every
.so under a certain path with the textrel_shlib_t type. Is this the way
to do it? It doesn't matter that files labeled with lib_t will change
to textrel_shlib_t as well, even when they may not need to be?
Stephen, thanks for the links. They are very enlightening.
And, I see files under /usr/lib/ are lib_t, not textrel_shlib_t.
Is textrel_shlib_t a subset of lib_t, and maybe lib_t is what I
should be using?
textrel_shlib_t should only be used for objects that require text
relocations. shlib_t (alias for lib_t, at least under targeted policy)
is for normal shared libraries. setroubleshoot presumably saw an
execmod denial on the object and is thus recommending textrel_shlib_t
for it. See:
http://people.redhat.com/drepper/textrelocs.html
http://people.redhat.com/drepper/selinux-mem.html
--
John Dickerson
Engineering Computing Support Services
Iowa State University
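An added example, not from this thread or from any of its posters: a Python helper that addresses the question of how to find which objects really need textrel_shlib_t without running the application, by reading each object's ELF dynamic section for DT_TEXTREL or the DF_TEXTREL flag (what `readelf -d` reports as TEXTREL) and then emitting the per-file semanage fcontext rules plus the restorecon run Stephen describes. The directory and file names are hypothetical; it assumes little-endian ELF objects and that the printed semanage/restorecon commands are reviewed and run by the admin.

```python
import glob
import os
import re
import struct

DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 22, 30, 0x4
SHT_DYNAMIC = 6

def has_text_relocations(path):
    """True if the ELF object's dynamic section carries DT_TEXTREL or DF_TEXTREL,
    i.e. the loader must write to its text segment (execmod). LE ELF32/ELF64 only."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[5:6] != b"\x01":
        raise ValueError("not a little-endian ELF file: %s" % path)
    if data[4:5] == b"\x02":  # ELFCLASS64
        e_shoff, = struct.unpack_from("<Q", data, 0x28)
        e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
        sh_fmt, dyn_fmt = "<IIQQQQIIQQ", "<qQ"
    else:                     # ELFCLASS32
        e_shoff, = struct.unpack_from("<I", data, 0x20)
        e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x2E)
        sh_fmt, dyn_fmt = "<IIIIIIIIII", "<iI"
    for i in range(e_shnum):
        sh = struct.unpack_from(sh_fmt, data, e_shoff + i * e_shentsize)
        if sh[1] != SHT_DYNAMIC:  # sh_type
            continue
        off, size, step = sh[4], sh[5], struct.calcsize(dyn_fmt)  # sh_offset, sh_size
        for pos in range(off, off + size, step):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False

def selinux_type_for(path):
    """textrel_shlib_t only where text relocations are really needed; otherwise lib_t."""
    return "textrel_shlib_t" if has_text_relocations(path) else "lib_t"

def label_commands(libdir):
    """One persistent fcontext rule per object (lands in file_contexts.local, so it
    survives a relabel), then restorecon. libdir is a hypothetical path like /opt/whatever."""
    cmds = []
    for so in sorted(glob.glob(os.path.join(libdir, "*.so*"))):
        cmds.append('semanage fcontext -a -t %s "%s"' % (selinux_type_for(so), re.escape(so)))
    cmds.append("restorecon -R -v %s" % libdir)
    return cmds
```

Objects that are neither plain libraries nor text-relocated (e.g. ones that are also executed) still need a manual look; the helper only separates the two cases the thread discusses.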
_______________________________________________
rhelv5-list mailing list
https://www.redhat.com/mailman/listinfo/rhelv5-list