
localpolicy.fc settings not always honoured: msg#00089

Subject: localpolicy.fc settings not always honoured
For a personal requirement, I was trying to tweak SELinux strict sources
policy so that the OpenOffice main binary had a non-default label, i.e.
"soffice_exec_t".

I found that despite setting the file_context override in
localpolicy.fc, a restorecon kept flipping the file_context
back to bin_t, implying that the loaded policy had ignored my
localpolicy settings.

I eventually found that the settings in distros.fc appeared to be
overriding whatever I did, provided it had a regex match for the file in
question. In other words, "restorecon" used the file_context as set by
the last matching regex in
/etc/selinux/strict/contexts/files/file_contexts.

The implication is that the Makefile for the policy doesn't guarantee to
arrange things such that localpolicy.fc can always be
used to apply local policy overrides. I had always assumed this to be
the case.

On most occasions, localpolicy.fc will override. My problem here was
that distros.fc contains a "wilder" regex which happened to match the
file_context I was trying to tweak.

A grep of the relevant sections of localpolicy.fc and distros.fc is
shown below. I was finding that an override for this file:

/usr/lib/openoffice.org2.0/program/soffice

was matching this in distros.fc:

/usr/lib/.*/program(/.*)?


Could the Makefile be rearranged to ensure that local settings always
override the default policy, please?


Ted


Policy in use is:

selinux-policy-strict-sources-1.27.1-2.16


[root@workstation policy]# pwd
/etc/selinux/strict/src/policy

[root@workstation policy]#
[root@workstation policy]# grep program file_contexts/distros.fc
/usr/lib/.*/program(/.*)?                       system_u:object_r:bin_t
/usr/lib/.*/program/.*\.so.*                    system_u:object_r:shlib_t
/usr/lib/.*/program/libicudata\.so.*            --      system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libsts645li\.so             --      system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libvclplug_gen645li\.so     --      system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libwrp645li\.so             --      system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libswd680li\.so             --      system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/librecentfile\.so      --      system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libsvx680li\.so        --      system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so   --      system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libsoffice\.so         --      system_u:object_r:texrel_shlib_t
[root@workstation policy]#

[root@workstation policy]# grep program file_contexts/program/localpolicy.fc
#/usr/lib/openoffice.org2.0/program/libsoffice.so       --      system_u:object_r:texrel_shlib_t
/usr/lib/openoffice.org2.0/program/soffice      --      system_u:object_r:soffice_exec_t
/usr/lib/openoffice.org2.0/program/soffice.bin  --      system_u:object_r:soffice_exec_t
[root@workstation policy]#


[root@workstation files]# pwd
/etc/selinux/strict/contexts/files
[root@workstation files]# grep program file_contexts
# when the security policy is installed.  The setfiles program
# listed here anyway so that if the setfiles program is used on a running
# cvs program
#/usr/lib/openoffice.org2.0/program/libsoffice.so       --      system_u:object_r:texrel_shlib_t
/usr/lib/openoffice.org2.0/program/soffice      --      system_u:object_r:soffice_exec_t
/usr/lib/openoffice.org2.0/program/soffice.bin  --      system_u:object_r:soffice_exec_t
# rsync program
# sysstat and other sar programs
# Add programs here which should not be confined by SELinux
# Add programs here which should not be confined by SELinux
# uucico program
/usr/lib/.*/program(/.*)?                       system_u:object_r:bin_t
/usr/lib/.*/program/.*\.so.*                    system_u:object_r:shlib_t
/usr/lib/.*/program/libicudata\.so.*            --      system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libsts645li\.so             --      system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libvclplug_gen645li\.so     --      system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libwrp645li\.so             --      system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libswd680li\.so             --      system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/librecentfile\.so      --      system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libsvx680li\.so        --      system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so   --      system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libsoffice\.so         --      system_u:object_r:texrel_shlib_t
[root@workstation files]#




-- 
Ted Rule

Director, Layer3 Systems Ltd

W: http://www.layer3.co.uk/
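The behaviour Ted describes (setfiles/restorecon anchoring each file_contexts regex at both ends and letting the last matching entry win) can be reproduced offline with a small matcher. The following Python is an added example, not code from the post or from the SELinux policy tooling. It uses the entries shown in the greps above as constructed sample input: first in the order they appear in the installed file_contexts (local entries before the distros.fc entries, which is what produced bin_t), then with the local entries appended last, which is what a local-override mechanism needs. The matcher also lists every entry that matches a path, which is the check to run when a label keeps "flipping back": it shows which later, wider regex is shadowing the one you wrote.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Spec(NamedTuple):
    pattern: str              # regex as written in the .fc file
    regex: re.Pattern         # same regex, anchored at both ends like setfiles does
    ftype: Optional[str]      # "--" regular file, "-d" directory, ...; None = any type
    context: str              # security context to apply


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts-style lines: REGEX [FILETYPE] CONTEXT."""
    specs: List[Spec] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, ftype, context = fields
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        # setfiles treats every regex as if it were written ^REGEX$
        specs.append(Spec(pattern, re.compile("^" + pattern + "$"), ftype, context))
    return specs


def matching_specs(specs: List[Spec], path: str, ftype: str = "--") -> List[Tuple[int, Spec]]:
    """Every spec (with its position) that matches the path and file type, in file order."""
    hits = []
    for index, spec in enumerate(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.match(path):
            hits.append((index, spec))
    return hits


def lookup(specs: List[Spec], path: str, ftype: str = "--") -> Optional[str]:
    """Context that setfiles/restorecon would apply: the LAST matching spec wins."""
    hits = matching_specs(specs, path, ftype)
    return hits[-1][1].context if hits else None


# Constructed sample input, taken from the entries quoted in the post.
LOCAL_FC = """
/usr/lib/openoffice.org2.0/program/soffice      --      system_u:object_r:soffice_exec_t
/usr/lib/openoffice.org2.0/program/soffice.bin  --      system_u:object_r:soffice_exec_t
"""

DISTROS_FC = """
/usr/lib/.*/program(/.*)?                       system_u:object_r:bin_t
/usr/lib/.*/program/.*\\.so.*                    system_u:object_r:shlib_t
/usr/lib(64)?/.*/program/libsoffice\\.so         --      system_u:object_r:texrel_shlib_t
"""

SOFFICE = "/usr/lib/openoffice.org2.0/program/soffice"


def context_as_installed() -> Optional[str]:
    """Order seen in the installed file_contexts: local entries first, distros.fc after."""
    return lookup(parse_file_contexts(LOCAL_FC + DISTROS_FC), SOFFICE)


def context_with_local_last() -> Optional[str]:
    """Order a local-override mechanism needs: local entries appended last."""
    return lookup(parse_file_contexts(DISTROS_FC + LOCAL_FC), SOFFICE)


def shadowing_entries() -> List[str]:
    """Patterns that match soffice in the installed order; the last one is the winner."""
    specs = parse_file_contexts(LOCAL_FC + DISTROS_FC)
    return [spec.pattern for _, spec in matching_specs(specs, SOFFICE)]


if __name__ == "__main__":
    print("installed order   :", context_as_installed())
    print("local entries last:", context_with_local_last())
    for pattern in shadowing_entries():
        print("matches:", pattern)
```

Running it prints bin_t for the installed order and soffice_exec_t once the local entries come last; the match listing shows that the wide `/usr/lib/.*/program(/.*)?` entry is the one overriding the exact soffice path, which is exactly the diagnosis the greps above support.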


