Re: localpolicy.fc settings not always honoured: msg#00092
Subject: Re: localpolicy.fc settings not always honoured
Ted Rule wrote:
For a personal requirement, I was trying to tweak SELinux strict sources policy so that the OpenOffice main binary had a non-default label, i.e. "soffice_exec_t".

I found that despite setting the file_context override in localpolicy.fc, a restorecon kept flipping the file_context back to bin_t, implying that the loaded policy had ignored my localpolicy settings.

I eventually found that the settings in distros.fc appeared to be overriding whatever I did, provided it had a regex match for the file in question. In other words, "restorecon" used the file_context as set by the last matching regex in /etc/selinux/strict/contexts/files/file_contexts.

The implication is that the Makefile for the policy doesn't guarantee to arrange things such that localpolicy.fc can always be used to apply local policy overrides. I had always assumed this to be the case.

On most occasions, localpolicy.fc will override. My problem here was that distros.fc contains a "wilder" regex which happened to match the file_context I was trying to tweak.

A grep of the relevant sections of localpolicy.fc and distros.fc is shown below. I was finding that an override for this file:

/usr/lib/openoffice.org2.0/program/soffice

was matching this in distros.fc:

/usr/lib/.*/program(/.*)?

Could the Makefile be rearranged to ensure that local settings always override the default policy, please?
Ted
Policy in use is:
selinux-policy-strict-sources-1.27.1-2.16
[root@workstation policy]# pwd
/etc/selinux/strict/src/policy
[root@workstation policy]#
[root@workstation policy]# grep program file_contexts/distros.fc
/usr/lib/.*/program(/.*)?                              system_u:object_r:bin_t
/usr/lib/.*/program/.*\.so.*                           system_u:object_r:shlib_t
/usr/lib/.*/program/libicudata\.so.*               --  system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libsts645li\.so                --  system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libvclplug_gen645li\.so        --  system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libwrp645li\.so                --  system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libswd680li\.so                --  system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/librecentfile\.so         --  system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libsvx680li\.so           --  system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so      --  system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libsoffice\.so            --  system_u:object_r:texrel_shlib_t
[root@workstation policy]#
[root@workstation policy]# grep program file_contexts/program/localpolicy.fc
#/usr/lib/openoffice.org2.0/program/libsoffice.so  --  system_u:object_r:texrel_shlib_t
/usr/lib/openoffice.org2.0/program/soffice         --  system_u:object_r:soffice_exec_t
/usr/lib/openoffice.org2.0/program/soffice.bin     --  system_u:object_r:soffice_exec_t
[root@workstation policy]#
[root@workstation files]# pwd
/etc/selinux/strict/contexts/files
[root@workstation files]# grep program file_contexts
# when the security policy is installed. The setfiles program
# listed here anyway so that if the setfiles program is used on a running
# cvs program
#/usr/lib/openoffice.org2.0/program/libsoffice.so  --  system_u:object_r:texrel_shlib_t
/usr/lib/openoffice.org2.0/program/soffice         --  system_u:object_r:soffice_exec_t
/usr/lib/openoffice.org2.0/program/soffice.bin     --  system_u:object_r:soffice_exec_t
# rsync program
# sysstat and other sar programs
# Add programs here which should not be confined by SELinux
# Add programs here which should not be confined by SELinux
# uucico program
/usr/lib/.*/program(/.*)?                              system_u:object_r:bin_t
/usr/lib/.*/program/.*\.so.*                           system_u:object_r:shlib_t
/usr/lib/.*/program/libicudata\.so.*               --  system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libsts645li\.so                --  system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libvclplug_gen645li\.so        --  system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libwrp645li\.so                --  system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libswd680li\.so                --  system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/librecentfile\.so         --  system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libsvx680li\.so           --  system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so      --  system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libsoffice\.so            --  system_u:object_r:texrel_shlib_t
[root@workstation files]#
The Makefile reassembles /etc/selinux/strict/contexts/files/file_contexts and should put your change after the distro one.
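The point at issue in this thread, that the position of an entry inside the assembled file_contexts decides which label a binary gets, and therefore which domain it runs in, can be checked without a policy rebuild. The script below is an added example for this page; it is not code from the list post, from the SELinux policy package or from libselinux. It implements only the rule the post describes (the last entry in file_contexts whose regex matches wins, subject to the optional object-type field), using the soffice and distros.fc entries quoted above as constructed sample data; the names Spec, parse_file_contexts, matching_entries, lookup, assemble, label_as_assembled and label_local_last are this example's own, and the directory lookup near the end is a hypothetical case added to show the effect of the "--" field.

```python
"""Model of how setfiles/restorecon pick a label from file_contexts.

Added example for this thread, not code from the list post or from the
SELinux policy package.  It implements the rule the post describes (the
LAST matching entry in file_contexts wins), so the order in which the policy
Makefile concatenates distros.fc and localpolicy.fc decides whether a local
override is honoured.  Sample entries are copied from the post; the names
Spec, parse_file_contexts, lookup, assemble etc. are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Optional second field of an entry restricts it to one object type
# (see file_contexts(5)); an entry without it applies to every object type.
FILE_TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-b": "block",
                   "-c": "char", "-p": "fifo", "-s": "socket"}


@dataclass
class Spec:
    pattern: str
    regex: "re.Pattern"
    file_type: Optional[str]   # None means "any object type"
    context: str               # user:role:type or <<none>>
    source: str                # .fc fragment the line came from


def parse_file_contexts(text: str, source: str) -> List[Spec]:
    """Parse 'regex [type] context' lines; '#' comments and blank lines are skipped."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3 and fields[1] in FILE_TYPE_FLAGS:
            pattern, ftype, context = fields
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None
        else:
            raise ValueError("malformed file_contexts entry: %r" % raw)
        # setfiles anchors every regex at both ends; fullmatch() below does the same.
        specs.append(Spec(pattern, re.compile(pattern), ftype, context, source))
    return specs


def matching_entries(specs: List[Spec], path: str, kind: str = "file") -> List[Spec]:
    """Every entry whose regex and object-type filter accept `path`, in file order."""
    return [s for s in specs
            if (s.file_type is None or FILE_TYPE_FLAGS[s.file_type] == kind)
            and s.regex.fullmatch(path)]


def lookup(specs: List[Spec], path: str, kind: str = "file") -> Tuple[Optional[str], Optional[Spec]]:
    """Label chosen for `path`: of all matching entries, the last one in the file wins."""
    hits = matching_entries(specs, path, kind)
    if not hits:
        return None, None
    return hits[-1].context, hits[-1]


def assemble(order: List[Tuple[str, str]]) -> List[Spec]:
    """Concatenate .fc fragments the way the policy Makefile does, in the given order."""
    specs = []
    for name, text in order:
        specs.extend(parse_file_contexts(text, name))
    return specs


# Constructed sample data: entries copied from the post (regexes and contexts verbatim).
LOCALPOLICY_FC = r"""
/usr/lib/openoffice.org2.0/program/soffice      --  system_u:object_r:soffice_exec_t
/usr/lib/openoffice.org2.0/program/soffice.bin  --  system_u:object_r:soffice_exec_t
"""
DISTROS_FC = r"""
/usr/lib/.*/program(/.*)?                           system_u:object_r:bin_t
/usr/lib/.*/program/.*\.so.*                        system_u:object_r:shlib_t
/usr/lib(64)?/.*/program/libsoffice\.so         --  system_u:object_r:texrel_shlib_t
"""

SOFFICE = "/usr/lib/openoffice.org2.0/program/soffice"


def label_as_assembled(path: str = SOFFICE, kind: str = "file") -> Optional[str]:
    """Order the post's grep of the assembled file shows: local lines first, distros last."""
    specs = assemble([("localpolicy.fc", LOCALPOLICY_FC), ("distros.fc", DISTROS_FC)])
    return lookup(specs, path, kind)[0]


def label_local_last(path: str = SOFFICE, kind: str = "file") -> Optional[str]:
    """Order the reply says the Makefile should produce: local fragment appended last."""
    specs = assemble([("distros.fc", DISTROS_FC), ("localpolicy.fc", LOCALPOLICY_FC)])
    return lookup(specs, path, kind)[0]


if __name__ == "__main__":
    specs = assemble([("localpolicy.fc", LOCALPOLICY_FC), ("distros.fc", DISTROS_FC)])
    for s in matching_entries(specs, SOFFICE):        # show every competing entry
        print("%-15s %-45s %s" % (s.source, s.pattern, s.context))
    print("as assembled:", label_as_assembled())
    print("local last:  ", label_local_last())
```

With the fragments in the order the post's grep of the assembled file shows, the distros.fc wildcard is the last match for the soffice binary and the lookup yields bin_t, which is exactly what restorecon was doing; appending localpolicy.fc after distros.fc makes the soffice_exec_t entry the last match. The matching_entries() listing is the part worth keeping around: matchpathcon and restorecon only report the winner, and a wider-than-intended regex in a distro fragment is easiest to spot by printing everything that competes for the path.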