From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1398093592.8f10b1934102c4c9b5f683dfe2d186e4133ec33e.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/kernel/corecommands.fc
X-VCS-Directories: policy/modules/kernel/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 8f10b1934102c4c9b5f683dfe2d186e4133ec33e
X-VCS-Branch: master
Date: Mon, 21 Apr 2014 15:25:17 +0000 (UTC)

commit:     8f10b1934102c4c9b5f683dfe2d186e4133ec33e
Author:     Nicolas Iooss m4x org>
AuthorDate: Mon Apr 14 21:15:07 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Mon Apr 21 15:19:52 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8f10b193

Label /usr/lib/getconf as bin_t

On ArchLinux, the glibc package installs /usr/bin/getconf as a hard link to a file in /usr/lib/getconf/. For example, on an x86_64 machine:

    $ ls -i -l /usr/bin/getconf /usr/lib/getconf/XBS5_LP64_OFF64
    5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/bin/getconf
    5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/lib/getconf/XBS5_LP64_OFF64

Such a configuration produces an instability when labeling the files with "restorecon -Rv /":

    restorecon reset /usr/bin/getconf context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:bin_t:s0
    restorecon reset /usr/lib/getconf/XBS5_LP64_OFF64 context unconfined_u:object_r:bin_t:s0->unconfined_u:object_r:lib_t:s0

As the /usr/lib/getconf directory only contains executable programs, this issue is fixed by labeling this directory and its content "bin_t".

---
 policy/modules/kernel/corecommands.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index d1ad47f..9b4388e 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -217,6 +217,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/getconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/lib/git-core(/.*) -- gen_context(system_u:object_r:bin_t,s0)
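Review bot: the added "/usr/lib/getconf(/.*)?" entry carries no file-type flag, so it labels the directory itself and anything later placed under it bin_t, while the neighbouring cyrus-imapd and dpkg entries restrict themselves to regular files with "--". That is consistent with the stated intent (directory and content as bin_t because everything in it is an executable), and it is what stops the restorecon flapping: the fix holds only while every name of the shared inode, here /usr/bin/getconf and /usr/lib/getconf/XBS5_LP64_OFF64, resolves to the same type, so a one-line comment next to the entry recording the hard-link reason would keep a future editor from narrowing it back to "--" and reintroducing the conflict. The hunk header's "ifdef(`distro_gentoo',`" context also warrants confirming that the line sits in the distribution-neutral /usr/lib block rather than inside a Gentoo-only conditional, since the motivating case is ArchLinux.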
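As an added illustration of the labeling conflict the commit message describes (this is not code from the commit or from refpolicy), the following Python resolves each hard-linked name of an inode against a small constructed set of corecommands.fc-style specifications and reports inodes whose names would receive different types. The precedence rule is a simplification of libselinux's ordering, and the /usr/bin and /usr/lib rules are assumed stand-ins for the generic refpolicy ones.

```python
import re
# Constructed, abbreviated file-context specs in corecommands.fc style (regex,
# optional file-type flag, context). The /usr/bin and /usr/lib rules stand in
# for the generic refpolicy ones; GETCONF_FIX is the line the commit adds.
BASE_SPECS = """
/usr/bin(/.*)?                 gen_context(system_u:object_r:bin_t,s0)
/usr/lib(/.*)?                 gen_context(system_u:object_r:lib_t,s0)
/usr/lib/cyrus-imapd/.*   --   gen_context(system_u:object_r:bin_t,s0)
"""
GETCONF_FIX = "/usr/lib/getconf(/.*)?  gen_context(system_u:object_r:bin_t,s0)\n"
# Two names for one inode, as in the ls -i output of the commit message.
HARDLINKS = {5900355: ["/usr/bin/getconf", "/usr/lib/getconf/XBS5_LP64_OFF64"]}
SPEC_RE = re.compile(r"^(\S+)\s+(?:(--|-d|-l|-c|-b|-s|-p)\s+)?gen_context\(([^,]+),\S*\)$")

def parse_specs(text):
    """Return (compiled regex, file-type flag, SELinux type) in definition order."""
    specs = []
    for line in filter(str.strip, text.splitlines()):
        m = SPEC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable spec: {line}")
        regex, ftype, ctx = m.groups()
        specs.append((re.compile(regex + "$"), ftype, ctx.split(":")[2]))
    return specs

def literal_prefix(pattern):
    """Length of the leading metacharacter-free part of a regex (its stem)."""
    return len(re.match(r"[^.^$*+?()\[\]{}|\\]*", pattern).group(0))

def resolve(specs, path):
    """Type for a regular-file path. Longest literal prefix wins, later definitions
    break ties: a simplification of libselinux ordering, enough for this case."""
    best = None
    for order, (rx, ftype, ty) in enumerate(specs):
        if ftype not in (None, "--") or not rx.match(path):  # "--" = regular files
            continue
        key = (literal_prefix(rx.pattern), order)
        if best is None or key > best[0]:
            best = (key, ty)
    return best[1] if best else None

def hardlink_conflicts(specs, hardlinks):
    """Inodes whose hard-linked names resolve to different types (restorecon flaps)."""
    conflicts = {}
    for inode, paths in hardlinks.items():
        labels = {p: resolve(specs, p) for p in paths}
        if len(set(labels.values())) > 1:
            conflicts[inode] = labels
    return conflicts
```

Calling hardlink_conflicts(parse_specs(BASE_SPECS), HARDLINKS) reports the inode with one name as bin_t and the other as lib_t; appending GETCONF_FIX to the specs makes the report empty. The same check, fed real "ls -i" output and the installed file_contexts, would catch this class of flapping before a policy release.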