setting files attributes

Gene Czarcinski gene at czarc.net
Thu Apr 15 12:18:20 UTC 2004 

I had an experience yesterday which has given me pause for thought.  I was 
working with Dan Walsh to get the policy correct to run the X after the 
xorg-x11-* update which renamed a lot of things including 
/usr/X11R6/bin/XFree86 -> /usr/X11R6/bin/Xorg.  After installing the updated 
packages (which should be in development/rawhide later today), he informed me 
I needed to run the following:

restorecon /usr/bin/X11/Xorg
restorecon /var/log/Xorg*

and I dutifully did that.

Then I tried to do "telinit 5" with enforcing=1 again and, again, the X server 
startup failed.

After some looking around I came to realize the following:

The path specified makes a difference.  The full path specified in policy is 
/usr/X11R6/bin/Xorg where I was using /usr/bin/X11/Xorg.  The result of
   restorecon /usr/bin/X11/Xorg 
is
-rws--x--x+ root     root     system_u:object_r:bin_t    \      
/usr/bin/X11/Xorg

whereas the result of running
   restorecon /usr/X11R6/Xorg 
is
-rws--x--x+ root     root     system_u:object_r:xserver_exec_t 
/usr/bin/X11/Xorg

OK, besides sending this message to give folks some warning when they install 
the new xor-x11-* and the new policy (1.11.2-3 or later) is that I do not 
complete understand what is done when I do a system wide relabel.

What make -C /etc/security/selinux/src/policy/ relabel appears to do is to go 
through the all mounted filesystems and set the attributes depending on the 
rules it has.  The question is, does it follow symbolic links or not.  If it 
does not, then there should not be a problem as long as all of the policy 
rules always use the actual (non-symbolic-link) path AND make sure we do also 
if we do something manually.

However, I can see a problem occurring if it does follow symbolic links 
because the process likely occurs in sorted order.  Now /tmp is clears (or so 
it says and, I hope, that means /var/tmp/ also), so I should not be able to 
rename /usr/X11R6/bin/Xorg.  However, what if I had a symbolic link from my 
home directory to something in /etc.  Would that get mislabeled?

Gene

More information about the fedora-selinux-list mailing list