localpolicy.fc settings not always honoured

Daniel J Walsh dwalsh at redhat.com
Wed Dec 14 14:15:24 UTC 2005


Ted Rule wrote:
> For a personal requirement, I was trying to tweak SELinux strict sources
> policy so that the OpenOffice main binary had a non-default label, i.e.
> "soffice_exec_t".
>
> I found that despite setting the file_context override in
> localpolicy.fc, a restorecon kept flipping the file_context
> back to bin_t, implying that the loaded policy had ignored my
> localpolicy settings.
>
> I eventually found that the settings in distros.fc appeared to be
> overriding whatever I did, provided it had a regex match for the file in
> question. In other words, "restorecon" used the file_context as set by
> the last matching regex
> in /etc/selinux/strict/contexts/files/file_contexts.
>
> The implication is that the Makefile for the policy doesn't guarantee to
> arrange things such that localpolicy.fc can always be
> used to apply local policy overrides. I had always assumed this to be
> the case.
>
> On most occasions, localpolicy.fc will override. My problem here was
> that distros.fc contains a "wilder" regex which happened to match the
> file_context I was trying to tweak.
>
> A grep of the relevant sections of localpolicy.fc and distros.fc is
> shown below. I was finding that an override for this file:
>
> /usr/lib/openoffice.org2.0/program/soffice
>
> was matching this in distros.fc
>
> /usr/lib/.*/program(/.*)?
>
>
> Could the Makefile be rearranged to ensure that local settings always
> override the default policy, please?
>
>
> Ted
>
>
> Policy in use is:
>
> selinux-policy-strict-sources-1.27.1-2.16
>
>
> [root at workstation policy]# pwd
> /etc/selinux/strict/src/policy
>
> [root at workstation policy]#
> [root at workstation policy]# grep program file_contexts/distros.fc
> /usr/lib/.*/program(/.*)?                       system_u:object_r:bin_t
> /usr/lib/.*/program/.*\.so.*                    system_u:object_r:shlib_t
> /usr/lib/.*/program/libicudata\.so.*            --  system_u:object_r:texrel_shlib_t
> /usr/lib/.*/program/libsts645li\.so             --  system_u:object_r:texrel_shlib_t
> /usr/lib/.*/program/libvclplug_gen645li\.so     --  system_u:object_r:texrel_shlib_t
> /usr/lib/.*/program/libwrp645li\.so             --  system_u:object_r:texrel_shlib_t
> /usr/lib/.*/program/libswd680li\.so             --  system_u:object_r:texrel_shlib_t
> /usr/lib(64)?/.*/program/librecentfile\.so      --  system_u:object_r:texrel_shlib_t
> /usr/lib(64)?/.*/program/libsvx680li\.so        --  system_u:object_r:texrel_shlib_t
> /usr/lib(64)?/.*/program/libcomphelp4gcc3\.so   --  system_u:object_r:texrel_shlib_t
> /usr/lib(64)?/.*/program/libsoffice\.so         --  system_u:object_r:texrel_shlib_t
> [root at workstation policy]#
>
> [root at workstation policy]# grep program file_contexts/program/localpolicy.fc
> #/usr/lib/openoffice.org2.0/program/libsoffice.so       --  system_u:object_r:texrel_shlib_t
> /usr/lib/openoffice.org2.0/program/soffice      --  system_u:object_r:soffice_exec_t
> /usr/lib/openoffice.org2.0/program/soffice.bin  --  system_u:object_r:soffice_exec_t
> [root at workstation policy]#
>
>
> [root at workstation files]# pwd
> /etc/selinux/strict/contexts/files
> [root at workstation files]# grep program file_contexts
> # when the security policy is installed.  The setfiles program
> # listed here anyway so that if the setfiles program is used on a running
> # cvs program
> #/usr/lib/openoffice.org2.0/program/libsoffice.so       --  system_u:object_r:texrel_shlib_t
> /usr/lib/openoffice.org2.0/program/soffice      --  system_u:object_r:soffice_exec_t
> /usr/lib/openoffice.org2.0/program/soffice.bin  --  system_u:object_r:soffice_exec_t
> # rsync program
> # sysstat and other sar programs
> # Add programs here which should not be confined by SELinux
> # Add programs here which should not be confined by SELinux
> # uucico program
> /usr/lib/.*/program(/.*)?                       system_u:object_r:bin_t
> /usr/lib/.*/program/.*\.so.*                    system_u:object_r:shlib_t
> /usr/lib/.*/program/libicudata\.so.*            --  system_u:object_r:texrel_shlib_t
> /usr/lib/.*/program/libsts645li\.so             --  system_u:object_r:texrel_shlib_t
> /usr/lib/.*/program/libvclplug_gen645li\.so     --  system_u:object_r:texrel_shlib_t
> /usr/lib/.*/program/libwrp645li\.so             --  system_u:object_r:texrel_shlib_t
> /usr/lib/.*/program/libswd680li\.so             --  system_u:object_r:texrel_shlib_t
> /usr/lib(64)?/.*/program/librecentfile\.so      --  system_u:object_r:texrel_shlib_t
> /usr/lib(64)?/.*/program/libsvx680li\.so        --  system_u:object_r:texrel_shlib_t
> /usr/lib(64)?/.*/program/libcomphelp4gcc3\.so   --  system_u:object_r:texrel_shlib_t
> /usr/lib(64)?/.*/program/libsoffice\.so         --  system_u:object_r:texrel_shlib_t
> [root at workstation files]#
The makefile reassembles /etc/selinux/strict/contexts/files/file_context 
and should put your change after the distro one.
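An added example (not from the thread or the policy Makefile) that models the "last matching regex wins" rule Ted describes, using constructed file_contexts fragments copied from the entries quoted above: it shows which label soffice ends up with when the localpolicy.fc fragment lands before the distros.fc entries versus after them, which is the ordering Dan says the Makefile is supposed to produce. The real decision is made by setfiles/matchpathcon; this is a simplified model of that lookup.

```python
"""Model of the 'last matching regex wins' rule setfiles/restorecon apply."""
import re

# Constructed sample fragments modelled on the entries quoted in the thread.
DISTROS_FC = """\
/usr/lib/.*/program(/.*)?                       system_u:object_r:bin_t
/usr/lib/.*/program/.*\\.so.*                    system_u:object_r:shlib_t
/usr/lib(64)?/.*/program/libsoffice\\.so         --  system_u:object_r:texrel_shlib_t
"""
LOCALPOLICY_FC = """\
#/usr/lib/openoffice.org2.0/program/libsoffice.so  --  system_u:object_r:texrel_shlib_t
/usr/lib/openoffice.org2.0/program/soffice      --  system_u:object_r:soffice_exec_t
/usr/lib/openoffice.org2.0/program/soffice.bin  --  system_u:object_r:soffice_exec_t
"""

def parse_fc(text):
    """Parse file_contexts lines into (anchored regex, file type or None, context)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            (regex, context), ftype = fields, None   # no type field: any file type
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        # setfiles anchors every regex to the whole pathname.
        entries.append((re.compile("^" + regex + "$"), ftype, context))
    return entries

def lookup(entries, path, ftype="--"):
    """Return the context of the LAST entry matching path and file type, else None."""
    winner = None
    for regex, want_type, context in entries:
        if want_type in (None, ftype) and regex.match(path):
            winner = context              # a later match overrides an earlier one
    return winner

SOFFICE = "/usr/lib/openoffice.org2.0/program/soffice"

def label_for(fragments):
    """Label soffice gets when the Makefile concatenates fragments in this order."""
    return lookup(parse_fc("".join(fragments)), SOFFICE)

if __name__ == "__main__":
    print("local before distros:", label_for([LOCALPOLICY_FC, DISTROS_FC]))
    print("local after distros :", label_for([DISTROS_FC, LOCALPOLICY_FC]))
```

Running the same two orderings against the installed file with `matchpathcon` (or by reading `/etc/selinux/strict/contexts/files/file_contexts` into `parse_fc`) is a quick way to confirm whether a local override actually lands after the distro wildcard that swallows it.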
