For a personal requirement, I was trying to tweak SELinux strict sources policy so that the OpenOffice main binary had a non-default label, i.e. "soffice_exec_t".
I found that despite setting the file_context override in localpolicy.fc, a restorecon kept flipping the file_context back to bin_t, implying that the loaded policy had ignored my localpolicy settings.
I eventually found that the settings in distros.fc appeared to be overriding whatever I did, provided it had a regex match for the file in question. In other words, "restorecon" used the file_context as set by the last matching regex in /etc/selinux/strict/contexts/files/file_contexts.
The implication is that the Makefile for the policy doesn't guarantee to arrange things such that localpolicy.fc can always be used to apply local policy overrides. I had always assumed this to be the case.
On most occasions, localpolicy.fc will override. My problem here was that distros.fc contains a "wilder" regex which happened to match the file_context I was trying to tweak.
A grep of the relevant sections of localpolicy.fc and distros.fc is shown below. I was finding that an override for this file:
/usr/lib/openoffice.org2.0/program/soffice
was matching this in distros.fc
/usr/lib/.*/program(/.*)?
Could the Makefile be rearranged to ensure that local settings always override the default policy, please?
Ted
Policy in use is:
selinux-policy-strict-sources-1.27.1-2.16
[root@workstation policy]# pwd
/etc/selinux/strict/src/policy
[root@workstation policy]#
[root@workstation policy]# grep program file_contexts/distros.fc
/usr/lib/.*/program(/.*)?                          system_u:object_r:bin_t
/usr/lib/.*/program/.*.so.*                        system_u:object_r:shlib_t
/usr/lib/.*/program/libicudata.so.*             -- system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libsts645li.so              -- system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libvclplug_gen645li.so      -- system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libwrp645li.so              -- system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libswd680li.so              -- system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/librecentfile.so       -- system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libsvx680li.so         -- system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libcomphelp4gcc3.so    -- system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libsoffice.so          -- system_u:object_r:texrel_shlib_t
[root@workstation policy]#
[root@workstation policy]# grep program file_contexts/program/localpolicy.fc
#/usr/lib/openoffice.org2.0/program/libsoffice.so -- system_u:object_r:texrel_shlib_t
/usr/lib/openoffice.org2.0/program/soffice        -- system_u:object_r:soffice_exec_t
/usr/lib/openoffice.org2.0/program/soffice.bin    -- system_u:object_r:soffice_exec_t
[root@workstation policy]#
[root@workstation files]# pwd
/etc/selinux/strict/contexts/files
[root@workstation files]# grep program file_contexts
# when the security policy is installed. The setfiles program
# listed here anyway so that if the setfiles program is used on a running
# cvs program
#/usr/lib/openoffice.org2.0/program/libsoffice.so -- system_u:object_r:texrel_shlib_t
/usr/lib/openoffice.org2.0/program/soffice        -- system_u:object_r:soffice_exec_t
/usr/lib/openoffice.org2.0/program/soffice.bin    -- system_u:object_r:soffice_exec_t
# rsync program
# sysstat and other sar programs
# Add programs here which should not be confined by SELinux
# Add programs here which should not be confined by SELinux
# uucico program
/usr/lib/.*/program(/.*)?                          system_u:object_r:bin_t
/usr/lib/.*/program/.*.so.*                        system_u:object_r:shlib_t
/usr/lib/.*/program/libicudata.so.*             -- system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libsts645li.so              -- system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libvclplug_gen645li.so      -- system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libwrp645li.so              -- system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libswd680li.so              -- system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/librecentfile.so       -- system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libsvx680li.so         -- system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libcomphelp4gcc3.so    -- system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libsoffice.so          -- system_u:object_r:texrel_shlib_t
[root@workstation files]#
Ted Rule wrote:
For a personal requirement, I was trying to tweak SELinux strict sources policy so that the OpenOffice main binary had a non-default label, i.e. "soffice_exec_t".
I found that despite setting the file_context override in localpolicy.fc, a restorecon kept flipping the file_context back to bin_t, implying that the loaded policy had ignored my localpolicy settings.
Could the Makefile be rearranged to ensure that local settings always override the default policy, please?
The makefile reassembles /etc/selinux/strict/contexts/files/file_contexts and should put your change after the distro one.
On Tue, 2005-12-13 at 23:22 +0000, Ted Rule wrote:
For a personal requirement, I was trying to tweak SELinux strict sources policy so that the OpenOffice main binary had a non-default label, i.e. "soffice_exec_t".
I found that despite setting the file_context override in localpolicy.fc, a restorecon kept flipping the file_context back to bin_t, implying that the loaded policy had ignored my localpolicy settings.
A couple of points:

- Conventionally, such local settings have been put into file_contexts/misc/local.fc or file_contexts/misc/custom.fc. The contents of the misc subdirectory are put after the distros.fc file and thus take precedence.

- A better way of doing this is to create a /etc/selinux/$SELINUXTYPE/contexts/files/file_contexts.local file with your local settings. That doesn't require policy sources to be kept around at all. restorecon and other users of matchpathcon give precedence to anything in that file if it exists.
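To make the precedence rule discussed in this thread concrete, here is an added Python emulation (not code from the thread or from libselinux) of how restorecon/matchpathcon choose a label: the last matching entry wins, so overrides that sit before the distros.fc wildcard lose, while entries placed last (misc/ or file_contexts.local) win. The two spec excerpts are constructed from the grep output above; the optional `--` file-type field and the implicit `^...$` anchoring follow file_contexts semantics.

```python
import re

# Added emulation of the precedence rule from the thread: every entry in the
# installed file_contexts is searched and the LAST matching regex wins, with
# file_contexts.local in effect appended after the main file so it overrides.
# The two excerpts below are constructed from the grep output in the thread.
DISTROS_FC = """
/usr/lib/.*/program(/.*)?                      system_u:object_r:bin_t
/usr/lib/.*/program/.*.so.*                    system_u:object_r:shlib_t
/usr/lib(64)?/.*/program/libsoffice.so      -- system_u:object_r:texrel_shlib_t
"""
LOCALPOLICY_FC = """
/usr/lib/openoffice.org2.0/program/soffice     -- system_u:object_r:soffice_exec_t
/usr/lib/openoffice.org2.0/program/soffice.bin -- system_u:object_r:soffice_exec_t
"""

def parse_file_contexts(text):
    """Return (compiled regex, file type, context) triples in file order."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # Optional middle field restricts the file type: '--' regular, '-d' directory.
        ftype = fields[1] if len(fields) == 3 else ""
        # file_contexts regexes are implicitly anchored at both ends.
        specs.append((re.compile("^" + fields[0] + "$"), ftype, fields[-1]))
    return specs

def matchpathcon(specs, path, ftype="--"):
    """Context restorecon would apply: the last spec whose regex and type match."""
    for regex, spec_type, context in reversed(specs):
        if spec_type and spec_type != ftype:
            continue
        if regex.match(path):
            return context
    return "<<none>>"

SOFFICE = "/usr/lib/openoffice.org2.0/program/soffice"

# Order Ted saw in the installed file: local overrides came BEFORE distros.fc,
# so the later wildcard /usr/lib/.*/program(/.*)? shadowed them.
installed = parse_file_contexts(LOCALPOLICY_FC) + parse_file_contexts(DISTROS_FC)
# Order you get from misc/local.fc or file_contexts.local: local entries LAST.
overriding = parse_file_contexts(DISTROS_FC) + parse_file_contexts(LOCALPOLICY_FC)

if __name__ == "__main__":
    print(matchpathcon(installed, SOFFICE))   # system_u:object_r:bin_t
    print(matchpathcon(overriding, SOFFICE))  # system_u:object_r:soffice_exec_t
```

Running it shows the binary labelled bin_t under the order Ted observed and soffice_exec_t once the local entries come last; the `--` restriction also keeps the directory itself at bin_t in both orders.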
selinux@lists.fedoraproject.org