OK.. Maybe 3rd time's the charm ;)
Running Fedora Core as of last night-ish -devel tree, and installing
selinux-policy-strict-1.13.2-4.
Spotted while doing the relabelling (I knew there was a reason I try to
remember to run it with '-v' ;):
/usr/sbin/setfiles: relabeling /usr/local/lib/xemacs/xemacs-packages/pkginfo/MANIFEST.sounds-au from root:object_r:lib_t to system_u:object_r:shlib_t
/usr/sbin/setfiles: relabeling /usr/local/lib/xemacs/xemacs-packages/pkginfo/MANIFEST.sounds-wav from root:object_r:lib_t to system_u:object_r:shlib_t
Looks like a runaway glob on '.*\.so'... Whoops. ;)
First, the good news.. ;)
Some grepping through file_contexts/file_contexts indicates that of the 553
uses of a .* glob, almost all are using it to indicate "to end of filename"
with either "/some/path.*" (197 usages) or "/some/path(/.*)?" (313 usages).
(Somebody else can audit these 510 to determine if The Other Flavor should have
been specified to handle the case of a file called "/some/path-foo" ;)
Now, the bad news.. There are 43 cases of "neither of the above" ;)
To find the rest:
grep '\.\*' file_contexts/file_contexts | egrep -v '\(\/\.\*\)\?[[:space:]]|\.\*[[:space:]]'
These 4 mystified me - why "(.*)?" instead of ".*" or "(/.*)?"?
/var/run/courier(.*)? system_u:object_r:courier_var_run_t
/usr/lib(64)?/cyrus-imapd/(.*)? -- system_u:object_r:bin_t
/var/www/lrrd(.*)? system_u:object_r:lrrd_var_lib_t
/usr/X11R6/lib(64)?/xscreensaver(.*)? system_u:object_r:bin_t
I suspect that all 4 were intended to be of the form "foo(/.*)?" - anybody
know for sure?
Also, anybody know where these come from?
/lib(64)?/lvm-10(/.*) system_u:object_r:lvm_exec_t
/lib(64)?/lvm-200(/.*) system_u:object_r:lvm_exec_t
(I have some /lib/liblvm-10* files, but not /lib/lvm-* - is that from a
non-Fedora system? I'm not seeing a /lib/lvm-* file in either the lvm or lvm2
Fedora RPMs)
Now, some more good news - close to half the remaining 43 are from types.fc
handling of ld_so_t and shlib_t - patch to clean those up attached. ;)
Please double-check - I've verified that this patch doesn't unintentionally
relabel anything on my system, and does avoid mislabeling the two xemacs files,
but there very well might be things that intend to use .* to greedily swallow
across a / character for the types I changed.. if it's too drastic, probably
95% of the benefit could be gained by just changing all the \.so.*
to be \.so(\.[^/]*)* instead...
As an aside, I *tried* to do this against a current Fedora:
for i in *.rpm; do rpm -qpl $i >> /tmp/allfiles; done
sort -u /tmp/allfiles | /usr/sbin/setfiles -v -d -n -s file_contexts/file_contexts
but that just throws a lot of "File not found" for any files in RPMs that
aren't on my system. Could we have a -t (for "test") flag that reports "What
would the file context be set to if the file existed?" that skips statting the
file? It would make automated regression testing of this sort of thing a lot easier.
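As an added example (my own code, not the poster's and not part of selinux-policy), here is a small Python checker that does two of the things described above offline: it tallies where `.*` sits in each spec (the grep above, made exact per occurrence), and it answers "what context would this path get?" from the path string alone, which is the `-t` behaviour the post asks setfiles for. It assumes that specs are anchored at both ends, that the last matching spec wins, and that a `--` spec applies only to regular files; the sample specs are constructed from the /lib and /usr/local/lib lines of the patch, once as written and once as patched.

```python
"""Offline checks on SELinux file_contexts specs.

Added example, not code from the original post or from selinux-policy.
It re-implements two things the post describes in plain Python:
  * an audit of where ".*" appears in each path regex, and
  * a "what context would this path get?" lookup that never stats the
    filesystem (the "-t" behaviour the post asks setfiles for).
Assumptions (stated here, not taken from the post): every spec is anchored
at both ends, the last matching spec wins, and a "--" spec applies only to
regular files.  The sample specs below are constructed from lines quoted in
the post; the "old" set uses the original patterns, the "new" set the
patched ones.
"""
import re
from collections import Counter
from typing import List, NamedTuple, Optional


class Spec(NamedTuple):
    regex: str            # path regex exactly as written in file_contexts
    ftype: Optional[str]  # "--", "-d", "-l", ... or None when the field is absent
    context: str          # user:role:type
    compiled: re.Pattern


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse 'regex [ftype] context' lines; blank lines and comments are skipped."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, ctx = fields
        elif len(fields) == 2:
            regex, ctx = fields
            ftype = None
        else:
            raise ValueError(f"unparseable spec: {line!r}")
        specs.append(Spec(regex, ftype, ctx, re.compile(regex)))
    return specs


def label_for(path: str, specs: List[Spec], ftype: str = "--") -> Optional[str]:
    """Context the last matching spec assigns to `path`, or None if none matches.

    Only the path string is consulted (assumed semantics: full-string match,
    last match wins), so this works for files absent from the local machine.
    """
    chosen = None
    for spec in specs:
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.compiled.fullmatch(path):
            chosen = spec.context
    return chosen


def dot_star_uses(regex: str) -> List[str]:
    """Classify each unescaped '.*' in a path regex.

    'subtree'  -> the '(/.*)?' idiom at the very end (descend into a directory)
    'trailing' -> a bare '.*' at the very end (rest of the last component)
    'other'    -> anywhere else: this one can swallow '/' mid-path
    """
    kinds = []
    for i in range(len(regex) - 1):
        if regex[i:i + 2] != ".*" or (i > 0 and regex[i - 1] == "\\"):
            continue
        if regex.endswith("(/.*)?") and i == len(regex) - 4:
            kinds.append("subtree")
        elif i == len(regex) - 2:
            kinds.append("trailing")
        else:
            kinds.append("other")
    return kinds


def audit(specs: List[Spec]) -> Counter:
    """Tally '.*' usage kinds across a spec list."""
    counts = Counter()
    for spec in specs:
        counts.update(dot_star_uses(spec.regex))
    return counts


def relabel_diff(paths, old: List[Spec], new: List[Spec]) -> dict:
    """Paths whose label differs between two spec sets: {path: (old, new)}."""
    return {p: (label_for(p, old), label_for(p, new))
            for p in paths if label_for(p, old) != label_for(p, new)}


# Constructed sample: /lib and /usr/local/lib rules as in types.fc before the patch.
OLD_SPECS = r"""
/lib(64)?(/.*)?                          system_u:object_r:lib_t
/lib(64)?/ld.*\.so.*                 --  system_u:object_r:ld_so_t
/lib(64)?/lib.*\.so.*                --  system_u:object_r:shlib_t
/lib(64)?/[^/]*/lib.*\.so.*          --  system_u:object_r:shlib_t
/lib(64)?/security/.*\.so.*          --  system_u:object_r:shlib_t
/usr/local/lib(64)?(/.*)?                system_u:object_r:lib_t
/usr/local/lib(64)?/.*\.so.*         --  system_u:object_r:shlib_t
"""

# Constructed sample: the same rules as rewritten by the patch.
NEW_SPECS = r"""
/lib(64)?(/.*)?                                   system_u:object_r:lib_t
/lib(64)?/ld[^/]*\.so(\.[^/]*)*               --  system_u:object_r:ld_so_t
/lib(64)?/lib[^/]*\.so(\.[^/]*)*              --  system_u:object_r:shlib_t
/lib(64)?/[^/]*/lib[^/]*\.so(\.[^/]*)*        --  system_u:object_r:shlib_t
/lib(64)?/security/[^/]*\.so(\.[^/]*)*        --  system_u:object_r:shlib_t
/usr/local/lib(64)?(/.*)?                         system_u:object_r:lib_t
/usr/local/lib(64)?(/.*)+\.so(\.[^/]*)*       --  system_u:object_r:shlib_t
"""

SAMPLE_PATHS = [
    "/usr/local/lib/xemacs/xemacs-packages/pkginfo/MANIFEST.sounds-au",  # the misfire
    "/usr/local/lib/libfoo.so.1.2.3",
    "/lib/ld-linux.so.2",
    "/lib/libc-2.3.3.so",
    "/lib/tls/libpthread.so.0",
    "/lib/security/pam_unix.so",
    "/lib/libfoo/bar.so.1",  # constructed: the narrowing the post warns about
]

if __name__ == "__main__":
    old, new = parse_file_contexts(OLD_SPECS), parse_file_contexts(NEW_SPECS)
    print("'.*' usage before:", dict(audit(old)))
    print("'.*' usage after: ", dict(audit(new)))
    for path, (before, after) in relabel_diff(SAMPLE_PATHS, old, new).items():
        print(f"{path}: {before} -> {after}")
```

With these sample specs the run reports exactly two paths whose label changes: the xemacs MANIFEST file (shlib_t to lib_t, the intended fix) and the constructed `/lib/libfoo/bar.so.1` (shlib_t to lib_t), which is the "greedy `.*` across a `/`" case the post says might be intended somewhere. The audit shows the mid-pattern `.*` occurrences dropping from 5 to 1 in this subset; the one that remains is the `(/.*)+` directory part of the /usr/local/lib rule.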
--- file_contexts/types.fc.dist 2004-06-01 21:09:03.000000000 -0400
+++ file_contexts/types.fc 2004-06-03 00:20:41.899373306 -0400
@@ -85,8 +85,8 @@
/var/ftp/bin(/.*)? system_u:object_r:bin_t
/var/ftp/bin/ls -- system_u:object_r:ls_exec_t
/var/ftp/lib(64)?(/.*)? system_u:object_r:lib_t
-/var/ftp/lib(64)?/ld.*\.so.* -- system_u:object_r:ld_so_t
-/var/ftp/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t
+/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
+/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/var/ftp/etc(/.*)? system_u:object_r:etc_t
#
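Review bot: the two `+` lines restrict `/var/ftp/lib(64)?/ld.*` and `lib.*` to direct children of the lib directory, but unlike the `/lib(64)?` hunk further down this one gains no `/var/ftp/lib(64)?/[^/]*/lib[^/]*\.so(\.[^/]*)*` companion line, so a library one level down (a chrooted copy of a `tls/` directory, for instance) would fall back to `lib_t` via `/var/ftp/lib(64)?(/.*)?`. Either add the companion line or note that the ftp lib tree is expected to be flat.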
@@ -258,13 +258,13 @@
# /lib(64)?
#
/lib(64)?(/.*)? system_u:object_r:lib_t
-/lib(64)?/ld.*\.so.* -- system_u:object_r:ld_so_t
-/lib(64)?/tls/ld.*\.so.* -- system_u:object_r:ld_so_t
-/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t
-/lib(64)?/[^/]*/lib.*\.so.* -- system_u:object_r:shlib_t
-/lib(64)?/devfsd/.*\.so.* -- system_u:object_r:shlib_t
-/lib(64)?/security/.*\.so.* -- system_u:object_r:shlib_t
-/lib(64)?/tls/i686/cmov/.*\.so.* -- system_u:object_r:shlib_t
+/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
+/lib(64)?/tls/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
+/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/lib(64)?/[^/]*/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/lib(64)?/devfsd/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/lib(64)?/security/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/lib(64)?/tls/i686/cmov/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
#
# /sbin
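Review bot: `(\.[^/]*)*` on every `+` line is equivalent to `(\.[^/]*)?`, because the inner `[^/]*` already absorbs any further dots (`libc.so.6.1` matches either way); the `?` form says what is meant and avoids a repeated group around an unbounded class. Separately, the old `/lib(64)?/lib.*\.so.*` could reach into a subdirectory whose name starts with `lib`, and the `+` version cannot; that is the narrowing the cover text warns about, so it deserves a line in the commit message.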
@@ -299,9 +299,9 @@
# /usr/lib(64)?
#
/usr/lib(64)?(/.*)? system_u:object_r:lib_t
-/usr/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t
+/usr/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/usr/lib(64)?/python.*\.so -- system_u:object_r:shlib_t
-/usr/lib(64)?/.*/lib[^/]*\.so.* -- system_u:object_r:shlib_t
+/usr/lib(64)?/.*/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/usr/lib(64)?/.*/.*\.so -- system_u:object_r:shlib_t
/usr/lib(64)?/autofs/.*\.so -- system_u:object_r:shlib_t
/usr/lib(64)?/perl5/man(/.*)? system_u:object_r:man_t
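Review bot: after this hunk a versioned module under `/usr/lib/<dir>/` whose basename does not start with `lib` (say `<dir>/foo.so.1`) is caught by nothing: the `+` line `/usr/lib(64)?/.*/lib[^/]*\.so(\.[^/]*)*` requires the `lib` prefix and the unchanged `/usr/lib(64)?/.*/.*\.so` line ends at the literal `.so`. Before the patch `/usr/lib(64)?/lib.*\.so.*` picked such a file up whenever `<dir>` itself began with `lib`. If that case is meant to stay `shlib_t`, add a `/usr/lib(64)?/.*/[^/]*\.so(\.[^/]*)*` line next to the existing `.*/.*\.so` one.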
@@ -316,21 +316,21 @@
# /usr/.*glibc.*-linux/lib(64)?
#
/usr/.*glibc.*-linux/lib(64)?(/.*)? system_u:object_r:lib_t
-/usr/.*glibc.*-linux/lib(64)?/ld.*\.so.* system_u:object_r:ld_so_t
-/usr/.*glibc.*-linux/lib(64)?/lib.*\.so.* system_u:object_r:shlib_t
+/usr/.*glibc.*-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
+/usr/.*glibc.*-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)* system_u:object_r:shlib_t
# /usr/.*redhat-linux/lib(64)?
#
/usr/.*redhat-linux/lib(64)?(/.*)? system_u:object_r:lib_t
-/usr/.*redhat-linux/lib(64)?/ld.*\.so.* system_u:object_r:ld_so_t
-/usr/.*redhat-linux/lib(64)?/lib.*\.so.* system_u:object_r:shlib_t
+/usr/.*redhat-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
+/usr/.*redhat-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)* system_u:object_r:shlib_t
#
# /usr/.*linux-libc.*/lib(64)?
#
/usr/.*linux-libc.*/lib(64)?(/.*)? system_u:object_r:lib_t
-/usr/.*linux-libc.*/lib(64)?/ld.*\.so.* system_u:object_r:ld_so_t
-/usr/.*linux-libc.*/lib(64)?/lib.*\.so.* system_u:object_r:shlib_t
+/usr/.*linux-libc.*/lib(64)?/ld[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
+/usr/.*linux-libc.*/lib(64)?/lib[^/]*\.so(\.[^/]*)* system_u:object_r:shlib_t
#
# /usr/local
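Review bot: the six `+` lines in this hunk still carry no `--` file-type field, unlike the `/lib(64)?` and `/usr/lib(64)?` rules above, so they also apply to directories and symlinks whose names look like a library. Since these lines are being rewritten anyway, adding `--` would bring them in line with the rest of types.fc; if the omission is deliberate, a comment saying so would stop the next reader from asking the same question.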
@@ -349,7 +349,7 @@
# /usr/local/lib(64)?
#
/usr/local/lib(64)?(/.*)? system_u:object_r:lib_t
-/usr/local/lib(64)?/.*\.so.* -- system_u:object_r:shlib_t
+/usr/local/lib(64)?(/.*)+\.so(\.[^/]*)* -- system_u:object_r:shlib_t
#
# /usr/sbin
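Review bot: `(/.*)+` in the `+` line is redundant: `.*` already matches `/`, so the group is the same as a single `/.*`, and a repeated group wrapped around an unbounded wildcard is the classic nested-quantifier shape that makes a regex engine backtrack heavily on long paths that do not match. `/usr/local/lib(64)?/.*\.so(\.[^/]*)*` expresses the same rule. Note that the directory part here still crosses `/` on purpose; the xemacs MANIFEST file is now rejected by the `\.so(\.[^/]*)*` tail, which no longer lets `.so` match in the middle of a name.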
@@ -365,7 +365,7 @@
# /usr/X11R6/(.*/)?lib(64)?
#
/usr/X11R6/(.*/)?lib(64)?(/.*)? system_u:object_r:lib_t
-/usr/X11R6/(.*/)?lib(64)?/.*\.so.* -- system_u:object_r:shlib_t
+/usr/X11R6/(.*/)?lib(64)?(/.*)+\.so(\.[^/]*)* -- system_u:object_r:shlib_t
#
# /usr/X11R6/man
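Review bot: the `+` line has the same redundant `(/.*)+` as the /usr/local/lib hunk, and with `(.*/)?` already in front it now strings three unbounded wildcards together. `/usr/X11R6/(.*/)?lib(64)?/.*\.so(\.[^/]*)*` matches the same set of paths with less backtracking.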
@@ -378,7 +378,7 @@
/usr/kerberos/bin(/.*)? system_u:object_r:bin_t
/usr/kerberos/sbin(/.*)? system_u:object_r:sbin_t
/usr/kerberos/lib(64)?(/.*)? system_u:object_r:lib_t
-/usr/kerberos/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t
+/usr/kerberos/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
#
# Fonts dir
@@ -459,7 +459,7 @@
#
/usr/java/j2sdk.*/bin(/.*)? system_u:object_r:bin_t
/usr/java/j2sdk.*/jre/lib(64)?/i386(/.*)? system_u:object_r:lib_t
-/usr/java/j2re1.*/plugin/i386(/.*)?/lib.*\.so.* -- system_u:object_r:shlib_t
+/usr/java/j2re1.*/plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
#
# The krb5.conf file is always being tested for writability, so