OK.. Maybe 3rd time's the charm ;)
Running Fedora Core as of last night-ish -devel tree, and installing selinux-policy-strict-1.13.2-4.
Spotted while doing the relabelling (I knew there was a reason I try to remember to run it with '-v' ;):

/usr/sbin/setfiles: relabeling /usr/local/lib/xemacs/xemacs-packages/pkginfo/MANIFEST.sounds-au from root:object_r:lib_t to system_u:object_r:shlib_t
/usr/sbin/setfiles: relabeling /usr/local/lib/xemacs/xemacs-packages/pkginfo/MANIFEST.sounds-wav from root:object_r:lib_t to system_u:object_r:shlib_t
Looks like a runaway glob on '.*.so'... Whoops. ;)
First, the good news.. ;)
Some grepping through file_contexts/file_contexts indicates that of the 553 uses of a .* glob, almost all are using it to indicate "to end of filename" with either "/some/path.*" (197 usages) or "/some/path(/.*)?" (313 usages). (Somebody else can audit these 510 to determine if The Other Flavor should have been specified to handle the case of a file called "/some/path-foo" ;)
Now, the bad news.. There's 43 cases of "neither of the above" ;)
To find the rest:
grep '\.\*' file_contexts/file_contexts | egrep -v '\(/\.\*\)\?[[:space:]]|\.\*[[:space:]]'
These 4 mystified me - why "(.*)?" instead of ".*" or "(/.*)?"
/var/run/courier(.*)? system_u:object_r:courier_var_run_t
/usr/lib(64)?/cyrus-imapd/(.*)? -- system_u:object_r:bin_t
/var/www/lrrd(.*)? system_u:object_r:lrrd_var_lib_t
/usr/X11R6/lib(64)?/xscreensaver(.*)? system_u:object_r:bin_t
I suspect that all 4 were intended to be of the form "foo(/.*)?" - anybody know for sure?
Also, anybody know where these come from?

/lib(64)?/lvm-10(/.*) system_u:object_r:lvm_exec_t
/lib(64)?/lvm-200(/.*) system_u:object_r:lvm_exec_t
(I have some /lib/liblvm-10* files, but not /lib/lvm-* - is that from a non-Fedora system? I'm not seeing a /lib/lvm-* file in either the lvm or lvm2 Fedora RPMs)
Now, some more good news - close to half the remaining 43 are from types.fc handling of ld_so_t and shlib_t - patch to clean those up attached. ;)
Please double-check - I've verified that this patch doesn't unintentionally relabel anything on my system, and does avoid mislabeling the two xemacs files, but there very well might be things that intend to use .* to greedily swallow across a / character for the types I changed.. if it's too drastic, probably 95% of the benefit could be gained by just changing all the .so.* to be .so(.[^/]*)* instead...
As an aside, I *tried* to do this against a current Fedora:
for i in *.rpm; do rpm -qpl "$i" >> /tmp/allfiles; done
sort -u /tmp/allfiles | /usr/sbin/setfiles -v -d -n -s file_contexts/file_contexts
but that just throws a lot of "File not found" for any files in RPMs that aren't on my system. Could we have a -t (for "test") flag that reports "What would the file context be set to if the file existed?" that skips statting the file? It would make automated regression testing of this sort of thing a lot easier.
--- file_contexts/types.fc.dist 2004-06-01 21:09:03.000000000 -0400 +++ file_contexts/types.fc 2004-06-03 00:20:41.899373306 -0400 @@ -85,8 +85,8 @@ /var/ftp/bin(/.*)? system_u:object_r:bin_t /var/ftp/bin/ls -- system_u:object_r:ls_exec_t /var/ftp/lib(64)?(/.*)? system_u:object_r:lib_t -/var/ftp/lib(64)?/ld.*.so.* -- system_u:object_r:ld_so_t -/var/ftp/lib(64)?/lib.*.so.* -- system_u:object_r:shlib_t +/var/ftp/lib(64)?/ld[^/]*.so(.[^/]*)* -- system_u:object_r:ld_so_t +/var/ftp/lib(64)?/lib[^/]*.so(.[^/]*)* -- system_u:object_r:shlib_t /var/ftp/etc(/.*)? system_u:object_r:etc_t
# @@ -258,13 +258,13 @@ # /lib(64)? # /lib(64)?(/.*)? system_u:object_r:lib_t -/lib(64)?/ld.*.so.* -- system_u:object_r:ld_so_t -/lib(64)?/tls/ld.*.so.* -- system_u:object_r:ld_so_t -/lib(64)?/lib.*.so.* -- system_u:object_r:shlib_t -/lib(64)?/[^/]*/lib.*.so.* -- system_u:object_r:shlib_t -/lib(64)?/devfsd/.*.so.* -- system_u:object_r:shlib_t -/lib(64)?/security/.*.so.* -- system_u:object_r:shlib_t -/lib(64)?/tls/i686/cmov/.*.so.* -- system_u:object_r:shlib_t +/lib(64)?/ld[^/]*.so(.[^/]*)* -- system_u:object_r:ld_so_t +/lib(64)?/tls/ld[^/]*.so(.[^/]*)* -- system_u:object_r:ld_so_t +/lib(64)?/lib[^/]*.so(.[^/]*)* -- system_u:object_r:shlib_t +/lib(64)?/[^/]*/lib[^/]*.so(.[^/]*)* -- system_u:object_r:shlib_t +/lib(64)?/devfsd/[^/]*.so(.[^/]*)* -- system_u:object_r:shlib_t +/lib(64)?/security/[^/]*.so(.[^/]*)* -- system_u:object_r:shlib_t +/lib(64)?/tls/i686/cmov/[^/]*.so(.[^/]*)* -- system_u:object_r:shlib_t
# # /sbin @@ -299,9 +299,9 @@ # /usr/lib(64)? # /usr/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/lib(64)?/lib.*.so.* -- system_u:object_r:shlib_t +/usr/lib(64)?/lib[^/]*.so(.[^/]*)* -- system_u:object_r:shlib_t /usr/lib(64)?/python.*.so -- system_u:object_r:shlib_t -/usr/lib(64)?/.*/lib[^/]*.so.* -- system_u:object_r:shlib_t +/usr/lib(64)?/.*/lib[^/]*.so(.[^/]*)* -- system_u:object_r:shlib_t /usr/lib(64)?/.*/.*.so -- system_u:object_r:shlib_t /usr/lib(64)?/autofs/.*.so -- system_u:object_r:shlib_t /usr/lib(64)?/perl5/man(/.*)? system_u:object_r:man_t @@ -316,21 +316,21 @@ # /usr/.*glibc.*-linux/lib(64)? # /usr/.*glibc.*-linux/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/.*glibc.*-linux/lib(64)?/ld.*.so.* system_u:object_r:ld_so_t -/usr/.*glibc.*-linux/lib(64)?/lib.*.so.* system_u:object_r:shlib_t +/usr/.*glibc.*-linux/lib(64)?/ld[^/]*.so(.[^/]*)* system_u:object_r:ld_so_t +/usr/.*glibc.*-linux/lib(64)?/lib[^/]*.so(.[^/]*)* system_u:object_r:shlib_t
# /usr/.*redhat-linux/lib(64)? # /usr/.*redhat-linux/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/.*redhat-linux/lib(64)?/ld.*.so.* system_u:object_r:ld_so_t -/usr/.*redhat-linux/lib(64)?/lib.*.so.* system_u:object_r:shlib_t +/usr/.*redhat-linux/lib(64)?/ld[^/]*.so(.[^/]*)* system_u:object_r:ld_so_t +/usr/.*redhat-linux/lib(64)?/lib[^/]*.so(.[^/]*)* system_u:object_r:shlib_t
# # /usr/.*linux-libc.*/lib(64)? # /usr/.*linux-libc.*/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/.*linux-libc.*/lib(64)?/ld.*.so.* system_u:object_r:ld_so_t -/usr/.*linux-libc.*/lib(64)?/lib.*.so.* system_u:object_r:shlib_t +/usr/.*linux-libc.*/lib(64)?/ld[^/]*.so(.[^/]*)* system_u:object_r:ld_so_t +/usr/.*linux-libc.*/lib(64)?/lib[^/]*.so(.[^/]*)* system_u:object_r:shlib_t
# # /usr/local @@ -349,7 +349,7 @@ # /usr/local/lib(64)? # /usr/local/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/local/lib(64)?/.*.so.* -- system_u:object_r:shlib_t +/usr/local/lib(64)?(/.*)+.so(.[^/]*)* -- system_u:object_r:shlib_t
# # /usr/sbin @@ -365,7 +365,7 @@ # /usr/X11R6/(.*/)?lib(64)? # /usr/X11R6/(.*/)?lib(64)?(/.*)? system_u:object_r:lib_t -/usr/X11R6/(.*/)?lib(64)?/.*.so.* -- system_u:object_r:shlib_t +/usr/X11R6/(.*/)?lib(64)?(/.*)+.so(.[^/]*)* -- system_u:object_r:shlib_t
# # /usr/X11R6/man @@ -378,7 +378,7 @@ /usr/kerberos/bin(/.*)? system_u:object_r:bin_t /usr/kerberos/sbin(/.*)? system_u:object_r:sbin_t /usr/kerberos/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/kerberos/lib(64)?/lib.*.so.* -- system_u:object_r:shlib_t +/usr/kerberos/lib(64)?/lib[^/]*.so(.[^/]*)* -- system_u:object_r:shlib_t
# # Fonts dir @@ -459,7 +459,7 @@ # /usr/java/j2sdk.*/bin(/.*)? system_u:object_r:bin_t /usr/java/j2sdk.*/jre/lib(64)?/i386(/.*)? system_u:object_r:lib_t -/usr/java/j2re1.*/plugin/i386(/.*)?/lib.*.so.* -- system_u:object_r:shlib_t +/usr/java/j2re1.*/plugin/i386(/.*)?/lib[^/]*.so(.[^/]*)* -- system_u:object_r:shlib_t
# # The krb5.conf file is always being tested for writability, so
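Review bot: in the `+` lines of the /var/ftp hunk (`@@ -85,8 +85,8 @@`) the two dots in `.so(.[^/]*)*` are still regex metacharacters, and in POSIX ERE `.` matches `/` as well, so `(.[^/]*)*` can still walk across directory components: `/var/ftp/lib/libfoo.so/README` matches `ld[^/]*.so(.[^/]*)*`'s sibling `lib[^/]*.so(.[^/]*)*` with the `.` taking the `/`. Escape the literal dots, `/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)*` and the same for the `ld` line; the `--` limits the exposure to regular files under such a directory, but the pattern does not express the intent. Every `+` line in the /lib hunk that follows (`@@ -258,13 +258,13 @@`) has the same shape and wants the same escaping.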
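Review bot: the `@@ -299,9 +299,9 @@` hunk leaves three unchanged lines with the very construct the patch is removing, `/usr/lib(64)?/python.*.so`, `/usr/lib(64)?/.*/.*.so` and `/usr/lib(64)?/autofs/.*.so`, and because the trailing `.so` is unescaped they give shlib_t to any regular file under /usr/lib whose name ends in some character followed by `so` (a file called `also` or `verso`, for instance), not only to shared objects. Suggest `/usr/lib(64)?/.*/[^/]*\.so` and `/usr/lib(64)?/autofs/[^/]*\.so`, and `/usr/lib(64)?/python[^/]*\.so` if the python line is meant to match files directly in /usr/lib.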
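Review bot: in the `@@ -349,7 +349,7 @@` hunk `(/.*)+` is equivalent to `/.*` (one iteration of the group can consume the whole remainder), so the new entry reads as `/usr/local/lib(64)?/.*.so(.[^/]*)*`, and with the dot before `so` unescaped the path that started this thread still matches: `/.*` swallows `/xemacs/xemacs-packages/pkginfo/MANIFEST`, `.so` matches the `.so` of `.sounds`, and `(.[^/]*)*` takes `unds-au`. Escaping is what actually excludes it, since `\.so(\.[^/]*)*` then requires everything after `.so` to be dot-led: `/usr/local/lib(64)?/.*\.so(\.[^/]*)*`. The /usr/X11R6 line in the `@@ -365,7 +365,7 @@` hunk has the same shape and needs the same change.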
On Sat, 5 Jun 2004 04:16, Valdis.Kletnieks@vt.edu wrote:
Also, anybody know where these come from?

/lib(64)?/lvm-10(/.*) system_u:object_r:lvm_exec_t
/lib(64)?/lvm-200(/.*) system_u:object_r:lvm_exec_t
These came from adjusting the Debian path names to the Red Hat naming convention. I'll fix them in my tree.
Please double-check - I've verified that this patch doesn't unintentionally relabel anything on my system, and does avoid mislabeling the two xemacs files, but there very well might be things that intend to use .* to greedily swallow across a / character for the types I changed.. if it's too drastic, probably 95% of the benefit could be gained by just changing all the .so.* to be .so(.[^/]*)* instead...
I've checked it and verified that it appears to do the correct thing according to the design. I believe it's good enough that everyone should use it.
There is one improvement that can be made however. Only class "file" should have type shlib_t or ld_so_t. The following six entries should have "--" added to specify that they only apply to the file class. This will improve the speed of setfiles, and may prevent some corner-cases from causing mis-labelled file system objects that can't be conveniently removed.
/usr/.*glibc.*-linux/lib(64)?/ld[^/]*.so(.[^/]*)* system_u:object_r:ld_so_t
/usr/.*glibc.*-linux/lib(64)?/lib[^/]*.so(.[^/]*)* system_u:object_r:shlib_t
/usr/.*redhat-linux/lib(64)?/ld[^/]*.so(.[^/]*)* system_u:object_r:ld_so_t
/usr/.*redhat-linux/lib(64)?/lib[^/]*.so(.[^/]*)* system_u:object_r:shlib_t
/usr/.*linux-libc.*/lib(64)?/ld[^/]*.so(.[^/]*)* system_u:object_r:ld_so_t
/usr/.*linux-libc.*/lib(64)?/lib[^/]*.so(.[^/]*)* system_u:object_r:shlib_t
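The two posts above turn on three things: that a `.*` in a file_contexts regex crosses `/`, that a `--` type flag (Russell's point) restricts an entry to the file class, and that it would be useful to ask "what context would this path get?" without the file existing (Valdis's `-t` request). The script below is an added example, not code from either poster or from the selinux-policy or setfiles sources. It models the setfiles matching rules as documented (regex anchored as `^regex$`, optional type flag selects an object class, last matching entry wins) on a constructed excerpt in the shape of types.fc, and evaluates the original patterns, the posted patch, and a variant with the literal dots escaped against a handful of paths. The `/lib/libfoo.so/README` and `/var/run/courierd` paths are hypothetical, chosen to show where the variants differ; nothing is stat()ed, which is exactly what the requested test mode would do.

```python
# Added example: a model of how setfiles picks the file_contexts entry for a path.
# Modelled rules: "<regex> [<type>] <context>", regex anchored as ^regex$, a type
# flag restricts the entry to one object class, the LAST matching entry wins, and
# '.' is an ordinary regex metacharacter (so it matches '/'). No stat() is done.
import re
from typing import List, NamedTuple, Optional

# setfiles type flag -> object class the entry is restricted to
FILE_TYPES = {
    "--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
    "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file",
}


class Spec(NamedTuple):
    regex: re.Pattern
    fclass: Optional[str]   # None: applies to every object class
    context: str


def parse_file_contexts(text: str) -> List[Spec]:
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3 and fields[1] in FILE_TYPES:
            path_re, fclass, ctx = fields[0], FILE_TYPES[fields[1]], fields[2]
        elif len(fields) == 2:
            path_re, fclass, ctx = fields[0], None, fields[1]
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        specs.append(Spec(re.compile("^" + path_re + "$"), fclass, ctx))
    return specs


def lookup_type(spec_text: str, path: str, fclass: str = "file") -> Optional[str]:
    """Type field of the context the path would get, or None if nothing matches."""
    for spec in reversed(parse_file_contexts(spec_text)):   # last match wins
        if spec.fclass is not None and spec.fclass != fclass:
            continue
        if spec.regex.match(path):
            return spec.context.split(":")[2]
    return None


# Constructed excerpts in the shape of types.fc (not copies of the policy file).
ORIGINAL = r"""
/lib(64)?(/.*)?                          system_u:object_r:lib_t
/lib(64)?/ld.*.so.*                 --   system_u:object_r:ld_so_t
/lib(64)?/lib.*.so.*                --   system_u:object_r:shlib_t
/usr/local/lib(64)?(/.*)?                system_u:object_r:lib_t
/usr/local/lib(64)?/.*.so.*         --   system_u:object_r:shlib_t
/var/run(/.*)?                           system_u:object_r:var_run_t
/var/run/courier(.*)?                    system_u:object_r:courier_var_run_t
"""
# The posted patch: '[^/]*' replaces the first '.*', dots still unescaped.
PATCHED = r"""
/lib(64)?(/.*)?                          system_u:object_r:lib_t
/lib(64)?/ld[^/]*.so(.[^/]*)*       --   system_u:object_r:ld_so_t
/lib(64)?/lib[^/]*.so(.[^/]*)*      --   system_u:object_r:shlib_t
/usr/local/lib(64)?(/.*)?                system_u:object_r:lib_t
/usr/local/lib(64)?(/.*)+.so(.[^/]*)* -- system_u:object_r:shlib_t
/var/run(/.*)?                           system_u:object_r:var_run_t
/var/run/courier(/.*)?                   system_u:object_r:courier_var_run_t
"""
# Same, with the literal dots escaped so '.' can no longer stand in for '/'.
ESCAPED = r"""
/lib(64)?(/.*)?                          system_u:object_r:lib_t
/lib(64)?/ld[^/]*\.so(\.[^/]*)*     --   system_u:object_r:ld_so_t
/lib(64)?/lib[^/]*\.so(\.[^/]*)*    --   system_u:object_r:shlib_t
/usr/local/lib(64)?(/.*)?                system_u:object_r:lib_t
/usr/local/lib(64)?/.*\.so(\.[^/]*)* --  system_u:object_r:shlib_t
/var/run(/.*)?                           system_u:object_r:var_run_t
/var/run/courier(/.*)?                   system_u:object_r:courier_var_run_t
"""
VARIANTS = {"original": ORIGINAL, "patched": PATCHED, "escaped": ESCAPED}

# Paths to probe (libfoo.so/README and courierd are hypothetical), with object class.
PROBES = [
    ("/usr/local/lib/xemacs/xemacs-packages/pkginfo/MANIFEST.sounds-au", "file"),
    ("/lib/libc-2.3.4.so", "file"),
    ("/lib/libc-2.3.4.so", "dir"),
    ("/lib/ld-linux.so.2", "file"),
    ("/lib/libfoo.so/README", "file"),
    ("/var/run/courierd", "file"),
]


def compare() -> dict:
    """(path, class) -> {variant: type} for every probe, like a dry-run setfiles."""
    return {(p, c): {v: lookup_type(t, p, c) for v, t in VARIANTS.items()}
            for p, c in PROBES}


if __name__ == "__main__":
    for (path, fclass), result in compare().items():
        print(f"{path} [{fclass}]")
        for variant, t in result.items():
            print(f"    {variant:9s} -> {t}")
```

Two results are worth noting. The MANIFEST path gets shlib_t under both the original and the patched entry in this model, because `(/.*)+` followed by an unescaped `.so` still finds the `.so` inside `.sounds`; only the escaped form leaves it at lib_t. And `/lib/libfoo.so/README` shows why `(.[^/]*)*` is not enough on its own: the unescaped `.` happily matches the `/`. The `--` flag is what keeps a directory called `libc-2.3.4.so` at lib_t in every variant.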