localpolicy.fc settings not always honoured

Ted Rule ejtr at layer3.co.uk
Tue Dec 13 23:22:27 UTC 2005


For a personal requirement, I was trying to tweak SELinux strict sources
policy so that the OpenOffice main binary had a non-default label, i.e.
"soffice_exec_t".

I found that despite setting the file_context override in
localpolicy.fc, a restorecon kept flipping the file_context
back to bin_t, implying that the loaded policy had ignored my
localpolicy settings.

I eventually found that the settings in distros.fc appeared to be
overriding whatever I did, provided it had a regex match for the file in
question. In other words, "restorecon" used the file_context as set by
the last matching regex in /etc/selinux/strict/contexts/files/file_contexts.

The implication is that the Makefile for the policy doesn't guarantee to
arrange things such that localpolicy.fc can always be
used to apply local policy overrides. I had always assumed this to be
the case.

On most occasions, localpolicy.fc will override. My problem here was
that distros.fc contains a "wilder" regex which happened to match the
file_context I was trying to tweak.

A grep of the relevant sections of localpolicy.fc and distros.fc is
shown below. I was finding that an override for this file:

/usr/lib/openoffice.org2.0/program/soffice

was matching this in distros.fc:

/usr/lib/.*/program(/.*)?


Could the Makefile be rearranged to ensure that local settings always
override the default policy, please?


Ted


Policy in use is:

selinux-policy-strict-sources-1.27.1-2.16


[root at workstation policy]# pwd
/etc/selinux/strict/src/policy

[root at workstation policy]#
[root at workstation policy]# grep program file_contexts/distros.fc
/usr/lib/.*/program(/.*)?                       system_u:object_r:bin_t
/usr/lib/.*/program/.*\.so.*                    system_u:object_r:shlib_t
/usr/lib/.*/program/libicudata\.so.*            --  system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libsts645li\.so             --  system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libvclplug_gen645li\.so     --  system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libwrp645li\.so             --  system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libswd680li\.so             --  system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/librecentfile\.so      --  system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libsvx680li\.so        --  system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so   --  system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libsoffice\.so         --  system_u:object_r:texrel_shlib_t
[root at workstation policy]#

[root at workstation policy]# grep program file_contexts/program/localpolicy.fc
#/usr/lib/openoffice.org2.0/program/libsoffice.so       --  system_u:object_r:texrel_shlib_t
/usr/lib/openoffice.org2.0/program/soffice      --  system_u:object_r:soffice_exec_t
/usr/lib/openoffice.org2.0/program/soffice.bin  --  system_u:object_r:soffice_exec_t
[root at workstation policy]#


[root at workstation files]# pwd
/etc/selinux/strict/contexts/files
[root at workstation files]# grep program file_contexts
# when the security policy is installed.  The setfiles program
# listed here anyway so that if the setfiles program is used on a running
# cvs program
#/usr/lib/openoffice.org2.0/program/libsoffice.so       --  system_u:object_r:texrel_shlib_t
/usr/lib/openoffice.org2.0/program/soffice      --  system_u:object_r:soffice_exec_t
/usr/lib/openoffice.org2.0/program/soffice.bin  --  system_u:object_r:soffice_exec_t
# rsync program
# sysstat and other sar programs
# Add programs here which should not be confined by SELinux
# Add programs here which should not be confined by SELinux
# uucico program
/usr/lib/.*/program(/.*)?                       system_u:object_r:bin_t
/usr/lib/.*/program/.*\.so.*                    system_u:object_r:shlib_t
/usr/lib/.*/program/libicudata\.so.*            --  system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libsts645li\.so             --  system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libvclplug_gen645li\.so     --  system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libwrp645li\.so             --  system_u:object_r:texrel_shlib_t
/usr/lib/.*/program/libswd680li\.so             --  system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/librecentfile\.so      --  system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libsvx680li\.so        --  system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so   --  system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libsoffice\.so         --  system_u:object_r:texrel_shlib_t
[root at workstation files]#




-- 
Ted Rule

Director, Layer3 Systems Ltd

W: http://www.layer3.co.uk/
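The post's diagnosis rests on one rule: every file_contexts entry is an anchored regex, and when more than one matches, the last matching entry in the compiled file decides the label. The following Python is an added illustration of that rule, not code from the post or from the SELinux project. It embeds the entries the post quoted from distros.fc and localpolicy.fc (the only sample data), builds the compiled file in both orders, and reports which entry wins and which entries were shadowed. The parser, the file-type table and the function names are this example's own assumptions; it ignores the stem-based sorting the real setfiles does and models only the ordering rule the post describes.

```python
"""Emulate file_contexts matching as the post describes it: each entry is an
anchored regex, and among all matching entries the LAST one in the file
decides the label. Sample entries are copied from the post; the parser,
names and type table below are this example's own (constructed)."""
import re
from typing import List, NamedTuple, Optional

# Optional second field of a file_contexts line restricts the entry to one
# file type ("--" = regular file, "-d" = directory, ...). Assumed subset.
FTYPE_CODES = {"--": "file", "-d": "dir", "-l": "symlink", "-b": "block",
               "-c": "char", "-s": "socket", "-p": "fifo"}


class FcEntry(NamedTuple):
    pattern: str
    ftype: Optional[str]    # "file", "dir", ... or None = any type
    context: str


def parse_file_contexts(text: str) -> List[FcEntry]:
    """Parse file_contexts syntax: REGEX [TYPE] CONTEXT; '#' lines and
    blank lines are skipped, order is preserved (it is what matters)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            pattern, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FTYPE_CODES:
            pattern, ftype, context = fields[0], FTYPE_CODES[fields[1]], fields[2]
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        entries.append(FcEntry(pattern, ftype, context))
    return entries


def matching_entries(entries: List[FcEntry], path: str,
                     ftype: str = "file") -> List[FcEntry]:
    """All entries whose regex matches the WHOLE path and whose type filter
    fits, in file order. The last element is the one that gets applied; the
    earlier ones are the entries it shadows."""
    return [e for e in entries
            if (e.ftype is None or e.ftype == ftype)
            and re.fullmatch(e.pattern, path)]


def lookup(entries: List[FcEntry], path: str,
           ftype: str = "file") -> Optional[str]:
    """Label the path the way the post observed restorecon doing it:
    last matching entry wins, None if nothing matches."""
    hits = matching_entries(entries, path, ftype)
    return hits[-1].context if hits else None


# Entries quoted in the post (trimmed to the ones relevant to soffice).
DISTROS_FC = r"""
/usr/lib/.*/program(/.*)?                       system_u:object_r:bin_t
/usr/lib/.*/program/.*\.so.*                    system_u:object_r:shlib_t
/usr/lib(64)?/.*/program/libsoffice\.so         --  system_u:object_r:texrel_shlib_t
"""
LOCALPOLICY_FC = r"""
/usr/lib/openoffice.org2.0/program/soffice      --  system_u:object_r:soffice_exec_t
/usr/lib/openoffice.org2.0/program/soffice.bin  --  system_u:object_r:soffice_exec_t
"""

SOFFICE = "/usr/lib/openoffice.org2.0/program/soffice"

# The order the post found in the compiled file_contexts: local entries
# first, so the wildcard bin_t entry from distros.fc comes later and wins.
LOCAL_FIRST = parse_file_contexts(LOCALPOLICY_FC + DISTROS_FC)
# The order that would honour the override: local entries appended last.
LOCAL_LAST = parse_file_contexts(DISTROS_FC + LOCALPOLICY_FC)


def explain(entries: List[FcEntry], path: str, ftype: str = "file") -> str:
    """Human-readable shadowing report for one path."""
    hits = matching_entries(entries, path, ftype)
    if not hits:
        return f"{path}: no matching entry"
    lines = [f"{path}: {len(hits)} matching entries, last wins -> {hits[-1].context}"]
    for e in hits[:-1]:
        lines.append(f"  shadowed: {e.pattern}  {e.context}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("compiled with local entries first (as observed):")
    print(explain(LOCAL_FIRST, SOFFICE))
    print("compiled with local entries last:")
    print(explain(LOCAL_LAST, SOFFICE))
```

Running the block shows the post's symptom directly: with the local entries compiled first, the path matches three entries and the last, `/usr/lib/.*/program(/.*)?`, hands it bin_t; with the local entries appended last, the same path resolves to soffice_exec_t and the wildcard is the one shadowed. The `explain` report is the check worth running whenever a restorecon "flips" a label back: it names the exact entry doing the overriding instead of leaving you to eyeball the compiled file.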



