selinux prelink avc's (broken paths in policy?)

Paul Howarth paul at city-fan.org
Wed May 24 17:35:08 UTC 2006


Stephen Smalley wrote:
> On Wed, 2006-05-24 at 18:04 +0100, Paul Howarth wrote:
>> I think the best policy, for the avoidance of confusion for people 
>> writing policy modules or calling semanage in rpm post-install scripts, 
>> is to encourage them to use strings that will sort as "more specific", 
>> i.e. avoid metacharacters if possible, and if not, use as long a stem as 
>> possible. This probably means having two separate entries for things 
>> that will go under /lib or /lib64, rather than the current idiom of 
>> /lib(64)?, which has a metacharacter very early in the string.
> 
> Yes, this would be desirable even in the base policy module.

Yes, and it explains why in the earlier thread "Re: unconfined_execmem_t 
for /usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java ?" we had 
/usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java labelled as bin_t 
rather than java_exec_t with the following file context entries in the 
base policy:

/usr/lib(.*/)?bin/java([^/]*)?     regular file    system_u:object_r:java_exec_t:s0
/usr/lib/jvm/java.*/bin/.*         all files       system_u:object_r:bin_t:s0

Paul.
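Added example, not part of Paul's post and not libselinux's or fc_sort's own code: a small Python model of the "more specific" ordering the thread describes, where the literal stem before the first regex metacharacter decides, with longer stems and metacharacter-free patterns ranking higher. The metacharacter set, the tie-breaks and the sample entries are assumptions; entries are written in file_contexts syntax (`--` = regular file, no type = all files) and the file type is ignored when matching.

```python
import re

# Characters that end the literal stem of a file_contexts regex (assumed set)
METACHARS = set(".^$?*+|[(){\\")

def stem(regex):
    """Literal prefix of a file_contexts regex, up to the first metacharacter."""
    for i, ch in enumerate(regex):
        if ch in METACHARS:
            return regex[:i]
    return regex

def parse_entry(line):
    """Parse 'regex [--] context' (file_contexts syntax; '--' = regular file)."""
    parts = line.split()
    ftype = parts[1] if len(parts) == 3 else None
    regex, context = parts[0], parts[-1]
    return {"regex": regex, "type": ftype, "context": context,
            "stem": stem(regex), "meta": stem(regex) != regex}

def specificity(entry):
    """Sort key modelling the thread's rule: longer stem wins, then a
    metacharacter-free pattern, then the longer pattern string (assumed)."""
    return (len(entry["stem"]), not entry["meta"], len(entry["regex"]))

def label(path, entries):
    """Context of the most specific entry matching path (file type ignored)."""
    matches = [e for e in entries if re.fullmatch(e["regex"], path)]
    return max(matches, key=specificity)["context"] if matches else None

# Constructed sample: the two base-policy entries from the thread plus the
# /lib(64)? idiom beside a module entry that spells out /lib64 in full.
ENTRIES = [parse_entry(l) for l in r"""
/usr/lib(.*/)?bin/java([^/]*)?   --  system_u:object_r:java_exec_t:s0
/usr/lib/jvm/java.*/bin/.*           system_u:object_r:bin_t:s0
/lib(64)?/libfoo\.so(\..*)?      --  system_u:object_r:lib_t:s0
/lib64/libfoo\.so                --  system_u:object_r:textrel_shlib_t:s0
""".strip().splitlines()]

JAVA = "/usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java"

if __name__ == "__main__":
    for e in sorted(ENTRIES, key=specificity):
        print(f"{len(e['stem']):3d} {e['regex']:32s} {e['context']}")
    print(JAVA, "->", label(JAVA, ENTRIES))          # bin_t, as in the thread
    print("/lib64/libfoo.so ->", label("/lib64/libfoo.so", ENTRIES))
```

The java binary lands on bin_t because the jvm entry's stem (/usr/lib/jvm/java) is longer than /usr/lib, and the spelled-out /lib64 entry beats the /lib(64)? idiom for the same reason.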