Nero for Linux & rpm initial labels

Tom London selinux at gmail.com
Sun Dec 12 17:01:36 UTC 2010


2010/12/12 Jorge Fábregas <jorge.fabregas at gmail.com>:
> Hi,
>
> I installed the latest "Nero for Linux" (version 4) and noticed that rpm
> labeled all files in /usr/lib/nero/lib* as textrel_shlib_t.  However, there's
> no reference to this path in file_contexts and when I do a restorecon of these
> files they get labeled as "lib_t" (as I would expect since there's no regex in
> file_contexts for these).
>
> I thought that what made rpm SELinux-aware was that it somehow consulted the
> file_contexts (or a library called by rpm) but this is not the case in the
> above example.  Is it that rpm has some hardcoded rules to label some files in
> /usr/lib/ as textrel_shlib_t regardless of what's in the file_contexts?
>
> BTW, I had to add some regular expressions to the local file_contexts in order
> to label some Nero libs as textrel_shlib_t for the ones located in
> /usr/lib/nero/plug-ins/lib* as I got many AVCs when using the program.
> There's one regex in file_contexts for Nero:
>
> /usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)*        --        system_u:object_r:textrel_shlib_t:s0
>
> ...but there are other libs in that directory (besides the MP3 one) that need
> textrel_shlib_t.  I didn't file a bug report as I'm on Fedora 12 (it reached
> its end of life). I'll check again if this happens when I install Fedora 14.
>
> Thanks,
> Jorge

rpms sometimes do 'ad-hoc' labeling, usually by inserting explicit
'chcon -t' commands in the 'post install' scripts.

You can see if that is the case by running 'rpm -q --scripts' on the
particular rpm.

tom
-- 
Tom London
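
The check suggested in the reply above, as an added example that is not part of the original thread: a shell function that scans `rpm -q --scripts` output for relabeling commands and reports which scriptlet runs them and which type they set. The sample scriptlet text and the /usr/lib/example paths are constructed for illustration and are not taken from the Nero package.

```shell
#!/bin/sh
# Added example (not from the thread): find SELinux relabeling commands in
# the scriptlet text that `rpm -q --scripts <package>` prints.

# Constructed sample of `rpm -q --scripts` output for a hypothetical package.
sample_scripts() {
    cat <<'EOF'
postinstall scriptlet (using /bin/sh):
/sbin/ldconfig
# chcon is used below because the policy has no entry for these libraries
chcon -t textrel_shlib_t /usr/lib/example/lib*.so 2>/dev/null || :
preuninstall scriptlet (using /bin/sh):
rm -f /var/cache/example/*
posttrans scriptlet (using /bin/sh):
    restorecon -R /usr/lib/example
EOF
}

# Reads scriptlet text on stdin; prints "scriptlet<TAB>type<TAB>command" for
# every line that invokes chcon, restorecon, setfiles or semanage.
# The type column is "-" when the command names no explicit type.
find_adhoc_labels() {
    awk '
        BEGIN { section = "unknown" }
        # Each scriptlet starts with a header such as
        # "postinstall scriptlet (using /bin/sh):"
        /^[a-z]+ scriptlet \(using [^)]*\):$/ { section = $1; next }
        # Shell comments are not executed, so skip them.
        /^[ \t]*#/ { next }
        /(^|[^A-Za-z0-9_])(chcon|restorecon|setfiles|semanage)([^A-Za-z0-9_]|$)/ {
            type = "-"
            for (i = 1; i <= NF; i++) {
                if ($i == "-t") type = $(i + 1)
                else if ($i ~ /^--type=/) type = substr($i, 8)
            }
            sub(/^[ \t]+/, "")
            printf "%s\t%s\t%s\n", section, type, $0
        }
    '
}

# Demonstration on the constructed sample.
sample_scripts | find_adhoc_labels
```

On a real system, pipe `rpm -q --scripts <package>` into `find_adhoc_labels`, then compare any reported type with the policy default shown by `matchpathcon <path>` or `restorecon -n -v <path>`.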