Bug 43329 - selinux policy does not allow file under opt to be relabeled more specifically
Summary: selinux policy does not allow file under opt to be relabeled more specifically
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Hardened Gentoo
Reported: 2004-02-29 15:35 UTC by Michael Ihde
Modified: 2004-02-29 15:43 UTC (History)
Description Michael Ihde 2004-02-29 15:35:22 UTC
When trying to add a new file context (for sun-jdk), the specific file context information was being ignored and all files under /opt were being labeled system_u:object_r:opt_t.

This is because the opt directory was labeled with programs/opt.fc, which was placed after java.fc in file_contexts. Therefore the last one takes precedence.

Reproducible: Always
Steps to Reproduce:
1.  Add a new file context that tries to relabel a subdirectory in opt
2.  make relabel
3.  ls -Z /opt

Actual Results:  
All subdirectories still are labeled opt_t

Expected Results:  
subdirectories should be labeled with more specific labeling that was specified
in my fc file.

The problem can be fixed by moving the contents of domains/programs/opt.te and
file_contexts/programs/opt.fc into types/file.te and file_contexts/types.fc
respectively.

More specifically add to file.te
   #
   # opt_t
   #
   type opt_t, file_type, root_dir_type, sysadmfile;

and add to types.fc

   #
   # /opt
   #
   /opt(/.*)?                              system_u:object_r:opt_t
   /opt/bin(/.*)?                          system_u:object_r:bin_t


Portage 2.0.50-r1 (selinux-x86-1.4, gcc-3.3.2, glibc-2.3.2-r9, 2.4.24-selinux-r2)
=================================================================
System uname: 2.4.24-selinux-r2 i686 Pentium III (Coppermine)
Gentoo Base System version 1.4.3.13
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.7.7
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -mcpu=i686 -fomit-frame-pointer"
CHOST="i386-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-O2 -mcpu=i686 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.oregonstate.edu
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="berkdb crypt java ncurses pam perl python readline selinux ssl tcpd x86 zlib"
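The ordering problem the report describes comes from how file_contexts is evaluated: setfiles and libselinux walk the specifications in reverse order, so the last entry whose regex matches the full path wins. The following is an added example (not Gentoo's policy nor the SELinux project's code) that models that lookup in a few lines of Python and runs it over two constructed file_contexts fragments, one with the opt entries concatenated after the java entries (the broken order from the report) and one with the opt entries first (the order you get after moving them into types.fc). The sun-jdk path, the java regex and the label java_exec_t are assumptions made up for the illustration; the opt_t and bin_t entries are the ones quoted in the report.

```python
"""Minimal model of SELinux file_contexts matching (added example).

setfiles/libselinux check specifications in reverse order and use the
last one that matches, so the relative position of two overlapping
regexes decides the label. Everything below is constructed for
illustration: the java.fc entry, the sun-jdk path and java_exec_t are
hypothetical, not taken from any real policy.
"""
import re
from typing import List, Optional, Tuple

# (compiled regex, optional file-type filter such as '--' or '-d', context)
Spec = Tuple["re.Pattern[str]", Optional[str], str]


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse lines of the form 'regex [-type] context'.

    '#' comments and blank lines are skipped. The regex is anchored to the
    whole path, as setfiles does. A context of <<none>> is kept verbatim
    and means 'do not relabel'.
    """
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, ctx = fields
        elif len(fields) == 2:
            (regex, ctx), ftype = fields, None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        specs.append((re.compile("^(?:" + regex + ")$"), ftype, ctx))
    return specs


def lookup(specs: List[Spec], path: str, ftype: str = "--") -> Optional[str]:
    """Return the context for path, or None if no spec matches.

    Iterating in reverse reproduces the 'last matching entry wins' rule.
    """
    for regex, spec_type, ctx in reversed(specs):
        if spec_type is not None and spec_type != ftype:
            continue
        if regex.match(path):
            return ctx
    return None


# Constructed fragment: java.fc concatenated BEFORE programs/opt.fc,
# which is the situation described in the report.
BROKEN_ORDER = """
# java.fc (hypothetical entry)
/opt/sun-jdk[^/]*(/.*)?                 system_u:object_r:java_exec_t
# programs/opt.fc, appended later in the concatenated file_contexts
/opt(/.*)?                              system_u:object_r:opt_t
/opt/bin(/.*)?                          system_u:object_r:bin_t
"""

# Constructed fragment: opt entries moved ahead (as in types.fc), so the
# more specific java entry is now the last match for the sun-jdk tree.
FIXED_ORDER = """
# types.fc
/opt(/.*)?                              system_u:object_r:opt_t
/opt/bin(/.*)?                          system_u:object_r:bin_t
# java.fc (hypothetical entry)
/opt/sun-jdk[^/]*(/.*)?                 system_u:object_r:java_exec_t
"""

SAMPLE_PATH = "/opt/sun-jdk-1.4.2/bin/java"  # constructed path


def label_under_both_orders(path: str = SAMPLE_PATH) -> Tuple[Optional[str], Optional[str]]:
    """Return (label with broken order, label with fixed order) for path."""
    return (lookup(parse_file_contexts(BROKEN_ORDER), path),
            lookup(parse_file_contexts(FIXED_ORDER), path))


if __name__ == "__main__":
    broken, fixed = label_under_both_orders()
    print(f"{SAMPLE_PATH}: opt.fc after java.fc -> {broken}")
    print(f"{SAMPLE_PATH}: opt.fc before java.fc -> {fixed}")
```

Running it shows the sun-jdk path labeled opt_t when the opt entries come last and java_exec_t once they come first, while /opt/bin stays bin_t in both orders because nothing later overlaps it. The same reversed walk is why refpolicy-style file_contexts always list the broad `/dir(/.*)?` entry before the narrower ones it should be overridden by.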
Comment 1 Chris PeBenito (RETIRED) gentoo-dev 2004-02-29 15:43:47 UTC
opt.te/fc is going to be removed, relabeling opt to usr_t.