Bug 55007 - selinux + /opt/*/lib/ + ldconfig_t != love
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All All
Importance: High normal
Assignee: Chris PeBenito (RETIRED)
Keywords: InVCS
Reported: 2004-06-24 06:06 UTC by petre rodan (RETIRED)
Modified: 2004-07-01 21:52 UTC
Description petre rodan (RETIRED) gentoo-dev 2004-06-24 06:06:00 UTC
Would you please consider labeling directories like /opt/blackdown-jdk-*/jre/lib/ with lib_t or similar?

extremelab resources # ldconfig
extremelab resources # nr
allow ldconfig_t usr_t:file { getattr read };
extremelab resources # dmesg
audit(1088082039.279:0): avc:  denied  { read } for  pid=17775 exe=/sbin/ldconfig name=libjsig.so dev=sda5 ino=550843 scontext=prodan:sysadm_r:ldconfig_t tcontext=system_u:object_r:usr_t tclass=file
audit(1088082039.279:0): avc:  denied  { getattr } for  pid=17775 exe=/sbin/ldconfig path=/opt/blackdown-jdk-1.4.1/jre/lib/i386/libjsig.so dev=sda5 ino=550843 scontext=prodan:sysadm_r:ldconfig_t tcontext=system_u:object_r:usr_t tclass=file
Comment 1 Chris PeBenito (RETIRED) gentoo-dev 2004-06-25 08:30:55 UTC
I had the Java stuff in a misc/.fc for desktops; I didn't realize there was server stuff that would need it. I'll make a file_contexts/misc/gentoo-opt.fc and move it there. In the meantime, this should work:

# blackdown jdk
/opt/blackdown-jdk-.*/bin(/.*)? system_u:object_r:bin_t
/opt/blackdown-jdk-.*/lib(/.*)? system_u:object_r:lib_t
/opt/blackdown-jdk-.*/man(/.*)? system_u:object_r:man_t
/opt/blackdown-jdk-.*/jre/bin(/.*)? system_u:object_r:bin_t
/opt/blackdown-jdk-.*/jre/lib(/.*)? system_u:object_r:lib_t
/opt/blackdown-jdk-.*/jre/lib/fonts(/.*)? system_u:object_r:fonts_t
/opt/blackdown-jdk-.*/jre/lib/locale(/.*)? system_u:object_r:locale_t
/opt/blackdown-jdk-.*/jre/lib/i386/.*\.so.* -- system_u:object_r:shlib_t
/opt/blackdown-jdk-.*/jre/plugin/.*/.*(/.*)? system_u:object_r:lib_t
/opt/blackdown-jdk-.*/jre/plugin/.*/.*/.*\.so.* -- system_u:object_r:shlib_t
Comment 2 Chris PeBenito (RETIRED) gentoo-dev 2004-07-01 21:52:52 UTC
In selinux-base-policy-20040629 (~x86 at the moment).
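
An added example (not part of the bug report or of Gentoo's policy sources): a small offline check that takes the getattr denial from the description and reports which type the denied path would receive under the file-context entries from Comment 1. The function names are hypothetical, and the matching semantics (whole-path regex match, last matching entry wins, `--` restricting an entry to regular files) are an assumption modelled on how setfiles reads file_contexts.

```python
import re
# Rules copied from Comment 1; AVC line copied from the description.
FILE_CONTEXTS = r"""
/opt/blackdown-jdk-.*/bin(/.*)? system_u:object_r:bin_t
/opt/blackdown-jdk-.*/lib(/.*)? system_u:object_r:lib_t
/opt/blackdown-jdk-.*/man(/.*)? system_u:object_r:man_t
/opt/blackdown-jdk-.*/jre/bin(/.*)? system_u:object_r:bin_t
/opt/blackdown-jdk-.*/jre/lib(/.*)? system_u:object_r:lib_t
/opt/blackdown-jdk-.*/jre/lib/fonts(/.*)? system_u:object_r:fonts_t
/opt/blackdown-jdk-.*/jre/lib/locale(/.*)? system_u:object_r:locale_t
/opt/blackdown-jdk-.*/jre/lib/i386/.*\.so.* -- system_u:object_r:shlib_t
/opt/blackdown-jdk-.*/jre/plugin/.*/.*(/.*)? system_u:object_r:lib_t
/opt/blackdown-jdk-.*/jre/plugin/.*/.*/.*\.so.* -- system_u:object_r:shlib_t
"""
AVC = ("audit(1088082039.279:0): avc:  denied  { getattr } for  pid=17775 "
       "exe=/sbin/ldconfig path=/opt/blackdown-jdk-1.4.1/jre/lib/i386/libjsig.so "
       "dev=sda5 ino=550843 scontext=prodan:sysadm_r:ldconfig_t "
       "tcontext=system_u:object_r:usr_t tclass=file")

def parse_fc(text):
    """Return (compiled regex, file-type flag or None, context) per entry."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        flag = fields[1] if len(fields) == 3 else None
        specs.append((re.compile(fields[0]), flag, fields[-1]))
    return specs

def lookup(specs, path, flag="--"):
    """Assumed semantics: whole-path match, last matching entry wins."""
    for rx, spec_flag, ctx in reversed(specs):
        if spec_flag in (None, flag) and rx.fullmatch(path):
            return ctx
    return None  # no entry in this rule set covers the path

def parse_avc(line):
    """Split an AVC denial into its permission list and key=value fields."""
    perms = re.search(r"\{ ([^}]*)\}", line).group(1).split()
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return perms, fields

def relabel_report(avc_line, specs):
    """(path, denied perms, current type, type under the proposed rules)."""
    perms, f = parse_avc(avc_line)
    new_ctx = lookup(specs, f["path"])
    return (f["path"], perms, f["tcontext"].split(":")[2],
            new_ctx.split(":")[2] if new_ctx else None)
```

On a live system the equivalent check is to relabel the tree and rerun ldconfig; this sketch only shows which entry would decide the label.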