| Summary: | openoffice gets improperly labelled (soffice.bin is labelled lib_t) | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | BDKoepke <bdkoepke> |
| Component: | Hardened | Assignee: | SE Linux Bugs <selinux> |
| Status: | RESOLVED FIXED | ||
| Severity: | critical | ||
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | AMD64 | ||
| OS: | Linux | ||

This may be an amd64-only problem; I had to change it to /usr/lib64 instead of /usr/lib, otherwise it didn't get labelled.

Closing old bugs. Should be fixed in newer policies; please open a new bug if this is not the case.

All the .bin files in /usr/lib/openoffice/program get improperly labelled as lib_t. This is a bug in the sec-policy/selinux-base-policy. I found the context that is supposed to take care of this:

```
/usr/lib/openoffice\.org.*/program/.+\.bin -- system_u:object_r:unconfined_execmem_exec_t
```

I'm guessing that in between openoffice releases, the directory was changed to /usr/lib/openoffice/program/*.bin. I'm not sure how to relabel all the .bin files (the asterisk didn't work), so I just entered all the .bin files manually. Ex:

```
/usr/lib/openoffice/program/soffice.bin -- system_u:object_r:unconfined_execmem_exec_t
```

I fixed this by editing the unconfined.fc line in refpolicy-20061114.tar.bz2.

Reproducible: Always

Steps to Reproduce:
1. Install openoffice
2. Attempt to run openoffice (will complain about improper binary format)
3. `ls --lcontext /usr/lib/openoffice/program | grep \.bin`

Actual Results: Openoffice failed with this avc message:

```
audit(1167320262.814:1427): avc: denied { execmem } for pid=22984 comm="soffice.bin" scontext=root:system_r:unconfined_t tcontext=root:system_r:unconfined_t tclass=process
```

Expected Results: Run soffice.bin labelled as unconfined_execmem_exec_t.
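
The mismatch described in this report can be checked offline. The following is an added example, not part of the original report or of the Gentoo policy: it treats file-context patterns as whole-path regular expressions (not shell globs) and shows which label each sample path receives. The `lib_t` catch-all entry, the glob-style line, the widened pattern and all sample paths are assumptions constructed for illustration.

```python
import re

LIB_T = "system_u:object_r:lib_t"
EXECMEM = "system_u:object_r:unconfined_execmem_exec_t"

# (regex, file type, label). Only the second ORIGINAL entry is quoted in the
# report; the lib_t catch-all, the glob-style line and the widened pattern are
# assumptions constructed for this illustration.
CATCH_ALL = (r"/usr/lib(64)?(/.*)?", "", LIB_T)
ORIGINAL = [CATCH_ALL,
            (r"/usr/lib/openoffice\.org.*/program/.+\.bin", "--", EXECMEM)]
GLOB_STYLE = [CATCH_ALL,
              (r"/usr/lib/openoffice/program/*.bin", "--", EXECMEM)]
WIDENED = [CATCH_ALL,
           (r"/usr/lib(64)?/openoffice(\.org.*)?/program/.+\.bin", "--", EXECMEM)]

# Constructed sample paths (all regular files).
PATHS = [
    "/usr/lib/openoffice.org2.0/program/soffice.bin",
    "/usr/lib/openoffice/program/soffice.bin",
    "/usr/lib64/openoffice/program/soffice.bin",
    "/usr/lib64/openoffice/program/libexample.so",
]


def label_for(path, entries, regular=True):
    """Label of the last entry whose whole-path regex matches, else None.

    Simplification: entries are assumed ordered least to most specific, so
    the last match wins; "--" entries apply to regular files only.
    """
    chosen = None
    for regex, ftype, label in entries:
        if ftype == "--" and not regular:
            continue
        if re.fullmatch(regex, path):
            chosen = label
    return chosen


if __name__ == "__main__":
    for name, entries in (("original", ORIGINAL), ("glob-style", GLOB_STYLE),
                          ("widened", WIDENED)):
        print(name)
        for path in PATHS:
            print(f"  {path} -> {label_for(path, entries)}")
```

On a live system, the label the loaded policy would assign can be compared against the label on disk with `matchpathcon` and `ls -Z`.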