
Bug 55007

Summary: selinux + /opt/*/lib/ + ldconfig_t != love
Product: Gentoo Linux
Reporter: petre rodan (RETIRED) <kaiowas>
Component: Hardened
Assignee: Chris PeBenito (RETIRED) <pebenito>
Status: RESOLVED TEST-REQUEST
Severity: normal
Keywords: InVCS
Priority: High
Version: 2004.1
Hardware: All
OS: All
Whiteboard:
Package list:
Runtime testing required: ---

Description petre rodan (RETIRED) gentoo-dev 2004-06-24 06:06:00 UTC
would you please consider labeling directories like /opt/blackdown-jdk-*/jre/lib/ with lib_t or similar?

extremelab resources # ldconfig
extremelab resources # nr
allow ldconfig_t usr_t:file { getattr read };
extremelab resources # dmesg
audit(1088082039.279:0): avc:  denied  { read } for  pid=17775 exe=/sbin/ldconfig name=libjsig.so dev=sda5 ino=550843 scontext=prodan:sysadm_r:ldconfig_t tcontext=system_u:object_r:usr_t tclass=file
audit(1088082039.279:0): avc:  denied  { getattr } for  pid=17775 exe=/sbin/ldconfig path=/opt/blackdown-jdk-1.4.1/jre/lib/i386/libjsig.so dev=sda5 ino=550843 scontext=prodan:sysadm_r:ldconfig_t tcontext=system_u:object_r:usr_t tclass=file
Comment 1 Chris PeBenito (RETIRED) gentoo-dev 2004-06-25 08:30:55 UTC
I had the java stuff in a misc/.fc for desktops, I didn't realize there was server stuff that would need it.  I'll make a file_contexts/misc/gentoo-opt.fc, and move it there.  In the meantime, this should work:

# blackdown jdk
/opt/blackdown-jdk-.*/bin(/.*)? system_u:object_r:bin_t
/opt/blackdown-jdk-.*/lib(/.*)? system_u:object_r:lib_t
/opt/blackdown-jdk-.*/man(/.*)? system_u:object_r:man_t
/opt/blackdown-jdk-.*/jre/bin(/.*)? system_u:object_r:bin_t
/opt/blackdown-jdk-.*/jre/lib(/.*)? system_u:object_r:lib_t
/opt/blackdown-jdk-.*/jre/lib/fonts(/.*)? system_u:object_r:fonts_t
/opt/blackdown-jdk-.*/jre/lib/locale(/.*)? system_u:object_r:locale_t
/opt/blackdown-jdk-.*/jre/lib/i386/.*\.so.* -- system_u:object_r:shlib_t
/opt/blackdown-jdk-.*/jre/plugin/.*/.*(/.*)? system_u:object_r:lib_t
/opt/blackdown-jdk-.*/jre/plugin/.*/.*/.*\.so.* -- system_u:object_r:shlib_t
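The file_contexts entries above and the AVC lines in the report can be checked against each other: for each denied path, which spec would apply and which type would it assign? The following Python script is an added example, not part of this bug report or of the Gentoo SELinux policy. It embeds the Comment 1 spec fragment and the two dmesg lines as constructed sample input, and applies the setfiles matching rules: a spec's regex must match the whole path, a third field such as `--` restricts the spec to one file class (regular file here), and when several specs match, the last one in the file wins. The names `Spec`, `parse_file_contexts`, `lookup_context`, `parse_avc` and `explain_denials` are this example's own.

```python
"""Match paths against SELinux file_contexts specs and explain AVC denials."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the file_contexts fragment from Comment 1 of this bug.
FILE_CONTEXTS = r"""
# blackdown jdk
/opt/blackdown-jdk-.*/bin(/.*)? system_u:object_r:bin_t
/opt/blackdown-jdk-.*/lib(/.*)? system_u:object_r:lib_t
/opt/blackdown-jdk-.*/man(/.*)? system_u:object_r:man_t
/opt/blackdown-jdk-.*/jre/bin(/.*)? system_u:object_r:bin_t
/opt/blackdown-jdk-.*/jre/lib(/.*)? system_u:object_r:lib_t
/opt/blackdown-jdk-.*/jre/lib/fonts(/.*)? system_u:object_r:fonts_t
/opt/blackdown-jdk-.*/jre/lib/locale(/.*)? system_u:object_r:locale_t
/opt/blackdown-jdk-.*/jre/lib/i386/.*\.so.* -- system_u:object_r:shlib_t
/opt/blackdown-jdk-.*/jre/plugin/.*/.*(/.*)? system_u:object_r:lib_t
/opt/blackdown-jdk-.*/jre/plugin/.*/.*/.*\.so.* -- system_u:object_r:shlib_t
"""

# Constructed sample: the two dmesg lines quoted in the bug description.
SAMPLE_DMESG = [
    "audit(1088082039.279:0): avc:  denied  { read } for  pid=17775 exe=/sbin/ldconfig "
    "name=libjsig.so dev=sda5 ino=550843 scontext=prodan:sysadm_r:ldconfig_t "
    "tcontext=system_u:object_r:usr_t tclass=file",
    "audit(1088082039.279:0): avc:  denied  { getattr } for  pid=17775 exe=/sbin/ldconfig "
    "path=/opt/blackdown-jdk-1.4.1/jre/lib/i386/libjsig.so dev=sda5 ino=550843 "
    "scontext=prodan:sysadm_r:ldconfig_t tcontext=system_u:object_r:usr_t tclass=file",
]

# file_contexts type-field codes mapped to the SELinux object class they select.
FTYPE_CLASS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
               "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}


@dataclass
class Spec:
    regex: "re.Pattern"
    ftype: Optional[str]   # None means the spec applies to every file class
    context: str


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse 'regex [type] context' lines, skipping blanks and comments."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            path_re, ftype, ctx = parts
        elif len(parts) == 2:
            (path_re, ctx), ftype = parts, None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        specs.append(Spec(re.compile(path_re), ftype, ctx))
    return specs


def lookup_context(specs: List[Spec], path: str, tclass: str = "file") -> Optional[str]:
    """Return the context of the last matching spec (setfiles: later entries win)."""
    for spec in reversed(specs):
        if spec.ftype is not None and FTYPE_CLASS.get(spec.ftype) != tclass:
            continue           # spec is restricted to a different object class
        if spec.regex.fullmatch(path):
            return spec.context
    return None                # no spec matches: the path would keep its current label


AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)")


def parse_avc(line: str) -> Optional[dict]:
    """Split one kernel AVC denial into its permissions and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    return rec


def explain_denials(lines: List[str], specs: List[Spec]) -> List[Tuple[str, str, Optional[str]]]:
    """For each denial that carries a full path, report (path, current type, type file_contexts assigns)."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if not rec or "path" not in rec:
            continue           # 'name=' only denials cannot be matched against a path regex
        current_type = rec["tcontext"].split(":")[2]
        wanted = lookup_context(specs, rec["path"], rec["tclass"])
        out.append((rec["path"], current_type, wanted.split(":")[2] if wanted else None))
    return out


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for path, have, want in explain_denials(SAMPLE_DMESG, specs):
        print(f"{path}: labeled {have}, file_contexts says {want} (run restorecon)")
```

The mismatch the script reports for libjsig.so (currently usr_t, should be shlib_t) is exactly what the reporter's denials show, and relabeling with the new specs removes the need for the broad `allow ldconfig_t usr_t:file { getattr read };` rule that audit2allow-style output would otherwise suggest. Note that the `--` on the `.so` specs matters: the same i386 directory itself still gets lib_t, since that spec is skipped for the dir class.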
Comment 2 Chris PeBenito (RETIRED) gentoo-dev 2004-07-01 21:52:52 UTC
in selinux-base-policy-20040629 (~x86 at the moment)