| Summary: | dev-util/android-studio: $DESTDIR/bin missing SELinux file contexts | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | gentoo-bugzilla |
| Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
| Status: | CONFIRMED --- | ||
| Severity: | normal | CC: | gentoo-bugzilla, nvraxn, selinux |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=949821 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Attachments: | ls -laZ $DESTDIR/bin/ | ||
> I have noticed there are currently, some missing context for launcher script, bin/studio-safe.sh; and bin/studio (native(SEE Also #949821)) This is a policy issue, a filecon spec is needed for those. I'll send a pr upstream and it should get merged before the next policy release. > I would ask the package maintainers to consider adding the proper selinux's context to the bin folder Missing filecon specs are *not* the responsibility of package maintainers - this is the job of policy developers, so the matter at hand here is of policy not packaging. See the `sec-policy/selinux-android` package for more details. > While there are probably a lot more files that should have their SELinux contexts reviewed and set, that starts getting into the can of worms of how everyone wants their IDE to respond in a SELinux environment, a vastly complicated and subjective topic. Not sure what type it should be yet, I'll investigate and see what's appropriate. > I would ask the basic core functionality, at-least, is brought more in line with what is expected upstream, as each update requires a bit of user intervention, to get a more vanilla?? environment I'm not sure what you mean by "upstream" or "vanilla" here. Gentoo's SELinux policy upstream is SELinux Project's reference policy, which does *not* provide an android policy module. The android policy module is located in the `contrib` modules section, so is expected to be of lower quality as it is not officially maintained by the upstream SELinux Project. Regardless, for now you use `semanage` to correct the types: semanage fcontext -a -t android_java_exec_t "/opt/android-studio/bin/studio-safe.sh" along with any other files and types you want to add a filecon spec for. After that, relabel the entire directory: restorecon -RFv /opt/android-studio/bin I should also add the filecon specs for the android policy module are located here: https://github.com/gentoo/hardened-refpolicy/blob/master/policy/modules/contrib/android.fc |
Created attachment 919014 [details] ls -laZ $DESTDIR/bin/ I have noticed there are currently, some missing context for launcher script, bin/studio-safe.sh; and bin/studio (native(SEE Also #949821)) I would ask the package maintainers to consider adding the proper selinux's context to the bin folder While there are probably a lot more files that should have their SELinux contexts reviewed and set, that starts getting into the can of worms of how everyone wants their IDE to respond in a SELinux environment, a vastly complicated and subjective topic. I would ask the basic core functionality, at-least, is brought more in line with what is expected upstream, as each update requires a bit of user intervention, to get a more vanilla?? environment