OK.. Maybe 3rd time's the charm ;) Running Fedora Core as of last night-ish -devel tree, and installing selinux-policy-strict-1.13.2-4.

Spotted while doing the relabelling (I knew there was a reason I try to remember to run it with '-v' ;):

/usr/sbin/setfiles: relabeling /usr/local/lib/xemacs/xemacs-packages/pkginfo/MANIFEST.sounds-au from root:object_r:lib_t to system_u:object_r:shlib_t
/usr/sbin/setfiles: relabeling /usr/local/lib/xemacs/xemacs-packages/pkginfo/MANIFEST.sounds-wav from root:object_r:lib_t to system_u:object_r:shlib_t

Looks like a runaway glob on '.*\.so'... Whoops. ;)

First, the good news.. ;) Some grepping through file_contexts/file_contexts indicates that of the 553 uses of a .* glob, almost all are using it to indicate "to end of filename" with either "/some/path.*" (197 usages) or "/some/path(/.*)?" (313 usages). (Somebody else can audit these 510 to determine if The Other Flavor should have been specified to handle the case of a file called "/some/path-foo" ;)

Now, the bad news.. There's 43 cases of "neither of the above" ;) To find the rest:

grep '\.\*' file_contexts/file_contexts | egrep -v '\(\/\.\*\)\?[[:space:]]|\.\*[[:space:]]'

These 4 mystified me - why "(.*)?" instead of ".*" or "(/.*)?"

/var/run/courier(.*)? system_u:object_r:courier_var_run_t
/usr/lib(64)?/cyrus-imapd/(.*)? -- system_u:object_r:bin_t
/var/www/lrrd(.*)? system_u:object_r:lrrd_var_lib_t
/usr/X11R6/lib(64)?/xscreensaver(.*)? system_u:object_r:bin_t

I suspect that all 4 were intended to be of the form "foo(/.*)?" - anybody know for sure?

Also, anybody know where these come from?

/lib(64)?/lvm-10(/.*) system_u:object_r:lvm_exec_t
/lib(64)?/lvm-200(/.*) system_u:object_r:lvm_exec_t

(I have some /lib/liblvm-10* files, but not /lib/lvm-* - is that from a non-Fedora system?
I'm not seeing a /lib/lvm-* file in either the lvm or lvm2 Fedora RPMs)

Now, some more good news - close to half the remaining 43 are from types.fc handling of ld_so_t and shlib_t - patch to clean those up attached. ;)

Please double-check - I've verified that this patch doesn't unintentionally relabel anything on my system, and does avoid mislabeling the two xemacs files, but there very well might be things that intend to use .* to greedily swallow across a / character for the types I changed.. if it's too drastic, probably 95% of the benefit could be gained by just changing all the \.so.* to be \.so(\.[^/]*)* instead...

As an aside, I *tried* to do this against a current Fedora:

for i in *.rpm; do rpm -qpl $i >> /tmp/allfiles; done
sort -u /tmp/allfiles | /usr/sbin/setfiles -v -d -n -s file_contexts/file_contexts

but that just throws a lot of "File not found" for any files in RPMs that aren't on my system. Could we have a -t (for "test") flag that reports "What would the file context be set to if the file existed?" that skips statting the file? It would make automated regression testing of this sort of thing a lot easier.

--- file_contexts/types.fc.dist 2004-06-01 21:09:03.000000000 -0400 +++ file_contexts/types.fc 2004-06-03 00:20:41.899373306 -0400 @@ -85,8 +85,8 @@ /var/ftp/bin(/.*)? system_u:object_r:bin_t /var/ftp/bin/ls -- system_u:object_r:ls_exec_t /var/ftp/lib(64)?(/.*)? system_u:object_r:lib_t -/var/ftp/lib(64)?/ld.*\.so.* -- system_u:object_r:ld_so_t -/var/ftp/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t +/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t +/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t /var/ftp/etc(/.*)? system_u:object_r:etc_t #
@@ -258,13 +258,13 @@ # /lib(64)? # /lib(64)?(/.*)? system_u:object_r:lib_t -/lib(64)?/ld.*\.so.* -- system_u:object_r:ld_so_t -/lib(64)?/tls/ld.*\.so.* -- system_u:object_r:ld_so_t -/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t -/lib(64)?/[^/]*/lib.*\.so.* -- system_u:object_r:shlib_t -/lib(64)?/devfsd/.*\.so.* -- system_u:object_r:shlib_t -/lib(64)?/security/.*\.so.* -- system_u:object_r:shlib_t -/lib(64)?/tls/i686/cmov/.*\.so.* -- system_u:object_r:shlib_t +/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t +/lib(64)?/tls/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t +/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/lib(64)?/[^/]*/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/lib(64)?/devfsd/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/lib(64)?/security/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t +/lib(64)?/tls/i686/cmov/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t # # /sbin @@ -299,9 +299,9 @@ # /usr/lib(64)? # /usr/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t +/usr/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t /usr/lib(64)?/python.*\.so -- system_u:object_r:shlib_t -/usr/lib(64)?/.*/lib[^/]*\.so.* -- system_u:object_r:shlib_t +/usr/lib(64)?/.*/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t /usr/lib(64)?/.*/.*\.so -- system_u:object_r:shlib_t /usr/lib(64)?/autofs/.*\.so -- system_u:object_r:shlib_t /usr/lib(64)?/perl5/man(/.*)? system_u:object_r:man_t 
@@ -316,21 +316,21 @@ # /usr/.*glibc.*-linux/lib(64)? # /usr/.*glibc.*-linux/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/.*glibc.*-linux/lib(64)?/ld.*\.so.* system_u:object_r:ld_so_t -/usr/.*glibc.*-linux/lib(64)?/lib.*\.so.* system_u:object_r:shlib_t +/usr/.*glibc.*-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t +/usr/.*glibc.*-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)* system_u:object_r:shlib_t # /usr/.*redhat-linux/lib(64)? # /usr/.*redhat-linux/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/.*redhat-linux/lib(64)?/ld.*\.so.* system_u:object_r:ld_so_t -/usr/.*redhat-linux/lib(64)?/lib.*\.so.* system_u:object_r:shlib_t +/usr/.*redhat-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t +/usr/.*redhat-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)* system_u:object_r:shlib_t # # /usr/.*linux-libc.*/lib(64)? # /usr/.*linux-libc.*/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/.*linux-libc.*/lib(64)?/ld.*\.so.* system_u:object_r:ld_so_t -/usr/.*linux-libc.*/lib(64)?/lib.*\.so.* system_u:object_r:shlib_t +/usr/.*linux-libc.*/lib(64)?/ld[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t +/usr/.*linux-libc.*/lib(64)?/lib[^/]*\.so(\.[^/]*)* system_u:object_r:shlib_t # # /usr/local @@ -349,7 +349,7 @@ # /usr/local/lib(64)? # /usr/local/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/local/lib(64)?/.*\.so.* -- system_u:object_r:shlib_t +/usr/local/lib(64)?(/.*)+\.so(\.[^/]*)* -- system_u:object_r:shlib_t # # /usr/sbin @@ -365,7 +365,7 @@ # /usr/X11R6/(.*/)?lib(64)? # /usr/X11R6/(.*/)?lib(64)?(/.*)? system_u:object_r:lib_t -/usr/X11R6/(.*/)?lib(64)?/.*\.so.* -- system_u:object_r:shlib_t +/usr/X11R6/(.*/)?lib(64)?(/.*)+\.so(\.[^/]*)* -- system_u:object_r:shlib_t # # /usr/X11R6/man 
@@ -378,7 +378,7 @@ /usr/kerberos/bin(/.*)? system_u:object_r:bin_t /usr/kerberos/sbin(/.*)? system_u:object_r:sbin_t /usr/kerberos/lib(64)?(/.*)? system_u:object_r:lib_t -/usr/kerberos/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t +/usr/kerberos/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t # # Fonts dir @@ -459,7 +459,7 @@ # /usr/java/j2sdk.*/bin(/.*)? system_u:object_r:bin_t /usr/java/j2sdk.*/jre/lib(64)?/i386(/.*)? system_u:object_r:lib_t -/usr/java/j2re1.*/plugin/i386(/.*)?/lib.*\.so.* -- system_u:object_r:shlib_t +/usr/java/j2re1.*/plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t # # The krb5.conf file is always being tested for writability, so
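Review bot: in the @@ -85 hunk (/var/ftp/lib(64)?) and every later hunk that reuses it, the new tail \.so(\.[^/]*)* accepts any run of dotted suffixes after ".so", so libfoo.so.1.2 is labelled as intended but a stray libfoo.so.bak or libfoo.so.orig in the same directory also gets shlib_t/ld_so_t. That is no worse than the old \.so.* tail, so it is not a regression, but if it matters a numeric-only tail such as \.so(\.[0-9]+)* would be tighter, at the cost of missing the few libraries whose soname suffix is not purely numeric.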
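Review bot: in the @@ -258 hunk the /lib(64)?/devfsd/, /lib(64)?/security/ and /lib(64)?/tls/i686/cmov/ specs go from .*\.so.* to [^/]*\.so(\.[^/]*)*, which means a .so one directory further down now falls back to the catch-all /lib(64)?(/.*)? lib_t. The cover text raises this risk in general terms, but these three are where it bites hardest, because the other specs in the hunk were already constrained by a literal ld or lib component. If subdirectories are meant to stay covered, /lib(64)?/security(/.*)?/[^/]*\.so(\.[^/]*)* keeps them without reintroducing the runaway match on the filename itself.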
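Review bot: in the @@ -299 hunk, /usr/lib(64)?/.*/lib[^/]*\.so(\.[^/]*)* now accepts versioned names, while the untouched neighbours /usr/lib(64)?/python.*\.so, /usr/lib(64)?/.*/.*\.so and /usr/lib(64)?/autofs/.*\.so still require the name to end in exactly ".so". Those three are not runaway globs (the trailing \.so anchor keeps them from swallowing arbitrary suffixes), but a foo.so.1 under one of those directories gets lib_t rather than shlib_t, so either say in the change description that this is intended or give them the same tail.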
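Review bot: the six ld_so_t/shlib_t specs in the @@ -316 hunk (/usr/.*glibc.*-linux, /usr/.*redhat-linux and /usr/.*linux-libc.*) are the only ones in this patch written without the -- type field, so they apply to directories and symlinks as well as regular files, unlike the /lib(64)? equivalents in the @@ -258 hunk. Since the lines are being rewritten anyway, adding -- would make them consistent; if the omission is deliberate, a comment saying so would save the next reader the same question.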
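Review bot: in the @@ -349 and @@ -365 hunks, (/.*)+ is equivalent to /.* because .* already matches "/", so the extra group and + add nothing but a nested quantifier that regex engines can backtrack over heavily on long non-matching paths. /usr/local/lib(64)?/.*\.so(\.[^/]*)* and /usr/X11R6/(.*/)?lib(64)?/.*\.so(\.[^/]*)* express the same match. Note that, unlike the /lib(64)? hunks, these two intentionally keep matching .so files at any depth; the two xemacs MANIFEST files are excluded only because what follows ".so" in "MANIFEST.sounds-au" does not start with a dot.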
Attachment:
pgpJFVWBAjRe8.pgp
Description: PGP signature
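A checker of the kind the message asks for (the hypothetical "-t" flag), written here as an added example and not code from this mail or from the SELinux policy or setfiles sources: it parses a handful of file_contexts lines, applies them to a list of pathnames without stat()ing anything, and prints what each path would be labelled under the original '.*\.so.*' specs and under the patched forms. The spec subsets, the sample paths other than the two xemacs MANIFEST files, and the "last matching spec wins" rule are my own constructions and approximations.

```python
import re
from collections import namedtuple

# Added example (not code from the mail or the SELinux policy tree): a minimal,
# offline re-implementation of the file_contexts regex lookup that setfiles
# performs, so the original '.*\.so.*' specs can be compared with the patched
# forms without relabelling anything.  Assumptions, all mine:
#   - the specs are POSIX EREs; Python's re module treats the constructs used
#     here ((64)?, [^/]*, \., (/.*)?) the same way,
#   - every regex is anchored to the whole pathname (^...$), as setfiles does,
#   - when several specs match, the last one listed wins (an approximation of
#     the setfiles ordering rules, adequate for these small subsets),
#   - the optional middle field ('--' regular file, '-d' directory, ...) is
#     checked against a file type supplied by the caller instead of stat()ing
#     the path, which is the "what would the context be" behaviour asked for.

Spec = namedtuple("Spec", "regex ftype context")


def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, file type or None, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            regex, context = fields
            ftype = None                    # no type field: applies to any file type
        else:
            raise ValueError("malformed file_contexts line: %r" % raw)
        specs.append(Spec(re.compile("^" + regex + "$"), ftype, context))
    return specs


def lookup(specs, path, ftype="--"):
    """Context the path would receive, or None if no spec matches."""
    winner = None
    for spec in specs:
        if spec.ftype is not None and spec.ftype != ftype:
            continue                        # spec restricted to another file type
        if spec.regex.match(path):
            winner = spec.context           # last matching spec wins
    return winner


def label_table(fc_text, paths, ftype="--"):
    """Map each path to the context fc_text would assign it."""
    specs = parse_file_contexts(fc_text)
    return {p: lookup(specs, p, ftype) for p in paths}


# Constructed subsets of types.fc: the '.*\.so.*' specs as shipped, and the same
# specs as rewritten in the patch.
OLD_FC = r"""
/lib(64)?(/.*)?                              system_u:object_r:lib_t
/lib(64)?/ld.*\.so.*                      -- system_u:object_r:ld_so_t
/lib(64)?/lib.*\.so.*                     -- system_u:object_r:shlib_t
/usr/local/lib(64)?(/.*)?                    system_u:object_r:lib_t
/usr/local/lib(64)?/.*\.so.*              -- system_u:object_r:shlib_t
"""

NEW_FC = r"""
/lib(64)?(/.*)?                              system_u:object_r:lib_t
/lib(64)?/ld[^/]*\.so(\.[^/]*)*           -- system_u:object_r:ld_so_t
/lib(64)?/lib[^/]*\.so(\.[^/]*)*          -- system_u:object_r:shlib_t
/usr/local/lib(64)?(/.*)?                    system_u:object_r:lib_t
/usr/local/lib(64)?(/.*)+\.so(\.[^/]*)*   -- system_u:object_r:shlib_t
"""

# Constructed sample paths: the two xemacs files from the mail plus a few
# hypothetical names chosen to probe the edges of the patterns.
SAMPLE_PATHS = [
    "/usr/local/lib/xemacs/xemacs-packages/pkginfo/MANIFEST.sounds-au",
    "/usr/local/lib/xemacs/xemacs-packages/pkginfo/MANIFEST.sounds-wav",
    "/usr/local/lib/xemacs/modules/canna_api.so",   # real .so in a subdirectory
    "/usr/local/lib/libfoo.so.1.2",                 # versioned shared library
    "/lib/ld-linux.so.2",
    "/lib/libc-2.3.2.so",
    "/lib/libfoo.sources",                          # '.so' buried inside another word
]

if __name__ == "__main__":
    before = label_table(OLD_FC, SAMPLE_PATHS)
    after = label_table(NEW_FC, SAMPLE_PATHS)
    for p in SAMPLE_PATHS:
        mark = "  <-- changes" if before[p] != after[p] else ""
        print("%-68s %-28s %-28s%s" % (p, before[p], after[p], mark))
    # A directory that happens to be named *.so never becomes shlib_t: the '--'
    # field restricts those specs to regular files.
    print(lookup(parse_file_contexts(NEW_FC), "/usr/local/lib/foo.so", ftype="-d"))
```

Feeding it the sorted output of rpm -qpl instead of SAMPLE_PATHS gives the regression check the mail describes: every path whose context differs between the two spec sets is printed with a marker, whether or not the file exists on the machine running the check.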