For a personal requirement, I was trying to tweak the SELinux strict sources policy so that the OpenOffice main binary had a non-default label, i.e. "soffice_exec_t".

I found that despite setting the file_context override in localpolicy.fc, a restorecon kept flipping the file_context back to bin_t, implying that the loaded policy had ignored my localpolicy settings.

I eventually found that the settings in distros.fc appeared to be overriding whatever I did, provided it had a regex match for the file in question. In other words, "restorecon" used the file_context as set by the last matching regex in /etc/selinux/strict/contexts/files/file_contexts.

The implication is that the Makefile for the policy doesn't guarantee to arrange things such that localpolicy.fc can always be used to apply local policy overrides. I had always assumed this to be the case. On most occasions, localpolicy.fc will override. My problem here was that distros.fc contains a "wilder" regex which happened to match the file_context I was trying to tweak.

A grep of the relevant sections of localpolicy.fc and distros.fc is shown below. I was finding that an override for this file:

    /usr/lib/openoffice.org2.0/program/soffice

was matching this in distros.fc:

    /usr/lib/.*/program(/.*)?

Could the Makefile be rearranged to ensure that local settings always override the default policy, please?

Ted

Policy in use is: selinux-policy-strict-sources-1.27.1-2.16

    [root@workstation policy]# pwd
    /etc/selinux/strict/src/policy
    [root@workstation policy]#
    [root@workstation policy]# grep program file_contexts/distros.fc
    /usr/lib/.*/program(/.*)?                         system_u:object_r:bin_t
    /usr/lib/.*/program/.*\.so.*                      system_u:object_r:shlib_t
    /usr/lib/.*/program/libicudata\.so.*          --  system_u:object_r:texrel_shlib_t
    /usr/lib/.*/program/libsts645li\.so           --  system_u:object_r:texrel_shlib_t
    /usr/lib/.*/program/libvclplug_gen645li\.so   --  system_u:object_r:texrel_shlib_t
    /usr/lib/.*/program/libwrp645li\.so           --  system_u:object_r:texrel_shlib_t
    /usr/lib/.*/program/libswd680li\.so           --  system_u:object_r:texrel_shlib_t
    /usr/lib(64)?/.*/program/librecentfile\.so    --  system_u:object_r:texrel_shlib_t
    /usr/lib(64)?/.*/program/libsvx680li\.so      --  system_u:object_r:texrel_shlib_t
    /usr/lib(64)?/.*/program/libcomphelp4gcc3\.so --  system_u:object_r:texrel_shlib_t
    /usr/lib(64)?/.*/program/libsoffice\.so       --  system_u:object_r:texrel_shlib_t
    [root@workstation policy]#
    [root@workstation policy]# grep program file_contexts/program/localpolicy.fc
    #/usr/lib/openoffice.org2.0/program/libsoffice.so  --  system_u:object_r:texrel_shlib_t
    /usr/lib/openoffice.org2.0/program/soffice         --  system_u:object_r:soffice_exec_t
    /usr/lib/openoffice.org2.0/program/soffice.bin     --  system_u:object_r:soffice_exec_t
    [root@workstation policy]#

    [root@workstation files]# pwd
    /etc/selinux/strict/contexts/files
    [root@workstation files]# grep program file_contexts
    # when the security policy is installed. The setfiles program
    # listed here anyway so that if the setfiles program is used on a running
    # cvs program
    #/usr/lib/openoffice.org2.0/program/libsoffice.so  --  system_u:object_r:texrel_shlib_t
    /usr/lib/openoffice.org2.0/program/soffice         --  system_u:object_r:soffice_exec_t
    /usr/lib/openoffice.org2.0/program/soffice.bin     --  system_u:object_r:soffice_exec_t
    # rsync program
    # sysstat and other sar programs
    # Add programs here which should not be confined by SELinux
    # Add programs here which should not be confined by SELinux
    # uucico program
    /usr/lib/.*/program(/.*)?                         system_u:object_r:bin_t
    /usr/lib/.*/program/.*\.so.*                      system_u:object_r:shlib_t
    /usr/lib/.*/program/libicudata\.so.*          --  system_u:object_r:texrel_shlib_t
    /usr/lib/.*/program/libsts645li\.so           --  system_u:object_r:texrel_shlib_t
    /usr/lib/.*/program/libvclplug_gen645li\.so   --  system_u:object_r:texrel_shlib_t
    /usr/lib/.*/program/libwrp645li\.so           --  system_u:object_r:texrel_shlib_t
    /usr/lib/.*/program/libswd680li\.so           --  system_u:object_r:texrel_shlib_t
    /usr/lib(64)?/.*/program/librecentfile\.so    --  system_u:object_r:texrel_shlib_t
    /usr/lib(64)?/.*/program/libsvx680li\.so      --  system_u:object_r:texrel_shlib_t
    /usr/lib(64)?/.*/program/libcomphelp4gcc3\.so --  system_u:object_r:texrel_shlib_t
    /usr/lib(64)?/.*/program/libsoffice\.so       --  system_u:object_r:texrel_shlib_t
    [root@workstation files]#

-- 
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/

-- 
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
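The matching rule the post ran into, modelled in a small Python script. This is an added example, not code from the post or from the selinux-policy package: it parses a constructed file_contexts excerpt (only the entries quoted above that matter for the soffice binary, reproduced in the order they appear in the installed file) and applies the "last matching entry wins" rule the post observed for setfiles/restorecon, including the optional object-class field ("--", "-d", "-l", ...) that limits an entry to one file type. The function and constant names are this example's own.

```python
import re

# Optional second field of a file_contexts entry: restricts the entry to one
# object class. A two-field entry applies to every class.
FILE_TYPES = {"--": "regular file", "-d": "directory", "-l": "symlink",
              "-c": "char device", "-b": "block device", "-s": "socket",
              "-p": "fifo"}


def parse_file_contexts(text):
    """Parse file_contexts text into (lineno, pattern, ftype, context) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FILE_TYPES:
            regex, ftype, context = fields
        else:
            raise ValueError(f"line {lineno}: malformed file_contexts entry: {raw!r}")
        entries.append((lineno, re.compile(regex), ftype, context))
    return entries


def match_context(entries, path, ftype="--"):
    """Return (lineno, context) for PATH, or None if no entry matches.

    Rule modelled here, as the post observed with setfiles/restorecon: every
    entry is tried in file order and the LAST one that matches wins. setfiles
    anchors each regex at both ends, hence fullmatch() rather than search().
    """
    winner = None
    for lineno, pattern, etype, context in entries:
        if etype is not None and etype != ftype:
            continue                      # entry restricted to another object class
        if pattern.fullmatch(path):
            winner = (lineno, context)    # keep going: a later match overrides
    return winner


def label_for(entries, path, ftype="--"):
    hit = match_context(entries, path, ftype)
    return None if hit is None else hit[1]


# Constructed excerpts of the two fragments quoted in the post.
LOCALPOLICY_FC = r"""
/usr/lib/openoffice.org2.0/program/soffice      --  system_u:object_r:soffice_exec_t
/usr/lib/openoffice.org2.0/program/soffice.bin  --  system_u:object_r:soffice_exec_t
"""

DISTROS_FC = r"""
/usr/lib/.*/program(/.*)?                           system_u:object_r:bin_t
/usr/lib/.*/program/.*\.so.*                        system_u:object_r:shlib_t
/usr/lib(64)?/.*/program/libsoffice\.so         --  system_u:object_r:texrel_shlib_t
"""

# The installed file quoted in the post has the localpolicy entries BEFORE the
# distros entries, so the wide distros regex is the last match for soffice.
AS_INSTALLED = parse_file_contexts(LOCALPOLICY_FC + DISTROS_FC)

# What the requested Makefile change amounts to: local overrides appended last.
LOCAL_LAST = parse_file_contexts(DISTROS_FC + LOCALPOLICY_FC)

if __name__ == "__main__":
    soffice = "/usr/lib/openoffice.org2.0/program/soffice"
    for name, entries in (("as installed", AS_INSTALLED), ("local last", LOCAL_LAST)):
        lineno, ctx = match_context(entries, soffice)
        print(f"{name:13s} {soffice} -> {ctx}  (entry {lineno})")
```

Run as a script it prints bin_t for the "as installed" ordering and soffice_exec_t once the localpolicy entries come last, which is exactly the flip restorecon was producing. Querying the same library path as a symlink ("-l") shows why the "--" field matters: the texrel_shlib_t entry is skipped and the untyped shlib_t entry wins instead. Later refpolicy builds sort file_contexts by specificity (the fc_sort step) and current libselinux sorts entries on load, so on a modern system the more specific soffice entry wins regardless of file order; the model above reproduces the order-dependent behaviour of the 1.27 policy the post was using.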