Stephen Smalley wrote:
On Wed, 2006-05-24 at 18:04 +0100, Paul Howarth wrote:
I think the best policy, for the avoidance of confusion for people
writing policy modules or calling semanage in rpm post-install scripts,
is to encourage them to use strings that will sort as "more specific",
i.e. avoid metacharacters if possible, and if not, use as long a stem as
possible. This probably means having two separate entries for things
that will go under /lib or /lib64, rather than the current idiom of
/lib(64)?, which has a metacharacter very early in the string.
Yes, this would be desirable even in the base policy module.
Yes, and it explains why in the earlier thread "Re: unconfined_execmem_t
for /usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java ?" we had
/usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java labelled as bin_t
rather than java_exec_t with the following file context entries in the
base policy:
/usr/lib(.*/)?bin/java([^/]*)? regular file
system_u:object_r:java_exec_t:s0
/usr/lib/jvm/java.*/bin/.* all files
system_u:object_r:bin_t:s0
Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
