https://nixos.org/
The NixOS distribution of Linux is based on having hashes of packages in the
path names.
/nix/store/l2b7y9waqwp4i1f03899yfsmzk8i7rid-shadow-4.5/bin/usermod
/nix/store/l2b7y9waqwp4i1f03899yfsmzk8i7rid-shadow-4.5/bin/vipw
/nix/store/lvrxkcf4b398nyiayknsqr44p8pl51s9-drbd-8.4.4/bin/drbdadm
/nix/store/lvrxkcf4b398nyiayknsqr44p8pl51s9-drbd-8.4.4/bin/drbdsetup
/nix/store/mzxhj1cxrhbqvsga4155xhw44iigwxxs-shadow-4.5-su/bin/su
/nix/store/n3d4l234fppvz40jjyqlxa1jxglzbs48-xen-4.8.2/bin/xenconsoled
/nix/store/n3d4l234fppvz40jjyqlxa1jxglzbs48-xen-4.8.2/bin/xenstored
/nix/store/n3d4l234fppvz40jjyqlxa1jxglzbs48-xen-4.8.2/bin/xl
/nix/store/n419slr5x6h4ydk2dd56nkwki7qpkf6v-fuse-2.9.7/bin/fusermount
/nix/store/n419slr5x6h4ydk2dd56nkwki7qpkf6v-fuse-2.9.7/bin/mount.fuse
/nix/store/pc4j7b2bvac49qmjllhw9rk0fnbr86fs-libvirt-3.10.0/bin/libvirtd
/nix/store/pc4j7b2bvac49qmjllhw9rk0fnbr86fs-libvirt-3.10.0/bin/virsh
/nix/store/pc4j7b2bvac49qmjllhw9rk0fnbr86fs-libvirt-3.10.0/bin/virtlockd
/nix/store/pc4j7b2bvac49qmjllhw9rk0fnbr86fs-libvirt-3.10.0/bin/virtlogd
/nix/store/pr94n9l1kvpiqilhjr308xbr8qmzilih-extra-utils/bin/blkid
/nix/store/pr94n9l1kvpiqilhjr308xbr8qmzilih-extra-utils/bin/dmsetup
/nix/store/pr94n9l1kvpiqilhjr308xbr8qmzilih-extra-utils/bin/e2fsck
Above is a random sample of binaries that need labelling on a NixOS system.
Before anyone asks, the naming of such paths is core to the way NixOS works;
requesting a change in that regard is not viable.
NixOS can run as a full OS (managing GRUB etc.) or it can run on a system
running a regular Linux distribution. Running as a full OS or as a labelled
chroot are the use cases that interest me.
semanage fcontext -a -e / "/nix/store/*"
setfiles -r /chroot/nix /etc/selinux/default/contexts/files/file_contexts \
/chroot/nix/store -v
I've written a patch to support commands like the above to label a Nix store
(the above is a chroot example but the next step is to get full SE Linux
support in NixOS).
I've attached the patch. I don't expect this version to be accepted upstream
as-is. But it's a place to start the discussion about how to approach this
problem.
Russell Coker
PS Please use my personal address russell@xxxxxxxxxxxx for SE Linux
discussions unrelated to NixOS.
Description: Support wildcard source (e.g. /lib/*) in file_contexts.subs_dist
Index: libselinux-2.8/src/label_file.c
===================================================================
--- libselinux-2.8.orig/src/label_file.c
+++ libselinux-2.8/src/label_file.c
@@ -581,6 +581,25 @@ static char *selabel_sub(struct selabel_
while (ptr) {
if (strncmp(src, ptr->src, ptr->slen) == 0 ) {
+ if (ptr->wildcard)
+ {
+ if ( src[ptr->slen] == 0 || !strchr(src+ptr->slen, '/') )
+ {
+ ptr = ptr->next;
+ continue;
+ }
+ for(len = ptr->slen + 1 ; src[len] && src[len] != '/' ; len++)
+ ;
+ if(!src[len])
+ {
+ ptr = ptr->next;
+ continue;
+ }
+ len++;
+ if (asprintf(&dst, "%s%s", ptr->dst, &src[len]) < 0)
+ return NULL;
+ return dst;
+ }
if (src[ptr->slen] == '/' ||
src[ptr->slen] == 0) {
if ((src[ptr->slen] == '/') &&
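Review bot: The bare `len++;` before the asprintf always swallows the '/' that ends the matched component, so the wildcard branch only produces a valid path when ptr->dst is exactly "/": a substitution such as `/nix/store/* /usr` would turn /nix/store/l2b7y9waqwp4i1f03899yfsmzk8i7rid-shadow-4.5/bin/usermod into /usrbin/usermod. The non-wildcard branch just below the hunk special-cases a "/" destination for this reason; mirror it with `if (strcmp(ptr->dst, "/") == 0) len++;` in place of the unconditional increment. The `strchr(src+ptr->slen, '/')` test in the first added condition is redundant with the component scan that follows, which already rejects a source with no further '/'. This also relies on `len` being declared earlier in selabel_sub, which the hunk does not show; the function starts and ends outside the hunk.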
@@ -606,6 +625,7 @@ static int selabel_subs_init(const char
struct selabel_sub *list = NULL, *sub = NULL;
struct stat sb;
int status = -1;
+ int len;
*out_subs = NULL;
if (!cfg) {
@@ -630,6 +650,8 @@ static int selabel_subs_init(const char
*ptr++ = '\0';
if (! *src) continue;
+ if(!strcmp("/*", src)) continue;
+
dst = ptr;
while (*dst && isspace(*dst))
dst++;
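Review bot: The added `if(!strcmp("/*", src)) continue;` drops the line with no explanation and no diagnostic, and nothing nearby says why that one source is refused while other wildcard sources are accepted; presumably a wildcard directly under the root would match every path, but that reasoning should be stated. A comment such as `/* "/*" would match every path; refuse it rather than rewrite everything */` above the check would make the intent clear to the next reader. selabel_subs_init starts and ends outside the hunk.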
@@ -645,6 +667,16 @@ static int selabel_subs_init(const char
goto err;
memset(sub, 0, sizeof(*sub));
+ len = strlen(src);
+ if(len < 2) continue;
+ if(src[len - 1] == '*')
+ {
+ sub->wildcard = 1;
+ src[len - 1] = 0;
+ len--;
+ }
+ else
+ sub->wildcard = 0;
sub->src=strdup(src);
if (! sub->src)
goto err;
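Review bot: The `continue` after `if(len < 2)` runs once `sub` has already been allocated and zeroed (the memset on the preceding context line), so every such line leaks that allocation; either hoist the length check above the malloc or release it first, `if (len < 2) { free(sub); sub = NULL; continue; }`. The check also silently drops a one-character source such as `/`, which the unpatched loop accepted, so if the intent is only to reject a bare `*` it should test for that instead. `len` is declared `int` in the earlier hunk while `strlen` returns `size_t`; declaring it `size_t` avoids the narrowing. selabel_subs_init ends outside the hunk.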
Index: libselinux-2.8/src/label_file.h
===================================================================
--- libselinux-2.8.orig/src/label_file.h
+++ libselinux-2.8/src/label_file.h
@@ -35,6 +35,7 @@ struct selabel_sub {
char *src;
int slen;
char *dst;
+ int wildcard;
struct selabel_sub *next;
};
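Review bot: The new `wildcard` member is undocumented, and its meaning cannot be recovered from the header alone: it is only set where a source ending in `*` has that character stripped, and it changes how much of the matched path selabel_sub skips. A trailing comment such as `int wildcard; /* src ended in '*': src keeps its trailing '/', and the next path component is skipped on substitution */` would tell a reader of label_file.h what the flag controls. The struct definition begins outside the hunk.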