[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: selinux prelink avc's (broken paths in policy?)



Stephen Smalley wrote:
On Wed, 2006-05-24 at 18:04 +0100, Paul Howarth wrote:
I think the best policy, for the avoidance of confusion for people writing policy modules or calling semanage in rpm post-install scripts, is to encourage them to use strings that will sort as "more specific", i.e. avoid metacharacters if possible, and if not, use as long a stem as possible. This probably means having two separate entries for things that will go under /lib or /lib64, rather than the current idiom of /lib(64)?, which has a metacharacter very early in the string.

Yes, this would be desirable even in the base policy module.

Yes, and it explains why in the earlier thread "Re: unconfined_execmem_t for /usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java ?" we had /usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java labelled as bin_t rather than java_exec_t with the following file context entries in the base policy:

/usr/lib(.*/)?bin/java([^/]*)? regular file system_u:object_r:java_exec_t:s0 /usr/lib/jvm/java.*/bin/.* all files system_u:object_r:bin_t:s0

Paul.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]