Re: selinux prelink avc's (broken paths in policy?)

[Paul Howarth <paul city-fan org>]

Stephen Smalley wrote:
> On Wed, 2006-05-24 at 18:04 +0100, Paul Howarth wrote:
> > I think the best policy, for the avoidance of confusion for people 
> > writing policy modules or calling semanage in rpm post-install scripts, 
> > is to encourage them to use strings that will sort as "more specific", 
> > i.e. avoid metacharacters if possible, and if not, use as long a stem as 
> > possible. This probably means having two separate entries for things 
> > that will go under /lib or /lib64, rather than the current idiom of 
> > /lib(64)?, which has a metacharacter very early in the string.
>
> Yes, this would be desirable even in the base policy module.

Yes, and it explains why in the earlier thread "Re: unconfined_execmem_t 
for /usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java ?" we had 
/usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java labelled as bin_t 
rather than java_exec_t with the following file context entries in the 
base policy:

/usr/lib(.*/)?bin/java([^/]*)?     regular file 
system_u:object_r:java_exec_t:s0
/usr/lib/jvm/java.*/bin/.*         all files 
system_u:object_r:bin_t:s0

Paul.