Label /usr/lib/getconf as bin_t

On ArchLinux, glibc package installs /usr/bin/getconf as a hard link to a file in /usr/lib/getconf/. For example on a x86_64 machine: $ ls -i -l /usr/bin/getconf /usr/lib/getconf/XBS5_LP64_OFF64 5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/bin/getconf 5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/lib/getconf/XBS5_LP64_OFF64 Such configuration produces an instability when labeling the files with "restorecon -Rv /": restorecon reset /usr/bin/getconf context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:bin_t:s0 restorecon reset /usr/lib/getconf/XBS5_LP64_OFF64 context unconfined_u:object_r:bin_t:s0->unconfined_u:object_r:lib_t:s0 As /usr/lib/getconf directory only contains executable programs, this issue is fixed by labeling this directory and its content "bin_t".
2014-04-14 23:15:07 +02:00 · 2014-04-14 23:15:07 +02:00 · 9427fc3ce1
parent 65551111ed
commit 9427fc3ce1
1 changed files with 1 additions and 0 deletions
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@ -209,6 +209,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/cyrus-imapd/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/getconf(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gimp/.*/plug-ins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/lib/git-core(/.*)		--	gen_context(system_u:object_r:bin_t,s0)