Re: Can you target a single executable with a local policy?

In this case the simpler/better solution is to change the context of the library to textrel_shlib_t.

# semanage fcontext -a -t textrel_shlib_t PATHTOLIB
# restorecon PATHTOLIB

The policy that you added would allow most non-confined applications to load any library file with execmod. So I don't think this is a good idea or what you had in mind.

The third option would be to write a policy for the executable that uses the shared library and give it the priv to execmod lib_t, or create a special context for this library and only allow the policy to execmod this library.

You should report a bug to the owners of the PATHTOLIB, with a link to
http://people.redhat.com/~drepper/selinux-mem.html

Re: Can you target a single executable with a local policy?

(Anonymous)
Thanks for the quick response!

Yes, I accept that making PATHTOLIB textrel_shlib_t would solve the situation, but: 1) PATHTOLIB is supplied by a prominent commercial software company and I wouldn't like to tinker with their libraries for fear it would break their executables, which seem to operate fine without the need for textrel_shlib_t'ing their own libraries; 2) well, it's THEIR software and I don't want to change their installation anyway; and 3) if I disinstalled their software after doing the semanage fcontext, presumably the file context information relating to PATHTOLIB would be orphaned and not cleaned up.

So, I would like to stick to policies strictly related to my own executables and their installation and deinstallation scripts.

What would your third option look like, when applied only to my executable or directory of executables? How does a file or path name get entered into the .te file? Would I have to make my own MYEXECUTABLE_t type or category and thus have to supply more than just a simple .te file?

Peter K.
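Added example, not from either poster, sketching the third option for one hypothetical executable, /opt/myapp/bin/myapp, confined to its own domain myapp_t which alone gets execmod on lib_t: the script only writes the .te and .fc files (building is a separate function). The interface names (application_domain, domtrans_pattern, libs_use_ld_so, libs_use_shared_libs) and the permissive statement are assumed to exist in the reference policy in use.

```shell
#!/bin/sh
# Added example (not from the thread): lay down a minimal SELinux module
# for one hypothetical executable, /opt/myapp/bin/myapp, that runs in its
# own domain myapp_t and is the only domain given execmod on lib_t.
write_myapp_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/myapp.te" <<'EOF'
policy_module(myapp, 1.0)

gen_require(`
    type unconfined_t, lib_t;
    role unconfined_r;
')

# Private domain for the program and a type for its executable file.
type myapp_t;
type myapp_exec_t;
application_domain(myapp_t, myapp_exec_t)
role unconfined_r types myapp_t;

# Running the executable from an unconfined shell enters myapp_t.
domtrans_pattern(unconfined_t, myapp_exec_t, myapp_t)

# Normal shared-library access, plus execmod on lib_t for this domain only:
# the vendor library keeps its lib_t label and no other domain gains execmod.
libs_use_ld_so(myapp_t)
libs_use_shared_libs(myapp_t)
allow myapp_t lib_t:file execmod;

# Permissive while developing: denials are logged, not enforced. Remove
# once "audit2allow -a" shows nothing further needed for myapp_t.
permissive myapp_t;
EOF
    cat > "$dir/myapp.fc" <<'EOF'
/opt/myapp/bin/myapp    --    gen_context(system_u:object_r:myapp_exec_t,s0)
EOF
    echo "$dir/myapp.te"
}

# Build, install and relabel; needs selinux-policy-devel and root.
build_myapp_policy() {
    cd "$1" && make -f /usr/share/selinux/devel/Makefile myapp.pp \
        && semodule -i myapp.pp && restorecon -v /opt/myapp/bin/myapp
}

write_myapp_policy "${1:-./myapp-policy}" >/dev/null
```

After the files are written, `build_myapp_policy ./myapp-policy` as root compiles, installs and relabels; removing the module later with `semodule -r myapp` also drops its file context entries, which is the cleanup concern raised above.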
