On Wed, 16 Aug 2023 10:03:08 +0100
"Richard W.M. Jones"
On Wed, Aug 16, 2023 at 08:00:32AM +0200, Stefano Brivio wrote:
The Makefile installs symbolic links by default, which actually worked at some point (not by design) with SELinux, but at least on recent kernel versions it doesn't anymore: override pasta (and pasta.avx2) with hard links.
Otherwise, even if the links are labeled as pasta_exec_t, SELinux will "resolve" them to passt_exec_t, and we'll have pasta running as passt_t instead of pasta_t.
The patch and this cover note don't seem to do the same thing. It appears to copy the binary, not make a hard link. (The comment in the spec file seems to be correct.)
Gosh, thanks for noticing, I sent out the wrong version. :/ That was another option that luckily we can avoid with hard links. I'll re-post in a bit. With a copy, by the way, we would have duplicate build-IDs in the RPM, and rpmtool would issue warnings (possibly problematic for debugging packages, I'm not sure).
It does appear to be possible to label symbolic links:
$ touch test1
$ chcon system_u:object_r:bin_t:s0 test1
$ ln -s test1 test2
$ chcon -h system_u:object_r:tmp_t:s0 test2
$ ll -Z test1 test2
-rw-r--r--. 1 rjones rjones system_u:object_r:bin_t:s0 0 Aug 16 10:00 test1
lrwxrwxrwx. 1 rjones rjones system_u:object_r:tmp_t:s0 5 Aug 16 10:00 test2 -> test1
(which surprised me). But I don't know if SELinux does the right thing or not in this case, or if something has changed in the kernel, so I can't comment if copying is right or not.
Right, yes, that's what we had before -- symbolic links with the "right" labels, but it stopped working a while ago (bisecting not really convenient, and it wasn't intended to work anyway, so whatever). -- Stefano
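The property the patch changes is whether pasta is installed as a symbolic link, a hard link or a separate copy of passt. The script below, added here and not taken from the passt Makefile or spec file, builds a throw-away install tree shaped like the Makefile's default output, replaces the symlinks with hard links the way the cover note describes, and classifies each name before and after; the helper names and the directory layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not passt project code): check how an installed "pasta"
# name relates to the "passt" binary and apply the symlink -> hard link fix.
set -eu

# link_kind TARGET NAME -> prints one of: missing | symlink | hardlink | copy
# A symlink is detected with -L first, because -ef follows symlinks and
# would otherwise report a symlink to TARGET as a hard link.
link_kind() {
    target=$1; name=$2
    if [ ! -e "$name" ] && [ ! -L "$name" ]; then echo missing
    elif [ -L "$name" ]; then echo symlink
    elif [ "$target" -ef "$name" ]; then echo hardlink
    else echo copy
    fi
}

# Replace NAME (a symlink) with a hard link to TARGET; -f unlinks the old
# symlink itself rather than following it.
hardlink_over() {
    ln -f "$1" "$2"
}

# Constructed install tree: passt and passt.avx2 as stand-in binaries,
# pasta and pasta.avx2 as symbolic links, as the Makefile installs them.
setup_tree() {
    bindir=$(mktemp -d)/usr/bin
    mkdir -p "$bindir"
    for b in passt passt.avx2; do
        printf '#!/bin/sh\necho %s\n' "$b" > "$bindir/$b"
        chmod 755 "$bindir/$b"
    done
    ln -s passt "$bindir/pasta"
    ln -s passt.avx2 "$bindir/pasta.avx2"
    echo "$bindir"
}

# Apply the fix to both pasta names under BINDIR; succeed only if both
# are hard links afterwards (pasta -> passt, pasta.avx2 -> passt.avx2).
fix_tree() {
    for n in pasta pasta.avx2; do
        hardlink_over "$1/passt${n#pasta}" "$1/$n"
        [ "$(link_kind "$1/passt${n#pasta}" "$1/$n")" = hardlink ] || return 1
    done
}

bindir=$(setup_tree)
echo "before: pasta is a $(link_kind "$bindir/passt" "$bindir/pasta")"
fix_tree "$bindir"
echo "after:  pasta is a $(link_kind "$bindir/passt" "$bindir/pasta")"
rm -r "${bindir%/usr/bin}"
```

On an SELinux system, `ls -Z` on the resulting names shows the context each one carries; a hard link shares its target's inode, so the two names share the inode's extended attributes as well.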