From: Yuli Khodorkovskiy <ykhodo@gmail.com>
To: selinux@tycho.nsa.gov
Subject: [PATCH v2 1/2] libselinux: verify file_contexts when using restorecon
Date: Wed, 28 Mar 2018 20:40:02 -0700 [thread overview]
Message-ID: <20180329034003.2231-2-ykhodo@gmail.com> (raw)
In-Reply-To: <20180329034003.2231-1-ykhodo@gmail.com>
In permissive mode, calling restorecon with a bad label in file_contexts
does not verify the label's existence in the loaded policy. This
results in any label successfully applying to a file, as long as the
file exists.
This issue has two assumptions:
1) file_contexts must be manually updated with the invalid label.
Running `semanage fcontext` will error when attempting to add
an invalid label to file_contexts.
2) the system must be in permissive. Although applying an invalid label
in enforcing gives an error and fails, successfully labeling a file with a
bad label could cause issues during policy development in permissive.
Instead, as each context is used, verify it is valid before blindly
applying the label. If an error with validation occurs in restorecon,
application of remaining valid labels will be uninterrupted as before.
Signed-off-by: Yuli Khodorkovskiy <ykhodo@gmail.com>
---
libselinux/src/label.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libselinux/src/label.c b/libselinux/src/label.c
index 48f4d2d6..e642a97b 100644
--- a/libselinux/src/label.c
+++ b/libselinux/src/label.c
@@ -126,7 +126,7 @@ int selabel_validate(struct selabel_handle *rec,
{
int rc = 0;
- if (!rec->validating || contexts->validated)
+ if (contexts->validated)
goto out;
rc = selinux_validate(&contexts->ctx_raw);
--
2.14.3
next prev parent reply other threads:[~2018-03-29 3:40 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-29 3:40 [PATCH v2 0/2] restorecon context validation improvement Yuli Khodorkovskiy
2018-03-29 3:40 ` Yuli Khodorkovskiy [this message]
2018-03-29 12:37 ` [PATCH v2 1/2] libselinux: verify file_contexts when using restorecon Stephen Smalley
2018-03-29 16:17 ` William Roberts
2018-03-29 3:40 ` [PATCH v2 2/2] libselinux: echo line number of bad label in selabel_fini() Yuli Khodorkovskiy
2018-03-29 13:49 ` Stephen Smalley
2018-03-29 15:48 ` Yuli Khodorkovskiy
2018-03-29 16:35 ` Stephen Smalley
2018-03-29 16:37 ` Yuli Khodorkovskiy
2018-03-29 5:00 ` [PATCH v2 0/2] restorecon context validation improvement William Roberts
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180329034003.2231-2-ykhodo@gmail.com \
--to=ykhodo@gmail.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.