You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
89 lines
3.5 KiB
89 lines
3.5 KiB
From 2d30914ae86e9f40c02d80e0ef5c01e54efbbbc9 Mon Sep 17 00:00:00 2001 |
|
From: Michal Sekletar <msekleta@redhat.com> |
|
Date: Tue, 1 Sep 2015 16:02:58 +0200 |
|
Subject: [PATCH] selinux: always use *_raw API from libselinux |
|
|
|
When mcstransd* is running non-raw functions will return translated SELinux |
|
context. Problem is that libselinux will cache this information and in the |
|
future it will return same context even though mcstransd maybe not running at |
|
that time. If you then check with such context against SELinux policy then |
|
selinux_check_access may fail depending on whether mcstransd is running or not. |
|
|
|
To workaround this problem/bug in libselinux, we should always get raw context |
|
instead. Most users will not notice because they don't use MCS/MLS policy |
|
anyway. Others will most likely not notice as well because result of access |
|
check is logged only in debug mode. |
|
|
|
* Service which translates labels to human readable form |
|
|
|
Resolves: #1256888 |
|
--- |
|
src/core/selinux-access.c | 4 ++-- |
|
src/shared/selinux-util.c | 10 +++++----- |
|
2 files changed, 7 insertions(+), 7 deletions(-) |
|
|
|
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c |
|
index f11247c092..297372d126 100644 |
|
--- a/src/core/selinux-access.c |
|
+++ b/src/core/selinux-access.c |
|
@@ -219,13 +219,13 @@ int mac_selinux_generic_access_check( |
|
if (path && !system) { |
|
/* Get the file context of the unit file */ |
|
|
|
- r = getfilecon(path, &fcon); |
|
+ r = getfilecon_raw(path, &fcon); |
|
if (r < 0) { |
|
r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path); |
|
goto finish; |
|
} |
|
} else { |
|
- r = getcon(&fcon); |
|
+ r = getcon_raw(&fcon); |
|
if (r < 0) { |
|
r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context."); |
|
goto finish; |
|
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c |
|
index a46ddf8498..4c2e1b0b47 100644 |
|
--- a/src/shared/selinux-util.c |
|
+++ b/src/shared/selinux-util.c |
|
@@ -200,11 +200,11 @@ int mac_selinux_get_create_label_from_exe(const char *exe, char **label) { |
|
if (!mac_selinux_use()) |
|
return -EOPNOTSUPP; |
|
|
|
- r = getcon(&mycon); |
|
+ r = getcon_raw(&mycon); |
|
if (r < 0) |
|
return -errno; |
|
|
|
- r = getfilecon(exe, &fcon); |
|
+ r = getfilecon_raw(exe, &fcon); |
|
if (r < 0) |
|
return -errno; |
|
|
|
@@ -226,7 +226,7 @@ int mac_selinux_get_our_label(char **label) { |
|
if (!mac_selinux_use()) |
|
return -EOPNOTSUPP; |
|
|
|
- r = getcon(label); |
|
+ r = getcon_raw(label); |
|
if (r < 0) |
|
return -errno; |
|
#endif |
|
@@ -250,7 +250,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char * |
|
if (!mac_selinux_use()) |
|
return -EOPNOTSUPP; |
|
|
|
- r = getcon(&mycon); |
|
+ r = getcon_raw(&mycon); |
|
if (r < 0) |
|
return -errno; |
|
|
|
@@ -261,7 +261,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char * |
|
if (!exec_label) { |
|
/* If there is no context set for next exec let's use context |
|
of target executable */ |
|
- r = getfilecon(exe, &fcon); |
|
+ r = getfilecon_raw(exe, &fcon); |
|
if (r < 0) |
|
return -errno; |
|
}
|
|
|