From 01fafd4fd6456c02921979ed634441a2c2c63f22 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Tue, 1 Sep 2015 16:02:58 +0200
Subject: [PATCH 40/47] selinux: always use *_raw API from libselinux
|
When mcstransd* is running non-raw functions will return translated SELinux
context. Problem is that libselinux will cache this information and in the
future it will return same context even though mcstransd maybe not running at
that time. If you then check with such context against SELinux policy then
selinux_check_access may fail depending on whether mcstransd is running or not.
|
To workaround this problem/bug in libselinux, we should always get raw context
instead. Most users will not notice because result of access check is logged
only in debug mode.
|
* SELinux context translation service, which translates labels to human
readable form
---
src/basic/selinux-util.c | 10 +++++-----
src/core/selinux-access.c | 4 ++--
2 files changed, 7 insertions(+), 7 deletions(-)
|
diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
index 7c58985..a39a0f7 100644
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@@ -199,11 +199,11 @@ int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
if (!mac_selinux_use())
return -EOPNOTSUPP;
|
- r = getcon(&mycon);
+ r = getcon_raw(&mycon);
if (r < 0)
return -errno;
|
- r = getfilecon(exe, &fcon);
+ r = getfilecon_raw(exe, &fcon);
if (r < 0)
return -errno;
|
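Review bot: The reason for switching to the `_raw` getters is recorded only in the commit message, so the next person to touch this file could plausibly "fix" `getcon_raw` back to `getcon`; a short comment at the first raw call in mac_selinux_get_create_label_from_exe would pin it down, e.g. `/* Always use the raw (untranslated) context: libselinux caches the mcstransd-translated form, so a translated context would make later access checks depend on whether mcstransd happens to be running. */`. The same note applies to the other hunks in this file and to the two in src/core/selinux-access.c. mac_selinux_get_create_label_from_exe continues past this hunk; if `mycon` and `fcon` are then handed to a non-raw libselinux call such as `security_compute_create`, that call should move to its `_raw` counterpart too, otherwise raw and translated contexts are still mixed within one function.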
@@ -225,7 +225,7 @@ int mac_selinux_get_our_label(char **label) {
if (!mac_selinux_use())
return -EOPNOTSUPP;
|
- r = getcon(label);
+ r = getcon_raw(label);
if (r < 0)
return -errno;
#endif
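Review bot: mac_selinux_get_our_label now hands callers the raw, untranslated context in `*label`, which is a visible change for anyone who displays or string-compares that value while mcstransd is running; the function's header comment should say so, e.g. `/* Returns the raw (untranslated) SELinux context of this process; callers must not expect the mcstransd human-readable form. */`. The `#endif` shows the function is split across a preprocessor conditional, and its remainder lies outside this hunk.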
@@ -249,7 +249,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *
if (!mac_selinux_use())
return -EOPNOTSUPP;
|
- r = getcon(&mycon);
+ r = getcon_raw(&mycon);
if (r < 0)
return -errno;
|
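Review bot: Only `mycon` in mac_selinux_get_child_mls_label is switched to the raw form here, yet the next hunk tests `exec_label`, which is obtained between these two hunks by code the diff does not show. If that code still calls the non-raw `getexeccon` (and the peer context for `socket_fd` still comes from `getpeercon`), the function would combine a raw `mycon`/`fcon` with translated contexts, which is exactly the inconsistency this commit sets out to remove; those lines are worth checking and moving to `getexeccon_raw`/`getpeercon_raw` if so. This applies to the following hunk at line 260 as well, and the function body extends beyond both hunks.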
@@ -260,7 +260,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *
if (!exec_label) {
/* If there is no context set for next exec let's use context
of target executable */
- r = getfilecon(exe, &fcon);
+ r = getfilecon_raw(exe, &fcon);
if (r < 0)
return -errno;
}
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 2ecfa40..011644b 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -246,7 +246,7 @@ int mac_selinux_generic_access_check(
if (path) {
/* Get the file context of the unit file */
|
- r = getfilecon(path, &fcon);
+ r = getfilecon_raw(path, &fcon);
if (r < 0) {
r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
goto finish;
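Review bot: When `getfilecon_raw` fails, `r` is immediately overwritten by `sd_bus_error_setf` and the errno the call set is discarded, so the bus error `Failed to get file context on %s.` cannot tell a missing unit file from one without a label or from a permission problem; if sd_bus_error_setf formats through the C library's printf family, `"Failed to get file context on %s: %m"` would keep the cause at no cost. The same applies to the `getcon_raw` branch in the next hunk (`Failed to get current context.`). This is pre-existing behaviour rather than something the switch to `_raw` introduces, and mac_selinux_generic_access_check continues outside both hunks.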
@@ -254,7 +254,7 @@ int mac_selinux_generic_access_check(
|
tclass = "service";
} else {
- r = getcon(&fcon);
+ r = getcon_raw(&fcon);
if (r < 0) {
r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
goto finish;
--
2.5.0