Hi!

On Sat, 2010-07-03 at 17:00:20 +1000, Russell Coker wrote:
> Package: dpkg
> Version: 1.15.7.2
> Severity: normal
> 
> The mode parameter to the matchpathcon() is used for the format type (i.e. file,
> dir, etc) NOT for the permission bits.  So the mask in the
> set_selinux_path_context() function discards all the bits that we want.

Ah! nice catch.

> While the man page matchpathcon(3) isn't exactly clear it is consistent
> with the section of stat(2) relating to st_mode.  I would appreciate
> suggestions for how to improve matchpathcon(3) as it seems apparent
> that it needs to be improved.

I read that section and it seems perfectly clear to me. Take into account
that the bug was present in the initial code submitted by Manoj adding SE
Linux support, so not sure if maybe it was not clear back then, or it
was just a thinko.

> For files in /usr/sbin it seems that both code paths that call
> set_selinux_path_context() are being executed, it would be good if we
> could only call set_selinux_path_context() once as it's not the fastest
> function...

The two calls should be operating on different paths, the first one
does on the new extracted object, the second one operates on the
backup symlink used in case of roll back (which has to be manually
copied, because it cannot be hardlinked).

> Please consider my tar_file_type_to_mode() function to be an illustration
> of an algorithm in the form of working code.  I don't think it will be
> acceptable to be included as-is, but it should allow someone else to
> write something better with minimal effort.

I've rearranged and fixed the code, which I'll push in a bit.

> To reproduce this bug run a system with SE Linux enabled, install the
> package policycoreutils, and then run the command "restorecon -R -v
> /usr/sbin", if things work correctly then all objects contained in the
> package will have the correct context and restorecon will not display
> any output.  But the way things work currently is that "restorecon -R
> -v /usr/sbin" gives the following output:
> restorecon reset /usr/sbin/load_policy context system_u:object_r:load_policy_exec_t:s0->system_u:object_r:bin_t:s0

I don't feel like setting up an SE Linux environment, the fix should be
available for 1.15.8, so if it does not fix your problem, please
reopen this bug report!

thanks,
guillem
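
An added illustration of the mode mix-up discussed in this thread; it is not dpkg's or libselinux's code. The function names, the rule table and its labels are constructed, the matcher is a simplified model that assumes a lookup without file type bits cannot enforce type-restricted rules, and the buggy mask is assumed to be one that keeps only the permission bits, as the report describes.

```c
#define _XOPEN_SOURCE 700
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Map a ustar typeflag to the S_IF* file type bits that st_mode carries. */
mode_t tar_type_to_mode(char typeflag)
{
    switch (typeflag) {
    case '0': case '\0': return S_IFREG; /* regular file */
    case '2': return S_IFLNK;            /* symbolic link */
    case '3': return S_IFCHR;            /* character device */
    case '4': return S_IFBLK;            /* block device */
    case '5': return S_IFDIR;            /* directory */
    case '6': return S_IFIFO;            /* FIFO */
    default:  return 0;                  /* other: no type information */
    }
}

/* Constructed rules: path prefix, optional file type restriction, label. */
struct rule { const char *prefix; mode_t type; const char *label; };
static const struct rule rules[] = {
    { "/usr/sbin", 0,       "label_any" },
    { "/usr/sbin", S_IFDIR, "label_dir_only" },
    { "/usr/sbin", S_IFLNK, "label_symlink_only" },
};

/* Simplified model: the last matching rule wins, and a type-restricted
 * rule is only enforced when the caller supplies file type bits. */
const char *model_lookup(const char *path, mode_t mode)
{
    const char *label = "none";
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
        if (strncmp(path, rules[i].prefix, strlen(rules[i].prefix)) != 0)
            continue;
        if (rules[i].type && (mode & S_IFMT) && rules[i].type != (mode & S_IFMT))
            continue;
        label = rules[i].label;
    }
    return label;
}

/* Correct: pass the file type bits. Assumed buggy form: pass only perms. */
const char *lookup_with_type_bits(const char *path, char typeflag, mode_t perms)
{ return model_lookup(path, (tar_type_to_mode(typeflag) | perms) & S_IFMT); }

const char *lookup_with_perm_bits(const char *path, char typeflag, mode_t perms)
{ return model_lookup(path, (tar_type_to_mode(typeflag) | perms) & ~S_IFMT); }
```

In this model a regular file looked up with only permission bits falls through to the last type-restricted rule, which is the kind of mislabel that a later relabel run then reports and resets.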


