On Thu, 29 Jul 2010, Guillem Jover <guil...@debian.org> wrote:
> > For files in /usr/sbin it seems that both code paths that call
> > set_selinux_path_context() are being executed, it would be good if we
> > could only call set_selinux_path_context() once as it's not the fastest
> > function...
> 
> The two calls should be operating on different paths, the first one
> does on the new extracted object, the second one operates on the
> backup symlink used in case of roll back (which has to be manually
> copied, because it cannot be hardlinked).

What do you mean by this?

If you are keeping a second copy of the file around then it should have the 
same label.  SE Linux labels can (depending on policy) cause a domain 
transition that reduces the privileges after the exec() call.  If we have a 
SUID binary, could the current code result in a SUID copy of it that has a 
label based on the backup name instead of the real name?  If so then it's a 
security problem as a program may run with a superset of the privileges of the 
calling code.

Even if the program is not SUID it's still a potential security problem for 
the case where a non-SUID program should run with fewer privileges than the 
calling code.

> > Please consider my tar_file_type_to_mode() function to be an illustration
> > of an algorithm in the form of working code.  I don't think it will be
> > acceptable to be included as-is, but it should allow someone else to
> > write something better with minimal effort.
> 
> I've rearranged and fixed the code, which I'll push in a bit.

Great!
 
> > To reproduce this bug run a system with SE Linux enabled, install the
> > package policycoreutils, and then run the command "restorecon -R -v
> > /usr/sbin", if things work correctly then all objects contained in the
> > package will have the correct context and restorecon will not display
> > any output.  But the way things work currently is that "restorecon -R
> > -v /usr/sbin" gives the following output:
> > restorecon reset /usr/sbin/load_policy context
> > system_u:object_r:load_policy_exec_t:s0->system_u:object_r:bin_t:s0
> 
> I don't feel like setting up a SE Linux environment, the fix should be
> available for 1.15.8, so if it does not fix your problem, please
> reopen this bug report!

Sure.

Incidentally if I gave you root access to a SE Linux system would you be 
interested in trying it out?

-- 
russ...@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog
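
The reproduction step quoted above can be turned into a repeatable check. The following is an added example, not part of the original message or of dpkg: it parses `restorecon -R -v` output and reports relabels that add or remove an entrypoint type, which is the case the message describes as security relevant. Assumptions: the `_exec_t` suffix convention of the reference policy, the "Relabeled ... from ... to ..." line format of newer restorecon releases, and the constructed sample paths.

```python
import re
from typing import List, NamedTuple, Optional

class Relabel(NamedTuple):
    path: str
    old_type: str
    new_type: str

# Format quoted in the bug report: "restorecon reset PATH context OLD->NEW"
OLD_FMT = re.compile(r"^restorecon reset (?P<path>.+) context (?P<old>\S+)->(?P<new>\S+)$")
# Assumed format of newer restorecon releases: "Relabeled PATH from OLD to NEW"
NEW_FMT = re.compile(r"^Relabeled (?P<path>.+) from (?P<old>\S+) to (?P<new>\S+)$")

def context_type(context: str) -> str:
    """Return the type field of user:role:type[:range]; the range may contain ':'."""
    fields = context.split(":", 3)
    if len(fields) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return fields[2]

def parse_line(line: str) -> Optional[Relabel]:
    """Parse one line of restorecon -v output, or return None if it is not a relabel."""
    m = OLD_FMT.match(line.strip()) or NEW_FMT.match(line.strip())
    if not m:
        return None
    return Relabel(m["path"], context_type(m["old"]), context_type(m["new"]))

def entrypoint_mismatches(output: str) -> List[Relabel]:
    """Relabels that add or remove an *_exec_t type (assumed reference policy
    naming convention for domain-transition entrypoints)."""
    hits = []
    for line in output.splitlines():
        r = parse_line(line)
        if r and r.old_type != r.new_type and (
                r.old_type.endswith("_exec_t") or r.new_type.endswith("_exec_t")):
            hits.append(r)
    return hits

# Constructed sample: the first line is the one from the report joined onto one
# line; the other two are made up for illustration.
SAMPLE = """\
restorecon reset /usr/sbin/load_policy context system_u:object_r:load_policy_exec_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/sbin/example tool context system_u:object_r:usr_t:s0->system_u:object_r:bin_t:s0
Relabeled /usr/sbin/example-backup from system_u:object_r:bin_t:s0 to system_u:object_r:example_exec_t:s0:c0.c1023
"""

if __name__ == "__main__":
    for r in entrypoint_mismatches(SAMPLE):
        print(f"{r.path}: {r.old_type} -> {r.new_type}")
```

An empty result after a package installation means no installed object had an entrypoint type that disagreed with policy; any other relabel lines still indicate a labelling difference worth reviewing.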


