From 6e2896098c99dff2eaf45a417bc1149eb8d6927d Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Wed, 16 Jan 2019 22:03:23 +0100
Subject: [PATCH] selinuxutil: restorecond is buggy when it dereferencies symlinks

restorecond uses libselinux's selinux_restorecon() to relabel files, which dereferences symlinks in a useless call to statfs(). This produces AVC denials which are noisy.
Fixes: https://github.com/SELinuxProject/refpolicy/pull/22
---
 policy/modules/system/selinuxutil.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index d183fc2c5..b520d40b4 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -372,7 +372,7 @@ selinux_compute_user_contexts(restorecond_t)
 files_relabel_non_auth_files(restorecond_t )
 files_read_non_auth_files(restorecond_t)
-files_read_non_auth_symlinks(restorecond_t)
+files_dontaudit_read_all_symlinks(restorecond_t)
 auth_use_nsswitch(restorecond_t)
 logging_send_syslog_msg(restorecond_t)
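Review bot: The added `files_dontaudit_read_all_symlinks(restorecond_t)` line has no comment, so the policy file itself does not record why symlink reads by restorecond_t are silenced instead of allowed; that rationale exists only in the commit message. Because a dontaudit rule suppresses the AVC record, any later case where restorecond fails on a symlink will leave no trace in the audit log until dontaudit rules are disabled (for example with `semodule -DB`). Judging by the interface names, the silenced set ("all" symlinks) also appears wider than the allow it replaces ("non_auth" symlinks), which is worth confirming as intended. I would add a line above the rule such as `# selinux_restorecon() dereferences symlinks in a useless statfs() call; silence the resulting denials`. The restorecond_t rules continue outside this hunk.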