mirror of
https://github.com/SELinuxProject/selinux
synced 2025-03-04 09:17:40 +00:00
As originally reported in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863854 , "systemd-hwdb --usr update" was assigning /lib/udev/hwdb.bin the wrong security context. This turned out to be a result of systemd-hwdb calling selabel_lookup_raw() with a path with a leading double slash (//lib/udev/hwdb.bin). While the selabel file backend already removes duplicate slashes, this was occurring after any substitution matching and replacement had occurred in the generic selabel frontend, and thus the double slash was still preventing the /lib -> /usr/lib substitution specified by file_contexts.subs_dist from occurring. As a consequence, the final path (/lib/udev/hwdb.bin) used to look up did not match the /usr/lib/udev/[^/]* entry in file_contexts.

There were two options for resolving: 1) move the double slash removal to the selabel frontend code before substitutions, or 2) move the substitution processing to the selabel file backend code after double slash removal. Since substitutions are currently only supported for the file backend, and since the slash character may have no particular meaning in the keys for other backends, it seems more correct to do the latter. This has the advantage of taking all of the substitution data structures and code private to the selabel file backend.

Test case: Compare the output of:

    selabel_lookup -r -b file -k //lib/udev/hwdb.bin

versus:

    selabel_lookup -r -b file -k /lib/udev/hwdb.bin

Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863854
Reported-by: Russell Coker <russell@coker.com.au>
Reported-by: Michael Biebl <biebl@debian.org>
Reported-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
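The ordering problem the commit message describes (canonicalize the key before matching it against substitution rules, not after) is easy to lose in the real frontend/backend split. The following is an added example, not libselinux code: it models the two pipelines with a single hard-coded `/lib -> /usr/lib` rule standing in for file_contexts.subs_dist, and a prefix check standing in for the `/usr/lib/udev/[^/]*` file_contexts entry. The function names (`lookup_key_before_fix`, `lookup_key_after_fix`, `matches_udev_entry`) are hypothetical.

```c
/* Added example (not libselinux code): why slash collapsing must run
 * before path substitution. Models the pre-fix and post-fix lookup order. */
#include <stdio.h>
#include <string.h>

/* Copy src into dst (size n), collapsing every run of '/' into one '/'.
 * Returns dst, or NULL if dst is too small. */
const char *collapse_slashes(const char *src, char *dst, size_t n)
{
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        if (src[i] == '/' && j > 0 && dst[j - 1] == '/')
            continue;                 /* drop the duplicate slash */
        if (j + 1 >= n)
            return NULL;
        dst[j++] = src[i];
    }
    dst[j] = '\0';
    return dst;
}

/* One subs_dist style rule: rewrite a leading "from" prefix to "to".
 * The prefix only matches on a path component boundary, so "/lib"
 * rewrites "/lib/x" but not "/libfoo/x" and, crucially, not "//lib/x". */
const char *apply_subs(const char *path, const char *from, const char *to,
                       char *dst, size_t n)
{
    size_t flen = strlen(from);
    if (strncmp(path, from, flen) == 0 &&
        (path[flen] == '\0' || path[flen] == '/')) {
        if (snprintf(dst, n, "%s%s", to, path + flen) >= (int)n)
            return NULL;
    } else {
        if (strlen(path) + 1 > n)
            return NULL;
        strcpy(dst, path);
    }
    return dst;
}

/* Pre-fix order: the generic frontend substituted on the raw key, then the
 * file backend collapsed slashes. "//lib/..." never matches the "/lib" rule. */
const char *lookup_key_before_fix(const char *key, char *dst, size_t n)
{
    char tmp[4096];
    if (!apply_subs(key, "/lib", "/usr/lib", tmp, sizeof tmp))
        return NULL;
    return collapse_slashes(tmp, dst, n);
}

/* Post-fix order: collapse first, then substitute, both in the file backend,
 * so every later matcher sees the canonical form. */
const char *lookup_key_after_fix(const char *key, char *dst, size_t n)
{
    char tmp[4096];
    if (!collapse_slashes(key, tmp, sizeof tmp))
        return NULL;
    return apply_subs(tmp, "/lib", "/usr/lib", dst, n);
}

/* Stand-in for the file_contexts entry /usr/lib/udev/[^/]* :
 * a direct child of /usr/lib/udev (no further '/'), done without regex. */
int matches_udev_entry(const char *key)
{
    static const char prefix[] = "/usr/lib/udev/";
    size_t plen = sizeof prefix - 1;
    if (key == NULL || strncmp(key, prefix, plen) != 0)
        return 0;
    return strchr(key + plen, '/') == NULL;
}

int main(void)
{
    /* Constructed inputs: the key systemd-hwdb actually passed, and the
     * canonical form of the same path. */
    const char *inputs[] = { "//lib/udev/hwdb.bin", "/lib/udev/hwdb.bin" };
    char b1[4096], b2[4096];
    for (size_t i = 0; i < 2; i++) {
        const char *k1 = lookup_key_before_fix(inputs[i], b1, sizeof b1);
        const char *k2 = lookup_key_after_fix(inputs[i], b2, sizeof b2);
        printf("%-20s before fix: %-24s match=%d\n", inputs[i],
               k1 ? k1 : "(overflow)", matches_udev_entry(k1));
        printf("%-20s after fix:  %-24s match=%d\n", inputs[i],
               k2 ? k2 : "(overflow)", matches_udev_entry(k2));
    }
    return 0;
}
```

The two keys produce different results only under the pre-fix order; once collapsing happens first, `//lib/udev/hwdb.bin` and `/lib/udev/hwdb.bin` both resolve to `/usr/lib/udev/hwdb.bin`, which is the property the `selabel_lookup` test case in the commit message checks for.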
Repository contents:

checkpolicy
dbus
gui
libselinux
libsemanage
libsepol
mcstrans
policycoreutils
python
restorecond
sandbox
scripts
secilc
semodule-utils
.gitignore
.travis.yml
CleanSpec.mk
Makefile
README
Please submit all bug reports and patches to selinux@tycho.nsa.gov.
Subscribe via selinux-join@tycho.nsa.gov.

Build dependencies on Fedora:

    yum install audit-libs-devel bison bzip2-devel dbus-devel dbus-glib-devel flex flex-devel flex-static glib2-devel libcap-devel libcap-ng-devel pam-devel pcre-devel python-devel setools-devel swig xmlto redhat-rpm-config

To build and install everything under a private directory, run:

    make DESTDIR=~/obj install install-pywrap

To install as the default system libraries and binaries (overwriting any
previously installed ones - dangerous!), on x86_64, run:

    make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel

or on x86 (32-bit), run:

    make install install-pywrap relabel

This may render your system unusable if the upstream SELinux userspace
lacks library functions or other dependencies relied upon by your
distribution. If it breaks, you get to keep both pieces.

To install libsepol on macOS (mainly for policy analysis):

    cd libsepol; make DESTDIR=/usr/local PREFIX=/usr/local install

This requires GNU coreutils (brew install coreutils).