mirror of https://github.com/SELinuxProject/selinux
synced 2024-12-25 15:32:07 +00:00
31f532aacb
As originally reported in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863854, "systemd-hwdb --usr update" was assigning /lib/udev/hwdb.bin the wrong security context. This turned out to be a result of systemd-hwdb calling selabel_lookup_raw() with a path with a leading double slash (//lib/udev/hwdb.bin). While the selabel file backend already removes duplicate slashes, this was occurring after any substitution matching and replacement had occurred in the generic selabel frontend, and thus the double slash was still preventing the /lib -> /usr/lib substitution specified by file_contexts.subs_dist from occurring. As a consequence, the final path (/lib/udev/hwdb.bin) used to look up did not match the /usr/lib/udev/[^/]* entry in file_contexts.

There were two options for resolving: 1) move the double slash removal to the selabel frontend code before substitutions, or 2) move the substitution processing to the selabel file backend code after double slash removal. Since substitutions are currently only supported for the file backend, and since the slash character may have no particular meaning in the keys for other backends, it seems more correct to do the latter. This has the advantage of taking all of the substitution data structures and code private to the selabel file backend.

Test case: Compare the output of:

    selabel_lookup -r -b file -k //lib/udev/hwdb.bin

versus:

    selabel_lookup -r -b file -k /lib/udev/hwdb.bin

Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863854
Reported-by: Russell Coker <russell@coker.com.au>
Reported-by: Michael Biebl <biebl@debian.org>
Reported-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
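The ordering problem the commit describes, as a constructed illustration added here (not libselinux code): a toy prefix-substitution rule standing in for the /lib -> /usr/lib entry of file_contexts.subs_dist, applied once before and once after duplicate-slash removal, so the //lib/udev/hwdb.bin key only reaches the /usr/lib form in the fixed order.

```c
#include <stdio.h>
#include <string.h>

/* Collapse runs of '/' in place: "//lib/udev/hwdb.bin" -> "/lib/udev/hwdb.bin". */
static void collapse_slashes(char *p)
{
    char *w = p;
    for (char *r = p; *r; r++) {
        if (*r == '/' && w > p && w[-1] == '/')
            continue;          /* drop the repeated slash */
        *w++ = *r;
    }
    *w = '\0';
}

/* One subs_dist-style rule "src dst"; src matches only as a whole
 * leading path component (constructed rule for this example). */
struct subs { const char *src; const char *dst; };
static const struct subs rules[] = { { "/lib", "/usr/lib" } };

/* Apply the first matching rule to path, writing the result to out. */
static void apply_subs(const char *path, char *out, size_t n)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        size_t len = strlen(rules[i].src);
        if (strncmp(path, rules[i].src, len) == 0 &&
            (path[len] == '/' || path[len] == '\0')) {
            snprintf(out, n, "%s%s", rules[i].dst, path + len);
            return;
        }
    }
    snprintf(out, n, "%s", path);  /* no rule matched: key unchanged */
}

/* Buggy order: substitute in the frontend, collapse slashes in the backend. */
void lookup_key_old(const char *key, char *out, size_t n)
{
    apply_subs(key, out, n);
    collapse_slashes(out);
}

/* Fixed order: collapse slashes first, then substitute (both in the backend). */
void lookup_key_fixed(const char *key, char *out, size_t n)
{
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s", key);
    collapse_slashes(tmp);
    apply_subs(tmp, out, n);
}
```

With the key //lib/udev/hwdb.bin the old order yields /lib/udev/hwdb.bin, which never matches a /usr/lib/udev/[^/]* entry; the fixed order yields /usr/lib/udev/hwdb.bin for both the single- and double-slash spellings.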
| Name |
|---|
| include |
| man |
| src |
| utils |
| LICENSE |
| Makefile |
| VERSION |