mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-24 15:02:44 +00:00
689a6eb576
When selinux_restorecon() is used to relabel symlinks, it performs the following syscalls (as seen by running strace on restorecond): lstat("/root/symlink", {st_mode=S_IFLNK|0777, st_size=6, ...}) = 0 statfs("/root/symlink", 0x7ffd6bb4d090) = -1 ENOENT (No such file or directory) lstat("/root/symlink", {st_mode=S_IFLNK|0777, st_size=6, ...}) = 0 lgetxattr("/root/symlink", "security.selinux", "sysadm_u:object_r:user_home_t", 255) = 30 The second one triggers a SELinux check for lnk_file:read, as statfs() dereferences symbolic links. This call to statfs() is only used to find out whether "restoreconlast" xattr can be ignored, which is always the case for non-directory files (the first syscall, lstat(), is actually used to perform this check). Skip the call to statfs() when setrestoreconlast is already false. This silences an AVC denial that would otherwise be reported to audit.log (cf. https://github.com/SELinuxProject/refpolicy/pull/22). Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> |
||
---|---|---|
.. | ||
include | ||
man | ||
src | ||
utils | ||
LICENSE | ||
Makefile | ||
VERSION |