selinux/libselinux
Nicolas Iooss 689a6eb576 libselinux: do not dereference symlink with statfs in selinux_restorecon
When selinux_restorecon() is used to relabel symlinks, it performs the
following syscalls (as seen by running strace on restorecond):

    lstat("/root/symlink", {st_mode=S_IFLNK|0777, st_size=6, ...}) = 0
    statfs("/root/symlink", 0x7ffd6bb4d090) = -1 ENOENT (No such file or directory)
    lstat("/root/symlink", {st_mode=S_IFLNK|0777, st_size=6, ...}) = 0
    lgetxattr("/root/symlink", "security.selinux", "sysadm_u:object_r:user_home_t", 255) = 30

The second one triggers a SELinux check for lnk_file:read, as statfs()
dereferences symbolic links. This call to statfs() is only used to find
out whether "restoreconlast" xattr can be ignored, which is always the
case for non-directory files (the first syscall, lstat(), is actually
used to perform this check).

Skip the call to statfs() when setrestoreconlast is already false.

This silences an AVC denial that would otherwise be reported to
audit.log (cf. https://github.com/SELinuxProject/refpolicy/pull/22).

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-18 11:13:19 -05:00
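The guard described in the commit message above, as an added C example that is not libselinux code: `lstat()` decides whether the directory-only check applies, and `statfs()` is called only when it does, so a symlink is never dereferenced. The function names, the global counter and the `/tmp` fixture path are hypothetical, and a Linux system is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/vfs.h>
#include <unistd.h>

int statfs_calls;   /* number of statfs() calls made by the last dir_check_applies() */

/* Constructed fixture: a dangling symlink inside a fresh temporary directory. */
const char *make_dangling_symlink(void)
{
    static char path[128];
    char dir[] = "/tmp/statfs-demo-XXXXXX";
    if (!mkdtemp(dir))
        return NULL;
    snprintf(path, sizeof(path), "%s/symlink", dir);
    return symlink("missing-target", path) == 0 ? path : NULL;
}

/* Unguarded call: statfs() follows the link, so a dangling symlink yields ENOENT. */
int naive_statfs_errno(const char *path)
{
    struct statfs sfs;
    return statfs(path, &sfs) == 0 ? 0 : errno;
}

/* Guarded form: 1 if the directory-only check applies, 0 if skipped, -1 on error. */
int dir_check_applies(const char *path)
{
    struct stat sb;
    struct statfs sfs;
    statfs_calls = 0;
    if (lstat(path, &sb) < 0)                /* inspects the link itself */
        return -1;
    if (!S_ISDIR(sb.st_mode))                /* flag already false: skip statfs() */
        return 0;
    statfs_calls++;
    return statfs(path, &sfs) == 0 ? 1 : -1; /* directories only */
}

int main(void)
{
    const char *link = make_dangling_symlink();
    int applies = dir_check_applies(link);
    printf("guarded: applies=%d statfs_calls=%d\n", applies, statfs_calls);
    printf("unguarded statfs errno=%d\n", naive_statfs_errno(link));
    return link ? 0 : 1;
}
```

Running the program under `strace` shows `statfs()` only in the unguarded call; the guarded path issues `lstat()` alone for the symlink.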
include Fix minor typos 2018-06-30 20:28:25 +02:00
man Fix minor typos 2018-06-30 20:28:25 +02:00
src libselinux: do not dereference symlink with statfs in selinux_restorecon 2019-01-18 11:13:19 -05:00
utils Makefile: add -Wstrict-overflow=5 to CFLAGS 2018-12-31 08:06:29 -08:00
LICENSE
Makefile libselinux: Add support for pcre2 to pkgconfig definition 2017-10-13 15:24:23 -04:00
VERSION Update VERSIONs to 2.8 for release. 2018-05-24 14:21:09 -04:00