Re: install giving the wrong label

From: Stephen Smalley <stephen.smalley_at_nospam>
Date: Thu May 27 2010 - 00:42:44 GMT
To: Chad Sellers <csellers@tresys.com>

On Tue, May 25, 2010 at 5:36 PM, Chad Sellers <csellers@tresys.com> wrote:
> I just found a problem with /usr/bin/install. It appears that it will label
> things improperly if they have an extra / in the target name. For instance:
>
> # install foo /usr
> # ls -lZ /usr/foo
> -rwxr-xr-x. root root system_u:object_r:usr_t:s0 /usr/foo
>
> but
>
> # install foo //usr
> # ls -lZ /usr/foo
> -rwxr-xr-x. root root system_u:object_r:default_t:s0 /usr/foo
>
> The same thing goes for targets like /var/www//foo, where the // is later in
> the filename.
>
> This appears to result from install calling matchpathcon() with the target
> passed in directly. My question is, whose responsibility should this be?
> Should matchpatchcon() scrub filenames passed into it, or should callers be
> required to pass proper filenames to matchpathcon()?

I suppose matchpathcon / selabel_lookup could handle the trivial cases
(e.g. duplicate /), but we don't want it to internally canonicalize
the pathname via realpath() or equivalent - leave that to the callers
(as is already done by e.g. restorecon).

-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

This message: [ Message body ]
Next message: Daniel J Walsh: "Re: Updated sandbox patch."
Previous message: Stephen Smalley: "Re: SELinux support in Libc"
In reply to: Chad Sellers: "install giving the wrong label"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]