Package: dpkg
Version: 1.14.20
Severity: normal

In src/archive.c the SE Linux context for file creation is set at about
line 640.  It's set again at about line 795 for reasons I don't
understand (this second setting doesn't respect the fact that scontext
might have a value of "<<none>>" but this is a minor issue).

Then on line 824 it is unset.

The problem is that on line 744 the function may return if the file is a
conffile.  This means that all further files created until dpkg sets the
context again with setfscreatecon() get the same label.  A consequence
of this is that often files under /var/lib/dpkg will have the type etc_t
(the type used for most files under /etc).

A minimal solution to this would be to have the following before the
return statement at around line 744:
#ifdef WITH_SELINUX
  /* Reset the file-creation context so later files get their default label. */
  if (selinux_enabled > 0)
    if (setfscreatecon(NULL) < 0)
      perror("Error restoring default security context");  /* perror appends ": strerror" */
#endif

I'm also concerned that the ohshit() function calls might result in the
code later creating files with the wrong context.  It wouldn't do any
harm to have code such as the above inside ohshit() to deal with this.

Calling setfscreatecon(NULL) an extra few times is not going to do any
harm.
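The leak described above, as an added example that is not part of the original report or of dpkg's source: a self-contained C simulation of the per-thread SELinux file-creation context that setfscreatecon() sets, showing how an early return on the conffile path leaves the label in place for the next file dpkg creates, alongside a single-exit version where every path (including an error path such as ohshit()) goes through the reset. The sim_* functions, the paths and the labels (dpkg_var_lib_t, default_t) are constructed for illustration.

```c
/* Added example, not dpkg's source: simulates the per-thread SELinux
 * file-creation context to show the early-return leak and the fix.
 * All paths and labels below are constructed values. */
#include <stdio.h>
#include <string.h>

#define CTX_LEN 128
#define MAX_FILES 8

/* Stand-in for the kernel's per-thread fscreate attribute. An empty
 * string means "no context set" (the effect of setfscreatecon(NULL)). */
static char fscreate[CTX_LEN];

static int sim_setfscreatecon(const char *ctx)
{
    if (ctx == NULL) {
        fscreate[0] = '\0';
        return 0;
    }
    snprintf(fscreate, sizeof fscreate, "%s", ctx);
    return 0;
}

/* Record of every file "created" and the label it ended up with. */
struct created {
    char path[64];
    char label[CTX_LEN];
};
static struct created created[MAX_FILES];
static int ncreated;

/* Stand-in for open(O_CREAT): if a creation context is set the new file
 * gets it, otherwise it gets the default label for its location. */
static void sim_create(const char *path, const char *default_label)
{
    if (ncreated >= MAX_FILES)
        return;
    snprintf(created[ncreated].path, sizeof created[ncreated].path, "%s", path);
    snprintf(created[ncreated].label, sizeof created[ncreated].label, "%s",
             fscreate[0] ? fscreate : default_label);
    ncreated++;
}

/* Shape of the bug as reported: the context is set before extraction,
 * the conffile path returns early, and only the normal path resets it. */
static void extract_buggy(const char *path, const char *label, int is_conffile)
{
    sim_setfscreatecon(label);
    if (is_conffile)
        return;                 /* early return: context is still set */
    sim_create(path, "system_u:object_r:default_t:s0");
    sim_setfscreatecon(NULL);
}

/* Same flow with a single exit, so every return (including an error
 * path) passes through the reset the report proposes. */
static void extract_fixed(const char *path, const char *label, int is_conffile)
{
    sim_setfscreatecon(label);
    if (is_conffile)
        goto out;
    sim_create(path, "system_u:object_r:default_t:s0");
out:
    sim_setfscreatecon(NULL);   /* restore the default creation context */
}

/* Extract one conffile, then have "dpkg" write its own bookkeeping file;
 * returns the label that bookkeeping file received. */
const char *bookkeeping_label(int fixed)
{
    ncreated = 0;
    sim_setfscreatecon(NULL);

    if (fixed)
        extract_fixed("/etc/example.conf", "system_u:object_r:etc_t:s0", 1);
    else
        extract_buggy("/etc/example.conf", "system_u:object_r:etc_t:s0", 1);

    /* No context should be set here; the file should receive the
     * default label for /var/lib/dpkg (constructed value). */
    sim_create("/var/lib/dpkg/info/example.list",
               "system_u:object_r:dpkg_var_lib_t:s0");
    return created[ncreated - 1].label;
}

int main(void)
{
    printf("buggy: %s\nfixed: %s\n", bookkeeping_label(0), bookkeeping_label(1));
    return 0;
}
```

With the buggy flow the bookkeeping file under /var/lib/dpkg comes out labelled etc_t, which is exactly the symptom the report describes; with the single-exit flow it gets its location's default label. On a real system the same check is `ls -Z /var/lib/dpkg/info` after installing a package that ships conffiles.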
