In permissive mode, calling restorecon with a bad label in file_contexts
does not verify the label's existence in the loaded policy. This
results in any label successfully applying to a file, as long as the
file exists.

This issue has two assumptions:
1) file_contexts must be manually updated with the invalid label.
Running `semanage fcontext` will error when attempting to add
an invalid label to file_contexts.
2) the system must be in permissive. Although applying an invalid label
in enforcing gives an error and fails, successfully labeling a file with a
bad label could cause issues during policy development in permissive.

Instead of the current behavior, mimic setfiles' -c flag, and verify the labels
against the loaded policy binary.

Behavior before patch:

$ sudo -s
$ setenforce 0
$ echo '/test.txt       --      system_u:object_r:foo_bar_baz:s0' >> /etc/selinux/targeted/contexts/files/file_contexts
$ restorecon -v /test.txt
Relabeled /test.txt from system_u:object_r:etc_runtime_t:s0 to system_u:object_r:foo_bar_baz:s0

Behavior after patch:

$ sudo -s
$ setenforce 0
$ echo '/test.txt       --      system_u:object_r:foo_bar_baz:s0' >> /etc/selinux/targeted/contexts/files/file_contexts
$ restorecon -v /test.txt
restorecon: /etc/selinux/targeted/contexts/files/file_contexts: line 6123 has invalid context system_u:object_r:foo_bar_baz:s0
Invalid argument

Signed-off-by: Yuli Khodorkovskiy <[email protected]>
---
 policycoreutils/setfiles/setfiles.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/setfiles/setfiles.c 
b/policycoreutils/setfiles/setfiles.c
index bc83c27b..ce1e4324 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -217,7 +217,7 @@ int main(int argc, char **argv)
                 * Do not abort on errors during the file tree walk,
                 * Do not try to track inode associations for conflict 
detection,
                 * Follows mounts,
-                * Does lazy validation of contexts upon use.
+                * Validates all file contexts at init time.
                 */
                if (strcmp(base, RESTORECON))
                        fprintf(stderr, "Executed with unrecognized name (%s), 
defaulting to %s behavior.\n",
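Review bot: The new comment line "Validates all file contexts at init time" should also say what happens when validation fails. With the check moved from use time to init time, a single invalid entry anywhere in file_contexts would appear to stop restorecon even when the path being relabeled matches a different, valid entry. Please confirm that is intended and state it in this comment block. It is also worth checking whether validating every entry on each invocation adds noticeable startup cost with a large file_contexts (the example in the commit message reports line 6123).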
@@ -230,7 +230,7 @@ int main(int argc, char **argv)
                r_opts.add_assoc = 0;
                r_opts.xdev = 0;
                r_opts.ignore_mounts = 0;
-               ctx_validate = 0;
+               ctx_validate = 1;
                opts = ropts;
 
                /* restorecon only:  silent exit if no SELinux.
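Review bot: "ctx_validate = 1" in the restorecon branch is unconditional, so it applies in enforcing mode as well as in the permissive case the commit message targets, and nothing in this hunk gives restorecon a way to get lazy validation back. The diffstat touches only setfiles.c, so the new default is not documented anywhere a user would look. Suggest adding a sentence to the restorecon man page saying that contexts in file_contexts are now validated against the loaded policy, as with the setfiles -c flag the commit message refers to.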
-- 
2.14.3

