List:       selinux
Subject:    Re: install giving the wrong label
From:       Stephen Smalley <stephen.smalley () gmail ! com>
Date:       2010-05-27 0:42:44
Message-ID: AANLkTim1T-6OdCijnKbMkOSFqSjfth-QDokuKSZe113k () mail ! gmail ! com

On Tue, May 25, 2010 at 5:36 PM, Chad Sellers <csellers@tresys.com> wrote:
> I just found a problem with /usr/bin/install. It appears that it will label
> things improperly if they have an extra / in the target name. For instance:
>
> # install foo /usr
> # ls -lZ /usr/foo
> -rwxr-xr-x. root root system_u:object_r:usr_t:s0       /usr/foo
>
> but
>
> # install foo //usr
> # ls -lZ /usr/foo
> -rwxr-xr-x. root root system_u:object_r:default_t:s0       /usr/foo
>
> The same thing goes for targets like /var/www//foo, where the // is later in
> the filename.
>
> This appears to result from install calling matchpathcon() with the target
> passed in directly. My question is, whose responsibility should this be?
> Should matchpathcon() scrub filenames passed into it, or should callers be
> required to pass proper filenames to matchpathcon()?

I suppose matchpathcon / selabel_lookup could handle the trivial cases
(e.g. duplicate /), but we don't want it to internally canonicalize
the pathname via realpath() or equivalent - leave that to the callers
(as is already done by e.g. restorecon).
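
The caller-side handling of the trivial case discussed in this thread, as an added example that is not part of the original messages and is not code from install or libselinux. It collapses duplicate "/" textually (no realpath(), no symlink resolution) and uses a constructed, anchored pattern in file_contexts style to show why "//usr/foo" misses an entry for /usr; the names collapse_slashes, path_matches and USR_PATTERN are hypothetical, and the anchoring of the pattern is an assumption.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Collapse runs of '/' into a single '/'. Purely textual: "." and ".."
 * are left alone. Returns 0 on success, -1 if out is too small. */
int collapse_slashes(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0)
        return -1;
    for (const char *p = in; *p; p++) {
        if (*p == '/' && n > 0 && out[n - 1] == '/')
            continue;                 /* skip the duplicate separator */
        if (n + 1 >= outlen)
            return -1;                /* keep room for the terminator */
        out[n++] = *p;
    }
    out[n] = '\0';
    return 0;
}

/* Constructed pattern in file_contexts style (assumption, not real policy). */
static const char *USR_PATTERN = "^/usr(/.*)?$";

/* Returns 1 if path matches pattern, 0 if not, -1 on a regex error. */
int path_matches(const char *pattern, const char *path)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, path, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    const char *targets[] = { "/usr/foo", "//usr/foo" };   /* constructed */
    char clean[4096];
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        if (collapse_slashes(targets[i], clean, sizeof clean) != 0)
            return 1;
        printf("%-10s raw match=%d, collapsed to %s match=%d\n", targets[i],
               path_matches(USR_PATTERN, targets[i]), clean,
               path_matches(USR_PATTERN, clean));
    }
    return 0;
}
```
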

