install giving the wrong label

All of lore.kernel.org
 help / color / mirror / Atom feed

* install giving the wrong label
@ 2010-05-25 21:36 Chad Sellers
  2010-05-26 19:27 ` Daniel J Walsh
  2010-05-27  0:42 ` Stephen Smalley
  0 siblings, 2 replies; 3+ messages in thread
From: Chad Sellers @ 2010-05-25 21:36 UTC (permalink / raw)
  To: SE Linux

I just found a problem with /usr/bin/install. It appears that it will label
things improperly if they have an extra / in the target name. For instance:

# install foo /usr
# ls -lZ /usr/foo
-rwxr-xr-x. root root system_u:object_r:usr_t:s0       /usr/foo

but

# install foo //usr
# ls -lZ /usr/foo
-rwxr-xr-x. root root system_u:object_r:default_t:s0       /usr/foo

The same thing goes for targets like /var/www//foo, where the // is later in
the filename.

This appears to result from install calling matchpathcon() with the target
passed in directly. My question is, whose responsibility should this be?
Should matchpatchcon() scrub filenames passed into it, or should callers be
required to pass proper filenames to matchpathcon()?

Thanks,
Chad Sellers

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: install giving the wrong label
  2010-05-25 21:36 install giving the wrong label Chad Sellers
@ 2010-05-26 19:27 ` Daniel J Walsh
  2010-05-27  0:42 ` Stephen Smalley
  1 sibling, 0 replies; 3+ messages in thread
From: Daniel J Walsh @ 2010-05-26 19:27 UTC (permalink / raw)
  To: Chad Sellers; +Cc: SE Linux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/25/2010 05:36 PM, Chad Sellers wrote:
> I just found a problem with /usr/bin/install. It appears that it will label
> things improperly if they have an extra / in the target name. For instance:
> 
> # install foo /usr
> # ls -lZ /usr/foo
> -rwxr-xr-x. root root system_u:object_r:usr_t:s0       /usr/foo
> 
> but
> 
> # install foo //usr
> # ls -lZ /usr/foo
> -rwxr-xr-x. root root system_u:object_r:default_t:s0       /usr/foo
> 
> The same thing goes for targets like /var/www//foo, where the // is later in
> the filename.
> 
> This appears to result from install calling matchpathcon() with the target
> passed in directly. My question is, whose responsibility should this be?
> Should matchpatchcon() scrub filenames passed into it, or should callers be
> required to pass proper filenames to matchpathcon()?
> 
> Thanks,
> Chad Sellers
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 
> 
I would expect matchpathcon to do the right thing.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkv9dhkACgkQrlYvE4MpobPv1wCgopndh1097BAaL+dSEAGj/z9g
w/8Anjmg2kDSvk4YnfEnw154O25wt1ap
=klZG
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: install giving the wrong label
  2010-05-25 21:36 install giving the wrong label Chad Sellers
  2010-05-26 19:27 ` Daniel J Walsh
@ 2010-05-27  0:42 ` Stephen Smalley
  1 sibling, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2010-05-27  0:42 UTC (permalink / raw)
  To: Chad Sellers; +Cc: SE Linux

On Tue, May 25, 2010 at 5:36 PM, Chad Sellers <csellers@tresys.com> wrote:
> I just found a problem with /usr/bin/install. It appears that it will label
> things improperly if they have an extra / in the target name. For instance:
>
> # install foo /usr
> # ls -lZ /usr/foo
> -rwxr-xr-x. root root system_u:object_r:usr_t:s0       /usr/foo
>
> but
>
> # install foo //usr
> # ls -lZ /usr/foo
> -rwxr-xr-x. root root system_u:object_r:default_t:s0       /usr/foo
>
> The same thing goes for targets like /var/www//foo, where the // is later in
> the filename.
>
> This appears to result from install calling matchpathcon() with the target
> passed in directly. My question is, whose responsibility should this be?
> Should matchpatchcon() scrub filenames passed into it, or should callers be
> required to pass proper filenames to matchpathcon()?

I suppose matchpathcon / selabel_lookup could handle the trivial cases
(e.g. duplicate /), but we don't want it to internally canonicalize
the pathname via realpath() or equivalent - leave that to the callers
(as is already done by e.g. restorecon).


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2010-05-27  0:42 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-05-25 21:36 install giving the wrong label Chad Sellers
2010-05-26 19:27 ` Daniel J Walsh
2010-05-27  0:42 ` Stephen Smalley

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.