libselinux: compare absolute pathname in matchpathcon -V

Message ID	1466431818-20937-1-git-send-email-plautrba@redhat.com (mailing list archive)
State	Not Applicable
Headers	show Return-Path: <selinux-bounces@tycho.nsa.gov> IronPort-PHdr: =?us-ascii?q?9a23=3Atp7sYhdPV+6tWGpX/wN2GM5VlGMj4u6mDksu8pMi?= =?us-ascii?q?zoh2WeGdxc6/Yh7h7PlgxGXEQZ/co6odzbGG4uaxBCdfsN6oizMrTt9lb1c9k8?= =?us-ascii?q?IYnggtUoauKHbQC7rUVRE8B9lIT1R//nu2YgB/Ecf6YEDO8DXptWZBUiv2OQc9?= =?us-ascii?q?HOnpAIma153xjLDjvcyOKFoZzBOGIppMbzyO5T3LsccXhYYwYo0Q8TDu5kVyRu?= =?us-ascii?q?JN2GlzLkiSlRuvru25/Zpk7jgC86l5r50IbL/+N5gcYfQYSW1+cjN92Mq+rhTH?= =?us-ascii?q?TA2S9lMAQ24WlVxOGAGD4xbkDbnrtS6vjudhwmG+NNDqV7o9UjTqu79vQQL0ki?= =?us-ascii?q?0OHyQ0/GHelop7i6cN80HpnAB234OBONLdD/F5ZK6IOIpCSA=3D=3D?= IronPort-PHdr: =?us-ascii?q?9a23=3AHuIEux1AM/xLVIDKsmDT+DRfVm0co7zxezQtwd8Z?= =?us-ascii?q?segSK/ad9pjvdHbS+e9qxAeQG96LurQV1qGI7OjJYi8p39WoiDg6aptCVhsI24?= =?us-ascii?q?09vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6kO74TNaIBjjLw09?= =?us-ascii?q?fr2zQd6DyZXqnL7ts7ToICx2xxOFKYtoKxu3qQiD/uI3uqBFbpgL9x3Sv3FTcP?= =?us-ascii?q?5Xz247bXianhL7+9vitMU7q3cY6Lod8JtbXKH7ebkoZaBJBzQhdWYu7YvksgeQ?= =?us-ascii?q?YxGI4y4kX3kM2j5BHhTf5hjxXt+lqi/zq/Zn0iCyJ8D6TbkoHz+l6vE4G1fTlC?= =?us-ascii?q?4bOmthoynsgctqgfcDrQ=3D=3D?= From: Petr Lautrbach <plautrba@redhat.com> To: selinux@tycho.nsa.gov Subject: [PATCH] libselinux: compare absolute pathname in matchpathcon -V Date: Mon, 20 Jun 2016 16:10:18 +0200 Message-Id: <1466431818-20937-1-git-send-email-plautrba@redhat.com> Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>

Message ID

1466431818-20937-1-git-send-email-plautrba@redhat.com (mailing list archive)

State

Not Applicable

Headers

IronPort-PHdr: =?us-ascii?q?9a23=3Atp7sYhdPV+6tWGpX/wN2GM5VlGMj4u6mDksu8pMi?=
	=?us-ascii?q?zoh2WeGdxc6/Yh7h7PlgxGXEQZ/co6odzbGG4uaxBCdfsN6oizMrTt9lb1c9k8?=
	=?us-ascii?q?IYnggtUoauKHbQC7rUVRE8B9lIT1R//nu2YgB/Ecf6YEDO8DXptWZBUiv2OQc9?=
	=?us-ascii?q?HOnpAIma153xjLDjvcyOKFoZzBOGIppMbzyO5T3LsccXhYYwYo0Q8TDu5kVyRu?=
	=?us-ascii?q?JN2GlzLkiSlRuvru25/Zpk7jgC86l5r50IbL/+N5gcYfQYSW1+cjN92Mq+rhTH?=
	=?us-ascii?q?TA2S9lMAQ24WlVxOGAGD4xbkDbnrtS6vjudhwmG+NNDqV7o9UjTqu79vQQL0ki?=
	=?us-ascii?q?0OHyQ0/GHelop7i6cN80HpnAB234OBONLdD/F5ZK6IOIpCSA=3D=3D?=
IronPort-PHdr: =?us-ascii?q?9a23=3AHuIEux1AM/xLVIDKsmDT+DRfVm0co7zxezQtwd8Z?=
	=?us-ascii?q?segSK/ad9pjvdHbS+e9qxAeQG96LurQV1qGI7OjJYi8p39WoiDg6aptCVhsI24?=
	=?us-ascii?q?09vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6kO74TNaIBjjLw09?=
	=?us-ascii?q?fr2zQd6DyZXqnL7ts7ToICx2xxOFKYtoKxu3qQiD/uI3uqBFbpgL9x3Sv3FTcP?=
	=?us-ascii?q?5Xz247bXianhL7+9vitMU7q3cY6Lod8JtbXKH7ebkoZaBJBzQhdWYu7YvksgeQ?=
	=?us-ascii?q?YxGI4y4kX3kM2j5BHhTf5hjxXt+lqi/zq/Zn0iCyJ8D6TbkoHz+l6vE4G1fTlC?=
	=?us-ascii?q?4bOmthoynsgctqgfcDrQ=3D=3D?=
From: Petr Lautrbach <plautrba@redhat.com>
To: selinux@tycho.nsa.gov
Subject: [PATCH] libselinux: compare absolute pathname in matchpathcon -V
Date: Mon, 20 Jun 2016 16:10:18 +0200
Message-Id: <1466431818-20937-1-git-send-email-plautrba@redhat.com>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>

Commit Message

Petr Lautrbach June 20, 2016, 2:10 p.m. UTC

filepath needs to be resolved first in order to be correctly found by
selabel_lookup_raw()

Fixes:
$ matchpathcon -V passwd
passwd has context system_u:object_r:passwd_file_t:s0, should be
system_u:object_r:passwd_file_t:s0

$ echo $?
1

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 libselinux/src/matchpathcon.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

Comments

Stephen Smalley June 23, 2016, 5:06 p.m. UTC | #1

On 06/20/2016 10:10 AM, Petr Lautrbach wrote:
> filepath needs to be resolved first in order to be correctly found by
> selabel_lookup_raw()
> 
> Fixes:
> $ matchpathcon -V passwd
> passwd has context system_u:object_r:passwd_file_t:s0, should be
> system_u:object_r:passwd_file_t:s0
> 
> $ echo $?
> 1
> 
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>

Thanks, applied.

> ---
>  libselinux/src/matchpathcon.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
> index 3868711..a2f2c3e 100644
> --- a/libselinux/src/matchpathcon.c
> +++ b/libselinux/src/matchpathcon.c
> @@ -471,6 +471,17 @@ int selinux_file_context_verify(const char *path, mode_t mode)
>  	char * con = NULL;
>  	char * fcontext = NULL;
>  	int rc = 0;
> +	char stackpath[PATH_MAX + 1];
> +	char *p = NULL;
> +
> +	if (S_ISLNK(mode)) {
> +		if (!realpath_not_final(path, stackpath))
> +			path = stackpath;
> +	} else {
> +		p = realpath(path, stackpath);
> +		if (p)
> +			path = p;
> +	}
>  
>  	rc = lgetfilecon_raw(path, &con);
>  	if (rc == -1) {
>

diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 3868711..a2f2c3e 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -471,6 +471,17 @@  int selinux_file_context_verify(const char *path, mode_t mode)
 	char * con = NULL;
 	char * fcontext = NULL;
 	int rc = 0;
+	char stackpath[PATH_MAX + 1];
+	char *p = NULL;
+
+	if (S_ISLNK(mode)) {
+		if (!realpath_not_final(path, stackpath))
+			path = stackpath;
+	} else {
+		p = realpath(path, stackpath);
+		if (p)
+			path = p;
+	}
 
 	rc = lgetfilecon_raw(path, &con);
 	if (rc == -1) {

libselinux: compare absolute pathname in matchpathcon -V

Commit Message

Comments

Patch