From patchwork Mon Jun 20 14:10:18 2016
X-Patchwork-Submitter: Petr Lautrbach
X-Patchwork-Id: 9187701
From: Petr Lautrbach
To: selinux@tycho.nsa.gov
Subject: [PATCH] libselinux: compare absolute pathname in matchpathcon -V
Date: Mon, 20 Jun 2016 16:10:18 +0200
Message-Id: <1466431818-20937-1-git-send-email-plautrba@redhat.com>

filepath needs to be resolved first in order to be correctly found by
selabel_lookup_raw()

Fixes:
$ matchpathcon -V passwd
passwd has context system_u:object_r:passwd_file_t:s0, should be
system_u:object_r:passwd_file_t:s0
$ echo $?
1

Signed-off-by: Petr Lautrbach

---
 libselinux/src/matchpathcon.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c index 3868711..a2f2c3e 100644 --- a/libselinux/src/matchpathcon.c +++ b/libselinux/src/matchpathcon.c @@ -471,6 +471,17 @@ int selinux_file_context_verify(const char *path, mode_t mode) char * con = NULL; char * fcontext = NULL; int rc = 0; + char stackpath[PATH_MAX + 1]; + char *p = NULL; + + if (S_ISLNK(mode)) { + if (!realpath_not_final(path, stackpath)) + path = stackpath; + } else { + p = realpath(path, stackpath); + if (p) + path = p; + } rc = lgetfilecon_raw(path, &con); if (rc == -1) {
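
Review bot: in the else branch, realpath() also resolves the final path component, so when a caller passes a mode without S_IFLNK for a path that is in fact a symlink, the following lgetfilecon_raw(path, &con) reads the label of the link target rather than of the link itself, which is what it read before this change. Choosing the branch from the caller-supplied mode alone is fragile; consider an lstat() on path to decide between realpath_not_final() and realpath(), or document that mode must carry the file type. Both branches also fall back silently to the unresolved path when resolution fails (realpath() returning NULL, realpath_not_final() returning non-zero), so the lookup then proceeds with the same relative path as before the patch; returning an error there, or a comment stating that the fallback is intended, would make that behaviour explicit.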