On Fri, 2007-11-30 at 17:24 +0000, Martin Orr wrote:
> On 30/11/07 15:55, Christopher J. PeBenito wrote:
> > On Fri, 2007-11-30 at 16:30 +0100, Václav Ovsík wrote:
> >> On Fri, Nov 30, 2007 at 09:38:33AM -0500, Christopher J. PeBenito wrote:
> >>>> Corresponding code is in udev_node.c, function node_symlink().
> >>>>     if (strcmp(target, buf) == 0) {
> >>>>         info("preserve already existing symlink '%s' to '%s'", slink,
> >>>>              target);
> >>>>         selinux_setfilecon(slink, NULL, S_IFLNK);
> >>>>         goto exit;
> >>>>     }
> >>> I'll add the rule. Perhaps someone should send up a patch to remove the
> >>> setfilecon, and update the info message.
> >> Do you mean to compare the context of the symlink and do no setfilecon if it is
> >> ok?
> >
> > Yes. Unless there's a good reason to keep it as-is that I don't know
> > about.
>
> Well I'll send a patch to udev. Should it just be the below, or should udev
> be relabelling symlinks if it finds that they exist but are wrongly
> labelled? How do I test for equality of security contexts?
>
> --- a/udev_node.c
> +++ b/udev_node.c
> @@ -146,7 +146,6 @@ static int node_symlink(const char *node, const char *slink)
>  buf[len] = '\0';
>  if (strcmp(target, buf) == 0) {
>  info("preserve already existing symlink '%s' to '%s'", slink, target);
> - selinux_setfilecon(slink, NULL, S_IFLNK);
>  goto exit;
>  }
>  }

Yes, that's what I was thinking.

Since the function is node_symlink(), I'm guessing there is a similar
function for char and block node, etc? Those should be checked to make sure
they don't do unneeded relabeling too.

--
Chris PeBenito <pebenito@xxxxxxxxxx>
Developer, Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
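Review bot: Dropping the `selinux_setfilecon(slink, NULL, S_IFLNK)` line unconditionally means a pre-existing symlink that carries the wrong label is now left wrong, which is exactly the case the covering text asks about ("should udev be relabelling symlinks if it finds that they exist but are wrongly labelled?"). Rather than removing the call, consider fetching the symlink's current context, looking up the expected one for `slink` as an `S_IFLNK`, and calling setfilecon only when the two differ; that avoids the unneeded relabel (and the AVC denial it triggers under policy) without silently preserving a bad label. The hunk also leaves the "preserve already existing symlink" info message untouched, although the earlier reply asked for it to be updated alongside the setfilecon change.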
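The question in the quoted reply, how to test two security contexts for equality before deciding whether to relabel, is answered below with an added example. It is not udev's code and was not posted by anyone in this thread. A file context has the shape `user:role:type[:range]`, and libselinux's selinux_file_context_cmp(3) compares two of them ignoring the user field; the comparison below reproduces that rule in plain C so it runs without libselinux. In the real node_symlink() path the current context would come from lgetfilecon(3) and the expected one from matchpathcon(3) or selabel_lookup(3) for the path as an `S_IFLNK`; here both are passed in as strings, and the type names in the samples are constructed.

```c
/* Added example (not udev code): relabel an existing symlink only when its
 * SELinux context is actually wrong.  Contexts are "user:role:type[:range]";
 * as selinux_file_context_cmp(3) does, the user field is ignored.  The
 * current and expected contexts are supplied as strings (in udev they would
 * come from lgetfilecon(3) and matchpathcon(3)/selabel_lookup(3)). */
#include <stdio.h>
#include <string.h>

struct secctx {
    const char *role;  size_t role_len;
    const char *type;  size_t type_len;
    const char *range; size_t range_len;   /* empty when there is no MLS range */
};

/* Parse "user:role:type[:range]".  Everything after the third colon is the
 * range, since an MLS range such as "s0-s0:c0.c1023" contains colons itself.
 * Returns 0 on success, -1 if the string is malformed. */
static int parse_context(const char *ctx, struct secctx *out)
{
    const char *p = ctx;
    const char *colon;

    colon = strchr(p, ':');                 /* skip the user field */
    if (colon == NULL)
        return -1;
    p = colon + 1;

    colon = strchr(p, ':');                 /* role */
    if (colon == NULL || colon == p)
        return -1;
    out->role = p;
    out->role_len = (size_t)(colon - p);
    p = colon + 1;

    colon = strchr(p, ':');                 /* type, optionally followed by range */
    if (colon == NULL) {
        if (*p == '\0')
            return -1;
        out->type = p;
        out->type_len = strlen(p);
        out->range = "";
        out->range_len = 0;
    } else {
        if (colon == p)
            return -1;
        out->type = p;
        out->type_len = (size_t)(colon - p);
        out->range = colon + 1;
        out->range_len = strlen(colon + 1);
    }
    return 0;
}

static int field_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    return alen == blen && memcmp(a, b, alen) == 0;
}

/* 1 if the contexts match ignoring the user field; 0 if they differ or if
 * either is malformed (a malformed label is never "already correct"). */
int contexts_match(const char *current, const char *expected)
{
    struct secctx a, b;

    if (parse_context(current, &a) != 0 || parse_context(expected, &b) != 0)
        return 0;
    return field_eq(a.role, a.role_len, b.role, b.role_len)
        && field_eq(a.type, a.type_len, b.type, b.type_len)
        && field_eq(a.range, a.range_len, b.range, b.range_len);
}

/* The decision node_symlink() would make for a symlink that already points
 * at the right target: 1 means a setfilecon is needed, 0 means leave it. */
int symlink_needs_relabel(const char *current, const char *expected)
{
    return !contexts_match(current, expected);
}

int main(void)
{
    /* Constructed sample contexts; the type names are hypothetical. */
    const char *expected = "system_u:object_r:device_t:s0";
    const char *samples[] = {
        "system_u:object_r:device_t:s0",   /* identical: keep */
        "root:object_r:device_t:s0",       /* only the user differs: keep */
        "system_u:object_r:tmp_t:s0",      /* wrong type: relabel */
        "system_u:object_r:device_t",      /* range missing: relabel */
        "garbage",                         /* malformed: relabel */
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-35s -> %s\n", samples[i],
               symlink_needs_relabel(samples[i], expected) ? "relabel" : "keep");
    return 0;
}
```

The same comparison applies to the char and block node functions mentioned in the reply: look up the expected label for the path with the node's mode, compare, and relabel only on mismatch.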