In permissive mode, calling restorecon with a bad label in file_contexts does not verify the label's existence in the loaded policy. This results in any label successfully applying to a file, as long as the file exists.

This issue has two assumptions:

1) file_contexts must be manually updated with the invalid label. Running `semanage fcontext` will error when attempting to add an invalid label to file_contexts.

2) the system must be in permissive.

Although applying an invalid label in enforcing gives an error and fails, successfully labeling a file with a bad label could cause issues during policy development in permissive.

Instead of the current behavior, mimic setfiles' -c flag, and verify the labels against the loaded policy binary.

Behavior before patch:

$ sudo -s
$ setenforce 0
$ echo '/test.txt -- system_u:object_r:foo_bar_baz:s0' >> /etc/selinux/targeted/contexts/files/file_contexts
$ restorecon -v /test.txt
Relabeled /test.txt from system_u:object_r:etc_runtime_t:s0 to system_u:object_r:foo_bar_baz:s0

Behavior after patch:

$ sudo -s
$ setenforce 0
$ echo '/test.txt -- system_u:object_r:foo_bar_baz:s0' >> /etc/selinux/targeted/contexts/files/file_contexts
$ restorecon -v /test.txt
restorecon: /etc/selinux/targeted/contexts/files/file_contexts: line 6123 has invalid context system_u:object_r:foo_bar_baz:s0
Invalid argument

Signed-off-by: Yuli Khodorkovskiy <ykhodo@xxxxxxxxx>
---
 policycoreutils/setfiles/setfiles.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index bc83c27b..ce1e4324 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -217,7 +217,7 @@ int main(int argc, char **argv) * Do not abort on errors during the file tree walk, * Do not try to track inode associations for conflict detection, * Follows mounts, - * Does lazy validation of contexts upon use. + * Validates all file contexts at init time. */ if (strcmp(base, RESTORECON)) fprintf(stderr, "Executed with unrecognized name (%s), defaulting to %s behavior.\n", @@ -230,7 +230,7 @@ int main(int argc, char **argv) r_opts.add_assoc = 0; r_opts.xdev = 0; r_opts.ignore_mounts = 0; - ctx_validate = 0; + ctx_validate = 1; opts = ropts; /* restorecon only: silent exit if no SELinux. -- 2.14.3
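Review bot: On the first hunk (the comment block at line 217), "Validates all file contexts at init time." understates the consequence and sits directly under "Do not abort on errors during the file tree walk", which invites the reading that a bad entry is just skipped. Since the commit message shows the run terminating with "Invalid argument" before any file is touched, state that in the comment, for example "Validates all file contexts at init time and exits on an invalid context.", so the restorecon/setfiles behaviour summary stays accurate.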
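Review bot: On the second hunk (line 230), flipping `ctx_validate = 0;` to `ctx_validate = 1;` makes the check unconditional rather than opt-in like the setfiles -c flag the commit message cites, and the "Behavior after patch" output shows the whole run failing on one stale line (6123) before any relabeling happens. That is a compatibility change for every caller of restorecon, including boot-time relabel paths running in permissive mode where file_contexts and the loaded policy can legitimately differ during policy development, the exact scenario the message says it wants to protect. Please either document the new fail-fast behaviour explicitly in the commit message (and reword the -c comparison, since no flag is added), or consider reporting the invalid entry and continuing, so that one bad file_contexts line cannot disable relabeling for unrelated paths.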