Issue: # semodule -B
# ls -lZ /etc/selinux/targeted/contexts/files
-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 421397 Jul 11 09:57 file_contexts
-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 593470 Jul 11 09:57 file_contexts.bin
-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 14704 Jul 11 09:57 file_contexts.homedirs
-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 20289 Jul 11 09:57 file_contexts.homedirs.bin
SELinux user changed from system_u to the user used to execute semodule
Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>
---
 libsemanage/src/semanage_store.c | 24 +++++++++++++++++++++++-
 libsemanage/src/semanage_store.h | 1 +
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index 27c5d349..694c1519 100644
--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
@@ -731,7 +731,9 @@ int semanage_copy_file(const char *src, const char *dst, mode_t mode,
 if (!mode)
 mode = S_IRUSR | S_IWUSR;
-
+
+ semanage_setfscreatecon(src);
+
 mask = umask(0);
 if ((out = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, mode)) == -1) {
 umask(mask);
@@ -812,6 +814,7 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag)
 }
 if (stat(dst, &sb) != 0) {
+ semanage_setfscreatecon(src);
 mask = umask(0077);
 if (mkdir(dst, S_IRWXU) != 0) {
 umask(mask);
@@ -831,6 +834,7 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag)
 snprintf(path2, sizeof(path2), "%s/%s", dst, names[i]->d_name);
 if (S_ISDIR(sb.st_mode)) {
 mask = umask(0077);
+ semanage_setfscreatecon(path);
 if (mkdir(path2, 0700) == -1 ||
 semanage_copy_dir_flags(path, path2, flag) == -1) {
 umask(mask);
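Review bot: The create context set by `semanage_setfscreatecon(src)` just before `open(tmp, …)` is never cleared, whereas the `umask` right next to it is saved and restored; the context stays in effect for this thread after the copy, so anything the library or the calling program creates later without setting its own context inherits the label of the last copied store file. Mirror the umask handling: keep the `open()` call as is and add `setfscreatecon_raw(NULL);` directly after it, before the `== -1` test, so it runs on both the success and the failure path. The helper's return value is also dropped here, so a failed `setfscreatecon_raw()` silently leaves the sandbox file with the default label, which is the very problem the commit sets out to fix; if this function has no handle for an ERR() message, at least propagate the failure to the caller. semanage_copy_file's body continues beyond this hunk.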
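Review bot: `semanage_setfscreatecon(src)` is placed before `mask = umask(0077)` here but after it in the following hunk, and in neither place is the context reset once `mkdir()` has run; pick one ordering and pair the call with `setfscreatecon_raw(NULL);` right after `mkdir(dst, S_IRWXU)`, next to the existing `umask(mask)` restore, so the store directory's label does not leak into later file creations by the same thread. Discarding the helper's return also makes a failed context switch indistinguishable from success: the directory is then created with the default label and the mislabeling the commit describes persists without any diagnostic. The enclosing function semanage_copy_dir_flags starts and ends outside this hunk.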
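Review bot: The context taken from `path` before `mkdir(path2, 0700)` is still active while `semanage_copy_dir_flags(path, path2, flag)` recurses and when the loop moves on to the next directory entry; whether every later creation on this path sets its own context cannot be confirmed from the hunk, since the `else` branch for non-directory entries lies outside it. Add `setfscreatecon_raw(NULL);` once the mkdir-and-recurse step is done, and treat a negative return from `semanage_setfscreatecon(path)` like a failed `mkdir()` (restore the umask and take the same error path) instead of ignoring it. The loop body and the surrounding function continue outside this hunk.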
@@ -952,6 +956,24 @@ cleanup:
 return status;
 }
+/* Get file context of "path" and use it for the next file to be created.
+ * To be used for creating a sandbox labeled the same as the original SELinux store */
+int semanage_setfscreatecon(const char *path)
+{
+ int status = 0;
+ char *fcontext_raw = NULL;
+
+ if (getfilecon(path, &fcontext_raw) < 0){
+ fcontext_raw = NULL;
+ }
+
+ status = setfscreatecon_raw(fcontext_raw);
+
+ freecon(fcontext_raw);
+
+ return status;
+}
+
 /********************* sandbox management routines *********************/
 /* Creates a sandbox for a single client. Returns 0 if a
diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
index 1fc77da8..135e6ac6 100644
--- a/libsemanage/src/semanage_store.h
+++ b/libsemanage/src/semanage_store.h
@@ -124,6 +124,7 @@ int semanage_get_cil_paths(semanage_handle_t * sh, semanage_module_info_t *modin
 int semanage_get_active_modules(semanage_handle_t *sh, semanage_module_info_t **modinfo, int *num_modules);
+int semanage_setfscreatecon(const char *path);
 /* lock file routines */
 int semanage_get_trans_lock(semanage_handle_t * sh);
-- 2.43.0
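Review bot: `getfilecon()` returns a translated context, yet the result is handed to `setfscreatecon_raw()`; on a system where mcstransd translates MLS/MCS ranges the string passed to the kernel is the human-readable form, which the kernel rejects, so the call fails and the sandbox silently falls back to the default label — use `getfilecon_raw(path, &fcontext_raw)` instead (the variable is already named raw). The header comment also understates the side effect: the context applies to every file the calling thread creates until it is reset, not only to "the next file", so state that and name the reset, e.g. `/* The context stays in effect for the calling thread until setfscreatecon_raw(NULL); callers must reset it once the file has been created. */`. Finally, a failing `getfilecon()` is folded into a reset to the default context with its errno discarded; that is a sensible fallback for ENOTSUP/ENODATA, but EACCES or ENOENT on the store path would be better reported than turned into a quietly mislabeled sandbox.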