selinux.Chcon should check legal rather than just label.Relabel #181
Conversation
Since label.Relabel ends up calling into selinux.chcon, we should do the check for invalid directories under chcon. This will allow the selinux.Chcon function to also be verified.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
```go
if home := os.Getenv("HOME"); home != "" {
	exclude_paths[home] = true
}

if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
	if usr, err := user.Lookup(sudoUser); err == nil {
		exclude_paths[usr.HomeDir] = true
	}
}
```
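Review bot: the `$HOME` value goes into `exclude_paths` exactly as it comes from the environment, so a `HOME` with a trailing slash, a relative path, or a `.`/`..` component (`/home/alice/`, `./home`) will not compare equal to the cleaned path that later reaches the check, and the exclusion silently does nothing; store `filepath.Clean(home)` and skip values that are not absolute (`filepath.IsAbs`), and do the same for `usr.HomeDir`. In the `SUDO_USER` branch a failed `user.Lookup` drops the exclusion without any trace; at least a debug log would make that visible. Minor style point: `exclude_paths` is snake_case, which golint flags in Go; `excludePaths` is the idiomatic name.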
Will this part bring back the issue you ran into that you were trying to solve in #180?
But some users put home directories under /usr, and I see no reason to block them from relabeling.
No, #180 was blocking /usr/*.
Now we are just blocking /usr or $HOME, not $HOME/*.
Ah, gotcha!
LGTM, thanks!
LGTM
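The semantics agreed in the thread (block an exact match on `/usr` or a home directory, never their children) and the PR's point of putting the check in the `Chcon` entry point so every caller is covered, worked through as an added Go example. This is illustrative code, not the go-selinux project's own: `excludedPaths`, `checkRelabelPath`, `chcon`, the injected `Environ`/`HomeLookup` types and the sample environment values are all assumptions made here so the check runs offline. It goes beyond the diff above in one respect: paths are cleaned and non-absolute values ignored, so `/usr/` and `/home/alice/` compare equal to their canonical forms.

```go
package main

import (
	"errors"
	"fmt"
	"os/user"
	"path/filepath"
)

// ErrInvalidPath is returned for directories that must never be relabeled wholesale.
var ErrInvalidPath = errors.New("relabeling of this path is not allowed")

// Environ and HomeLookup are injection points (an assumption of this example)
// so the check can be exercised without touching the real environment or NSS.
type Environ func(key string) string
type HomeLookup func(username string) (string, error)

// realHomeLookup resolves a user name to a home directory via os/user.
func realHomeLookup(name string) (string, error) {
	u, err := user.Lookup(name)
	if err != nil {
		return "", err
	}
	return u.HomeDir, nil
}

// excludedPaths builds the set of directories that may not be relabeled as a
// whole: /usr, $HOME and the home of $SUDO_USER (the entries shown on this
// page). Values are cleaned so "/usr/" and "/usr" compare equal, and values
// that are not absolute are ignored rather than stored verbatim.
func excludedPaths(getenv Environ, lookup HomeLookup) map[string]bool {
	excl := map[string]bool{"/usr": true}
	if home := getenv("HOME"); home != "" && filepath.IsAbs(home) {
		excl[filepath.Clean(home)] = true
	}
	if sudoUser := getenv("SUDO_USER"); sudoUser != "" {
		if home, err := lookup(sudoUser); err == nil && filepath.IsAbs(home) {
			excl[filepath.Clean(home)] = true
		}
	}
	return excl
}

// checkRelabelPath rejects only an exact match on an excluded directory;
// children such as /usr/local or $HOME/project pass, matching the
// "/usr or $HOME, not $HOME/*" semantics from the thread.
func checkRelabelPath(path string, excl map[string]bool) error {
	if excl[filepath.Clean(path)] {
		return fmt.Errorf("%w: %s", ErrInvalidPath, path)
	}
	return nil
}

// chcon is a stand-in for the Chcon entry point: the check runs here, before
// any relabeling, so a Relabel-style wrapper that calls chcon is covered by
// the same check. relabel is the actual labeling step, injected for the example.
func chcon(path, label string, excl map[string]bool, relabel func(p, l string) error) error {
	if err := checkRelabelPath(path, excl); err != nil {
		return err
	}
	return relabel(path, label)
}

func main() {
	// Constructed sample environment; no real users or directories are consulted.
	fakeEnv := func(k string) string {
		switch k {
		case "HOME":
			return "/home/alice/" // trailing slash on purpose
		case "SUDO_USER":
			return "bob"
		}
		return ""
	}
	fakeLookup := func(name string) (string, error) {
		if name == "bob" {
			return "/home/bob", nil
		}
		return "", errors.New("no such user")
	}
	excl := excludedPaths(fakeEnv, fakeLookup)
	for _, p := range []string{"/usr", "/usr/", "/usr/local", "/home/alice", "/home/alice/src", "/home/bob"} {
		fmt.Printf("%-18s %v\n", p, checkRelabelPath(p, excl))
	}
	_ = realHomeLookup // real resolver, unused in this offline demonstration
}
```

In production the `Environ`/`HomeLookup` arguments would be `os.Getenv` and `realHomeLookup`; the injected versions exist only so the behaviour is deterministic and testable.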