Bug#786435: dpkg: SELinux label not properly set for file that have a dpkg-statoverride entry

Thu, 21 May 2015 10:16:02 -0700 

Package: dpkg
Version: 1.18.0
Severity: important
User: [email protected]
Usertags: selinux

Hi,

When the dbus package is installed, it seems that the SELinux label for
/usr/lib/dbus-1.0/dbus-daemon-launch-helper is not properly set.

Investigating a bit further it seem that dpkg_selabel_set_context() is
immediately exiting the function in the following test:

        if ((mode & S_IFMT) == 0)
                return;

When installing the dbus package, gdb shows:

Breakpoint 1, dpkg_selabel_set_context (matchpath=0x2ad6500 
"/usr/lib/dbus-1.0/dbus-daemon-launch-helper", path=0x29d38b0 
"/usr/lib/dbus-1.0/dbus-daemon-launch-helper.dpkg-new", mode=2540)

The file is setuid with the following dpkg-statoverride call:

dpkg-statoverride --update --add  root "messagebus" 4754 
"/usr/lib/dbus-1.0/dbus-daemon-launch-helper"

So it seems that the "mode" for files that have a statoverride entry is not
containing the type of the file, but only the permissions. I can confirm that
if I'm removing the override and reinstalling the package. I then get:

Breakpoint 1, dpkg_selabel_set_context (matchpath=0x24a1500 
"/usr/lib/dbus-1.0/dbus-daemon-launch-helper", path=0x239e8b0 
"/usr/lib/dbus-1.0/dbus-daemon-launch-helper.dpkg-new", mode=33261)

I guess that the proper fix is to set the file type in the "mode" variable in
all situation.

Cheers,

Laurent Bigonville

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dpkg depends on:
ii  libbz2-1.0   1.0.6-8
ii  libc6        2.19-18
ii  liblzma5     5.1.1alpha+20120614-2+b3
ii  libselinux1  2.3-2
ii  tar          1.27.1-2+b1
ii  zlib1g       1:1.2.8.dfsg-2+b1

dpkg recommends no packages.

Versions of packages dpkg suggests:
ii  apt  1.0.9.9

-- no debconf information


-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to