Re: [PATCH v2 0/2] restorecon context validation improvement

On Wed, Mar 28, 2018 at 8:40 PM, Yuli Khodorkovskiy wrote: > In permissive, if a bad label is written to a file_context file, > restorecon will not verify the label before succesfully applying the > context. These patches fix validation of labels during restorecon > while not

[PATCH v2 2/2] libselinux: echo line number of bad label in selabel_fini()

Keep track of line numbers for each file context in selabel_handle. If an error occurs in selabel_fini(), the line number of an invalid file context is echoed to the user. Signed-off-by: Yuli Khodorkovskiy --- libselinux/src/label.c | 2 +- libselinux/src/label_file.h

[PATCH v2 0/2] restorecon context validation improvement

In permissive, if a bad label is written to a file_context file, restorecon will not verify the label before succesfully applying the context. These patches fix validation of labels during restorecon while not breaking current behavior of lazy validation. Yuli Khodorkovskiy (2): libselinux:

[PATCH v2 1/2] libselinux: verify file_contexts when using restorecon

In permissive mode, calling restorecon with a bad label in file_contexts does not verify the label's existence in the loaded policy. This results in any label successfully applying to a file, as long as the file exists. This issue has two assumptions: 1) file_contexts must be manually updated