libselinux: fix selabel_lookup*() double slash bug
As originally reported in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863854
, "systemd-hwdb --usr update" was assigning /lib/udev/hwdb.bin the
wrong security context. This turned out to be a result of systemd-hwdb
calling selabel_lookup_raw() with a path with a leading double slash
(//lib/udev/hwdb.bin). While the selabel file backend already removes
duplicate slashes, this was occurring after any substitution matching
and replacement had occurred in the generic selabel frontend, and thus
the double slash was still preventing the /lib -> /usr/lib substitution
specified by file_contexts.subs_dist from occurring. As a consequence,
the final path (/lib/udev/hwdb.bin) used to look up did not match the
/usr/lib/udev/[^/]* entry in file_contexts.
There were two options for resolving:
1) move the double slash removal to the selabel frontend code before
substitutions, or
2) move the substitution processing to the selabel file backend code
after double slash removal.
Since substitutions are currently only supported for the file backend,
and since the slash character may have no particular meaning in the
keys for other backends, it seems more correct to do the latter.
This has the advantage of taking all of the substitution data
structures and code private to the selabel file backend.
Test case:
Compare the output of:
selabel_lookup -r -b file -k //lib/udev/hwdb.bin
versus:
selabel_lookup -r -b file -k /lib/udev/hwdb.bin
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863854
Reported-by: Russell Coker <russell@coker.com.au>
Reported-by: Michael Biebl <biebl@debian.org>
Reported-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
4 files changed