Bug 359531
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | corrupting file context database | | |
| Product: | [Fedora] Fedora | Reporter: | Hynek Černoch <hynek> |
| Component: | policycoreutils | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 7 | | |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Current | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2008-01-21 15:42:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Hynek Černoch
2007-10-31 02:41:53 UTC
> You can remove the lines by editing
> vi /etc/selinux/targeted/modules/active/file_contexts.local
> semodule -B
> Should fix the problem. I will look into preventing \n in input.

policycoreutils-2.0.16-14.fc7

1) you wrote: "You can remove the lines by editing.."
It was necessary to edit also /etc/selinux/targeted/modules/active/file_contexts.local

2) Yes. In usernames, interfaces, transitions etc. _except filenames_ it should definitely be prevented. It may be better to transparently escape \n by \\n by libsemodule in filenames to keep the possibility to create context patterns for all filenames the kernel can handle. It is not good to pass more possibilities to hackers than to administrators.

- I have an idea for a new security feature by selinux:
- It would be useful, for additional security of many applications (especially httpd scripts and email clients), to have the capability of selinux to optionally forbid creating filenames with \n.

Please keep the possibility to write some experimental filecontext and modules, eg:

semodule fcontext -a -t insecure_name_t '.* .*'
libsemodule => file_contexts: .*\n.* system_u:object_r:insecure_name_t:s0
newmodule => something.te ... disallow ... insecure_name_t:file create;
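The two practical points in this report, rejecting a newline in a file context pattern before it is written out and finding entries that a stray newline has already split, can both be checked with a short script. The Python below is an added example written for this page; it is not code from policycoreutils, libsemanage or the reporter. It assumes only the file_contexts line layout (regex, optional file-type flag, security context, separated by whitespace), and the sample file content is constructed; `escape_pattern()` is an illustration of the reporter's escaping idea, not something libsemanage does.

```python
"""Added example: guard and audit SELinux file_contexts entries.

A file_contexts(.local) line is whitespace-separated:
    <regex> [<file type flag>] <security context>
so a pattern containing a newline is written out as two lines, one of
which is malformed and one of which may be a much broader rule than the
administrator intended.  Nothing here calls semanage or libsemanage.
"""
import re

# user:role:type with an optional MLS/MCS range (assumed context shape)
CONTEXT_RE = re.compile(r"^[A-Za-z0-9_.]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+(:\S+)?$")
FILE_TYPE_FLAGS = {"--", "-b", "-c", "-d", "-l", "-p", "-s"}
NO_CONTEXT = "<<none>>"


def validate_pattern(pattern):
    """Reject a regex that would break the line-oriented file format.

    Raises ValueError for control characters (newline included) and for
    any whitespace, because whitespace is the field separator.
    """
    if not pattern:
        raise ValueError("empty pattern")
    for ch in pattern:
        if ord(ch) < 0x20 or ch == "\x7f":
            raise ValueError(f"control character {ch!r} in pattern")
        if ch.isspace():
            raise ValueError("whitespace in pattern")
    try:
        re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"invalid regex: {exc}") from exc
    return pattern


def is_safe_pattern(pattern):
    """Boolean wrapper around validate_pattern()."""
    try:
        validate_pattern(pattern)
    except ValueError:
        return False
    return True


def escape_pattern(pattern):
    """Reporter's alternative (illustration): write a literal newline as the
    regex escape \\n, which still matches a newline in a file name while
    the stored line stays on one line."""
    return pattern.replace("\n", "\\n")


def parse_entry(line):
    """Parse one file_contexts line into (regex, flag, context)."""
    fields = line.split()
    if len(fields) == 2:
        regex, flag, ctx = fields[0], None, fields[1]
    elif len(fields) == 3 and fields[1] in FILE_TYPE_FLAGS:
        regex, flag, ctx = fields
    else:
        raise ValueError("wrong number of fields")
    if ctx != NO_CONTEXT and not CONTEXT_RE.match(ctx):
        raise ValueError(f"bad security context {ctx!r}")
    try:
        re.compile(regex)
    except re.error as exc:
        raise ValueError(f"invalid regex: {exc}") from exc
    return regex, flag, ctx


def find_corrupt_entries(text):
    """Return [(line_no, line, reason)] for every line that does not parse.

    Blank lines and comments are skipped.  A newline smuggled into a
    pattern typically shows up here as a one-field line.
    """
    bad = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            parse_entry(line)
        except ValueError as exc:
            bad.append((lineno, line, str(exc)))
    return bad


# Constructed sample: what file_contexts.local looks like after a pattern
# containing "\n" was accepted unchecked (lines 3 and 4 came from one entry).
SAMPLE = """\
# constructed file_contexts.local
/srv/www(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/home/user/evil
.*    system_u:object_r:insecure_name_t:s0
/var/tmp/x    -d    system_u:object_r:tmp_t:s0
"""

if __name__ == "__main__":
    for lineno, line, reason in find_corrupt_entries(SAMPLE):
        print(f"line {lineno}: {reason}: {line!r}")
    # The second half of the split entry parses cleanly, which is why the
    # check belongs at input time: is_safe_pattern() rejects it up front.
    print("newline pattern accepted:", is_safe_pattern("/home/user/evil\n.*"))
    print("escaped instead:", escape_pattern("/home/user/evil\n.*"))
```

Running it against the constructed sample reports only the one-field line; the `.*` half that follows it is a well-formed entry, so an audit of the file alone cannot tell it apart from a rule an administrator meant to write. That is the case for validating (or escaping) the pattern when it is entered rather than relying on a later scan.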