Bug 118617 - restorecon on symlink applies wrong context
Product: Fedora
Classification: Fedora
Component: policycoreutils
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Reported: 2004-03-18 07:51 EST by Stephen Tweedie
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-03-25 00:20:34 EST
Description Stephen Tweedie 2004-03-18 07:51:20 EST
Description of problem:
"restorecon" on a symlink has entirely the wrong behaviour.  It looks
up the correct context for the symlink, but then applies that context
to the file that the symlink points to.

So, for example, "restorecon /bin/sh" will give bash the context
system_u:object_r:bin_t instead of system_u:object_r:shell_exec_t. 
This breaks all manner of things.

"restorecon -h" will work, but without -h, we do something completely
broken.  If we're going to follow the symlink when applying the
context, then we need to follow the symlink when looking up the
appropriate context, too.

"restorecon" is what people will use to fix policy, it should really
try to avoid this unexpected behaviour by default.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
# restorecon /bin/sh
# ls -lZ /bin/bash

Actual results:
-rwxr-xr-x+ root root system_u:object_r:bin_t /bin/bash

Expected results:
-rwxr-xr-x+ root root system_u:object_r:shell_exec_t /bin/bash
Comment 1 Daniel Walsh 2004-03-18 08:33:23 EST
I pulled out the handling of symlinks and made it always set the
context of the file handed to it, whether it is a symlink or a file.

-h option removed.

Available in policycoreutils-1.9-9
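
Added example (not part of the original report and not policycoreutils code): a small Python model of the mismatch described above, where the context is looked up for the symlink path but applied to the symlink's target. The rule table, the label dictionary and the function names are constructed for illustration; no real SELinux labels are read or written.

```python
import os
import re
import tempfile

BIN_T = "system_u:object_r:bin_t"
SHELL_T = "system_u:object_r:shell_exec_t"

# Constructed, simplified stand-in for file_contexts: first matching rule wins.
RULES = [(r"/bin/bash", SHELL_T), (r"/bin/.*", BIN_T)]

def lookup(policy_path):
    """Return the context the toy rule table assigns to a path string."""
    for pattern, context in RULES:
        if re.fullmatch(pattern, policy_path):
            return context
    return None

def restorecon(root, path, labels, lookup_follow, apply_follow):
    """Model one restorecon call. labels maps on-disk object -> context.
    lookup_follow / apply_follow say whether each step resolves symlinks."""
    full = os.path.join(root, path.lstrip("/"))
    resolved = os.path.realpath(full)
    lookup_obj = resolved if lookup_follow else full
    apply_obj = resolved if apply_follow else full
    policy_path = "/" + os.path.relpath(lookup_obj, root)
    labels[apply_obj] = lookup(policy_path)
    return apply_obj

def demo(lookup_follow, apply_follow):
    """Create <tmp>/bin/bash and <tmp>/bin/sh -> bash, relabel /bin/sh,
    and return the resulting (bash context, sh context)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        os.mkdir(os.path.join(root, "bin"))
        bash = os.path.join(root, "bin", "bash")
        sh = os.path.join(root, "bin", "sh")
        open(bash, "w").close()
        os.symlink("bash", sh)
        # Assumed starting state: both objects carry the expected label.
        labels = {bash: SHELL_T, sh: BIN_T}
        restorecon(root, "/bin/sh", labels, lookup_follow, apply_follow)
        return labels[bash], labels[sh]

if __name__ == "__main__":
    print("reported behaviour  :", demo(lookup_follow=False, apply_follow=True))
    print("never follow (fix)  :", demo(lookup_follow=False, apply_follow=False))
    print("follow in both steps:", demo(lookup_follow=True, apply_follow=True))
```

Only the mixed case (lookup on the link, apply through the link) changes the label on bash; either consistent choice leaves it at shell_exec_t.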
