Bug 127361 – vim breaks SELinux contexts for symlinks

Bug 127361 - vim breaks SELinux contexts for symlinks

Summary:	vim breaks SELinux contexts for symlinks

Status:	CLOSED RAWHIDE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	vim (Show other bugs)
Sub Component:
Version:	2
Hardware:	i686 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Karsten Hopp
QA Contact:	David Lawrence
Docs Contact:

URL:
Whiteboard:
Keywords:	SELinux

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2004-07-07 00:18 EDT by Tom London
Modified:	2007-11-30 17:10 EST (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2004-07-12 06:50:22 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Tom London 2004-07-07 00:18:18 EDT

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040510

Description of problem:
The patch added to have vim maintain SELinux contexts does not work if
the file being edited is a symlink.

In that case, a backup file is created and the context of the backup
is given to the final file (not the context of the original file).

For example, suppose you a file 'file1' with context
'system_u:object_r:initrc_exec_t'. If you edit the file,
it remains with that context.

Suppose you have a symbolic link 'symlink1' to that file with
context 'system_u;object_r:etc_t'. If you edit the symlink (file),
'file1' now has a different context, something like
'root:object_r:etc_t' (the type depends on the path, not on the
context of the symlink).

Version-Release number of selected component (if applicable):
vim-enhanced-6.2.457-1 (and vim-enhanced-6.3.011-2)

How reproducible:
Always

Steps to Reproduce:
1. create a symlink to a file.
2. modify file via 'vim file' and 'vim symlink'
3. ls -lZ file after both.
    

Additional info:

Comment 1 Tom London 2004-07-07 13:26:47 EDT

OK. I've dug a bit deeper. I think the calls to mch_copy_sec() have
the args reversed in the code segment executed when 'backup_copy' is TRUE.

Here is a patch that makes it work with both real files and symlinks.
[I only (lightly) tested those two cases.]

tom
--------------------------------------------------
*** fileio.c    2004-07-07 10:22:46.514931406 -0700
--- SAVE/fileio.c       2004-07-07 10:15:42.922396738 -0700
***************
*** 3331,3337 ****
                            mch_setperm(backup,
                                          (perm & 0707) | ((perm & 07)
<< 3));
  #ifdef HAVE_SELINUX
!                       mch_copy_sec(fname, backup);
  #endif
  #endif
   
--- 3331,3337 ----
                            mch_setperm(backup,
                                          (perm & 0707) | ((perm & 07)
<< 3));
  #ifdef HAVE_SELINUX
!                       mch_copy_sec(backup, fname);
  #endif
  #endif
   
***************
*** 3370,3376 ****
                        mch_set_acl(backup, acl);
  #endif
  #ifdef HAVE_SELINUX
!                       mch_copy_sec(fname, backup);
  #endif
                        break;
                    }
--- 3370,3376 ----
                        mch_set_acl(backup, acl);
  #endif
  #ifdef HAVE_SELINUX
!                       mch_copy_sec(backup, fname);
  #endif
                        break;
                    }

Comment 2 Karsten Hopp 2004-07-12 06:50:22 EDT

vim 6.3.011-4 and newer will have this fix, thanks for tracking down 
the bug !

Note You need to log in before you can comment on or make changes to this bug.