Description of problem:
For many kinds of SELinux problems with files, the setroubleshoot tool tries to give the user advice and example commands to follow. The filename appears in those example commands. A common suggested command is "semanage fcontext". The setroubleshoot tool prints the filename as part of the suggested command line syntax for the user to use. However, the argument to the "semanage fcontext" command is not a filename; instead, it's a regular expression. The setroubleshoot tool gives bad advice, unfortunately, because it doesn't take this into account. A naive user could get themselves into trouble by blindly cutting and pasting setroubleshoot's suggested commands, since they do not protect against the various regular expression metacharacters. I did this myself, and got scary errors upon rebooting, until I realized what happened, and manually fixed things from there.

Version-Release number of selected component (if applicable):
I'll tell you after my system finishes relabeling, once I can log in again....

How reproducible:
100% reproducible.

Steps to Reproduce:
1. Mislabel a file, then try to use it. Observe setroubleshoot's popup regarding that file.
2. Notice the "semanage fcontext" command does not protect regular expression metacharacters in that filename.
3. Worry about a naive user hosing their system by cutting and pasting.

Actual results:
See above.

Expected results:
I was hoping that setroubleshoot's suggested command lines would include backslashes, or whatever it takes, to properly protect special regular expression metacharacters in filenames. Also, the filename itself should be in 'single quotes', to protect it from shell metacharacters as well.

Additional info:
I'm not sure of the complete list of regular expression metacharacters and shell metacharacters that need to be protected. What exactly is the correct syntax? Unfortunately, the "semanage" manpage doesn't document this at all.
I agree the suggested fix should be correct shell syntax. Can you please provide an example of where the filename contained regular expressions? By any chance was it something like socket:[123456]?
Here is the filename: ~/.thunderbird/*.default/extensions/{c8961d25-7d90-4c7e-893b-400a5c882920}/platform/Linux_x86-gcc3/components/rmdBadCertListener.so I believe the { and } characters are what caused problems. BTW, this is the Remember Mismatched Domains extension for Mozilla Thunderbird. I did a bit of SELinux evangelism and contacted the author of this extension, and he agreed to recompile with -fPIC in order to work around the SELinux error message.
*** Bug 430950 has been marked as a duplicate of this bug. ***
Rather than escaping characters I've enclosed the necessary arguments in shell commands inside single quotes. This was easier and should be more readable. Dan: this was done in the plugins. In the future when we add new plugins or edit existing ones we need to remember to always quote shell arguments when they derive from a template substitution, since we don't know what the substitution string might be. This has to be done in the individual plugins; there isn't any way to automate the quoting.
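The two layers of escaping the report and the fix above are talking about, as an added example that is not setroubleshoot's own plugin code: the path is first escaped for the regex that "semanage fcontext" expects, and the result is then single-quoted for the shell. Python's re.escape stands in for the escaping rules of semanage's own regex engine, and the SELinux types and sample paths are constructed for illustration; both are assumptions of this example.

```python
import re
import shlex

# Constructed sample inputs (not from any real system): the path from the report,
# as a plugin would receive it from a template substitution, plus one containing
# shell metacharacters (a space and an apostrophe).
THUNDERBIRD_SO = ("/home/user/.thunderbird/abcd1234.default/extensions/"
                  "{c8961d25-7d90-4c7e-893b-400a5c882920}/platform/"
                  "Linux_x86-gcc3/components/rmdBadCertListener.so")
SHELL_UNSAFE = "/srv/www/Bob's site/index.html"

def naive_command(path, setype):
    """The form the report complains about: the path substituted verbatim."""
    return "semanage fcontext -a -t %s %s" % (setype, path)

def fcontext_pattern(path):
    """Escape regex metacharacters so the pattern matches only the literal path.
    re.escape is an assumed stand-in for semanage's own regex dialect."""
    return re.escape(path)

def hardened_command(path, setype):
    """Escape for the regex first, then single-quote the result for the shell."""
    return "semanage fcontext -a -t %s %s" % (setype, shlex.quote(fcontext_pattern(path)))

def pattern_matches(pattern, path):
    """True if the fcontext pattern, read as a regex, matches the whole path."""
    try:
        return re.fullmatch(pattern, path) is not None
    except re.error:
        return False

def argv_after_shell(command):
    """Tokenise the line the way a POSIX shell would; the last token is what
    semanage actually receives. None means the shell would reject the line."""
    try:
        return shlex.split(command)
    except ValueError:
        return None

if __name__ == "__main__":
    # An unescaped '.' matches any character, so a sibling directory with a
    # look-alike name would silently receive the same label.
    lookalike = THUNDERBIRD_SO.replace("/.thunderbird/", "/Xthunderbird/")
    print("raw pattern over-matches:", pattern_matches(THUNDERBIRD_SO, lookalike))
    print("escaped pattern over-matches:",
          pattern_matches(fcontext_pattern(THUNDERBIRD_SO), lookalike))
    print(hardened_command(THUNDERBIRD_SO, "textrel_shlib_t"))
    print("naive argv:", argv_after_shell(naive_command(SHELL_UNSAFE, "httpd_sys_content_t")))
    print("hardened argv:", argv_after_shell(hardened_command(SHELL_UNSAFE, "httpd_sys_content_t")))
```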
setroubleshoot-2.0.5-1.fc8, setroubleshoot-plugins-2.0.4-1.fc8 has been submitted as an update for Fedora 8
setroubleshoot-plugins-2.0.4-3.fc8, setroubleshoot-2.0.5-2.fc8 has been submitted as an update for Fedora 8
setroubleshoot-plugins-2.0.4-3.fc8, setroubleshoot-2.0.5-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.