Bug 416351 - setroubleshoot does not escape regex chars in suggested cmds
setroubleshoot does not escape regex chars in suggested cmds
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: setroubleshoot (Show other bugs)
Version: 8
Hardware: All Linux
Priority: low  Severity: low
Assigned To: John Dennis
QA Contact: Fedora Extras Quality Assurance
Duplicates: 430950
Depends On:
Blocks:
Reported: 2007-12-08 01:40 EST by JoSH Lehan
Modified: 2008-02-28 16:42 EST (History)
Fixed In Version: setroubleshoot-plugins-2.0.4
Doc Type: Bug Fix
Last Closed: 2008-01-31 12:52:35 EST

Attachments: None
Description JoSH Lehan 2007-12-08 01:40:02 EST
Description of problem:

For many kinds of SELinux problems with files, the setroubleshoot tool tries to
give the user advice and example commands to follow.
The filename appears in those example commands.
A common suggested command is "semanage fcontext".
The setroubleshoot tool prints the filename as part of the suggested command
line syntax for the user to use.
However, the argument to the "semanage fcontext" command is not a filename;
instead, it's a regular expression.
The setroubleshoot tool gives bad advice, unfortunately, because it doesn't take
this into account.
A naive user could get themselves into trouble by blindly cutting and pasting
setroubleshoot's suggested commands, since they do not protect against the
various regular expression metacharacters.
I did this myself, and got scary errors upon rebooting, until I realized what
happened, and manually fixed things from there.

Version-Release number of selected component (if applicable):

I'll tell you after my system finishes relabeling, once I can log in again....

How reproducible:

100% reproducible.

Steps to Reproduce:
1. Mislabel a file, then try to use it.  Observe setroubleshoot's popup
regarding that file.
2. Notice "semanage fcontext" command does not protect regular expression
metacharacters in that filename.
3. Worry about a naive user hosing their system by cutting and pasting.
  
Actual results:

See above.

Expected results:

I was hoping that setroubleshoot's suggested command lines would include
backslashes, or whatever it takes, to properly protect special regular
expression metacharacters in filenames.

Also, the filename itself should be in 'single quotes', to protect it from shell
metacharacters as well.

Additional info:

I'm not sure of the complete list of regular expression metacharacters and shell
metacharacters that need to be protected.  What exactly is the correct syntax? 
Unfortunately, the "semanage" manpage doesn't document this at all.
Comment 1 John Dennis 2008-01-09 17:26:44 EST
I agree the suggested fix should be correct shell syntax. 

Can you please provide an example of where the filename contained regular
expressions? By any chance was it something like socket:[123456]?
Comment 2 JoSH Lehan 2008-01-10 05:29:24 EST
Here is the filename:

~/.thunderbird/*.default/extensions/{c8961d25-7d90-4c7e-893b-400a5c882920}/platform/Linux_x86-gcc3/components/rmdBadCertListener.so

I believe the { and } characters are what caused problems.

BTW, this is the Remember Mismatched Domains extension for Mozilla Thunderbird.
I did a bit of SELinux evangelism and contacted the author of this extension,
and he agreed to recompile with -fPIC in order to work around the SELinux error
message.
Comment 3 John Dennis 2008-01-30 15:26:32 EST
*** Bug 430950 has been marked as a duplicate of this bug. ***
Comment 4 John Dennis 2008-01-31 12:52:35 EST
Rather than escaping characters I've enclosed the necessary arguments in shell
commands inside single quotes. This was easier and should be more readable.

Dan: this was done in the plugins. In the future when we add new plugins or edit
existing ones we need to remember to always quote shell arguments when they
derive from a template substitution since we don't know what the substitution
string might be. This has to be done in the individual plugins; there isn't
any way to automate the quoting.
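As an added illustration (not setroubleshoot's own plugin code), the approach comment 4 describes, single-quoting every template-substituted argument, combined with the regex escaping the reporter asked for, since the `semanage fcontext` argument is a regex rather than a path. The sample path is a constructed variant of the one in comment 2 (profile directory name made up, `~` expanded), and the SELinux type is a placeholder.

```python
import re
import shlex

# Constructed sample path modelled on the one in comment 2; the profile
# directory name is made up. It contains the regex metacharacters '{', '}',
# '.' and '-' that a raw template substitution would hand to semanage.
SAMPLE_PATH = ("/home/user/.thunderbird/abc123.default/extensions/"
               "{c8961d25-7d90-4c7e-893b-400a5c882920}/platform/"
               "Linux_x86-gcc3/components/rmdBadCertListener.so")


def naive_fcontext_cmd(path: str, setype: str) -> str:
    """The problematic shape: the raw path is dropped into the template,
    so '.' is a wildcard and '{', '}' are handed to the regex engine."""
    return f"semanage fcontext -a -t {setype} {path}"


def safe_fcontext_cmd(path: str, setype: str) -> str:
    """Regex-escape the path (the fcontext argument is a regex, not a
    filename), then single-quote it so it survives a cut-and-paste into a
    shell unchanged. shlex.quote only adds quotes when they are needed."""
    return f"semanage fcontext -a -t {setype} {shlex.quote(re.escape(path))}"


def safe_restorecon_cmd(path: str) -> str:
    """restorecon takes a real path, so only shell quoting is required."""
    return f"restorecon -v {shlex.quote(path)}"


def fcontext_regex_matches(regex: str, candidate: str) -> bool:
    """Approximation of how a file-context regex is applied to a path:
    an anchored, whole-string match."""
    return re.fullmatch(regex, candidate) is not None


def pasted_last_argument(cmd: str) -> str:
    """What a POSIX shell would pass as the final argv element if the
    suggested command line were pasted verbatim."""
    return shlex.split(cmd)[-1]
```

The escaped regex matches only the literal path, whereas the naive one also matches `rmdBadCertListenerXso`, and the single quotes keep backslashes and braces intact through the shell.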
Comment 5 Fedora Update System 2008-02-13 11:23:37 EST
setroubleshoot-2.0.5-1.fc8,setroubleshoot-plugins-2.0.4-1.fc8 have been submitted as an update for Fedora 8
Comment 6 Fedora Update System 2008-02-25 21:18:37 EST
setroubleshoot-plugins-2.0.4-3.fc8,setroubleshoot-2.0.5-2.fc8 have been submitted as an update for Fedora 8
Comment 7 Fedora Update System 2008-02-28 16:42:46 EST
setroubleshoot-plugins-2.0.4-3.fc8, setroubleshoot-2.0.5-2.fc8 have been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.