[Rpm-maint] [PATCH 01/18] Execute matchpathcon_init in a chroot

Steve Lawrence slawrence at tresys.com
Wed Dec 23 20:57:21 UTC 2009


If the --root option is given and matchpathcon_init is called outside of
the chroot, it will read the host policy configuration and file context
rather than those in the chroot. This leads to potentially mislabeled
files (if host and root policies differ) and wrong data from libselinux
(e.g. selinux_getpolicytype).
---
 lib/transaction.c |   35 +++++++++++++++++++++++++++--------
 1 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/lib/transaction.c b/lib/transaction.c
index e4f282b..41cd165 100644
--- a/lib/transaction.c
+++ b/lib/transaction.c
@@ -1211,14 +1211,6 @@ static int rpmtsSetup(rpmts ts, rpmprobFilterFlags ignoreSet)
         rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS));
     }
 
-    if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
-	char *fn = rpmGetPath("%{?_install_file_context_path}", NULL);
-	if (matchpathcon_init(fn) == -1) {
-	    rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS));
-	}
-	free(fn);
-    }
-
     /* XXX Make sure the database is open RDWR for package install/erase. */
     if (rpmtsOpenDB(ts, dbmode)) {
 	return -1;	/* XXX W2DO? */
@@ -1235,6 +1227,33 @@ static int rpmtsSetup(rpmts ts, rpmprobFilterFlags ignoreSet)
     (void) rpmtsSetChrootDone(ts, 0);
     (void) rpmtsSetTid(ts, tid);
 
+    if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
+	const char * rootDir = rpmtsRootDir(ts);
+	int dochroot = (rootDir != NULL && !rstreq(rootDir, "/") && *rootDir == '/');
+	if (dochroot) {
+	    if (chdir("/") == -1) {
+	        rpmlog(RPMLOG_ERR, "Failed to change directory: %s\n", strerror(errno));
+	        return -1;
+	    }
+	    if (chroot(rootDir) == -1) {
+	        rpmlog(RPMLOG_ERR, "Failed to chroot to %s: %s\n", rootDir, strerror(errno));
+	        return -1;
+	    }
+	}
+	char *fn = rpmGetPath("%{?_install_file_context_path}", NULL);
+	if (matchpathcon_init(fn) == -1) {
+	    rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS));
+	}
+	_free(fn);
+	if (dochroot) {
+	    if (chroot(".") == -1) {
+	        rpmlog(RPMLOG_ERR, "Failed to exit chroot: %s\n", strerror(errno));
+	        return -1;
+	    }
+	    chdir(rpmtsCurrDir(ts));
+	}
+    }
+
     /* Get available space on mounted file systems. */
     (void) rpmtsInitDSI(ts);
 
-- 
1.6.0.6



More information about the Rpm-maint mailing list