[DSE-Dev] Bug#752002: cdebconf: Please run maintainer scripts in correct selinux context

Laurent Bigonville bigon at debian.org
Sat Aug 30 11:05:34 UTC 2014 

Regis Boudin wrote:
> Hi Laurent,

Hello Regis,

> 
> On 18/06/14 18:27, Laurent Bigonville wrote:
> > Package: cdebconf
> > Version: 0.191
> > Severity: wishlist
> > 
> > Hi,
> > 
> > Since 1.17.0, dpkg is trying to run the maintainer scripts in a
> > different context based on the file context and fallback on
> > "dpkg_script_t".
> > 
> > OTHO, a maintainer script run by dpkg-reconfigure is never
> > transitioned out of the "dpkg_t" context.
> > 
> > The maintainer scripts run by dpkg-reconfigure should also
> > transition to the appropriate context.
> > 
> > Since libselinux 2.3, the setexecfilecon() function can be called
> > for every maintainer scripts just before they are executed.  
> 
> I had a look at it this morning. As I'm not really a SELinux
> specialist, so I have a question. Would it make sense and be safe to
> apply it for all scripts run from cdebconf ? That would include
> dpkg-reconfigure, but also dpkg-preconfigure, and when cdebconf is
> called from dpkg (dpkg calls the script, which calls (c)debconf,
> which in turn exec the script again).

In dpkg (I'm not an expert here and quickly looked at the code) the
maintscript_exec() function is called for all {pre,post}{inst,rm}
maintainer scripts.
(https://anonscm.debian.org/cgit/dpkg/dpkg.git/tree/src/script.c#n155)
And this function is (indirectly) calling setexecfilecon().

So I guess that cdebconf should do the transition only in these cases
too?

> Is the required modification then as simple as this ?
> 
> + setexecfilecon(argv[1],"dpkg_script_t");
>   if (execv(argv[1], args) != 0)

Yes, calling the function just before the execv() should do it. You
just need to add some return code checking (dpkg exits as soon as
setexecfilecon() is failing) and also make it conditional so cdebconf
can still build on !linux :)

If you have a patch I would happily test it.

I've added the debian selinux-devel mailing list if anybody has a
comment on this.

Cheers,

Laurent Bigonville

> Thanks,
> Regis

More information about the SELinux-devel mailing list