Debian Bug report logs - #587949
dpkg gives sym-links and other non-file object the wrong SE Linux labels

Package: dpkg; Maintainer for dpkg is Dpkg Developers <debian-dpkg@lists.debian.org>; Source for dpkg is src:dpkg.

Reported by: Russell Coker <russell@coker.com.au>

Date: Sat, 3 Jul 2010 07:03:01 UTC

Severity: normal

Found in version dpkg/1.15.7.2

Fixed in version dpkg/1.15.8

Done: Guillem Jover <guillem@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#587949; Package dpkg. (Sat, 03 Jul 2010 07:03:04 GMT)

Acknowledgement sent to Russell Coker <russell@coker.com.au>:
New Bug report received and forwarded. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Sat, 03 Jul 2010 07:03:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Russell Coker <russell@coker.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dpkg gives sym-links and other non-file object the wrong SE Linux labels
Date: Sat, 03 Jul 2010 17:00:20 +1000

Package: dpkg
Version: 1.15.7.2
Severity: normal

The mode parameter to the matchpathcon() is used for the format type (IE file,
dir, etc) NOT for the permission bits.  So the mask in the
set_selinux_path_context() function discards all the bits that we want.  While
the man page matchpathcon(3) isn't exactly clear it is consistent with the
section of stat(2) relating to st_mode.  I would appreciate suggestions for
how to improve matchpathcon(3) as it seems apparent that it needs to be
improved.

For files in /usr/sbin it seems that both code paths that call
set_selinux_path_context() are being executed, it would be good if we could
only call set_selinux_path_context() once as it's not the fastest function...

Please consider my tar_file_type_to_mode() function to be an illustration of
an algorithm in the form of working code.  I don't think it will be acceptable
to be included as-is, but it should allow someone else to write something
better with minimal effort.

To reproduce this bug run a system with SE Linux enabled, install the package
policycoreutils, and then run the command "restorecon -R -v /usr/sbin", if
things work correctly then all objects contained in the package will have the
correct context and restorecon will not display any output.  But the way
things work currently is that "restorecon -R -v /usr/sbin" gives the following
output:
restorecon reset /usr/sbin/load_policy context system_u:object_r:load_policy_exec_t:s0->system_u:object_r:bin_t:s0

diff -ru dpkg-1.15.7.2-old//src/archives.c dpkg-1.15.7.2/src/archives.c
--- dpkg-1.15.7.2-old//src/archives.c	2010-05-19 15:55:01.000000000 +1000
+++ dpkg-1.15.7.2/src/archives.c	2010-07-03 16:44:32.154839759 +1000
@@ -276,7 +276,7 @@
 
   /* Do nothing if we can't figure out what the context is, or if it has
    * no context; in which case the default context shall be applied. */
-  ret = matchpathcon(matchpath, mode & ~S_IFMT, &scontext);
+  ret = matchpathcon(matchpath, mode & S_IFMT, &scontext);
   if (ret == -1 || (ret == 0 && scontext == NULL))
     return;
 
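Review bot: with the mask on the matchpathcon() line flipped to `mode & S_IFMT`, this function now relies on every caller putting the format bits into mode, and the comment above the call says nothing about that. A caller that passes permission bits only ends up handing matchpathcon() a mode of 0. Extend the comment to state that mode carries the file type (S_IFREG, S_IFLNK, ...) and check each call site against it.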
@@ -388,6 +388,31 @@
   return true;
 }
 
+#ifdef WITH_SELINUX
+int tar_file_type_to_mode(enum TarFileType tft)
+{
+  switch(tft) {
+  case SymbolicLink:
+    return S_IFLNK;
+  case Directory:
+    return S_IFDIR;
+  case NormalFile0: case NormalFile1:
+    return 0;
+  case CharacterDevice:
+    return S_IFCHR;
+  case BlockDevice:
+    return S_IFBLK;
+  case FIFO:
+    return S_IFIFO;
+  case HardLink:
+    return -1;
+  default:
+    ohshit(_("archive contained object of unknown type 0x%x"),tft);
+  }
+
+}
+#endif
+
 int tarobject(struct TarInfo *ti) {
   static struct varbuf conffderefn, hardlinkfn, symlinkfn;
   static int fd;
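Review bot: `case NormalFile0: case NormalFile1:` returns 0 rather than S_IFREG, so regular files reach matchpathcon() with no type at all, and matchpathcon(3) documents a mode of 0 as disabling mode matching; return S_IFREG there. The -1 returned for HardLink is not a valid mode either (masked with S_IFMT it sets every format bit), so it is only safe while the caller filters hard links out first. The function should also be static, and the default branch falls off the end of a non-void function unless ohshit() is declared as not returning.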
@@ -726,9 +751,11 @@
     internerr("unknown tar type '%d', but already checked", ti->Type);
   }
 
-  set_selinux_path_context(fnamevb.buf, fnamenewvb.buf,
-                           nifd->namenode->statoverride ?
-                           nifd->namenode->statoverride->mode : ti->Mode);
+  /* if it's a hard link then the first link should have been lavelled to
+     there is nothing to do.  */
+  if(ti->Type != HardLink)
+    set_selinux_path_context(fnamevb.buf, fnamenewvb.buf
+                           , tar_file_type_to_mode(ti->Type));
 
   /* CLEANUP: Now we have extracted the new object in .dpkg-new (or,
    * if the file already exists as a directory and we were trying to extract
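Review bot: the new call uses tar_file_type_to_mode(), which the previous hunk defines only under `#ifdef WITH_SELINUX`, while this call site shows no such guard, so a build without SE Linux support fails unless set_selinux_path_context() is compiled out some other way. The statoverride mode is no longer consulted, which is correct when only the file type matters, but the comment should say so. The comment has a typo ("lavelled to" for "labelled so"), and the leading comma on the continuation line does not match the surrounding style.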

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dpkg depends on:
ii  coreutils         8.5-1                  GNU core utilities
ii  libbz2-1.0        1.0.5-4                high-quality block-sorting file co
ii  libc6             2.11.2-2               Embedded GNU C Library: Shared lib
ii  libselinux1       2.0.94-1               SELinux runtime shared libraries
ii  xz-utils          4.999.9beta+20100527-1 XZ-format compression utilities
ii  zlib1g            1:1.2.3.4.dfsg-3       compression library - runtime

dpkg recommends no packages.

Versions of packages dpkg suggests:
ii  apt                           0.7.25.3   Advanced front-end for dpkg

-- no debconf information
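
The masking error described in this report, as an added example that is not part of the original report or of dpkg: a simplified model of a typed file-context lookup (not libselinux code) with two constructed rules built from the contexts quoted above. It assumes, as matchpathcon(3) documents, that a mode of 0 disables type matching, and that the last matching rule wins.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose S_IFMT and friends under strict -std modes */
#endif
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* One file-context rule: path pattern, optional file type, context. */
struct fc_rule {
    const char *pattern;    /* POSIX ERE, anchored at both ends on use */
    mode_t type;            /* S_IFREG, S_IFLNK, ... or 0 for "any type" */
    const char *context;
};

/* Constructed rules (not a real policy), using the contexts from the report. */
static const struct fc_rule rules[] = {
    { "/usr/sbin(/.*)?",       0,       "system_u:object_r:bin_t:s0" },
    { "/usr/sbin/load_policy", S_IFREG, "system_u:object_r:load_policy_exec_t:s0" },
};

static int path_matches(const char *pattern, const char *path)
{
    char anchored[256];
    regex_t re;
    int rc;

    snprintf(anchored, sizeof anchored, "^%s$", pattern);
    if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;
    rc = regexec(&re, path, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Model of a matchpathcon()-style lookup: only the format bits of mode are
 * used, 0 means "do not filter by type", and the last matching rule wins. */
static const char *model_lookup(const char *path, mode_t mode)
{
    mode_t type = mode & S_IFMT;
    const char *result = NULL;
    size_t i;

    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (rules[i].type && type && rules[i].type != type)
            continue;               /* rule is for another file type */
        if (path_matches(rules[i].pattern, path))
            result = rules[i].context;
    }
    return result;
}

/* Mask from the removed line of the patch: format bits are thrown away. */
static const char *label_buggy(const char *path, mode_t st_mode)
{
    return model_lookup(path, st_mode & ~S_IFMT);
}

/* Mask from the added line of the patch: only format bits are passed. */
static const char *label_fixed(const char *path, mode_t st_mode)
{
    return model_lookup(path, st_mode & S_IFMT);
}

int main(void)
{
    const char *path = "/usr/sbin/load_policy";
    mode_t symlink_mode = S_IFLNK | 0777;   /* constructed sample modes */
    mode_t regular_mode = S_IFREG | 0755;

    printf("symlink, buggy mask: %s\n", label_buggy(path, symlink_mode));
    printf("symlink, fixed mask: %s\n", label_fixed(path, symlink_mode));
    printf("regular, buggy mask: %s\n", label_buggy(path, regular_mode));
    printf("regular, fixed mask: %s\n", label_fixed(path, regular_mode));
    return 0;
}
```

With the buggy mask the symlink picks up the rule meant for regular files, which is the direction of the relabel that restorecon reports above.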




Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#587949; Package dpkg. (Thu, 29 Jul 2010 04:33:05 GMT)

Acknowledgement sent to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Thu, 29 Jul 2010 04:33:05 GMT)

Message #10 received at 587949@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: Russell Coker <russell@coker.com.au>, 587949@bugs.debian.org
Subject: Re: Bug#587949: dpkg gives sym-links and other non-file object the wrong SE Linux labels
Date: Thu, 29 Jul 2010 06:30:49 +0200

Hi!

On Sat, 2010-07-03 at 17:00:20 +1000, Russell Coker wrote:
> Package: dpkg
> Version: 1.15.7.2
> Severity: normal
> 
> The mode parameter to the matchpathcon() is used for the format type (IE file,
> dir, etc) NOT for the permission bits.  So the mask in the
> set_selinux_path_context() function discards all the bits that we want.

Ah! nice catch.

> While the man page matchpathcon(3) isn't exactly clear it is consistent
> with the section of stat(2) relating to st_mode.  I would appreciate
> suggestions for how to improve matchpathcon(3) as it seems apparent
> that it needs to be improved.

I read that section and it seems perfectly clear to me. Take into account
that the bug was present in the initial code submitted by Manoj adding SE
Linux support, so not sure if maybe it was not clear back then, or it
was just a thinko.

> For files in /usr/sbin it seems that both code paths that call
> set_selinux_path_context() are being executed, it would be good if we
> could only call set_selinux_path_context() once as it's not the fastest
> function...

The two calls should be operating on different paths, the first one
does on the new extracted object, the second one operates on the
backup symlink used in case of roll back (which has to be manually
copied, because it cannot be hardlinked).

> Please consider my tar_file_type_to_mode() function to be an illustration
> of an algorithm in the form of working code.  I don't think it will be
> acceptable to be included as-is, but it should allow someone else to
> write something better with minimal effort.

I've rearranged and fixed the code, which I'll push in a bit.

> To reproduce this bug run a system with SE Linux enabled, install the
> package policycoreutils, and then run the command "restorecon -R -v
> /usr/sbin", if things work correctly then all objects contained in the
> package will have the correct context and restorecon will not display
> any output.  But the way things work currently is that "restorecon -R
> -v /usr/sbin" gives the following output:
> restorecon reset /usr/sbin/load_policy context system_u:object_r:load_policy_exec_t:s0->system_u:object_r:bin_t:s0

I don't feel like setting up a SE Linux environment, the fix should be
available for 1.15.8, so if it does not fix your problem, please
reopen this bug report!

thanks,
guillem




Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#587949; Package dpkg. (Thu, 29 Jul 2010 05:21:25 GMT)

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Thu, 29 Jul 2010 05:21:25 GMT)

Message #15 received at 587949@bugs.debian.org:

From: Russell Coker <russell@coker.com.au>
To: Guillem Jover <guillem@debian.org>
Cc: 587949@bugs.debian.org
Subject: Re: Bug#587949: dpkg gives sym-links and other non-file object the wrong SE Linux labels
Date: Thu, 29 Jul 2010 15:20:29 +1000

On Thu, 29 Jul 2010, Guillem Jover <guillem@debian.org> wrote:
> > For files in /usr/sbin it seems that both code paths that call
> > set_selinux_path_context() are being executed, it would be good if we
> > could only call set_selinux_path_context() once as it's not the fastest
> > function...
> 
> The two calls should be operating on different paths, the first one
> does on the new extracted object, the second one operates on the
> backup symlink used in case of roll back (which has to be manually
> copied, because it cannot be hardlinked).

What do you mean by this?

If you are keeping a second copy of the file around then it should have the
same label.  SE Linux labels can (depending on policy) cause a domain
transition that reduces the privileges after the exec() call.  If we have a
SUID binary could the current code result in a SUID copy of it that has a
label based on the backup name instead of the real name?  If so then it's a
security problem as a program may run with a superset of the privileges of the
calling code.

Even if the program is not SUID it's still a potential security problem for 
the case where a non-SUID program should run with less privileges than the 
calling code.

> > Please consider my tar_file_type_to_mode() function to be an illustration
> > of an algorithm in the form of working code.  I don't think it will be
> > acceptable to be included as-is, but it should allow someone else to
> > write something better with minimal effort.
> 
> I've rearranged and fixed the code, which I'll push in a bit.

Great!
 
> > To reproduce this bug run a system with SE Linux enabled, install the
> > package policycoreutils, and then run the command "restorecon -R -v
> > /usr/sbin", if things work correctly then all objects contained in the
> > package will have the correct context and restorecon will not display
> > any output.  But the way things work currently is that "restorecon -R
> > -v /usr/sbin" gives the following output:
> > restorecon reset /usr/sbin/load_policy context
> > system_u:object_r:load_policy_exec_t:s0->system_u:object_r:bin_t:s0
> 
> I don't feel like setting up a SE Linux environment, the fix should be
> available for 1.15.8, so if it does not fix your problem, please
> reopen this bug report!

Sure.

Incidentally if I gave you root access to a SE Linux system would you be 
interested in trying it out?

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog




Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#587949; Package dpkg. (Thu, 29 Jul 2010 07:45:14 GMT)

Acknowledgement sent to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Thu, 29 Jul 2010 07:45:14 GMT)

Message #20 received at 587949@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: Russell Coker <russell@coker.com.au>
Cc: 587949@bugs.debian.org
Subject: Re: Bug#587949: dpkg gives sym-links and other non-file object the wrong SE Linux labels
Date: Thu, 29 Jul 2010 09:34:17 +0200

On Thu, 2010-07-29 at 15:20:29 +1000, Russell Coker wrote:
> On Thu, 29 Jul 2010, Guillem Jover <guillem@debian.org> wrote:
> > > For files in /usr/sbin it seems that both code paths that call
> > > set_selinux_path_context() are being executed, it would be good if we
> > > could only call set_selinux_path_context() once as it's not the fastest
> > > function...
> > 
> > The two calls should be operating on different paths, the first one
> > does on the new extracted object, the second one operates on the
> > backup symlink used in case of roll back (which has to be manually
> > copied, because it cannot be hardlinked).
> 
> What do you mean by this?

Sorry, I guess this assumed some deep understanding of how dpkg operates
internally. I'll try to give an overview (obviating some corner-cases
and other uninteresting details).

> If you are keeping a second copy of the file around then it should have the
> same label.  SE Linux labels can (depending on policy) cause a domain
> transition that reduces the privileges after the exec() call.  If we have a
> SUID binary could the current code result in a SUID copy of it that has a
> label based on the backup name instead of the real name?  If so then it's a
> security problem as a program may run with a superset of the privileges of the
> calling code.
> 
> Even if the program is not SUID it's still a potential security problem for 
> the case where a non-SUID program should run with less privileges than the 
> calling code.

On unpack, dpkg extracts the new object as <pathname.dpkg-new>, as this
is a newly created object it needs all permissions and labels set anew,
the SE Linux label for <pathname.dpkg-new> is set as if it was <pathname>
(that's why the set_selinux_path_context function has a matchpath arg
representing <pathname>, and a path arg representing <pathname.dpkg-new>
or <pathname.dpkg-tmp>).

Then to be able to roll-back in case of failure, dpkg makes a backup of
the existing object, for most file types that's just a hardlink, for dirs
if it needs to replace them, then it just renames them (to take them out
of the way as we cannot atomically replace them later on), and for symlinks
as they cannot be hardlinked it needs to create a new <pathname.dpkg-tmp>
symlink with the same contents as the <pathname> one. But as this one is
a newly created object it needs the permissions and SE Linux labels
applied to it, otherwise if we need to roll-back with rename(2) from
<pathname.dpkg-tmp> to <pathname> it would not have the correct metadata.

Hope this explains a bit more clearly.

> > > To reproduce this bug run a system with SE Linux enabled, install the
> > > package policycoreutils, and then run the command "restorecon -R -v
> > > /usr/sbin", if things work correctly then all objects contained in the
> > > package will have the correct context and restorecon will not display
> > > any output.  But the way things work currently is that "restorecon -R
> > > -v /usr/sbin" gives the following output:
> > > restorecon reset /usr/sbin/load_policy context
> > > system_u:object_r:load_policy_exec_t:s0->system_u:object_r:bin_t:s0
> > 
> > I don't feel like setting up a SE Linux environment, the fix should be
> > available for 1.15.8, so if it does not fix your problem, please
> > reopen this bug report!
> 
> Sure.
> 
> Incidentally if I gave you root access to a SE Linux system would you be 
> interested in trying it out?

Hmm, not right now, too much stuff on my TODO list already, thanks for
the offer though, maybe another time!

regards,
guillem




Added tag(s) pending. Request was from Guillem Jover <guillem@debian.org> to control@bugs.debian.org. (Thu, 29 Jul 2010 09:09:02 GMT)

Message sent on to Russell Coker <russell@coker.com.au>:
Bug#587949. (Thu, 29 Jul 2010 09:09:11 GMT)

Message #25 received at 587949-submitter@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: 587949-submitter@bugs.debian.org
Subject: Bug#587949 marked as pending
Date: Thu, 29 Jul 2010 09:06:07 +0000

tag 587949 pending
thanks

Hello,

Bug #587949 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=dpkg/dpkg.git;a=commitdiff;h=d254075

---
commit d25407536dbed4cad2943187b36fbb6c92a6b5ab
Author: Guillem Jover <guillem@debian.org>
Date:   Wed Jul 28 15:06:19 2010 +0200

    dpkg: Assign correct SE Linux label to non-regular files
    
    The call to matchpathcon() was getting passed only the permission bits
    of the mode argument, instead of the format type. Map the tar filetype
    to the Unix mode and OR that information into the tar_entry mode member.
    
    Closes: #587949
    
    Based-on-patch-by: Russell Coker <russell@coker.com.au>
    Signed-off-by: Guillem Jover <guillem@debian.org>

diff --git a/debian/changelog b/debian/changelog
index 9a1248c..28d26d6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -97,6 +97,8 @@ dpkg (1.15.8) UNRELEASED; urgency=low
   * Consistently use earlier/later instead of smaller/bigger when describing
     comparison relationships. Closes: #587641
   * Stop exporting DPKG_LIBDIR to maintainer scripts, no need for it anymore.
+  * Assign correct SE Linux label on non-regular files. Based on a patch by
+    Russell Coker <russell@coker.com.au>. Closes: #587949
 
   [ Updated programs translations ]
   * Catalan (Guillem Jover).
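Review bot: the new entry `* Assign correct SE Linux label on non-regular files` records the change but not what it means for systems that already unpacked packages with an earlier version; objects labelled then keep the label they were given. Consider adding a short note that affected paths need a relabel (the report used "restorecon -R -v" for this).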




Reply sent to Guillem Jover <guillem@debian.org>:
You have taken responsibility. (Thu, 29 Jul 2010 09:34:07 GMT)

Notification sent to Russell Coker <russell@coker.com.au>:
Bug acknowledged by developer. (Thu, 29 Jul 2010 09:34:07 GMT)

Message #30 received at 587949-close@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: 587949-close@bugs.debian.org
Subject: Bug#587949: fixed in dpkg 1.15.8
Date: Thu, 29 Jul 2010 09:32:23 +0000

Source: dpkg
Source-Version: 1.15.8

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive:

dpkg-dev_1.15.8_all.deb
  to main/d/dpkg/dpkg-dev_1.15.8_all.deb
dpkg_1.15.8.dsc
  to main/d/dpkg/dpkg_1.15.8.dsc
dpkg_1.15.8.tar.bz2
  to main/d/dpkg/dpkg_1.15.8.tar.bz2
dpkg_1.15.8_amd64.deb
  to main/d/dpkg/dpkg_1.15.8_amd64.deb
dselect_1.15.8_amd64.deb
  to main/d/dpkg/dselect_1.15.8_amd64.deb
libdpkg-dev_1.15.8_amd64.deb
  to main/d/dpkg/libdpkg-dev_1.15.8_amd64.deb
libdpkg-perl_1.15.8_all.deb
  to main/d/dpkg/libdpkg-perl_1.15.8_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 587949@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 29 Jul 2010 09:37:35 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.15.8
Distribution: unstable
Urgency: low
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description: 
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 68788 68861 80252 102609 477954 497304 525567 534637 547993 550252 572526 574704 575304 578365 579012 579149 581544 582389 582401 582404 582406 582814 582819 582893 583656 583902 587382 587641 587724 587949 588265 590297 590472
Changes: 
 dpkg (1.15.8) unstable; urgency=low
 .
   [ Raphaël Hertzog ]
   * Add new commands --before-build and --after-build to dpkg-source
     and modify dpkg-buildpackage to call them automatically at the
     start and at the end of the process. With "3.0 (quilt)" source packages
     this ensures patches are applied even in case of binary-only builds.
     Closes: #572526
   * Merge non-regression test for Ubuntu's specificities concerning
     changelog handling. Closes: #582389
   * Fix some copy-paste mistakes in dpkg-architecture(1). Thanks to Ian Fleming
     <iflema@yahoo.com.au> for the patch and Colin Watson for forwarding out of
     Launchpad. Closes: #582404 LP: #564308
   * Clarify description of dpkg --configure in dpkg(1). Thanks to Colin Watson
     for the patch and to Robert Persson for the report.
     Closes: #582406 LP: #77287
   * Fix the non-regression test lib/dpkg/test/t-ar.c by not overflowing the
     size of ar_name. Thanks to Colin Watson for the report, analysis and patch.
     Closes: #582401
   * Modify Dpkg::Shlibs::Objdump to use the cross objdump binary when cross
     compiling. Thanks to Loïc Minier for the initial patch. Closes: #578365
   * Make dpkg-maintscript-helper more robust when required parameters are
     missing. Closes: #582814
   * Clarify that dpkg-maintscript-helper rm_conffile needs the last version of
     the package that did not remove the obsolete conffile if this was not
     implemented at the time the file became obsolete. Closes: #582893
   * Enhance dpkg-maintscript-helper rm_conffile and mv_conffile to work
     properly when <lastversion> is not given (or is empty). Closes: #582819
   * Small fix in dpkg-gensymbols' handling of tags. Closes: #583656
     Thanks to Michael Tautschnig <mt@debian.org> for the report and the fix.
   * update-alternatives has been rewritten in C, the only feature change
     should be that it uses its own logfile /var/log/alternatives.log (rotated
     like dpkg.log).
   * Implement new --unapply-patches option for dpkg-source with source formats
     2.0 and 3.0 (quilt) that unapplies the patches after a successful build.
     This option can be put in debian/source/local-options in the package VCS
     repository for instance.
   * Implement new --abort-on-upstream-changes option for dpkg-source with
     source formats 1.0, 2.0 and 3.0 (quilt). It aborts every time that you try
     to build a source package which contains (unmanaged) changes to the
     upstream source code. Closes: #579012
   * dpkg-source now captures the output of patch and prints it on error so
     that the user can better diagnose what went wrong. Closes: #575304
   * Fix Dpkg::Changelog to cope properly with an entry of version "0".
     Add non-regression test for this. Closes: #587382
   * Add --export command to dpkg-buildflags to be used in shell with eval.
   * Modify source format "3.0 (git)" to use git bundles. Thanks to Joey Hess
     for the patch.
     The usage of git bundle avoids distributing cruft. Closes: #477954
     It's no longer needed to tell which branch contains the debian packaging,
     it uses automatically the one that was used at build-time. Closes: #534637
   * Pass --no-name option to gzip to avoid encoding the timestamp in the file
     so that the result is more predictable. Closes: #587724
     Also pass --rsyncable to make source packages more rsync friendly.
   * Replace dpkg-source's tar ignore pattern "*~" with "*/*~" to avoid
     matching on the top level directory. Closes: #588265
   * In source formats "2.0" and "3.0 (quilt)", make sure to remove the
     upstream-provided debian directory before copying the debian-provided
     version of that directory in place. Closes: #590297
 .
   [ Guillem Jover ]
   * Require gettext 0.18:
     - Remove embedded gettext files from the repository, now properly
       installed by autopoint for all po/ directories.
     - Add versioned Build-Depends.
   * Fix variable usage after delete in dselect.
   * Change default configure admindir to LOCALSTATEDIR/lib/dpkg from
     LOCALSTATEDIR/dpkg, so that we can use a correct --localstatedir=/var.
   * Add two new dpkg options --path-exclude and --path-include for filtering
     files on package installation. This allows embedded systems to skip
     /usr/share/doc, manpages, etc. Based on work from Tollef Fog Heen and
     Martin Pitt, thanks! Closes: #68788, #68861, #497304, #525567, #583902
   * Remove obsolete internal status aliases “postinst-failed” for
     stat_halfconfigured and “removal-failed” for stat_halfinstalled.
   * Check version syntax when parsing it from libdpkg based programs.
     Closes: #574704
   * Rewrite mksplit in C, and merge it into dpkg-split.
   * Rewrite dpkg-divert in C.
   * Use linux-any wildcard for libselinux1-dev Build-Depends instead of
     using a list of negated architectures.
   * Use Breaks instead of Conflicts in dpkg, dpkg-dev and libdpkg-perl binary
     packages.
   * Move Dpkg.pm and Dpkg/Gettext.pm from dpkg to libdpkg-perl.
   * Bump Standards-Version to 3.9.1.
   * Detect when another process has locked the database, and mention that
     problematic dpkg --audit results might be due to ongoing operations.
     Closes: #80252
   * Add new dpkg --force-confask option that forces a conffile prompt when
     the conffile from the new package does not differ from the previous one.
     Thanks to Henning Makholm <henning@makholm.net>. Closes: #102609
   * On dpkg-divert --rename, check if the source file exists, and disable
     renaming if it does not. Closes: #550252
     As a side effect, this avoids useless errors when the destination
     directory is not existent or writable. Closes: #581544
   * Properly compute the longest package description from all to be displayed
     on “dpkg-query --list”, so that it does not get incorrectly trimmed.
   * Consistently use earlier/later instead of smaller/bigger when describing
     comparison relationships. Closes: #587641
   * Stop exporting DPKG_LIBDIR to maintainer scripts, no need for it anymore.
   * Assign correct SE Linux label on non-regular files. Based on a patch by
     Russell Coker <russell@coker.com.au>. Closes: #587949
   * Add -F option to dpkg-buildpackage to be able to explicitly specify a
     normal full build and combine it with -nc. Closes: #547993
   * Add missing mentions of the Breaks field alongside the other fields
     sharing the same syntax in deb-control(5).
     Thanks to Osamu Aoki <osamu@debian.org>. Closes: #590472
 .
   [ Updated programs translations ]
   * Catalan (Guillem Jover).
   * German (Sven Joachim).
   * Russian (Yuri Kozlov). Closes: #579149
   * Swedish (Peter Krefting).
 .
   [ Updated man page translations ]
   * German (Helge Kreutzmann).
   * Russian (Yuri Kozlov). Closes: #579149
   * Spanish (Omar Campagne).
   * Swedish (Peter Krefting).
 .
   [ New scripts translation ]
   * Spanish (Omar Campagne).
 .
   [ Updated scripts translations ]
   * French (Christian Perrier).
   * German (Helge Kreutzmann). Improved by Holger Wansing.
   * Russian (Yuri Kozlov). Closes: #579149
   * Swedish (Peter Krefting).





Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#587949; Package dpkg. (Thu, 29 Jul 2010 12:06:06 GMT)

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Thu, 29 Jul 2010 12:06:06 GMT)

Message #35 received at 587949@bugs.debian.org:

From: Russell Coker <russell@coker.com.au>
To: Guillem Jover <guillem@debian.org>
Cc: 587949@bugs.debian.org
Subject: Re: Bug#587949: dpkg gives sym-links and other non-file object the wrong SE Linux labels
Date: Thu, 29 Jul 2010 22:02:00 +1000

On Thu, 29 Jul 2010, Guillem Jover <guillem@debian.org> wrote:
> as they cannot be hardlinked it needs to create a new <pathname.dpkg-tmp>
> symlink with the same contents as the <pathname> one. But as this one is
> a newly created object it needs the permissions and SE Linux labels
> applied to it, otherwise if we need to roll-back with rename(2) from
> <pathname.dpkg-tmp> to <pathname> it would not have the correct metadata.

But why does that require a second context lookup?  Why not cache the result 
of the first lookup?  It's generally not going to change between calls - while 
it can change you have to keep in mind that any change to the policy is a 
heavy-weight operation that takes moderate amounts of system resources (you 
don't do it often) and if using the context that was used for the object a few 
seconds ago causes security problems then we have bigger problems than a dpkg 
race-condition.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog




Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#587949; Package dpkg. (Thu, 12 Aug 2010 14:57:05 GMT)

Acknowledgement sent to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Thu, 12 Aug 2010 14:57:05 GMT)

Message #40 received at 587949@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: Russell Coker <russell@coker.com.au>
Cc: 587949@bugs.debian.org
Subject: Re: Bug#587949: dpkg gives sym-links and other non-file object the wrong SE Linux labels
Date: Thu, 12 Aug 2010 16:54:41 +0200

On Thu, 2010-07-29 at 22:02:00 +1000, Russell Coker wrote:
> On Thu, 29 Jul 2010, Guillem Jover <guillem@debian.org> wrote:
> > as they cannot be hardlinked it needs to create a new <pathname.dpkg-tmp>
> > symlink with the same contents as the <pathname> one. But as this one is
> > a newly created object it needs the permissions and SE Linux labels
> > applied to it, otherwise if we need to roll-back with rename(2) from
> > <pathname.dpkg-tmp> to <pathname> it would not have the correct metadata.
> 
> But why does that require a second context lookup?  Why not cache the
> result of the first lookup?  It's generally not going to change between
> calls - while it can change you have to keep in mind that any change to
> the policy is a heavy-weight operation that takes moderate amounts of
> system resources (you don't do it often) and if using the context that
> was used for the object a few seconds ago causes security problems then
> we have bigger problems than a dpkg race-condition.

The reason for the current code is not due to fears of possible security
issues from race conditions or similar, it's mainly because it makes the
code simpler. If it has to cache the context lookup, we have to keep
state, and free it on the intermixed return point. It's of course
doable, but if the lookup is not that slow, and remember it's only
performed on symlinks being replaced by something else, then I'd rather
keep the current code. I've added an entry in my TODO list to possibly
take a look into this in the future though.

BTW, shouldn't the lsetfilecon() call ohshite() in case of error,
probably excluding ENOTSUP?

regards,
guillem




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Sep 2010 07:34:05 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 22:43:39 2014; Machine Name: beach.debian.org
