From d3ccb697e01d1671de2f1dd32779efe8808e2132 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 23 Sep 2022 09:43:33 -0400
Subject: [PATCH] Allow relabeling of files/directories under /usr prefix

We already check to make sure users do not accidentily relabel these excluded paths: exclude_paths := map[string]bool{ "/": true, "/bin": true, "/boot": true, "/dev": true, "/etc": true, "/etc/passwd": true, "/etc/pki": true, "/etc/shadow": true, "/home": true, "/lib": true, "/lib64": true, "/media": true, "/opt": true, "/proc": true, "/root": true, "/run": true, "/sbin": true, "/srv": true, "/sys": true, "/tmp": true, "/usr": true, "/var": true, "/var/lib": true, "/var/log": true, } But some users put homedirectories under /usr, and I see no reason to block them from relabeling. At a certain point if users do something dumb with relableing we can not stop them.

Signed-off-by: Daniel J Walsh
---
 go-selinux/selinux_linux.go | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/go-selinux/selinux_linux.go b/go-selinux/selinux_linux.go
index ee602ab..bedc89f 100644
--- a/go-selinux/selinux_linux.go
+++ b/go-selinux/selinux_linux.go
@@ -1072,21 +1072,6 @@ func copyLevel(src, dest string) (string, error) {
 return tcon.Get(), nil
 }
 
-// Prevent users from relabeling system files
-func badPrefix(fpath string) error {
- if fpath == "" {
- return ErrEmptyPath
- }
-
- badPrefixes := []string{"/usr"}
- for _, prefix := range badPrefixes {
- if strings.HasPrefix(fpath, prefix) {
- return fmt.Errorf("relabeling content in %s is not allowed", prefix)
- }
- }
- return nil
-}
-
 // chcon changes the fpath file object to the SELinux label label.
 // If fpath is a directory and recurse is true, then chcon walks the
 // directory tree setting the label.
@@ -1097,9 +1082,6 @@ func chcon(fpath string, label string, recurse bool) error {
 if label == "" {
 return nil
 }
- if err := badPrefix(fpath); err != nil {
- return err
- }
 if !recurse {
 return setFileLabel(fpath, label)
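Review bot: Deleting badPrefix also deletes the only visible place where chcon returned ErrEmptyPath for `fpath == ""`, so an empty path now flows straight into `setFileLabel` or the recursive walk; whether those still report ErrEmptyPath is not visible in this patch, so callers that match that sentinel may start seeing a different error. Keeping `if fpath == "" { return ErrEmptyPath }` at the top of chcon, where the badPrefix call was removed in the second hunk, preserves that contract regardless of what the helpers do. Separately, the removed guard used strings.HasPrefix and so covered every path below /usr, while the exact-match exclude map quoted in the description matches only "/usr" itself; the chcon doc comment should say that no path-based policy is enforced here, e.g. `// chcon applies no path exclusions; callers must reject any path they consider off-limits.` The chcon body continues past the end of the second hunk.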