Bug#752002: cdebconf: Please run maintainer scripts in correct selinux context

To: Laurent Bigonville <bigon@debian.org>, 752002@bugs.debian.org
Subject: Bug#752002: cdebconf: Please run maintainer scripts in correct selinux context
From: Regis Boudin <regis@boudin.name>
Date: Fri, 15 Aug 2014 14:51:34 +0200
Message-id: <[🔎] 53EE0256.5080709@boudin.name>
Reply-to: Regis Boudin <regis@boudin.name>, 752002@bugs.debian.org
In-reply-to: <20140618162709.23742.84692.reportbug@soldur.bigon.be>
References: <20140618162709.23742.84692.reportbug@soldur.bigon.be>

Hi Laurent,

On 18/06/14 18:27, Laurent Bigonville wrote:
> Package: cdebconf
> Version: 0.191
> Severity: wishlist
> 
> Hi,
> 
> Since 1.17.0, dpkg is trying to run the maintainer scripts in a
> different context based on the file context and fallback on
> "dpkg_script_t".
> 
> OTHO, a maintainer script run by dpkg-reconfigure is never transitioned
> out of the "dpkg_t" context.
> 
> The maintainer scripts run by dpkg-reconfigure should also transition to
> the appropriate context.
> 
> Since libselinux 2.3, the setexecfilecon() function can be called for
> every maintainer scripts just before they are executed.

I had a look at it this morning. As I'm not really a SELinux specialist,
so I have a question. Would it make sense and be safe to apply it for
all scripts run from cdebconf ? That would include dpkg-reconfigure, but
also dpkg-preconfigure, and when cdebconf is called from dpkg (dpkg
calls the script, which calls (c)debconf, which in turn exec the script
again).

Is the required modification then as simple as this ?

+ setexecfilecon(argv[1],"dpkg_script_t");
  if (execv(argv[1], args) != 0)

Thanks,
Regis

Reply to:

Prev by Date: Bug#691079: marked as done (.dot percentage spelled)
Next by Date: the audio group
Previous by thread: Bug#691079: marked as done (.dot percentage spelled)
Next by thread: Bug#752002: cdebconf: Please run maintainer scripts in correct selinux context
Index(es):
- Date
- Thread