diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2020-02-18 20:38:00 +0200 |
|---|---|---|
| committer |  Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-02-22 08:27:24 +0000 |
| commit | 1ad2d54c014a49f6ad0b487dd0d9b361cb4d299e (patch) | |
| tree | 415eb19d90e2ed1de7236c784c1e28d3acfbcaab /src/firejail/restrict_users.c | |
| parent | Whitelist more /usr/share for okular and others (diff) | |
| download | firejail-1ad2d54c014a49f6ad0b487dd0d9b361cb4d299e.tar.gz firejail-1ad2d54c014a49f6ad0b487dd0d9b361cb4d299e.tar.zst firejail-1ad2d54c014a49f6ad0b487dd0d9b361cb4d299e.zip | |
Add support for SELinux labeling
Running `firejail --noprofile --private-bin=bash,ls ls -1Za /usr/bin`
shows that the SELinux labels are not correct:
```
user_u:object_r:user_tmpfs_t:s0 .
system_u:object_r:usr_t:s0 ..
user_u:object_r:user_tmpfs_t:s0 bash
user_u:object_r:user_tmpfs_t:s0 ls
```
After fixing this:
```
system_u:object_r:bin_t:s0 .
system_u:object_r:usr_t:s0 ..
system_u:object_r:shell_exec_t:s0 bash
system_u:object_r:bin_t:s0 ls
```
Most copied files and created directories should now have correct
labels (bind mounted objects keep their labels). This is useful to
avoid having to change the SELinux rules when using Firejail.
Diffstat (limited to 'src/firejail/restrict_users.c')
| -rw-r--r-- | src/firejail/restrict_users.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index b51172219..5ebb0e9ec 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
| @@ -97,6 +97,7 @@ static void sanitize_home(void) { | |||
| 97 | // mount tmpfs in the new home | 97 | // mount tmpfs in the new home |
| 98 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | 98 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) |
| 99 | errExit("mount tmpfs"); | 99 | errExit("mount tmpfs"); |
| 100 | selinux_relabel_path("/home", "/home"); | ||
| 100 | fs_logger("tmpfs /home"); | 101 | fs_logger("tmpfs /home"); |
| 101 | 102 | ||
| 102 | // create user home directory | 103 | // create user home directory |
| @@ -105,6 +106,7 @@ static void sanitize_home(void) { | |||
| 105 | errExit("mkpath"); | 106 | errExit("mkpath"); |
| 106 | if (mkdir(cfg.homedir, 0755) == -1) | 107 | if (mkdir(cfg.homedir, 0755) == -1) |
| 107 | errExit("mkdir"); | 108 | errExit("mkdir"); |
| 109 | selinux_relabel_path(cfg.homedir, cfg.homedir); | ||
| 108 | } | 110 | } |
| 109 | fs_logger2("mkdir", cfg.homedir); | 111 | fs_logger2("mkdir", cfg.homedir); |
| 110 | 112 | ||
| @@ -152,11 +154,13 @@ static void sanitize_run(void) { | |||
| 152 | // mount tmpfs on /run/user | 154 | // mount tmpfs on /run/user |
| 153 | if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | 155 | if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) |
| 154 | errExit("mount tmpfs"); | 156 | errExit("mount tmpfs"); |
| 157 | selinux_relabel_path("/run/user", "/run/user"); | ||
| 155 | fs_logger("tmpfs /run/user"); | 158 | fs_logger("tmpfs /run/user"); |
| 156 | 159 | ||
| 157 | // create new user directory | 160 | // create new user directory |
| 158 | if (mkdir(runuser, 0700) == -1) | 161 | if (mkdir(runuser, 0700) == -1) |
| 159 | errExit("mkdir"); | 162 | errExit("mkdir"); |
| 163 | selinux_relabel_path(runuser, runuser); | ||
| 160 | fs_logger2("mkdir", runuser); | 164 | fs_logger2("mkdir", runuser); |
| 161 | 165 | ||
| 162 | // set mode and ownership | 166 | // set mode and ownership |