From 570e0412a7619660133b49d54813133b0cf76943 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sun, 14 Mar 2021 00:57:04 +0100
Subject: selinux relabeling fixes

---
 src/firejail/fs.c | 1 +
 src/firejail/fs_home.c | 7 ++++---
 src/firejail/restrict_users.c | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index fe79daa70..8b7e49611 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -170,6 +170,7 @@ static void disable_file(OPERATION op, const char *filename) {
 }
 }
 fs_tmpfs(fname, getuid());
+selinux_relabel_path(fname, fname);
 last_disable = SUCCESSFUL;
 }
 else
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 2c5ea8be0..46f32d7ad 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -31,7 +31,7 @@
 #include 
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 static void skel(const char *homedir, uid_t u, gid_t g) {
@@ -384,7 +384,6 @@ void fs_private(void) {
 if (chown(homedir, u, g) < 0)
 errExit("chown");
-selinux_relabel_path(homedir, homedir);
 fs_logger2("mkdir", homedir);
 fs_logger2("tmpfs", homedir);
 }
@@ -392,6 +391,8 @@ void fs_private(void) {
 // mask user home directory
 // the directory should be owned by the current user
 fs_tmpfs(homedir, 1);
+
+selinux_relabel_path(homedir, homedir);
 }
 skel(homedir, u, g);
@@ -549,7 +550,7 @@ void fs_private_home_list(void) {
 // create /run/firejail/mnt/home directory
 mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
-selinux_relabel_path(RUN_HOME_DIR, "/home");
+selinux_relabel_path(RUN_HOME_DIR, homedir);
 fs_logger_print(); // save the current log
 if (arg_debug)
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 0dfd9ca1c..f86f39397 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
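Review bot: The added `selinux_relabel_path(fname, fname)` after `fs_tmpfs(fname, getuid())` carries no comment saying why a just-mounted tmpfs needs relabeling, and the same unexplained pairing appears in the fs_private hunk of fs_home.c (after `fs_tmpfs(homedir, 1)`). Presumably the new mount does not carry the file context the masked path is expected to have; if so, a one-liner at the call site such as `// the fresh tmpfs needs the SELinux context expected for this path` would make the intent visible. Only the second argument's role — the path whose expected label is applied — can be read from the `"/home"` → `homedir` change later in this commit, so check the wording against selinux_relabel_path itself. disable_file starts and ends outside the hunk.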
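Review bot: The `selinux_relabel_path(homedir, homedir)` removed after `errExit("chown")` has no replacement within this branch; the call re-added in the next hunk follows `fs_tmpfs(homedir, 1)`, which appears to be a different branch of fs_private (old line 391 between the two hunks is not visible). If the mkdir/chown path is meant to leave the newly created directory with whatever label mkdir gives it, a short comment at that site recording why, or pointing to where it is labelled, would spare the next reader the same question; if not, the relabel belongs back here after the chown. fs_private starts and ends outside the hunk.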
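Review bot: `homedir`, which replaces the `"/home"` literal in `selinux_relabel_path(RUN_HOME_DIR, homedir)`, is not declared anywhere in this hunk; fs_private has a local of that name, so presumably fs_private_home_list does too — confirm it is assigned before this point, since the function starts outside the hunk. A comment stating what label the staging directory is meant to receive would also help, e.g. `// label the staging dir like the user's home, not like /home`, assuming the second argument is the reference path as the change itself suggests.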
@@ -104,13 +104,13 @@ static void sanitize_home(void) {
 errExit("mkpath");
 if (mkdir(cfg.homedir, 0755) == -1)
 errExit("mkdir");
-selinux_relabel_path(cfg.homedir, cfg.homedir);
 }
 fs_logger2("mkdir", cfg.homedir);
 // set mode and ownership
 if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode))
 errExit("set_perms");
+selinux_relabel_path(cfg.homedir, cfg.homedir);
 // mount user home directory
 if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
-- 
cgit v1.2.3-54-g00ecf
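Review bot: Moving `selinux_relabel_path(cfg.homedir, cfg.homedir)` from inside the mkdir branch to after `errExit("set_perms")` means it now also runs when `cfg.homedir` already existed (the `}` before `fs_logger2("mkdir", cfg.homedir)` closes that branch), whereas before only a freshly created directory was relabelled. If that is intended — labelling the mountpoint regardless of how it came to exist, right before the bind mount on the next lines — a comment at the call such as `// (re)label the mountpoint before the bind mount, whether or not it was just created` would record it; if not, the call belongs back inside the branch. sanitize_home starts and ends outside the hunk.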