[POC] apply explicit SELinux label on tempfile in copy #80302
cea6be3 to ec82eba
(looks like there's some test failures from moving the
This branch needs rebasing for the CI to pick it up.
secontext = file_args['secontext'] | ||
|
||
if secontext and any(secontext): # only bother if any of the context attributes were specified | ||
module.set_context_if_different(src, secontext, False) |
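Review bot: the call `module.set_context_if_different(src, secontext, False)` discards its return value and has no handling for a labeling failure. AnsibleModule.set_context_if_different calls fail_json when the context cannot be set, so an error here ends the task before validate runs. If labeling the intermediate file is meant to be a hard requirement, say so in a comment; if it is meant to be optional, the failure needs to be caught and reported as a warning instead. A short comment stating what `src` refers to at this point would also help, since the `any(secontext)` guard is documented but the target of the relabel is not.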
In case the tempfile is not in the same folder, this might fail, so I would make this 'best effort'.
SUMMARY
fixes #80269
SELinux labels are only applied at the final stage of the copy module, however, the system policy may require a specific context for the file accessed by the process in the validate step, which will not be present on the intermediate tempfile that validate is run against. This change applies explicitly-set SELinux labels (including _default to use the policy default) to the tempfile when validate is used (consistent with the other permissions/ownership things we were already doing).
ISSUE TYPE
COMPONENT NAME
copy.py
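The ordering described in the summary, as an added example that is not code from this PR or from Ansible: it models how a requested context (with None meaning "keep" and _default meaning "policy default") resolves to a label for the tempfile before validate, and how a best-effort variant, as suggested in the review comment, would report a failed relabel. The function names, the injected set_label callable and the sample labels are assumptions made for illustration.

```python
# Added illustration: a model of labeling the tempfile before validate.
# The label setter is injected, so this runs without libselinux.

def resolve_context(requested, current, policy_default):
    """Merge a requested [user, role, type, level] with the file's current label.

    None keeps the current field, '_default' takes the policy default for the
    destination, anything else is used as given.
    """
    resolved = list(current)
    for i, want in enumerate(requested[:len(current)]):
        if want is None:
            continue
        resolved[i] = policy_default[i] if want == '_default' else want
    return resolved


def label_tempfile(tmp_path, requested, current, policy_default, set_label):
    """Label tmp_path before validate runs; returns (changed, warning).

    Best effort: a failed relabel comes back as a warning string instead of
    an exception, so the caller can still run validate.
    """
    if not requested or not any(requested):  # nothing was explicitly set
        return False, None
    target = resolve_context(requested, current, policy_default)
    if target == list(current):
        return False, None
    try:
        set_label(tmp_path, ':'.join(target))
    except OSError as exc:
        return False, 'could not label %s: %s' % (tmp_path, exc)
    return True, None


# Constructed sample labels (not taken from the PR or the linked issue).
TMP_LABEL = ['unconfined_u', 'object_r', 'user_tmp_t', 's0']
DEST_DEFAULT = ['system_u', 'object_r', 'etc_t', 's0']


def demo():
    applied = {}
    def fake_set(path, label):          # stands in for the real setter
        applied[path] = label
    def failing_set(path, label):       # e.g. a filesystem without xattrs
        raise OSError(95, 'Operation not supported')
    ok = label_tempfile('/tmp/x', [None, None, '_default', None],
                        TMP_LABEL, DEST_DEFAULT, fake_set)
    bad = label_tempfile('/tmp/x', [None, None, 'etc_t', None],
                         TMP_LABEL, DEST_DEFAULT, failing_set)
    return ok, applied, bad
```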