From: Christian Göttsche <[email protected]>

When using the -Z option to use the default security context for named pipes, the context gets looked up and registered in the kernel via the internal defaultcon() helper. But afterwards it is not cleaned up, potentially leaking it for the next created pipe if the lookup for that next pipe fails to find a context (common for e.g. /tmp entries).
Example: mkfifo -Z a /tmp/a mkfifo -Z b mkfifo -Z /tmp/b ls -lZ /tmp/a /tmp/b prw-r--r--. 1 u u unconfined_u:object_r:user_home_t:s0 0 ... a prw-r--r--. 1 u u unconfined_u:object_r:user_home_t:s0 0 ... b prw-r--r--. 1 u u unconfined_u:object_r:user_home_t:s0 0 ... /tmp/a prw-r--r--. 1 u u unconfined_u:object_r:user_tmp_t:s0 0 ... /tmp/b Reset the stored context used for creating new file system objects after the mkfifo(3) call, if it was set via defaultcon() beforehand. Reported-by: наб <[email protected]> Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990962 --- src/mkfifo.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/mkfifo.c b/src/mkfifo.c index 12d9a423e..40850b67b 100644 --- a/src/mkfifo.c +++ b/src/mkfifo.c @@ -182,6 +182,8 @@ main (int argc, char **argv) quoteaf (argv[optind])); exit_status = EXIT_FAILURE; } + if (set_security_context) + setfscreatecon_raw (NULL); } return exit_status; -- 2.51.0
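Review bot: the result of `setfscreatecon_raw (NULL)` in the two added lines is discarded, so a failed reset leaves the previous pipe's context registered for the next iteration with no diagnostic and an unchanged exit status, which is the same leak the commit message describes. Consider checking the return value and, on failure, reporting it and setting `exit_status = EXIT_FAILURE` the way the branch just above does. The diffstat shows only src/mkfifo.c changing; a regression test built from the `mkfifo -Z` sequence in the commit message would keep this from coming back, and since the change affects which label a newly created FIFO receives, it deserves a user-visible changelog entry as well.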
