* Patch to policycoreutils
From: Daniel J Walsh @ 2005-01-28 16:29 UTC
To: Stephen Smalley, SELinux

Added new fixfiles -C PREVIOUS_FILECONTEXT (RESTORE | CHECK)

Which will take an old version of the file_context file and the currently installed one and do a diff. Then it will run a recursive restorecon on all files covered by the difference. The idea here is to potentially call this function from within policy spec files on updates. So if the file_context file changes on update, the file context on disk will be updated.

Also changed restorecon to not error out if one of the files handed to it does not exist.

restorecon /etc/BOGUS_FILE /etc/passwd /etc/shadow

Will restore password and shadow and warn about BOGUS_FILE.

Dan

[-- Attachment #2: policycoreutils-rhat.patch --]

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.21.5/restorecon/restorecon.c --- nsapolicycoreutils/restorecon/restorecon.c 2005-01-25 10:32:01.000000000 -0500 +++ policycoreutils-1.21.5/restorecon/restorecon.c 2005-01-28 10:40:23.000000000 -0500 @@ -188,7 +188,7 @@ fprintf(stderr, "%s: error while labeling files under %s\n", progname, buf); - exit(1); + errors++; } } else diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.21.5/scripts/fixfiles --- nsapolicycoreutils/scripts/fixfiles 2005-01-26 11:30:57.000000000 -0500 +++ policycoreutils-1.21.5/scripts/fixfiles 2005-01-28 11:16:21.000000000 -0500
@@ -37,10 +37,12 @@ SELINUXTYPE="targeted" if [ -e /etc/selinux/config ]; then . /etc/selinux/config + FILE_CONTEXT=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts FC=`mktemp /etc/selinux/${SELINUXTYPE}/contexts/files/file_context.XXXXXX` - cat /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local > $FC 2> /dev/null + cat ${FILE_CONTEXT} ${FILE_CONTEXT}.local > $FC 2> /dev/null else - FC=/etc/security/selinux/file_contexts + FILE_CONTEXT=/etc/security/selinux/file_contexts + FC=${FILE_CONTEXT} fi cleanup() { @@ -60,7 +62,24 @@ echo $1 >> $LOGFILE fi } - +# +# Compare PREVious File Context to currently installed File Context and +# run restorecon on all files affected by the differences. +# +diff_filecontext() { +if [ -f ${PREFC} -a -x /usr/bin/diff ]; then + TEMPFILE=`mktemp /var/tmp/${SELINUXTYPE}.XXXXXXXXXX` + test -z "$TEMPFILE" && exit + /usr/bin/diff $PREFC $FILE_CONTEXT | egrep '^[<>]'|cut -c3-| grep ^/ | \ + sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \ + -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \ + while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};; esac; fi; done | \ + while read pattern ; do find $pattern -print; done 2> /dev/null | \ + ${RESTORECON} $2 -v -f - + rm -f ${TEMPFILE} +fi +} # # Log all Read Only file systems # @@ -80,6 +99,10 @@ # if called with -n will only check file context # restore () { +if [ ! -z "$PREFC" ]; then + diff_filecontext $1 + exit $? +fi if [ ! -z "$RPMFILES" ]; then for i in `echo $RPMFILES | sed 's/,/ /g'`; do rpmlist $i | ${RESTORECON} ${OUTFILES} -R $1 -v -f - 2>&1 >> $LOGFILE 
@@ -128,7 +151,7 @@ usage() { echo $"Usage: $0 [-l logfile ] [-o outputfile ] { check | restore|[-F] relabel } [[dir] ... ] " echo or - echo $"Usage: $0 -R rpmpackage[,rpmpackage...] [-l logfile ] [-o outputfile ] { check | restore }" + echo $"Usage: $0 -R rpmpackage[,rpmpackage...] -C PREVIOUS_FILECONTEXT [-l logfile ] [-o outputfile ] { check | restore }" } if [ $# = 0 ]; then @@ -137,7 +160,7 @@ fi # See how we were called. -while getopts "Fo:R:l:" i; do +while getopts "C:Fo:R:l:" i; do case "$i" in F) fullFlag=1 @@ -151,6 +174,9 @@ l) LOGFILE=$OPTARG ;; + C) + PREFC=$OPTARG + ;; *) usage exit 1
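Review bot: in the restorecon.c hunk, swapping `exit(1)` for `errors++` on the "error while labeling files under %s" path only helps callers if `errors` still drives the exit status, and the hunk does not show that; confirm restorecon exits non-zero when errors > 0, because fixfiles does `exit $?` straight after it and a silent 0 would hide a partially failed relabel.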
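Review bot: in the @@ -37 hunk, `cat ${FILE_CONTEXT} ${FILE_CONTEXT}.local > $FC 2> /dev/null` hides a missing or unreadable file_contexts just as it hides the optional .local, and `$FC` from mktemp is never checked before the redirect; test `-s "$FILE_CONTEXT"` and `-n "$FC"` first so setfiles is not handed an empty spec.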
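Review bot: in the diff_filecontext hunk, the function is called as `diff_filecontext $1` but hands `$2` to restorecon (`${RESTORECON} $2 -v -f -`), so the `-n` that the check command supplies via `restore -n` is dropped and a check run will actually relabel; pass `$1`. Two smaller points in the same hunk: `test -z "$TEMPFILE" && exit` exits with status 0 when mktemp fails (exit inherits the status of the successful test), so make it `exit 1`, and the grep -f pattern file is created in /var/tmp rather than beside the spec files it is derived from.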
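Review bot: in the restore() hunk, `exit $?` after `diff_filecontext $1` reports the status of the last command in that function (`rm -f`, or the `if` itself when the `-f ${PREFC}` test fails), never restorecon's; return restorecon's status from diff_filecontext and print a diagnostic when PREFC does not exist, since as written a bad path becomes a silent, successful no-op. The -C branch also runs before the RPMFILES and DIRS branches, so `-R` and directory arguments are ignored without warning when -C is given.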
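Review bot: the new usage line presents -R and -C as one combined form, but restore() takes the -C branch first and ignores RPMFILES; give -C its own line, e.g. `Usage: $0 -C PREVIOUS_FILECONTEXT [-l logfile ] [-o outputfile ] { check | restore }`.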
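Review bot: in the getopts hunk, `PREFC=$OPTARG` is stored without validation and the only later check is the silent `-f ${PREFC}` test inside diff_filecontext; verify `[ -f "$OPTARG" ]` here and exit 1 with a message otherwise, so a mistyped spec path fails loudly instead of doing nothing.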
* Re: Patch to policycoreutils
From: Stephen Smalley @ 2005-01-28 19:51 UTC
To: Daniel J Walsh; +Cc: SELinux

On Fri, 2005-01-28 at 11:29, Daniel J Walsh wrote:
> Added new fixfiles -C PREVIOUS_FILECONTEXT (RESTORE | CHECK)
>
> Which will take an old version of the file_context file and the
> currently installed one and do a diff. Then it will run a recursive
> restorecon on all files covered by the difference. The idea here is
> to potentially call this function from within policy spec files on
> updates. So if the file_context file changes on update, the file
> context on disk will be updated.

Interesting idea, although textual diffs of file_contexts may not be adequate.

> diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.21.5/scripts/fixfiles > --- nsapolicycoreutils/scripts/fixfiles 2005-01-26 11:30:57.000000000 -0500 > +++ policycoreutils-1.21.5/scripts/fixfiles 2005-01-28 11:16:21.000000000 -0500
> @@ -37,10 +37,12 @@ > SELINUXTYPE="targeted" > if [ -e /etc/selinux/config ]; then > . /etc/selinux/config > + FILE_CONTEXT=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts > FC=`mktemp /etc/selinux/${SELINUXTYPE}/contexts/files/file_context.XXXXXX` > - cat /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local > $FC 2> /dev/null > + cat ${FILE_CONTEXT} ${FILE_CONTEXT}.local > $FC 2> /dev/null > else > - FC=/etc/security/selinux/file_contexts > + FILE_CONTEXT=/etc/security/selinux/file_contexts > + FC=${FILE_CONTEXT} > fi

We no longer need to have fixfiles deal with file_contexts.local with the latest version of setfiles, since setfiles is now using matchpathcon and matchpathcon will internally check it as well.

> +# > +# Compare PREVious File Context to currently installed File Context and > +# run restorecon on all files affected by the differences. > +# > +diff_filecontext() { > +if [ -f ${PREFC} -a -x /usr/bin/diff ]; then > + TEMPFILE=`mktemp /var/tmp/${SELINUXTYPE}.XXXXXXXXXX` > + test -z "$TEMPFILE" && exit > + /usr/bin/diff $PREFC $FILE_CONTEXT | egrep '^[<>]'|cut -c3-| grep ^/ | \ > + sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \ > + -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \ > + while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};; esac; fi; done | \ > + while read pattern ; do find $pattern -print; done 2> /dev/null | \ > + ${RESTORECON} $2 -v -f - > + rm -f ${TEMPFILE} > +fi > +}

Hmmm...I'm a bit concerned about the correctness and robustness of this filter pipeline, as well as with the notion of feeding restorecon from a temporary file. Can you explain the stages in the filter pipeline a bit?
I think it would be preferable to make the temporary file in a directory with the same protections as the file_contexts configuration (i.e. /etc/selinux/${SELINUXTYPE}/contexts/files).

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
* Re: Patch to policycoreutils
From: Daniel J Walsh @ 2005-01-28 20:25 UTC
To: Stephen Smalley; +Cc: SELinux

Stephen Smalley wrote:
>On Fri, 2005-01-28 at 11:29, Daniel J Walsh wrote:
>>Added new fixfiles -C PREVIOUS_FILECONTEXT (RESTORE | CHECK)
>>
>>Which will take an old version of the file_context file and the
>>currently installed one and do a diff. Then it will run a recursive
>>restorecon on all files covered by the difference. The idea here is
>>to potentially call this function from within policy spec files on
>>updates. So if the file_context file changes on update, the file
>>context on disk will be updated.
>
>Interesting idea, although textual diffs of file_contexts may not be
>adequate.
>
>>diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.21.5/scripts/fixfiles >>--- nsapolicycoreutils/scripts/fixfiles 2005-01-26 11:30:57.000000000 -0500 >>+++ policycoreutils-1.21.5/scripts/fixfiles 2005-01-28 11:16:21.000000000 -0500
>>@@ -37,10 +37,12 @@ >> SELINUXTYPE="targeted" >> if [ -e /etc/selinux/config ]; then >> . /etc/selinux/config >>+ FILE_CONTEXT=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts >> FC=`mktemp /etc/selinux/${SELINUXTYPE}/contexts/files/file_context.XXXXXX` >>- cat /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local > $FC 2> /dev/null >>+ cat ${FILE_CONTEXT} ${FILE_CONTEXT}.local > $FC 2> /dev/null >> else >>- FC=/etc/security/selinux/file_contexts >>+ FILE_CONTEXT=/etc/security/selinux/file_contexts >>+ FC=${FILE_CONTEXT} >> fi >> >> > >We no longer need to have fixfiles deal with file_contexts.local with >the latest version of setfiles, since setfiles is now using matchpathcon >and matchpathcon will internally check it as well. > > > >>+# >>+# Compare PREVious File Context to currently installed File Context and >>+# run restorecon on all files affected by the differences. >>+# >>+diff_filecontext() { >>+if [ -f ${PREFC} -a -x /usr/bin/diff ]; then >>+ TEMPFILE=`mktemp /var/tmp/${SELINUXTYPE}.XXXXXXXXXX` >>+ test -z "$TEMPFILE" && exit >>+ /usr/bin/diff $PREFC $FILE_CONTEXT | egrep '^[<>]'|cut -c3-| grep ^/ | \ >>+ sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \ >>+ -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \ >>+ while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};; esac; fi; done | \ >>+ while read pattern ; do find $pattern -print; done 2> /dev/null | \ >>+ ${RESTORECON} $2 -v -f - >>+ rm -f ${TEMPFILE} >>+fi >>+} >> >> > >Hmmm...I'm a bit concerned about the correctness and robustness of this >filter pipeline, as well as with the notion of feeding restorecon from a >temporary file. Can you explain the stages in the filter pipeline a >bit? 
>I think it would be preferable to make the temporary file in a
>directory with the same protections as the file_contexts configuration
>(i.e. /etc/selinux/${SELINUXTYPE}/contexts/files).
>

I have attached an updated fixfiles. TEMP FILE will not be in the /etc/selinux/${SELINUXTYPE}/contexts/files directory. Also changed it to have restorecon to do the recursing instead of find.

Basically the pipeline is finding all files with a < or > output by diff, then it is looking for the first occurrence of a regular expression and replacing it with a "*". Next it is checking if there is any overlap. IE

/usr
/usr/bin/postgres

Only needs /usr since we are going to do a recursive restore. Then restorecon will recurse on whatever it gets. Worst case we end up doing a restorecon -R / :^( Best case we have a minor change in policy and we end up with restorecon /usr/bin/pg*

Probably should change the script to avoid recursing over /tmp, /var/tmp and /home...

[-- Attachment #2: fixfiles --]

#!/bin/sh
# fixfiles
#
# Script to restore labels on a SELinux box
#
# Copyright (C) 2004 Red Hat, Inc.
# Authors: Dan Walsh <dwalsh@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Set global Variables
#
fullFlag=0
DIRS=""
RPMFILES=""
OUTFILES=""
LOGFILE=/dev/null
SYSLOGFLAG="-l"
SETFILES=/usr/sbin/setfiles
RESTORECON=/sbin/restorecon
FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(rw/{print $3}';`
FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(ro/{print $3}';`
FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
SELINUXTYPE="targeted"
if [ -e /etc/selinux/config ]; then
    . /etc/selinux/config
    FILE_CONTEXT=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts
    FC=`mktemp /etc/selinux/${SELINUXTYPE}/contexts/files/file_context.XXXXXX`
    cat ${FILE_CONTEXT} ${FILE_CONTEXT}.local > $FC 2> /dev/null
else
    FILE_CONTEXT=/etc/security/selinux/file_contexts
    FC=${FILE_CONTEXT}
fi
cleanup() {
    if [ -e /etc/selinux/config -a -f "$FC" ]; then
        rm -f $FC
    fi
}
trap "cleanup" 0 1 2 3 13 15
#
# Log to either syslog or a LOGFILE
#
logit () {
if [ -z $LOGFILE ]; then
    logger -i $1
else
    echo $1 >> $LOGFILE
fi
}
#
# Compare PREVious File Context to currently installed File Context and
# run restorecon on all files affected by the differences.
#
diff_filecontext() {
if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
    TEMPFILE=`mktemp ${FILE_CONTEXT}.XXXXXXXXXX`
    test -z "$TEMPFILE" && exit
    /usr/bin/diff $PREFC $FILE_CONTEXT | egrep '^[<>]'|cut -c3-| grep ^/ | \
    sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \
        -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \
    while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};; esac; fi; done | \
    while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \
    ${RESTORECON} $2 -v -f -R -
    rm -f ${TEMPFILE}
fi
}
#
# Log all Read Only file systems
#
LogReadOnly() {
if [ ! -z "$FILESYSTEMSRO" ]; then
    logit "Warning: Skipping the following R/O filesystems:"
    logit "$FILESYSTEMSRO"
fi
}
rpmlist() {
rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
}
#
# restore
# if called with -n will only check file context
#
restore () {
if [ ! -z "$PREFC" ]; then
    diff_filecontext $1
    exit $?
fi
if [ ! -z "$RPMFILES" ]; then
    for i in `echo $RPMFILES | sed 's/,/ /g'`; do
        rpmlist $i | ${RESTORECON} ${OUTFILES} -R $1 -v -f - 2>&1 >> $LOGFILE
    done
    exit $?
fi
if [ ! -z "$DIRS" ]; then
    ${RESTORECON} ${OUTFILES} -R $1 -v $DIRS 2>&1 >> $LOGFILE
    exit $?
fi
LogReadOnly
${SETFILES} ${OUTFILES} ${SYSLOGFLAG} $1 -v ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
exit $?
}
fullrelabel() {
    logit "Cleaning out /tmp"
    rm -rf /tmp/.??* /tmp/*
    LogReadOnly
    restore
}
relabel() {
    if [ ! -z "$RPMFILES" ]; then
        restore
    fi
    if [ $fullFlag == 1 ]; then
        fullrelabel
    fi
    echo -n "
    Files in the /tmp directory may be labeled incorrectly, this command
    can remove all files in /tmp.  If you choose to remove files from /tmp,
    a reboot will be required after completion.

    Do you wish to clean out the /tmp directory [N]? "
    read answer
    if [ "$answer" = y -o "$answer" = Y ]; then
        fullrelabel
    else
        restore
    fi
}
usage() {
    echo $"Usage: $0 [-l logfile ] [-o outputfile ] { check | restore|[-F] relabel } [[dir] ... ] "
    echo or
    echo $"Usage: $0 -R rpmpackage[,r pmpackage...] -C PREVIOUS_FILECONTEXT [-l logfile ] [-o outputfile ] { check | restore }"
}
if [ $# = 0 ]; then
    usage
    exit 1
fi
# See how we were called.
while getopts "C:Fo:R:l:" i; do
    case "$i" in
        F)
            fullFlag=1
            ;;
        R)
            RPMFILES=$OPTARG
            ;;
        o)
            OUTFILES=$OPTARG
            ;;
        l)
            LOGFILE=$OPTARG
            ;;
        C)
            PREFC=$OPTARG
            ;;
        *)
            usage
            exit 1
    esac
done
# Check for the command
eval command=\$${OPTIND}
let OPTIND=$OPTIND+1
if [ -z $command ]; then
    usage
fi
#
# check if they specified both DIRS and RPMFILES
#
if [ ! -z $RPMFILES ]; then
    if [ $OPTIND -le $# ]; then
        usage
    fi
else
    while [ $OPTIND -le $# ]; do
        eval DIR=\$${OPTIND}
        DIRS="$DIRS $DIR"
        let OPTIND=$OPTIND+1
    done
fi
#
# Make sure they specified one of the three valid commands
#
case "$command" in
    restore) restore ;;
    check) restore -n ;;
    relabel) relabel;;
    *)
        usage
        exit 1
esac
* Re: Patch to policycoreutils
From: Stephen Smalley @ 2005-01-28 20:30 UTC
To: Daniel J Walsh; +Cc: SELinux

On Fri, 2005-01-28 at 15:25, Daniel J Walsh wrote:
> I have attached an updated fixfiles. TEMP FILE will now be in the
> /etc/selinux/${SELINUXTYPE}/contexts/files directory.
> Also changed it to have restorecon to do the recursing instead of find.

Patch below removes the temporary file for file_contexts and file_contexts.local, as that will no longer be needed with the new setfiles.

--- policycoreutils/scripts/fixfiles.dan 2005-01-28 15:33:11.269307680 -0500 +++ policycoreutils/scripts/fixfiles 2005-01-28 15:29:54.606205016 -0500 @@ -37,21 +37,11 @@ SELINUXTYPE="targeted" if [ -e /etc/selinux/config ]; then . /etc/selinux/config - FILE_CONTEXT=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts - FC=`mktemp /etc/selinux/${SELINUXTYPE}/contexts/files/file_context.XXXXXX` - cat ${FILE_CONTEXT} ${FILE_CONTEXT}.local > $FC 2> /dev/null + FC=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts else - FILE_CONTEXT=/etc/security/selinux/file_contexts - FC=${FILE_CONTEXT} + FC=/etc/security/selinux/file_contexts fi -cleanup() { - if [ -e /etc/selinux/config -a -f "$FC" ]; then - rm -f $FC - fi -} -trap "cleanup" 0 1 2 3 13 15 - # # Log to either syslog or a LOGFILE #
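Review bot: dropping `cleanup()` and the `trap "cleanup" 0 1 2 3 13 15` is fine for $FC, which is now a real file, but it leaves the script with no signal cleanup at all while diff_filecontext still creates `${FC}.XXXXXXXXXX` next to the spec and only removes it on the normal path; keep a trap that removes that TEMPFILE so an interrupted run does not leave stray files under /etc/selinux/${SELINUXTYPE}/contexts/files.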
@@ -68,9 +58,9 @@ # diff_filecontext() { if [ -f ${PREFC} -a -x /usr/bin/diff ]; then - TEMPFILE=`mktemp ${FILE_CONTEXT}.XXXXXXXXXX` + TEMPFILE=`mktemp ${FC}.XXXXXXXXXX` test -z "$TEMPFILE" && exit - /usr/bin/diff $PREFC $FILE_CONTEXT | egrep '^[<>]'|cut -c3-| grep ^/ | \ + /usr/bin/diff $PREFC $FC | egrep '^[<>]'|cut -c3-| grep ^/ | \ sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \ -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \ while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};; esac; fi; done | \

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency
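Review bot: with the `.local` concatenation removed, `/usr/bin/diff $PREFC $FC` now compares only the main file_contexts, so an update that changes file_contexts.local alone produces no relabel even though setfiles/matchpathcon honour that file; either diff both files against their previous versions or state in the usage text that -C covers the main spec only.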
* Re: Patch to policycoreutils
From: Stephen Smalley @ 2005-01-31 14:14 UTC
To: Daniel J Walsh; +Cc: SELinux

On Fri, 2005-01-28 at 15:25, Daniel J Walsh wrote:
> diff_filecontext() {
> if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
>     TEMPFILE=`mktemp ${FILE_CONTEXT}.XXXXXXXXXX`
>     test -z "$TEMPFILE" && exit
>     /usr/bin/diff $PREFC $FILE_CONTEXT | egrep '^[<>]'|cut -c3-| grep ^/ | \
>     sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \
>         -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \
>     while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};; esac; fi; done | \
>     while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \
>     ${RESTORECON} $2 -v -f -R -
>     rm -f ${TEMPFILE}
> fi
> }

To try to understand this better, I split the pipeline and wrote each stage into a separate temporary file, then looked at diffs between each pair of stages. I'm not sure if the filter pipeline is functioning as you intend, e.g.:

1) The first sed substitution changes:
/var/tmp/vi\.recover -d system_u:object_r:tmp_t
to:
/var/tmp/vi*

A \. is not a regex; it is a regular dot character, so I would have expected you to just remove the backslash for passing along to restorecon.

2) The second sed substitution changes:
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- system_u:object_r:bin_t
to:
/usr/lib*

This is due to sed itself performing regex matching for the .* sequence, i.e. it consumes anything after an open parens. Possibly you could escape it if that is what you intended, e.g. \.\*.

Similar issues with the other substitutions that are using .*, I think, e.g.
changing:
/usr/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t
to:
/usr/bin/*

But the shell would have correctly handled /usr/bin/[xgkw]dm without any change at all.

Also seems to have a problem with the /u?dev entries, changing:
/u?dev/microcode
to:
/u*

which won't actually catch /dev nodes.

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency
* Re: Patch to policycoreutils
From: Daniel J Walsh @ 2005-01-31 15:13 UTC
To: Stephen Smalley; +Cc: SELinux

Stephen Smalley wrote:
>On Fri, 2005-01-28 at 15:25, Daniel J Walsh wrote:
>>diff_filecontext() {
>>if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
>>    TEMPFILE=`mktemp ${FILE_CONTEXT}.XXXXXXXXXX`
>>    test -z "$TEMPFILE" && exit
>>    /usr/bin/diff $PREFC $FILE_CONTEXT | egrep '^[<>]'|cut -c3-| grep ^/ | \
>>    sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \
>>        -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \
>>    while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};; esac; fi; done | \
>>    while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \
>>    ${RESTORECON} $2 -v -f -R -
>>    rm -f ${TEMPFILE}
>>fi
>>}
>
>To try to understand this better, I split the pipeline and wrote each
>stage into a separate temporary file, then looked at diffs between each
>pair of stages. I'm not sure if the filter pipeline is functioning as
>you intend, e.g.:
>
>1) The first sed substitution changes:
>/var/tmp/vi\.recover -d system_u:object_r:tmp_t
>to:
>/var/tmp/vi*
>

This looks good.

>A \. is not a regex; it is a regular dot character, so I would have
>expected you to just remove the backslash for passing along to
>restorecon.
>
>2) The second sed substitution changes:
>/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- system_u:object_r:bin_t
>to:
>/usr/lib*
>
>This is due to sed itself performing regex matching for the .* sequence,
>i.e. it consumes anything after an open parens. Possibly you could
>escape it if that is what you intended, e.g. \.\*.
>

Huh? You need to match both /usr/lib/ and /usr/lib64/, so I don't see any way of doing this without /usr/lib*

>Similar issues with the other substitutions that are using .*, I think,
>e.g. changing:
>/usr/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t
>to:
>/usr/bin/*
>
>But the shell would have correctly handled /usr/bin/[xgkw]dm without any
>change at all.
>

But there is lots of other stuff that could be in between the [], correct?

>Also seems to have a problem with the /u?dev entries, changing:
>/u?dev/microcode
>to:
>/u*
>
>which won't actually catch /dev nodes.
>

Yes, good catch. First off we should remove /u?dev and switch to /dev in policy since this was only a pre-fc3 problem. But as in the other message, any sed experts who can change

/u*dev --> /{u,}dev

Dan
* Re: Patch to policycoreutils
From: Stephen Smalley @ 2005-01-31 15:27 UTC
To: Daniel J Walsh; +Cc: SELinux

On Mon, 2005-01-31 at 10:13, Daniel J Walsh wrote:
> >1) The first sed substitution changes:
> >/var/tmp/vi\.recover -d system_u:object_r:tmp_t
> >to:
> >/var/tmp/vi*
> >
> This looks good.

i.e. We can drop the first substitution entirely, right? Shell will correctly handle \. as is.

> >2) The second sed substitution changes:
> >/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- system_u:object_r:bin_t
> >to:
> >/usr/lib*
> >
> >This is due to sed itself performing regex matching for the .* sequence,
> >i.e. it consumes anything after an open parens. Possibly you could
> >escape it if that is what you intended, e.g. \.\*.
> >
> Huh? You need to match both /usr/lib/ and /usr/lib64/, so I don't see
> any way of doing this without /usr/lib*

Possibly /usr/lib{64,}/*thunderbird*/thunderbird. The point being that we don't need to relabel all of /usr/lib here.

> >Similar issues with the other substitutions that are using .*, I think,
> >e.g. changing:
> >/usr/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t
> >to:
> >/usr/bin/*
> >
> >But the shell would have correctly handled /usr/bin/[xgkw]dm without any
> >change at all.
> >
> But there is lots of other stuff that could be in between the [], correct?

Yes, we would have to distinguish the cases that can be handled by the shell vs. the use of other regex metacharacters within the brackets.

> Yes, good catch. First off we should remove /u?dev and switch to /dev
> in policy since this was only a pre-fc3 problem. But as in the other
> message, any sed experts who can change
>
> /u*dev --> /{u,}dev

More generally, we would want to replace x? or (x)? with {x,}. Might be easier to do in perl or other languages than just sed.
-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency
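For the regex-to-glob problem Stephen walks through above, and the overlap pruning Dan describes earlier in the thread, here is an added Python example (not part of the thread and not policycoreutils code) that does the translation one token at a time instead of with sed; the spec fragments and type names in it are constructed for the example.

```python
"""Added example, not policycoreutils code: a Python stand-in for the sed
pipeline discussed above.  '(64)?' becomes two alternatives, '\\.' stays a
dot, '[xgkw]' is kept and 'u?dev' gives /dev and /udev; repetition (.*,
[^/]*, x+) collapses to '*', so it over-matches instead of skipping paths."""

GLOB_META = set("*?[")
EXCLUDED = ("/root", "/home", "/tmp", "/var/tmp")   # Dan's grep -v list


def _lit(ch):
    """Quote a character so the shell glob treats it literally."""
    return "[" + ch + "]" if ch in GLOB_META else ch


def _alternatives(inner):
    """Split a group body on top-level '|'."""
    alts, depth, cur = [], 0, ""
    for ch in inner:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if ch == "|" and depth == 0:
            alts, cur = alts + [cur], ""
        else:
            cur += ch
    return alts + [cur]


def regex_to_globs(rx):
    """Expand one file_contexts path regex into the shell globs it covers."""
    outs, i, n = [""], 0, len(rx)
    while i < n:
        ch = rx[i]
        if ch == "\\" and i + 1 < n:                 # escaped char is literal
            pieces, i = [_lit(rx[i + 1])], i + 2
        elif ch == "(":                               # group, maybe optional
            depth, j = 1, i + 1
            while j < n and depth:
                depth += {"(": 1, ")": -1}.get(rx[j], 0)
                j += 1
            pieces = [g for alt in _alternatives(rx[i + 1:j - 1])
                      for g in regex_to_globs(alt)]
            i = j
        elif ch == "[" and rx.find("]", i + 2) > 0:   # bracket expression
            j = rx.find("]", i + 2)
            body = rx[i + 1:j]
            pieces = ["[!" + body[1:] + "]" if body[:1] == "^" else "[" + body + "]"]
            i = j + 1
        elif ch == ".":                               # any single character
            pieces, i = ["?"], i + 1
        elif ch in "^$":                              # anchors add no text
            i += 1
            continue
        else:
            pieces, i = [_lit(ch)], i + 1
        if i < n and rx[i] in "*+":                   # repetition -> '*'
            pieces, i = ["*"], i + 1
        elif i < n and rx[i] == "?":                  # optional: with/without
            pieces, i = pieces + [""], i + 1
        outs = [o + p for o in outs for p in pieces]
    return sorted(set(outs))


def recursion_root(glob):
    """Literal directory 'restorecon -R' would start from for this glob."""
    metas = [glob.find(m) for m in GLOB_META if m in glob]
    return glob if not metas else glob[:min(metas)].rsplit("/", 1)[0] or "/"


def prune_nested(roots):
    """Drop roots inside another root (Dan's /usr vs /usr/bin/postgres)."""
    kept = []
    for r in sorted(set(roots)):
        if not any(r == k or r.startswith(k.rstrip("/") + "/") for k in kept):
            kept.append(r)
    return kept


def restorecon_targets(old_fc, new_fc):
    """Entries in only one of two specs (diff's < and > lines) -> roots."""
    changed = set(old_fc.splitlines()) ^ set(new_fc.splitlines())
    roots = [recursion_root(g) for line in changed if line.startswith("/")
             for g in regex_to_globs(line.split()[0])
             if not any(g == p or g.startswith(p + "/") for p in EXCLUDED)]
    return prune_nested(roots)


# Constructed before/after spec fragments; the type names are illustrative.
OLD_FC = """\
# constructed sample
/var/tmp/vi\\.recover\t-d\tsystem_u:object_r:tmp_t
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird\t--\tsystem_u:object_r:bin_t
/usr/bin/[xgkw]dm\t--\tsystem_u:object_r:xdm_exec_t
/u?dev/microcode\t-c\tsystem_u:object_r:device_t
/home/[^/]*/\\.ssh(/.*)?\tsystem_u:object_r:user_home_ssh_t
"""
NEW_FC = (OLD_FC.replace("object_r:bin_t", "object_r:thunderbird_exec_t")
          .replace("/u?dev/", "/dev/").replace("user_home_ssh_t", "home_ssh_t"))

if __name__ == "__main__":
    for root in restorecon_targets(OLD_FC, NEW_FC):
        print("restorecon -R -v", root)
```

Run stand-alone it prints one restorecon -R line per pruned root for the constructed spec change; the /home entry is filtered out even though it differs, and the /u?dev entry yields both /dev and /udev.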
* Re: Patch to policycoreutils
From: Daniel J Walsh @ 2005-01-31 18:49 UTC
To: Stephen Smalley; +Cc: SELinux

[-- Attachment #2: policycoreutils-rhat.patch --]

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.21.9/scripts/fixfiles --- nsapolicycoreutils/scripts/fixfiles 2005-01-31 09:49:15.000000000 -0500 +++ policycoreutils-1.21.9/scripts/fixfiles 2005-01-31 13:39:27.000000000 -0500 @@ -60,12 +60,20 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then TEMPFILE=`mktemp ${FC}.XXXXXXXXXX` test -z "$TEMPFILE" && exit - /usr/bin/diff $PREFC $FC | egrep '^[<>]'|cut -c3-| grep ^/ | \ - sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \ - -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \ + /usr/bin/diff $PREFC $FC | grep '^[<>]'|cut -c3-| grep ^/ | \ + grep -v -e ^/root -e ^/home -e ^/tmp -e ^/var/tmp | \ + sed -r -e 's|\(([/?[:alnum:]]+)\)\?|{\1,}|g' \ + -e 's|([[:alnum:]])\?|{\1,}|g' \ + -e 's,\(.*,*,g' -e 's,\[.*,*,g' \ + -e 's,[[:blank:]].*,,g' \ + -e 's,\?.*,*,g' \ + -e 's,\.\*,*,g' \ + -e 's,\(.*,*,g' \ + -e 's,\[.*,*,g' | \ + sort -u | \ while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};; esac; fi; done | \ while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \ - ${RESTORECON} $2 -v -f -R - + ${RESTORECON} -R $2 -v -f - rm -f ${TEMPFILE} fi }
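Review bot: the `{\1,}` rewrites (`s|\(([/?[:alnum:]]+)\)\?|{\1,}|g` and `s|([[:alnum:]])\?|{\1,}|g`) cannot work as written, because the shell performs brace expansion before parameter expansion: `find $pattern -maxdepth 0 -print` receives the literal string `/usr/lib{64,}/...`, which matches nothing, so exactly the entries this was meant to fix are now dropped silently. Emit one line per alternative from the `while read pattern` loop instead of relying on braces inside a variable. Also `${RESTORECON} -R $2 -v -f -` still uses `$2` although the function is invoked with a single argument, so check mode never reaches restorecon; `sed -r` is GNU-specific; and the `\(.*` and `\[.*` substitutions appear twice.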
* Re: Patch to policycoreutils
From: Stephen Smalley @ 2005-02-01 14:22 UTC
To: Daniel J Walsh; +Cc: SELinux

On Mon, 2005-01-31 at 13:49, Daniel J Walsh wrote:
> + /usr/bin/diff $PREFC $FC | grep '^[<>]'|cut -c3-| grep ^/ | \ > + grep -v -e ^/root -e ^/home -e ^/tmp -e ^/var/tmp | \ > + sed -r -e 's|\(([/?[:alnum:]]+)\)\?|{\1,}|g' \ > + -e 's|([[:alnum:]])\?|{\1,}|g' \ > + -e 's,\(.*,*,g' -e 's,\[.*,*,g' \ > + -e 's,[[:blank:]].*,,g' \ > + -e 's,\?.*,*,g' \ > + -e 's,\.\*,*,g' \ > + -e 's,\(.*,*,g' \ > + -e 's,\[.*,*,g' | \

Minor: You have duplicate \(.* and \[.* substitutions above, once with both on the same line and then separately immediately above.

> + sort -u | \ > while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};; esac; fi; done | \ > while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \

The find command can end up re-introducing /root, /tmp, and /home if / is in the input patterns, so you may want to move the grep -v command down to the end of the pipeline. tmp directories are likely ok anyway, as file_contexts specifies <<none>> for them already (so restorecon shouldn't relabel them even if they are passed). Further, the find command ends up re-introducing duplication; even though / was included in my test, it also ended up generating a list of other directories directly in / that were not separate filesystems.

As a side note, I experimented with this by splitting the pipeline up and writing the output of each stage to a separate temporary file, then diff'ing each pair of temporary files to see the effect of each stage. I wanted to force it to be applied to all file_contexts entries as a degenerate case, so I initially tried passing -C /dev/null, but that didn't seem to work (possibly fails the -f test), so I instead use a MLS vs. non-MLS file_contexts to ensure that every line differed (due to the MLS level field).

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency
* patch to policycoreutils
From: Daniel J Walsh @ 2009-04-01 14:10 UTC
To: SE Linux

Multiple patches to policycoreutils.

First added /root/.ssh and /root/.ssh/* to allow people to place keys in /root directory and have them labeled by restorecond

Fix transaction handling in semanage so you can update multiple records simultaneously.

Clean up permissive domains creation in semanage so it does not leave crap in /var/lib/selinux

[-- Attachment #2: diff --]

diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.62/restorecond/restorecond.conf --- nsapolicycoreutils/restorecond/restorecond.conf 2009-02-18 16:44:47.000000000 -0500 +++ policycoreutils-2.0.62/restorecond/restorecond.conf 2009-02-23 11:32:21.000000000 -0500 @@ -5,3 +5,7 @@ /var/run/utmp /var/log/wtmp ~/* +/root/.ssh +/root/.ssh/* + + diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.62/scripts/fixfiles --- nsapolicycoreutils/scripts/fixfiles 2009-02-18 16:44:47.000000000 -0500 +++ policycoreutils-2.0.62/scripts/fixfiles 2009-02-19 10:07:49.000000000 -0500
@@ -122,7 +122,7 @@ fi if [ ! -z "$RPMFILES" ]; then for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do - rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -i -f - 2>&1 >> $LOGFILE + rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -R -i -f - 2>&1 >> $LOGFILE done exit $? fi diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.62/semanage/semanage --- nsapolicycoreutils/semanage/semanage 2009-02-18 16:44:47.000000000 -0500 +++ policycoreutils-2.0.62/semanage/semanage 2009-03-12 09:22:45.000000000 -0400 @@ -464,10 +464,10 @@ else: fd = open(input, 'r') trans = seobject.semanageRecords(store) - trans.begin() + trans.start() for l in fd.readlines(): process_args(mkargv(l)) - trans.commit() + trans.finish() else: process_args(sys.argv[1:]) diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.62/semanage/seobject.py --- nsapolicycoreutils/semanage/seobject.py 2008-11-14 17:10:15.000000000 -0500 +++ policycoreutils-2.0.62/semanage/seobject.py 2009-03-31 08:54:25.000000000 -0400 @@ -281,15 +281,20 @@ global handle if handle != None: - self.transaction = True self.sh = handle else: self.sh=get_handle(store) - self.transaction = False + self.transaction = False def deleteall(self): raise ValueError(_("Not yet implemented")) + def start(self): + if self.transaction: + raise ValueError(_("Semanage transaction already in progress")) + self.begin() + self.transaction = True + def begin(self): if self.transaction: return @@ -303,6 +308,12 @@ if rc < 0: raise ValueError(_("Could not commit semanage transaction")) + def finish(self): + if not self.transaction: + raise ValueError(_("Semanage transaction not in progress")) + self.transaction = False + self.commit() + class permissiveRecords(semanageRecords): def __init__(self, store): semanageRecords.__init__(self, store) 
@@ -328,6 +339,7 @@ def add(self, type): + import glob name = "permissive_%s" % type dirname = "/var/lib/selinux" os.chdir(dirname) @@ -351,16 +363,19 @@ fd.close() rc = semanage_module_install(self.sh, data, len(data)); - if rc < 0: - raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name) - - self.commit() + if rc >= 0: + self.commit() for root, dirs, files in os.walk("tmp", topdown=False): for name in files: os.remove(os.path.join(root, name)) for name in dirs: os.rmdir(os.path.join(root, name)) + os.removedirs("tmp") + for i in glob.glob("permissive_%s.*" % type): + os.remove(i) + if rc < 0: + raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name) def delete(self, name): for n in name.split():
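Review bot: the restorecond.conf hunk adds two empty lines after `/root/.ssh/*` (the two bare `+` lines at the end of the hunk); drop them so the list of watched paths ends at the last entry rather than at trailing blank lines. The two new entries themselves follow the form of the existing `~/*` line, so `/root/.ssh/*` covers files placed directly in that directory, which is what the cover text asks for.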
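Review bot: the `-R` added to the rpm-file branch of fixfiles is not explained anywhere in the patch description, and the reason given later in the thread (a package that owns a directory such as /var/lib/libvirt/images should have that directory's contents relabeled, not only the directory itself) belongs in the description so a reader of the log does not have to ask. On the same line, `2>&1 >> $LOGFILE` is applied left to right, so restorecon's stderr goes to the original stdout and only its stdout lands in $LOGFILE; `>> $LOGFILE 2>&1` would capture the errors as well. That ordering is pre-existing, but the line is being rewritten here anyway.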
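Review bot: in the semanage hunk, an exception from `process_args` on a malformed line of the input file escapes the loop with `trans.start()` called and `trans.finish()` never reached, and `fd` is not closed either. Decide explicitly whether one bad line should discard the whole batch (catch the error, report it and exit without calling `finish()`) or commit the lines processed so far, and write that choice into the code with a try/except around the loop; as written, the outcome is left to whatever happens to the open handle at interpreter exit.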
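Review bot: in the `semanageRecords.__init__` hunk, `self.transaction` is now False in both branches, where the shared-`handle` branch previously set it True; since `begin()` returns early when the flag is set (visible just below in the same hunk), a records object built on the shared handle used to skip its own begin/commit and now no longer does. If `start()` on the outer object is what keeps those per-record begin/commit calls from committing in the middle of a `start()`/`finish()` batch, say so in a comment next to `start()`; otherwise every record processed inside the batch still commits individually and the "update multiple records" fix would not do what the cover text says. Also, `start()` has no counterpart to abandon a transaction, so an error after `start()` has no rollback path in this API.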
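Review bot: `finish()` clears `self.transaction` before calling `self.commit()` (needed if `commit()` mirrors `begin()` and returns early while the flag is set), but that means a commit failure, which raises the "Could not commit semanage transaction" ValueError shown at the top of this hunk, leaves the object reporting no transaction while libsemanage may still hold the open one; a second `finish()` would then raise "not in progress" instead of retrying. Restore the flag in an `except` clause before re-raising, or document that a failed `finish()` abandons the batch.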
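Review bot: `import glob` added inside `permissiveRecords.add()` belongs at module scope with the other imports in seobject.py; importing inside the method hides the dependency and is re-executed (cheaply, but needlessly) on every call.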
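Review bot: in the cleanup hunk of `permissiveRecords.add()`, the temporary files are only removed when `self.commit()` returns normally: `commit()` raises on failure (see the "Could not commit semanage transaction" path in the earlier hunk), and that raise happens before the `os.walk("tmp", ...)` loop, so a failed commit leaves the `tmp` tree and the `permissive_<type>.*` files behind in /var/lib/selinux, exactly the leftovers this patch sets out to remove. Moving the `rc < 0` raise after the cleanup handles the install-failure case, but the commit-failure case needs the same treatment: put the cleanup in a `try`/`finally` around the install and commit, or run it before `self.commit()`. Note also that `os.chdir(dirname)` above this hunk leaves the process working directory changed after `add()` returns.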
* Re: patch to policycoreutils 2009-04-01 14:10 patch " Daniel J Walsh @ 2009-04-22 22:03 ` Chad Sellers 2009-04-23 1:50 ` Daniel J Walsh 0 siblings, 1 reply; 14+ messages in thread From: Chad Sellers @ 2009-04-22 22:03 UTC (permalink / raw) To: Daniel J Walsh, SE Linux On 4/1/09 10:10 AM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: > diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui > --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles > policycoreutils-2.0.62/scripts/fixfiles > --- nsapolicycoreutils/scripts/fixfiles 2009-02-18 16:44:47.000000000 -0500 > +++ policycoreutils-2.0.62/scripts/fixfiles 2009-02-19 10:07:49.000000000 > -0500
> @@ -122,7 +122,7 @@ > fi > if [ ! -z "$RPMFILES" ]; then > for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do > - rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -i -f - 2>&1 >> > $LOGFILE > + rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -R -i -f - 2>&1 >> > $LOGFILE > done > exit $? > fi Not sure I understand this one, and it didn't seem to be mentioned in your comment. You're changing fixfiles to relabel recursively when it's fixing files from an rpm? Wouldn't an rpm already list all the files it owned? <snip due to previously ack'd patch> > @@ -303,6 +308,12 @@ > if rc < 0: > raise ValueError(_("Could not commit semanage > transaction")) > > + def finish(self): > + if not self.transaction: > + raise ValueError(_("Semanage transaction not in > progress")) > + self.transaction = False > + self.commit() > + > class permissiveRecords(semanageRecords): > def __init__(self, store): > semanageRecords.__init__(self, store) > @@ -328,6 +339,7 @@ > > > def add(self, type): > + import glob > name = "permissive_%s" % type > dirname = "/var/lib/selinux" > os.chdir(dirname) 
> @@ -351,16 +363,19 @@ > fd.close() > > rc = semanage_module_install(self.sh, data, len(data)); > - if rc < 0: > - raise ValueError(_("Could not set permissive domain %s (module > installation failed)") % name) > - > - self.commit() > + if rc >= 0: > + self.commit() > > for root, dirs, files in os.walk("tmp", topdown=False): > for name in files: > os.remove(os.path.join(root, name)) > for name in dirs: > os.rmdir(os.path.join(root, name)) > + os.removedirs("tmp") > + for i in glob.glob("permissive_%s.*" % type): > + os.remove(i) > + if rc < 0: > + raise ValueError(_("Could not set permissive domain %s (module > installation failed)") % name) > > def delete(self, name): > for n in name.split(): Other than that one thing, this looks fine to me. Thanks, Chad
* Re: patch to policycoreutils 2009-04-22 22:03 ` Chad Sellers @ 2009-04-23 1:50 ` Daniel J Walsh 2009-04-23 20:01 ` Chad Sellers 0 siblings, 1 reply; 14+ messages in thread From: Daniel J Walsh @ 2009-04-23 1:50 UTC (permalink / raw) To: Chad Sellers; +Cc: SE Linux On 04/22/2009 06:03 PM, Chad Sellers wrote: > Not sure I understand this one, and it didn't seem to be mentioned in your > comment. You're changing fixfiles to relabel recursively when it's fixing > files from an rpm? Wouldn't an rpm already list all the files it owned? If a package owned a directory like /var/lib/libvirt/images, when it is relabeling we would want it to relabel not only the directory but the contents of the directory.
* Re: patch to policycoreutils 2009-04-23 1:50 ` Daniel J Walsh @ 2009-04-23 20:01 ` Chad Sellers 2009-05-18 15:29 ` Joshua Brindle 0 siblings, 1 reply; 14+ messages in thread From: Chad Sellers @ 2009-04-23 20:01 UTC (permalink / raw) To: Daniel J Walsh; +Cc: SE Linux On 4/22/09 9:50 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: > If a package owned a directory like /var/lib/libvirt/images, when it is > relabeling we would want it to relabel not only the directory but the > contents of the directory Makes sense. Acked-by: Chad Sellers <csellers@tresys.com>
* Re: patch to policycoreutils 2009-04-23 20:01 ` Chad Sellers @ 2009-05-18 15:29 ` Joshua Brindle 0 siblings, 0 replies; 14+ messages in thread From: Joshua Brindle @ 2009-05-18 15:29 UTC (permalink / raw) To: Chad Sellers; +Cc: Daniel J Walsh, SE Linux Chad Sellers wrote: > Makes sense. > > Acked-by: Chad Sellers <csellers@tresys.com> Merged in policycoreutils-2.0.63
Thread overview: 14+ messages [not found] <1106927779.32737.59.camel@moss-spartans.epoch.ncsc.mil> 2005-01-28 16:29 ` Patch to policycoreutils Daniel J Walsh 2005-01-28 19:51 ` Stephen Smalley 2005-01-28 20:25 ` Daniel J Walsh 2005-01-28 20:30 ` Stephen Smalley 2005-01-31 14:14 ` Stephen Smalley 2005-01-31 15:13 ` Daniel J Walsh 2005-01-31 15:27 ` Stephen Smalley 2005-01-31 18:49 ` Daniel J Walsh 2005-02-01 14:22 ` Stephen Smalley 2009-04-01 14:10 patch " Daniel J Walsh 2009-04-22 22:03 ` Chad Sellers 2009-04-23 1:50 ` Daniel J Walsh 2009-04-23 20:01 ` Chad Sellers 2009-05-18 15:29 ` Joshua Brindle