* Add restorecon and install methods for libselinux python bindings.
@ 2008-11-17 15:30 Daniel J Walsh
  2009-01-06 15:01 ` Joshua Brindle
  0 siblings, 1 reply; 9+ messages in thread
From: Daniel J Walsh @ 2008-11-17 15:30 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 524 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Luke Macken wrote restorecon and install functions used in Fedora
Infrastructure which can be used to install files with the proper
context and to fix the labels of files/directories without having to
exec restorecon.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkhjhwACgkQrlYvE4MpobPyDgCfZ3vdiX/irkv3A9ka89LvUV1s
RjQAniK+8rHaotyzEVoCM/yIg8nvAk8x
=bePO
-----END PGP SIGNATURE-----

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 18945 bytes --]

diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux.py libselinux-2.0.75/src/selinux.py
--- nsalibselinux/src/selinux.py	2008-08-28 09:34:24.000000000 -0400
+++ libselinux-2.0.75/src/selinux.py	2008-11-14 17:09:54.000000000 -0500
@@ -1,5 +1,5 @@
 # This file was automatically generated by SWIG (http://www.swig.org).
-# Version 1.3.33
+# Version 1.3.35
 #
 # Don't modify this file, modify the SWIG interface instead.
 # This file is compatible with both classic and new-style classes.
@@ -48,6 +48,29 @@
 del types
 
 
+import shutil, os
+
+def restorecon(path, recursive=False):
+    """ Restore SELinux context on a given path """
+    mode = os.stat(path)[stat.ST_MODE]
+    status, context = matchpathcon(path, mode)
+    if status == 0:
+        lsetfilecon(path, context)
+        if recursive:
+            os.path.walk(path, lambda arg, dirname, fnames:
+                             map(restorecon, [os.path.join(dirname, fname)
+                              s                for fname in fnames]), None)
+
+def copytree(src, dest):
+    """ An SELinux-friendly shutil.copytree method """
+    shutil.copytree(src, dest)
+    restorecon(dest, recursive=True)
+
+def install(src, dest):
+    """ An SELinux-friendly shutil.move method """
+    shutil.move(src, dest)
+    restorecon(dest, recursive=True)
+
 is_selinux_enabled = _selinux.is_selinux_enabled
 is_selinux_mls_enabled = _selinux.is_selinux_mls_enabled
 getcon = _selinux.getcon
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_python.i libselinux-2.0.75/src/selinuxswig_python.i
--- nsalibselinux/src/selinuxswig_python.i	2008-08-28 09:34:24.000000000 -0400
+++ libselinux-2.0.75/src/selinuxswig_python.i	2008-11-14 17:09:50.000000000 -0500
@@ -6,6 +6,32 @@
 	#include "selinux/selinux.h"
 %}
 
+%pythoncode %{
+
+import shutil, os
+
+def restorecon(path, recursive=False):
+    """ Restore SELinux context on a given path """
+    mode = os.stat(path)[stat.ST_MODE]
+    status, context = matchpathcon(path, mode)
+    if status == 0:
+        lsetfilecon(path, context)
+        if recursive:
+            os.path.walk(path, lambda arg, dirname, fnames:
+                             map(restorecon, [os.path.join(dirname, fname)
+                              s                for fname in fnames]), None)
+
+def copytree(src, dest):
+    """ An SELinux-friendly shutil.copytree method """
+    shutil.copytree(src, dest)
+    restorecon(dest, recursive=True)
+
+def install(src, dest):
+    """ An SELinux-friendly shutil.move method """
+    shutil.move(src, dest)
+    restorecon(dest, recursive=True)
+%}
+
 /* security_get_boolean_names() typemap */
 %typemap(argout) (char ***names, int *len) {
 	PyObject* list = PyList_New(*$2);
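Review bot: restorecon() drops the return value of `lsetfilecon(path, context)` and does nothing when `matchpathcon` returns a non-zero status, so a caller of copytree() or install() cannot tell that a file kept its old label. Because `if recursive:` sits inside `if status == 0:`, a top-level directory with no matching context also skips its whole subtree silently. I would raise on failure, e.g. `if lsetfilecon(path, context) != 0: raise OSError("lsetfilecon failed: %s" % path)` (assuming the binding returns a status the way matchpathcon does here), and move the walk out of the status check. The same code appears in the generated selinux.py hunk above and in the two later revisions of this hunk in the thread.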
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libselinux-2.0.75/src/selinuxswig_wrap.c
--- nsalibselinux/src/selinuxswig_wrap.c	2008-08-28 09:34:24.000000000 -0400
+++ libselinux-2.0.75/src/selinuxswig_wrap.c	2008-11-14 17:09:54.000000000 -0500
@@ -1,6 +1,6 @@
 /* ----------------------------------------------------------------------------
  * This file was automatically generated by SWIG (http://www.swig.org).
- * Version 1.3.33
+ * Version 1.3.35
  * 
  * This file is not intended to be easily readable and contains a number of 
  * coding conventions designed to improve portability and efficiency. Do not make
@@ -126,7 +126,7 @@
 
 /* This should only be incremented when either the layout of swig_type_info changes,
    or for whatever reason, the runtime changes incompatibly */
-#define SWIG_RUNTIME_VERSION "3"
+#define SWIG_RUNTIME_VERSION "4"
 
 /* define SWIG_TYPE_TABLE_NAME as "SWIG_TYPE_TABLE" */
 #ifdef SWIG_TYPE_TABLE
@@ -161,6 +161,7 @@
 
 /* Flags for pointer conversions */
 #define SWIG_POINTER_DISOWN        0x1
+#define SWIG_CAST_NEW_MEMORY       0x2
 
 /* Flags for new pointer objects */
 #define SWIG_POINTER_OWN           0x1
@@ -301,10 +302,10 @@
 extern "C" {
 #endif
 
-typedef void *(*swig_converter_func)(void *);
+typedef void *(*swig_converter_func)(void *, int *);
 typedef struct swig_type_info *(*swig_dycast_func)(void **);
 
-/* Structure to store inforomation on one type */
+/* Structure to store information on one type */
 typedef struct swig_type_info {
   const char             *name;			/* mangled name of this type */
   const char             *str;			/* human readable name of this type */
@@ -431,8 +432,8 @@
   Cast a pointer up an inheritance hierarchy
 */
 SWIGRUNTIMEINLINE void *
-SWIG_TypeCast(swig_cast_info *ty, void *ptr) {
-  return ((!ty) || (!ty->converter)) ? ptr : (*ty->converter)(ptr);
+SWIG_TypeCast(swig_cast_info *ty, void *ptr, int *newmemory) {
+  return ((!ty) || (!ty->converter)) ? ptr : (*ty->converter)(ptr, newmemory);
 }
 
 /* 
@@ -856,7 +857,7 @@
     Py_DECREF(old_str);
     Py_DECREF(value);
   } else {
-    PyErr_Format(PyExc_RuntimeError, mesg);
+    PyErr_SetString(PyExc_RuntimeError, mesg);
   }
 }
 
@@ -1416,7 +1417,7 @@
 {
   PySwigObject *sobj = (PySwigObject *) v;
   PyObject *next = sobj->next;
-  if (sobj->own) {
+  if (sobj->own == SWIG_POINTER_OWN) {
     swig_type_info *ty = sobj->ty;
     PySwigClientData *data = ty ? (PySwigClientData *) ty->clientdata : 0;
     PyObject *destroy = data ? data->destroy : 0;
@@ -1434,12 +1435,13 @@
 	res = ((*meth)(mself, v));
       }
       Py_XDECREF(res);
-    } else {
-      const char *name = SWIG_TypePrettyName(ty);
+    } 
 #if !defined(SWIG_PYTHON_SILENT_MEMLEAK)
-      printf("swig/python detected a memory leak of type '%s', no destructor found.\n", name);
-#endif
+    else {
+      const char *name = SWIG_TypePrettyName(ty);
+      printf("swig/python detected a memory leak of type '%s', no destructor found.\n", (name ? name : "unknown"));
     }
+#endif
   } 
   Py_XDECREF(next);
   PyObject_DEL(v);
@@ -1944,7 +1946,7 @@
 
 SWIGRUNTIME int
 SWIG_Python_AcquirePtr(PyObject *obj, int own) {
-  if (own) {
+  if (own == SWIG_POINTER_OWN) {
     PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
     if (sobj) {
       int oldown = sobj->own;
@@ -1965,6 +1967,8 @@
     return SWIG_OK;
   } else {
     PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
+    if (own)
+      *own = 0;
     while (sobj) {
       void *vptr = sobj->ptr;
       if (ty) {
@@ -1978,7 +1982,15 @@
 	  if (!tc) {
 	    sobj = (PySwigObject *)sobj->next;
 	  } else {
-	    if (ptr) *ptr = SWIG_TypeCast(tc,vptr);
+	    if (ptr) {
+              int newmemory = 0;
+              *ptr = SWIG_TypeCast(tc,vptr,&newmemory);
+              if (newmemory == SWIG_CAST_NEW_MEMORY) {
+                assert(own);
+                if (own)
+                  *own = *own | SWIG_CAST_NEW_MEMORY;
+              }
+            }
 	    break;
 	  }
 	}
@@ -1988,7 +2000,8 @@
       }
     }
     if (sobj) {
-      if (own) *own = sobj->own;
+      if (own)
+        *own = *own | sobj->own;
       if (flags & SWIG_POINTER_DISOWN) {
 	sobj->own = 0;
       }
@@ -2053,8 +2066,13 @@
     }
     if (ty) {
       swig_cast_info *tc = SWIG_TypeCheck(desc,ty);
-      if (!tc) return SWIG_ERROR;
-      *ptr = SWIG_TypeCast(tc,vptr);
+      if (tc) {
+        int newmemory = 0;
+        *ptr = SWIG_TypeCast(tc,vptr,&newmemory);
+        assert(!newmemory); /* newmemory handling not yet implemented */
+      } else {
+        return SWIG_ERROR;
+      }
     } else {
       *ptr = vptr;
     }
@@ -2506,7 +2524,7 @@
 
 #define SWIG_name    "_selinux"
 
-#define SWIGVERSION 0x010333 
+#define SWIGVERSION 0x010335 
 #define SWIG_VERSION SWIGVERSION
 
 
@@ -4273,7 +4291,7 @@
   struct av_decision *result = 0 ;
   
   if (!PyArg_ParseTuple(args,(char *)":new_av_decision")) SWIG_fail;
-  result = (struct av_decision *)(struct av_decision *) calloc(1, sizeof(struct av_decision));
+  result = (struct av_decision *)calloc(1, sizeof(struct av_decision));
   resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_av_decision, SWIG_POINTER_NEW |  0 );
   return resultobj;
 fail:
@@ -4305,7 +4323,7 @@
 
 SWIGINTERN PyObject *av_decision_swigregister(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
   PyObject *obj;
-  if (!PyArg_ParseTuple(args,(char*)"O|swigregister", &obj)) return NULL;
+  if (!PyArg_ParseTuple(args,(char*)"O:swigregister", &obj)) return NULL;
   SWIG_TypeNewClientData(SWIGTYPE_p_av_decision, SWIG_NewClientData(obj));
   return SWIG_Py_Void();
 }
@@ -4428,7 +4446,7 @@
   struct selinux_opt *result = 0 ;
   
   if (!PyArg_ParseTuple(args,(char *)":new_selinux_opt")) SWIG_fail;
-  result = (struct selinux_opt *)(struct selinux_opt *) calloc(1, sizeof(struct selinux_opt));
+  result = (struct selinux_opt *)calloc(1, sizeof(struct selinux_opt));
   resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_selinux_opt, SWIG_POINTER_NEW |  0 );
   return resultobj;
 fail:
@@ -4460,7 +4478,7 @@
 
 SWIGINTERN PyObject *selinux_opt_swigregister(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
   PyObject *obj;
-  if (!PyArg_ParseTuple(args,(char*)"O|swigregister", &obj)) return NULL;
+  if (!PyArg_ParseTuple(args,(char*)"O:swigregister", &obj)) return NULL;
   SWIG_TypeNewClientData(SWIGTYPE_p_selinux_opt, SWIG_NewClientData(obj));
   return SWIG_Py_Void();
 }
@@ -4626,7 +4644,7 @@
   union selinux_callback *result = 0 ;
   
   if (!PyArg_ParseTuple(args,(char *)":new_selinux_callback")) SWIG_fail;
-  result = (union selinux_callback *)(union selinux_callback *) calloc(1, sizeof(union selinux_callback));
+  result = (union selinux_callback *)calloc(1, sizeof(union selinux_callback));
   resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_selinux_callback, SWIG_POINTER_NEW |  0 );
   return resultobj;
 fail:
@@ -4658,7 +4676,7 @@
 
 SWIGINTERN PyObject *selinux_callback_swigregister(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
   PyObject *obj;
-  if (!PyArg_ParseTuple(args,(char*)"O|swigregister", &obj)) return NULL;
+  if (!PyArg_ParseTuple(args,(char*)"O:swigregister", &obj)) return NULL;
   SWIG_TypeNewClientData(SWIGTYPE_p_selinux_callback, SWIG_NewClientData(obj));
   return SWIG_Py_Void();
 }
@@ -5586,7 +5604,7 @@
   SELboolean *result = 0 ;
   
   if (!PyArg_ParseTuple(args,(char *)":new_SELboolean")) SWIG_fail;
-  result = (SELboolean *)(SELboolean *) calloc(1, sizeof(SELboolean));
+  result = (SELboolean *)calloc(1, sizeof(SELboolean));
   resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_SELboolean, SWIG_POINTER_NEW |  0 );
   return resultobj;
 fail:
@@ -5618,7 +5636,7 @@
 
 SWIGINTERN PyObject *SELboolean_swigregister(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
   PyObject *obj;
-  if (!PyArg_ParseTuple(args,(char*)"O|swigregister", &obj)) return NULL;
+  if (!PyArg_ParseTuple(args,(char*)"O:swigregister", &obj)) return NULL;
   SWIG_TypeNewClientData(SWIGTYPE_p_SELboolean, SWIG_NewClientData(obj));
   return SWIG_Py_Void();
 }
@@ -6139,7 +6157,7 @@
   struct security_class_mapping *result = 0 ;
   
   if (!PyArg_ParseTuple(args,(char *)":new_security_class_mapping")) SWIG_fail;
-  result = (struct security_class_mapping *)(struct security_class_mapping *) calloc(1, sizeof(struct security_class_mapping));
+  result = (struct security_class_mapping *)calloc(1, sizeof(struct security_class_mapping));
   resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_security_class_mapping, SWIG_POINTER_NEW |  0 );
   return resultobj;
 fail:
@@ -6171,7 +6189,7 @@
 
 SWIGINTERN PyObject *security_class_mapping_swigregister(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
   PyObject *obj;
-  if (!PyArg_ParseTuple(args,(char*)"O|swigregister", &obj)) return NULL;
+  if (!PyArg_ParseTuple(args,(char*)"O:swigregister", &obj)) return NULL;
   SWIG_TypeNewClientData(SWIGTYPE_p_security_class_mapping, SWIG_NewClientData(obj));
   return SWIG_Py_Void();
 }
@@ -7596,7 +7614,7 @@
   struct security_id *result = 0 ;
   
   if (!PyArg_ParseTuple(args,(char *)":new_security_id")) SWIG_fail;
-  result = (struct security_id *)(struct security_id *) calloc(1, sizeof(struct security_id));
+  result = (struct security_id *)calloc(1, sizeof(struct security_id));
   resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_security_id, SWIG_POINTER_NEW |  0 );
   return resultobj;
 fail:
@@ -7628,7 +7646,7 @@
 
 SWIGINTERN PyObject *security_id_swigregister(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
   PyObject *obj;
-  if (!PyArg_ParseTuple(args,(char*)"O|swigregister", &obj)) return NULL;
+  if (!PyArg_ParseTuple(args,(char*)"O:swigregister", &obj)) return NULL;
   SWIG_TypeNewClientData(SWIGTYPE_p_security_id, SWIG_NewClientData(obj));
   return SWIG_Py_Void();
 }
@@ -7915,7 +7933,7 @@
   struct avc_entry_ref *result = 0 ;
   
   if (!PyArg_ParseTuple(args,(char *)":new_avc_entry_ref")) SWIG_fail;
-  result = (struct avc_entry_ref *)(struct avc_entry_ref *) calloc(1, sizeof(struct avc_entry_ref));
+  result = (struct avc_entry_ref *)calloc(1, sizeof(struct avc_entry_ref));
   resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_avc_entry_ref, SWIG_POINTER_NEW |  0 );
   return resultobj;
 fail:
@@ -7947,7 +7965,7 @@
 
 SWIGINTERN PyObject *avc_entry_ref_swigregister(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
   PyObject *obj;
-  if (!PyArg_ParseTuple(args,(char*)"O|swigregister", &obj)) return NULL;
+  if (!PyArg_ParseTuple(args,(char*)"O:swigregister", &obj)) return NULL;
   SWIG_TypeNewClientData(SWIGTYPE_p_avc_entry_ref, SWIG_NewClientData(obj));
   return SWIG_Py_Void();
 }
@@ -8061,7 +8079,7 @@
   struct avc_memory_callback *result = 0 ;
   
   if (!PyArg_ParseTuple(args,(char *)":new_avc_memory_callback")) SWIG_fail;
-  result = (struct avc_memory_callback *)(struct avc_memory_callback *) calloc(1, sizeof(struct avc_memory_callback));
+  result = (struct avc_memory_callback *)calloc(1, sizeof(struct avc_memory_callback));
   resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_avc_memory_callback, SWIG_POINTER_NEW |  0 );
   return resultobj;
 fail:
@@ -8093,7 +8111,7 @@
 
 SWIGINTERN PyObject *avc_memory_callback_swigregister(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
   PyObject *obj;
-  if (!PyArg_ParseTuple(args,(char*)"O|swigregister", &obj)) return NULL;
+  if (!PyArg_ParseTuple(args,(char*)"O:swigregister", &obj)) return NULL;
   SWIG_TypeNewClientData(SWIGTYPE_p_avc_memory_callback, SWIG_NewClientData(obj));
   return SWIG_Py_Void();
 }
@@ -8207,7 +8225,7 @@
   struct avc_log_callback *result = 0 ;
   
   if (!PyArg_ParseTuple(args,(char *)":new_avc_log_callback")) SWIG_fail;
-  result = (struct avc_log_callback *)(struct avc_log_callback *) calloc(1, sizeof(struct avc_log_callback));
+  result = (struct avc_log_callback *)calloc(1, sizeof(struct avc_log_callback));
   resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_avc_log_callback, SWIG_POINTER_NEW |  0 );
   return resultobj;
 fail:
@@ -8239,7 +8257,7 @@
 
 SWIGINTERN PyObject *avc_log_callback_swigregister(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
   PyObject *obj;
-  if (!PyArg_ParseTuple(args,(char*)"O|swigregister", &obj)) return NULL;
+  if (!PyArg_ParseTuple(args,(char*)"O:swigregister", &obj)) return NULL;
   SWIG_TypeNewClientData(SWIGTYPE_p_avc_log_callback, SWIG_NewClientData(obj));
   return SWIG_Py_Void();
 }
@@ -8353,7 +8371,7 @@
   struct avc_thread_callback *result = 0 ;
   
   if (!PyArg_ParseTuple(args,(char *)":new_avc_thread_callback")) SWIG_fail;
-  result = (struct avc_thread_callback *)(struct avc_thread_callback *) calloc(1, sizeof(struct avc_thread_callback));
+  result = (struct avc_thread_callback *)calloc(1, sizeof(struct avc_thread_callback));
   resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_avc_thread_callback, SWIG_POINTER_NEW |  0 );
   return resultobj;
 fail:
@@ -8385,7 +8403,7 @@
 
 SWIGINTERN PyObject *avc_thread_callback_swigregister(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
   PyObject *obj;
-  if (!PyArg_ParseTuple(args,(char*)"O|swigregister", &obj)) return NULL;
+  if (!PyArg_ParseTuple(args,(char*)"O:swigregister", &obj)) return NULL;
   SWIG_TypeNewClientData(SWIGTYPE_p_avc_thread_callback, SWIG_NewClientData(obj));
   return SWIG_Py_Void();
 }
@@ -8603,7 +8621,7 @@
   struct avc_lock_callback *result = 0 ;
   
   if (!PyArg_ParseTuple(args,(char *)":new_avc_lock_callback")) SWIG_fail;
-  result = (struct avc_lock_callback *)(struct avc_lock_callback *) calloc(1, sizeof(struct avc_lock_callback));
+  result = (struct avc_lock_callback *)calloc(1, sizeof(struct avc_lock_callback));
   resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_avc_lock_callback, SWIG_POINTER_NEW |  0 );
   return resultobj;
 fail:
@@ -8635,7 +8653,7 @@
 
 SWIGINTERN PyObject *avc_lock_callback_swigregister(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
   PyObject *obj;
-  if (!PyArg_ParseTuple(args,(char*)"O|swigregister", &obj)) return NULL;
+  if (!PyArg_ParseTuple(args,(char*)"O:swigregister", &obj)) return NULL;
   SWIG_TypeNewClientData(SWIGTYPE_p_avc_lock_callback, SWIG_NewClientData(obj));
   return SWIG_Py_Void();
 }
@@ -9493,7 +9511,7 @@
   struct avc_cache_stats *result = 0 ;
   
   if (!PyArg_ParseTuple(args,(char *)":new_avc_cache_stats")) SWIG_fail;
-  result = (struct avc_cache_stats *)(struct avc_cache_stats *) calloc(1, sizeof(struct avc_cache_stats));
+  result = (struct avc_cache_stats *)calloc(1, sizeof(struct avc_cache_stats));
   resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_avc_cache_stats, SWIG_POINTER_NEW |  0 );
   return resultobj;
 fail:
@@ -9525,7 +9543,7 @@
 
 SWIGINTERN PyObject *avc_cache_stats_swigregister(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
   PyObject *obj;
-  if (!PyArg_ParseTuple(args,(char*)"O|swigregister", &obj)) return NULL;
+  if (!PyArg_ParseTuple(args,(char*)"O:swigregister", &obj)) return NULL;
   SWIG_TypeNewClientData(SWIGTYPE_p_avc_cache_stats, SWIG_NewClientData(obj));
   return SWIG_Py_Void();
 }
@@ -10513,7 +10531,7 @@
 SWIG_InitializeModule(void *clientdata) {
   size_t i;
   swig_module_info *module_head, *iter;
-  int found;
+  int found, init;
   
   clientdata = clientdata;
   
@@ -10523,6 +10541,9 @@
     swig_module.type_initial = swig_type_initial;
     swig_module.cast_initial = swig_cast_initial;
     swig_module.next = &swig_module;
+    init = 1;
+  } else {
+    init = 0;
   }
   
   /* Try and load any already created modules */
@@ -10551,6 +10572,12 @@
     module_head->next = &swig_module;
   }
   
+  /* When multiple interpeters are used, a module could have already been initialized in
+       a different interpreter, but not yet have a pointer in this interpreter.
+       In this case, we do not want to continue adding types... everything should be
+       set up already */
+  if (init == 0) return;
+  
   /* Now work on filling in swig_module.types */
 #ifdef SWIGRUNTIME_DEBUG
   printf("SWIG_InitializeModule: size %d\n", swig_module.size);

[-- Attachment #3: diff.sig --]
[-- Type: application/octet-stream, Size: 72 bytes --]


* Re: Add restorecon and install methods for libselinux python bindings.
  2008-11-17 15:30 Add restorecon and install methods for libselinux python bindings Daniel J Walsh
@ 2009-01-06 15:01 ` Joshua Brindle
  2009-01-06 15:21   ` Daniel J Walsh
  0 siblings, 1 reply; 9+ messages in thread
From: Joshua Brindle @ 2009-01-06 15:01 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Luke Macken wrote restorecon and install functions used in Fedora
> Infrastructure which can be used to install files with the proper
> context and to fix the labels of files/directories without having to
> exec restorecon.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkkhjhwACgkQrlYvE4MpobPyDgCfZ3vdiX/irkv3A9ka89LvUV1s
> RjQAniK+8rHaotyzEVoCM/yIg8nvAk8x
> =bePO
> -----END PGP SIGNATURE-----
>   

diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_python.i libselinux-2.0.75/src/selinuxswig_python.i
--- nsalibselinux/src/selinuxswig_python.i	2008-08-28 09:34:24.000000000 -0400
+++ libselinux-2.0.75/src/selinuxswig_python.i	2008-11-14 17:09:50.000000000 -0500
@@ -6,6 +6,32 @@
 	#include "selinux/selinux.h"
 %}
 
+%pythoncode %{
+
+import shutil, os
+
+def restorecon(path, recursive=False):
+    """ Restore SELinux context on a given path """
+    mode = os.stat(path)[stat.ST_MODE]

stat doesn't exist here, perhaps he meant mode?

+    status, context = matchpathcon(path, mode)
+    if status == 0:
+        lsetfilecon(path, context)
+        if recursive:
+            os.path.walk(path, lambda arg, dirname, fnames:
+                             map(restorecon, [os.path.join(dirname, fname)
+                              s                for fname in fnames]), None)

typo, the s causes a syntax error

+
+def copytree(src, dest):
+    """ An SELinux-friendly shutil.copytree method """
+    shutil.copytree(src, dest)
+    restorecon(dest, recursive=True)
+
+def install(src, dest):
+    """ An SELinux-friendly shutil.move method """
+    shutil.move(src, dest)
+    restorecon(dest, recursive=True)
+%}
+
 /* security_get_boolean_names() typemap */
 %typemap(argout) (char ***names, int *len) {
 	PyObject* list = PyList_New(*$2);

This patch doesn't appear correct, I'll fix the things above, have you been testing this at all?




* Re: Add restorecon and install methods for libselinux python bindings.
  2009-01-06 15:01 ` Joshua Brindle
@ 2009-01-06 15:21   ` Daniel J Walsh
  2009-01-06 15:31     ` Daniel J Walsh
  0 siblings, 1 reply; 9+ messages in thread
From: Daniel J Walsh @ 2009-01-06 15:21 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: SE Linux

[-- Attachment #1: Type: text/plain, Size: 2216 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joshua Brindle wrote:
> Daniel J Walsh wrote:
> Luke Macken wrote restorecon and install functions used in Fedora
> Infrastructure which can be used to install files with the proper
> context and to fix the labels of files/directories without having to
> exec restorecon.

> diff --exclude-from=exclude -N -u -r
> nsalibselinux/src/selinuxswig_python.i
> libselinux-2.0.75/src/selinuxswig_python.i
> --- nsalibselinux/src/selinuxswig_python.i    2008-08-28
> 09:34:24.000000000 -0400
> +++ libselinux-2.0.75/src/selinuxswig_python.i    2008-11-14
> 17:09:50.000000000 -0500
> @@ -6,6 +6,32 @@
>     #include "selinux/selinux.h"
> %}

> +%pythoncode %{
> +
> +import shutil, os
> +
> +def restorecon(path, recursive=False):
> +    """ Restore SELinux context on a given path """
> +    mode = os.stat(path)[stat.ST_MODE]

> stat doesn't exist here, perhaps he meant mode?

> +    status, context = matchpathcon(path, mode)
> +    if status == 0:
> +        lsetfilecon(path, context)
> +        if recursive:
> +            os.path.walk(path, lambda arg, dirname, fnames:
> +                             map(restorecon, [os.path.join(dirname, fname)
> +                              s                for fname in fnames]),
> None)

> typo, the s causes a syntax error

> +
> +def copytree(src, dest):
> +    """ An SELinux-friendly shutil.copytree method """
> +    shutil.copytree(src, dest)
> +    restorecon(dest, recursive=True)
> +
> +def install(src, dest):
> +    """ An SELinux-friendly shutil.move method """
> +    shutil.move(src, dest)
> +    restorecon(dest, recursive=True)
> +%}
> +
> /* security_get_boolean_names() typemap */
> %typemap(argout) (char ***names, int *len) {
>     PyObject* list = PyList_New(*$2);

> This patch doesn't appear correct, I'll fix the things above, have you
> been testing this at all?

Must have sent you a bad patch.


This is what the current patch looks like.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkljdt8ACgkQrlYvE4MpobMzpQCg5USqSeTJzdPipICo1MVwKn/c
sz0An2fm7yc8T1my5y3Zi4kzIQP2OStQ
=oQ4y
-----END PGP SIGNATURE-----

[-- Attachment #2: libselinux-rhat.patch --]
[-- Type: text/plain, Size: 1285 bytes --]

diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_python.i libselinux-2.0.76/src/selinuxswig_python.i
--- nsalibselinux/src/selinuxswig_python.i	2008-08-28 09:34:24.000000000 -0400
+++ libselinux-2.0.76/src/selinuxswig_python.i	2008-12-02 09:14:48.000000000 -0500
@@ -6,6 +6,32 @@
 	#include "selinux/selinux.h"
 %}
 
+%pythoncode %{
+
+import shutil, os, stat
+
+def restorecon(path, recursive=False):
+    """ Restore SELinux context on a given path """
+    mode = os.stat(path)[stat.ST_MODE]
+    status, context = matchpathcon(path, mode)
+    if status == 0:
+        lsetfilecon(path, context)
+        if recursive:
+            os.path.walk(path, lambda arg, dirname, fnames:
+                             map(restorecon, [os.path.join(dirname, fname)
+                                              for fname in fnames]), None)
+
+def copytree(src, dest):
+    """ An SELinux-friendly shutil.copytree method """
+    shutil.copytree(src, dest)
+    restorecon(dest, recursive=True)
+
+def install(src, dest):
+    """ An SELinux-friendly shutil.move method """
+    shutil.move(src, dest)
+    restorecon(dest, recursive=True)
+%}
+
 /* security_get_boolean_names() typemap */
 %typemap(argout) (char ***names, int *len) {
 	PyObject* list = PyList_New(*$2);
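Review bot: The docstrings on copytree() and install() do not say that relabeling starts only after `shutil.copytree` or `shutil.move` has returned, so the tree is already visible at `dest` under the labels it arrived with until the walk reaches each entry. A move within one filesystem keeps the source labels, which is presumably why the restorecon call is there at all. I would state the ordering in the docstring, e.g. `""" Move src to dest with shutil.move, then relabel dest recursively; dest keeps its previous labels until the relabel finishes """`, so callers placing files where a confined service reads them know the labels are not atomic with the move. The later revision of this hunk in the thread carries the same docstrings.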

[-- Attachment #3: libselinux-rhat.patch.sig --]
[-- Type: application/octet-stream, Size: 72 bytes --]


* Re: Add restorecon and install methods for libselinux python bindings.
  2009-01-06 15:21   ` Daniel J Walsh
@ 2009-01-06 15:31     ` Daniel J Walsh
  2009-01-06 18:28       ` Joshua Brindle
  2009-01-12 20:56       ` Joshua Brindle
  0 siblings, 2 replies; 9+ messages in thread
From: Daniel J Walsh @ 2009-01-06 15:31 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: SE Linux

[-- Attachment #1: Type: text/plain, Size: 2448 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel J Walsh wrote:
> Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>> Luke Macken wrote restorecon and install functions used in Fedora
>> Infrastructure which can be used to install files with the proper
>> context and to fix the labels of files/directories without having to
>> exec restorecon.
> 
>> diff --exclude-from=exclude -N -u -r
>> nsalibselinux/src/selinuxswig_python.i
>> libselinux-2.0.75/src/selinuxswig_python.i
>> --- nsalibselinux/src/selinuxswig_python.i    2008-08-28
>> 09:34:24.000000000 -0400
>> +++ libselinux-2.0.75/src/selinuxswig_python.i    2008-11-14
>> 17:09:50.000000000 -0500
>> @@ -6,6 +6,32 @@
>>     #include "selinux/selinux.h"
>> %}
> 
>> +%pythoncode %{
>> +
>> +import shutil, os
>> +
>> +def restorecon(path, recursive=False):
>> +    """ Restore SELinux context on a given path """
>> +    mode = os.stat(path)[stat.ST_MODE]
> 
>> stat doesn't exist here, perhaps he meant mode?
> 
>> +    status, context = matchpathcon(path, mode)
>> +    if status == 0:
>> +        lsetfilecon(path, context)
>> +        if recursive:
>> +            os.path.walk(path, lambda arg, dirname, fnames:
>> +                             map(restorecon, [os.path.join(dirname, fname)
>> +                              s                for fname in fnames]),
>> None)
> 
>> typo, the s causes a syntax error
> 
>> +
>> +def copytree(src, dest):
>> +    """ An SELinux-friendly shutil.copytree method """
>> +    shutil.copytree(src, dest)
>> +    restorecon(dest, recursive=True)
>> +
>> +def install(src, dest):
>> +    """ An SELinux-friendly shutil.move method """
>> +    shutil.move(src, dest)
>> +    restorecon(dest, recursive=True)
>> +%}
>> +
>> /* security_get_boolean_names() typemap */
>> %typemap(argout) (char ***names, int *len) {
>>     PyObject* list = PyList_New(*$2);
> 
>> This patch doesn't appear correct, I'll fix the things above, have you
>> been testing this at all?
> 
> Must have sent you a bad patch.
> 
> 
> This is what the current patch looks like.
> 
And this is still broken.

One more fix.

+    mode = os.stat(path)[stat.ST_MODE]
should be
+    mode = os.lstat(path)[stat.ST_MODE]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkljeTgACgkQrlYvE4MpobP3sACgnyo4HIvhaQ3TWmfph94ElSvF
84gAoLi4v7/UaWmpvTO5oIdvHj/tsb0H
=D91y
-----END PGP SIGNATURE-----

[-- Attachment #2: libselinux-rhat.patch --]
[-- Type: text/plain, Size: 1286 bytes --]

diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_python.i libselinux-2.0.76/src/selinuxswig_python.i
--- nsalibselinux/src/selinuxswig_python.i	2008-08-28 09:34:24.000000000 -0400
+++ libselinux-2.0.76/src/selinuxswig_python.i	2008-12-02 09:14:48.000000000 -0500
@@ -6,6 +6,32 @@
 	#include "selinux/selinux.h"
 %}
 
+%pythoncode %{
+
+import shutil, os, stat
+
+def restorecon(path, recursive=False):
+    """ Restore SELinux context on a given path """
+    mode = os.lstat(path)[stat.ST_MODE]
+    status, context = matchpathcon(path, mode)
+    if status == 0:
+        lsetfilecon(path, context)
+        if recursive:
+            os.path.walk(path, lambda arg, dirname, fnames:
+                             map(restorecon, [os.path.join(dirname, fname)
+                                              for fname in fnames]), None)
+
+def copytree(src, dest):
+    """ An SELinux-friendly shutil.copytree method """
+    shutil.copytree(src, dest)
+    restorecon(dest, recursive=True)
+
+def install(src, dest):
+    """ An SELinux-friendly shutil.move method """
+    shutil.move(src, dest)
+    restorecon(dest, recursive=True)
+%}
+
 /* security_get_boolean_names() typemap */
 %typemap(argout) (char ***names, int *len) {
 	PyObject* list = PyList_New(*$2);

[-- Attachment #3: libselinux-rhat.patch.sig --]
[-- Type: application/octet-stream, Size: 72 bytes --]


* Re: Add restorecon and install methods for libselinux python bindings.
  2009-01-06 15:31     ` Daniel J Walsh
@ 2009-01-06 18:28       ` Joshua Brindle
  2009-01-06 19:31         ` Daniel J Walsh
  2009-01-12 20:56       ` Joshua Brindle
  1 sibling, 1 reply; 9+ messages in thread
From: Joshua Brindle @ 2009-01-06 18:28 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Daniel J Walsh wrote:
>   
>> Joshua Brindle wrote:
>>     
>>> Daniel J Walsh wrote:
>>> Luke Macken wrote restorecon and install functions used in Fedora
>>> Infrastructure which can be used to install files with the proper
>>> context and to fix the labels of files/directories without having to
>>> exec restorecon.
>>>       
>>> diff --exclude-from=exclude -N -u -r
>>> nsalibselinux/src/selinuxswig_python.i
>>> libselinux-2.0.75/src/selinuxswig_python.i
>>> --- nsalibselinux/src/selinuxswig_python.i    2008-08-28
>>> 09:34:24.000000000 -0400
>>> +++ libselinux-2.0.75/src/selinuxswig_python.i    2008-11-14
>>> 17:09:50.000000000 -0500
>>> @@ -6,6 +6,32 @@
>>>     #include "selinux/selinux.h"
>>> %}
>>>       
>>> +%pythoncode %{
>>> +
>>> +import shutil, os
>>> +
>>> +def restorecon(path, recursive=False):
>>> +    """ Restore SELinux context on a given path """
>>> +    mode = os.stat(path)[stat.ST_MODE]
>>>       
>>> stat doesn't exist here, perhaps he meant mode?
>>>       
>>> +    status, context = matchpathcon(path, mode)
>>> +    if status == 0:
>>> +        lsetfilecon(path, context)
>>> +        if recursive:
>>> +            os.path.walk(path, lambda arg, dirname, fnames:
>>> +                             map(restorecon, [os.path.join(dirname, fname)
>>> +                              s                for fname in fnames]),
>>> None)
>>>       
>>> typo, the s causes a syntax error
>>>       
>>> +
>>> +def copytree(src, dest):
>>> +    """ An SELinux-friendly shutil.copytree method """
>>> +    shutil.copytree(src, dest)
>>> +    restorecon(dest, recursive=True)
>>> +
>>> +def install(src, dest):
>>> +    """ An SELinux-friendly shutil.move method """
>>> +    shutil.move(src, dest)
>>> +    restorecon(dest, recursive=True)
>>> +%}
>>> +
>>> /* security_get_boolean_names() typemap */
>>> %typemap(argout) (char ***names, int *len) {
>>>     PyObject* list = PyList_New(*$2);
>>>       
>>> This patch doesn't appear correct, I'll fix the things above, have you
>>> been testing this at all?
>>>       
>> Must have sent you a bad patch.
>>
>>
>> This is what the current patch looks like.
>>
>>     
> And this is still broken.
>
> One more fix.
>
> +    mode = os.stat(path)[stat.ST_MODE]
> should be
> +    mode = os.lstat(path)[stat.ST_MODE]

Ok, this works but isn't ideal, for example if I try
selinux.restorecon("/") as a non-root user there is no error, no
exception thrown, no indication that it failed. There is an exception
thrown if the path doesn't exist which is good.



* Re: Add restorecon and install methods for libselinux python bindings.
  2009-01-06 18:28       ` Joshua Brindle
@ 2009-01-06 19:31         ` Daniel J Walsh
  2009-01-12 17:06           ` Joshua Brindle
  0 siblings, 1 reply; 9+ messages in thread
From: Daniel J Walsh @ 2009-01-06 19:31 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: SE Linux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Daniel J Walsh wrote:
>>  
>>> Joshua Brindle wrote:
>>>    
>>>> Daniel J Walsh wrote:
>>>> Luke Macken wrote restorecon and install functions used in Fedora
>>>> Infrastructure which can be used to install files with the proper
>>>> context and to fix the labels of files/directories without having to
>>>> exec restorecon.
>>>>       diff --exclude-from=exclude -N -u -r
>>>> nsalibselinux/src/selinuxswig_python.i
>>>> libselinux-2.0.75/src/selinuxswig_python.i
>>>> --- nsalibselinux/src/selinuxswig_python.i    2008-08-28
>>>> 09:34:24.000000000 -0400
>>>> +++ libselinux-2.0.75/src/selinuxswig_python.i    2008-11-14
>>>> 17:09:50.000000000 -0500
>>>> @@ -6,6 +6,32 @@
>>>>     #include "selinux/selinux.h"
>>>> %}
>>>>       +%pythoncode %{
>>>> +
>>>> +import shutil, os
>>>> +
>>>> +def restorecon(path, recursive=False):
>>>> +    """ Restore SELinux context on a given path """
>>>> +    mode = os.stat(path)[stat.ST_MODE]
>>>>       stat doesn't exist here, perhaps he meant mode?
>>>>       +    status, context = matchpathcon(path, mode)
>>>> +    if status == 0:
>>>> +        lsetfilecon(path, context)
>>>> +        if recursive:
>>>> +            os.path.walk(path, lambda arg, dirname, fnames:
>>>> +                             map(restorecon, [os.path.join(dirname,
>>>> fname)
>>>> +                              s                for fname in fnames]),
>>>> None)
>>>>       typo, the s causes a syntax error
>>>>       +
>>>> +def copytree(src, dest):
>>>> +    """ An SELinux-friendly shutil.copytree method """
>>>> +    shutil.copytree(src, dest)
>>>> +    restorecon(dest, recursive=True)
>>>> +
>>>> +def install(src, dest):
>>>> +    """ An SELinux-friendly shutil.move method """
>>>> +    shutil.move(src, dest)
>>>> +    restorecon(dest, recursive=True)
>>>> +%}
>>>> +
>>>> /* security_get_boolean_names() typemap */
>>>> %typemap(argout) (char ***names, int *len) {
>>>>     PyObject* list = PyList_New(*$2);
>>>>       This patch doesn't appear correct, I'll fix the things above,
>>>> have you
>>>> been testing this at all?
>>>>       
>>> Must have sent you a bad patch.
>>>
>>>
>>> This is what the current patch looks like.
>>>
>>>     
>> And this is still broken.
>>
>> One more fix.
>>
>> +    mode = os.stat(path)[stat.ST_MODE]
>> should be
>> +    mode = os.lstat(path)[stat.ST_MODE]
> 
> Ok, this works but isn't ideal, for example if I try
> selinux.restorecon("/") as a non-root user there is no error, no
> exception throw, no indication that it failed. There is an exception
> thrown if the path doesn't exist which is good.
> 
That is a more fundamental problem in that selinux.lsetfilecon should be
raising the exception.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkljsZsACgkQrlYvE4MpobNcagCeI61AtrtseaQMlg+286l+mCgx
N70AnjaLY5gwav7uJeoIvoW0W2XYbAjz
=OWP9
-----END PGP SIGNATURE-----


* Re: Add restorecon and install methods for libselinux python bindings.
  2009-01-06 19:31         ` Daniel J Walsh
@ 2009-01-12 17:06           ` Joshua Brindle
  2009-01-12 19:20             ` Daniel J Walsh
  0 siblings, 1 reply; 9+ messages in thread
From: Joshua Brindle @ 2009-01-12 17:06 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Daniel J Walsh wrote:
>>>  
>>>> Joshua Brindle wrote:
>>>>    
>>>>> Daniel J Walsh wrote:
>>>>> Luke Macken wrote restorecon and install functions used in Fedora
>>>>> Infrastructure which can be used to install files with the proper
>>>>> context and to fix the labels of files/directories without having to
>>>>> exec restorecon.
>>>>>       diff --exclude-from=exclude -N -u -r
>>>>> nsalibselinux/src/selinuxswig_python.i
>>>>> libselinux-2.0.75/src/selinuxswig_python.i
>>>>> --- nsalibselinux/src/selinuxswig_python.i    2008-08-28
>>>>> 09:34:24.000000000 -0400
>>>>> +++ libselinux-2.0.75/src/selinuxswig_python.i    2008-11-14
>>>>> 17:09:50.000000000 -0500
>>>>> @@ -6,6 +6,32 @@
>>>>>     #include "selinux/selinux.h"
>>>>> %}
>>>>>       +%pythoncode %{
>>>>> +
>>>>> +import shutil, os
>>>>> +
>>>>> +def restorecon(path, recursive=False):
>>>>> +    """ Restore SELinux context on a given path """
>>>>> +    mode = os.stat(path)[stat.ST_MODE]
>>>>>       stat doesn't exist here, perhaps he meant mode?
>>>>>       +    status, context = matchpathcon(path, mode)
>>>>> +    if status == 0:
>>>>> +        lsetfilecon(path, context)
>>>>> +        if recursive:
>>>>> +            os.path.walk(path, lambda arg, dirname, fnames:
>>>>> +                             map(restorecon, [os.path.join(dirname,
>>>>> fname)
>>>>> +                              s                for fname in fnames]),
>>>>> None)
>>>>>       typo, the s causes a syntax error
>>>>>       +
>>>>> +def copytree(src, dest):
>>>>> +    """ An SELinux-friendly shutil.copytree method """
>>>>> +    shutil.copytree(src, dest)
>>>>> +    restorecon(dest, recursive=True)
>>>>> +
>>>>> +def install(src, dest):
>>>>> +    """ An SELinux-friendly shutil.move method """
>>>>> +    shutil.move(src, dest)
>>>>> +    restorecon(dest, recursive=True)
>>>>> +%}
>>>>> +
>>>>> /* security_get_boolean_names() typemap */
>>>>> %typemap(argout) (char ***names, int *len) {
>>>>>     PyObject* list = PyList_New(*$2);
>>>>>       This patch doesn't appear correct, I'll fix the things above,
>>>>> have you
>>>>> been testing this at all?
>>>>>       
>>>> Must have sent you a bad patch.
>>>>
>>>>
>>>> This is what the current patch looks like.
>>>>
>>>>     
>>> And this is still broken.
>>>
>>> One more fix.
>>>
>>> +    mode = os.stat(path)[stat.ST_MODE]
>>> should be
>>> +    mode = os.lstat(path)[stat.ST_MODE]
>> Ok, this works but isn't ideal, for example if I try
>> selinux.restorecon("/") as a non-root user there is no error, no
>> exception throw, no indication that it failed. There is an exception
>> thrown if the path doesn't exist which is good.
>>
> That is a more fundamental problem in that selinux.lsetfilecon should be
> raising the exception.

Ok, hopefully we can get someone to look at the wrappers and make sure 
they throw exceptions properly.

Back to this patch, it does restorecon after copying or moving files, 
which isn't ideal. I think it should be rewritten to set contexts and 
copy/move atomically.


* Re: Add restorecon and install methods for libselinux python bindings.
  2009-01-12 17:06           ` Joshua Brindle
@ 2009-01-12 19:20             ` Daniel J Walsh
  0 siblings, 0 replies; 9+ messages in thread
From: Daniel J Walsh @ 2009-01-12 19:20 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: SE Linux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Joshua Brindle wrote:
>>> Daniel J Walsh wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Daniel J Walsh wrote:
>>>>  
>>>>> Joshua Brindle wrote:
>>>>>   
>>>>>> Daniel J Walsh wrote:
>>>>>> Luke Macken wrote restorecon and install functions used in Fedora
>>>>>> Infrastructure which can be used to install files with the proper
>>>>>> context and to fix the labels of files/directories without having to
>>>>>> exec restorecon.
>>>>>>       diff --exclude-from=exclude -N -u -r
>>>>>> nsalibselinux/src/selinuxswig_python.i
>>>>>> libselinux-2.0.75/src/selinuxswig_python.i
>>>>>> --- nsalibselinux/src/selinuxswig_python.i    2008-08-28
>>>>>> 09:34:24.000000000 -0400
>>>>>> +++ libselinux-2.0.75/src/selinuxswig_python.i    2008-11-14
>>>>>> 17:09:50.000000000 -0500
>>>>>> @@ -6,6 +6,32 @@
>>>>>>     #include "selinux/selinux.h"
>>>>>> %}
>>>>>>       +%pythoncode %{
>>>>>> +
>>>>>> +import shutil, os
>>>>>> +
>>>>>> +def restorecon(path, recursive=False):
>>>>>> +    """ Restore SELinux context on a given path """
>>>>>> +    mode = os.stat(path)[stat.ST_MODE]
>>>>>>       stat doesn't exist here, perhaps he meant mode?
>>>>>>       +    status, context = matchpathcon(path, mode)
>>>>>> +    if status == 0:
>>>>>> +        lsetfilecon(path, context)
>>>>>> +        if recursive:
>>>>>> +            os.path.walk(path, lambda arg, dirname, fnames:
>>>>>> +                             map(restorecon, [os.path.join(dirname,
>>>>>> fname)
>>>>>> +                              s                for fname in
>>>>>> fnames]),
>>>>>> None)
>>>>>>       typo, the s causes a syntax error
>>>>>>       +
>>>>>> +def copytree(src, dest):
>>>>>> +    """ An SELinux-friendly shutil.copytree method """
>>>>>> +    shutil.copytree(src, dest)
>>>>>> +    restorecon(dest, recursive=True)
>>>>>> +
>>>>>> +def install(src, dest):
>>>>>> +    """ An SELinux-friendly shutil.move method """
>>>>>> +    shutil.move(src, dest)
>>>>>> +    restorecon(dest, recursive=True)
>>>>>> +%}
>>>>>> +
>>>>>> /* security_get_boolean_names() typemap */
>>>>>> %typemap(argout) (char ***names, int *len) {
>>>>>>     PyObject* list = PyList_New(*$2);
>>>>>>       This patch doesn't appear correct, I'll fix the things above,
>>>>>> have you
>>>>>> been testing this at all?
>>>>>>       
>>>>> Must have sent you a bad patch.
>>>>>
>>>>>
>>>>> This is what the current patch looks like.
>>>>>
>>>>>     
>>>> And this is still broken.
>>>>
>>>> One more fix.
>>>>
>>>> +    mode = os.stat(path)[stat.ST_MODE]
>>>> should be
>>>> +    mode = os.lstat(path)[stat.ST_MODE]
>>> Ok, this works but isn't ideal, for example if I try
>>> selinux.restorecon("/") as a non-root user there is no error, no
>>> exception throw, no indication that it failed. There is an exception
>>> thrown if the path doesn't exist which is good.
>>>
>> That is a more fundamental problem in that selinux.lsetfilecon should be
>> raising the exception.
> 
> Ok, hopefully we can get someone to look at the wrappers and make sure
> they throw exceptions properly.
> 
> Back to this patch, it does restorecon after copying or moving files,
> which isn't ideal. I think it should be rewritten to set contexts and
> copy/move atomically.
Well since this is using shutil.copy and shutil.move it is not likely
that this is going to be upstreamable to them.  Especially when what
happens on a move and copy is not well understood.  In order to do the
right thing, we would need to reimplement this code within the selinux
python module or make selinux a requirement of shutil.  Either way we
end up with a recursive import which would be a problem.

So eliminate everything but restorecon.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklrl+YACgkQrlYvE4MpobNPTgCg109mB4oXBoASzhJQhGf3qwf4
9DsAoJ1MEWWACLyci7iK9VeVn2m9xDae
=2t4M
-----END PGP SIGNATURE-----


* Re: Add restorecon and install methods for libselinux python bindings.
  2009-01-06 15:31     ` Daniel J Walsh
  2009-01-06 18:28       ` Joshua Brindle
@ 2009-01-12 20:56       ` Joshua Brindle
  1 sibling, 0 replies; 9+ messages in thread
From: Joshua Brindle @ 2009-01-12 20:56 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Daniel J Walsh wrote:
>> Joshua Brindle wrote:
>>> Daniel J Walsh wrote:
>>> Luke Macken wrote restorecon and install functions used in Fedora
>>> Infrastructure which can be used to install files with the proper
>>> context and to fix the labels of files/directories without having to
>>> exec restorecon.
>>> diff --exclude-from=exclude -N -u -r
>>> nsalibselinux/src/selinuxswig_python.i
>>> libselinux-2.0.75/src/selinuxswig_python.i
>>> --- nsalibselinux/src/selinuxswig_python.i    2008-08-28
>>> 09:34:24.000000000 -0400
>>> +++ libselinux-2.0.75/src/selinuxswig_python.i    2008-11-14
>>> 17:09:50.000000000 -0500
>>> @@ -6,6 +6,32 @@
>>>     #include "selinux/selinux.h"
>>> %}
>>> +%pythoncode %{
>>> +
>>> +import shutil, os
>>> +
>>> +def restorecon(path, recursive=False):
>>> +    """ Restore SELinux context on a given path """
>>> +    mode = os.stat(path)[stat.ST_MODE]
>>> stat doesn't exist here, perhaps he meant mode?
>>> +    status, context = matchpathcon(path, mode)
>>> +    if status == 0:
>>> +        lsetfilecon(path, context)
>>> +        if recursive:
>>> +            os.path.walk(path, lambda arg, dirname, fnames:
>>> +                             map(restorecon, [os.path.join(dirname, fname)
>>> +                              s                for fname in fnames]),
>>> None)
>>> typo, the s causes a syntax error
>>> +
>>> +def copytree(src, dest):
>>> +    """ An SELinux-friendly shutil.copytree method """
>>> +    shutil.copytree(src, dest)
>>> +    restorecon(dest, recursive=True)
>>> +
>>> +def install(src, dest):
>>> +    """ An SELinux-friendly shutil.move method """
>>> +    shutil.move(src, dest)
>>> +    restorecon(dest, recursive=True)
>>> +%}
>>> +
>>> /* security_get_boolean_names() typemap */
>>> %typemap(argout) (char ***names, int *len) {
>>>     PyObject* list = PyList_New(*$2);
>>> This patch doesn't appear correct, I'll fix the things above, have you
>>> been testing this at all?
>> Must have sent you a bad patch.
>>
>>
>> This is what the current patch looks like.
>>
> And this is still broken.
> 
> One more fix.
> 
> +    mode = os.stat(path)[stat.ST_MODE]
> should be
> +    mode = os.lstat(path)[stat.ST_MODE]

merged in libselinux 2.0.77 without copytree and install.
