* patch to policycoreutils
@ 2009-04-01 14:10 Daniel J Walsh
  2009-04-22 22:03 ` Chad Sellers
  0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2009-04-01 14:10 UTC (permalink / raw)
  To: SE Linux


Multiple patches to policycoreutils.

First added /root/.ssh and /root/.ssh/* to allow people to place keys
in /root directory and have them labeled by restorecond

Fix transaction handling in semanage so you can update multiple records
simultaneously.

Clean up permissive domains creation in semanage so it does not leave 
crap in /var/lib/selinux



diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.62/restorecond/restorecond.conf
--- nsapolicycoreutils/restorecond/restorecond.conf	2009-02-18 16:44:47.000000000 -0500
+++ policycoreutils-2.0.62/restorecond/restorecond.conf	2009-02-23 11:32:21.000000000 -0500
@@ -5,3 +5,7 @@
 /var/run/utmp
 /var/log/wtmp
 ~/*
+/root/.ssh
+/root/.ssh/*
+
+
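Review bot: the two trailing `+` lines add empty entries to restorecond.conf; drop them so the file ends at `/root/.ssh/*`. The two real entries are the substance of the change: with /root/.ssh watched, a key file written there (for example by an admin copying authorized_keys into place) gets the label file_contexts prescribes as soon as it appears, instead of keeping whatever label it inherited at creation, which is the case the cover text describes.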
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.62/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles	2009-02-18 16:44:47.000000000 -0500
+++ policycoreutils-2.0.62/scripts/fixfiles	2009-02-19 10:07:49.000000000 -0500
@@ -122,7 +122,7 @@
 fi
 if [ ! -z "$RPMFILES" ]; then
     for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
-	rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -i -f - 2>&1 >> $LOGFILE
+	rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -R -i -f - 2>&1 >> $LOGFILE
     done
     exit $?
 fi
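Review bot: the added -R is not mentioned in the cover text and it changes what this branch does for every package-owned directory, so the description should say why recursion is wanted here. While here: `2>&1 >> $LOGFILE` duplicates stderr onto the original stdout before stdout is pointed at the log, so restorecon's error messages still reach the terminal rather than the log; `>> $LOGFILE 2>&1` is the order that captures both. `$*` is also unquoted, so an argument containing whitespace is split; `"$@"` preserves it.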
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.62/semanage/semanage
--- nsapolicycoreutils/semanage/semanage	2009-02-18 16:44:47.000000000 -0500
+++ policycoreutils-2.0.62/semanage/semanage	2009-03-12 09:22:45.000000000 -0400
@@ -464,10 +464,10 @@
                       else:
                              fd = open(input, 'r')
                       trans = seobject.semanageRecords(store)
-                      trans.begin()
+                      trans.start()
                       for l in fd.readlines():
                              process_args(mkargv(l))
-                      trans.commit()
+                      trans.finish()
                else:
                       process_args(sys.argv[1:])
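Review bot: if process_args() raises on any line of the input file, trans.finish() is never reached, so the records applied so far sit in an open libsemanage transaction with self.transaction still True, and fd is never closed. Wrap the loop in try/finally that closes fd and decides explicitly whether a failed line abandons the batch or is skipped, rather than leaving the transaction state to whatever the interpreter does at exit. Minor: `for l in fd:` reads the file line by line without the readlines() copy.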
 			
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.62/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py	2008-11-14 17:10:15.000000000 -0500
+++ policycoreutils-2.0.62/semanage/seobject.py	2009-03-31 08:54:25.000000000 -0400
@@ -281,15 +281,20 @@
                global handle
                       
                if handle != None:
-                      self.transaction = True
                       self.sh = handle
                else:
                       self.sh=get_handle(store)
-                      self.transaction = False
+               self.transaction = False
 
         def deleteall(self):
                raise ValueError(_("Not yet implemented"))
 
+        def start(self):
+               if self.transaction:
+                      raise ValueError(_("Semanage transaction already in progress"))
+               self.begin()
+               self.transaction = True
+
         def begin(self):
                if self.transaction:
                       return
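Review bot: every record object created while the global handle exists now starts with self.transaction = False rather than True, so the early return at the top of begin() no longer short-circuits the per-record begin()/commit() calls that process_args makes while a batch opened with start() is in progress. Unless commit() is guarded by something other than this flag, each record will commit the shared handle's transaction on its own and the batching this patch sets out to fix is lost; worth confirming against the semanage batch path before merging. The order inside start() is right: begin() must run before the flag is set, or its own guard would skip it.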
@@ -303,6 +308,12 @@
                if rc < 0:
                       raise ValueError(_("Could not commit semanage transaction"))
 
+        def finish(self):
+               if not self.transaction:
+                      raise ValueError(_("Semanage transaction not in progress"))
+               self.transaction = False
+               self.commit()
+
 class permissiveRecords(semanageRecords):
 	def __init__(self, store):
                semanageRecords.__init__(self, store)
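Review bot: finish() clears self.transaction before calling commit(), which it has to do to get past the guard seen in begin(), but it means that if commit() raises (the "Could not commit semanage transaction" path just above) the object reports no transaction in progress while libsemanage still has one open, and a retry of finish() fails with "not in progress". Consider restoring the flag in an except clause, and adding an abort counterpart so a caller can discard a half-applied batch instead of committing it.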
@@ -328,6 +339,7 @@
 
 
 	def add(self, type):
+               import glob
                name = "permissive_%s" % type
                dirname = "/var/lib/selinux"
                os.chdir(dirname)
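Review bot: `import glob` belongs with the module-level imports at the top of seobject.py rather than inside add(); a per-call import hides the dependency and is re-executed on every call. Also visible in this context: os.chdir(dirname) changes the working directory of the whole process, and the relative "tmp" and "permissive_*" names later in add() depend on it, so any caller that relies on its cwd afterwards is affected; building absolute paths with os.path.join(dirname, ...) avoids the chdir entirely.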
@@ -351,16 +363,19 @@
                fd.close()
 
                rc = semanage_module_install(self.sh, data, len(data));
-               if rc < 0:
-			raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name)
-
-               self.commit()
+               if rc >= 0:
+                      self.commit()
 
                for root, dirs, files in os.walk("tmp", topdown=False):
                       for name in files:
                              os.remove(os.path.join(root, name))
                       for name in dirs:
                              os.rmdir(os.path.join(root, name))
+               os.removedirs("tmp")
+               for i in glob.glob("permissive_%s.*" % type):
+                      os.remove(i)
+               if rc < 0:
+			raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name)
 
 	def delete(self, name):
                for n in name.split():
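Review bot: moving the raise below the os.walk() loop introduces a bug: `for name in files:` and `for name in dirs:` rebind `name`, so the "Could not set permissive domain %s" message now reports the last file or directory removed from tmp instead of the module name; rename the loop variables or keep the module name in a separate variable. Two smaller points: the walk already empties tmp, so os.rmdir("tmp") is sufficient, and os.removedirs("tmp") additionally tries to remove /var/lib/selinux itself, stopping only because that directory is not empty; and the cleanup still does not run if fd.close() or semanage_module_install() raises, so a try/finally around the build-and-install sequence would make the "no leftovers" goal hold on every path.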


* Re: patch to policycoreutils
  2009-04-01 14:10 patch to policycoreutils Daniel J Walsh
@ 2009-04-22 22:03 ` Chad Sellers
  2009-04-23  1:50   ` Daniel J Walsh
  0 siblings, 1 reply; 14+ messages in thread
From: Chad Sellers @ 2009-04-22 22:03 UTC (permalink / raw)
  To: Daniel J Walsh, SE Linux

On 4/1/09 10:10 AM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:

> Multiple patches to policycoreutils.
> 
> First added /root/.ssh and /root/.ssh/* to allow people to place keys
> in /root directory and have them labeled by restorecond
> 
> Fix transaction handling in semanage so you can update multiple records
> simultaneously.
> 
> Clean up permissive domains creation in semanage so it does not leave
> crap in /var/lib/selinux
> 
> diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui
> --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf
> policycoreutils-2.0.62/restorecond/restorecond.conf
> --- nsapolicycoreutils/restorecond/restorecond.conf    2009-02-18
> 16:44:47.000000000 -0500
> +++ policycoreutils-2.0.62/restorecond/restorecond.conf    2009-02-23
> 11:32:21.000000000 -0500
> @@ -5,3 +5,7 @@
>  /var/run/utmp
>  /var/log/wtmp
>  ~/*
> +/root/.ssh
> +/root/.ssh/*
> +
> +
> diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui
> --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles
> policycoreutils-2.0.62/scripts/fixfiles
> --- nsapolicycoreutils/scripts/fixfiles    2009-02-18 16:44:47.000000000 -0500
> +++ policycoreutils-2.0.62/scripts/fixfiles    2009-02-19 10:07:49.000000000
> -0500
> @@ -122,7 +122,7 @@
>  fi
>  if [ ! -z "$RPMFILES" ]; then
>      for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
> -    rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -i -f - 2>&1 >>
> $LOGFILE
> +    rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -R -i -f - 2>&1 >>
> $LOGFILE
>      done
>      exit $?
>  fi
Not sure I understand this one, and it didn't seem to be mentioned in your
comment. You're changing fixfiles to relabel recursively when it's fixing
files from an rpm? Wouldn't an rpm already list all the files it owned?

<snip due to previously ack'd patch>
> @@ -303,6 +308,12 @@
>                 if rc < 0:
>                        raise ValueError(_("Could not commit semanage
> transaction"))
>  
> +        def finish(self):
> +               if not self.transaction:
> +                      raise ValueError(_("Semanage transaction not in
> progress"))
> +               self.transaction = False
> +               self.commit()
> +
>  class permissiveRecords(semanageRecords):
>      def __init__(self, store):
>                 semanageRecords.__init__(self, store)
> @@ -328,6 +339,7 @@
>  
>  
>      def add(self, type):
> +               import glob
>                 name = "permissive_%s" % type
>                 dirname = "/var/lib/selinux"
>                 os.chdir(dirname)
> @@ -351,16 +363,19 @@
>                 fd.close()
>  
>                 rc = semanage_module_install(self.sh, data, len(data));
> -               if rc < 0:
> -            raise ValueError(_("Could not set permissive domain %s (module
> installation failed)") % name)
> -
> -               self.commit()
> +               if rc >= 0:
> +                      self.commit()
>  
>                 for root, dirs, files in os.walk("tmp", topdown=False):
>                        for name in files:
>                               os.remove(os.path.join(root, name))
>                        for name in dirs:
>                               os.rmdir(os.path.join(root, name))
> +               os.removedirs("tmp")
> +               for i in glob.glob("permissive_%s.*" % type):
> +                      os.remove(i)
> +               if rc < 0:
> +            raise ValueError(_("Could not set permissive domain %s (module
> installation failed)") % name)
>  
>      def delete(self, name):
>                 for n in name.split():

Other than that one thing, this looks fine to me.

Thanks,
Chad


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: patch to policycoreutils
  2009-04-22 22:03 ` Chad Sellers
@ 2009-04-23  1:50   ` Daniel J Walsh
  2009-04-23 20:01     ` Chad Sellers
  0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2009-04-23  1:50 UTC (permalink / raw)
  To: Chad Sellers; +Cc: SE Linux

On 04/22/2009 06:03 PM, Chad Sellers wrote:
> On 4/1/09 10:10 AM, "Daniel J Walsh"<dwalsh@redhat.com>  wrote:
>
>> Multiple patches to policycoreutils.
>>
>> First added /root/.ssh and /root/.ssh/* to allow people to place keys
>> in /root directory and have them labeled by restorecond
>>
>> Fix transaction handling in semanage so you can update multiple records
>> simultaneously.
>>
>> Clean up permissive domains creation in semanage so it does not leave
>> crap in /var/lib/selinux
>>
>> diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui
>> --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf
>> policycoreutils-2.0.62/restorecond/restorecond.conf
>> --- nsapolicycoreutils/restorecond/restorecond.conf    2009-02-18
>> 16:44:47.000000000 -0500
>> +++ policycoreutils-2.0.62/restorecond/restorecond.conf    2009-02-23
>> 11:32:21.000000000 -0500
>> @@ -5,3 +5,7 @@
>>   /var/run/utmp
>>   /var/log/wtmp
>>   ~/*
>> +/root/.ssh
>> +/root/.ssh/*
>> +
>> +
>> diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui
>> --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles
>> policycoreutils-2.0.62/scripts/fixfiles
>> --- nsapolicycoreutils/scripts/fixfiles    2009-02-18 16:44:47.000000000 -0500
>> +++ policycoreutils-2.0.62/scripts/fixfiles    2009-02-19 10:07:49.000000000
>> -0500
>> @@ -122,7 +122,7 @@
>>   fi
>>   if [ ! -z "$RPMFILES" ]; then
>>       for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
>> -    rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -i -f - 2>&1>>
>> $LOGFILE
>> +    rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -R -i -f - 2>&1>>
>> $LOGFILE
>>       done
>>       exit $?
>>   fi
> Not sure I understand this one, and it didn't seem to be mentioned in your
> comment. You're changing fixfiles to relabel recursively when it's fixing
> files from an rpm? Wouldn't an rpm already list all the files it owned?
>
> <snip due to previously ack'd patch>
>> @@ -303,6 +308,12 @@
>>                  if rc<  0:
>>                         raise ValueError(_("Could not commit semanage
>> transaction"))
>>
>> +        def finish(self):
>> +               if not self.transaction:
>> +                      raise ValueError(_("Semanage transaction not in
>> progress"))
>> +               self.transaction = False
>> +               self.commit()
>> +
>>   class permissiveRecords(semanageRecords):
>>       def __init__(self, store):
>>                  semanageRecords.__init__(self, store)
>> @@ -328,6 +339,7 @@
>>
>>
>>       def add(self, type):
>> +               import glob
>>                  name = "permissive_%s" % type
>>                  dirname = "/var/lib/selinux"
>>                  os.chdir(dirname)
>> @@ -351,16 +363,19 @@
>>                  fd.close()
>>
>>                  rc = semanage_module_install(self.sh, data, len(data));
>> -               if rc<  0:
>> -            raise ValueError(_("Could not set permissive domain %s (module
>> installation failed)") % name)
>> -
>> -               self.commit()
>> +               if rc>= 0:
>> +                      self.commit()
>>
>>                  for root, dirs, files in os.walk("tmp", topdown=False):
>>                         for name in files:
>>                                os.remove(os.path.join(root, name))
>>                         for name in dirs:
>>                                os.rmdir(os.path.join(root, name))
>> +               os.removedirs("tmp")
>> +               for i in glob.glob("permissive_%s.*" % type):
>> +                      os.remove(i)
>> +               if rc<  0:
>> +            raise ValueError(_("Could not set permissive domain %s (module
>> installation failed)") % name)
>>
>>       def delete(self, name):
>>                  for n in name.split():
>
> Other than that one thing, this looks fine to me.
>
> Thanks,
> Chad
>
>
If a package owned a directory like /var/lib/libvirt/images, when it is 
relabeling we would want it to relabel not only the directory but the 
contents of the directory.



* Re: patch to policycoreutils
  2009-04-23  1:50   ` Daniel J Walsh
@ 2009-04-23 20:01     ` Chad Sellers
  2009-05-18 15:29       ` Joshua Brindle
  0 siblings, 1 reply; 14+ messages in thread
From: Chad Sellers @ 2009-04-23 20:01 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On 4/22/09 9:50 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:

> On 04/22/2009 06:03 PM, Chad Sellers wrote:
>> On 4/1/09 10:10 AM, "Daniel J Walsh"<dwalsh@redhat.com>  wrote:
>> 
>>> Multiple patches to policycoreutils.
>>> 
>>> First added /root/.ssh and /root/.ssh/* to allow people to place keys
>>> in /root directory and have them labeled by restorecond
>>> 
>>> Fix transaction handling in semanage so you can update multiple records
>>> simultaneously.
>>> 
>>> Clean up permissive domains creation in semanage so it does not leave
>>> crap in /var/lib/selinux
>>> 
>>> diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui
>>> --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf
>>> policycoreutils-2.0.62/restorecond/restorecond.conf
>>> --- nsapolicycoreutils/restorecond/restorecond.conf    2009-02-18
>>> 16:44:47.000000000 -0500
>>> +++ policycoreutils-2.0.62/restorecond/restorecond.conf    2009-02-23
>>> 11:32:21.000000000 -0500
>>> @@ -5,3 +5,7 @@
>>>   /var/run/utmp
>>>   /var/log/wtmp
>>>   ~/*
>>> +/root/.ssh
>>> +/root/.ssh/*
>>> +
>>> +
>>> diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui
>>> --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles
>>> policycoreutils-2.0.62/scripts/fixfiles
>>> --- nsapolicycoreutils/scripts/fixfiles    2009-02-18 16:44:47.000000000
>>> -0500
>>> +++ policycoreutils-2.0.62/scripts/fixfiles    2009-02-19 10:07:49.000000000
>>> -0500
>>> @@ -122,7 +122,7 @@
>>>   fi
>>>   if [ ! -z "$RPMFILES" ]; then
>>>       for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
>>> -    rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -i -f - 2>&1>>
>>> $LOGFILE
>>> +    rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -R -i -f -
>>> 2>&1>>
>>> $LOGFILE
>>>       done
>>>       exit $?
>>>   fi
>> Not sure I understand this one, and it didn't seem to be mentioned in your
>> comment. You're changing fixfiles to relabel recursively when it's fixing
>> files from an rpm? Wouldn't an rpm already list all the files it owned?
>> 
>> <snip due to previously ack'd patch>
>>> @@ -303,6 +308,12 @@
>>>                  if rc<  0:
>>>                         raise ValueError(_("Could not commit semanage
>>> transaction"))
>>> 
>>> +        def finish(self):
>>> +               if not self.transaction:
>>> +                      raise ValueError(_("Semanage transaction not in
>>> progress"))
>>> +               self.transaction = False
>>> +               self.commit()
>>> +
>>>   class permissiveRecords(semanageRecords):
>>>       def __init__(self, store):
>>>                  semanageRecords.__init__(self, store)
>>> @@ -328,6 +339,7 @@
>>> 
>>> 
>>>       def add(self, type):
>>> +               import glob
>>>                  name = "permissive_%s" % type
>>>                  dirname = "/var/lib/selinux"
>>>                  os.chdir(dirname)
>>> @@ -351,16 +363,19 @@
>>>                  fd.close()
>>> 
>>>                  rc = semanage_module_install(self.sh, data, len(data));
>>> -               if rc<  0:
>>> -            raise ValueError(_("Could not set permissive domain %s (module
>>> installation failed)") % name)
>>> -
>>> -               self.commit()
>>> +               if rc>= 0:
>>> +                      self.commit()
>>> 
>>>                  for root, dirs, files in os.walk("tmp", topdown=False):
>>>                         for name in files:
>>>                                os.remove(os.path.join(root, name))
>>>                         for name in dirs:
>>>                                os.rmdir(os.path.join(root, name))
>>> +               os.removedirs("tmp")
>>> +               for i in glob.glob("permissive_%s.*" % type):
>>> +                      os.remove(i)
>>> +               if rc<  0:
>>> +            raise ValueError(_("Could not set permissive domain %s (module
>>> installation failed)") % name)
>>> 
>>>       def delete(self, name):
>>>                  for n in name.split():
>> 
>> Other than that one thing, this looks fine to me.
>> 
>> Thanks,
>> Chad
>> 
>> 
> If a package owned a directory like /var/lib/libvirt/images, when it is
> relabeling we would want it to relabel not only the directory but the
> contents of the directory

Makes sense.

Acked-by: Chad Sellers <csellers@tresys.com>




* Re: patch to policycoreutils
  2009-04-23 20:01     ` Chad Sellers
@ 2009-05-18 15:29       ` Joshua Brindle
  0 siblings, 0 replies; 14+ messages in thread
From: Joshua Brindle @ 2009-05-18 15:29 UTC (permalink / raw)
  To: Chad Sellers; +Cc: Daniel J Walsh, SE Linux

Chad Sellers wrote:
> On 4/22/09 9:50 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:
> 
>> On 04/22/2009 06:03 PM, Chad Sellers wrote:
>>> On 4/1/09 10:10 AM, "Daniel J Walsh"<dwalsh@redhat.com>  wrote:
>>>
>>>> Multiple patches to policycoreutils.
>>>>
>>>> First added /root/.ssh and /root/.ssh/* to allow people to place keys
>>>> in /root directory and have them labeled by restorecond
>>>>
>>>> Fix transaction handling in semanage so you can update multiple records
>>>> simultaneously.
>>>>
>>>> Clean up permissive domains creation in semanage so it does not leave
>>>> crap in /var/lib/selinux
>>>>
>>>> diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui
>>>> --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf
>>>> policycoreutils-2.0.62/restorecond/restorecond.conf
>>>> --- nsapolicycoreutils/restorecond/restorecond.conf    2009-02-18
>>>> 16:44:47.000000000 -0500
>>>> +++ policycoreutils-2.0.62/restorecond/restorecond.conf    2009-02-23
>>>> 11:32:21.000000000 -0500
>>>> @@ -5,3 +5,7 @@
>>>>   /var/run/utmp
>>>>   /var/log/wtmp
>>>>   ~/*
>>>> +/root/.ssh
>>>> +/root/.ssh/*
>>>> +
>>>> +
>>>> diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui
>>>> --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles
>>>> policycoreutils-2.0.62/scripts/fixfiles
>>>> --- nsapolicycoreutils/scripts/fixfiles    2009-02-18 16:44:47.000000000
>>>> -0500
>>>> +++ policycoreutils-2.0.62/scripts/fixfiles    2009-02-19 10:07:49.000000000
>>>> -0500
>>>> @@ -122,7 +122,7 @@
>>>>   fi
>>>>   if [ ! -z "$RPMFILES" ]; then
>>>>       for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
>>>> -    rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -i -f - 2>&1>>
>>>> $LOGFILE
>>>> +    rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -R -i -f -
>>>> 2>&1>>
>>>> $LOGFILE
>>>>       done
>>>>       exit $?
>>>>   fi
>>> Not sure I understand this one, and it didn't seem to be mentioned in your
>>> comment. You're changing fixfiles to relabel recursively when it's fixing
>>> files from an rpm? Wouldn't an rpm already list all the files it owned?
>>>
>>> <snip due to previously ack'd patch>
>>>> @@ -303,6 +308,12 @@
>>>>                  if rc<  0:
>>>>                         raise ValueError(_("Could not commit semanage
>>>> transaction"))
>>>>
>>>> +        def finish(self):
>>>> +               if not self.transaction:
>>>> +                      raise ValueError(_("Semanage transaction not in
>>>> progress"))
>>>> +               self.transaction = False
>>>> +               self.commit()
>>>> +
>>>>   class permissiveRecords(semanageRecords):
>>>>       def __init__(self, store):
>>>>                  semanageRecords.__init__(self, store)
>>>> @@ -328,6 +339,7 @@
>>>>
>>>>
>>>>       def add(self, type):
>>>> +               import glob
>>>>                  name = "permissive_%s" % type
>>>>                  dirname = "/var/lib/selinux"
>>>>                  os.chdir(dirname)
>>>> @@ -351,16 +363,19 @@
>>>>                  fd.close()
>>>>
>>>>                  rc = semanage_module_install(self.sh, data, len(data));
>>>> -               if rc<  0:
>>>> -            raise ValueError(_("Could not set permissive domain %s (module
>>>> installation failed)") % name)
>>>> -
>>>> -               self.commit()
>>>> +               if rc>= 0:
>>>> +                      self.commit()
>>>>
>>>>                  for root, dirs, files in os.walk("tmp", topdown=False):
>>>>                         for name in files:
>>>>                                os.remove(os.path.join(root, name))
>>>>                         for name in dirs:
>>>>                                os.rmdir(os.path.join(root, name))
>>>> +               os.removedirs("tmp")
>>>> +               for i in glob.glob("permissive_%s.*" % type):
>>>> +                      os.remove(i)
>>>> +               if rc<  0:
>>>> +            raise ValueError(_("Could not set permissive domain %s (module
>>>> installation failed)") % name)
>>>>
>>>>       def delete(self, name):
>>>>                  for n in name.split():
>>> Other than that one thing, this looks fine to me.
>>>
>>> Thanks,
>>> Chad
>>>
>>>
>> If a package owned a directory like /var/lib/libvirt/images, when it is
>> relabeling we would want it to relabel not only the directory but the
>> contents of the directory
> 
> Makes sense.
> 
> Acked-by: Chad Sellers <csellers@tresys.com>
> 

Merged in policycoreutils-2.0.63




* Re: Patch to policycoreutils
  2005-01-31 18:49             ` Daniel J Walsh
@ 2005-02-01 14:22               ` Stephen Smalley
  0 siblings, 0 replies; 14+ messages in thread
From: Stephen Smalley @ 2005-02-01 14:22 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Mon, 2005-01-31 at 13:49, Daniel J Walsh wrote:
> +	/usr/bin/diff $PREFC $FC | grep '^[<>]'|cut -c3-| grep ^/ | \
> +	grep -v -e ^/root -e ^/home -e ^/tmp -e ^/var/tmp | \
> +	sed -r -e 's|\(([/?[:alnum:]]+)\)\?|{\1,}|g' \
> +	       -e 's|([[:alnum:]])\?|{\1,}|g' \
> +	       -e 's,\(.*,*,g' -e 's,\[.*,*,g' \
> +	       -e 's,[[:blank:]].*,,g' \
> +               -e 's,\?.*,*,g' \
> +               -e 's,\.\*,*,g' \
> +	       -e 's,\(.*,*,g' \
> +	       -e 's,\[.*,*,g' | \

Minor:  You have duplicate \(.* and \[.* substitutions above, once with
both on the same line and then separately immediately above.

> +	sort -u | \
>          while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};;  esac; fi; done | \
>  	while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \

The find command can end up re-introducing /root, /tmp, and /home if /
is in the input patterns, so you may want to move the grep -v command
down to the end of the pipeline.  tmp directories are likely ok anyway,
as file_contexts specifies <<none>> for them already (so restorecon
shouldn't relabel them even if they are passed).  Further, the find
command ends up re-introducing duplication; even though / was included
in my test, it also ended up generating a list of other directories
directly in / that were not separate filesystems.

As a side note, I experimented with this by splitting the pipeline up
and writing the output of each stage to a separate temporary file, then
diff'ing each pair of temporary files to see the effect of each stage. 
I wanted to force it to be applied to all file_contexts entries as a
degenerate case, so I initially tried passing -C /dev/null, but that
didn't seem to work (possibly fails the -f test), so I instead use a MLS
vs. non-MLS file_contexts to ensure that every line differed (due to the
MLS level field).

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency




* Re: Patch to policycoreutils
  2005-01-31 15:27           ` Stephen Smalley
@ 2005-01-31 18:49             ` Daniel J Walsh
  2005-02-01 14:22               ` Stephen Smalley
  0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2005-01-31 18:49 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux


diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.21.9/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles	2005-01-31 09:49:15.000000000 -0500
+++ policycoreutils-1.21.9/scripts/fixfiles	2005-01-31 13:39:27.000000000 -0500
@@ -60,12 +60,20 @@
 if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
 	TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
 	test -z "$TEMPFILE" && exit
-	/usr/bin/diff $PREFC $FC | egrep '^[<>]'|cut -c3-| grep ^/ | \
-        sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \
-            -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \
+	/usr/bin/diff $PREFC $FC | grep '^[<>]'|cut -c3-| grep ^/ | \
+	grep -v -e ^/root -e ^/home -e ^/tmp -e ^/var/tmp | \
+	sed -r -e 's|\(([/?[:alnum:]]+)\)\?|{\1,}|g' \
+	       -e 's|([[:alnum:]])\?|{\1,}|g' \
+	       -e 's,\(.*,*,g' -e 's,\[.*,*,g' \
+	       -e 's,[[:blank:]].*,,g' \
+               -e 's,\?.*,*,g' \
+               -e 's,\.\*,*,g' \
+	       -e 's,\(.*,*,g' \
+	       -e 's,\[.*,*,g' | \
+	sort -u | \
         while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};;  esac; fi; done | \
 	while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \
-	${RESTORECON} $2 -v -f -R - 
+	${RESTORECON} -R $2 -v -f - 
 	rm -f ${TEMPFILE}
 fi
 }
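Review bot: the sed stage lists `-e 's,\(.*,*,g' -e 's,\[.*,*,g'` twice (once together on one line, then again as the final two expressions); the second pair can never match anything the first did not already rewrite, so drop it. More important, the `grep -v -e ^/root -e ^/home -e ^/tmp -e ^/var/tmp` exclusion runs before the find stage, so any pattern that reduces to `/*` (or to another parent of an excluded directory) expands to /root, /home and /tmp again and they are passed to restorecon anyway; move the exclusion to the end of the pipeline. Also, `grep -q -f ${TEMPFILE}` treats each stored pattern (a previous entry with its trailing * stripped) as an unanchored basic regex, so a short prefix such as /usr/lib in the temp file suppresses every later pattern that merely contains that string; anchoring the stored pattern with ^ and escaping its metacharacters would make the de-duplication do what the `case "$pattern" in *"*")` branch intends.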


* Re: Patch to policycoreutils
  2005-01-31 15:13         ` Daniel J Walsh
@ 2005-01-31 15:27           ` Stephen Smalley
  2005-01-31 18:49             ` Daniel J Walsh
  0 siblings, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2005-01-31 15:27 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Mon, 2005-01-31 at 10:13, Daniel J Walsh wrote:
> >1) The first sed substitution changes:
> >/var/tmp/vi\.recover  -d      system_u:object_r:tmp_t
> >to:
> >/var/tmp/vi*
> >
> >  
> >
> This looks good.

i.e. We can drop the first substitution entirely, right?  Shell will
correctly handle \. as is.

> >2) The second sed substitution changes:
> >/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird --      system_u:object_r:bin_t
> >to:
> >/usr/lib*
> >
> >This is due to sed itself performing regex matching for the .* sequence,
> >i.e. it consumes anything after an open parens.  Possibly you could
> >escape it if that is what you intended, e.g. \.\*.
> >
> >  
> >
> Huh? You need to match both /usr/lib/ and /usr/lib64/, so I don't see
> any way of doing this without /usr/lib*

Possibly /usr/lib{64,}/*thunderbird*/thunderbird.  The point being that
we don't need to relabel all of /usr/lib here.

> >Similar issues with the other substitutions that are using .*, I think,
> >e.g. changing:
> >/usr/bin/[xgkw]dm     --      system_u:object_r:xdm_exec_t
> >to:
> >/usr/bin/*
> >
> >But the shell would have correctly handled /usr/bin/[xgkw]dm without any
> >change at all.
> >
> >  
> >
> But there is lots of other stuff that could be in between the [], correct?

Yes, we would have to distinguish the cases that can be handled by the
shell vs. the use of other regex metacharacters within the brackets.

> Yes, good catch.  First off we should remove /u?dev and switch to /dev 
> in policy since this was
> only a pre-fc3 problem.  But as in other message any sed experts who can 
> change
> 
> /u*dev --> /{u,}dev

More generally, we would want to replace x? or (x)? with {x,}.  Might be
easier to do in perl or other languages than just sed.

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency
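The rule of thumb above (x? and (x)? become {x,}, a \. is just a dot, simple bracket classes can be left to the shell) together with the point from the 2005-02-01 reply earlier on this page that the /root, /home and /tmp exclusion has to run after the find stage, as one added example. It is not code from policycoreutils or from anyone in the thread; the names regex_to_glob, file_contexts_to_globs and finalize_paths are my own, and the file_contexts entries are constructed samples modelled on the ones quoted in the thread.

```python
# Added example, not policycoreutils code: a Python take on the fixfiles
# sed pipeline, following the suggestions made in this thread.
import re

# Constructed sample entries, modelled on the ones quoted in the thread.
SAMPLE_FILE_CONTEXTS = r"""
# comment lines and blank lines are skipped
/var/tmp/vi\.recover  -d      system_u:object_r:tmp_t
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird --  system_u:object_r:bin_t
/usr/bin/[xgkw]dm     --      system_u:object_r:xdm_exec_t
/u?dev(/.*)?                  system_u:object_r:device_t
/var/lib/libvirt/images(/.*)? system_u:object_r:virt_image_t
/etc/rc\.d/init\.d/(ssh|sshd) --  system_u:object_r:initrc_exec_t
"""

GLOB_META = set("*?[]{}\\")
PLAIN_GROUP = re.compile(r"[\w/-]+")   # group body usable as a {x,} alternative
PLAIN_CLASS = re.compile(r"[\w-]+")    # bracket class the shell handles as-is


def regex_to_glob(pattern):
    """Convert one file_contexts regex into a shell glob for restorecon -R.
    Exact: \\x -> x, (x)? and x? -> {x,}, [^/]* -> *, plain [abc] kept, and a
    trailing (/.*)? dropped because -R already covers the directory's contents.
    Anything else is cut off at the first unhandled metacharacter and replaced
    by a trailing *, the coarse fallback the sed pipeline applies everywhere.
    """
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:                  # escaped literal, e.g. \.
            lit = pattern[i + 1]
            out.append("\\" + lit if lit in GLOB_META else lit)
            i += 2
        elif c == "(":
            close = pattern.find(")", i)
            if close < 0:
                break
            body = pattern[i + 1:close]
            optional = pattern[close + 1:close + 2] == "?"
            i = close + (2 if optional else 1)
            if optional and body == "/.*":           # (/.*)? : covered by -R
                return "".join(out)
            if not PLAIN_GROUP.fullmatch(body):      # alternation, nesting, ...
                break
            out.append("{%s,}" % body if optional else body)
        elif c == "[":
            close = pattern.find("]", i + 1)
            if close < 0:
                break
            body = pattern[i + 1:close]
            if body == "^/" and pattern[close + 1:close + 2] == "*":
                out.append("*")                      # [^/]* : one path component
                i = close + 2
            elif PLAIN_CLASS.fullmatch(body):
                out.append("[%s]" % body)
                i = close + 1
            else:
                break
        elif c in ".*+?|^${}":                       # unhandled regex syntax
            break
        elif pattern[i + 1:i + 2] == "?":            # single optional char, x?
            out.append("{%s,}" % c)
            i += 2
        else:
            out.append(c)
            i += 1
    else:
        return "".join(out)
    return "".join(out) + "*"                        # truncated: widen with *


def file_contexts_to_globs(text):
    """Take the regex (first field) of each entry; keep first-seen order."""
    globs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        g = regex_to_glob(line.split()[0])
        if g not in globs:
            globs.append(g)
    return globs


EXCLUDED = ("/root", "/home", "/tmp", "/var/tmp")


def finalize_paths(expanded, exclude=EXCLUDED):
    """Filter the paths the shell/find stage expanded the globs into.
    Exclusions run here, after expansion, so a glob like /* cannot bring /root
    or /home back; with -R a path whose ancestor is already listed is redundant,
    which also removes the duplication the find stage adds.
    """
    keep = []
    for p in sorted({p.rstrip("/") or "/" for p in expanded}):
        if any(p == e or p.startswith(e + "/") for e in exclude):
            continue
        if any(p.startswith(k.rstrip("/") + "/") for k in keep):
            continue
        keep.append(p)
    return keep
```

The glob list is what would be handed to the `find $pattern -maxdepth 0` stage; finalize_paths is meant to run on what that stage prints, not on the globs themselves.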




* Re: Patch to policycoreutils
  2005-01-31 14:14       ` Stephen Smalley
@ 2005-01-31 15:13         ` Daniel J Walsh
  2005-01-31 15:27           ` Stephen Smalley
  0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2005-01-31 15:13 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

Stephen Smalley wrote:

>On Fri, 2005-01-28 at 15:25, Daniel J Walsh wrote:
>  
>
>>diff_filecontext() {
>>if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
>>	TEMPFILE=`mktemp ${FILE_CONTEXT}.XXXXXXXXXX`
>>	test -z "$TEMPFILE" && exit
>>	/usr/bin/diff $PREFC $FILE_CONTEXT | egrep '^[<>]'|cut -c3-| grep ^/ | \
>>        sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \
>>            -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \
>>        while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};;  esac; fi; done | \
>>	while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \
>>	${RESTORECON} $2 -v -f -R - 
>>	rm -f ${TEMPFILE}
>>fi
>>}
>>    
>>
>
>To try to understand this better, I split the pipeline and wrote each
>stage into a separate temporary file, then looked at diffs between each
>pair of stages.  I'm not sure if the filter pipeline is functioning as
>you intend, e.g.:
>
>1) The first sed substitution changes:
>/var/tmp/vi\.recover  -d      system_u:object_r:tmp_t
>to:
>/var/tmp/vi*
>
>  
>
This looks good.

>A \. is not a regex; it is a regular dot character, so I would have
>expected you to just remove the backslash for passing along to
>restorecon. 
>
>2) The second sed substitution changes:
>/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird --      system_u:object_r:bin_t
>to:
>/usr/lib*
>
>This is due to sed itself performing regex matching for the .* sequence,
>i.e. it consumes anything after an open parens.  Possibly you could
>escape it if that is what you intended, e.g. \.\*.
>
>  
>
Huh?   You need to match both /usr/lib/ and /usr/lib64/.  So I don't see 
any way of doing this without /usr/lib*

>Similar issues with the other substitutions that are using .*, I think,
>e.g. changing:
>/usr/bin/[xgkw]dm     --      system_u:object_r:xdm_exec_t
>to:
>/usr/bin/*
>
>But the shell would have correctly handled /usr/bin/[xgkw]dm without any
>change at all.
>
>  
>
But there is lots of other stuff that could be in between the [], correct?

>Also seems to have a problem with the /u?dev entries, changing:
>/u?dev/microcode
>to:
>/u*
>
>which won't actually catch /dev nodes.
>
>  
>
Yes, good catch.  First off we should remove /u?dev and switch to /dev 
in policy since this was only a pre-fc3 problem.  But as in the other 
message, any sed experts who can change

/u*dev --> /{u,}dev

Dan


* Re: Patch to policycoreutils
  2005-01-28 20:25     ` Daniel J Walsh
  2005-01-28 20:30       ` Stephen Smalley
@ 2005-01-31 14:14       ` Stephen Smalley
  2005-01-31 15:13         ` Daniel J Walsh
  1 sibling, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2005-01-31 14:14 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Fri, 2005-01-28 at 15:25, Daniel J Walsh wrote:
> diff_filecontext() {
> if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
> 	TEMPFILE=`mktemp ${FILE_CONTEXT}.XXXXXXXXXX`
> 	test -z "$TEMPFILE" && exit
> 	/usr/bin/diff $PREFC $FILE_CONTEXT | egrep '^[<>]'|cut -c3-| grep ^/ | \
>         sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \
>             -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \
>         while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};;  esac; fi; done | \
> 	while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \
> 	${RESTORECON} $2 -v -f -R - 
> 	rm -f ${TEMPFILE}
> fi
> }

To try to understand this better, I split the pipeline and wrote each
stage into a separate temporary file, then looked at diffs between each
pair of stages.  I'm not sure if the filter pipeline is functioning as
you intend, e.g.:

1) The first sed substitution changes:
/var/tmp/vi\.recover  -d      system_u:object_r:tmp_t
to:
/var/tmp/vi*

A \. is not a regex; it is a regular dot character, so I would have
expected you to just remove the backslash for passing along to
restorecon. 

2) The second sed substitution changes:
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird --      system_u:object_r:bin_t
to:
/usr/lib*

This is due to sed itself performing regex matching for the .* sequence,
i.e. it consumes anything after an open parens.  Possibly you could
escape it if that is what you intended, e.g. \.\*.

Similar issues with the other substitutions that are using .*, I think,
e.g. changing:
/usr/bin/[xgkw]dm     --      system_u:object_r:xdm_exec_t
to:
/usr/bin/*

But the shell would have correctly handled /usr/bin/[xgkw]dm without any
change at all.

Also seems to have a problem with the /u?dev entries, changing:
/u?dev/microcode
to:
/u*

which won't actually catch /dev nodes.

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency



* Re: Patch to policycoreutils
  2005-01-28 20:25     ` Daniel J Walsh
@ 2005-01-28 20:30       ` Stephen Smalley
  2005-01-31 14:14       ` Stephen Smalley
  1 sibling, 0 replies; 14+ messages in thread
From: Stephen Smalley @ 2005-01-28 20:30 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Fri, 2005-01-28 at 15:25, Daniel J Walsh wrote:
> I have attached an updated fixfiles.   TEMP FILE will now be in the 
> /etc/selinux/${SELINUXTYPE}/contexts/files directory.
> Also changed it to have restorecon to do the recursing instead of find.

Patch below removes the temporary file for file_contexts and
file_contexts.local, as that will no longer be needed with the new
setfiles.

--- policycoreutils/scripts/fixfiles.dan	2005-01-28 15:33:11.269307680 -0500
+++ policycoreutils/scripts/fixfiles	2005-01-28 15:29:54.606205016 -0500
@@ -37,21 +37,11 @@
 SELINUXTYPE="targeted"
 if [ -e /etc/selinux/config ]; then
     . /etc/selinux/config
-    FILE_CONTEXT=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts 
-    FC=`mktemp /etc/selinux/${SELINUXTYPE}/contexts/files/file_context.XXXXXX`
-    cat ${FILE_CONTEXT} ${FILE_CONTEXT}.local > $FC 2> /dev/null
+    FC=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts 
 else
-    FILE_CONTEXT=/etc/security/selinux/file_contexts
-    FC=${FILE_CONTEXT}
+    FC=/etc/security/selinux/file_contexts
 fi
 
-cleanup() {
-    if [ -e /etc/selinux/config -a -f "$FC" ]; then
-	rm -f $FC
-    fi
-}
-trap "cleanup" 0 1 2 3 13 15
-
 #
 # Log to either syslog or a LOGFILE
 #
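Review bot: dropping `cleanup()` and the `trap "cleanup" 0 1 2 3 13 15` line removes the only signal-time cleanup in the script, while the next hunk still creates a temporary file with `mktemp ${FC}.XXXXXXXXXX` inside /etc/selinux/${SELINUXTYPE}/contexts/files; an interrupted `fixfiles -C ... restore` now leaves a stray file_contexts.XXXXXXXXXX next to the real file_contexts. Keep a trap that removes $TEMPFILE rather than deleting the trap outright. The retained `FC=.../file_contexts ` line also carries a trailing space.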
@@ -68,9 +58,9 @@
 #
 diff_filecontext() {
 if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
-	TEMPFILE=`mktemp ${FILE_CONTEXT}.XXXXXXXXXX`
+	TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
 	test -z "$TEMPFILE" && exit
-	/usr/bin/diff $PREFC $FILE_CONTEXT | egrep '^[<>]'|cut -c3-| grep ^/ | \
+	/usr/bin/diff $PREFC $FC | egrep '^[<>]'|cut -c3-| grep ^/ | \
         sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \
             -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \
         while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};;  esac; fi; done | \
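Review bot: in the last stage of this hunk, `grep -q -f ${TEMPFILE}` matches the stored prefixes anywhere in the candidate path, not only at its start, so once `/usr` is in the temp file any later entry that merely contains `/usr` (for example `/home/usr/...`) is dropped from the relabel; write the prefixes anchored, i.e. prepend `^` to the `$pattern` that the `case` arm appends, so the covering test means "is a path under this prefix". The hunk as shown ends before the find/restorecon stages and the temp-file removal, so the renamed `rm -f` could not be checked here.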


-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency



* Re: Patch to policycoreutils
  2005-01-28 19:51   ` Stephen Smalley
@ 2005-01-28 20:25     ` Daniel J Walsh
  2005-01-28 20:30       ` Stephen Smalley
  2005-01-31 14:14       ` Stephen Smalley
  0 siblings, 2 replies; 14+ messages in thread
From: Daniel J Walsh @ 2005-01-28 20:25 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

[-- Attachment #1: Type: text/plain, Size: 3866 bytes --]

Stephen Smalley wrote:

>On Fri, 2005-01-28 at 11:29, Daniel J Walsh wrote:
>  
>
>>Added new fixfiles -C PREVIOUS_FILECONTEXT  (RESTORE | CHECK)
>>
>>Which will take an old version of the file_context file and the currently
>>installed one and do a diff.  Then it will run a recursive restorecon on all
>>files covered by the difference.  The idea here is to potentially call this
>>function from within policy spec files on updates.  So if the file_context
>>file changes on update, the file context on disk will be updated.
>>    
>>
>
>Interesting idea, although textual diffs of file_contexts may not be
>adequate.
>
>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.21.5/scripts/fixfiles
>>--- nsapolicycoreutils/scripts/fixfiles	2005-01-26 11:30:57.000000000 -0500
>>+++ policycoreutils-1.21.5/scripts/fixfiles	2005-01-28 11:16:21.000000000 -0500
>>@@ -37,10 +37,12 @@
>> SELINUXTYPE="targeted"
>> if [ -e /etc/selinux/config ]; then
>>     . /etc/selinux/config
>>+    FILE_CONTEXT=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts 
>>     FC=`mktemp /etc/selinux/${SELINUXTYPE}/contexts/files/file_context.XXXXXX`
>>-    cat /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local > $FC 2> /dev/null
>>+    cat ${FILE_CONTEXT} ${FILE_CONTEXT}.local > $FC 2> /dev/null
>> else
>>-    FC=/etc/security/selinux/file_contexts
>>+    FILE_CONTEXT=/etc/security/selinux/file_contexts
>>+    FC=${FILE_CONTEXT}
>> fi
>>    
>>
>
>We no longer need to have fixfiles deal with file_contexts.local with
>the latest version of setfiles, since setfiles is now using matchpathcon
>and matchpathcon will internally check it as well.
>
>  
>
>>+#
>>+# Compare PREVious File Context to currently installed File Context and 
>>+# run restorecon on all files affected by the differences.
>>+#
>>+diff_filecontext() {
>>+if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
>>+	TEMPFILE=`mktemp /var/tmp/${SELINUXTYPE}.XXXXXXXXXX`
>>+	test -z "$TEMPFILE" && exit
>>+	/usr/bin/diff $PREFC $FILE_CONTEXT | egrep '^[<>]'|cut -c3-| grep ^/ | \
>>+        sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \
>>+            -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \
>>+        while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};;  esac; fi; done | \
>>+	while read pattern ; do find $pattern -print; done 2> /dev/null | \
>>+	${RESTORECON} $2 -v -f - 
>>+	rm -f ${TEMPFILE}
>>+fi
>>+}
>>    
>>
>
>Hmmm...I'm a bit concerned about the correctness and robustness of this
>filter pipeline, as well as with the notion of feeding restorecon from a
>temporary file.  Can you explain the stages in the filter pipeline a
>bit?  I think it would be preferable to make the temporary file in a
>directory with the same protections as the file_contexts configuration
>(i.e. /etc/selinux/${SELINUXTYPE}/contexts/files).
>
>  
>
I have attached an updated fixfiles.   TEMP FILE will now be in the 
/etc/selinux/${SELINUXTYPE}/contexts/files directory.
Also changed it to have restorecon do the recursing instead of find.

Basically the pipeline is finding all files with a < or > output by 
diff, then it is looking for the first occurrence of a regular expression
and replacing it with a "*".  Next it is checking if there is any overlap.

i.e.

/usr
/usr/bin/postgres
 
Only needs /usr since we are going to do a recursive restore.

Then restorecon will recurse on whatever it gets.  Worst case we end up 
doing a restorecon -R /  :^(

Best case we have a minor change in policy and we end up with
restorecon /usr/bin/pg*


Probably should change the script to avoid recursing over /tmp, /var/tmp 
and /home...




[-- Attachment #2: fixfiles --]
[-- Type: text/plain, Size: 5294 bytes --]

#!/bin/sh
# fixfiles
#
# Script to restore labels on a SELinux box
#
# Copyright (C) 2004 Red Hat, Inc.
# Authors: Dan Walsh <dwalsh@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

#
# Set global Variables
#
fullFlag=0
DIRS=""
RPMFILES=""
OUTFILES=""
LOGFILE=/dev/null
SYSLOGFLAG="-l"
SETFILES=/usr/sbin/setfiles
RESTORECON=/sbin/restorecon
FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(rw/{print $3}';`
FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(ro/{print $3}';`
FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
SELINUXTYPE="targeted"
if [ -e /etc/selinux/config ]; then
    . /etc/selinux/config
    FILE_CONTEXT=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts 
    FC=`mktemp /etc/selinux/${SELINUXTYPE}/contexts/files/file_context.XXXXXX`
    cat ${FILE_CONTEXT} ${FILE_CONTEXT}.local > $FC 2> /dev/null
else
    FILE_CONTEXT=/etc/security/selinux/file_contexts
    FC=${FILE_CONTEXT}
fi

cleanup() {
    if [ -e /etc/selinux/config -a -f "$FC" ]; then
	rm -f $FC
    fi
}
trap "cleanup" 0 1 2 3 13 15

#
# Log to either syslog or a LOGFILE
#
logit () {
if [ -z $LOGFILE ]; then
    logger -i $1
else
    echo $1 >> $LOGFILE
fi
}
#
# Compare PREVious File Context to currently installed File Context and 
# run restorecon on all files affected by the differences.
#
diff_filecontext() {
if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
	TEMPFILE=`mktemp ${FILE_CONTEXT}.XXXXXXXXXX`
	test -z "$TEMPFILE" && exit
	/usr/bin/diff $PREFC $FILE_CONTEXT | egrep '^[<>]'|cut -c3-| grep ^/ | \
        sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \
            -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \
        while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};;  esac; fi; done | \
	while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \
	${RESTORECON} $2 -v -f -R - 
	rm -f ${TEMPFILE}
fi
}
#
# Log all Read Only file systems 
#
LogReadOnly() {
if [ ! -z "$FILESYSTEMSRO" ]; then
    logit "Warning: Skipping the following R/O filesystems:"
    logit "$FILESYSTEMSRO"
fi
}

rpmlist() {
rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
}

# 
# restore
# if called with -n will only check file context
#
restore () {
if [ ! -z "$PREFC" ]; then
    diff_filecontext $1
    exit $?
fi
if [ ! -z "$RPMFILES" ]; then
    for i in `echo $RPMFILES | sed 's/,/ /g'`; do
	rpmlist $i | ${RESTORECON} ${OUTFILES} -R $1 -v -f - 2>&1 >> $LOGFILE
    done
    exit $?
fi
if [ ! -z "$DIRS" ]; then
    ${RESTORECON} ${OUTFILES} -R $1 -v $DIRS 2>&1 >> $LOGFILE
    exit $?
fi
LogReadOnly
${SETFILES} ${OUTFILES} ${SYSLOGFLAG} $1 -v ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
exit $?
}

fullrelabel() {
    logit "Cleaning out /tmp"
    rm -rf /tmp/.??* /tmp/*
    LogReadOnly
    restore
}

relabel() {
    if [ ! -z "$RPMFILES" ]; then
	restore 
    fi

    if [ "$fullFlag" = 1 ]; then
	fullrelabel
    fi

    echo -n "
    Files in the /tmp directory may be labeled incorrectly, this command 
    can remove all files in /tmp.  If you choose to remove files from /tmp, 
    a reboot will be required after completion.
    
    Do you wish to clean out the /tmp directory [N]? "
    read answer
    if [ "$answer" = y -o  "$answer" = Y ]; then 
	fullrelabel
    else
	restore
    fi
}

usage() {
      	echo $"Usage: $0 [-l logfile ] [-o outputfile ] { check | restore|[-F] relabel } [[dir] ... ] "
	echo or
      	echo $"Usage: $0 -R rpmpackage[,rpmpackage...] -C PREVIOUS_FILECONTEXT [-l logfile ] [-o outputfile ] { check | restore }"
}

if [ $# = 0 ]; then
	usage
	exit 1
fi

# See how we were called.
while getopts "C:Fo:R:l:" i; do
    case "$i" in
	F)
	fullFlag=1
	;;
        R)
		RPMFILES=$OPTARG
		;;
        o)
		OUTFILES=$OPTARG
		;;
        l)
		LOGFILE=$OPTARG
		;;
        C)
		PREFC=$OPTARG
		;;
	*)
	    usage
	    exit 1
esac
done


# Check for the command
eval command=\$${OPTIND}
let OPTIND=$OPTIND+1
if [ -z $command ]; then
    usage
fi

#
# check if they specified both DIRS and RPMFILES
#

if [ ! -z $RPMFILES ]; then
    if [ $OPTIND -le $# ]; then
	    usage
    fi
else
    while [ $OPTIND -le $# ]; do
	eval DIR=\$${OPTIND}
	DIRS="$DIRS $DIR"
	let OPTIND=$OPTIND+1
    done
fi
#
# Make sure they specified one of the three valid commands
#
case "$command" in
    restore) restore ;;
    check) restore -n ;;
    relabel) relabel;;
    *)
    usage
    exit 1
esac
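The prefix extraction Dan describes above (keep the literal leading path of each changed entry, replace the rest with `*`, drop entries another one already covers) and Stephen's `{x,}` rewrite of `x?`/`(x)?` are both worked through below in Python rather than sed, as an added example that is not part of this thread or of policycoreutils; `restorecon_args`, `parse_entry` and the sample diff lines are constructed for the example.

```python
"""Restorecon targets from changed file_contexts entries.

Added example, not code from fixfiles or policycoreutils.  regex_to_glob()
is the suggested rewrite of x? / (x)? as {x,} (and .* / [^/]* as *) so the
shell expands the path itself; restore_roots() is what the sed chain in
diff_filecontext() tries to do: keep the literal leading path of each
changed regex and drop the paths another one already covers.
"""
import re

_META = set(".*?+()[]{}|^$")   # metacharacters that end the literal part
_QUANT = set("?*+{")           # quantifiers applying to the previous char

def parse_entry(line):
    """Regex field of a file_contexts line, or None for blank/comment lines."""
    line = line.strip()
    return None if not line or line.startswith("#") else line.split()[0]

def literal_prefix(regex):
    """Return (prefix, truncated): the longest literal leading path.

    \\. resolves to a plain dot; the walk stops at the first unescaped
    metacharacter, and a quantifier also drops the character it applies
    to, so /u?dev gives "/" rather than "/u" (the /dev case from the thread).
    """
    out, i = [], 0
    while i < len(regex):
        c = regex[i]
        if c == "\\" and i + 1 < len(regex):
            out.append(regex[i + 1])
            i += 2
            continue
        if c in _META:
            if c in _QUANT and out:
                out.pop()
            return "".join(out), True
        out.append(c)
        i += 1
    return "".join(out), False

def regex_to_glob(regex):
    """Rewrite a file_contexts regex as a bash brace/glob pattern.

    (64)? -> {64,}, u? -> {u,}, [^/]* and .* -> *, \\. -> a plain dot.
    Bracket expressions such as [xgkw] are kept since the shell handles
    them.  Brace expansion needs bash, not POSIX sh.
    """
    glob = re.sub(r"\(([^()|]+)\)\?", r"{\1,}", regex)
    glob = re.sub(r"(?<!\\)([^\\/)\]])\?", r"{\1,}", glob)
    glob = glob.replace("[^/]*", "*").replace(".*", "*")
    return glob.replace("\\.", ".")

def _covers(root, path):
    """True if ROOT, a (path, truncated) pair, already covers PATH."""
    rpath, truncated = root
    if truncated:                  # expanded as rpath*, so any extension
        return path.startswith(rpath)
    return path == rpath or path.startswith(rpath.rstrip("/") + "/")

def restore_roots(changed_lines):
    """Coalesce changed entries into (path, truncated) restorecon targets.

    Shorter paths go first so a covering prefix wins; a truncated "/" (from
    an entry like /u?dev/...) therefore swallows everything: restorecon -R /.
    """
    prefixes = {literal_prefix(r) for r in map(parse_entry, changed_lines) if r}
    roots = []
    for path, trunc in sorted(prefixes, key=lambda p: (len(p[0]), p[0], not p[1])):
        if not any(_covers(r, path) for r in roots):
            roots.append((path, trunc))
    return roots

def restorecon_args(roots):
    """Shell words for restorecon -R: a truncated prefix becomes a glob."""
    return [p + "*" if trunc else p for p, trunc in roots]

if __name__ == "__main__":
    # Constructed sample: what `diff old new | egrep '^[<>]' | cut -c3-` yields.
    changed = [
        "/var/tmp/vi\\.recover  -d      system_u:object_r:tmp_t",
        "/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- system_u:object_r:bin_t",
        "/usr/lib64/mozilla(/.*)?          system_u:object_r:lib_t",
        "/usr/bin/postgres     --      system_u:object_r:postgresql_exec_t",
    ]
    for line in changed:
        print(regex_to_glob(parse_entry(line)))
    print("restorecon -R", " ".join(restorecon_args(restore_roots(changed))))
```

A truncated prefix is still expanded as `prefix*`, so `/usr/lib` from the thunderbird entry covers both `/usr/lib` and `/usr/lib64` without relabeling all of /usr, which is the trade-off Stephen and Dan discuss above.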


* Re: Patch to policycoreutils
  2005-01-28 16:29 ` Patch " Daniel J Walsh
@ 2005-01-28 19:51   ` Stephen Smalley
  2005-01-28 20:25     ` Daniel J Walsh
  0 siblings, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2005-01-28 19:51 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Fri, 2005-01-28 at 11:29, Daniel J Walsh wrote:
> Added new fixfiles -C PREVIOUS_FILECONTEXT  (RESTORE | CHECK)
> 
> Which will take an old version of the file_context file and the currently
> installed one and do a diff.  Then it will run a recursive restorecon on all
> files covered by the difference.  The idea here is to potentially call this
> function from within policy spec files on updates.  So if the file_context
> file changes on update, the file context on disk will be updated.

Interesting idea, although textual diffs of file_contexts may not be
adequate.

> diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.21.5/scripts/fixfiles
> --- nsapolicycoreutils/scripts/fixfiles	2005-01-26 11:30:57.000000000 -0500
> +++ policycoreutils-1.21.5/scripts/fixfiles	2005-01-28 11:16:21.000000000 -0500
> @@ -37,10 +37,12 @@
>  SELINUXTYPE="targeted"
>  if [ -e /etc/selinux/config ]; then
>      . /etc/selinux/config
> +    FILE_CONTEXT=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts 
>      FC=`mktemp /etc/selinux/${SELINUXTYPE}/contexts/files/file_context.XXXXXX`
> -    cat /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local > $FC 2> /dev/null
> +    cat ${FILE_CONTEXT} ${FILE_CONTEXT}.local > $FC 2> /dev/null
>  else
> -    FC=/etc/security/selinux/file_contexts
> +    FILE_CONTEXT=/etc/security/selinux/file_contexts
> +    FC=${FILE_CONTEXT}
>  fi

We no longer need to have fixfiles deal with file_contexts.local with
the latest version of setfiles, since setfiles is now using matchpathcon
and matchpathcon will internally check it as well.

> +#
> +# Compare PREVious File Context to currently installed File Context and 
> +# run restorecon on all files affected by the differences.
> +#
> +diff_filecontext() {
> +if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
> +	TEMPFILE=`mktemp /var/tmp/${SELINUXTYPE}.XXXXXXXXXX`
> +	test -z "$TEMPFILE" && exit
> +	/usr/bin/diff $PREFC $FILE_CONTEXT | egrep '^[<>]'|cut -c3-| grep ^/ | \
> +        sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \
> +            -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \
> +        while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};;  esac; fi; done | \
> +	while read pattern ; do find $pattern -print; done 2> /dev/null | \
> +	${RESTORECON} $2 -v -f - 
> +	rm -f ${TEMPFILE}
> +fi
> +}

Hmmm...I'm a bit concerned about the correctness and robustness of this
filter pipeline, as well as with the notion of feeding restorecon from a
temporary file.  Can you explain the stages in the filter pipeline a
bit?  I think it would be preferable to make the temporary file in a
directory with the same protections as the file_contexts configuration
(i.e. /etc/selinux/${SELINUXTYPE}/contexts/files).

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency



* Patch to policycoreutils
       [not found] <1106927779.32737.59.camel@moss-spartans.epoch.ncsc.mil>
@ 2005-01-28 16:29 ` Daniel J Walsh
  2005-01-28 19:51   ` Stephen Smalley
  0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2005-01-28 16:29 UTC (permalink / raw)
  To: Stephen Smalley, SELinux

[-- Attachment #1: Type: text/plain, Size: 649 bytes --]

Added new fixfiles -C PREVIOUS_FILECONTEXT  (RESTORE | CHECK)

Which will take an old version of the file_context file and the currently
installed one and do a diff.  Then it will run a recursive restorecon on all
files covered by the difference.  The idea here is to potentially call this
function from within policy spec files on updates.  So if the file_context
file changes on update, the file context on disk will be updated.

Also changed restorecon to not error out if one of the files handed to 
it does not exist.

restorecon /etc/BOGUS_FILE /etc/passwd /etc/shadow

Will restore password and shadow and warn about BOGUS_FILE.

Dan

[-- Attachment #2: policycoreutils-rhat.patch --]
[-- Type: text/x-patch, Size: 3289 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.21.5/restorecon/restorecon.c
--- nsapolicycoreutils/restorecon/restorecon.c	2005-01-25 10:32:01.000000000 -0500
+++ policycoreutils-1.21.5/restorecon/restorecon.c	2005-01-28 10:40:23.000000000 -0500
@@ -188,7 +188,7 @@
 	  fprintf(stderr,
 		  "%s:  error while labeling files under %s\n",
 		  progname, buf);
-	  exit(1);
+	  errors++;
 	}
       }
       else
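Review bot: `errors++` in place of `exit(1)` gives the "warn about BOGUS_FILE, still do the rest" behaviour described in the cover text, but the hunk does not show `errors` reaching the exit status; unless main() returns non-zero when `errors` is set, the `exit $?` that fixfiles runs after `${RESTORECON} ... -f -` below will report success for a run that failed to label one of its arguments. Include the exit-path change in the same patch so both halves can be reviewed together.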
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.21.5/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles	2005-01-26 11:30:57.000000000 -0500
+++ policycoreutils-1.21.5/scripts/fixfiles	2005-01-28 11:16:21.000000000 -0500
@@ -37,10 +37,12 @@
 SELINUXTYPE="targeted"
 if [ -e /etc/selinux/config ]; then
     . /etc/selinux/config
+    FILE_CONTEXT=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts 
     FC=`mktemp /etc/selinux/${SELINUXTYPE}/contexts/files/file_context.XXXXXX`
-    cat /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local > $FC 2> /dev/null
+    cat ${FILE_CONTEXT} ${FILE_CONTEXT}.local > $FC 2> /dev/null
 else
-    FC=/etc/security/selinux/file_contexts
+    FILE_CONTEXT=/etc/security/selinux/file_contexts
+    FC=${FILE_CONTEXT}
 fi
 
 cleanup() {
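Review bot: the added `FILE_CONTEXT=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts ` line ends in a trailing space, and the rewritten `cat ${FILE_CONTEXT} ${FILE_CONTEXT}.local > $FC 2> /dev/null` still hides every error (a missing .local is expected, an unreadable file_contexts is not). With setfiles consulting file_contexts.local itself through matchpathcon, the concatenation and the `mktemp` under /etc/selinux can go and `FC` can point straight at file_contexts, which also makes the new `FILE_CONTEXT` variable redundant.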
@@ -60,7 +62,24 @@
     echo $1 >> $LOGFILE
 fi
 }
-
+#
+# Compare PREVious File Context to currently installed File Context and 
+# run restorecon on all files affected by the differences.
+#
+diff_filecontext() {
+if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
+	TEMPFILE=`mktemp /var/tmp/${SELINUXTYPE}.XXXXXXXXXX`
+	test -z "$TEMPFILE" && exit
+	/usr/bin/diff $PREFC $FILE_CONTEXT | egrep '^[<>]'|cut -c3-| grep ^/ | \
+        sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \
+            -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \
+        while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};;  esac; fi; done | \
+	while read pattern ; do find $pattern -print; done 2> /dev/null | \
+	${RESTORECON} $2 -v -f - 
+	rm -f ${TEMPFILE}
+fi
+}
 #
 # Log all Read Only file systems 
 #
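Review bot: two logic problems in `diff_filecontext()`. First, it hands `$2` to restorecon (`${RESTORECON} $2 -v -f -`) but restore() calls it as `diff_filecontext $1` with a single argument, so the `-n` that `check` passes down is lost and `fixfiles -C old check` relabels instead of checking; use `$1`. Second, the sed chain does not do what the comment promises: in `s,(.*,*,g`, `s,\[.*,*,g` and `s,\?.*,*,g` the `.*` is sed's own regex and consumes everything from the first metacharacter on, so `/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird` becomes `/usr/lib*` and `/u?dev/microcode` becomes `/u*`, which never reaches /dev, while `s,\\.*,*,g` turns the escaped, literal dot in `/var/tmp/vi\.recover` into `*`. If the two literal characters were meant, escape them (`\.\*`); if the intent is "literal prefix of the regex", the quantifier cases also need the preceding character dropped, which is easier in a language other than sed. Finally, `mktemp /var/tmp/${SELINUXTYPE}.XXXXXXXXXX` puts the file that later feeds `grep -f` in a world-writable directory; create it beside file_contexts instead.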
@@ -80,6 +99,10 @@
 # if called with -n will only check file context
 #
 restore () {
+if [ ! -z "$PREFC" ]; then
+    diff_filecontext $1
+    exit $?
+fi
 if [ ! -z "$RPMFILES" ]; then
     for i in `echo $RPMFILES | sed 's/,/ /g'`; do
 	rpmlist $i | ${RESTORECON} ${OUTFILES} -R $1 -v -f - 2>&1 >> $LOGFILE
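Review bot: `diff_filecontext $1` followed by `exit $?` exits with the status of the function's last command, which in the hunk above is `rm -f ${TEMPFILE}` rather than restorecon, so a failed or partial relabel in -C mode still exits 0; save restorecon's status (`rc=$?`) before the `rm` and `return $rc`. This branch also silently takes precedence over the `$RPMFILES` branch just below and over any directory arguments; either reject `-C` combined with `-R` or directories, or document the precedence.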
@@ -128,7 +151,7 @@
 usage() {
       	echo $"Usage: $0 [-l logfile ] [-o outputfile ] { check | restore|[-F] relabel } [[dir] ... ] "
 	echo or
-      	echo $"Usage: $0 -R rpmpackage[,rpmpackage...] [-l logfile ] [-o outputfile ] { check | restore }"
+      	echo $"Usage: $0 -R rpmpackage[,rpmpackage...] -C PREVIOUS_FILECONTEXT [-l logfile ] [-o outputfile ] { check | restore }"
 }
 
 if [ $# = 0 ]; then
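Review bot: the new usage line reads as if `-R rpmpackage[,rpmpackage...]` and `-C PREVIOUS_FILECONTEXT` are given together, but the restore() change makes `-C` take over and ignore `-R` entirely; show them as alternatives, e.g. a separate line `Usage: $0 -C PREVIOUS_FILECONTEXT [-l logfile ] [-o outputfile ] { check | restore }`.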
@@ -137,7 +160,7 @@
 fi
 
 # See how we were called.
-while getopts "Fo:R:l:" i; do
+while getopts "C:Fo:R:l:" i; do
     case "$i" in
 	F)
 	fullFlag=1
@@ -151,6 +174,9 @@
         l)
 		LOGFILE=$OPTARG
 		;;
+        C)
+		PREFC=$OPTARG
+		;;
 	*)
 	    usage
 	    exit 1
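Review bot: `PREFC=$OPTARG` is accepted without checking that the file exists or is readable; because `diff_filecontext()` silently does nothing when `[ -f ${PREFC} ]` fails and restore() then runs `exit $?`, a mistyped `-C` argument makes `fixfiles -C old_fc restore` exit 0 having relabeled nothing. Validate it here, e.g. `[ -f "$OPTARG" ] || { usage; exit 1; }`.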

