* Currently we can end up with different permissions on the compiled file_context regex files than the original.
@ 2014-08-20 14:26 Daniel J Walsh
  2014-08-25 17:12 ` Steve Lawrence
  0 siblings, 1 reply; 3+ messages in thread
From: Daniel J Walsh @ 2014-08-20 14:26 UTC (permalink / raw)
  To: SELinux

[-- Attachment #2: 0001-Compiled-file-context-files-and-the-original-should-.patch --]

From dc822395634647dfc25c611261fd74f30962e668 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Sat, 16 Aug 2014 07:37:42 -0400
Subject: [PATCH] Compiled file context files and the original should have the
 same permissions

Currently the compiled file context files can end up with different
permissions than the original.  This can lead to non-priv users
not being able to read the compiled versions.
---
 libselinux/utils/sefcontext_compile.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c
index 0adc968..9618989 100644
--- a/libselinux/utils/sefcontext_compile.c
+++ b/libselinux/utils/sefcontext_compile.c
@@ -4,6 +4,9 @@
 #include <stdint.h>
 #include <stdio.h>
 #include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
 
 #include <linux/limits.h>
 
@@ -323,6 +326,7 @@ int main(int argc, char *argv[])
 	int rc;
 	char *tmp= NULL;
 	int fd;
+	struct stat buf;
 
 	if (argc != 2) {
 		fprintf(stderr, "usage: %s input_file\n", argv[0]);
@@ -333,6 +337,11 @@ int main(int argc, char *argv[])
 
 	path = argv[1];
 
+	if (stat(path, &buf) < 0) {
+		fprintf(stderr, "Can not stat: %s: %m\n", argv[0]);
+		exit(EXIT_FAILURE);
+	}
+
 	rc = process_file(&data, path);
 	if (rc < 0)
 		return rc;
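Review bot: the fprintf in the new stat() error path prints argv[0], the program name, where the message means the file that could not be stat'ed; it should print `path`, e.g. `fprintf(stderr, "Can not stat: %s: %m\n", path);`. The same branch also calls exit(EXIT_FAILURE) while the process_file() failure a few lines below does `return rc;`, so the two error exits from main() use different conventions; picking one keeps the function easier to follow.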
@@ -352,6 +361,12 @@ int main(int argc, char *argv[])
 	if (fd < 0)
 		goto err;
 
+	rc = fchmod(fd, buf.st_mode);
+	if (rc < 0) {
+		perror("fchmod failed to set permission on compiled regexs");
+		goto err;
+	}
+
 	rc = write_binary_file(&data, fd);
 
 	if (rc < 0)
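Review bot: fchmod(fd, buf.st_mode) passes the whole st_mode from the input file, so any setuid, setgid or sticky bit present on the source file_contexts would be copied onto the compiled output along with the rwx bits; since the stated goal is only that unprivileged users can read the compiled file, consider masking to the permission bits, e.g. `rc = fchmod(fd, buf.st_mode & 0777);`. Applying the mode right after the fd is obtained and before write_binary_file() is the right ordering, and the perror plus `goto err` matches the surrounding error handling.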
-- 
2.0.4



* Re: Currently we can end up with different permissions on the compiled file_context regex files than the original.
  2014-08-20 14:26 Currently we can end up with different permissions on the compiled file_context regex files than the original Daniel J Walsh
@ 2014-08-25 17:12 ` Steve Lawrence
  2014-08-26 11:05   ` Daniel J Walsh
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Lawrence @ 2014-08-25 17:12 UTC (permalink / raw)
  To: Daniel J Walsh, SELinux

> +	if (stat(path, &buf) < 0) {
> +		fprintf(stderr, "Can not stat: %s: %m\n", argv[0]);

Should the fprintf print path instead of argv[0]?

> +		exit(EXIT_FAILURE);
> +	}
> +

Looks good otherwise. I'll add to the repo with that change if that's okay.

- Steve


* Re: Currently we can end up with different permissions on the compiled file_context regex files than the original.
  2014-08-25 17:12 ` Steve Lawrence
@ 2014-08-26 11:05   ` Daniel J Walsh
  0 siblings, 0 replies; 3+ messages in thread
From: Daniel J Walsh @ 2014-08-26 11:05 UTC (permalink / raw)
  To: Steve Lawrence, SELinux


On 08/25/2014 01:12 PM, Steve Lawrence wrote:
>> +	if (stat(path, &buf) < 0) {
>> +		fprintf(stderr, "Can not stat: %s: %m\n", argv[0]);
> Should the fprintf print path instead of argv[0]?
Yes.
>> +		exit(EXIT_FAILURE);
>> +	}
>> +
> Looks good otherwise. I'll add to the repo with that change if that's okay.
>
> - Steve
>
Sounds great.
