Re: [PATCH] policycoretuils: sestatus belongs to bin not sbin

From: Nicolas Iooss <nicolas.iooss@m4x.org>
To: bauen1 <j2468h@googlemail.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH] policycoretuils: sestatus belongs to bin not sbin
Date: Tue, 16 Feb 2021 22:31:09 +0100	[thread overview]
Message-ID: <CAJfZ7=keAs69Az0O8jkdfkAPvAYjQ=pqzV=t+ktLQ2KqU3Y6jQ@mail.gmail.com> (raw)
In-Reply-To: <65111b4f-23b9-6758-9cd6-d2f8429916fb@gmail.com>

On Sat, Feb 13, 2021 at 9:44 PM bauen1 <j2468h@googlemail.com> wrote:
>
> It is quite useful even to non-privileged users and doesn't require any
> privileges to work, except for maybe -v.
>
> Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>

I agree with the reasoning, but changing the location of an existing
tool has the potential to break software which depends on the precise
location of sestatus (like
https://github.com/openstack/cookbook-openstack-dashboard/blob/86127240974041b456086b5fff6f8f525c9cf555/spec/spec_helper.rb#L82
and https://github.com/rapid7/metasploit-framework/blob/4a380771d3a18011af153e47e1d08a4a83feb452/lib/msf/core/post/linux/kernel.rb#L276
and https://github.com/RedHatInsights/insights-core/blob/6fd58aeab11232a62ea97ba576220abca808c660/insights/specs/default.py#L815
and ...).

On the other hand, if you have a clear use-case of non-privileged
users refusing to add /usr/sbin to their $PATH but willing to use
sestatus, and that supporting this use-case seems more important than
not breaking programs which rely on sestatus being in /usr/sbin, this
patch will be acceptable. Do you know of such a use-case?

(By the way, there is a misspelling in the patch subject: you wrote
"policycoretuils" instead of "policycoreutils")

Thanks,
Nicolas

> ---
>
>  Only tested by running `make DESTDIR="$PWD" install` and checking that
>  sestatus ends up at /usr/bin/sestatus
>
>  policycoreutils/sestatus/Makefile | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/policycoreutils/sestatus/Makefile b/policycoreutils/sestatus/Makefile
> index 8c4f45f8..ac113814 100644
> --- a/policycoreutils/sestatus/Makefile
> +++ b/policycoreutils/sestatus/Makefile
> @@ -1,7 +1,7 @@
>  # Installation directories.
>  LINGUAS ?= ru
>  PREFIX ?= /usr
> -SBINDIR ?= $(PREFIX)/sbin
> +BINDIR ?= $(PREFIX)/bin
>  MANDIR = $(PREFIX)/share/man
>  ETCDIR ?= /etc
>
> @@ -16,8 +16,8 @@ sestatus: sestatus.o
>  install: all
>         [ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
>         [ -d $(DESTDIR)$(MANDIR)/man5 ] || mkdir -p $(DESTDIR)$(MANDIR)/man5
> -       -mkdir -p $(DESTDIR)$(SBINDIR)
> -       install -m 755 sestatus $(DESTDIR)$(SBINDIR)
> +       -mkdir -p $(DESTDIR)$(BINDIR)
> +       install -m 755 sestatus $(DESTDIR)$(BINDIR)
>         install -m 644 sestatus.8 $(DESTDIR)$(MANDIR)/man8
>         install -m 644 sestatus.conf.5 $(DESTDIR)$(MANDIR)/man5
>         for lang in $(LINGUAS) ; do \
> --
> 2.30.0
>