* [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
@ 2011-08-03 20:56 Daniel J Walsh
2011-08-04 14:56 ` Stephen Smalley
From: Daniel J Walsh @ 2011-08-03 20:56 UTC (permalink / raw)
To: eparis; +Cc: selinux
This patch looks good to me. acked.
[-- Attachment #2: 0029-policycoreutils-fixfiles-clean-up-var-run-and-var-li.patch --]
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
2011-08-03 20:56 [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and Daniel J Walsh
@ 2011-08-04 14:56 ` Stephen Smalley
2011-08-04 16:42 ` Daniel J Walsh
2011-08-04 17:33 ` Eric Paris
From: Stephen Smalley @ 2011-08-04 14:56 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: eparis, selinux
On Wed, 2011-08-03 at 16:56 -0400, Daniel J Walsh wrote:
> This patch looks good to me. acked.
>From dff45c3977973dfbdbc7261b6fef05215d3515d8 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@redhat.com>
Date: Sun, 10 Jul 2011 13:35:32 +0200
Subject: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
/var/lib/debug
clean up /var/run and /var/lib/debug just like we do for /tmp and
/var/tmp since they can easily get unlabeled files.
Signed-off-by: Eric Paris <eparis@redhat.com>
---
policycoreutils/scripts/fixfiles | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 1da3fb2..c5c92bf 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -142,6 +142,8 @@ rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete
find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
+find /var/run \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t var_run_t {} \;
+[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t lib_t {} \;
exit $?
}
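Review bot: the added `[ -e /var/lib/debug ] && find ... \;` line is now the command right before `exit $?`, so on a host without /var/lib/debug the `[ -e ]` test fails, `$?` is 1 and the function reports an error although nothing went wrong; ending that line with `|| true`, or making the `exit` report the status of the relabel, keeps the exit code meaningful. Minor: all four `find ... -exec chcon ... {} \;` lines fork one chcon per matching file; `-exec chcon ... {} +` batches them.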
Does it bother anyone else that you are hardcoding policy types into
your scripts here? What happens when someone wants to use a different
policy that doesn't define those types?
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
2011-08-04 14:56 ` Stephen Smalley
@ 2011-08-04 16:42 ` Daniel J Walsh
2011-08-04 17:33 ` Eric Paris
From: Daniel J Walsh @ 2011-08-04 16:42 UTC (permalink / raw)
To: Stephen Smalley; +Cc: eparis, selinux
On 08/04/2011 10:56 AM, Stephen Smalley wrote:
> On Wed, 2011-08-03 at 16:56 -0400, Daniel J Walsh wrote:
>> This patch looks good to me. acked.
>
>> From dff45c3977973dfbdbc7261b6fef05215d3515d8 Mon Sep 17 00:00:00
>> 2001
> From: Eric Paris <eparis@redhat.com> Date: Sun, 10 Jul 2011 13:35:32
> +0200 Subject: [PATCH 029/155] policycoreutils: fixfiles clean up
> /var/run and /var/lib/debug
>
> clean up /var/run and /var/lib/debug just like we do for /tmp and
> /var/tmp since they can easily get unlabeled files.
>
> Signed-off-by: Eric Paris <eparis@redhat.com> ---
> policycoreutils/scripts/fixfiles | 2 ++ 1 files changed, 2
> insertions(+), 0 deletions(-)
>
> diff --git a/policycoreutils/scripts/fixfiles
> b/policycoreutils/scripts/fixfiles index 1da3fb2..c5c92bf 100755 ---
> a/policycoreutils/scripts/fixfiles +++
> b/policycoreutils/scripts/fixfiles @@ -142,6 +142,8 @@ rm -rf
> /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* find /tmp \( -context
> "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \)
> -delete find /tmp \( -context "*:file_t*" -o -context
> "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; find /var/tmp \(
> -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t
> tmp_t {} \; +find /var/run \( -context "*:file_t*" -o -context
> "*:unlabeled_t*" \) -exec chcon -t var_run_t {} \; +[ -e
> /var/lib/debug ] && find /var/lib/debug \( -context "*:file_t*" -o
> -context "*:unlabeled_t*" \) -exec chcon -t lib_t {} \; exit $? }
>
>
> Does it bother anyone else that you are hardcoding policy types into
> your scripts here? What happens when someone wants to use a
> different policy that doesn't define those types?
>
I guess we could add a file to identify the types of files with no
labels and files that the kernel does not understand. Patches welcome...
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
2011-08-04 14:56 ` Stephen Smalley
2011-08-04 16:42 ` Daniel J Walsh
@ 2011-08-04 17:33 ` Eric Paris
2011-08-04 19:16 ` Christopher J. PeBenito
[not found] ` <CACLa4puk2gO=aV=oNj-Kmj=eSmYmquX0skKoCxso6o9tWcf_Ng@mail.gmail.com>
From: Eric Paris @ 2011-08-04 17:33 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Daniel J Walsh, eparis, selinux
Is there a reasonable way for a script to determine
SECINITSID_UNLABELED? You're right though, it does sound like a good
todo.
-Eric
On Thu, Aug 4, 2011 at 10:56 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Wed, 2011-08-03 at 16:56 -0400, Daniel J Walsh wrote:
>> This patch looks good to me. acked.
>
> >From dff45c3977973dfbdbc7261b6fef05215d3515d8 Mon Sep 17 00:00:00 2001
> From: Eric Paris <eparis@redhat.com>
> Date: Sun, 10 Jul 2011 13:35:32 +0200
> Subject: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
> /var/lib/debug
>
> clean up /var/run and /var/lib/debug just like we do for /tmp and
> /var/tmp since they can easily get unlabeled files.
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
> ---
> policycoreutils/scripts/fixfiles | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
> index 1da3fb2..c5c92bf 100755
> --- a/policycoreutils/scripts/fixfiles
> +++ b/policycoreutils/scripts/fixfiles
> @@ -142,6 +142,8 @@ rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
> find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete
> find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
> find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
> +find /var/run \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t var_run_t {} \;
> +[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t lib_t {} \;
> exit $?
> }
>
>
> Does it bother anyone else that you are hardcoding policy types into
> your scripts here? What happens when someone wants to use a different
> policy that doesn't define those types?
>
> --
> Stephen Smalley
> National Security Agency
>
>
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
2011-08-04 17:33 ` Eric Paris
@ 2011-08-04 19:16 ` Christopher J. PeBenito
[not found] ` <CACLa4puk2gO=aV=oNj-Kmj=eSmYmquX0skKoCxso6o9tWcf_Ng@mail.gmail.com>
From: Christopher J. PeBenito @ 2011-08-04 19:16 UTC (permalink / raw)
To: Eric Paris; +Cc: Stephen Smalley, Daniel J Walsh, eparis, selinux
On 8/4/2011 1:33 PM, Eric Paris wrote:
> Is there a reasonable way for a script to determine
> SECINITSID_UNLABELED? You're right though, it does sound like a good
> todo.
cat /selinux/initial_contexts/unlabeled
> On Thu, Aug 4, 2011 at 10:56 AM, Stephen Smalley<sds@tycho.nsa.gov> wrote:
>> On Wed, 2011-08-03 at 16:56 -0400, Daniel J Walsh wrote:
>>> This patch looks good to me. acked.
>>
>> > From dff45c3977973dfbdbc7261b6fef05215d3515d8 Mon Sep 17 00:00:00 2001
>> From: Eric Paris<eparis@redhat.com>
>> Date: Sun, 10 Jul 2011 13:35:32 +0200
>> Subject: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
>> /var/lib/debug
>>
>> clean up /var/run and /var/lib/debug just like we do for /tmp and
>> /var/tmp since they can easily get unlabeled files.
>>
>> Signed-off-by: Eric Paris<eparis@redhat.com>
>> ---
>> policycoreutils/scripts/fixfiles | 2 ++
>> 1 files changed, 2 insertions(+), 0 deletions(-)
>>
>> diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
>> index 1da3fb2..c5c92bf 100755
>> --- a/policycoreutils/scripts/fixfiles
>> +++ b/policycoreutils/scripts/fixfiles
>> @@ -142,6 +142,8 @@ rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
>> find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete
>> find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
>> find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
>> +find /var/run \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t var_run_t {} \;
>> +[ -e /var/lib/debug ]&& find /var/lib/debug \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t lib_t {} \;
>> exit $?
>> }
>>
>>
>> Does it bother anyone else that you are hardcoding policy types into
>> your scripts here? What happens when someone wants to use a different
>> policy that doesn't define those types?
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
[not found] ` <CACLa4puk2gO=aV=oNj-Kmj=eSmYmquX0skKoCxso6o9tWcf_Ng@mail.gmail.com>
@ 2011-08-04 19:33 ` Stephen Smalley
2011-08-04 20:26 ` Daniel J Walsh
From: Stephen Smalley @ 2011-08-04 19:33 UTC (permalink / raw)
To: Eric Paris; +Cc: Daniel J Walsh, selinux
On Thu, 2011-08-04 at 13:59 -0400, Eric Paris wrote:
> well I guess [selinuxfs]/initial_contexts/unlabeled works for the
> first part, but how to come up with the lib_t/var_t I don't know....
> more initial sids :)
chcon --reference=/lib ...
chcon --reference=/var ...
Or:
chcon `matchpathcon /lib` ...
--
Stephen Smalley
National Security Agency
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
2011-08-04 19:33 ` Stephen Smalley
@ 2011-08-04 20:26 ` Daniel J Walsh
2011-08-04 21:00 ` Eric Paris
From: Daniel J Walsh @ 2011-08-04 20:26 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Eric Paris, selinux
On 08/04/2011 03:33 PM, Stephen Smalley wrote:
> On Thu, 2011-08-04 at 13:59 -0400, Eric Paris wrote:
>> well I guess [selinuxfs]/initial_contexts/unlabeled works for the
>> first part, but how to come up with the lib_t/var_t I don't
>> know.... more initial sids :)
>
> chcon --reference=/lib ... chcon --reference=/var ...
>
> Or: chcon `matchpathcon /lib` ...
>
>
How about this patch...
[-- Attachment #2: unlabeled_file.patch --]
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 6de710a..9c1e6dd 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -21,6 +21,31 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
+# Get the default label returned from the kernel for a file with a lable the
+# kernel does not understand
+#
+get_undefined_type() {
+ if [ -e /sys/fs/selinux/initial_contexts/unlabeled ]; then
+ UNKNOWN_LABEL=`cat /sys/fs/selinux/initial_contexts/unlabeled`
+ else
+ UNKNOWN_LABEL=`cat /selinux/initial_contexts/unlabeled`
+ fi
+ secon -t $UNKNOWN_LABEL
+}
+
+#
+# Get the default label for a file without a label
+#
+get_unlabeled_type() {
+ if [ -e /sys/fs/selinux/initial_contexts/unlabeled ]; then
+ NOLABEL=`cat /sys/fs/selinux/initial_contexts/file`
+ else
+ NOLABEL=`cat /selinux/initial_contexts/file`
+ fi
+ secon -t $NOLABEL
+}
+
+#
# Get all mount points that support seclabel
#
get_all_labeled_mounts() {
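Review bot: `get_unlabeled_type` tests for `/sys/fs/selinux/initial_contexts/unlabeled` but then reads `.../initial_contexts/file`, so the check and the read refer to different files; and when neither `/sys/fs/selinux` nor `/selinux` is mounted, both helpers leave their variable empty and run a bare `secon -t`, which reports the caller's own type instead of failing. Suggest resolving the selinuxfs directory once, exiting non-zero if it is absent, reading both files from it, and quoting the variables (`secon -t "$UNKNOWN_LABEL"`). Also s/lable/label/ in the comment.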
@@ -200,11 +225,13 @@ fi
${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE
rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
-find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete
-find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
-find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
-find /var/run \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t var_run_t {} \;
-[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t lib_t {} \;
+undefined=`get_undefined_type`
+unlabeled=`get_unlabeled_type`
+find /tmp \( -context "*:${unlabeled}*" -o -context "*:${undefined}*" \) \( -type s -o -type p \) -delete
+find /tmp \( -context "*:${unlabeled}*" -o -context "*:${undefined}*" \) -exec chcon --reference /tmp {} \;
+find /var/tmp \( -context "*:${unlabeled}*" -o -context "*:${undefined}*" \) -exec chcon --reference /var/tmp {} \;
+find /var/run \( -context "*:${unlabeled}*" -o -context "*:${undefined}*" \) -exec chcon --reference /var/run {} \;
+[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:${unlabeled}*" -o -context "*:${undefined}*" \) -exec chcon --reference /lib {} \;
exit $?
}
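Review bot: the exit status of `get_undefined_type` and `get_unlabeled_type` is never checked, and an empty `$undefined` or `$unlabeled` turns the glob `"*:${unlabeled}*"` into `*:*`, which matches every file; the first `find /tmp ... \( -type s -o -type p \) -delete` would then remove every socket and pipe under /tmp. Guard before the first `find`, e.g. `[ -n "$undefined" ] && [ -n "$unlabeled" ] || exit 1`.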
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
2011-08-04 20:26 ` Daniel J Walsh
@ 2011-08-04 21:00 ` Eric Paris
2011-08-04 21:06 ` Daniel J Walsh
From: Eric Paris @ 2011-08-04 21:00 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, Eric Paris, selinux
On 08/04/2011 04:26 PM, Daniel J Walsh wrote:
> On 08/04/2011 03:33 PM, Stephen Smalley wrote:
>> On Thu, 2011-08-04 at 13:59 -0400, Eric Paris wrote:
>>> well I guess [selinuxfs]/initial_contexts/unlabeled works for the
>>> first part, but how to come up with the lib_t/var_t I don't
>>> know.... more initial sids :)
>>
>> chcon --reference=/lib ... chcon --reference=/var ...
>>
>> Or: chcon `matchpathcon /lib` ...
>>
>>
>
>
> How about this patch...
If you don't have /selinux mounted in one of those two places secon -t
will return your process type, which might delete the wrong files.
Not that it makes a huge difference, but we don't really need to pare it
down to just the type with secon -t and then search using *$TYPE*.
I also question the use of /sys/fs/selinux/ but I'm not sure we have a
good way to find that in a script..... Do we have one?
-Eric
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
2011-08-04 21:00 ` Eric Paris
@ 2011-08-04 21:06 ` Daniel J Walsh
2011-08-04 21:10 ` Eric Paris
From: Daniel J Walsh @ 2011-08-04 21:06 UTC (permalink / raw)
To: Eric Paris; +Cc: Stephen Smalley, Eric Paris, selinux
On 08/04/2011 05:00 PM, Eric Paris wrote:
> On 08/04/2011 04:26 PM, Daniel J Walsh wrote:
>> On 08/04/2011 03:33 PM, Stephen Smalley wrote:
>>> On Thu, 2011-08-04 at 13:59 -0400, Eric Paris wrote:
>>>> well I guess [selinuxfs]/initial_contexts/unlabeled works for
>>>> the first part, but how to come up with the lib_t/var_t I
>>>> don't know.... more initial sids :)
>>>
>>> chcon --reference=/lib ... chcon --reference=/var ...
>>>
>>> Or: chcon `matchpathcon /lib` ...
>>>
>>>
>>
>>
>> How about this patch...
>
> If you don't have /selinux mounted in one of those two places secon
> -t will return your process type, which might delete the wrong
> files.
>
I guess we should just exit with an error if this happens.
> Not that it makes a huge difference, but we don't really need to pare
> it down to just the type with secon -t and then search using
> *$TYPE*.
>
Well if you are using mcstransd the MLS field could be translated.
> I also question the use of /sys/fs/selinux/ but I'm not sure we have
> a good way to find that in a script..... Do we have one?
>
grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }'
> -Eric
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
2011-08-04 21:06 ` Daniel J Walsh
@ 2011-08-04 21:10 ` Eric Paris
2011-08-04 21:50 ` Daniel J Walsh
From: Eric Paris @ 2011-08-04 21:10 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, Eric Paris, selinux
On 08/04/2011 05:06 PM, Daniel J Walsh wrote:
> On 08/04/2011 05:00 PM, Eric Paris wrote:
>> I also question the use of /sys/fs/selinux/ but I'm not sure we have
>> a good way to find that in a script..... Do we have one?
>>
>
> grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }'
$ grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }'
/selinux
/chroot/selinux
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
2011-08-04 21:10 ` Eric Paris
@ 2011-08-04 21:50 ` Daniel J Walsh
2011-08-05 14:18 ` Stephen Smalley
From: Daniel J Walsh @ 2011-08-04 21:50 UTC (permalink / raw)
To: Eric Paris; +Cc: Stephen Smalley, Eric Paris, selinux
On 08/04/2011 05:10 PM, Eric Paris wrote:
> On 08/04/2011 05:06 PM, Daniel J Walsh wrote:
>> On 08/04/2011 05:00 PM, Eric Paris wrote:
>
>>> I also question the use of /sys/fs/selinux/ but I'm not sure we
>>> have a good way to find that in a script..... Do we have one?
>>>
>>
>> grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }'
>
> $ grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }' /selinux
> /chroot/selinux
>
>
>
Second attempt.
[-- Attachment #2: unlabeled_file.patch --]
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 6de710a..899dce2 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -21,6 +21,23 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
+# Get the default label returned from the kernel for a file with a lable the
+# kernel does not understand
+#
+get_undefined_type() {
+ SELINUXMNT=`grep selinuxfs /proc/self/mountinfo | head -1 | awk '{ print $5 }'`
+ cat ${SELINUXMNT}/initial_contexts/unlabeled | secon -t
+}
+
+#
+# Get the default label for a file without a label
+#
+get_unlabeled_type() {
+ SELINUXMNT=`grep selinuxfs /proc/self/mountinfo | head -1 | awk '{ print $5 }'`
+ cat $SELINUXMNT/initial_contexts/file | secon -t
+}
+
+#
# Get all mount points that support seclabel
#
get_all_labeled_mounts() {
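Review bot: `grep selinuxfs /proc/self/mountinfo | head -1` matches any mountinfo line containing that string, including a mount point or device whose name happens to include it, and the two helpers duplicate the lookup. Suggest one helper that selects on the filesystem-type field (the word after the ` - ` separator, which stays in place however many optional fields precede it) and fails with a message when no selinuxfs mount exists, since otherwise `${SELINUXMNT}` is empty and `cat` reads `/initial_contexts/unlabeled`. Also s/lable/label/ in the comment.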
@@ -200,11 +217,13 @@ fi
${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE
rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
-find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete
-find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
-find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
-find /var/run \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t var_run_t {} \;
-[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t lib_t {} \;
+UNDEFINED=`get_undefined_type` || exit $?
+UNLABELED=`get_unlabeled_type` || exit $?
+find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -type s -o -type p \) -delete
+find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \;
+find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \;
+find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \;
+[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \;
exit $?
}
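Review bot: `UNDEFINED=\`get_undefined_type\` || exit $?` only sees the status of `secon -t`, the last command in the helper's pipeline, so the script depends on secon rejecting empty input; an explicit `[ -n "$UNDEFINED" ] && [ -n "$UNLABELED" ] || exit 1` before the first `find` makes the no-result case fail loudly instead of degrading to a `*:*` match. The `exit $?` also still follows the `[ -e /var/lib/debug ] && ...` line, so a host without that directory exits non-zero.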
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
2011-08-04 21:50 ` Daniel J Walsh
@ 2011-08-05 14:18 ` Stephen Smalley
2011-08-05 14:45 ` Daniel J Walsh
From: Stephen Smalley @ 2011-08-05 14:18 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Eric Paris, Eric Paris, selinux
On Thu, 2011-08-04 at 17:50 -0400, Daniel J Walsh wrote:
> On 08/04/2011 05:10 PM, Eric Paris wrote:
> > On 08/04/2011 05:06 PM, Daniel J Walsh wrote:
> >> On 08/04/2011 05:00 PM, Eric Paris wrote:
> >
> >>> I also question the use of /sys/fs/selinux/ but I'm not sure we
> >>> have a good way to find that in a script..... Do we have one?
> >>>
> >>
> >> grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }'
> >
> > $ grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }' /selinux
> > /chroot/selinux
> >
> >
> >
>
> Second attempt.
Technically I think we wanted to encapsulate all references to selinuxfs
by using libselinux, whether via direct bindings (as from python) or by
adding utils to libselinux (for shell scripts). For example:
$ gcc -lselinux -o getinitialcontext getinitialcontext.c
$ ./getinitialcontext unlabeled
system_u:object_r:unlabeled_t:s0
--
Stephen Smalley
National Security Agency
[-- Attachment #2: getinitialcontext.c --]
#include <selinux/selinux.h>
#include <stdlib.h>
#include <stdio.h>

/* Print the context the kernel assigns to the named initial SID
 * (e.g. "unlabeled" or "file"), obtained through libselinux so the
 * caller never has to locate selinuxfs itself. */
int main(int argc, char **argv)
{
	int rc;
	security_context_t con;

	if (argc != 2) {
		fprintf(stderr, "usage: %s sid-name\n", argv[0]);
		exit(1);
	}
	rc = security_get_initial_context(argv[1], &con);
	if (rc < 0) {
		perror(argv[1]);
		exit(2);
	}
	printf("%s\n", con);
	freecon(con);
	exit(0);
}
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
2011-08-05 14:18 ` Stephen Smalley
@ 2011-08-05 14:45 ` Daniel J Walsh
2011-08-05 15:10 ` Eric Paris
From: Daniel J Walsh @ 2011-08-05 14:45 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Eric Paris, Eric Paris, selinux
On 08/05/2011 10:18 AM, Stephen Smalley wrote:
> On Thu, 2011-08-04 at 17:50 -0400, Daniel J Walsh wrote:
>> On 08/04/2011 05:10 PM, Eric Paris wrote:
>>> On 08/04/2011 05:06 PM, Daniel J Walsh wrote:
>>>> On 08/04/2011 05:00 PM, Eric Paris wrote:
>>>
>>>>> I also question the use of /sys/fs/selinux/ but I'm not sure
>>>>> we have a good way to find that in a script..... Do we have
>>>>> one?
>>>>>
>>>>
>>>> grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }'
>>>
>>> $ grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }'
>>> /selinux /chroot/selinux
>>>
>>>
>>>
>>
>> Second attempt.
>
> Technically I think we wanted to encapsulate all references to
> selinuxfs by using libselinux, whether via direct bindings (as from
> python) or by adding utils to libselinux (for shell scripts). For
> example: $ gcc -lselinux -o getinitialcontext getinitialcontext.c $
> ./getinitialcontext unlabeled system_u:object_r:unlabeled_t:s0
>
If we are going to add any more commands to libselinux I would prefer
them to be prefixed with selinux or at least se.
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
2011-08-05 14:45 ` Daniel J Walsh
@ 2011-08-05 15:10 ` Eric Paris
2011-08-05 15:34 ` Daniel J Walsh
From: Eric Paris @ 2011-08-05 15:10 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, Eric Paris, selinux
On 08/05/2011 10:45 AM, Daniel J Walsh wrote:
> On 08/05/2011 10:18 AM, Stephen Smalley wrote:
>> On Thu, 2011-08-04 at 17:50 -0400, Daniel J Walsh wrote:
>>> On 08/04/2011 05:10 PM, Eric Paris wrote:
>>>> On 08/04/2011 05:06 PM, Daniel J Walsh wrote:
>>>>> On 08/04/2011 05:00 PM, Eric Paris wrote:
>>>>
>>>>>> I also question the use of /sys/fs/selinux/ but I'm not sure
>>>>>> we have a good way to find that in a script..... Do we have
>>>>>> one?
>>>>>>
>>>>>
>>>>> grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }'
>>>>
>>>> $ grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }'
>>>> /selinux /chroot/selinux
>>>>
>>>>
>>>>
>>>
>>> Second attempt.
>>
>> Technically I think we wanted to encapsulate all references to
>> selinuxfs by using libselinux, whether via direct bindings (as from
>> python) or by adding utils to libselinux (for shell scripts). For
>> example: $ gcc -lselinux -o getinitialcontext getinitialcontext.c $
>> ./getinitialcontext unlabeled system_u:object_r:unlabeled_t:s0
>>
> If we are going to add any more commands to libselinux I would prefer
> them to be prefixed with selinux or at least se.
No problem, I can call it anything we want. Last issue I question is
better handling of there being no result. We wouldn't want to delete
context'**' :)
-Eric
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
2011-08-05 15:10 ` Eric Paris
@ 2011-08-05 15:34 ` Daniel J Walsh
From: Daniel J Walsh @ 2011-08-05 15:34 UTC (permalink / raw)
To: Eric Paris; +Cc: Stephen Smalley, Eric Paris, selinux
On 08/05/2011 11:10 AM, Eric Paris wrote:
> On 08/05/2011 10:45 AM, Daniel J Walsh wrote:
>> On 08/05/2011 10:18 AM, Stephen Smalley wrote:
>>> On Thu, 2011-08-04 at 17:50 -0400, Daniel J Walsh wrote:
>>>> On 08/04/2011 05:10 PM, Eric Paris wrote:
>>>>> On 08/04/2011 05:06 PM, Daniel J Walsh wrote:
>>>>>> On 08/04/2011 05:00 PM, Eric Paris wrote:
>>>>>
>>>>>>> I also question the use of /sys/fs/selinux/ but I'm not
>>>>>>> sure we have a good way to find that in a script..... Do
>>>>>>> we have one?
>>>>>>>
>>>>>>
>>>>>> grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }'
>>>>>
>>>>> $ grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }'
>>>>> /selinux /chroot/selinux
>>>>>
>>>>>
>>>>>
>>>>
>>>> Second attempt.
>>>
>>> Technically I think we wanted to encapsulate all references to
>>> selinuxfs by using libselinux, whether via direct bindings (as
>>> from python) or by adding utils to libselinux (for shell
>>> scripts). For example: $ gcc -lselinux -o getinitialcontext
>>> getinitialcontext.c $ ./getinitialcontext unlabeled
>>> system_u:object_r:unlabeled_t:s0
>>>
>> If we are going to add any more commands to libselinux I would
>> prefer them to be prefixed with selinux or at least se.
>
> no problem, I can call it anything we want. Last issue I question
> is better handling of there being no result. We wouldn't want to
> delete context'**' :)
>
Well it would actually delete *:*, and they are tmp files ...
echo "" | secon -t
secon: Couldn't read security context: Invalid argument
[Exit 1]
touch /tmp/dan1
# touch /tmp/empty
# cat /tmp/empty | secon -t
secon: Couldn't read security context: Invalid argument
[Exit 1]
So I think you are going to get an error and the app will blow up.
> -Eric
>
>
>
>
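An added example, not code from the thread or from policycoreutils, that does in plain POSIX shell what the second fixfiles attempt and the last replies discuss: it locates selinuxfs by the filesystem-type field of /proc/self/mountinfo instead of grepping for the string, reduces a context to its type the way `secon -t` does, and refuses to build a `find -context` glob from an empty type, which is the `*:*` case Eric and Dan describe. The mountinfo lines are constructed, and `sample_mountinfo`, `naive_selinuxfs_mount`, `selinuxfs_mount`, `context_type`, `initial_type` and `context_glob` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread or from policycoreutils. Shell-only
# helpers for locating selinuxfs from a script and for never turning an
# empty type into a find -context glob.

# Constructed /proc/self/mountinfo sample. Field layout per line:
#   id parent major:minor root mountpoint options [optional...] - fstype src superopts
# The decoy on /srv/selinuxfs-backup is listed before the real mount so that
# a plain "grep selinuxfs | head -1" picks the wrong line.
sample_mountinfo() {
    cat <<'EOF'
21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
22 21 0:5 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
23 21 0:19 / /sys rw,nosuid,nodev,noexec,relatime shared:3 - sysfs sysfs rw
24 21 8:2 / /srv/selinuxfs-backup rw,relatime shared:5 - ext4 /dev/sda2 rw
25 23 0:20 / /sys/fs/selinux rw,relatime shared:4 - selinuxfs selinuxfs rw
26 21 0:20 / /chroot/sys/fs/selinux rw,relatime shared:6 - selinuxfs selinuxfs rw
EOF
}

# The thread's approach: any line containing "selinuxfs", first match wins.
# $1: mountinfo file ("-" for stdin), default /proc/self/mountinfo.
naive_selinuxfs_mount() {
    grep selinuxfs "${1:-/proc/self/mountinfo}" | head -1 | awk '{ print $5 }'
}

# Same lookup keyed on the fstype field. Optional fields (shared:N, master:N)
# vary in number, so the fstype is the word after the "-" separator rather
# than a fixed column. Prints the first selinuxfs mount point, nothing if none.
selinuxfs_mount() {
    awk '{
        for (i = 7; i <= NF; i++) {
            if ($i == "-") {
                if ($(i + 1) == "selinuxfs") { print $5; exit }
                break
            }
        }
    }' "${1:-/proc/self/mountinfo}"
}

# Print the type field of a context (what "secon -t" prints), e.g.
# system_u:object_r:unlabeled_t:s0 -> unlabeled_t. Fails on empty or
# malformed input instead of printing an empty line.
context_type() {
    case "$1" in
        *:*:*) printf '%s\n' "$1" | cut -d: -f3 ;;
        *) echo "context_type: not a security context: '$1'" >&2; return 1 ;;
    esac
}

# Read an initial SID's context from selinuxfs and reduce it to its type.
# $1: selinuxfs mount point, $2: initial SID name (unlabeled, file, ...).
initial_type() {
    f="$1/initial_contexts/$2"
    [ -r "$f" ] || { echo "initial_type: cannot read $f" >&2; return 1; }
    context_type "$(cat "$f")"
}

# Build the glob that would be passed to find -context. Refuses anything that
# is not a bare type name: an empty value would give "*:*", which matches
# every file, and a following -delete would act on all of them. The type is
# anchored with ":" on both sides, unlike the "*:${TYPE}*" prefix match in
# the patch, so file_t cannot also match a type that merely starts with it.
context_glob() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*)
            echo "context_glob: refusing to build a glob from '$1'" >&2
            return 1 ;;
    esac
    printf '*:%s:*\n' "$1"
}

# Stand-alone demo on the constructed sample; touches nothing on disk.
echo "fstype match: $(sample_mountinfo | selinuxfs_mount -)"
echo "grep match:   $(sample_mountinfo | naive_selinuxfs_mount -)"
```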