Problems with fixfiles and setfiles.

Problems with fixfiles and setfiles.

[Daniel J Walsh]

The fixfiles script is used to report and fix file contexts that are 
invalid, the problem is that it gets a lot of
false positives.  Reviewing fixfiles.cron shows that most of the files 
created by mozilla are reported as invalid.
It would be nice if we could remove these false positives by some means.

If we had some mechanism of saying a file could have one of several 
valid contexts, or be in a context that
has a certain attribute.

Ideas?

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems with fixfiles and setfiles.

[Luke Kenneth Casson Leighton]

On Tue, Sep 28, 2004 at 04:11:09PM -0400, Daniel J Walsh wrote:
> The fixfiles script is used to report and fix file contexts that are 
> invalid, the problem is that it gets a lot of
> false positives.  Reviewing fixfiles.cron shows that most of the files 
> created by mozilla are reported as invalid.
> It would be nice if we could remove these false positives by some means.
> 
> If we had some mechanism of saying a file could have one of several 
> valid contexts, or be in a context that
> has a certain attribute.
> 
> Ideas?
 
 this was... touched upon in a discussion two-ish weeks ago: the
 concept was that of having more than one context for a file,
 with a convenient (but from what i can gather unnecessary)
 123... 4'th parameter on the file_contexts entries.

 the mechanism would, as i understand it, define "additional" contexts
 with the first one being the "default".

 under such circumstances, mozilla could in fact save a file under a
 specific file context according to what was defined _in_ file_contexts
 (with a different 4th parameter being used as the lookup for the
 alternative context)
 
 ... such that then, yes, fixfiles could then go "oh, it's an
 alternative context for the same file".

 l.
 
-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems with fixfiles and setfiles.

[Russell Coker]

On Wed, 29 Sep 2004 06:11, Daniel J Walsh <dwalsh@redhat.com> wrote:
> The fixfiles script is used to report and fix file contexts that are
> invalid, the problem is that it gets a lot of
> false positives.  Reviewing fixfiles.cron shows that most of the files
> created by mozilla are reported as invalid.
> It would be nice if we could remove these false positives by some means.
>
> If we had some mechanism of saying a file could have one of several
> valid contexts, or be in a context that
> has a certain attribute.

For files under the home directory the valid contexts are all the contexts 
that the user in question can create (directly or indirectly).

If the user does "mv .ssh .ssh-old" we don't want .ssh-old relabelled at 
user_home_t.

Maybe we should just have fixfiles skip the home directories?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems with fixfiles and setfiles.

[Daniel J Walsh]

Russell Coker wrote:

>On Wed, 29 Sep 2004 06:11, Daniel J Walsh <dwalsh@redhat.com> wrote:
>  
>
>>The fixfiles script is used to report and fix file contexts that are
>>invalid, the problem is that it gets a lot of
>>false positives.  Reviewing fixfiles.cron shows that most of the files
>>created by mozilla are reported as invalid.
>>It would be nice if we could remove these false positives by some means.
>>
>>If we had some mechanism of saying a file could have one of several
>>valid contexts, or be in a context that
>>has a certain attribute.
>>    
>>
>
>For files under the home directory the valid contexts are all the contexts 
>that the user in question can create (directly or indirectly).
>
>If the user does "mv .ssh .ssh-old" we don't want .ssh-old relabelled at 
>user_home_t.
>
>Maybe we should just have fixfiles skip the home directories?
>
>  
>
Yes I considered that, but fixfiles is just a front end to setfiles,  
which does not have an easy way of skipping home dirs.

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.