* Proposed patch for libselinux
@ 2004-10-21 21:35 Daniel J Walsh
  2004-10-22 12:48 ` Stephen Smalley
  2004-10-22 13:23 ` Proposed patch for libselinux Stephen Smalley
  0 siblings, 2 replies; 22+ messages in thread
From: Daniel J Walsh @ 2004-10-21 21:35 UTC (permalink / raw)
  To: SELinux, wal >> Colin Walters

[-- Attachment #1: Type: text/plain, Size: 724 bytes --]

I would like to add getfileconperm and setfileconperm to libselinux.  
This will set a flag to indicate whether the security context of the
file was set via chcon (Permanently) or via setfiles/restorecon.  If 
this patch is approved, I have patches to coreutils and policycoreutils
to use them.

chcon will always set the permanent flag.

restorecon and setfiles will skip files that carry the permanent flag, unless
the -F flag is passed, which forces them to relabel those files and clear
the flag.

An example of where a sysadmin would want this is HTML pages that were relabelled by hand with chcon.

What do you think?

Downsides:
It will cause restorecon and setfiles to run a little slower.
It is not atomic (the context and the flag are two separate xattr writes), so 
chcon could set the file context and then fail to set the permanent flag; the 
file would keep its custom context but be silently relabelled by the next 
restorecon/setfiles run.

Dan

[-- Attachment #2: libselinux-rhat.patch --]
[-- Type: text/x-patch, Size: 5207 bytes --]

diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.17.15/include/selinux/selinux.h
--- nsalibselinux/include/selinux/selinux.h	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/include/selinux/selinux.h	2004-10-21 16:28:18.194233008 -0400
@@ -62,6 +62,13 @@
 extern int setfilecon(const char *path, security_context_t con);
 extern int lsetfilecon(const char *path, security_context_t con);
 extern int fsetfilecon(int fd, security_context_t con);
+/* setfileconperm marks a file context as permanent.  IE. a default setfiles 
+   will not relabel it.
+*/
+extern int setfileconperm(const char *path, int perm);
+extern int lsetfileconperm(const char *path, int perm);
+extern int getfileconperm(const char *path, int *perm);
+extern int lgetfileconperm(const char *path, int *perm);
 
 
 /* Wrappers for the socket API */
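Review bot: The new prototypes do not state the contract of getfileconperm/lgetfileconperm: they hand back getxattr()'s result, so a file that simply has no attribute yields -1 with errno ENODATA, and only the `*perm = 0` preset in the implementation tells a caller that ignores the return value "unset" from "error". A reader of the header cannot tell whether ENODATA is a failure, and the utils/getfileconperm tool in this same patch treats it as one. I would document it above the prototypes: `/* getfileconperm: *perm is set to 0 when the attribute is absent; returns getxattr()'s value, i.e. -1 with errno == ENODATA for an unmarked file, so callers must special-case that errno. */`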
diff --exclude-from=exclude -N -u -r nsalibselinux/src/getfilecon.c libselinux-1.17.15/src/getfilecon.c
--- nsalibselinux/src/getfilecon.c	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/getfilecon.c	2004-10-20 16:35:52.000000000 -0400
@@ -4,7 +4,7 @@
 #include <selinux/selinux.h>
 #include <stdlib.h>
 #include <errno.h>
-#include <sys/xattr.h>
+#include <attr/xattr.h>
 #include "policy.h"
 
 int getfilecon(const char *path, security_context_t *context)
@@ -43,3 +43,9 @@
 		*context = buf;
 	return ret;
 }
+
+int getfileconperm(const char *path, int *perm)
+{
+	*perm=0;
+	return getxattr(path, XATTR_NAME_SELINUX_PERM, perm, sizeof(*perm));
+}
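Review bot: getfileconperm returns getxattr()'s raw result, so the common case of a file that has never been marked comes back as -1/ENODATA and looks like a failure to any caller checking `rc < 0` (the utils/getfileconperm tool in this patch exits 2 on it). The absent-attribute case should be folded into a 0 return, and since the value is only ever used as a flag the byte count on success is meaningless and can be normalised as well; callers that test `rc < 0` are unaffected. On any other error *perm stays 0, i.e. an unreadable attribute reads as "not marked", which fails towards relabelling — acceptable, but worth a comment.
```c
int getfileconperm(const char *path, int *perm)
{
	int rc;

	*perm = 0;	/* absent or unreadable attribute reads as "not marked" */
	rc = getxattr(path, XATTR_NAME_SELINUX_PERM, perm, sizeof(*perm));
	if (rc < 0 && errno == ENODATA)
		return 0;	/* no attribute: not marked, not an error */
	return rc < 0 ? -1 : 0;
}
```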
diff --exclude-from=exclude -N -u -r nsalibselinux/src/lgetfilecon.c libselinux-1.17.15/src/lgetfilecon.c
--- nsalibselinux/src/lgetfilecon.c	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/lgetfilecon.c	2004-10-20 16:29:56.000000000 -0400
@@ -4,7 +4,7 @@
 #include <selinux/selinux.h>
 #include <stdlib.h>
 #include <errno.h>
-#include <sys/xattr.h>
+#include <attr/xattr.h>
 #include "policy.h"
 
 int lgetfilecon(const char *path, security_context_t *context)
@@ -43,3 +43,8 @@
 		*context = buf;
 	return ret;
 }
+int lgetfileconperm(const char *path, int *perm)
+{
+	*perm=0;
+	return lgetxattr(path, XATTR_NAME_SELINUX_PERM, perm, sizeof(*perm));
+}
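Review bot: lgetfileconperm has the same return-contract problem as its getfilecon.c twin: an unmarked file yields -1 with errno ENODATA, so callers that test `rc < 0` (restorecon and setfiles ignore the return entirely and rely on the `*perm=0` preset) cannot distinguish "no attribute" from a real error. Fold that case into a success return, e.g. after the lgetxattr call: `if (rc < 0 && errno == ENODATA) return 0;` followed by `return rc < 0 ? -1 : 0;`. A blank line before the function would also match the layout used in getfilecon.c.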
diff --exclude-from=exclude -N -u -r nsalibselinux/src/lsetfilecon.c libselinux-1.17.15/src/lsetfilecon.c
--- nsalibselinux/src/lsetfilecon.c	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/lsetfilecon.c	2004-10-21 16:49:41.127197552 -0400
@@ -11,3 +11,7 @@
 {
 	return lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context)+1, 0);
 }
+int lsetfileconperm(const char *path, int perm)
+{
+	return setxattr(path, XATTR_NAME_SELINUX_PERM, &perm, sizeof(perm), 0);
+}
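Review bot: lsetfileconperm calls setxattr(), not lsetxattr(), so unlike lsetfilecon() directly above it it follows symlinks and writes the flag onto the link's target. restorecon and setfiles in this patch call lsetfileconperm(..., 0) while walking a tree, so a symlink placed in a relabelled directory would clear the mark on whatever file the link points to rather than on the link itself — the l-variant exists precisely to avoid that. The fix is `return lsetxattr(path, XATTR_NAME_SELINUX_PERM, &perm, sizeof(perm), 0);`.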
diff --exclude-from=exclude -N -u -r nsalibselinux/src/policy.h libselinux-1.17.15/src/policy.h
--- nsalibselinux/src/policy.h	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/policy.h	2004-10-20 14:23:35.000000000 -0400
@@ -5,6 +5,7 @@
 
 /* xattr name for SELinux attributes. */
 #define XATTR_NAME_SELINUX "security.selinux"
+#define XATTR_NAME_SELINUX_PERM "security.selinux.perm"
 
 /* Initial length guess for getting contexts. */
 #define INITCONTEXTLEN 255
diff --exclude-from=exclude -N -u -r nsalibselinux/src/setfilecon.c libselinux-1.17.15/src/setfilecon.c
--- nsalibselinux/src/setfilecon.c	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/setfilecon.c	2004-10-21 16:49:31.985587288 -0400
@@ -11,3 +11,7 @@
 {
 	return setxattr(path, XATTR_NAME_SELINUX, context, strlen(context)+1, 0);
 }
+int setfileconperm(const char *path, int perm)
+{
+	return setxattr(path, XATTR_NAME_SELINUX_PERM, &perm, sizeof(perm), 0);
+}
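Review bot: setfileconperm(path, 0) stores a four-byte zero in security.selinux.perm instead of removing the attribute, so "not permanent" gets two on-disk encodings (absent and 0) and every file touched by a forced relabel keeps a stale xattr. The callers in this patch only pass 0 to undo a mark, so clearing could remove the attribute and keep the absent-attribute fast path for the common case: `if (!perm) { int rc = removexattr(path, XATTR_NAME_SELINUX_PERM); return (rc < 0 && errno != ENODATA) ? rc : 0; }` ahead of the setxattr, which needs `<errno.h>` in this file.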
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/getfileconperm.c libselinux-1.17.15/utils/getfileconperm.c
--- nsalibselinux/utils/getfileconperm.c	1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.17.15/utils/getfileconperm.c	2004-10-20 16:25:47.000000000 -0400
@@ -0,0 +1,24 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <selinux/selinux.h>
+
+int main(int argc, char **argv) 
+{
+	int rc, i;
+	int perm;
+	if (argc < 2) {
+		fprintf(stderr, "usage:  %s path...\n", argv[0]);
+		exit(1);
+	}
+
+	for (i = 1; i < argc; i++) {
+		rc = getfileconperm(argv[i], &perm);
+		if (rc < 0) {
+			fprintf(stderr, "%s:  getfileconperm(%s) failed\n", argv[0], argv[i]);
+			exit(2);
+		}
+		printf("%s\t%d\n", argv[i], perm);
+	}
+	exit(0);
+}
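Review bot: The error check treats every negative return as a failure, but getfileconperm returns -1 with errno ENODATA for any file that has never been marked, so running this tool on an ordinary file prints "failed" and exits 2 instead of reporting 0. The check should be `if (rc < 0 && errno != ENODATA) {` and, for consistency with the setfileconperm tool in this patch, the message should include `strerror(errno)`, which means adding `<errno.h>` and `<string.h>` here as that tool already does. With that, the unmarked case falls through to the printf and reports the preset 0.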
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/setfileconperm.c libselinux-1.17.15/utils/setfileconperm.c
--- nsalibselinux/utils/setfileconperm.c	1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.17.15/utils/setfileconperm.c	2004-10-21 16:50:46.098320440 -0400
@@ -0,0 +1,25 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <selinux/selinux.h>
+#include <errno.h>
+#include <string.h>
+
+int main(int argc, char **argv) 
+{
+	int rc, i;
+
+	if (argc < 2) {
+		fprintf(stderr, "usage:  %s path...\n", argv[0]);
+		exit(1);
+	}
+
+	for (i = 1; i < argc; i++) {
+		rc = setfileconperm(argv[i],1);
+		if (rc < 0) {
+			fprintf(stderr, "%s:  setfileconperm(%s) failed: %s\n", argv[0], argv[i],strerror(errno));
+			exit(2);
+		}
+	}
+	exit(0);
+}
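Review bot: The mark value is hard-coded in `setfileconperm(argv[i],1)`, so this tool can only set the flag; the library accepts 0 to clear it but nothing on the command line exposes that, leaving `restorecon -F`/`setfiles -F` (which also relabel) as the only way to unmark a file. A small option, e.g. `-c` setting the value to 0, would make the tool symmetric with the API. Note also that setfileconperm follows symlinks, so passing a link here marks its target, which may or may not be what the operator expects.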

[-- Attachment #3: policycoreutils-rhat.patch --]
[-- Type: text/x-patch, Size: 10248 bytes --]

Binary files nsapolicycoreutils/restorecon/restorecon and policycoreutils-1.17.6/restorecon/restorecon differ
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.17.6/restorecon/restorecon.c
--- nsapolicycoreutils/restorecon/restorecon.c	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/restorecon/restorecon.c	2004-10-21 17:11:08.741450432 -0400
@@ -8,11 +8,14 @@
  * to match the specification returned by matchpathcon.
  *
  * USAGE:
- * restorecon [-Rnv] pathname...
+ * restorecon [-FRnv] [-f inputfile ] [ -o outputfile ] pathname...
  * 
+ * -R	recurse
  * -n	Do not change any file labels.
  * -v	Show changes in file labels.  
- * -o filename save list of files with incorrect context
+ * -o	filename save list of files with incorrect context
+ * -F	Restorecon files that have permanant changes
+ * -f	filename to read from for changing filecontext
  *
  * pathname...	The file(s) to label 
  *
@@ -42,11 +45,12 @@
 static char *progname;
 static int errors=0;
 static int recurse;
+static int force=0;
 
 void usage(const char * const name)
 {	
   fprintf(stderr,
-	  "usage:  %s [-Rnv] [-f filename | pathname... ]\n",  name);
+	  "usage:  %s [-FRnv] [-f filename | pathname... ]\n",  name);
   exit(1);
 }
 int restore(char *filename) {
@@ -54,6 +58,7 @@
   int retval=0;
   security_context_t scontext;
   security_context_t prev_context;
+  int perm=0;
   int len=strlen(filename);
   struct stat st;
   char path[PATH_MAX+1];
@@ -109,14 +114,25 @@
     return 0;
   }
   retcontext=lgetfilecon(filename,&prev_context);
-  
+   
   if (retcontext >= 0 || errno == ENODATA) {
     if (retcontext < 0 || strcmp(prev_context,scontext) != 0) {
-      if (outfile) {
-	fprintf(outfile, "%s\n", filename);
-      }
+      lgetfileconperm(filename, &perm);
+      if (outfile  && (!perm || force))
+	    fprintf(outfile, "%s\n", filename);
       if (change) {
-	retval=lsetfilecon(filename,scontext);
+	if (perm) {
+		if (force) {
+			lsetfileconperm(filename, 0);
+			retval=lsetfilecon(filename,scontext);
+		} else {
+			if (verbose)
+				fprintf(stderr,"%s did not reset context for %s, marked permanent\n",
+					progname, filename);
+		}
+	} else {
+		retval=lsetfilecon(filename,scontext);
+	}
       }
       if (retval<0) {
 	  fprintf(stderr,"%s set context %s->%s failed:'%s'\n",
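Review bot: In the force branch the permanent mark is cleared before lsetfilecon() runs, and lsetfileconperm's return value is dropped; if the relabel then fails the file is left with its customized context but no mark, so the next non-forced run relabels it silently — the opposite of what the mark is for. Relabel first and only clear on success: `retval=lsetfilecon(filename,scontext);` followed by `if (retval == 0 && lsetfileconperm(filename, 0) < 0) retval = -1;`, which lets the existing failure message below report the errno of whichever call failed. The return of `lgetfileconperm(filename, &perm)` is also ignored, relying on the callee presetting perm to 0. restore() continues outside the hunk.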
@@ -126,7 +142,7 @@
 	  freecon(scontext);
 	  return 1;
       } else 	
-	if (verbose)
+	if (verbose && (!perm || force))
 	  fprintf(stderr,"%s reset context %s->%s\n",
 		  progname, filename, scontext);
     } 
@@ -179,7 +195,7 @@
 
   memset(buf,0, sizeof(buf));
 
-  while ((opt = getopt(argc, argv, "Rnvf:o:")) > 0) {
+  while ((opt = getopt(argc, argv, "FRnvf:o:")) > 0) {
     switch (opt) {
     case 'n':
       change = 0;
@@ -187,6 +203,9 @@
     case 'R':
       recurse = 1;
       break;
+    case 'F':
+      force = 1;
+      break;
     case 'o':
       outfile = fopen(optarg,"w");
       if (!outfile) {
Binary files nsapolicycoreutils/restorecon/restorecon.o and policycoreutils-1.17.6/restorecon/restorecon.o differ
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.17.6/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/scripts/fixfiles	2004-10-18 15:35:41.000000000 -0400
@@ -31,6 +31,8 @@
 outfileFlag=0
 OUTFILES=""
 logfileFlag=0
+LOGFILE=/dev/null
+SYSLOGFLAG="-l"
 SETFILES=/usr/sbin/setfiles
 FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(rw/{print $3}';`
 FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(ro/{print $3}';`
@@ -44,50 +46,54 @@
     FC=/etc/security/selinux/file_contexts
 fi
 
+logit () {
+if [ $logfileFlag = 0 ]; then
+    logger -i $1
+else
+    echo $1 >> $LOGFILE
+fi
+}
 checkLabels () {
-echo "logging to $LOGFILE"
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 > $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 >> $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
-        echo "Warning: Skipping the following R/O filesystems:"
-        echo "$FILESYSTEMSRO"
+        logit "Warning: Skipping the following R/O filesystems:"
+        logit "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -n -v ${FC} ${FILESYSTEMSRW} 2>&1 > $LOGFILE
+    ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -n -v ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
 fi
 }
 
 restoreLabels () {
-echo "logging to $LOGFILE"
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 > $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 >> $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
-        echo "Warning: Skipping the following R/O filesystems:"
-        echo "$FILESYSTEMSRO"
+        logit "Warning: Skipping the following R/O filesystems:"
+        logit "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 > $LOGFILE
+    ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -v ${FC} ${FILESYSTEMS} 2>&1 >> $LOGFILE
 fi
 }
 
 relabel() {
-echo "logging to $LOGFILE"
-echo "Cleaning out /tmp"
+logit "Cleaning out /tmp"
 rm -rf /tmp/.??* /tmp/*
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 > $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 >> $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
-        echo "Warning: Skipping the following R/O filesystems:"
-        echo "$FILESYSTEMSRO"
+        logit "Warning: Skipping the following R/O filesystems:"
+        logit "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 > $LOGFILE
+    ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -v ${FC} ${FILESYSTEMS} 2>&1 >> $LOGFILE
 fi
 }
 relabelCheck() {
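Review bot: `2>&1 >> $LOGFILE` on each restorecon/setfiles line sends stderr to the script's stdout and only stdout to the log, but restorecon -v prints its changes and its "marked permanent" skips on stderr (see restorecon.c in this patch), so the log file receives little and that output lands in the caller's terminal or cron mail. These lines were only flipped from > to >> here, but since they are being touched the order should become `>> "$LOGFILE" 2>&1`. logit's `logger -i $1` and `echo $1 >> $LOGFILE` should also quote `"$1"`: $FILESYSTEMSRO is a multi-line list and unquoted expansion word-splits it.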
@@ -129,6 +135,8 @@
 fi
 if [ $logfileFlag = 2 ]; then
     LOGFILE="$i"
+    echo > $LOGFILE
+    SYSLOGFLAG=""
     logfileFlag=1
     continue
 fi
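Review bot: `echo > $LOGFILE` truncates the user-supplied log but also writes a blank first line into it, and unlike the mktemp block this patch removes further down it never checks that the path is writable, so a bad -l argument is only noticed when every later `>>` fails. Use `: > "$LOGFILE" || exit 1` instead, which truncates cleanly and aborts up front.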
@@ -165,13 +173,6 @@
     exit 1
 fi
 
-if [ $logfileFlag = 0 ]; then
-    LOGFILE=`mktemp /var/tmp/fixfiles.log.XXXXXXXXXX`
-    if [ ! -w $LOGFILE ] ; then
-	exit 1
-    fi
-fi
-
 if [ $checkFlag = 1 ]; then
     checkLabels $rpmFiles
 fi
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles.cron policycoreutils-1.17.6/scripts/fixfiles.cron
--- nsapolicycoreutils/scripts/fixfiles.cron	2004-09-10 11:25:57.000000000 -0400
+++ policycoreutils-1.17.6/scripts/fixfiles.cron	2004-10-18 15:35:41.000000000 -0400
@@ -21,7 +21,8 @@
 	    mail ${CRONMAILTO} -s "Invalid File Contexts" < $OUTFILE
 	    rm -f $OUTFILE
 	else
-	    mail ${CRONMAILTO} -s "Invalid File Contexts listed in $OUTFILE" < /dev/null
+	    MESSAGE="Invalid File Contexts listed in $OUTFILE"
+	    mail ${CRONMAILTO} -s "Invalid File Contexts" <<< $MESSAGE
 	fi
     else
 	rm -f $OUTFILE
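Review bot: `<<< $MESSAGE` is a bash here-string, not POSIX sh, and the expansion is unquoted; the script's interpreter line is not visible here, so if fixfiles.cron runs under /bin/sh this line is a syntax error and the notification is never sent. `echo "$MESSAGE" | mail ${CRONMAILTO} -s "Invalid File Contexts"` is portable and behaves the same.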
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-1.17.6/scripts/Makefile
--- nsapolicycoreutils/scripts/Makefile	2004-09-10 11:25:57.000000000 -0400
+++ policycoreutils-1.17.6/scripts/Makefile	2004-10-18 15:35:41.000000000 -0400
@@ -12,7 +12,7 @@
 	-mkdir -p $(BINDIR)
 	install -m 755 $(TARGETS) $(BINDIR)
 	install -m 755 fixfiles $(DESTDIR)/sbin
-	install -D -m 755 fixfiles.cron $(DESTDIR)/etc/cron.daily/fixfiles.cron
+	install -D -m 755 fixfiles.cron $(DESTDIR)/etc/cron.weekly/fixfiles.cron
 	-mkdir -p $(MANDIR)/man8
 	install -m 644 fixfiles.8.gz $(MANDIR)/man8/
 
Binary files nsapolicycoreutils/setfiles/setfiles and policycoreutils-1.17.6/setfiles/setfiles differ
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-1.17.6/setfiles/setfiles.c
--- nsapolicycoreutils/setfiles/setfiles.c	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/setfiles/setfiles.c	2004-10-21 17:17:30.557405584 -0400
@@ -24,6 +24,7 @@
  * -s   Use stdin for a list of files instead of searching a partition.
  * -v	Show changes in file labels.  
  * -W   Warn about entries that have no matching file.
+ * -F	set file context even those that have permanant changes
  * -o filename write out file names with wrong context.
  *
  * spec_file	The specification file.
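Review bot: The new -F usage line misspells "permanent" and does not say that the mark is cleared afterwards, which the relabel path in this patch does: `-F set file context even those that have permanant changes` should read `-F Relabel files even if their context is marked permanent, and clear the mark`.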
@@ -96,6 +97,7 @@
 static int use_stdin = 0;
 static int verbose = 0;
 static int log = 0;
+static int force = 1;
 static int warn_no_match = 0;
 static char *rootpath = NULL;
 static int rootpathlen = 0;
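Review bot: `static int force = 1;` makes the new -F option a no-op and turns the default into "always override the permanent mark", the opposite of the cover message ("restorecon and setfiles will ignore permanent files, unless the -F flag is passed") and of restorecon.c in the same patch, which initializes force to 0. Every `(!perm || force)` gate and the `perm && !force` early return added below then ignore the mark entirely. This should be `static int force = 0;`.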
@@ -603,6 +605,7 @@
 	struct stat my_sb;
 	int i, ret;
 	char *context; 
+	int perm=0;
 
 	/* Skip the extra slash at the beginning, if present. */
 	if (file[0] == '/' && file[1] == '/')
@@ -675,7 +678,8 @@
 		return 0;
 	}
 
-	if (verbose) {
+	lgetfileconperm(my_file, &perm);
+	if (verbose && (!perm || force)) {
 		/* If we're just doing "-v", trim out any relabels where
 		 * the user has changed but the role and type are the
 		 * same.  For "-vv", emit everything. */
@@ -686,13 +690,13 @@
 		}
 	}
 
-	if (log &&
+	if (log && (!perm || force) &&
 	    !only_changed_user(context, spec_arr[i].context)) {
 		syslog(LOG_INFO, "relabeling %s from %s to %s\n", 
 		       my_file, context, spec_arr[i].context);
 	}
 
-	if (outfile &&
+	if (outfile && (!perm || force) &&
 	    !only_changed_user(context, spec_arr[i].context)) 
 		fprintf(outfile, "%s\n", my_file);
 
@@ -701,7 +705,7 @@
 	/*
 	 * Do not relabel the file if -n was used.
 	 */
-	if (!change)
+	if (!change || (perm && !force))
 		return 0;
 
 	/*
@@ -714,6 +718,7 @@
 			progname, my_file, spec_arr[i].context);
 		return 0;
 	}
+	lsetfileconperm(my_file, 0);
 
 	return 0;
 }
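Review bot: `lsetfileconperm(my_file, 0);` runs for every file that was just relabelled, not only those that carried the mark, so each relabel now costs an extra xattr write even on files that never had the attribute, and the return value is dropped. This point is only reached for a marked file when force is set (the `perm && !force` check earlier in the function returns first), so guard and report it: `if (perm && lsetfileconperm(my_file, 0) < 0) fprintf(stderr, "%s: unable to clear permanent mark on %s\n", progname, my_file);`. The enclosing function starts outside the hunk.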
@@ -775,7 +780,7 @@
 	memset(excludeArray,0, sizeof(excludeArray));
 
 	/* Process any options. */
-	while ((opt = getopt(argc, argv, "c:dlnqrsvWe:o:")) > 0) {
+	while ((opt = getopt(argc, argv, "Fc:dlnqrsvWe:o:")) > 0) {
 		switch (opt) {
 		case 'c':
 		{
@@ -837,6 +842,9 @@
 		case 'l':
 			log = 1;
 			break;
+		case 'F':
+			force = 1;
+			break;
 		case 'n':
 			change = 0;
 			break;
Binary files nsapolicycoreutils/setfiles/setfiles.o and policycoreutils-1.17.6/setfiles/setfiles.o differ


* Re: Proposed patch for libselinux
  2004-10-21 21:35 Proposed patch for libselinux Daniel J Walsh
@ 2004-10-22 12:48 ` Stephen Smalley
  2004-10-22 13:22   ` Daniel J Walsh
                     ` (2 more replies)
  2004-10-22 13:23 ` Proposed patch for libselinux Stephen Smalley
  1 sibling, 3 replies; 22+ messages in thread
From: Stephen Smalley @ 2004-10-22 12:48 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux, Colin Walters

On Thu, 2004-10-21 at 17:35, Daniel J Walsh wrote:
> diff --exclude-from=exclude -N -u -r nsalibselinux/src/getfilecon.c libselinux-1.17.15/src/getfilecon.c
> --- nsalibselinux/src/getfilecon.c	2004-10-20 16:31:36.000000000 -0400
> +++ libselinux-1.17.15/src/getfilecon.c	2004-10-20 16:35:52.000000000 -0400
> @@ -4,7 +4,7 @@
>  #include <selinux/selinux.h>
>  #include <stdlib.h>
>  #include <errno.h>
> -#include <sys/xattr.h>
> +#include <attr/xattr.h>
>  #include "policy.h"

This is wrong; glibc directly provides [gs]etxattr for all modern glibc
versions built against modern kernel headers; you don't need to use
libattr.  We originally used attr/xattr.h and then migrated a long time
ago.

> +int getfileconperm(const char *path, int *perm)
> +{
> +	*perm=0;
> +	return getxattr(path, XATTR_NAME_SELINUX_PERM, perm, sizeof(*perm));
> +}

Directly storing an integer in the xattr?  Endianness issues; you need
to convert to a particular ordering before setting and convert back when
getting.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch for libselinux
  2004-10-22 12:48 ` Stephen Smalley
@ 2004-10-22 13:22   ` Daniel J Walsh
  2004-10-22 13:44     ` Stephen Smalley
  2004-10-22 15:56   ` Luke Kenneth Casson Leighton
  2004-10-29 23:28   ` Proposed patch for libselinux -- xdr ??? Nifty Hat Mitch
  2 siblings, 1 reply; 22+ messages in thread
From: Daniel J Walsh @ 2004-10-22 13:22 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux, Colin Walters

Stephen Smalley wrote:

>On Thu, 2004-10-21 at 17:35, Daniel J Walsh wrote:
>  
>
>>diff --exclude-from=exclude -N -u -r nsalibselinux/src/getfilecon.c libselinux-1.17.15/src/getfilecon.c
>>--- nsalibselinux/src/getfilecon.c	2004-10-20 16:31:36.000000000 -0400
>>+++ libselinux-1.17.15/src/getfilecon.c	2004-10-20 16:35:52.000000000 -0400
>>@@ -4,7 +4,7 @@
>> #include <selinux/selinux.h>
>> #include <stdlib.h>
>> #include <errno.h>
>>-#include <sys/xattr.h>
>>+#include <attr/xattr.h>
>> #include "policy.h"
>>    
>>
>
>This is wrong; glibc directly provides [gs]etxattr for all modern glibc
>versions built against modern kernel headers; you don't need to use
>libattr.  We originally used attr/xattr.h and then migrated a long time
>ago.
>
>  
>
I originally did this because the man page said to.  I was also looking 
at using ENOATTR in a previous attempt at this patch; it is described in 
the man page but only defined in attr/xattr.h, not sys/xattr.h.  So I have 
no problem removing the change.

>>+int getfileconperm(const char *path, int *perm)
>>+{
>>+	*perm=0;
>>+	return getxattr(path, XATTR_NAME_SELINUX_PERM, perm, sizeof(*perm));
>>+}
>>    
>>
>
>Directly storing an integer in the xattr?  Endianness issues; you need
>to convert to a particular ordering before setting and convert back when
>getting.
>
>  
>
I was looking at this as more of a TRUE/FALSE proposition.  So maybe 
changing it to
three functions

setfileconperm(path)
isfileconperm(path)
clearfileconperm(path)

How about that?

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch for libselinux
  2004-10-21 21:35 Proposed patch for libselinux Daniel J Walsh
  2004-10-22 12:48 ` Stephen Smalley
@ 2004-10-22 13:23 ` Stephen Smalley
  2004-10-22 13:45   ` Daniel J Walsh
  1 sibling, 1 reply; 22+ messages in thread
From: Stephen Smalley @ 2004-10-22 13:23 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux, wal >> Colin Walters

On Thu, 2004-10-21 at 17:35, Daniel J Walsh wrote:
> I would like to add getfileconperm and setfileconperm to libselinux.  
> This will set a flag to indicate whether the security context of the
> file was set via chcon (Permanently) or via setfiles/restorecon.  If 
> this patch is approved, I have patches to coreutils and policycoreutils
> to use them.

"perm" suggests "permission" to me, not "permanent".  Also, I'm not sure
that "permanent" conveys the right sense; Colin's earlier suggestion of
"customized" made more sense to me.

Obviously, a kernel change is required here as well, as any other
attribute in the security namespace should presently be restricted to
CAP_SYS_ADMIN.  The setxattr hook would need to check for this new
attribute and apply a different check if you want non-root users to be
able to do this, and we likely need a new permission for it then. 
Right?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch for libselinux
  2004-10-22 13:22   ` Daniel J Walsh
@ 2004-10-22 13:44     ` Stephen Smalley
  2004-10-22 14:22       ` Daniel J Walsh
  0 siblings, 1 reply; 22+ messages in thread
From: Stephen Smalley @ 2004-10-22 13:44 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux, Colin Walters

On Fri, 2004-10-22 at 09:22, Daniel J Walsh wrote:
> I originally did this because the man page said to.  I also was looking 
> using ENOATTR in a previous
> attempt at this patch, described in the man page but only defined in 
> attr/xattr, not sys/xattr.  So  I have no problem
> removing the change.

Ok, the man page is out of date.  ENOATTR doesn't exist anyway as a
separate error code; the kernel returns ENODATA.

> I was looking at this as more of a TRUE/FALSE proposition.  So maybe 
> changing it to
> three functions
> 
> setfileconperm(path)
> isfileconperm(path)
> clearfileconperm(path)

Possibly, with "fileconperm" replaced by "customcon" or similar, but
don't you still want the stored "true" value to be consistent regardless
of local cpu endianness?  You could setxattr on a single byte I suppose
to avoid the issue entirely.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch for libselinux
  2004-10-22 13:23 ` Proposed patch for libselinux Stephen Smalley
@ 2004-10-22 13:45   ` Daniel J Walsh
  2004-10-22 14:15     ` Stephen Smalley
  0 siblings, 1 reply; 22+ messages in thread
From: Daniel J Walsh @ 2004-10-22 13:45 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux, Colin Walters

Stephen Smalley wrote:

>On Thu, 2004-10-21 at 17:35, Daniel J Walsh wrote:
>  
>
>>I would like to add getfileconperm and setfileconperm to libselinux.  
>>This will set a flag to indicate whether the security context of the
>>file was set via chcon (Permanently) or via setfiles/restorecon.  If 
>>this patch is approved, I have patches to coreutils and policycoreutils
>>to use them.
>>    
>>
>
>"perm" suggests "permission" to me, not "permanent".  Also, I'm not sure
>that "permanent" conveys the right sense; Colin's earlier suggestion of
>"customized" made more sense to me.
>
>Obviously, a kernel change is required here as well, as any other
>attribute in the security namespace should presently be restricted to
>CAP_SYS_ADMIN.  The setxattr hook would need to check for this new
>attribute and apply a different check if you want non-root users to be
>able to do this, and we likely need a new permission for it then. 
>Right?
>
>  
>
Why is this not covered by the current checks of setting file context.  
I don't think this is a special case.
If a domain can setfilecon, they should be able to set it permanently
setfileconfixed?
setfileconpermanent?
lockfilecon?
customizefilecon?

I don't  care what we call it.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch for libselinux
  2004-10-22 13:45   ` Daniel J Walsh
@ 2004-10-22 14:15     ` Stephen Smalley
  2004-10-22 14:24       ` Daniel J Walsh
  0 siblings, 1 reply; 22+ messages in thread
From: Stephen Smalley @ 2004-10-22 14:15 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux, Colin Walters

On Fri, 2004-10-22 at 09:45, Daniel J Walsh wrote:
> Why is this not covered by the current checks of setting file context.  
> I don't think this is a special case.
> If a domain can setfilecon, they should be able to set it permanently

Debatable.  Today, a domain may be able to relabel files, but an
explicit relabel of the filesystem will always override those settings,
which may be exactly what you want if you are doing a major policy
upgrade.  In general, one shouldn't be running setfiles on a system
after installation except for major policy upgrades anyway.  Allowing a
domain to opt-out of subsequent relabels by default is new
functionality; I think it requires a separate permission from
relabelfrom.

> setfileconfixed?
> setfileconpermanent?
> lockfilecon?
> customizefilecon?
> 
> I don't  care what we call it.

Do we think it possible that we may support other flags related to file
contexts in the future?  If so, then perhaps this should be a general
flags field associated with the file context with a
setfileconflags(path, flags), getfileconflags(path, flags) API and a
single flag defined initially for marking the context as explicitly
customized.  

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch for libselinux
  2004-10-22 13:44     ` Stephen Smalley
@ 2004-10-22 14:22       ` Daniel J Walsh
  0 siblings, 0 replies; 22+ messages in thread
From: Daniel J Walsh @ 2004-10-22 14:22 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux, Colin Walters

Stephen Smalley wrote:

>On Fri, 2004-10-22 at 09:22, Daniel J Walsh wrote:
>  
>
>>I originally did this because the man page said to.  I also was looking 
>>using ENOATTR in a previous
>>attempt at this patch, described in the man page but only defined in 
>>attr/xattr, not sys/xattr.  So  I have no problem
>>removing the change.
>>    
>>
>
>Ok, the man page is out of date.  ENOATTR doesn't exist anyway as a
>separate error code; the kernel returns ENODATA.
>
>  
>
>>I was looking at this as more of a TRUE/FALSE proposition.  So maybe 
>>changing it to
>>three functions
>>
>>setfileconperm(path)
>>isfileconperm(path)
>>clearfileconperm(path)
>>    
>>
>
>Possibly, with "fileconperm" replaced by "customcon" or similar, but
>don't you still want the stored "true" value to be consistent regardless
>of local cpu endianness?  You could setxattr on a single byte I suppose
>to avoid the issue entirely.
>
>  
>
Fine, single byte seems like a good idea.

so
setcustomcon(path)
lsetcustomcon(path)
Return < 0 on error, 0 on success
getcustomcon(path)
lgetcustomcon(path)
returns <0 on error, 0 means not customcon, >0 means customcon
clearcustompath(path)
lclearcustompath(path)
Return <0 on error, 0 on success



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch for libselinux
  2004-10-22 14:15     ` Stephen Smalley
@ 2004-10-22 14:24       ` Daniel J Walsh
  2004-10-22 14:30         ` Stephen Smalley
  0 siblings, 1 reply; 22+ messages in thread
From: Daniel J Walsh @ 2004-10-22 14:24 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux, Colin Walters

Stephen Smalley wrote:

>On Fri, 2004-10-22 at 09:45, Daniel J Walsh wrote:
>  
>
>>Why is this not covered by the current checks of setting file context.  
>>I don't think this is a special case.
>>If a domain can setfilecon, they should be able to set it permanently
>>    
>>
>
>Debatable.  Today, a domain may be able to relabel files, but an
>explicit relabel of the filesystem will always override those settings,
>which may be exactly what you want if you are doing a major policy
>upgrade.  In general, one shouldn't be running setfiles on a system
>after installation except for major policy upgrades anyway.  Allowing a
>domain to opt-out of subsequent relabels by default is new
>functionality; I think it requires a separate permission from
>relabelfrom.
>
>  
>
>>setfileconfixed?
>>setfileconpermanent?
>>lockfilecon?
>>customizefilecon?
>>
>>I don't  care what we call it.
>>    
>>
>
>Do we think it possible that we may support other flags related to file
>contexts in the future?  If so, then perhaps this should be a general
>flags field associated with the file context with a
>setfileconflags(path, flags), getfileconflags(path, flags) API and a
>single flag defined initially for marking the context as explicitly
>customized.  
>
>  
>
That seems like a good idea.  But are these different flags going to 
require different access controls?

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch for libselinux
  2004-10-22 14:24       ` Daniel J Walsh
@ 2004-10-22 14:30         ` Stephen Smalley
  2004-10-22 18:01           ` Daniel J Walsh
  0 siblings, 1 reply; 22+ messages in thread
From: Stephen Smalley @ 2004-10-22 14:30 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux, Colin Walters

On Fri, 2004-10-22 at 10:24, Daniel J Walsh wrote:
> That seems like a good idea.  But are are these different flags going to 
> require different Access Controls?

We won't know until someone comes up with a second flag ;)
I suppose we would start with a single permission for setting the flags
at all, and then split it if necessary later.  Of course, this takes us
back to the endianness issue; you'll want to convert to a standard
endianness for storage of the flags and convert back upon reading; see
the libsepol code for reading and writing binary policies and note the
use of cpu_to_le32 and le32_to_cpu (defined in src/private.h).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch for libselinux
  2004-10-22 12:48 ` Stephen Smalley
  2004-10-22 13:22   ` Daniel J Walsh
@ 2004-10-22 15:56   ` Luke Kenneth Casson Leighton
  2004-10-22 19:55     ` Daniel J Walsh
  2004-10-22 20:22     ` Daniel J Walsh
  2004-10-29 23:28   ` Proposed patch for libselinux -- xdr ??? Nifty Hat Mitch
  2 siblings, 2 replies; 22+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-10-22 15:56 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, SELinux, Colin Walters

or if it's a boolean (1 or 0) then store a char instead:

	char val;
	int err = getxattr(path, ..., &val, sizeof(val);
	*perm = val;
	return err;

On Fri, Oct 22, 2004 at 08:48:39AM -0400, Stephen Smalley wrote:

> On Thu, 2004-10-21 at 17:35, Daniel J Walsh wrote:
> > diff --exclude-from=exclude -N -u -r nsalibselinux/src/getfilecon.c libselinux-1.17.15/src/getfilecon.c
> > --- nsalibselinux/src/getfilecon.c	2004-10-20 16:31:36.000000000 -0400
> > +++ libselinux-1.17.15/src/getfilecon.c	2004-10-20 16:35:52.000000000 -0400
> > @@ -4,7 +4,7 @@
> >  #include <selinux/selinux.h>
> >  #include <stdlib.h>
> >  #include <errno.h>
> > -#include <sys/xattr.h>
> > +#include <attr/xattr.h>
> >  #include "policy.h"
> 
> This is wrong; glibc directly provides [gs]etxattr for all modern glibc
> versions built against modern kernel headers; you don't need to use
> libattr.  We originally used attr/xattr.h and then migrated a long time
> ago.
> 
> > +int getfileconperm(const char *path, int *perm)
> > +{
> > +	*perm=0;
> > +	return getxattr(path, XATTR_NAME_SELINUX_PERM, perm, sizeof(*perm));
> > +}
> 
> Directly storing an integer in the xattr?  Endianness issues; you need
> to convert to a particular ordering before setting and convert back when
> getting.
> 
> -- 
> Stephen Smalley <sds@epoch.ncsc.mil>
> National Security Agency
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.

-- 
--
you don't have to BE MAD   | this space    | my brother wanted to join mensa,
  to work, but   IT HELPS  |   for rent    | for an ego trip - and get kicked 
 you feel better!  I AM    | can pay cash  | out for a even bigger one.
--

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch for libselinux
  2004-10-22 14:30         ` Stephen Smalley
@ 2004-10-22 18:01           ` Daniel J Walsh
  0 siblings, 0 replies; 22+ messages in thread
From: Daniel J Walsh @ 2004-10-22 18:01 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux, Colin Walters

[-- Attachment #1: Type: text/plain, Size: 86 bytes --]

Rewritten patch to use
setfileflag
getfileflag

Is this closer to what you want?

Dan

[-- Attachment #2: policycoreutils.diff --]
[-- Type: text/x-diff, Size: 12585 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.8 policycoreutils-1.17.6/restorecon/restorecon.8
--- nsapolicycoreutils/restorecon/restorecon.8	2004-10-06 09:47:27.000000000 -0400
+++ policycoreutils-1.17.6/restorecon/restorecon.8	2004-10-22 13:56:06.683115096 -0400
@@ -7,7 +7,7 @@
 .I [\-o outfilename ] [\-R] [\-n] [\-v] pathname...
 .P
 .B restorecon
-.I \-f infilename [\-o outfilename ] [\-R] [\-n] [\-v] 
+.I \-f infilename [\-o outfilename ] [\-F] [\-R] [\-n] [\-v] 
 
 .SH "DESCRIPTION"
 This manual page describes the
@@ -26,6 +26,9 @@
 .B \-f infilename
 infilename contains a list of files to be processed by application. Use \- for stdin.
 .TP 
+.B \-F
+restore file context even if admin customized file context.
+.TP 
 .B \-R
 change files and directories file labels recursively
 .TP 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.17.6/restorecon/restorecon.c
--- nsapolicycoreutils/restorecon/restorecon.c	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/restorecon/restorecon.c	2004-10-22 13:53:13.847390120 -0400
@@ -8,11 +8,14 @@
  * to match the specification returned by matchpathcon.
  *
  * USAGE:
- * restorecon [-Rnv] pathname...
+ * restorecon [-FRnv] [-f inputfile ] [ -o outputfile ] pathname...
  * 
+ * -R	recurse
  * -n	Do not change any file labels.
  * -v	Show changes in file labels.  
- * -o filename save list of files with incorrect context
+ * -o	filename save list of files with incorrect context
+ * -F	Restore file context even if the customize flag is set
+ * -f	filename to read from for changing filecontext
  *
  * pathname...	The file(s) to label 
  *
@@ -42,11 +45,12 @@
 static char *progname;
 static int errors=0;
 static int recurse;
+static int force=0;
 
 void usage(const char * const name)
 {	
   fprintf(stderr,
-	  "usage:  %s [-Rnv] [-f filename | pathname... ]\n",  name);
+	  "usage:  %s [-FRnv] [-f filename | pathname... ]\n",  name);
   exit(1);
 }
 int restore(char *filename) {
@@ -54,6 +58,8 @@
   int retval=0;
   security_context_t scontext;
   security_context_t prev_context;
+  int customized=0;
+  int flag=0;
   int len=strlen(filename);
   struct stat st;
   char path[PATH_MAX+1];
@@ -109,14 +115,27 @@
     return 0;
   }
   retcontext=lgetfilecon(filename,&prev_context);
-  
+   
   if (retcontext >= 0 || errno == ENODATA) {
     if (retcontext < 0 || strcmp(prev_context,scontext) != 0) {
-      if (outfile) {
-	fprintf(outfile, "%s\n", filename);
-      }
+      lgetfileflag(filename, &flag);
+      customized=flag && SELINUX_CUSTOMIZE;
+      if (outfile  && (!customized || force))
+	    fprintf(outfile, "%s\n", filename);
       if (change) {
-	retval=lsetfilecon(filename,scontext);
+	if (customized) {
+		if (force) {
+			retval=lsetfilecon(filename,scontext);
+			if (retval >= 0)
+				lsetfileflag(filename, flag && !SELINUX_CUSTOMIZE);
+		} else {
+			if (verbose)
+				fprintf(stderr,"%s did not reset context for %s, marked flaganent\n",
+					progname, filename);
+		}
+	} else {
+		retval=lsetfilecon(filename,scontext);
+	}
       }
       if (retval<0) {
 	  fprintf(stderr,"%s set context %s->%s failed:'%s'\n",
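Review bot: `customized=flag && SELINUX_CUSTOMIZE;` tests the flags word logically instead of masking the bit, so it can never report the customized state (and with SELINUX_CUSTOMIZE defined as `0 << 1` in the accompanying header it is always 0); the write-back `flag && !SELINUX_CUSTOMIZE` has the same shape and should be `flag & ~SELINUX_CUSTOMIZE`. The return value of lgetfileflag() is discarded, so a failed read is indistinguishable from "not customized" and the file is relabeled regardless, which defeats the protection the flag is meant to give. The verbose message `marked flaganent` is a search-and-replace remnant of "permanent" and should read `marked customized`. The follow-up patch later in this thread switches the first test to `&` (L1733) but keeps the `!` form in the write-back (L1742). restore() begins outside this hunk.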
@@ -126,7 +145,7 @@
 	  freecon(scontext);
 	  return 1;
       } else 	
-	if (verbose)
+	if (verbose && (!customized || force))
 	  fprintf(stderr,"%s reset context %s->%s\n",
 		  progname, filename, scontext);
     } 
@@ -179,7 +198,7 @@
 
   memset(buf,0, sizeof(buf));
 
-  while ((opt = getopt(argc, argv, "Rnvf:o:")) > 0) {
+  while ((opt = getopt(argc, argv, "FRnvf:o:")) > 0) {
     switch (opt) {
     case 'n':
       change = 0;
@@ -187,6 +206,9 @@
     case 'R':
       recurse = 1;
       break;
+    case 'F':
+      force = 1;
+      break;
     case 'o':
       outfile = fopen(optarg,"w");
       if (!outfile) {
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.17.6/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/scripts/fixfiles	2004-10-18 15:35:41.000000000 -0400
@@ -31,6 +31,8 @@
 outfileFlag=0
 OUTFILES=""
 logfileFlag=0
+LOGFILE=/dev/null
+SYSLOGFLAG="-l"
 SETFILES=/usr/sbin/setfiles
 FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(rw/{print $3}';`
 FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(ro/{print $3}';`
@@ -44,50 +46,54 @@
     FC=/etc/security/selinux/file_contexts
 fi
 
+logit () {
+if [ $logfileFlag = 0 ]; then
+    logger -i $1
+else
+    echo $1 >> $LOGFILE
+fi
+}
 checkLabels () {
-echo "logging to $LOGFILE"
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 > $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 >> $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
-        echo "Warning: Skipping the following R/O filesystems:"
-        echo "$FILESYSTEMSRO"
+        logit "Warning: Skipping the following R/O filesystems:"
+        logit "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -n -v ${FC} ${FILESYSTEMSRW} 2>&1 > $LOGFILE
+    ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -n -v ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
 fi
 }
 
 restoreLabels () {
-echo "logging to $LOGFILE"
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 > $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 >> $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
-        echo "Warning: Skipping the following R/O filesystems:"
-        echo "$FILESYSTEMSRO"
+        logit "Warning: Skipping the following R/O filesystems:"
+        logit "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 > $LOGFILE
+    ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -v ${FC} ${FILESYSTEMS} 2>&1 >> $LOGFILE
 fi
 }
 
 relabel() {
-echo "logging to $LOGFILE"
-echo "Cleaning out /tmp"
+logit "Cleaning out /tmp"
 rm -rf /tmp/.??* /tmp/*
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 > $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 >> $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
-        echo "Warning: Skipping the following R/O filesystems:"
-        echo "$FILESYSTEMSRO"
+        logit "Warning: Skipping the following R/O filesystems:"
+        logit "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 > $LOGFILE
+    ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -v ${FC} ${FILESYSTEMS} 2>&1 >> $LOGFILE
 fi
 }
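Review bot: logit() expands `$1` unquoted in both `logger -i $1` and `echo $1 >> $LOGFILE`, so a multi-line message such as `"$FILESYSTEMSRO"` is word-split, glob-expanded and flattened onto one line, and a message starting with `-` is parsed by logger as an option; use `logger -i -- "$1"` and `printf '%s\n' "$1" >> "$LOGFILE"`. The rewritten restorecon/setfiles lines keep the order `2>&1 >> $LOGFILE`, which duplicates stderr onto the script's stdout before stdout is redirected, so stderr never reaches the log; if capturing it is the intent the order must be `>> "$LOGFILE" 2>&1`. The same hunk appears unchanged in the later patch in this thread (L1794-1863).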
 relabelCheck() {
@@ -129,6 +135,8 @@
 fi
 if [ $logfileFlag = 2 ]; then
     LOGFILE="$i"
+    echo > $LOGFILE
+    SYSLOGFLAG=""
     logfileFlag=1
     continue
 fi
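Review bot: `echo > $LOGFILE` truncates the -l target without checking that it is writable, and this patch also removes the `-w` check that the mktemp path used to have (L1291-1296), so an unwritable log path now produces a shell error and the run silently continues with nothing logged. Something like `: > "$LOGFILE" || exit 1` keeps the old failure behaviour and quotes the path. Consider also documenting that the default is now syslog via `-l` rather than a file under /var/tmp, since that changes where operators look for the record of a relabel.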
@@ -165,13 +173,6 @@
     exit 1
 fi
 
-if [ $logfileFlag = 0 ]; then
-    LOGFILE=`mktemp /var/tmp/fixfiles.log.XXXXXXXXXX`
-    if [ ! -w $LOGFILE ] ; then
-	exit 1
-    fi
-fi
-
 if [ $checkFlag = 1 ]; then
     checkLabels $rpmFiles
 fi
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles.cron policycoreutils-1.17.6/scripts/fixfiles.cron
--- nsapolicycoreutils/scripts/fixfiles.cron	2004-09-10 11:25:57.000000000 -0400
+++ policycoreutils-1.17.6/scripts/fixfiles.cron	2004-10-18 15:35:41.000000000 -0400
@@ -21,7 +21,8 @@
 	    mail ${CRONMAILTO} -s "Invalid File Contexts" < $OUTFILE
 	    rm -f $OUTFILE
 	else
-	    mail ${CRONMAILTO} -s "Invalid File Contexts listed in $OUTFILE" < /dev/null
+	    MESSAGE="Invalid File Contexts listed in $OUTFILE"
+	    mail ${CRONMAILTO} -s "Invalid File Contexts" <<< $MESSAGE
 	fi
     else
 	rm -f $OUTFILE
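Review bot: The here-string `<<< $MESSAGE` is a bash extension; the script's interpreter line is not in view, but if this cron job runs under a POSIX /bin/sh the line is a syntax error and no mail is sent at all. The portable form is `echo "$MESSAGE" | mail ${CRONMAILTO} -s "Invalid File Contexts"`. Note also that the subject no longer names the output file, so the body is the only place the path survives.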
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-1.17.6/scripts/Makefile
--- nsapolicycoreutils/scripts/Makefile	2004-09-10 11:25:57.000000000 -0400
+++ policycoreutils-1.17.6/scripts/Makefile	2004-10-18 15:35:41.000000000 -0400
@@ -12,7 +12,7 @@
 	-mkdir -p $(BINDIR)
 	install -m 755 $(TARGETS) $(BINDIR)
 	install -m 755 fixfiles $(DESTDIR)/sbin
-	install -D -m 755 fixfiles.cron $(DESTDIR)/etc/cron.daily/fixfiles.cron
+	install -D -m 755 fixfiles.cron $(DESTDIR)/etc/cron.weekly/fixfiles.cron
 	-mkdir -p $(MANDIR)/man8
 	install -m 644 fixfiles.8.gz $(MANDIR)/man8/
 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-1.17.6/setfiles/setfiles.8
--- nsapolicycoreutils/setfiles/setfiles.8	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/setfiles/setfiles.8	2004-10-22 13:56:03.453606056 -0400
@@ -4,7 +4,7 @@
 
 .SH "SYNOPSIS"
 .B setfiles
-.I [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-q] [\-s] [\-v] [\-vv] [\-W] spec_file pathname...
+.I [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-q] [\-s] [\-v] [\-vv] [\-F] [\-W] spec_file pathname...
 .SH "DESCRIPTION"
 This manual page describes the
 .BR setfiles
@@ -47,6 +47,9 @@
 .B \-vv
 show changes in file labels, if type, role, or user are changing.
 .TP 
+.B \-F
+set file context even if admin customized file context.
+.TP 
 .B \-W
 display warnings about entries that had no matching files.
 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-1.17.6/setfiles/setfiles.c
--- nsapolicycoreutils/setfiles/setfiles.c	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/setfiles/setfiles.c	2004-10-22 13:52:04.621913992 -0400
@@ -12,7 +12,7 @@
  * the user.  The program does not cross file system boundaries.
  *
  * USAGE:
- * setfiles [-dnpqsvW] [-e directory ] [-c policy] [-o filename ] spec_file pathname...
+ * setfiles [-FdnpqsvW] [-e directory ] [-c policy] [-o filename ] spec_file pathname...
  * 
  * -e   Specify directory to exclude
  * -c   Verify the specification file using a binary policy
@@ -24,6 +24,7 @@
  * -s   Use stdin for a list of files instead of searching a partition.
  * -v	Show changes in file labels.  
  * -W   Warn about entries that have no matching file.
+ * -F	reset file context even if the customize flag is set
  * -o filename write out file names with wrong context.
  *
  * spec_file	The specification file.
@@ -96,6 +97,7 @@
 static int use_stdin = 0;
 static int verbose = 0;
 static int log = 0;
+static int force = 0;
 static int warn_no_match = 0;
 static char *rootpath = NULL;
 static int rootpathlen = 0;
@@ -515,9 +517,9 @@
 void usage(const char * const name)
 {
 	fprintf(stderr,
-		"usage:  %s [-dnqvW] [-o filename] spec_file pathname...\n"
+		"usage:  %s [-FdnqvW] [-o filename] spec_file pathname...\n"
 		"usage:  %s [-c policyfile] spec_file\n"
-		"usage:  %s -s [-dnqvW] [-o filename ] spec_file\n", name, name, name);
+		"usage:  %s -s [-FdnqvW] [-o filename ] spec_file\n", name, name, name);
 	exit(1);
 }
 
@@ -603,6 +605,7 @@
 	struct stat my_sb;
 	int i, ret;
 	char *context; 
+	int customize=0;
 
 	/* Skip the extra slash at the beginning, if present. */
 	if (file[0] == '/' && file[1] == '/')
@@ -675,7 +678,9 @@
 		return 0;
 	}
 
-	if (verbose) {
+	lgetfileflag(my_file, &flag);
+	customize=customize && SELINUX_CUSTOMIZE;
+	if (verbose && (!customize || force)) {
 		/* If we're just doing "-v", trim out any relabels where
 		 * the user has changed but the role and type are the
 		 * same.  For "-vv", emit everything. */
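Review bot: `lgetfileflag(my_file, &flag);` uses a variable `flag` that the locals hunk above (L1392) does not declare, and the next line `customize=customize && SELINUX_CUSTOMIZE;` reads `customize` (initialised to 0) instead of `flag`, so this either fails to compile or never marks anything as customized. The intended pair is `lgetfileflag(my_file, &flag);` followed by `customize = flag & SELINUX_CUSTOMIZE;`, and the call's return value should be checked rather than dropped. The later patch in this thread addresses the naming and the `&` (L1989-1990) but still ignores the return value. The enclosing function starts before this hunk.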
@@ -686,22 +691,22 @@
 		}
 	}
 
-	if (log &&
+	if (log && (!customize || force) &&
 	    !only_changed_user(context, spec_arr[i].context)) {
 		syslog(LOG_INFO, "relabeling %s from %s to %s\n", 
 		       my_file, context, spec_arr[i].context);
 	}
 
-	if (outfile &&
+	if (outfile && (!customize || force) &&
 	    !only_changed_user(context, spec_arr[i].context)) 
 		fprintf(outfile, "%s\n", my_file);
 
 	freecon(context);
 
 	/*
-	 * Do not relabel the file if -n was used.
+	 * Do not relabel the file if -n was used or if customized.
 	 */
-	if (!change)
+	if (!change || (customize && !force))
 		return 0;
 
 	/*
@@ -714,6 +719,7 @@
 			progname, my_file, spec_arr[i].context);
 		return 0;
 	}
+	lsetfileflag(my_file, flag && !SELINUX_CUSTOMIZE);
 
 	return 0;
 }
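Review bot: `lsetfileflag(my_file, flag && !SELINUX_CUSTOMIZE);` runs for every file that was just relabeled, not only for customized ones, so each run writes a new `security.selinux.flag` xattr onto every file setfiles touches, and the call's result is discarded. The boolean `&&`/`!` should be a bit mask, and the write should be gated on the flag actually having been set: `if (customize && lsetfileflag(my_file, flag & ~SELINUX_CUSTOMIZE) < 0)` followed by `fprintf(stderr, "%s: failed to clear customize flag on %s\n", progname, my_file);`. A silent failure here leaves the file marked customized after a forced relabel, so the next non-forced run skips it without any indication why.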
@@ -775,7 +781,7 @@
 	memset(excludeArray,0, sizeof(excludeArray));
 
 	/* Process any options. */
-	while ((opt = getopt(argc, argv, "c:dlnqrsvWe:o:")) > 0) {
+	while ((opt = getopt(argc, argv, "Fc:dlnqrsvWe:o:")) > 0) {
 		switch (opt) {
 		case 'c':
 		{
@@ -837,6 +843,9 @@
 		case 'l':
 			log = 1;
 			break;
+		case 'F':
+			force = 1;
+			break;
 		case 'n':
 			change = 0;
 			break;

[-- Attachment #3: libselinux.diff --]
[-- Type: text/x-diff, Size: 5619 bytes --]

diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.17.15/include/selinux/selinux.h
--- nsalibselinux/include/selinux/selinux.h	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/include/selinux/selinux.h	2004-10-22 13:23:55.405713888 -0400
@@ -62,6 +62,15 @@
 extern int setfilecon(const char *path, security_context_t con);
 extern int lsetfilecon(const char *path, security_context_t con);
 extern int fsetfilecon(int fd, security_context_t con);
+/* setfileflag marks a file context as customized.  IE. a default setfiles 
+   will not relabel it.
+*/
+/* The following bit constants can be used with flags */
+#define SELINUX_CUSTOMIZE 0 << 1
+extern int setfileflag(const char *path, int flag);
+extern int lsetfileflag(const char *path, int flag);
+extern int getfileflag(const char *path, int *flag);
+extern int lgetfileflag(const char *path, int *flag);
 
 
 /* Wrappers for the socket API */
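Review bot: `#define SELINUX_CUSTOMIZE 0 << 1` evaluates to 0, so `flag & SELINUX_CUSTOMIZE` can never be true and utils/setfileflag.c (L1621) stores a zero flags word; the first bit is `1 << 0`, and the expansion must be parenthesised because `!SELINUX_CUSTOMIZE` currently becomes `!0 << 1`, i.e. 2. Suggested: `#define SELINUX_CUSTOMIZE (1U << 0)`. The comment above the prototypes should also say that setfileflag() replaces the whole flags word as given, so a caller wanting to mark a file customized must pass `current_flags | SELINUX_CUSTOMIZE`, and that the getters use the same width as the setters for the on-disk value.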
diff --exclude-from=exclude -N -u -r nsalibselinux/src/getfilecon.c libselinux-1.17.15/src/getfilecon.c
--- nsalibselinux/src/getfilecon.c	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/getfilecon.c	2004-10-22 13:16:07.041916008 -0400
@@ -5,6 +5,7 @@
 #include <stdlib.h>
 #include <errno.h>
 #include <sys/xattr.h>
+#include <netinet/in.h>
 #include "policy.h"
 
 int getfilecon(const char *path, security_context_t *context)
@@ -43,3 +44,15 @@
 		*context = buf;
 	return ret;
 }
+
+int getfileflag(const char *path, int *retflag)
+{
+	int flag=0;
+	int rc=0;
+	rc=lgetxattr(path, XATTR_NAME_SELINUX_FLAG, &flag, sizeof(flag));
+	if (rc==0) 
+		*retflag=ntohl(flag);
+	else 
+		*retflag=0;
+	return rc;
+}
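Review bot: `if (rc==0)` is never true on success, because lgetxattr() returns the number of bytes stored (sizeof(flag) here), so `*retflag` is always set to 0 and the customize flag is never observed by any caller; the same check is in lgetfileflag() at L1531. This getfileflag() also calls `lgetxattr` while the sibling getfilecon() in the same file uses `getxattr`, so the non-l API follows symlinks for the context but not for the flag. The rewrite below checks the returned size, treats an absent attribute as "no flags" (if that is what callers expect, which the setfiles/restorecon hunks suggest), and uses a fixed-width type for the stored value (needs `<stdint.h>` in the include block).
```c
int getfileflag(const char *path, int *retflag)
{
	uint32_t flag = 0;
	ssize_t rc = getxattr(path, XATTR_NAME_SELINUX_FLAG, &flag, sizeof(flag));
	*retflag = 0;
	if (rc < 0)
		return (errno == ENODATA) ? 0 : -1;	/* no attribute: not customized */
	if ((size_t)rc != sizeof(flag)) {
		errno = EINVAL;				/* attribute present but malformed */
		return -1;
	}
	*retflag = (int)ntohl(flag);
	return 0;
}
```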
diff --exclude-from=exclude -N -u -r nsalibselinux/src/lgetfilecon.c libselinux-1.17.15/src/lgetfilecon.c
--- nsalibselinux/src/lgetfilecon.c	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/lgetfilecon.c	2004-10-22 13:16:31.500197784 -0400
@@ -5,6 +5,7 @@
 #include <stdlib.h>
 #include <errno.h>
 #include <sys/xattr.h>
+#include <netinet/in.h>
 #include "policy.h"
 
 int lgetfilecon(const char *path, security_context_t *context)
@@ -43,3 +44,14 @@
 		*context = buf;
 	return ret;
 }
+int lgetfileflag(const char *path, int *retflag)
+{
+	int flag=0;
+	int rc=0;
+	rc=lgetxattr(path, XATTR_NAME_SELINUX_FLAG, &flag, sizeof(flag));
+	if (rc==0) 
+		*retflag=ntohl(flag);
+	else 
+		*retflag=0;
+	return rc;
+}
diff --exclude-from=exclude -N -u -r nsalibselinux/src/lsetfilecon.c libselinux-1.17.15/src/lsetfilecon.c
--- nsalibselinux/src/lsetfilecon.c	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/lsetfilecon.c	2004-10-22 13:16:53.540847096 -0400
@@ -5,9 +5,15 @@
 #include <stdlib.h>
 #include <errno.h>
 #include <sys/xattr.h>
+#include <netinet/in.h>
 #include "policy.h"
 
 int lsetfilecon(const char *path, security_context_t context)
 {
 	return lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context)+1, 0);
 }
+int lsetfileflag(const char *path, int flag)
+{
+	int nflag=htonl(flag);
+	return lsetxattr(path, XATTR_NAME_SELINUX_FLAG, &nflag, sizeof(nflag), 0);
+}
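Review bot: `int nflag=htonl(flag);` with `sizeof(nflag)` ties the size of the stored attribute to the platform's `int`, and the getters read `sizeof(flag)` the same way; the endianness point raised earlier in the thread applies to width as well, so the on-disk value should be a fixed `uint32_t nflag = htonl((uint32_t)flag);` on both sides (setfileflag() at L1574-1578 has the same shape). Nothing rejects bits that no header defines, so `if (flag & ~SELINUX_CUSTOMIZE) { errno = EINVAL; return -1; }` would keep undefined values from landing in the attribute. The same applies to setfilecon.c.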
diff --exclude-from=exclude -N -u -r nsalibselinux/src/policy.h libselinux-1.17.15/src/policy.h
--- nsalibselinux/src/policy.h	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/policy.h	2004-10-20 14:23:35.000000000 -0400
@@ -5,6 +5,7 @@
 
 /* xattr name for SELinux attributes. */
 #define XATTR_NAME_SELINUX "security.selinux"
+#define XATTR_NAME_SELINUX_FLAG "security.selinux.flag"
 
 /* Initial length guess for getting contexts. */
 #define INITCONTEXTLEN 255
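Review bot: The new name lives in the `security.` xattr namespace, so which subjects may read or write `security.selinux.flag` is decided by the kernel's handling of that namespace rather than by anything in this library, and the earlier discussion in this thread asked for a permission distinct from relabelfrom (L909-912). The kernel side is not visible here, so this is a point to confirm; once settled, the comment should record it, e.g. `/* xattr holding the file-context flags word; access is checked by the kernel's security.* xattr hooks, not by libselinux */`.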
diff --exclude-from=exclude -N -u -r nsalibselinux/src/setfilecon.c libselinux-1.17.15/src/setfilecon.c
--- nsalibselinux/src/setfilecon.c	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/setfilecon.c	2004-10-22 13:14:31.629420912 -0400
@@ -11,3 +11,8 @@
 {
 	return setxattr(path, XATTR_NAME_SELINUX, context, strlen(context)+1, 0);
 }
+int setfileflag(const char *path, int flag)
+{
+	int nflag=htonl(flag);
+	return setxattr(path, XATTR_NAME_SELINUX_FLAG, &nflag, sizeof(nflag), 0);
+}
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/getfileflag.c libselinux-1.17.15/utils/getfileflag.c
--- nsalibselinux/utils/getfileflag.c	1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.17.15/utils/getfileflag.c	2004-10-22 13:20:33.392424576 -0400
@@ -0,0 +1,24 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <selinux/selinux.h>
+
+int main(int argc, char **argv) 
+{
+	int rc, i;
+	int flag;
+	if (argc < 2) {
+		fprintf(stderr, "usage:  %s path...\n", argv[0]);
+		exit(1);
+	}
+
+	for (i = 1; i < argc; i++) {
+		rc = getfileflag(argv[i], &flag);
+		if (rc < 0) {
+			fprintf(stderr, "%s:  getfileflag(%s) failed\n", argv[0], argv[i]);
+			exit(2);
+		}
+		printf("%s\t%d\n", argv[i], flag);
+	}
+	exit(0);
+}
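Review bot: The failure message omits the reason, unlike the sibling utility in setfileflag.c (L1630) which prints `strerror(errno)`; make them consistent, e.g. `fprintf(stderr, "%s:  getfileflag(%s) failed: %s\n", argv[0], argv[i], strerror(errno));` with `<errno.h>` and `<string.h>` included. With the getter as written, a file that simply has no flag attribute makes the tool exit 2 rather than print 0, so an operator cannot distinguish "not customized" from "cannot read"; that depends on how getfileflag() ends up treating ENODATA.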
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/setfileflag.c libselinux-1.17.15/utils/setfileflag.c
--- nsalibselinux/utils/setfileflag.c	1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.17.15/utils/setfileflag.c	2004-10-22 13:22:31.436479152 -0400
@@ -0,0 +1,25 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <selinux/selinux.h>
+#include <errno.h>
+#include <string.h>
+
+int main(int argc, char **argv) 
+{
+	int rc, i;
+	int flag=SELINUX_CUSTOMIZE;
+	if (argc < 2) {
+		fprintf(stderr, "usage:  %s path...\n", argv[0]);
+		exit(1);
+	}
+
+	for (i = 1; i < argc; i++) {
+		rc = setfileflag(argv[i],flag);
+		if (rc < 0) {
+			fprintf(stderr, "%s:  setfileflag(%s) failed: %s\n", argv[0], argv[i],strerror(errno));
+			exit(2);
+		}
+	}
+	exit(0);
+}
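Review bot: `setfileflag(argv[i],flag)` overwrites the whole flags word with SELINUX_CUSTOMIZE instead of adding the bit to whatever is already stored, which contradicts the general-flags design agreed earlier in the thread (L925-930) and would silently drop any other flag defined later; it also offers no way to clear the bit. A read-modify-write keeps other bits intact: `int cur = 0;` / `getfileflag(argv[i], &cur);` / `rc = setfileflag(argv[i], cur | SELINUX_CUSTOMIZE);`. The `<unistd.h>` include is unused in this file.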

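Review bot: Across this attachment the customize flag cannot round-trip: the header defines the bit as 0 (L1476), the getters never accept a successful read (L1505, L1531), and the callers mask it with logical operators (L1146, L1155, L1402, L1438). Any one of these alone makes every file look "not customized", so restorecon -F/setfiles -F and their non-forced paths behave identically in testing; a small test that sets the flag with utils/setfileflag, reads it back with utils/getfileflag, and then runs restorecon with and without -F would catch all four.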

* Re: Proposed patch for libselinux
  2004-10-22 15:56   ` Luke Kenneth Casson Leighton
@ 2004-10-22 19:55     ` Daniel J Walsh
  2004-10-22 20:22     ` Daniel J Walsh
  1 sibling, 0 replies; 22+ messages in thread
From: Daniel J Walsh @ 2004-10-22 19:55 UTC (permalink / raw)
  To: SELinux; +Cc: Stephen Smalley, Colin Walters

[-- Attachment #1: Type: text/plain, Size: 18 bytes --]

Another try.

Dan

[-- Attachment #2: policycoreutils.diff --]
[-- Type: text/x-diff, Size: 12665 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.8 policycoreutils-1.17.6/restorecon/restorecon.8
--- nsapolicycoreutils/restorecon/restorecon.8	2004-10-06 09:47:27.000000000 -0400
+++ policycoreutils-1.17.6/restorecon/restorecon.8	2004-10-22 15:32:09.757994544 -0400
@@ -7,7 +7,7 @@
 .I [\-o outfilename ] [\-R] [\-n] [\-v] pathname...
 .P
 .B restorecon
-.I \-f infilename [\-o outfilename ] [\-R] [\-n] [\-v] 
+.I \-f infilename [\-o outfilename ] [\-F] [\-R] [\-n] [\-v] 
 
 .SH "DESCRIPTION"
 This manual page describes the
@@ -26,6 +26,9 @@
 .B \-f infilename
 infilename contains a list of files to be processed by application. Use \- for stdin.
 .TP 
+.B \-F
+restore file context even if admin customized file context.
+.TP 
 .B \-R
 change files and directories file labels recursively
 .TP 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.17.6/restorecon/restorecon.c
--- nsapolicycoreutils/restorecon/restorecon.c	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/restorecon/restorecon.c	2004-10-22 15:35:25.200282800 -0400
@@ -8,11 +8,14 @@
  * to match the specification returned by matchpathcon.
  *
  * USAGE:
- * restorecon [-Rnv] pathname...
+ * restorecon [-FRnv] [-f inputfile ] [ -o outputfile ] pathname...
  * 
+ * -R	recurse
  * -n	Do not change any file labels.
  * -v	Show changes in file labels.  
- * -o filename save list of files with incorrect context
+ * -o	filename save list of files with incorrect context
+ * -F	Restore file context even if the customize flag is set
+ * -f	filename to read from for changing filecontext
  *
  * pathname...	The file(s) to label 
  *
@@ -42,11 +45,12 @@
 static char *progname;
 static int errors=0;
 static int recurse;
+static int force=0;
 
 void usage(const char * const name)
 {	
   fprintf(stderr,
-	  "usage:  %s [-Rnv] [-f filename | pathname... ]\n",  name);
+	  "usage:  %s [-FRnv] [-f filename | pathname... ]\n",  name);
   exit(1);
 }
 int restore(char *filename) {
@@ -54,6 +58,8 @@
   int retval=0;
   security_context_t scontext;
   security_context_t prev_context;
+  unsigned int customized=0;
+  unsigned int flag=0;
   int len=strlen(filename);
   struct stat st;
   char path[PATH_MAX+1];
@@ -109,14 +115,27 @@
     return 0;
   }
   retcontext=lgetfilecon(filename,&prev_context);
-  
+   
   if (retcontext >= 0 || errno == ENODATA) {
     if (retcontext < 0 || strcmp(prev_context,scontext) != 0) {
-      if (outfile) {
-	fprintf(outfile, "%s\n", filename);
-      }
+      lgetfileconflag(filename, &flag);
+      customized=flag & SELINUX_CUSTOMIZE;
+      if (outfile  && (!customized || force))
+	    fprintf(outfile, "%s\n", filename);
       if (change) {
-	retval=lsetfilecon(filename,scontext);
+	if (customized) {
+		if (force) {
+			retval=lsetfilecon(filename,scontext);
+			if (retval >= 0)
+				lsetfileconflag(filename, flag & !SELINUX_CUSTOMIZE);
+		} else {
+			if (verbose)
+				fprintf(stderr,"%s did not reset context for %s, marked flaganent\n",
+					progname, filename);
+		}
+	} else {
+		retval=lsetfilecon(filename,scontext);
+	}
       }
       if (retval<0) {
 	  fprintf(stderr,"%s set context %s->%s failed:'%s'\n",
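Review bot: `lsetfileconflag(filename, flag & !SELINUX_CUSTOMIZE);` still uses the logical `!`, which yields 0 or 1, so the forced relabel clears every flag bit (or keeps only bit 0) instead of just the customize bit; it should be `flag & ~SELINUX_CUSTOMIZE`. The result of that call is discarded, so a relabel that succeeds while the flag clear fails leaves the file marked customized and the next non-forced run skips it with no indication why; report it alongside the existing "set context ... failed" message. The message `marked flaganent` is a remnant of "permanent" and should read `marked customized`, and the return value of lgetfileconflag() is also unchecked. restore() begins outside this hunk.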
@@ -126,7 +145,7 @@
 	  freecon(scontext);
 	  return 1;
       } else 	
-	if (verbose)
+	if (verbose && (!customized || force))
 	  fprintf(stderr,"%s reset context %s->%s\n",
 		  progname, filename, scontext);
     } 
@@ -179,7 +198,7 @@
 
   memset(buf,0, sizeof(buf));
 
-  while ((opt = getopt(argc, argv, "Rnvf:o:")) > 0) {
+  while ((opt = getopt(argc, argv, "FRnvf:o:")) > 0) {
     switch (opt) {
     case 'n':
       change = 0;
@@ -187,6 +206,9 @@
     case 'R':
       recurse = 1;
       break;
+    case 'F':
+      force = 1;
+      break;
     case 'o':
       outfile = fopen(optarg,"w");
       if (!outfile) {
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.17.6/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/scripts/fixfiles	2004-10-22 15:32:09.759994240 -0400
@@ -31,6 +31,8 @@
 outfileFlag=0
 OUTFILES=""
 logfileFlag=0
+LOGFILE=/dev/null
+SYSLOGFLAG="-l"
 SETFILES=/usr/sbin/setfiles
 FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(rw/{print $3}';`
 FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(ro/{print $3}';`
@@ -44,50 +46,54 @@
     FC=/etc/security/selinux/file_contexts
 fi
 
+logit () {
+if [ $logfileFlag = 0 ]; then
+    logger -i $1
+else
+    echo $1 >> $LOGFILE
+fi
+}
 checkLabels () {
-echo "logging to $LOGFILE"
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 > $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 >> $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
-        echo "Warning: Skipping the following R/O filesystems:"
-        echo "$FILESYSTEMSRO"
+        logit "Warning: Skipping the following R/O filesystems:"
+        logit "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -n -v ${FC} ${FILESYSTEMSRW} 2>&1 > $LOGFILE
+    ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -n -v ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
 fi
 }
 
 restoreLabels () {
-echo "logging to $LOGFILE"
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 > $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 >> $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
-        echo "Warning: Skipping the following R/O filesystems:"
-        echo "$FILESYSTEMSRO"
+        logit "Warning: Skipping the following R/O filesystems:"
+        logit "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 > $LOGFILE
+    ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -v ${FC} ${FILESYSTEMS} 2>&1 >> $LOGFILE
 fi
 }
 
 relabel() {
-echo "logging to $LOGFILE"
-echo "Cleaning out /tmp"
+logit "Cleaning out /tmp"
 rm -rf /tmp/.??* /tmp/*
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 > $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 >> $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
-        echo "Warning: Skipping the following R/O filesystems:"
-        echo "$FILESYSTEMSRO"
+        logit "Warning: Skipping the following R/O filesystems:"
+        logit "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 > $LOGFILE
+    ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -v ${FC} ${FILESYSTEMS} 2>&1 >> $LOGFILE
 fi
 }
 relabelCheck() {
@@ -129,6 +135,8 @@
 fi
 if [ $logfileFlag = 2 ]; then
     LOGFILE="$i"
+    echo > $LOGFILE
+    SYSLOGFLAG=""
     logfileFlag=1
     continue
 fi
@@ -165,13 +173,6 @@
     exit 1
 fi
 
-if [ $logfileFlag = 0 ]; then
-    LOGFILE=`mktemp /var/tmp/fixfiles.log.XXXXXXXXXX`
-    if [ ! -w $LOGFILE ] ; then
-	exit 1
-    fi
-fi
-
 if [ $checkFlag = 1 ]; then
     checkLabels $rpmFiles
 fi
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles.cron policycoreutils-1.17.6/scripts/fixfiles.cron
--- nsapolicycoreutils/scripts/fixfiles.cron	2004-09-10 11:25:57.000000000 -0400
+++ policycoreutils-1.17.6/scripts/fixfiles.cron	2004-10-22 15:32:09.760994088 -0400
@@ -21,7 +21,8 @@
 	    mail ${CRONMAILTO} -s "Invalid File Contexts" < $OUTFILE
 	    rm -f $OUTFILE
 	else
-	    mail ${CRONMAILTO} -s "Invalid File Contexts listed in $OUTFILE" < /dev/null
+	    MESSAGE="Invalid File Contexts listed in $OUTFILE"
+	    mail ${CRONMAILTO} -s "Invalid File Contexts" <<< $MESSAGE
 	fi
     else
 	rm -f $OUTFILE
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-1.17.6/scripts/Makefile
--- nsapolicycoreutils/scripts/Makefile	2004-09-10 11:25:57.000000000 -0400
+++ policycoreutils-1.17.6/scripts/Makefile	2004-10-22 15:32:09.761993936 -0400
@@ -12,7 +12,7 @@
 	-mkdir -p $(BINDIR)
 	install -m 755 $(TARGETS) $(BINDIR)
 	install -m 755 fixfiles $(DESTDIR)/sbin
-	install -D -m 755 fixfiles.cron $(DESTDIR)/etc/cron.daily/fixfiles.cron
+	install -D -m 755 fixfiles.cron $(DESTDIR)/etc/cron.weekly/fixfiles.cron
 	-mkdir -p $(MANDIR)/man8
 	install -m 644 fixfiles.8.gz $(MANDIR)/man8/
 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-1.17.6/setfiles/setfiles.8
--- nsapolicycoreutils/setfiles/setfiles.8	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/setfiles/setfiles.8	2004-10-22 15:32:09.761993936 -0400
@@ -4,7 +4,7 @@
 
 .SH "SYNOPSIS"
 .B setfiles
-.I [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-q] [\-s] [\-v] [\-vv] [\-W] spec_file pathname...
+.I [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-q] [\-s] [\-v] [\-vv] [\-F] [\-W] spec_file pathname...
 .SH "DESCRIPTION"
 This manual page describes the
 .BR setfiles
@@ -47,6 +47,9 @@
 .B \-vv
 show changes in file labels, if type, role, or user are changing.
 .TP 
+.B \-F
+set file context even if admin customized file context.
+.TP 
 .B \-W
 display warnings about entries that had no matching files.
 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-1.17.6/setfiles/setfiles.c
--- nsapolicycoreutils/setfiles/setfiles.c	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/setfiles/setfiles.c	2004-10-22 15:36:18.282213120 -0400
@@ -12,7 +12,7 @@
  * the user.  The program does not cross file system boundaries.
  *
  * USAGE:
- * setfiles [-dnpqsvW] [-e directory ] [-c policy] [-o filename ] spec_file pathname...
+ * setfiles [-FdnpqsvW] [-e directory ] [-c policy] [-o filename ] spec_file pathname...
  * 
  * -e   Specify directory to exclude
  * -c   Verify the specification file using a binary policy
@@ -24,6 +24,7 @@
  * -s   Use stdin for a list of files instead of searching a partition.
  * -v	Show changes in file labels.  
  * -W   Warn about entries that have no matching file.
+ * -F	reset file context even if the customize flag is set
  * -o filename write out file names with wrong context.
  *
  * spec_file	The specification file.
@@ -96,6 +97,7 @@
 static int use_stdin = 0;
 static int verbose = 0;
 static int log = 0;
+static int force = 0;
 static int warn_no_match = 0;
 static char *rootpath = NULL;
 static int rootpathlen = 0;
@@ -515,9 +517,9 @@
 void usage(const char * const name)
 {
 	fprintf(stderr,
-		"usage:  %s [-dnqvW] [-o filename] spec_file pathname...\n"
+		"usage:  %s [-FdnqvW] [-o filename] spec_file pathname...\n"
 		"usage:  %s [-c policyfile] spec_file\n"
-		"usage:  %s -s [-dnqvW] [-o filename ] spec_file\n", name, name, name);
+		"usage:  %s -s [-FdnqvW] [-o filename ] spec_file\n", name, name, name);
 	exit(1);
 }
 
@@ -603,6 +605,8 @@
 	struct stat my_sb;
 	int i, ret;
 	char *context; 
+	unsigned int customize=0;
+	unsigned int fileconflag=0;
 
 	/* Skip the extra slash at the beginning, if present. */
 	if (file[0] == '/' && file[1] == '/')
@@ -675,7 +679,9 @@
 		return 0;
 	}
 
-	if (verbose) {
+	lgetfileconflag(my_file, &fileconflag);
+	customize=fileconflag & SELINUX_CUSTOMIZE;
+	if (verbose && (!customize || force)) {
 		/* If we're just doing "-v", trim out any relabels where
 		 * the user has changed but the role and type are the
 		 * same.  For "-vv", emit everything. */
@@ -686,22 +692,22 @@
 		}
 	}
 
-	if (log &&
+	if (log && (!customize || force) &&
 	    !only_changed_user(context, spec_arr[i].context)) {
 		syslog(LOG_INFO, "relabeling %s from %s to %s\n", 
 		       my_file, context, spec_arr[i].context);
 	}
 
-	if (outfile &&
+	if (outfile && (!customize || force) &&
 	    !only_changed_user(context, spec_arr[i].context)) 
 		fprintf(outfile, "%s\n", my_file);
 
 	freecon(context);
 
 	/*
-	 * Do not relabel the file if -n was used.
+	 * Do not relabel the file if -n was used or if customized.
 	 */
-	if (!change)
+	if (!change || (customize & !force))
 		return 0;
 
 	/*
@@ -714,6 +720,7 @@
 			progname, my_file, spec_arr[i].context);
 		return 0;
 	}
+	lsetfileconflag(my_file, fileconflag & !SELINUX_CUSTOMIZE);
 
 	return 0;
 }
@@ -775,7 +782,7 @@
 	memset(excludeArray,0, sizeof(excludeArray));
 
 	/* Process any options. */
-	while ((opt = getopt(argc, argv, "c:dlnqrsvWe:o:")) > 0) {
+	while ((opt = getopt(argc, argv, "Fc:dlnqrsvWe:o:")) > 0) {
 		switch (opt) {
 		case 'c':
 		{
@@ -837,6 +844,9 @@
 		case 'l':
 			log = 1;
 			break;
+		case 'F':
+			force = 1;
+			break;
 		case 'n':
 			change = 0;
 			break;

[-- Attachment #3: libselinux.diff --]
[-- Type: text/x-diff, Size: 12665 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.8 policycoreutils-1.17.6/restorecon/restorecon.8
--- nsapolicycoreutils/restorecon/restorecon.8	2004-10-06 09:47:27.000000000 -0400
+++ policycoreutils-1.17.6/restorecon/restorecon.8	2004-10-22 15:32:09.757994544 -0400
@@ -7,7 +7,7 @@
 .I [\-o outfilename ] [\-R] [\-n] [\-v] pathname...
 .P
 .B restorecon
-.I \-f infilename [\-o outfilename ] [\-R] [\-n] [\-v] 
+.I \-f infilename [\-o outfilename ] [\-F] [\-R] [\-n] [\-v] 
 
 .SH "DESCRIPTION"
 This manual page describes the
@@ -26,6 +26,9 @@
 .B \-f infilename
 infilename contains a list of files to be processed by application. Use \- for stdin.
 .TP 
+.B \-F
+restore file context even if admin customized file context.
+.TP 
 .B \-R
 change files and directories file labels recursively
 .TP 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.17.6/restorecon/restorecon.c
--- nsapolicycoreutils/restorecon/restorecon.c	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/restorecon/restorecon.c	2004-10-22 15:35:25.200282800 -0400
@@ -8,11 +8,14 @@
  * to match the specification returned by matchpathcon.
  *
  * USAGE:
- * restorecon [-Rnv] pathname...
+ * restorecon [-FRnv] [-f inputfile ] [ -o outputfile ] pathname...
  * 
+ * -R	recurse
  * -n	Do not change any file labels.
  * -v	Show changes in file labels.  
- * -o filename save list of files with incorrect context
+ * -o	filename save list of files with incorrect context
+ * -F	Restore file context even if the customize flag is set
+ * -f	filename to read from for changing filecontext
  *
  * pathname...	The file(s) to label 
  *
@@ -42,11 +45,12 @@
 static char *progname;
 static int errors=0;
 static int recurse;
+static int force=0;
 
 void usage(const char * const name)
 {	
   fprintf(stderr,
-	  "usage:  %s [-Rnv] [-f filename | pathname... ]\n",  name);
+	  "usage:  %s [-FRnv] [-f filename | pathname... ]\n",  name);
   exit(1);
 }
 int restore(char *filename) {
@@ -54,6 +58,8 @@
   int retval=0;
   security_context_t scontext;
   security_context_t prev_context;
+  unsigned int customized=0;
+  unsigned int flag=0;
   int len=strlen(filename);
   struct stat st;
   char path[PATH_MAX+1];
@@ -109,14 +115,27 @@
     return 0;
   }
   retcontext=lgetfilecon(filename,&prev_context);
-  
+   
   if (retcontext >= 0 || errno == ENODATA) {
     if (retcontext < 0 || strcmp(prev_context,scontext) != 0) {
-      if (outfile) {
-	fprintf(outfile, "%s\n", filename);
-      }
+      lgetfileconflag(filename, &flag);
+      customized=flag & SELINUX_CUSTOMIZE;
+      if (outfile  && (!customized || force))
+	    fprintf(outfile, "%s\n", filename);
       if (change) {
-	retval=lsetfilecon(filename,scontext);
+	if (customized) {
+		if (force) {
+			retval=lsetfilecon(filename,scontext);
+			if (retval >= 0)
+				lsetfileconflag(filename, flag & !SELINUX_CUSTOMIZE);
+		} else {
+			if (verbose)
+				fprintf(stderr,"%s did not reset context for %s, marked flaganent\n",
+					progname, filename);
+		}
+	} else {
+		retval=lsetfilecon(filename,scontext);
+	}
       }
       if (retval<0) {
 	  fprintf(stderr,"%s set context %s->%s failed:'%s'\n",
@@ -126,7 +145,7 @@
 	  freecon(scontext);
 	  return 1;
       } else 	
-	if (verbose)
+	if (verbose && (!customized || force))
 	  fprintf(stderr,"%s reset context %s->%s\n",
 		  progname, filename, scontext);
     } 
@@ -179,7 +198,7 @@
 
   memset(buf,0, sizeof(buf));
 
-  while ((opt = getopt(argc, argv, "Rnvf:o:")) > 0) {
+  while ((opt = getopt(argc, argv, "FRnvf:o:")) > 0) {
     switch (opt) {
     case 'n':
       change = 0;
@@ -187,6 +206,9 @@
     case 'R':
       recurse = 1;
       break;
+    case 'F':
+      force = 1;
+      break;
     case 'o':
       outfile = fopen(optarg,"w");
       if (!outfile) {
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.17.6/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/scripts/fixfiles	2004-10-22 15:32:09.759994240 -0400
@@ -31,6 +31,8 @@
 outfileFlag=0
 OUTFILES=""
 logfileFlag=0
+LOGFILE=/dev/null
+SYSLOGFLAG="-l"
 SETFILES=/usr/sbin/setfiles
 FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(rw/{print $3}';`
 FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(ro/{print $3}';`
@@ -44,50 +46,54 @@
     FC=/etc/security/selinux/file_contexts
 fi
 
+logit () {
+if [ $logfileFlag = 0 ]; then
+    logger -i $1
+else
+    echo $1 >> $LOGFILE
+fi
+}
 checkLabels () {
-echo "logging to $LOGFILE"
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 > $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 >> $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
-        echo "Warning: Skipping the following R/O filesystems:"
-        echo "$FILESYSTEMSRO"
+        logit "Warning: Skipping the following R/O filesystems:"
+        logit "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -n -v ${FC} ${FILESYSTEMSRW} 2>&1 > $LOGFILE
+    ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -n -v ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
 fi
 }
 
 restoreLabels () {
-echo "logging to $LOGFILE"
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 > $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 >> $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
-        echo "Warning: Skipping the following R/O filesystems:"
-        echo "$FILESYSTEMSRO"
+        logit "Warning: Skipping the following R/O filesystems:"
+        logit "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 > $LOGFILE
+    ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -v ${FC} ${FILESYSTEMS} 2>&1 >> $LOGFILE
 fi
 }
 
 relabel() {
-echo "logging to $LOGFILE"
-echo "Cleaning out /tmp"
+logit "Cleaning out /tmp"
 rm -rf /tmp/.??* /tmp/*
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 > $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 >> $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
-        echo "Warning: Skipping the following R/O filesystems:"
-        echo "$FILESYSTEMSRO"
+        logit "Warning: Skipping the following R/O filesystems:"
+        logit "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 > $LOGFILE
+    ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -v ${FC} ${FILESYSTEMS} 2>&1 >> $LOGFILE
 fi
 }
 relabelCheck() {
@@ -129,6 +135,8 @@
 fi
 if [ $logfileFlag = 2 ]; then
     LOGFILE="$i"
+    echo > $LOGFILE
+    SYSLOGFLAG=""
     logfileFlag=1
     continue
 fi
@@ -165,13 +173,6 @@
     exit 1
 fi
 
-if [ $logfileFlag = 0 ]; then
-    LOGFILE=`mktemp /var/tmp/fixfiles.log.XXXXXXXXXX`
-    if [ ! -w $LOGFILE ] ; then
-	exit 1
-    fi
-fi
-
 if [ $checkFlag = 1 ]; then
     checkLabels $rpmFiles
 fi
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles.cron policycoreutils-1.17.6/scripts/fixfiles.cron
--- nsapolicycoreutils/scripts/fixfiles.cron	2004-09-10 11:25:57.000000000 -0400
+++ policycoreutils-1.17.6/scripts/fixfiles.cron	2004-10-22 15:32:09.760994088 -0400
@@ -21,7 +21,8 @@
 	    mail ${CRONMAILTO} -s "Invalid File Contexts" < $OUTFILE
 	    rm -f $OUTFILE
 	else
-	    mail ${CRONMAILTO} -s "Invalid File Contexts listed in $OUTFILE" < /dev/null
+	    MESSAGE="Invalid File Contexts listed in $OUTFILE"
+	    mail ${CRONMAILTO} -s "Invalid File Contexts" <<< $MESSAGE
 	fi
     else
 	rm -f $OUTFILE
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-1.17.6/scripts/Makefile
--- nsapolicycoreutils/scripts/Makefile	2004-09-10 11:25:57.000000000 -0400
+++ policycoreutils-1.17.6/scripts/Makefile	2004-10-22 15:32:09.761993936 -0400
@@ -12,7 +12,7 @@
 	-mkdir -p $(BINDIR)
 	install -m 755 $(TARGETS) $(BINDIR)
 	install -m 755 fixfiles $(DESTDIR)/sbin
-	install -D -m 755 fixfiles.cron $(DESTDIR)/etc/cron.daily/fixfiles.cron
+	install -D -m 755 fixfiles.cron $(DESTDIR)/etc/cron.weekly/fixfiles.cron
 	-mkdir -p $(MANDIR)/man8
 	install -m 644 fixfiles.8.gz $(MANDIR)/man8/
 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-1.17.6/setfiles/setfiles.8
--- nsapolicycoreutils/setfiles/setfiles.8	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/setfiles/setfiles.8	2004-10-22 15:32:09.761993936 -0400
@@ -4,7 +4,7 @@
 
 .SH "SYNOPSIS"
 .B setfiles
-.I [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-q] [\-s] [\-v] [\-vv] [\-W] spec_file pathname...
+.I [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-q] [\-s] [\-v] [\-vv] [\-F] [\-W] spec_file pathname...
 .SH "DESCRIPTION"
 This manual page describes the
 .BR setfiles
@@ -47,6 +47,9 @@
 .B \-vv
 show changes in file labels, if type, role, or user are changing.
 .TP 
+.B \-F
+set file context even if admin customized file context.
+.TP 
 .B \-W
 display warnings about entries that had no matching files.
 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-1.17.6/setfiles/setfiles.c
--- nsapolicycoreutils/setfiles/setfiles.c	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/setfiles/setfiles.c	2004-10-22 15:36:18.282213120 -0400
@@ -12,7 +12,7 @@
  * the user.  The program does not cross file system boundaries.
  *
  * USAGE:
- * setfiles [-dnpqsvW] [-e directory ] [-c policy] [-o filename ] spec_file pathname...
+ * setfiles [-FdnpqsvW] [-e directory ] [-c policy] [-o filename ] spec_file pathname...
  * 
  * -e   Specify directory to exclude
  * -c   Verify the specification file using a binary policy
@@ -24,6 +24,7 @@
  * -s   Use stdin for a list of files instead of searching a partition.
  * -v	Show changes in file labels.  
  * -W   Warn about entries that have no matching file.
+ * -F	reset file context even if the customize flag is set
  * -o filename write out file names with wrong context.
  *
  * spec_file	The specification file.
@@ -96,6 +97,7 @@
 static int use_stdin = 0;
 static int verbose = 0;
 static int log = 0;
+static int force = 0;
 static int warn_no_match = 0;
 static char *rootpath = NULL;
 static int rootpathlen = 0;
@@ -515,9 +517,9 @@
 void usage(const char * const name)
 {
 	fprintf(stderr,
-		"usage:  %s [-dnqvW] [-o filename] spec_file pathname...\n"
+		"usage:  %s [-FdnqvW] [-o filename] spec_file pathname...\n"
 		"usage:  %s [-c policyfile] spec_file\n"
-		"usage:  %s -s [-dnqvW] [-o filename ] spec_file\n", name, name, name);
+		"usage:  %s -s [-FdnqvW] [-o filename ] spec_file\n", name, name, name);
 	exit(1);
 }
 
@@ -603,6 +605,8 @@
 	struct stat my_sb;
 	int i, ret;
 	char *context; 
+	unsigned int customize=0;
+	unsigned int fileconflag=0;
 
 	/* Skip the extra slash at the beginning, if present. */
 	if (file[0] == '/' && file[1] == '/')
@@ -675,7 +679,9 @@
 		return 0;
 	}
 
-	if (verbose) {
+	lgetfileconflag(my_file, &fileconflag);
+	customize=fileconflag & SELINUX_CUSTOMIZE;
+	if (verbose && (!customize || force)) {
 		/* If we're just doing "-v", trim out any relabels where
 		 * the user has changed but the role and type are the
 		 * same.  For "-vv", emit everything. */
@@ -686,22 +692,22 @@
 		}
 	}
 
-	if (log &&
+	if (log && (!customize || force) &&
 	    !only_changed_user(context, spec_arr[i].context)) {
 		syslog(LOG_INFO, "relabeling %s from %s to %s\n", 
 		       my_file, context, spec_arr[i].context);
 	}
 
-	if (outfile &&
+	if (outfile && (!customize || force) &&
 	    !only_changed_user(context, spec_arr[i].context)) 
 		fprintf(outfile, "%s\n", my_file);
 
 	freecon(context);
 
 	/*
-	 * Do not relabel the file if -n was used.
+	 * Do not relabel the file if -n was used or if customized.
 	 */
-	if (!change)
+	if (!change || (customize & !force))
 		return 0;
 
 	/*
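Review bot: `!change || (customize & !force)` combines a masked flag word with a logical value using bitwise `&`; it only works because `SELINUX_CUSTOMIZE` happens to be bit 0 and breaks as soon as the flag uses any other bit, so write `!change || (customize && !force)`. Note too that with `-n` a customized mismatch is now neither syslogged, written to `-o`, nor shown by `-v`, because all three were gated on `(!customize || force)`, so a check run hides exactly the files whose label was pinned away from policy; consider reporting them with a marker rather than dropping them. The enclosing function starts before this hunk and continues after it.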
@@ -714,6 +720,7 @@
 			progname, my_file, spec_arr[i].context);
 		return 0;
 	}
+	lsetfileconflag(my_file, fileconflag & !SELINUX_CUSTOMIZE);
 
 	return 0;
 }
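Review bot: `lsetfileconflag(my_file, fileconflag & !SELINUX_CUSTOMIZE)` has two problems: `!` is logical not, so the argument is always `fileconflag & 0` and every flag bit is cleared (the intended mask is `~SELINUX_CUSTOMIZE`), and the call runs after every successful relabel rather than only for forced customized files, so every file `setfiles` touches gains a zero-valued `security.selinux.flag` attribute. Guard it with `if (customize && force)` and check its return value, since an ignored failure leaves the file relabeled but still marked customized and therefore skipped on the next run. The enclosing function starts before this hunk.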
@@ -775,7 +782,7 @@
 	memset(excludeArray,0, sizeof(excludeArray));
 
 	/* Process any options. */
-	while ((opt = getopt(argc, argv, "c:dlnqrsvWe:o:")) > 0) {
+	while ((opt = getopt(argc, argv, "Fc:dlnqrsvWe:o:")) > 0) {
 		switch (opt) {
 		case 'c':
 		{
@@ -837,6 +844,9 @@
 		case 'l':
 			log = 1;
 			break;
+		case 'F':
+			force = 1;
+			break;
 		case 'n':
 			change = 0;
 			break;


* Re: Proposed patch for libselinux
  2004-10-22 15:56   ` Luke Kenneth Casson Leighton
  2004-10-22 19:55     ` Daniel J Walsh
@ 2004-10-22 20:22     ` Daniel J Walsh
  2004-10-25 14:52       ` Stephen Smalley
  1 sibling, 1 reply; 22+ messages in thread
From: Daniel J Walsh @ 2004-10-22 20:22 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux, Colin Walters

[-- Attachment #1: Type: text/plain, Size: 37 bytes --]


Attached the wrong patch.  Trying again.

[-- Attachment #2: libselinux.diff --]
[-- Type: text/x-diff, Size: 5735 bytes --]

diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.17.15/include/selinux/selinux.h
--- nsalibselinux/include/selinux/selinux.h	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/include/selinux/selinux.h	2004-10-22 15:07:41.496204264 -0400
@@ -62,6 +62,15 @@
 extern int setfilecon(const char *path, security_context_t con);
 extern int lsetfilecon(const char *path, security_context_t con);
 extern int fsetfilecon(int fd, security_context_t con);
+/* setfileflag marks a file context as customized.  IE. a default setfiles 
+   will not relabel it.
+*/
+/* The following bit constants can be used with flags */
+#define SELINUX_CUSTOMIZE 1 << 0
+extern int setfileconflag(const char *path, unsigned int flag);
+extern int lsetfileconflag(const char *path, unsigned int flag);
+extern int getfileconflag(const char *path, unsigned int *flag);
+extern int lgetfileconflag(const char *path, unsigned int *flag);
 
 
 /* Wrappers for the socket API */
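Review bot: `#define SELINUX_CUSTOMIZE 1 << 0` is unparenthesized, so any operator applied to it is at the mercy of precedence — `!SELINUX_CUSTOMIZE`, which the policycoreutils side of this series uses, parses as `(!1) << 0`; make it `#define SELINUX_CUSTOMIZE (1U << 0)`. The comment above the prototypes names a `setfileflag` that does not exist and should say `setfileconflag`. Since the functions come in get/lget and set/lset pairs, spell out the symlink rule so callers pair them consistently, e.g. `/* getfileconflag/setfileconflag follow symlinks; the l-variants act on the link itself. */`.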
diff --exclude-from=exclude -N -u -r nsalibselinux/src/getfilecon.c libselinux-1.17.15/src/getfilecon.c
--- nsalibselinux/src/getfilecon.c	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/getfilecon.c	2004-10-22 14:55:41.000000000 -0400
@@ -43,3 +43,15 @@
 		*context = buf;
 	return ret;
 }
+
+int getfileconflag(const char *path, unsigned int *retflag)
+{
+	unsigned int flag=0;
+	int rc=0;
+	rc=lgetxattr(path, XATTR_NAME_SELINUX_FLAG, &flag, sizeof(flag));
+	if (rc>=0) 
+		*retflag=le32_to_cpu(flag);
+	else 
+		*retflag=0;
+	return rc;
+}
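Review bot: `getfileconflag()` calls `lgetxattr()`, making it a byte-for-byte duplicate of `lgetfileconflag()` that does not follow symlinks, while its counterpart `setfileconflag()` uses `setxattr()` and does; a flag set through a symlink is then never read back through the same path. The non-`l` variant should call `getxattr(path, XATTR_NAME_SELINUX_FLAG, &flag, sizeof(flag))`, mirroring how `getfilecon()` differs from `lgetfilecon()`.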
diff --exclude-from=exclude -N -u -r nsalibselinux/src/lgetfilecon.c libselinux-1.17.15/src/lgetfilecon.c
--- nsalibselinux/src/lgetfilecon.c	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/lgetfilecon.c	2004-10-22 14:55:34.000000000 -0400
@@ -43,3 +43,14 @@
 		*context = buf;
 	return ret;
 }
+int lgetfileconflag(const char *path, unsigned int *retflag)
+{
+	unsigned int flag=0;
+	int rc=0;
+	rc=lgetxattr(path, XATTR_NAME_SELINUX_FLAG, &flag, sizeof(flag));
+	if (rc>=0) 
+		*retflag=le32_to_cpu(flag);
+	else 
+		*retflag=0;
+	return rc;
+}
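Review bot: On any `lgetxattr()` failure `*retflag` is silently zeroed and the negative rc returned, and the callers in this series ignore that return value, so a permission or I/O error on the flag attribute reads as "not customized"; that is the safe direction for a relabel, but the contract should be written down, e.g. `/* Returns the attribute length or -1 with errno set; *retflag is 0 on error (ENODATA = no flags recorded). */`. A stored attribute longer than 4 bytes fails with ERANGE while a shorter one is accepted with trailing zero bytes, so test `rc == sizeof(flag)` rather than `rc >= 0` before trusting the value.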
diff --exclude-from=exclude -N -u -r nsalibselinux/src/lsetfilecon.c libselinux-1.17.15/src/lsetfilecon.c
--- nsalibselinux/src/lsetfilecon.c	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/lsetfilecon.c	2004-10-22 14:55:54.000000000 -0400
@@ -11,3 +11,8 @@
 {
 	return lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context)+1, 0);
 }
+int lsetfileconflag(const char *path, unsigned int flag)
+{
+	unsigned int nflag=cpu_to_le32(flag);
+	return lsetxattr(path, XATTR_NAME_SELINUX_FLAG, &nflag, sizeof(nflag), 0);
+}
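Review bot: `lsetfileconflag()` pushes a host `unsigned int` through `cpu_to_le32()`, which only yields a 4-byte little-endian attribute if `unsigned int` is 32 bits wide; since the value is persisted on disk and may be read by other hosts, declare it `uint32_t nflag = cpu_to_le32(flag);` and use the same width in the getters so the on-disk format does not depend on the ABI.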
diff --exclude-from=exclude -N -u -r nsalibselinux/src/policy.h libselinux-1.17.15/src/policy.h
--- nsalibselinux/src/policy.h	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/policy.h	2004-10-22 14:52:26.000000000 -0400
@@ -3,8 +3,26 @@
 
 /* Private definitions used internally by libselinux. */
 
+/* Endian conversion for reading and writing binary policies */
+
+#include <byteswap.h>
+#include <endian.h>
+
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+#define cpu_to_le32(x) (x)
+#define le32_to_cpu(x) (x)
+#define cpu_to_le64(x) (x)
+#define le64_to_cpu(x) (x)
+#else
+#define cpu_to_le32(x) bswap_32(x)
+#define le32_to_cpu(x) bswap_32(x)
+#define cpu_to_le64(x) bswap_64(x)
+#define le64_to_cpu(x) bswap_64(x)
+#endif
+
 /* xattr name for SELinux attributes. */
 #define XATTR_NAME_SELINUX "security.selinux"
+#define XATTR_NAME_SELINUX_FLAG "security.selinux.flag"
 
 /* Initial length guess for getting contexts. */
 #define INITCONTEXTLEN 255
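Review bot: `security.selinux.flag` lives in the `security.*` namespace and the patch does not say who may write it; as far as I recall the kernel lets the LSM gate `security.selinux` itself (relabelfrom/relabelto) but falls back to CAP_SYS_ADMIN for other `security.*` names, which would mean an unprivileged `chcon` cannot set the flag at all, while anything that can write it can pin a wrong label so that a default `restorecon`/`fixfiles` never corrects it. Please confirm the kernel and policy treatment before relying on the flag, and record the trust assumption next to the define, e.g. `/* Must be as tightly controlled as security.selinux: whoever can write it can exempt a file from relabeling. */`. The comment on the endian macros says they are for "reading and writing binary policies", which looks copied from libsepol; here they serialize the flag attribute.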
diff --exclude-from=exclude -N -u -r nsalibselinux/src/setfilecon.c libselinux-1.17.15/src/setfilecon.c
--- nsalibselinux/src/setfilecon.c	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/setfilecon.c	2004-10-22 14:53:02.000000000 -0400
@@ -11,3 +11,8 @@
 {
 	return setxattr(path, XATTR_NAME_SELINUX, context, strlen(context)+1, 0);
 }
+int setfileconflag(const char *path, unsigned int flag)
+{
+	unsigned int nflag=cpu_to_le32(flag);
+	return setxattr(path, XATTR_NAME_SELINUX_FLAG, &nflag, sizeof(nflag), 0);
+}
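Review bot: `setfileconflag(path, 0)` does not remove the mark; because `setxattr()` with flags `0` creates or replaces, it stores a 4-byte zero attribute, so a file that was customized once keeps a `security.selinux.flag` attribute for life and any tool that tests for the attribute's presence will misread it. If zero means "no flags", handle it explicitly before the `setxattr()` call: `if (flag == 0) return removexattr(path, XATTR_NAME_SELINUX_FLAG);`, treating ENODATA as success.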
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/getfileconflag.c libselinux-1.17.15/utils/getfileconflag.c
--- nsalibselinux/utils/getfileconflag.c	1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.17.15/utils/getfileconflag.c	2004-10-22 14:57:52.000000000 -0400
@@ -0,0 +1,24 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <selinux/selinux.h>
+
+int main(int argc, char **argv) 
+{
+	int rc, i;
+	int flag;
+	if (argc < 2) {
+		fprintf(stderr, "usage:  %s path...\n", argv[0]);
+		exit(1);
+	}
+
+	for (i = 1; i < argc; i++) {
+		rc = getfileconflag(argv[i], &flag);
+		if (rc < 0) {
+			fprintf(stderr, "%s:  getfileconflag(%s) failed\n", argv[0], argv[i]);
+			exit(2);
+		}
+		printf("%s\t%d\n", argv[i], flag);
+	}
+	exit(0);
+}
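Review bot: `int flag` is passed to `getfileconflag()`, whose parameter is `unsigned int *`, and printed with `%d`; declare it `unsigned int flag;` and print with `%u` (or `%#x`, since it is a bit mask). The tool also exits 2 on an ordinary unmarked file, because `getfileconflag()` returns the negative `lgetxattr()` result for ENODATA even though it sets the flag to 0; check `errno == ENODATA` and print 0 in that case. The failure message should include `strerror(errno)` as the `setfileconflag` utility's does.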
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/setfileconflag.c libselinux-1.17.15/utils/setfileconflag.c
--- nsalibselinux/utils/setfileconflag.c	1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.17.15/utils/setfileconflag.c	2004-10-22 14:57:28.000000000 -0400
@@ -0,0 +1,25 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <selinux/selinux.h>
+#include <errno.h>
+#include <string.h>
+
+int main(int argc, char **argv) 
+{
+	int rc, i;
+	int flag=SELINUX_CUSTOMIZE;
+	if (argc < 2) {
+		fprintf(stderr, "usage:  %s path...\n", argv[0]);
+		exit(1);
+	}
+
+	for (i = 1; i < argc; i++) {
+		rc = setfileconflag(argv[i],flag);
+		if (rc < 0) {
+			fprintf(stderr, "%s:  setfileconflag(%s) failed: %s\n", argv[0], argv[i],strerror(errno));
+			exit(2);
+		}
+	}
+	exit(0);
+}
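Review bot: The utility stores exactly `SELINUX_CUSTOMIZE`, overwriting whatever other bits the attribute already held, and offers no way to clear the mark, so the only route back is `restorecon -F`. Read the current value first and OR the bit in, e.g. `getfileconflag(argv[i], &flag); flag |= SELINUX_CUSTOMIZE;` with ENODATA treated as 0, and consider an option that clears it. Note also that `setfileconflag()` follows symlinks whereas `restorecon` and `setfiles` consult `lgetfileconflag()` on the link itself, so marking a symlink here protects the target but not the link.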

[-- Attachment #3: policycoreutils.diff --]
[-- Type: text/x-diff, Size: 12665 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.8 policycoreutils-1.17.6/restorecon/restorecon.8
--- nsapolicycoreutils/restorecon/restorecon.8	2004-10-06 09:47:27.000000000 -0400
+++ policycoreutils-1.17.6/restorecon/restorecon.8	2004-10-22 15:32:09.757994544 -0400
@@ -7,7 +7,7 @@
 .I [\-o outfilename ] [\-R] [\-n] [\-v] pathname...
 .P
 .B restorecon
-.I \-f infilename [\-o outfilename ] [\-R] [\-n] [\-v] 
+.I \-f infilename [\-o outfilename ] [\-F] [\-R] [\-n] [\-v] 
 
 .SH "DESCRIPTION"
 This manual page describes the
@@ -26,6 +26,9 @@
 .B \-f infilename
 infilename contains a list of files to be processed by application. Use \- for stdin.
 .TP 
+.B \-F
+restore file context even if admin customized file context.
+.TP 
 .B \-R
 change files and directories file labels recursively
 .TP 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.17.6/restorecon/restorecon.c
--- nsapolicycoreutils/restorecon/restorecon.c	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/restorecon/restorecon.c	2004-10-22 15:35:25.200282800 -0400
@@ -8,11 +8,14 @@
  * to match the specification returned by matchpathcon.
  *
  * USAGE:
- * restorecon [-Rnv] pathname...
+ * restorecon [-FRnv] [-f inputfile ] [ -o outputfile ] pathname...
  * 
+ * -R	recurse
  * -n	Do not change any file labels.
  * -v	Show changes in file labels.  
- * -o filename save list of files with incorrect context
+ * -o	filename save list of files with incorrect context
+ * -F	Restore file context even if the customize flag is set
+ * -f	filename to read from for changing filecontext
  *
  * pathname...	The file(s) to label 
  *
@@ -42,11 +45,12 @@
 static char *progname;
 static int errors=0;
 static int recurse;
+static int force=0;
 
 void usage(const char * const name)
 {	
   fprintf(stderr,
-	  "usage:  %s [-Rnv] [-f filename | pathname... ]\n",  name);
+	  "usage:  %s [-FRnv] [-f filename | pathname... ]\n",  name);
   exit(1);
 }
 int restore(char *filename) {
@@ -54,6 +58,8 @@
   int retval=0;
   security_context_t scontext;
   security_context_t prev_context;
+  unsigned int customized=0;
+  unsigned int flag=0;
   int len=strlen(filename);
   struct stat st;
   char path[PATH_MAX+1];
@@ -109,14 +115,27 @@
     return 0;
   }
   retcontext=lgetfilecon(filename,&prev_context);
-  
+   
   if (retcontext >= 0 || errno == ENODATA) {
     if (retcontext < 0 || strcmp(prev_context,scontext) != 0) {
-      if (outfile) {
-	fprintf(outfile, "%s\n", filename);
-      }
+      lgetfileconflag(filename, &flag);
+      customized=flag & SELINUX_CUSTOMIZE;
+      if (outfile  && (!customized || force))
+	    fprintf(outfile, "%s\n", filename);
       if (change) {
-	retval=lsetfilecon(filename,scontext);
+	if (customized) {
+		if (force) {
+			retval=lsetfilecon(filename,scontext);
+			if (retval >= 0)
+				lsetfileconflag(filename, flag & !SELINUX_CUSTOMIZE);
+		} else {
+			if (verbose)
+				fprintf(stderr,"%s did not reset context for %s, marked flaganent\n",
+					progname, filename);
+		}
+	} else {
+		retval=lsetfilecon(filename,scontext);
+	}
       }
       if (retval<0) {
 	  fprintf(stderr,"%s set context %s->%s failed:'%s'\n",
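Review bot: `flag & !SELINUX_CUSTOMIZE` in the `-F` branch uses logical not, so it evaluates to `flag & 0` and clears every flag bit rather than just the customized one; the intended expression is `flag & ~SELINUX_CUSTOMIZE`, and the `lsetfileconflag()` result should be checked like the `lsetfilecon()` result just above it, otherwise the label is reset but the file stays marked customized and is silently skipped next time. The verbose message in the other branch says `marked flaganent`, a leftover from renaming "permanent"; `marked customized` is what the reader expects. `restore()` continues past this hunk.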
@@ -126,7 +145,7 @@
 	  freecon(scontext);
 	  return 1;
       } else 	
-	if (verbose)
+	if (verbose && (!customized || force))
 	  fprintf(stderr,"%s reset context %s->%s\n",
 		  progname, filename, scontext);
     } 
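Review bot: With `-n` (the mode `fixfiles check` runs), a customized file whose label differs from policy is now neither written to the `-o` file nor reported under `-v`, because both were gated on `(!customized || force)` and the only message that mentions it sits under `if (change)`, so check mode silently drops exactly the files an auditor most wants to see. Keep reporting the mismatch and tag it instead, e.g. `fprintf(stderr, "%s would reset context %s->%s (customized, skipped)\n", progname, filename, scontext);` or a marked line in the outfile, so a label pinned by mistake — or by anyone able to write the flag — is not hidden from the periodic report.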
@@ -179,7 +198,7 @@
 
   memset(buf,0, sizeof(buf));
 
-  while ((opt = getopt(argc, argv, "Rnvf:o:")) > 0) {
+  while ((opt = getopt(argc, argv, "FRnvf:o:")) > 0) {
     switch (opt) {
     case 'n':
       change = 0;
@@ -187,6 +206,9 @@
     case 'R':
       recurse = 1;
       break;
+    case 'F':
+      force = 1;
+      break;
     case 'o':
       outfile = fopen(optarg,"w");
       if (!outfile) {
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.17.6/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/scripts/fixfiles	2004-10-22 15:32:09.759994240 -0400
@@ -31,6 +31,8 @@
 outfileFlag=0
 OUTFILES=""
 logfileFlag=0
+LOGFILE=/dev/null
+SYSLOGFLAG="-l"
 SETFILES=/usr/sbin/setfiles
 FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(rw/{print $3}';`
 FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(ro/{print $3}';`
@@ -44,50 +46,54 @@
     FC=/etc/security/selinux/file_contexts
 fi
 
+logit () {
+if [ $logfileFlag = 0 ]; then
+    logger -i $1
+else
+    echo $1 >> $LOGFILE
+fi
+}
 checkLabels () {
-echo "logging to $LOGFILE"
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 > $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 >> $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
-        echo "Warning: Skipping the following R/O filesystems:"
-        echo "$FILESYSTEMSRO"
+        logit "Warning: Skipping the following R/O filesystems:"
+        logit "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -n -v ${FC} ${FILESYSTEMSRW} 2>&1 > $LOGFILE
+    ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -n -v ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
 fi
 }
 
 restoreLabels () {
-echo "logging to $LOGFILE"
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 > $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 >> $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
-        echo "Warning: Skipping the following R/O filesystems:"
-        echo "$FILESYSTEMSRO"
+        logit "Warning: Skipping the following R/O filesystems:"
+        logit "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 > $LOGFILE
+    ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -v ${FC} ${FILESYSTEMS} 2>&1 >> $LOGFILE
 fi
 }
 
 relabel() {
-echo "logging to $LOGFILE"
-echo "Cleaning out /tmp"
+logit "Cleaning out /tmp"
 rm -rf /tmp/.??* /tmp/*
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 > $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 >> $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
-        echo "Warning: Skipping the following R/O filesystems:"
-        echo "$FILESYSTEMSRO"
+        logit "Warning: Skipping the following R/O filesystems:"
+        logit "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 > $LOGFILE
+    ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -v ${FC} ${FILESYSTEMS} 2>&1 >> $LOGFILE
 fi
 }
 relabelCheck() {
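Review bot: `logit()` expands `$1` unquoted in both `logger -i $1` and `echo $1 >> $LOGFILE`, so the multi-line `$FILESYSTEMSRO` list is word-split onto one line and a mount point containing glob characters is expanded; quote both as `"$1"` and pass `--` to logger. The redirection `2>&1 >> $LOGFILE` on every `restorecon`/`setfiles` line is in the wrong order: stderr is duplicated onto the original stdout before stdout is sent to the log, so the `-v` output (which both tools print on stderr) never reaches `$LOGFILE` and with the new `/dev/null` default lands on the terminal or in cron mail instead. Write `>> "$LOGFILE" 2>&1`; the ordering predates this patch, but the patch rewrites these lines.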
@@ -129,6 +135,8 @@
 fi
 if [ $logfileFlag = 2 ]; then
     LOGFILE="$i"
+    echo > $LOGFILE
+    SYSLOGFLAG=""
     logfileFlag=1
     continue
 fi
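Review bot: `echo > $LOGFILE` truncates the operator-supplied path unconditionally and unquoted, and nothing checks that it could be opened now that the `-w` test went away with the mktemp block, so a typo in `-l` silently empties a file and every later `>>` fails one by one. Use `: > "$LOGFILE" || { echo "cannot write $LOGFILE" >&2; exit 1; }` and quote `$LOGFILE` at every use.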
@@ -165,13 +173,6 @@
     exit 1
 fi
 
-if [ $logfileFlag = 0 ]; then
-    LOGFILE=`mktemp /var/tmp/fixfiles.log.XXXXXXXXXX`
-    if [ ! -w $LOGFILE ] ; then
-	exit 1
-    fi
-fi
-
 if [ $checkFlag = 1 ]; then
     checkLabels $rpmFiles
 fi
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles.cron policycoreutils-1.17.6/scripts/fixfiles.cron
--- nsapolicycoreutils/scripts/fixfiles.cron	2004-09-10 11:25:57.000000000 -0400
+++ policycoreutils-1.17.6/scripts/fixfiles.cron	2004-10-22 15:32:09.760994088 -0400
@@ -21,7 +21,8 @@
 	    mail ${CRONMAILTO} -s "Invalid File Contexts" < $OUTFILE
 	    rm -f $OUTFILE
 	else
-	    mail ${CRONMAILTO} -s "Invalid File Contexts listed in $OUTFILE" < /dev/null
+	    MESSAGE="Invalid File Contexts listed in $OUTFILE"
+	    mail ${CRONMAILTO} -s "Invalid File Contexts" <<< $MESSAGE
 	fi
     else
 	rm -f $OUTFILE
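Review bot: `<<< $MESSAGE` is a bash here-string, so this only works if `fixfiles.cron` runs under bash rather than `/bin/sh`; the shebang is outside the hunk, so please confirm, or use `echo "$MESSAGE" | mail ${CRONMAILTO} -s "Invalid File Contexts"`, which is portable. The temporary `MESSAGE` variable is not needed — `<<< "Invalid File Contexts listed in $OUTFILE"` reads the same.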
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-1.17.6/scripts/Makefile
--- nsapolicycoreutils/scripts/Makefile	2004-09-10 11:25:57.000000000 -0400
+++ policycoreutils-1.17.6/scripts/Makefile	2004-10-22 15:32:09.761993936 -0400
@@ -12,7 +12,7 @@
 	-mkdir -p $(BINDIR)
 	install -m 755 $(TARGETS) $(BINDIR)
 	install -m 755 fixfiles $(DESTDIR)/sbin
-	install -D -m 755 fixfiles.cron $(DESTDIR)/etc/cron.daily/fixfiles.cron
+	install -D -m 755 fixfiles.cron $(DESTDIR)/etc/cron.weekly/fixfiles.cron
 	-mkdir -p $(MANDIR)/man8
 	install -m 644 fixfiles.8.gz $(MANDIR)/man8/
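Review bot: Moving `fixfiles.cron` from `cron.daily` to `cron.weekly` stretches the window in which a mislabeled file goes unreported from one day to seven, and the series does not say why; if it is the cost of the new per-file flag lookup, that deserves a sentence, since this check is a detection control. Installing under a new directory also does nothing about an existing `/etc/cron.daily/fixfiles.cron` on upgraded systems unless the packaging removes it, in which case both copies run; the spec file is not visible here, so please confirm.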
 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-1.17.6/setfiles/setfiles.8
--- nsapolicycoreutils/setfiles/setfiles.8	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/setfiles/setfiles.8	2004-10-22 15:32:09.761993936 -0400
@@ -4,7 +4,7 @@
 
 .SH "SYNOPSIS"
 .B setfiles
-.I [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-q] [\-s] [\-v] [\-vv] [\-W] spec_file pathname...
+.I [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-q] [\-s] [\-v] [\-vv] [\-F] [\-W] spec_file pathname...
 .SH "DESCRIPTION"
 This manual page describes the
 .BR setfiles
@@ -47,6 +47,9 @@
 .B \-vv
 show changes in file labels, if type, role, or user are changing.
 .TP 
+.B \-F
+set file context even if admin customized file context.
+.TP 
 .B \-W
 display warnings about entries that had no matching files.
 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-1.17.6/setfiles/setfiles.c
--- nsapolicycoreutils/setfiles/setfiles.c	2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/setfiles/setfiles.c	2004-10-22 15:36:18.282213120 -0400
@@ -12,7 +12,7 @@
  * the user.  The program does not cross file system boundaries.
  *
  * USAGE:
- * setfiles [-dnpqsvW] [-e directory ] [-c policy] [-o filename ] spec_file pathname...
+ * setfiles [-FdnpqsvW] [-e directory ] [-c policy] [-o filename ] spec_file pathname...
  * 
  * -e   Specify directory to exclude
  * -c   Verify the specification file using a binary policy
@@ -24,6 +24,7 @@
  * -s   Use stdin for a list of files instead of searching a partition.
  * -v	Show changes in file labels.  
  * -W   Warn about entries that have no matching file.
+ * -F	reset file context even if the customize flag is set
  * -o filename write out file names with wrong context.
  *
  * spec_file	The specification file.
@@ -96,6 +97,7 @@
 static int use_stdin = 0;
 static int verbose = 0;
 static int log = 0;
+static int force = 0;
 static int warn_no_match = 0;
 static char *rootpath = NULL;
 static int rootpathlen = 0;
@@ -515,9 +517,9 @@
 void usage(const char * const name)
 {
 	fprintf(stderr,
-		"usage:  %s [-dnqvW] [-o filename] spec_file pathname...\n"
+		"usage:  %s [-FdnqvW] [-o filename] spec_file pathname...\n"
 		"usage:  %s [-c policyfile] spec_file\n"
-		"usage:  %s -s [-dnqvW] [-o filename ] spec_file\n", name, name, name);
+		"usage:  %s -s [-FdnqvW] [-o filename ] spec_file\n", name, name, name);
 	exit(1);
 }
 
@@ -603,6 +605,8 @@
 	struct stat my_sb;
 	int i, ret;
 	char *context; 
+	unsigned int customize=0;
+	unsigned int fileconflag=0;
 
 	/* Skip the extra slash at the beginning, if present. */
 	if (file[0] == '/' && file[1] == '/')
@@ -675,7 +679,9 @@
 		return 0;
 	}
 
-	if (verbose) {
+	lgetfileconflag(my_file, &fileconflag);
+	customize=fileconflag & SELINUX_CUSTOMIZE;
+	if (verbose && (!customize || force)) {
 		/* If we're just doing "-v", trim out any relabels where
 		 * the user has changed but the role and type are the
 		 * same.  For "-vv", emit everything. */
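Review bot: The return value of `lgetfileconflag(my_file, &fileconflag);` is discarded, so a lookup failure and a genuinely unflagged file are indistinguishable; because `fileconflag` starts at 0 a failure silently means "not customized, relabel", which is the right default for a missing attribute but hides every other error class. Consider distinguishing the two, e.g. `if (lgetfileconflag(my_file, &fileconflag) < 0 && errno != ENODATA) { /* report under -v, keep fileconflag = 0 */ }` (presumably libselinux passes the getxattr errno through; confirm). The predicate `(!customize || force)` is then repeated three times in this and the following hunk; computing it once, `int keep = customize && !force;`, would make the three sites agree and avoid the operator mix-up that the next hunk has. The enclosing function begins outside the hunk.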
@@ -686,22 +692,22 @@
 		}
 	}
 
-	if (log &&
+	if (log && (!customize || force) &&
 	    !only_changed_user(context, spec_arr[i].context)) {
 		syslog(LOG_INFO, "relabeling %s from %s to %s\n", 
 		       my_file, context, spec_arr[i].context);
 	}
 
-	if (outfile &&
+	if (outfile && (!customize || force) &&
 	    !only_changed_user(context, spec_arr[i].context)) 
 		fprintf(outfile, "%s\n", my_file);
 
 	freecon(context);
 
 	/*
-	 * Do not relabel the file if -n was used.
+	 * Do not relabel the file if -n was used or if customized.
 	 */
-	if (!change)
+	if (!change || (customize & !force))
 		return 0;
 
 	/*
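Review bot: `if (!change || (customize & !force))` mixes a bitwise `&` with a logical operand: `!force` is 0 or 1, so the test only holds when `SELINUX_CUSTOMIZE` has bit 0 set; if the flag is any other bit, `customize & 1` is always 0 and customized files are relabeled regardless of `-F`, contradicting the `(!customize || force)` guards just above. Use `if (!change || (customize && !force))`. The same `!`-for-bitwise confusion appears at the `lsetfileconflag` call in the next hunk.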
@@ -714,6 +720,7 @@
 			progname, my_file, spec_arr[i].context);
 		return 0;
 	}
+	lsetfileconflag(my_file, fileconflag & !SELINUX_CUSTOMIZE);
 
 	return 0;
 }
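Review bot: `lsetfileconflag(my_file, fileconflag & !SELINUX_CUSTOMIZE);` evaluates `!SELINUX_CUSTOMIZE` to 0 for any nonzero flag constant, so the argument is always 0 and every flag bit is wiped rather than only the customize bit; the intended mask is `fileconflag & ~SELINUX_CUSTOMIZE`. The return value is also unchecked, unlike the preceding setfilecon error path, and the call is made for every successfully relabeled file even when `fileconflag` was already 0, which may add one xattr write per file depending on how libselinux implements it (the cover letter already expects a slowdown). Since the relabel and the flag update are two separate xattr writes, a failure between them leaves the context changed but the flag stale, which is worth stating in a comment at the call site.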
@@ -775,7 +782,7 @@
 	memset(excludeArray,0, sizeof(excludeArray));
 
 	/* Process any options. */
-	while ((opt = getopt(argc, argv, "c:dlnqrsvWe:o:")) > 0) {
+	while ((opt = getopt(argc, argv, "Fc:dlnqrsvWe:o:")) > 0) {
 		switch (opt) {
 		case 'c':
 		{
@@ -837,6 +844,9 @@
 		case 'l':
 			log = 1;
 			break;
+		case 'F':
+			force = 1;
+			break;
 		case 'n':
 			change = 0;
 			break;


* Re: Proposed patch for libselinux
  2004-10-22 20:22     ` Daniel J Walsh
@ 2004-10-25 14:52       ` Stephen Smalley
  2004-10-25 15:31         ` Colin Walters
                           ` (2 more replies)
  0 siblings, 3 replies; 22+ messages in thread
From: Stephen Smalley @ 2004-10-25 14:52 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux, Colin Walters

Let's step back for a moment from the implementation details and talk
about the concept/usage of this customized flag for SELinux attributes.

The file_contexts configuration and setfiles were only intended to
initialize the system, as previously noted.  After installation, one
should only do a make relabel upon a major policy upgrade, and even in
that case, it would be better to selectively relabel based on the
differences between the policies.  At runtime, the file attributes will
be set based on policy and in some cases refined by application and/or
user knowledge subject to policy (setfscreatecon(3) or setfilecon(3)),
reflecting the actual security properties of the objects.

At any given time, you can find all files that are no longer consistent
with the file_contexts configuration via setfiles -nv.  You don't need a
separate file attribute for that purpose, and the proposed flags
attribute will only show files relabeled via chcon(1).  Why should we
treat such files differently than a file whose security context was set
by any other application using setfilecon(3) or created after an
explicit setfscreatecon(3) or even created in accordance with a file
type transition rule?  Typically, we don't want any of those files to be
relabeled by a subsequent make relabel; we would only want them
relabeled if there was a policy bug or application bug that had allowed
those files to become mis-labeled in the first place at runtime, or if
there has been a change in policy that affects those files/types.

I'm inclined more towards the idea of alternatives in the file_contexts
configuration, e.g. you specify a "primary" security context to be
applied upon initialization, and you optionally specify alternatives
(either individually or via equivalence classes) that are equally
permissible.  setfiles then defaults to applying the primary context,
but will allow the file to remain unchanged if it has been set to any of
the alternatives.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch for libselinux
  2004-10-25 14:52       ` Stephen Smalley
@ 2004-10-25 15:31         ` Colin Walters
  2004-10-25 18:00         ` Daniel J Walsh
  2004-10-26 14:21         ` Luke Kenneth Casson Leighton
  2 siblings, 0 replies; 22+ messages in thread
From: Colin Walters @ 2004-10-25 15:31 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, SELinux

On Mon, 2004-10-25 at 10:52 -0400, Stephen Smalley wrote:

> I'm inclined more towards the idea of alternatives in the file_contexts
> configuration, e.g. you specify a "primary" security context to be
> applied upon initialization, and you optionally specify alternatives
> (either individually or via equivalence classes) that are equally
> permissible.  setfiles then defaults to applying the primary context,
> but will allow the file to remain unchanged if it has been set to any of
> the alternatives.

I think you're right; this handles the use cases I can think of for the
custom attribute. 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch for libselinux
  2004-10-25 14:52       ` Stephen Smalley
  2004-10-25 15:31         ` Colin Walters
@ 2004-10-25 18:00         ` Daniel J Walsh
  2004-10-26 14:21         ` Luke Kenneth Casson Leighton
  2 siblings, 0 replies; 22+ messages in thread
From: Daniel J Walsh @ 2004-10-25 18:00 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux, Colin Walters

Stephen Smalley wrote:

>Let's step back for a moment from the implementation details and talk
>about the concept/usage of this customized flag for SELinux attributes.
>
>The file_contexts configuration and setfiles were only intended to
>initialize the system, as previously noted.  After installation, one
>should only do a make relabel upon a major policy upgrade, and even in
>that case, it would be better to selectively relabel based on the
>differences between the policies.  At runtime, the file attributes will
>be set based on policy and in some cases refined by application and/or
>user knowledge subject to policy (setfscreatecon(3) or setfilecon(3)),
>reflecting the actual security properties of the objects.
>
>At any given time, you can find all files that are no longer consistent
>with the file_contexts configuration via setfiles -nv.  You don't need a
>separate file attribute for that purpose, and the proposed flags
>attribute will only show files relabeled via chcon(1).  Why should we
>treat such files differently than a file whose security context was set
>by any other application using setfilecon(3) or created after an
>explicit setfscreatecon(3) or even created in accordance with a file
>type transition rule?  Typically, we don't want any of those files to be
>relabeled by a subsequent make relabel; we would only want them
>relabeled if there was a policy bug or application bug that had allowed
>those files to become mis-labeled in the first place at runtime, or if
>there has been a change in policy that affects those files/types.
>
>I'm inclined more towards the idea of alternatives in the file_contexts
>configuration, e.g. you specify a "primary" security context to be
>applied upon initialization, and you optionally specify alternatives
>(either individually or via equivalence classes) that are equally
>permissible.  setfiles then defaults to applying the primary context,
>but will allow the file to remain unchanged if it has been set to any of
>the alternatives.
>
>  
>
This is true.  But we still need an easy way for users to add additional 
security contexts to the environment without installing policy-*sources.
I.e., I set up an alternate build environment under /opt/working that I want 
owned by dwalsh. 
To do that presently you would need to install sources and add a file 
under file_context/misc.

We need to change setfiles or some tool to look in 
/etc/selinux/*/context/files/* and load all policy files in the directory,
starting with file_context.


Dan

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch for libselinux
  2004-10-26 14:21         ` Luke Kenneth Casson Leighton
@ 2004-10-26 14:13           ` Stephen Smalley
  2004-10-26 15:21             ` Luke Kenneth Casson Leighton
  2004-10-26 18:05           ` Luke Kenneth Casson Leighton
  1 sibling, 1 reply; 22+ messages in thread
From: Stephen Smalley @ 2004-10-26 14:13 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: Daniel J Walsh, SELinux, Colin Walters

On Tue, 2004-10-26 at 10:21, Luke Kenneth Casson Leighton wrote:
>  it would appear, therefore, that no provision has been made for
>  filesystem recovery.

star and (recently patched) rsync support backing up security
attributes from live filesystems.

>  i find frequently that ext3 filesystem damage results in fsck.ext3
>  going "the extended attributes aren't valid: truncating".

I've never seen this.  Easily reproducible?

>  this leaves you with a (null) for an selinux access, as if you had
>  run your system with a non-selinux kernel and written some files.
> 
>  under such circumstances, i find that the only [simple] means
>  at present to recover such a damaged system is to run setfiles.

It seems that in that case, you would just want to relabel files that
have no label at all, not any files that already have labels.  It might
be reasonable to have an option to setfiles to cause it to only relabel
files that lack a SELinux attribute and leave all others intact.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch for libselinux
  2004-10-25 14:52       ` Stephen Smalley
  2004-10-25 15:31         ` Colin Walters
  2004-10-25 18:00         ` Daniel J Walsh
@ 2004-10-26 14:21         ` Luke Kenneth Casson Leighton
  2004-10-26 14:13           ` Stephen Smalley
  2004-10-26 18:05           ` Luke Kenneth Casson Leighton
  2 siblings, 2 replies; 22+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-10-26 14:21 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, SELinux, Colin Walters

On Mon, Oct 25, 2004 at 10:52:37AM -0400, Stephen Smalley wrote:
> Let's step back for a moment from the implementation details and talk
> about the concept/usage of this customized flag for SELinux attributes.
> 
> The file_contexts configuration and setfiles were only intended to
> initialize the system, as previously noted.  

 it would appear, therefore, that no provision has been made for
 filesystem recovery.

 i find frequently that ext3 filesystem damage results in fsck.ext3
 going "the extended attributes aren't valid: truncating".

 this leaves you with a (null) for an selinux access, as if you had
 run your system with a non-selinux kernel and written some files.

 under such circumstances, i find that the only [simple] means
 at present to recover such a damaged system is to run setfiles.

 l.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch for libselinux
  2004-10-26 14:13           ` Stephen Smalley
@ 2004-10-26 15:21             ` Luke Kenneth Casson Leighton
  0 siblings, 0 replies; 22+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-10-26 15:21 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, SELinux, Colin Walters

On Tue, Oct 26, 2004 at 10:13:01AM -0400, Stephen Smalley wrote:
> On Tue, 2004-10-26 at 10:21, Luke Kenneth Casson Leighton wrote:
> >  it would appear, therefore, that no provision has been made for
> >  filesystem recovery.
> 
> star and (recently patched) rsync supports backing up security
> attributes from live filesystems.
> 
> >  i find frequently that ext3 filesystem damage results in fsck.ext3
> >  going "the extended attributes aren't valid: truncating".
> 
> I've never seen this.  Easily reproducible?
 
 this was four/five months ago - if you recall i sent details about it
 at the time, and part of the "solution" was to upgrade the / partition
 to ext3 (!)

 let me try and think.

 the circumstances under which this occurred were with a 2.6.7 selinux
 kernel, with an ext2 filesystem, i would do a make relabel: something
 was going badly wrong (which i never tracked down, i just moved on...)
 such that on the next reboot, the filesystem could not be shut down
 properly...

 ... it was related to that bug about having a program that would not
 let go of a file handle on the /usr partition, such that at shutdown
 time the /usr partition was remounted read-only, such that on startup
 /etc/mtab had a record of /usr being mounted read-only...

 ... and permission to overwrite /etc/mtab was banned from
 initrc_t, such that it was not possible to clear /etc/mtab,
 such that no mounting /usr AT ALL was done because /etc/mtab
 had a record of /usr being mounted read-only...

 ... at that point, things got very bad, i would have to shut down the
 computer: /etc/mtab would be cleared at shutdown (because no programs
 were or could be using the /usr partition)

 at _that_ point, on the next reboot, the filesystem would be severely
 damaged, and _that's_ when fsck.ext2 found stacks of damaged extended
 attributes, and would truncate them.

 
 so um... easily reproducible?  uhm... not really!!!

 slightly on the reassuring side:

 * i upgraded to 2.6.8 and haven't had the problem since.

 * i reported the problem about /etc/mtab and programs on /usr a couple
   of months back, and posted a fix for the /etc/init.d scripts (i
   think) which russell has since incorporated into initscripts.

   /etc/init.d/mountvirtfs.  yes.

   oh yes that's right it was to do with the detection of whether
   /etc was on a writeable partition by attempting to "touch /etc"
   from an initrc_t context - which of course will fail: the necessary
   change was to touch /etc/mtab instead.

 * i converted the / partition from ext2 to ext3 and thus "avoided"
   the issue.

 l.
 
-- 
--
you don't have to BE MAD   | this space    | my brother wanted to join mensa,
  to work, but   IT HELPS  |   for rent    | for an ego trip - and get kicked 
 you feel better!  I AM    | can pay cash  | out for a even bigger one.
--

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch for libselinux
  2004-10-26 14:21         ` Luke Kenneth Casson Leighton
  2004-10-26 14:13           ` Stephen Smalley
@ 2004-10-26 18:05           ` Luke Kenneth Casson Leighton
  1 sibling, 0 replies; 22+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-10-26 18:05 UTC (permalink / raw)
  To: Stephen Smalley, Daniel J Walsh, SELinux, Colin Walters

On Tue, Oct 26, 2004 at 03:21:26PM +0100, Luke Kenneth Casson Leighton wrote:

>  i find frequently that ext3 filesystem damage results in fsck.ext3

 correction: found.
 correction: ext2.

>  going "the extended attributes aren't valid: truncating".


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch for libselinux  -- xdr ???
  2004-10-22 12:48 ` Stephen Smalley
  2004-10-22 13:22   ` Daniel J Walsh
  2004-10-22 15:56   ` Luke Kenneth Casson Leighton
@ 2004-10-29 23:28   ` Nifty Hat Mitch
  2 siblings, 0 replies; 22+ messages in thread
From: Nifty Hat Mitch @ 2004-10-29 23:28 UTC (permalink / raw)
  To: SELinux

On Fri, Oct 22, 2004 at 08:48:39AM -0400, Stephen Smalley wrote:
> > diff --exclude-from=exclude -N -u -r nsalibselinux/src/getfilecon.c...
....
> Directly storing an integer in the xattr?  Endianness issues; you need
> to convert to a particular ordering before setting and convert back when
> getting.

I am a little late to this party...
Should xdr be specified for data in cases like this?

If all the data had an external data representation specification (man
xdr) then the right thing could happen.

In the world of storage area networks this could be an interesting
topic when the raw bits of the disk are exposed to hardware with
different data representations.



-- 
	T o m  M i t c h e l l 
	May your cup runneth over with goodness and mercy
	and may your buffers never overflow.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

