Change of restorecon and setfiles to not modify context if only_user_section changed

Change of restorecon and setfiles to not modify context if only_user_section changed

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 42 bytes --]

Specifying force (-F) will override.

Dan

[-- Attachment #2: policycoreutils-rhat.patch --]
[-- Type: text/x-patch, Size: 4220 bytes --]

Binary files nsapolicycoreutils/load_policy/load_policy and policycoreutils-1.21.1/load_policy/load_policy differ
Binary files nsapolicycoreutils/newrole/newrole and policycoreutils-1.21.1/newrole/newrole differ
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.21.1/restorecon/restorecon.c
--- nsapolicycoreutils/restorecon/restorecon.c	2005-01-20 15:59:21.000000000 -0500
+++ policycoreutils-1.21.1/restorecon/restorecon.c	2005-01-21 13:21:44.916873000 -0500
@@ -50,15 +50,12 @@
 static int only_changed_user(const char *a, const char *b)
 {
 	char *rest_a, *rest_b; /* Rest of the context after the user */
-	if (!a || !b)
-		return 0;
+	if (force) return 0;
+	if (!a || !b) return 0;
 	rest_a = strchr(a, ':');
 	rest_b = strchr(b, ':');
-	if (!rest_a || !rest_b)
-		return 0;
-	if (strcmp(rest_a, rest_b) == 0)
-		return 1;
-	return 0;
+	if (!rest_a || !rest_b) return 0;
+	return  (strcmp(rest_a, rest_b) == 0);
 }
 
 void usage(const char * const name)
@@ -75,6 +72,7 @@
   int len=strlen(filename);
   struct stat st;
   char path[PATH_MAX+1];
+  int user_only_changed=0;
   /* 
      Eliminate trailing /
   */
@@ -139,7 +137,8 @@
       if (outfile) {
 	fprintf(outfile, "%s\n", filename);
       }
-      if (change) {
+      user_only_changed = only_changed_user(scontext, prev_context);
+      if (change && !user_only_changed) {
 	retval=lsetfilecon(filename,scontext);
       }
       if (retval<0) {
@@ -151,7 +150,7 @@
 	  return 1;
       } else 	
 	      if (verbose && 
-		  (verbose > 1 || !only_changed_user(scontext, prev_context)))
+		  (verbose > 1 || !user_only_changed))
 		      fprintf(stderr,"%s reset context %s:%s->%s\n",
 			      progname, filename, (retcontext >= 0 ? prev_context : ""), scontext);
     }
Binary files nsapolicycoreutils/run_init/run_init and policycoreutils-1.21.1/run_init/run_init differ
Binary files nsapolicycoreutils/setfiles/setfiles and policycoreutils-1.21.1/setfiles/setfiles differ
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-1.21.1/setfiles/setfiles.c
--- nsapolicycoreutils/setfiles/setfiles.c	2005-01-20 15:59:22.000000000 -0500
+++ policycoreutils-1.21.1/setfiles/setfiles.c	2005-01-21 13:21:14.438382000 -0500
@@ -583,13 +583,12 @@
 static int only_changed_user(const char *a, const char *b)
 {
 	char *rest_a, *rest_b; /* Rest of the context after the user */
+	if (force) return 0;
+	if (!a || !b) return 0;
 	rest_a = strchr(a, ':');
 	rest_b = strchr(b, ':');
-	if (!rest_a || !rest_b)
-		return 0;
-	if (strcmp(rest_a, rest_b) == 0)
-		return 1;
-	return 0;
+	if (!rest_a || !rest_b) return 0;
+	return  (strcmp(rest_a, rest_b) == 0);
 }
 
 /*
@@ -605,6 +604,7 @@
 	struct stat my_sb;
 	int i, ret;
 	char *context; 
+	int user_only_changed=0;
 
 	/* Skip the extra slash at the beginning, if present. */
 	if (file[0] == '/' && file[1] == '/')
@@ -666,6 +666,8 @@
 		}
 	}
 
+	user_only_changed=only_changed_user(context, spec_arr[i].context);
+
 	/*
 	 * Do not relabel the file if the matching specification is 
 	 * <<none>> or the file is already labeled according to the 
@@ -690,21 +692,18 @@
 		/* If we're just doing "-v", trim out any relabels where
 		 * the user has changed but the role and type are the
 		 * same.  For "-vv", emit everything. */
-		if (verbose > 1 || 
-		    !only_changed_user(context, spec_arr[i].context)) {
+		if (verbose > 1 || !user_only_changed) {
 			printf("%s:  relabeling %s from %s to %s\n", progname,
 			       my_file, context, spec_arr[i].context);
 		}
 	}
 
-	if (log &&
-	    !only_changed_user(context, spec_arr[i].context)) {
+	if ( log && !user_only_changed ) {
 		syslog(LOG_INFO, "relabeling %s from %s to %s\n", 
 		       my_file, context, spec_arr[i].context);
 	}
 
-	if (outfile &&
-	    !only_changed_user(context, spec_arr[i].context)) 
+	if (outfile && !user_only_changed)
 		fprintf(outfile, "%s\n", my_file);
 
 	freecon(context);
@@ -712,7 +711,7 @@
 	/*
 	 * Do not relabel the file if -n was used.
 	 */
-	if (!change)
+	if (!change || user_only_changed) 
 		return 0;
 
 	/*
Binary files nsapolicycoreutils/setfiles/setfiles.o and policycoreutils-1.21.1/setfiles/setfiles.o differ

Re: Change of restorecon and setfiles to not modify context if only_user_section changed

[Stephen Smalley]

On Fri, 2005-01-21 at 13:23, Daniel J Walsh wrote:
> Specifying force (-F) will override.

Thanks, merged into sourceforge CVS as of policycoreutils 1.21.3.
Also includes the fix below for restorecon to avoid handling errors from
is_customizable_context() incorrectly as per Tom London's bug report.

Index: policycoreutils/restorecon/restorecon.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policycoreutils/restorecon/restorecon.c,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -p -r1.21 -r1.22
--- policycoreutils/restorecon/restorecon.c	21 Jan 2005 19:14:20 -0000	1.21
+++ policycoreutils/restorecon/restorecon.c	21 Jan 2005 19:39:23 -0000	1.22
@@ -133,7 +133,7 @@ int restore(char *filename) {
     int customizable=0;
     if (retcontext < 0 || 
 	(strcmp(prev_context,scontext) != 0 && 	
-	 !(customizable=(force ? 0: is_context_customizable(prev_context))))) {
+	 !(customizable=(force ? 0: (is_context_customizable(prev_context) > 0))))) {
       if (outfile) {
 	fprintf(outfile, "%s\n", filename);
       }

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.