* Change fixfiles to use file_context.local if it exists.
@ 2005-01-24 16:27 Daniel J Walsh
  2005-01-24 16:29 ` Stephen Smalley
  0 siblings, 1 reply; 4+ messages in thread
From: Daniel J Walsh @ 2005-01-24 16:27 UTC (permalink / raw)
  To: SELinux, Stephen Smalley

[-- Attachment #1: Type: text/plain, Size: 1 bytes --]



[-- Attachment #2: policycoreutils-rhat.patch --]
[-- Type: text/x-patch, Size: 857 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.21.1/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles	2005-01-24 11:19:10.103136000 -0500
+++ policycoreutils-1.21.1/scripts/fixfiles	2005-01-24 11:19:28.998223000 -0500
@@ -37,11 +37,19 @@
 SELINUXTYPE="targeted"
 if [ -e /etc/selinux/config ]; then
     . /etc/selinux/config
-    FC=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts
+    FC=`mktemp /var/tmp/file_contexts.XXXXXX`
+    cat /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local > $FC 2> /dev/null
 else
     FC=/etc/security/selinux/file_contexts
 fi
 
+cleanup() {
+    if [ -e /etc/selinux/config -a -f "$FC" ]; then
+	rm -f $FC
+    fi
+}
+trap "cleanup" 0 1 2 3 13 15
+
 #
 # Log to either syslog or a LOGFILE
 #
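Review bot: the `2> /dev/null` on the `+    cat ... > $FC` line hides more than the intended case of a missing file_contexts.local: if file_contexts itself is missing or unreadable, or if mktemp fails and leaves $FC empty, the error is swallowed and the script carries on with an empty or nonexistent spec. Suggest reading the base file unconditionally and making only the local file optional, e.g. `cat /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts > "$FC" || exit 1` followed by `[ -f .../file_contexts.local ] && cat .../file_contexts.local >> "$FC"`, and checking mktemp's exit status before the redirect. Quoting `$FC` both there and in the `rm -f $FC` of cleanup() also keeps the script safe from word splitting.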


* Re: Change fixfiles to use file_context.local if it exists.
  2005-01-24 16:27 Change fixfiles to use file_context.local if it exists Daniel J Walsh
@ 2005-01-24 16:29 ` Stephen Smalley
  2005-01-24 17:41   ` Daniel J Walsh
  0 siblings, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2005-01-24 16:29 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Mon, 2005-01-24 at 11:27, Daniel J Walsh wrote:
> diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.21.1/scripts/fixfiles
> --- nsapolicycoreutils/scripts/fixfiles	2005-01-24 11:19:10.103136000 -0500
> +++ policycoreutils-1.21.1/scripts/fixfiles	2005-01-24 11:19:28.998223000 -0500
> @@ -37,11 +37,19 @@
>  SELINUXTYPE="targeted"
>  if [ -e /etc/selinux/config ]; then
>      . /etc/selinux/config
> -    FC=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts
> +    FC=`mktemp /var/tmp/file_contexts.XXXXXX`
> +    cat /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local > $FC 2> /dev/null

Rather than using a temporary file in /var/tmp, I'd recommend creating
it in the same parent directory as the existing file_contexts
configuration (i.e. /etc/selinux/${SELINUXTYPE}/contexts/files). 
setfiles_t cannot read temporary files, and we don't especially want to
allow it to do so (to protect against low integrity input).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Change fixfiles to use file_context.local if it exists.
  2005-01-24 16:29 ` Stephen Smalley
@ 2005-01-24 17:41   ` Daniel J Walsh
  2005-01-25 18:52     ` Stephen Smalley
  0 siblings, 1 reply; 4+ messages in thread
From: Daniel J Walsh @ 2005-01-24 17:41 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

[-- Attachment #1: Type: text/plain, Size: 1166 bytes --]

Stephen Smalley wrote:

>On Mon, 2005-01-24 at 11:27, Daniel J Walsh wrote:
>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.21.1/scripts/fixfiles
>>--- nsapolicycoreutils/scripts/fixfiles	2005-01-24 11:19:10.103136000 -0500
>>+++ policycoreutils-1.21.1/scripts/fixfiles	2005-01-24 11:19:28.998223000 -0500
>>@@ -37,11 +37,19 @@
>> SELINUXTYPE="targeted"
>> if [ -e /etc/selinux/config ]; then
>>     . /etc/selinux/config
>>-    FC=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts
>>+    FC=`mktemp /var/tmp/file_contexts.XXXXXX`
>>+    cat /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local > $FC 2> /dev/null
>>    
>>
>
>Rather than using a temporary file in /var/tmp, I'd recommend creating
>it in the same parent directory as the existing file_contexts
>configuration (i.e. /etc/selinux/${SELINUXTYPE}/contexts/files). 
>setfiles_t cannot read temporary files, and we don't especially want to
>allow it to do so (to protect against low integrity input).
>
>  
>
Ah good point, change to

/etc/selinux/${SELINUXTYPE}/contexts/files



[-- Attachment #2: policycoreutils-rhat.patch --]
[-- Type: text/x-patch, Size: 890 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.21.1/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles	2005-01-24 11:19:10.103136000 -0500
+++ policycoreutils-1.21.1/scripts/fixfiles	2005-01-24 11:19:28.998223000 -0500
@@ -37,11 +37,19 @@
 SELINUXTYPE="targeted"
 if [ -e /etc/selinux/config ]; then
     . /etc/selinux/config
-    FC=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts
+    FC=`mktemp /etc/selinux/${SELINUXTYPE}/contexts/files/file_context.XXXXXX`
+    cat /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local > $FC 2> /dev/null
 else
     FC=/etc/security/selinux/file_contexts
 fi
 
+cleanup() {
+    if [ -e /etc/selinux/config -a -f "$FC" ]; then
+	rm -f $FC
+    fi
+}
+trap "cleanup" 0 1 2 3 13 15
+
 #
 # Log to either syslog or a LOGFILE
 #
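Review bot: cleanup() is armed only after mktemp has already created the file, so an interrupt between the `+    FC=\`mktemp ...\`` line and `+trap "cleanup" 0 1 2 3 13 15` leaves a stray file behind, and with this revision it is left in /etc/selinux/${SELINUXTYPE}/contexts/files rather than /var/tmp. Moving the trap line above the `if [ -e /etc/selinux/config ]` block closes that window at no cost, since cleanup() tests `-f "$FC"` and does nothing while FC is unset. The template `file_context.XXXXXX` also drops the trailing "s" used by the files it sits beside (file_contexts, file_contexts.local); a name such as `file_contexts.tmp.XXXXXX` would make the origin of any leftover obvious to whoever finds it. The `2> /dev/null` that masks a missing or unreadable file_contexts is unchanged from the first version.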

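
A hardened form of the merge the patch performs, as an added example that is not the fixfiles script or any policycoreutils code. It takes the contexts directory as an argument so it can be exercised against a scratch directory; the function and variable names (select_fc_spec, cleanup_fc_spec, FC, FC_TMP) and the merged-file template are this example's own, and it relies on setfiles honouring the last matching entry of a spec, which is why file_contexts.local is appended after file_contexts.

```shell
#!/bin/sh
# Added example, not the policycoreutils fixfiles script: choose the spec
# file to hand to setfiles, merging file_contexts.local into file_contexts
# when it exists. The merged copy is created next to the originals (as the
# thread settled on) rather than in /var/tmp. Function and variable names
# (select_fc_spec, cleanup_fc_spec, FC, FC_TMP) are this example's own.
#
# Usage in a script (the directory would normally be
# /etc/selinux/${SELINUXTYPE}/contexts/files):
#   trap cleanup_fc_spec 0 1 2 3 13 15     # arm before creating anything
#   select_fc_spec /etc/selinux/targeted/contexts/files || exit 1
#   setfiles "$FC" /                        # or restorecon, etc.

# On success sets FC to the spec to use and FC_TMP to the temporary file
# that cleanup_fc_spec must remove (empty when no temp file was created).
select_fc_spec() {
    dir=$1
    FC=$dir/file_contexts
    FC_TMP=

    # The base spec is mandatory: never silently run with an empty spec.
    if [ ! -r "$FC" ]; then
        echo "select_fc_spec: $FC missing or unreadable" >&2
        return 1
    fi
    # No local additions: use the base file directly, nothing to clean up.
    [ -f "$dir/file_contexts.local" ] || return 0

    # mktemp creates the file 0600 in the same directory as the originals,
    # so it gets that directory's default label. Check its exit status; an
    # empty FC_TMP would otherwise turn the redirect below into an error
    # that is easy to miss.
    FC_TMP=$(mktemp "$dir/file_contexts.merged.XXXXXX") || { FC_TMP=; return 1; }

    # Base first, local second: setfiles applies the last matching entry,
    # so the local overrides take precedence over the distribution spec.
    if ! cat "$FC" "$dir/file_contexts.local" > "$FC_TMP"; then
        rm -f "$FC_TMP"
        FC_TMP=
        return 1
    fi
    FC=$FC_TMP
}

# Remove only what select_fc_spec created; the real spec files are never
# touched, whichever of them FC currently points at.
cleanup_fc_spec() {
    if [ -n "$FC_TMP" ]; then
        rm -f "$FC_TMP"
        FC_TMP=
    fi
}
```

Compared with the posted hunk, the base file_contexts is read unconditionally and its absence is an error, mktemp's status is checked, no temporary file is created when there is no .local file, and cleanup removes only what was created, so the trap can be armed before the merge runs without risk to the real spec files.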

* Re: Change fixfiles to use file_context.local if it exists.
  2005-01-24 17:41   ` Daniel J Walsh
@ 2005-01-25 18:52     ` Stephen Smalley
  0 siblings, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2005-01-25 18:52 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Mon, 2005-01-24 at 12:41, Daniel J Walsh wrote:
> Ah good point, change to
> 
> /etc/selinux/${SELINUXTYPE}/contexts/files

Thanks, merged into sourceforge CVS as of policycoreutils 1.21.4.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 4+ messages in thread
