* New patch for libselinux
       [not found] ` <1150812243.17557.79.camel@moss-spartans.epoch.ncsc.mil>
@ 2006-06-20 15:33   ` Daniel J Walsh
  2006-06-20 16:49     ` Stephen Smalley
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2006-06-20 15:33 UTC (permalink / raw)
  To: Stephen Smalley, SE Linux

[-- Attachment #1: Type: text/plain, Size: 225 bytes --]

Patch to libselinux to fix handling of MATCHPATHCON_NOTRANS.

Also added two new functions that look at files on disk and compare
them to the default file_contexts. These functions are intended to be
used by rpm -V.



[-- Attachment #2: libselinux-rhat.patch --]
[-- Type: text/x-patch, Size: 6433 bytes --]

diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.30.15/include/selinux/selinux.h
--- nsalibselinux/include/selinux/selinux.h	2006-06-16 15:08:24.000000000 -0400
+++ libselinux-1.30.15/include/selinux/selinux.h	2006-06-20 09:25:45.000000000 -0400
@@ -429,8 +429,17 @@
    Caller must free the returned strings via free. */
 extern int getseuserbyname(const char *linuxuser, char **seuser, char **level);
 
+/* This function allows you to compare two security context and ignore the 
+user component */
+int selinux_compare_context_without_user(const security_context_t a, const security_context_t b);
+
+/* This function looks at the file context on disk and compares it to the 
+system defaults, it returns 1 on match non 0 on failure */
+int selinux_verify_file_context(const char *path, mode_t mode);
+
 #ifdef __cplusplus
 }
 #endif
 
 #endif
+
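Review bot: The two new prototypes are declared without `extern`, unlike the neighbouring getseuserbyname declaration at the top of the hunk; `extern int selinux_compare_context_without_user(const security_context_t a, const security_context_t b);` and the same for selinux_verify_file_context keep the header consistent. The comment on selinux_verify_file_context, "returns 1 on match non 0 on failure", reads as self-contradictory, and since the src/matchpathcon.c implementation is meant to yield 1 on match and 0 otherwise, `/* Returns 1 if the on-disk context of path matches the file_contexts default, 0 otherwise. */` states the contract plainly. mode_t is used here, and I cannot see from this hunk whether the header already includes <sys/types.h>. The same declarations recur, with the same omissions, in the second patch's selinux.h hunk.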
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/matchpathcon.8 libselinux-1.30.15/man/man8/matchpathcon.8
--- nsalibselinux/man/man8/matchpathcon.8	2006-05-15 09:43:24.000000000 -0400
+++ libselinux-1.30.15/man/man8/matchpathcon.8	2006-06-20 10:56:07.000000000 -0400
@@ -3,13 +3,25 @@
 matchpathcon \- get the default security context for the specified path from the file contexts configuration.
 
 .SH "SYNOPSIS"
-.B matchpathcon [-n] filepath...
-
+.B matchpathcon [-V] [-N] [-n] [-f file_contexts_file ] [-p prefix ] filepath...
 .SH "DESCRIPTION"
 .B matchpathcon
 Prints the file path and the default security context associated with it.
+.SH OPTIONS
+.B \-n
+Do not display path.
+.br
+.B \-N
+Do not use translations.
+.br
+.B \-f file_context_file
+Use alternate file_context file
+.br
+.B \-p prefix
+Use prefix to speed translations
 .br
-If the -n option is given, do not display path.
+.B \-V
+Verify file context on disk matches defaults
 
 .SH AUTHOR	
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-1.30.15/src/matchpathcon.c
--- nsalibselinux/src/matchpathcon.c	2006-05-18 12:11:17.000000000 -0400
+++ libselinux-1.30.15/src/matchpathcon.c	2006-06-20 11:27:47.000000000 -0400
@@ -26,6 +26,8 @@
 	va_end(ap);
 }
 
+static unsigned int myflags;
+
 static void 
 #ifdef __GNUC__
 __attribute__ ((format (printf, 1, 2)))
@@ -50,7 +52,12 @@
 static int default_canoncon(const char *path, unsigned lineno, char **context)
 {
 	char *tmpcon;
-	if (security_canonicalize_context(*context, &tmpcon) < 0) {
+	int rc;
+	if (myflags & MATCHPATHCON_NOTRANS)
+		rc = security_canonicalize_context_raw(*context, &tmpcon);
+	else
+		rc = security_canonicalize_context(*context, &tmpcon);
+	if ( rc < 0) {
 		if (errno == ENOENT)
 			return 0;
 		if (lineno)
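Review bot: default_canoncon now consults myflags while specs are being loaded, so MATCHPATHCON_NOTRANS only takes effect if set_matchpathcon_flags() runs before matchpathcon_init(); if I read the call order right, a flag set after initialization leaves already-loaded contexts canonicalized through translation, and nothing in the header hints at this ordering. A comment on set_matchpathcon_flags such as `/* Must be called before matchpathcon_init(); flags are read when file_contexts is loaded. */` would make the requirement visible. default_canoncon's body continues past the hunk. The same change appears in the second patch's default_canoncon hunk.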
@@ -74,8 +81,6 @@
 		mycanoncon = &default_canoncon;
 }
 
-static unsigned int myflags;
-
 void set_matchpathcon_flags(unsigned int flags)
 {
 	myflags = flags;
@@ -580,7 +585,6 @@
 				spec_arr[nspec].context_valid = 1;
 			}
 		}
-
 		spec_arr[nspec].context = context;
 		
 		/* Determine if specification has 
@@ -797,7 +801,6 @@
 		errno = ENOENT;
 		return -1;
 	}
-
 	spec_arr[i].matches++;
 
 	return i;
@@ -877,3 +880,47 @@
 		}
 	}
 }
+
+/* Compare two contexts to see if their differences are "significant",
+ * or whether the only difference is in the user. */
+int selinux_compare_context_without_user(const security_context_t a, const security_context_t b)
+{
+	char *rest_a, *rest_b; /* Rest of the context after the user */
+	if (!a || !b) return 0;
+	rest_a = strchr((char *)a, ':');
+	rest_b = strchr((char *)b, ':');
+	if (!rest_a || !rest_b) return 0;
+	return  (strcmp(rest_a, rest_b) == 0);
+}
+
+
+int selinux_verify_file_context(const char *path, mode_t mode)
+{
+ 	security_context_t con = NULL;
+ 	security_context_t fcontext = NULL;
+	int rc=0;
+
+	if (myflags & MATCHPATHCON_NOTRANS) 
+		rc = lgetfilecon_raw(path, &con);
+	else 
+		rc = lgetfilecon(path, &con);
+	if (rc == -1) {
+		if (errno != ENOTSUP)
+			return 1;
+	        else
+			return 0;
+	}
+
+	if (matchpathcon(path,mode,&fcontext) != 0)  {
+		if (fcontext == NULL && errno != ENOENT) 
+			rc = 1;
+		else
+			rc = 0;
+	} 
+	else 
+		rc = selinux_compare_context_without_user(fcontext, con);
+n	freecon(con);
+	freecon(fcontext); 
+	return rc;
+}
+
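Review bot: An lgetfilecon failure other than ENOTSUP makes selinux_verify_file_context return 1, which is the documented "match" value, so a path that does not exist or cannot be read is reported as verified (the matchpathcon utility then prints "verified." for it). Every lgetfilecon failure is a case where no on-disk context could be read, so `if (rc == -1) return 0;` matches the header's contract and leaves the caller to report errno itself, as the utility already does in its else branch. The `(char *)` casts on the strchr arguments are unnecessary, strchr takes a const char *. Separately, the line `n	freecon(con);` near the end of the hunk carries an `n` where the `+` marker belongs, so the hunk will not apply as posted. The same lgetfilecon handling reappears unchanged in the second patch's final src/matchpathcon.c hunk.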
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselinux-1.30.15/utils/matchpathcon.c
--- nsalibselinux/utils/matchpathcon.c	2006-05-18 12:11:17.000000000 -0400
+++ libselinux-1.30.15/utils/matchpathcon.c	2006-06-20 11:30:26.000000000 -0400
@@ -12,19 +12,43 @@
 	exit(1);
 }
 
+int printmatchpathcon(char *path, int header) {
+	char *buf;
+	int rc = matchpathcon(path, 0, &buf);
+	if (rc < 0) {
+		fprintf(stderr, "matchpathcon(%s) failed\n", path);
+		return 2;
+	}
+	if (header)
+		printf("%s\t%s\n", path, buf);
+	else
+		printf("%s\n", buf);
+	
+	freecon(buf);
+	return 0;
+}
+
 int main(int argc, char **argv) 
 {
-	char *buf;
-	int rc, i, init = 0;
+	int i, init = 0;
 	int header=1, opt;
+	int verify=0;
+	int notrans=0;
 
 	if (argc < 2) usage(argv[0]);
 
-	while ((opt = getopt(argc, argv, "nf:p:")) > 0) {
+	while ((opt = getopt(argc, argv, "Nnf:p:V")) > 0) {
 		switch (opt) {
 		case 'n':
 			header=0;
 			break;
+		case 'V':
+			verify=1;
+			break;
+		case 'N':
+			notrans=1;
+			set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
+			break;
 		case 'f':
 			if (init) {
 				fprintf(stderr, "%s:  -f and -p are exclusive\n", argv[0]);
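Review bot: printmatchpathcon is a file-local helper but is declared with external linkage and a non-const `char *path`; `static int printmatchpathcon(const char *path, int header)` keeps it out of the global namespace and lets callers pass const paths, provided matchpathcon accepts a const path. Its error message also dropped the `argv[0]:` prefix that the removed main() code printed, so failures are no longer attributed to the program, which matters when the tool is run from scripts. main begins in this hunk and continues past it. The second patch repeats this helper verbatim in its utils/matchpathcon.c hunk.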
@@ -54,17 +78,29 @@
 		}
 	}
 	for (i = optind; i < argc; i++) {
-		rc = matchpathcon(argv[i], 0, &buf);
-		if (rc < 0) {
-			fprintf(stderr, "%s:  matchpathcon(%s) failed\n", argv[0], argv[i]);
-			return 2;
-		}
-		if (header)
-			printf("%s\t%s\n", argv[i], buf);
-		else
-			printf("%s\n", buf);
+		if (verify) {
+			if (selinux_verify_file_context(argv[i], 0)) {
+				printf("%s verified.\n", argv[i]);
+			} else {
+				security_context_t con;
+				int rc;
+				if (notrans) 
+					rc = lgetfilecon_raw(argv[i], &con);
+				else
+					rc = lgetfilecon(argv[i], &con);
 
-		freecon(buf);
+				if (rc >= 0) {
+					printf("%s has context %s, should be ", argv[i], con);
+					printmatchpathcon(argv[i], 0);
+					freecon(con);
+				} else {
+					printf("actual context unknown: %s, should be ", strerror(errno));
+					printmatchpathcon(argv[i], 0);
+				}
+			}
+		} else {
+			printmatchpathcon(argv[i], header);
+		}
 	}
 	matchpathcon_fini();
 	return 0;
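Review bot: The exit status of a failed lookup is lost: the removed lines returned 2 from main when matchpathcon failed, but printmatchpathcon's return value is discarded at all three call sites in the loop, so main falls through to `return 0` after printing the error. In the plain branch `if (printmatchpathcon(argv[i], header)) return 2;` restores the old behaviour; in the verify branch both calls follow a printf that has already written "should be " without a newline, so a failure leaves a partial line on stdout with the error on stderr, which is worth either terminating or checking as well. main's closing brace lies outside the hunk. The second patch's utils/matchpathcon.c hunk of the same name is identical and has the same issue.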


* Re: New patch for libselinux
  2006-06-20 15:33   ` New patch for libselinux Daniel J Walsh
@ 2006-06-20 16:49     ` Stephen Smalley
  2006-06-20 17:11       ` Daniel J Walsh
  0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2006-06-20 16:49 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Tue, 2006-06-20 at 11:33 -0400, Daniel J Walsh wrote:
> Patch to libselinux to fix handling of MATCHPATHCON_NOTRANS.
> 
> Also added two new functions to handle looking at files on disk and 
> comparing to the default file_contexts,  These functions are
> intended to be used by rpm -V.

I don't think we want to directly export
selinux_compare_context_without_user(), or if we do, we want it
abstracted in some manner that covers the general case.

Also, I think selinux_verify_file_context needs to be generalized,
because if/when rpm begins to use contexts from the rpm headers again,
then rpm will need to pass in the context against which to compare
rather than having selinux_verify_file_context always use matchpathcon.

-- 
Stephen Smalley
National Security Agency




* Re: New patch for libselinux
  2006-06-20 16:49     ` Stephen Smalley
@ 2006-06-20 17:11       ` Daniel J Walsh
  2006-06-20 17:33         ` Stephen Smalley
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2006-06-20 17:11 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SE Linux

Stephen Smalley wrote:
> On Tue, 2006-06-20 at 11:33 -0400, Daniel J Walsh wrote:
>   
>> Patch to libselinux to fix handling of MATCHPATHCON_NOTRANS.
>>
>> Also added two new functions to handle looking at files on disk and 
>> comparing to the default file_contexts,  These functions are
>> intended to be used by rpm -V.
>>     
>
> I don't think we want to directly export
> selinux_compare_context_without_user(), or if we do, we want it
> abstracted in some manner that covers the general case.
>
>   
We are using similar functions in restorecon and I think somewhere else, 
so I thought
it would be good to move it into libselinux.  
> Also, I think selinux_verify_file_context needs to be generalized,
> because if/when rpm begins to use contexts from the rpm headers again,
> then rpm will need to pass in the context against which to compare
> rather than having selinux_verify_file_context always use matchpathcon.
>
>   
Not sure what you mean, You still have the other functions to use.   The 
idea with this
function is to compare a files on disk context with the system 
defaults.  You could also use
matchpathcon_init before calling this function to change the default 
file context file?


I also want to define a function

selinux_setdefault_filecon(file)

Which would do matchpathcon/setfilecon under the covers, and do the 
appropriate turn off translations stuff.
Since this code is propagating into a series of programs (install,
MAKEDEV, kadmin?, Nautilus, restorecon and probably others).





* Re: New patch for libselinux
  2006-06-20 17:11       ` Daniel J Walsh
@ 2006-06-20 17:33         ` Stephen Smalley
  2006-06-20 17:55           ` Stephen Smalley
  0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2006-06-20 17:33 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Tue, 2006-06-20 at 13:11 -0400, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> > I don't think we want to directly export
> > selinux_compare_context_without_user(), or if we do, we want it
> > abstracted in some manner that covers the general case.
> >
> >   
> We are using similar functions in restorecon and I think somewhere else, 
> so I thought
> it would be good to move it into libselinux.

Possibly, but _without_user is too much detail for the caller.  Caller
just wants some function that indicates equivalence (for some definition
of equivalence).  

> Not sure what you mean, You still have the other functions to use.   The 
> idea with this
> function is to compare a files on disk context with the system 
> defaults.  You could also use
> matchpathcon_init before calling this function to change the default 
> file context file?

Actually, I suppose at the point of verification, you already have the
module policy installed and integrated into the system file_contexts
file, so matchpathcon() should work.  I was thinking that rpm would have
to pass in the context originally obtained from the package header (and
saved in the rpm database?) instead.  But that should always match the
result yielded from matchpathcon once the module's .fc has been merged.

> I also want to define a function
> 
> selinux_setdefault_filecon(file)
> 
> Which would do matchpathcon/setfilecon under the covers, and do the 
> appropriate turn off translations stuff.
> Since this code is propulgating into a series of programs.  (install, 
> MAKEDEV, kadmin?, and Nautilus, restorecon and probably others.)

selinux_lsetfilecon_default(const char *path)?

-- 
Stephen Smalley
National Security Agency




* Re: New patch for libselinux
  2006-06-20 17:33         ` Stephen Smalley
@ 2006-06-20 17:55           ` Stephen Smalley
  2006-06-20 20:28             ` I have redone the original " Daniel J Walsh
  0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2006-06-20 17:55 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Tue, 2006-06-20 at 13:33 -0400, Stephen Smalley wrote:
> On Tue, 2006-06-20 at 13:11 -0400, Daniel J Walsh wrote:
> > Stephen Smalley wrote:
> > > I don't think we want to directly export
> > > selinux_compare_context_without_user(), or if we do, we want it
> > > abstracted in some manner that covers the general case.
> > >
> > >   
> > We are using similar functions in restorecon and I think somewhere else, 
> > so I thought
> > it would be good to move it into libselinux.
> 
> Possibly, but _without_user is too much detail for the caller.  Caller
> just wants some function that indicates equivalence (for some definition
> of equivalence).  
> 
> > Not sure what you mean, You still have the other functions to use.   The 
> > idea with this
> > function is to compare a files on disk context with the system 
> > defaults.  You could also use
> > matchpathcon_init before calling this function to change the default 
> > file context file?
> 
> Actually, I suppose at the point of verification, you already have the
> module policy installed and integrated into the system file_contexts
> file, so matchpathcon() should work.  I was thinking that rpm would have
> to pass in the context originally obtained from the package header (and
> saved in the rpm database?) instead.  But that should always match the
> result yielded from matchpathcon once the module's .fc has been merged.

This btw raises the question of whether rpm -V should check contexts at
all, or whether that support should drop out of rpm altogether, and
context verification handled entirely via setfiles/restorecon and
friends.  If rpm isn't using any internal data there and we are always
checking filesystem state vs. policy state, then why have rpm handle it?

> 
> > I also want to define a function
> > 
> > selinux_setdefault_filecon(file)
> > 
> > Which would do matchpathcon/setfilecon under the covers, and do the 
> > appropriate turn off translations stuff.
> > Since this code is propulgating into a series of programs.  (install, 
> > MAKEDEV, kadmin?, and Nautilus, restorecon and probably others.)
> 
> selinux_lsetfilecon_default(const char *path)?
> 
-- 
Stephen Smalley
National Security Agency




* I have redone the original patch for libselinux
  2006-06-20 17:55           ` Stephen Smalley
@ 2006-06-20 20:28             ` Daniel J Walsh
  2006-06-21 17:50               ` Stephen Smalley
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2006-06-20 20:28 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SE Linux

[-- Attachment #1: Type: text/plain, Size: 797 bytes --]

Now have a function called selinux_context_cmp which compares two
contexts for equivalency, ignoring the user component.

Fixed selinux_verify_file_context to work properly,  default_canoncon 
now checks myflags for MATCHPATHCON_NOTRANS

Added selinux_lsetfilecon_default(const char* path)

to set a file context to match the entry in file_contexts file.  
Changing install command to use this function improved perfomance

# time install resolv.conf /etc/

real    0m0.251s
user    0m0.176s
sys     0m0.040s
# ls -lZ /etc/resolv.conf
-rwxr-xr-x  root root system_u:object_r:net_conf_t     /etc/resolv.conf
# time ./ginstall resolv.conf /etc/

real    0m0.007s
user    0m0.000s
sys     0m0.008s
# ls -lZ /etc/resolv.conf
-rwxr-xr-x  root root system_u:object_r:net_conf_t     /etc/resolv.conf


[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 7261 bytes --]

diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.30.15/include/selinux/selinux.h
--- nsalibselinux/include/selinux/selinux.h	2006-06-16 15:08:24.000000000 -0400
+++ libselinux-1.30.15/include/selinux/selinux.h	2006-06-20 15:48:14.000000000 -0400
@@ -429,8 +429,20 @@
    Caller must free the returned strings via free. */
 extern int getseuserbyname(const char *linuxuser, char **seuser, char **level);
 
+/* This function allows you to compare two security context, it will ignore the 
+user component */
+int selinux_context_cmp(const security_context_t a, const security_context_t b);
+
+/* This function looks at the file context on disk and compares it to the 
+system defaults, it returns 1 on match non 0 on failure */
+int selinux_verify_file_context(const char *path, mode_t mode);
+
+/* This function sets the file context on to the system defaults returns 0 on success */
+int selinux_lsetfilecon_default(const char *path);
+
 #ifdef __cplusplus
 }
 #endif
 
 #endif
+
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/matchpathcon.8 libselinux-1.30.15/man/man8/matchpathcon.8
--- nsalibselinux/man/man8/matchpathcon.8	2006-05-15 09:43:24.000000000 -0400
+++ libselinux-1.30.15/man/man8/matchpathcon.8	2006-06-20 10:56:07.000000000 -0400
@@ -3,13 +3,25 @@
 matchpathcon \- get the default security context for the specified path from the file contexts configuration.
 
 .SH "SYNOPSIS"
-.B matchpathcon [-n] filepath...
-
+.B matchpathcon [-V] [-N] [-n] [-f file_contexts_file ] [-p prefix ] filepath...
 .SH "DESCRIPTION"
 .B matchpathcon
 Prints the file path and the default security context associated with it.
+.SH OPTIONS
+.B \-n
+Do not display path.
+.br
+.B \-N
+Do not use translations.
+.br
+.B \-f file_context_file
+Use alternate file_context file
+.br
+.B \-p prefix
+Use prefix to speed translations
 .br
-If the -n option is given, do not display path.
+.B \-V
+Verify file context on disk matches defaults
 
 .SH AUTHOR	
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-1.30.15/src/matchpathcon.c
--- nsalibselinux/src/matchpathcon.c	2006-05-18 12:11:17.000000000 -0400
+++ libselinux-1.30.15/src/matchpathcon.c	2006-06-20 15:37:25.000000000 -0400
@@ -26,6 +26,8 @@
 	va_end(ap);
 }
 
+static unsigned int myflags;
+
 static void 
 #ifdef __GNUC__
 __attribute__ ((format (printf, 1, 2)))
@@ -50,7 +52,12 @@
 static int default_canoncon(const char *path, unsigned lineno, char **context)
 {
 	char *tmpcon;
-	if (security_canonicalize_context(*context, &tmpcon) < 0) {
+	int rc;
+	if (myflags & MATCHPATHCON_NOTRANS)
+		rc = security_canonicalize_context_raw(*context, &tmpcon);
+	else
+		rc = security_canonicalize_context(*context, &tmpcon);
+	if ( rc < 0) {
 		if (errno == ENOENT)
 			return 0;
 		if (lineno)
@@ -74,8 +81,6 @@
 		mycanoncon = &default_canoncon;
 }
 
-static unsigned int myflags;
-
 void set_matchpathcon_flags(unsigned int flags)
 {
 	myflags = flags;
@@ -580,7 +585,6 @@
 				spec_arr[nspec].context_valid = 1;
 			}
 		}
-
 		spec_arr[nspec].context = context;
 		
 		/* Determine if specification has 
@@ -797,7 +801,6 @@
 		errno = ENOENT;
 		return -1;
 	}
-
 	spec_arr[i].matches++;
 
 	return i;
@@ -877,3 +880,73 @@
 		}
 	}
 }
+
+/* Compare two contexts to see if their differences are "significant",
+ * or whether the only difference is in the user. */
+int selinux_context_cmp(const security_context_t a, const security_context_t b)
+{
+	char *rest_a, *rest_b; /* Rest of the context after the user */
+	if (!a && !b) return 0;
+	if (!a && b) return -1;
+	if (a && !b) return 1;
+	rest_a = strchr((char *)a, ':');
+	rest_b = strchr((char *)b, ':');
+	if (!rest_a && !rest_b) return 0;
+	if (!rest_a && rest_b) return -1;
+	if (rest_a && !rest_b) return 1;
+	return  strcmp(rest_a, rest_b);
+}
+
+int selinux_verify_file_context(const char *path, mode_t mode)
+{
+ 	security_context_t con = NULL;
+ 	security_context_t fcontext = NULL;
+	int rc=0;
+
+	if (myflags & MATCHPATHCON_NOTRANS) 
+		rc = lgetfilecon_raw(path, &con);
+	else 
+		rc = lgetfilecon(path, &con);
+	if (rc == -1) {
+		if (errno != ENOTSUP)
+			return 1;
+	        else
+			return 0;
+	}
+
+	if (matchpathcon(path,mode,&fcontext) != 0)  {
+		if (fcontext == NULL && errno != ENOENT) 
+			rc = 1;
+		else
+			rc = 0;
+	} 
+	else 
+		rc = (selinux_context_cmp(fcontext, con) == 0);
+	freecon(con);
+	freecon(fcontext); 
+	return rc;
+}
+
+
+int selinux_lsetfilecon_default(const char *path) {
+	struct stat st;
+	int rc = -1;
+	security_context_t scontext=NULL;
+	unsigned int localflags=myflags;
+	if (lstat(path, &st) != 0)
+		return rc;
+
+	set_matchpathcon_flags(myflags | MATCHPATHCON_NOTRANS);
+
+	/* If there's an error determining the context, or it has none, 
+	   return to allow default context */
+	if (matchpathcon(path, st.st_mode, &scontext)) {
+		if (scontext == NULL && errno != ENOENT) 
+			rc =0;
+	} else 	{
+		rc = lsetfilecon_raw(path, scontext);
+		freecon(scontext);
+	}
+	set_matchpathcon_flags(localflags);
+	return rc;
+}
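Review bot: selinux_context_cmp now reports two contexts that both lack a ':' as equivalent (`if (!rest_a && !rest_b) return 0;`), whereas the first version of the patch reported that case as not equal; a file context always carries ':'-separated role and type fields, so treating two malformed strings as equal looks accidental, and `if (!rest_a && !rest_b) return strcmp(a, b);` keeps the cmp convention without the special case. selinux_lsetfilecon_default sets MATCHPATHCON_NOTRANS only for the duration of the call; if file_contexts was already loaded by an earlier matchpathcon call, the specs were canonicalized under the previous flags and, as far as I can tell from this hunk, the temporary flag would not change them. The lgetfilecon error handling in selinux_verify_file_context is unchanged from the first patch and still maps non-ENOTSUP failures to the match value, as noted there.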
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselinux-1.30.15/utils/matchpathcon.c
--- nsalibselinux/utils/matchpathcon.c	2006-05-18 12:11:17.000000000 -0400
+++ libselinux-1.30.15/utils/matchpathcon.c	2006-06-20 11:30:26.000000000 -0400
@@ -12,19 +12,43 @@
 	exit(1);
 }
 
+int printmatchpathcon(char *path, int header) {
+	char *buf;
+	int rc = matchpathcon(path, 0, &buf);
+	if (rc < 0) {
+		fprintf(stderr, "matchpathcon(%s) failed\n", path);
+		return 2;
+	}
+	if (header)
+		printf("%s\t%s\n", path, buf);
+	else
+		printf("%s\n", buf);
+	
+	freecon(buf);
+	return 0;
+}
+
 int main(int argc, char **argv) 
 {
-	char *buf;
-	int rc, i, init = 0;
+	int i, init = 0;
 	int header=1, opt;
+	int verify=0;
+	int notrans=0;
 
 	if (argc < 2) usage(argv[0]);
 
-	while ((opt = getopt(argc, argv, "nf:p:")) > 0) {
+	while ((opt = getopt(argc, argv, "Nnf:p:V")) > 0) {
 		switch (opt) {
 		case 'n':
 			header=0;
 			break;
+		case 'V':
+			verify=1;
+			break;
+		case 'N':
+			notrans=1;
+			set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
+			break;
 		case 'f':
 			if (init) {
 				fprintf(stderr, "%s:  -f and -p are exclusive\n", argv[0]);
@@ -54,17 +78,29 @@
 		}
 	}
 	for (i = optind; i < argc; i++) {
-		rc = matchpathcon(argv[i], 0, &buf);
-		if (rc < 0) {
-			fprintf(stderr, "%s:  matchpathcon(%s) failed\n", argv[0], argv[i]);
-			return 2;
-		}
-		if (header)
-			printf("%s\t%s\n", argv[i], buf);
-		else
-			printf("%s\n", buf);
+		if (verify) {
+			if (selinux_verify_file_context(argv[i], 0)) {
+				printf("%s verified.\n", argv[i]);
+			} else {
+				security_context_t con;
+				int rc;
+				if (notrans) 
+					rc = lgetfilecon_raw(argv[i], &con);
+				else
+					rc = lgetfilecon(argv[i], &con);
 
-		freecon(buf);
+				if (rc >= 0) {
+					printf("%s has context %s, should be ", argv[i], con);
+					printmatchpathcon(argv[i], 0);
+					freecon(con);
+				} else {
+					printf("actual context unknown: %s, should be ", strerror(errno));
+					printmatchpathcon(argv[i], 0);
+				}
+			}
+		} else {
+			printmatchpathcon(argv[i], header);
+		}
 	}
 	matchpathcon_fini();
 	return 0;


* Re: I have redone the original patch for libselinux
  2006-06-20 20:28             ` I have redone the original " Daniel J Walsh
@ 2006-06-21 17:50               ` Stephen Smalley
  0 siblings, 0 replies; 7+ messages in thread
From: Stephen Smalley @ 2006-06-21 17:50 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Tue, 2006-06-20 at 16:28 -0400, Daniel J Walsh wrote:
> diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.30.15/include/selinux/selinux.h
> --- nsalibselinux/include/selinux/selinux.h	2006-06-16 15:08:24.000000000 -0400
> +++ libselinux-1.30.15/include/selinux/selinux.h	2006-06-20 15:48:14.000000000 -0400
> @@ -429,8 +429,20 @@
>     Caller must free the returned strings via free. */
>  extern int getseuserbyname(const char *linuxuser, char **seuser, char **level);
>  
> +/* This function allows you to compare two security context, it will ignore the 
> +user component */
> +int selinux_context_cmp(const security_context_t a, const security_context_t b);

I think I'd make this:
/* Compare two file security contexts.  Return 0 if equivalent. */
int selinux_file_context_cmp(const char *s1, const char *s2);

Rationale:  User identity does matter in process security contexts, so
we don't want people to use such a function on arbitrary contexts.  We
also don't want the user-specific aspect in the interface at all, even
in the comment; the caller just wants to know if the two file contexts
should be treated as equivalent.

> +/* This function looks at the file context on disk and compares it to the 
> +system defaults, it returns 1 on match non 0 on failure */
> +int selinux_verify_file_context(const char *path, mode_t mode);

Should that be return 0 on match?  

> +int selinux_verify_file_context(const char *path, mode_t mode)
> +{
> + 	security_context_t con = NULL;
> + 	security_context_t fcontext = NULL;
> +	int rc=0;
> +
> +	if (myflags & MATCHPATHCON_NOTRANS) 
> +		rc = lgetfilecon_raw(path, &con);
> +	else 
> +		rc = lgetfilecon(path, &con);

Why not just set MATCHPATHCON_NOTRANS as you do in
selinux_lsetfilecon_default, and then always use lgetfilecon_raw here?
Then the caller doesn't need to set it himself, and you always avoid
extraneous translations in this function.

> +	if (matchpathcon(path,mode,&fcontext) != 0)  {
> +		if (fcontext == NULL && errno != ENOENT) 
> +			rc = 1;
> +		else
> +			rc = 0;
> +	} 

fcontext == NULL test seems unnecessary; matchpathcon failed, so there
should be no result.

> +int selinux_lsetfilecon_default(const char *path) {
> +	struct stat st;
> +	int rc = -1;
> +	security_context_t scontext=NULL;
> +	unsigned int localflags=myflags;
> +	if (lstat(path, &st) != 0)
> +		return rc;
> +
> +	set_matchpathcon_flags(myflags | MATCHPATHCON_NOTRANS);
> +
> +	/* If there's an error determining the context, or it has none, 
> +	   return to allow default context */
> +	if (matchpathcon(path, st.st_mode, &scontext)) {
> +		if (scontext == NULL && errno != ENOENT) 
> +			rc =0;

scontext == NULL test seems unnecessary.  Shouldn't that be errno ==
ENOENT (i.e. if there was no matching entry in file_contexts, return
success).

> +	} else 	{
> +		rc = lsetfilecon_raw(path, scontext);
> +		freecon(scontext);
> +	}
> +	set_matchpathcon_flags(localflags);
> +	return rc;
> +}

Likely should make myflags per-thread for safety in case we have any
threaded callers.

-- 
Stephen Smalley
National Security Agency



