* newrole O_NONBLOCK change (Was: Re: policycoreutils patch) [not found] <45DB0AB8.3070803@redhat.com> @ 2007-02-20 16:17 ` Stephen Smalley 2007-02-20 17:42 ` Daniel J Walsh 2007-02-20 17:58 ` Linda Knippers 2007-02-20 16:22 ` chcat changes " Stephen Smalley 2007-02-21 17:22 ` policycoreutils patch Stephen Smalley 2 siblings, 2 replies; 7+ messages in thread From: Stephen Smalley @ 2007-02-20 16:17 UTC (permalink / raw) To: Daniel J Walsh; +Cc: SE Linux On Tue, 2007-02-20 at 09:50 -0500, Daniel J Walsh wrote: > newrole hangs on a attached terminal device. Nonblocking allows it to > proceed. Won't this have side effects on programs run from the newrole'd shell? Should newrole open them with O_NONBLOCK and then clear it via fcntl before exec'ing the child shell? > plain text document attachment (diff) > diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.1/newrole/newrole.c > --- nsapolicycoreutils/newrole/newrole.c 2007-01-24 10:03:59.000000000 -0500 > +++ policycoreutils-2.0.1/newrole/newrole.c 2007-02-15 15:16:09.000000000 -0500 > @@ -640,7 +640,7 @@ > } > > /* Re-open TTY descriptor */ > - fd = open(ttyn, O_RDWR); > + fd = open(ttyn, O_RDWR|O_NONBLOCK); > if (fd < 0) { > fprintf(stderr, _("Error! Could not open %s.\n"), ttyn); > return fd; 
> @@ -1131,13 +1131,13 @@ > fprintf(stderr, _("Could not close descriptors.\n")); > goto err_close_pam; > } > - fd = open(ttyn, O_RDONLY); > + fd = open(ttyn, O_RDONLY|O_NONBLOCK); > if (fd != 0) > goto err_close_pam; > - fd = open(ttyn, O_RDWR); > + fd = open(ttyn, O_RDWR|O_NONBLOCK); > if (fd != 1) > goto err_close_pam; > - fd = open(ttyn, O_RDWR); > + fd = open(ttyn, O_RDWR|O_NONBLOCK); > if (fd != 2) > goto err_close_pam; > -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread
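Review bot: In the @@ -1131 hunk, the three descriptors opened as fd 0, 1 and 2 are the ones handed on to the child shell, and O_NONBLOCK is a status flag on the open file description, so every program run from that shell gets a non-blocking stdin, stdout and stderr. If the non-blocking open is needed to get past the hang, clear the flag again before the exec, for example fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK) after each fd check, and do the same for the re-opened TTY descriptor in the @@ -640 hunk. Neither hunk adds a comment saying why the open would block, which the next reader of newrole.c will need.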
* Re: newrole O_NONBLOCK change (Was: Re: policycoreutils patch) 2007-02-20 16:17 ` newrole O_NONBLOCK change (Was: Re: policycoreutils patch) Stephen Smalley @ 2007-02-20 17:42 ` Daniel J Walsh 2007-02-20 17:58 ` Linda Knippers 1 sibling, 0 replies; 7+ messages in thread From: Daniel J Walsh @ 2007-02-20 17:42 UTC (permalink / raw) To: Stephen Smalley; +Cc: SE Linux Stephen Smalley wrote: > On Tue, 2007-02-20 at 09:50 -0500, Daniel J Walsh wrote: > >> newrole hangs on a attached terminal device. Nonblocking allows it to >> proceed. >> > > Won't this have side effects on programs run from the newrole'd shell? > Should newrole open them with O_NONBLOCK and then clear it via fcntl > before exec'ing the child shell > Linda Knippers submitted this patch for bugzilla. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228102 I am not sure if setting it back to non blocking would still cause the hang. > >> plain text document attachment (diff) >> diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.1/newrole/newrole.c >> --- nsapolicycoreutils/newrole/newrole.c 2007-01-24 10:03:59.000000000 -0500 >> +++ policycoreutils-2.0.1/newrole/newrole.c 2007-02-15 15:16:09.000000000 -0500 >> @@ -640,7 +640,7 @@ >> } >> >> /* Re-open TTY descriptor */ >> - fd = open(ttyn, O_RDWR); >> + fd = open(ttyn, O_RDWR|O_NONBLOCK); >> if (fd < 0) { >> fprintf(stderr, _("Error! Could not open %s.\n"), ttyn); >> return fd; 
>> @@ -1131,13 +1131,13 @@ >> fprintf(stderr, _("Could not close descriptors.\n")); >> goto err_close_pam; >> } >> - fd = open(ttyn, O_RDONLY); >> + fd = open(ttyn, O_RDONLY|O_NONBLOCK); >> if (fd != 0) >> goto err_close_pam; >> - fd = open(ttyn, O_RDWR); >> + fd = open(ttyn, O_RDWR|O_NONBLOCK); >> if (fd != 1) >> goto err_close_pam; >> - fd = open(ttyn, O_RDWR); >> + fd = open(ttyn, O_RDWR|O_NONBLOCK); >> if (fd != 2) >> goto err_close_pam; >> >> > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: newrole O_NONBLOCK change (Was: Re: policycoreutils patch)
From: Linda Knippers @ 2007-02-20 17:58 UTC
To: Stephen Smalley; +Cc: Daniel J Walsh, SE Linux

Stephen Smalley wrote:
> On Tue, 2007-02-20 at 09:50 -0500, Daniel J Walsh wrote:
>
>> newrole hangs on an attached terminal device. Nonblocking allows it to
>> proceed.
>
> Won't this have side effects on programs run from the newrole'd shell?
> Should newrole open them with O_NONBLOCK and then clear it via fcntl
> before exec'ing the child shell?

Yep, it causes 'more' to not work, for example, so this is no good.
I'd like to understand why the open is hanging in the first place.

-- ljk
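The approach Stephen Smalley raises earlier in the thread (open with O_NONBLOCK, then clear it via fcntl before exec'ing the child shell), as an added example that is not code from newrole or from anyone in this thread. The helper names are hypothetical, and a FIFO with no writer is used as a constructed stand-in for a terminal whose open() would block.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* mkdtemp(), mkfifo() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open without blocking in open(), then clear O_NONBLOCK again. The flag
 * lives on the open file description, so it would otherwise be inherited
 * by whatever is exec'd with this descriptor. Returns fd, or -1 (errno set). */
int open_nonblock_then_clear(const char *path, int flags)
{
    int fd = open(path, flags | O_NONBLOCK);
    if (fd < 0)
        return -1;
    int fl = fcntl(fd, F_GETFL);
    if (fl < 0 || fcntl(fd, F_SETFL, fl & ~O_NONBLOCK) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* 1 if O_NONBLOCK is set on fd, 0 if clear, -1 on error. */
int fd_is_nonblocking(int fd)
{
    int fl = fcntl(fd, F_GETFL);
    return fl < 0 ? -1 : (fl & O_NONBLOCK) != 0;
}

/* Constructed stand-in for the terminal: a FIFO with no writer, on which a
 * plain open(O_RDONLY) would block. Returns 0 when the open returned and
 * the descriptor is back in blocking mode, -1 on any failure. */
int demo_fifo(void)
{
    char dir[] = "/tmp/nbdemoXXXXXX", path[64];
    int rc = -1;
    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof(path), "%s/fifo", dir);
    if (mkfifo(path, 0600) == 0) {
        int fd = open_nonblock_then_clear(path, O_RDONLY);
        if (fd >= 0) {
            rc = fd_is_nonblocking(fd);
            close(fd);
        }
        unlink(path);
    }
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("O_NONBLOCK still set after open: %d\n", demo_fifo());
    return 0;
}
```

Whether this would have avoided the newrole hang is not settled in the thread; the example only shows that the descriptor handed to the child no longer carries the flag.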
* chcat changes (Was: Re: policycoreutils patch) [not found] <45DB0AB8.3070803@redhat.com> 2007-02-20 16:17 ` newrole O_NONBLOCK change (Was: Re: policycoreutils patch) Stephen Smalley @ 2007-02-20 16:22 ` Stephen Smalley 2007-02-20 17:56 ` Daniel J Walsh 2007-02-21 17:22 ` policycoreutils patch Stephen Smalley 2 siblings, 1 reply; 7+ messages in thread From: Stephen Smalley @ 2007-02-20 16:22 UTC (permalink / raw) To: Daniel J Walsh; +Cc: SE Linux, Karl MacMillan On Tue, 2007-02-20 at 09:50 -0500, Daniel J Walsh wrote: > chcat fixes: > * Broken stderr handling fix > * if serange ends in a ":" chop it off. > * Switch chcat to exec semanage rather than use builtin so that > proper transitions happen, otherwise I would have to run chcat under an > semanage context. Why would a range end in a ":"? Context translation issue? > diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.1/scripts/chcat > --- nsapolicycoreutils/scripts/chcat 2006-11-16 17:14:27.000000000 -0500 > +++ policycoreutils-2.0.1/scripts/chcat 2007-02-15 15:16:09.000000000 -0500 > @@ -25,11 +25,22 @@ > import commands, sys, os, pwd, string, getopt, selinux > import seobject > import gettext > +import codecs > +import locale > +sys.stderr = codecs.getwriter(locale.getpreferredencoding())(sys.__stderr__, 'replace') > +sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.__stdout__, 'replace') > > try: > gettext.install('policycoreutils') > -except: > - pass > +except IOError: > + import __builtin__ > + __builtin__.__dict__['_'] = unicode > + > +def errorExit(error): > + sys.stderr.write("%s: " % sys.argv[0]) > + sys.stderr.write("%s\n" % error) > + sys.stderr.flush() > + sys.exit(1) > > def verify_users(users): > for u in users: 
> @@ -62,12 +73,20 @@ > for i in newcat[1:]: > if i not in cats: > cats.append(i) > + > new_serange = "%s-%s:%s" % (serange[0], top[0], string.join(cats, ",")) > - > + if new_serange[-1:] == ":": > + new_serange = new_serange[:-1] > + > if add_ind: > - logins.add(u, user[0], new_serange) > + cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) > else: > - logins.modify(u, user[0], new_serange) > + cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) > + rc = commands.getstatusoutput(cmd) > + if rc[0] != 0: > + print rc[1] > + errors += 1 > + > return errors > > def chcat_add(orig, newcat, objects,login_ind): > @@ -133,11 +152,17 @@ > cats.remove(i) > > new_serange = "%s-%s:%s" % (serange[0], top[0], string.join(cats, ",")) > + if new_serange[-1:] == ":": > + new_serange = new_serange[:-1] > > if add_ind: > - logins.add(u, user[0], new_serange) > + cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) > else: > - logins.modify(u, user[0], new_serange) > + cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) > + rc = commands.getstatusoutput(cmd) > + if rc[0] != 0: > + print rc[1] > + errors += 1 > return errors > > def chcat_remove(orig, newcat, objects, login_ind): > @@ -198,11 +223,17 @@ > user = seusers["__default__"] > serange = user[1].split("-") > new_serange = "%s-%s:%s" % (serange[0],newcat[0], string.join(newcat[1:], ",")) > - > + if new_serange[-1:] == ":": > + new_serange = new_serange[:-1] > + > if add_ind: > - logins.add(u, user[0], new_serange) > + cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) > else: > - logins.modify(u, user[0], new_serange) > + cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) > + rc = commands.getstatusoutput(cmd) > + if rc[0] != 0: > + print rc[1] > + errors += 1 > return errors > > def chcat_replace(newcat, objects, login_ind): 
> @@ -362,6 +393,10 @@ > > if list_ind == 0 and len(cmds) < 1: > usage() > + > + except getopt.error, error: > + errorExit(_("Options Error %s ") % error.msg) > + > except ValueError, e: > usage() > > diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat.8 policycoreutils-2.0.1/scripts/chcat.8 > --- nsapolicycoreutils/scripts/chcat.8 2007-01-17 11:11:34.000000000 -0500 > +++ policycoreutils-2.0.1/scripts/chcat.8 2007-02-15 15:16:09.000000000 -0500 > @@ -3,30 +3,31 @@ > chcat \- change file SELinux security category > .SH SYNOPSIS > .B chcat > -\fICATEGORY FILE\fR... > +\fIcategory file\fR... > .br > .B chcat -l > -\fICATEGORY USER\fR... > +\fIcategory user\fR... > .br > .B chcat > -\fI[[+|-]CATEGORY],...] FILE\fR... > +\fI[[+|-]category...] file\fR... > .br > .B chcat -l > -\fI[[+|-]CATEGORY],...] USER\fR... > +\fI[[+|-]category...] user\fR... > .br > .B chcat > -[\fI-d\fR] \fIFILE\fR... > +[\fI-d\fR] \fIfile\fR... > .br > .B chcat -l > -[\fI-d\fR] \fIUSER\fR... > +[\fI-d\fR] \fIuser\fR... > .br > .B chcat > -\fI-L\fR [-l] [ USER ... ] > +\fI-L\fR [ -l ] [ user ... ] > .br > +.SH DESCRIPTION > .PP > -Change/Remove the security CATEGORY for each FILE/USER. > +Change/Remove the security \fIcategory\fR for each \fIfile\fR or \fIuser\fR. > .PP > -Use +/- to add/remove categories from a FILE/USER. > +Use +/- to add/remove categories from a \fIfile\fR or \fIuser\fR. > .PP > .B > Note: -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread
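Review bot: In the @@ -62, @@ -133 and @@ -198 hunks, cmd is built with % formatting from new_serange, user[0] and u and handed to commands.getstatusoutput(), which runs the string through a shell, so anything in those values that the shell treats specially (whitespace, quotes, metacharacters) changes the command that is run. Pass the arguments as a list to an exec-style call that does not involve a shell, or quote each value before interpolating. The same block is also pasted three times; one helper taking add_ind, new_serange, user[0] and u would keep the three call sites in step. On failure the hunks print rc[1] to stdout while the new errorExit() writes to stderr; sending the semanage output to stderr as well would match the stderr fix in the first hunk.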
* Re: chcat changes (Was: Re: policycoreutils patch) 2007-02-20 16:22 ` chcat changes " Stephen Smalley @ 2007-02-20 17:56 ` Daniel J Walsh 2007-02-21 16:37 ` Karl MacMillan 0 siblings, 1 reply; 7+ messages in thread From: Daniel J Walsh @ 2007-02-20 17:56 UTC (permalink / raw) To: Stephen Smalley; +Cc: SE Linux, Karl MacMillan Stephen Smalley wrote: > On Tue, 2007-02-20 at 09:50 -0500, Daniel J Walsh wrote: > >> chcat fixes: >> * Broken stderr handling fix >> * if serange ends in a ":" chop it off. >> * Switch chcat to exec semanage rather than use builtin so that >> proper transitions happen, otherwise I would have to run chcat under an >> semanage context. >> > > Why would a range end in a ":"? Context translation issue? > > No. new_serange = "%s-%s:%s" % (serange[0], top[0], string.join(cats, ",")) if new_serange[-1:] == ":": new_serange = new_serange[:-1] If you did not have cats you would end up with s0-s0: >> diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.1/scripts/chcat >> --- nsapolicycoreutils/scripts/chcat 2006-11-16 17:14:27.000000000 -0500 >> +++ policycoreutils-2.0.1/scripts/chcat 2007-02-15 15:16:09.000000000 -0500 >> @@ -25,11 +25,22 @@ >> import commands, sys, os, pwd, string, getopt, selinux >> import seobject >> import gettext >> +import codecs >> +import locale >> +sys.stderr = codecs.getwriter(locale.getpreferredencoding())(sys.__stderr__, 'replace') >> +sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.__stdout__, 'replace') >> >> try: >> gettext.install('policycoreutils') >> -except: >> - pass >> +except IOError: >> + import __builtin__ >> + __builtin__.__dict__['_'] = unicode >> + >> +def errorExit(error): >> + sys.stderr.write("%s: " % sys.argv[0]) >> + sys.stderr.write("%s\n" % error) >> + sys.stderr.flush() >> + sys.exit(1) >> >> def verify_users(users): >> for u in users: 
>> @@ -62,12 +73,20 @@ >> for i in newcat[1:]: >> if i not in cats: >> cats.append(i) >> + >> new_serange = "%s-%s:%s" % (serange[0], top[0], string.join(cats, ",")) >> - >> + if new_serange[-1:] == ":": >> + new_serange = new_serange[:-1] >> + >> if add_ind: >> - logins.add(u, user[0], new_serange) >> + cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) >> else: >> - logins.modify(u, user[0], new_serange) >> + cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) >> + rc = commands.getstatusoutput(cmd) >> + if rc[0] != 0: >> + print rc[1] >> + errors += 1 >> + >> return errors >> >> def chcat_add(orig, newcat, objects,login_ind): >> @@ -133,11 +152,17 @@ >> cats.remove(i) >> >> new_serange = "%s-%s:%s" % (serange[0], top[0], string.join(cats, ",")) >> + if new_serange[-1:] == ":": >> + new_serange = new_serange[:-1] >> >> if add_ind: >> - logins.add(u, user[0], new_serange) >> + cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) >> else: >> - logins.modify(u, user[0], new_serange) >> + cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) >> + rc = commands.getstatusoutput(cmd) >> + if rc[0] != 0: >> + print rc[1] >> + errors += 1 >> return errors >> >> def chcat_remove(orig, newcat, objects, login_ind): >> @@ -198,11 +223,17 @@ >> user = seusers["__default__"] >> serange = user[1].split("-") >> new_serange = "%s-%s:%s" % (serange[0],newcat[0], string.join(newcat[1:], ",")) >> - >> + if new_serange[-1:] == ":": >> + new_serange = new_serange[:-1] >> + >> if add_ind: >> - logins.add(u, user[0], new_serange) >> + cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) >> else: >> - logins.modify(u, user[0], new_serange) >> + cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) >> + rc = commands.getstatusoutput(cmd) >> + if rc[0] != 0: >> + print rc[1] >> + errors += 1 >> return errors >> >> def chcat_replace(newcat, objects, login_ind): 
>> @@ -362,6 +393,10 @@ >> >> if list_ind == 0 and len(cmds) < 1: >> usage() >> + >> + except getopt.error, error: >> + errorExit(_("Options Error %s ") % error.msg) >> + >> except ValueError, e: >> usage() >> >> diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat.8 policycoreutils-2.0.1/scripts/chcat.8 >> --- nsapolicycoreutils/scripts/chcat.8 2007-01-17 11:11:34.000000000 -0500 >> +++ policycoreutils-2.0.1/scripts/chcat.8 2007-02-15 15:16:09.000000000 -0500 >> @@ -3,30 +3,31 @@ >> chcat \- change file SELinux security category >> .SH SYNOPSIS >> .B chcat >> -\fICATEGORY FILE\fR... >> +\fIcategory file\fR... >> .br >> .B chcat -l >> -\fICATEGORY USER\fR... >> +\fIcategory user\fR... >> .br >> .B chcat >> -\fI[[+|-]CATEGORY],...] FILE\fR... >> +\fI[[+|-]category...] file\fR... >> .br >> .B chcat -l >> -\fI[[+|-]CATEGORY],...] USER\fR... >> +\fI[[+|-]category...] user\fR... >> .br >> .B chcat >> -[\fI-d\fR] \fIFILE\fR... >> +[\fI-d\fR] \fIfile\fR... >> .br >> .B chcat -l >> -[\fI-d\fR] \fIUSER\fR... >> +[\fI-d\fR] \fIuser\fR... >> .br >> .B chcat >> -\fI-L\fR [-l] [ USER ... ] >> +\fI-L\fR [ -l ] [ user ... ] >> .br >> +.SH DESCRIPTION >> .PP >> -Change/Remove the security CATEGORY for each FILE/USER. >> +Change/Remove the security \fIcategory\fR for each \fIfile\fR or \fIuser\fR. >> .PP >> -Use +/- to add/remove categories from a FILE/USER. >> +Use +/- to add/remove categories from a \fIfile\fR or \fIuser\fR. >> .PP >> .B >> Note: >> > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: chcat changes (Was: Re: policycoreutils patch)
From: Karl MacMillan @ 2007-02-21 16:37 UTC
To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux

Daniel J Walsh wrote:
> Stephen Smalley wrote:
>> On Tue, 2007-02-20 at 09:50 -0500, Daniel J Walsh wrote:
>>
>>> chcat fixes:
>>> * Broken stderr handling fix
>>> * if serange ends in a ":" chop it off.
>>> * Switch chcat to exec semanage rather than use builtin so that
>>> proper transitions happen, otherwise I would have to run chcat under
>>> an semanage context.
>>>
>>
>> Why would a range end in a ":"? Context translation issue?
>>
>>
> No.
>     new_serange = "%s-%s:%s" % (serange[0], top[0], string.join(cats, ","))
>     if new_serange[-1:] == ":":
>         new_serange = new_serange[:-1]
> If you did not have cats you would end up with s0-s0:
>

Then why not something more direct (completely untested):

    new_serange = "%s-%s" % (serange[0], top[0])
    new_cats = ",".join(cats)
    if new_cats != '':
        new_serange = new_serange + ":" + new_cats

I think that the list subscripting with -1 and : is confusing to
non-python programmers. Also, I think that use of string.join is
discouraged in favor of using the join method on strings - though that
likely looks as odd as a -1 index to a non-python programmer.

Karl
* Re: policycoreutils patch
From: Stephen Smalley @ 2007-02-21 17:22 UTC
To: Daniel J Walsh; +Cc: SE Linux

On Tue, 2007-02-20 at 09:50 -0500, Daniel J Walsh wrote:
> newrole hangs on an attached terminal device. Nonblocking allows it to
> proceed.

I dropped this, per the bugzilla report (fixable by passing -L to agetty
in inittab).

> chcat fixes:
> * Broken stderr handling fix
> * if serange ends in a ":" chop it off.
> * Switch chcat to exec semanage rather than use builtin so that
> proper transitions happen, otherwise I would have to run chcat under an
> semanage context.
>
> Man pages fixes to be more standard.
>
>
> More translations.

I merged the rest, except for the call to mcstrans reload from
seobject.py.

--
Stephen Smalley
National Security Agency