Several fixes to restorecond

Several fixes to restorecond

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 660 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Init script should be 755

libflashplayer.so has moved in the homedir and is now correct so no
longer needs to have labeling checked.

restorecond supports glob matching and should not complain on multiple
hard links if they match a glob.

So if a file has > 1 link and is an exact match complain, otherwise do not.

Also fix a couple of error messages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkma6JYACgkQrlYvE4MpobOoIACfUgUfpCuhvVTWyHgsq7/8hY0z
9WcAmgPK2KktAlY84HhtRmdu/Hy+9eE/
=zcCj
-----END PGP SIGNATURE-----

[-- Attachment #2: restorecond.patch --]
[-- Type: text/plain, Size: 5079 bytes --]

--- nsapolicycoreutils/restorecond/Makefile	2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.61/restorecond/Makefile	2009-01-30 11:22:46.000000000 -0500
@@ -20,7 +20,7 @@
 	install -m 755 restorecond $(SBINDIR)
 	install -m 644 restorecond.8 $(MANDIR)/man8
 	-mkdir -p $(INITDIR)
-	install -m 644 restorecond.init $(INITDIR)/restorecond
+	install -m 755 restorecond.init $(INITDIR)/restorecond
 	-mkdir -p $(SELINUXDIR)
 	install -m 600 restorecond.conf $(SELINUXDIR)/restorecond.conf
 
--- nsapolicycoreutils/restorecond/restorecond.conf	2008-09-12 11:48:15.000000000 -0400
+++ policycoreutils-2.0.61/restorecond/restorecond.conf	2009-01-30 11:10:14.000000000 -0500
@@ -5,4 +5,3 @@
 /var/run/utmp
 /var/log/wtmp
 ~/*
-~/.mozilla/plugins/libflashplayer.so
--- nsapolicycoreutils/restorecond/restorecond.c	2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.61/restorecond/restorecond.c	2009-01-30 11:21:09.000000000 -0500
@@ -1,7 +1,7 @@
 /*
  * restorecond
  *
- * Copyright (C) 2006 Red Hat 
+ * Copyright (C) 2006-2009 Red Hat 
  * see file 'COPYING' for use and warranty information
  *
  * This program is free software; you can redistribute it and/or
@@ -75,7 +75,7 @@
 static int debug_mode = 0;
 static int verbose_mode = 0;
 
-static void restore(const char *filename);
+static void restore(const char *filename, int exact);
 
 struct watchList {
 	struct watchList *next;
@@ -113,12 +113,13 @@
 		printf("%d: File=%s\n", wd, file);
 	while (ptr != NULL) {
 		if (ptr->wd == wd) {
-			if (strings_list_find(ptr->files, file) == 0) {
+			int exact=0;
+			if (strings_list_find(ptr->files, file, &exact) == 0) {
 				char *path = NULL;
 				if (asprintf(&path, "%s/%s", ptr->dir, file) <
 				    0)
 					exitApp("Error allocating memory.");
-				restore(path);
+				restore(path, exact);
 				free(path);
 				return 0;
 			}
@@ -155,7 +156,7 @@
    Set the file context to the default file context for this system.
    Same as restorecon.
 */
-static void restore(const char *filename)
+static void restore(const char *filename, int exact)
 {
 	int retcontext = 0;
 	security_context_t scontext = NULL;
@@ -181,9 +182,11 @@
 	}
 
 	if (!(st.st_mode & S_IFDIR) && st.st_nlink > 1) {
-		syslog(LOG_ERR,
-		       "Will not restore a file with more than one hard link (%s) %s\n",
-		       filename, strerror(errno));
+		if (exact) { 
+			syslog(LOG_ERR,
+			       "Will not restore a file with more than one hard link (%s) %s\n",
+			       filename, strerror(errno));
+		}
 		close(fd);
 		return;
 	}
@@ -283,6 +286,8 @@
 	inotify_rm_watch(fd, master_wd);
 	master_wd =
 	    inotify_add_watch(fd, watch_file_path, IN_MOVED_FROM | IN_MODIFY);
+	if (master_wd == -1)
+		exitApp("Error watching config file.");
 }
 
 /* 
@@ -396,7 +401,7 @@
 	char *file = basename(path);
 	ptr = firstDir;
 
-	restore(path);
+	restore(path, 1);
 
 	while (ptr != NULL) {
 		if (strcmp(dir, ptr->dir) == 0) {
@@ -411,7 +416,14 @@
 
 	if (!ptr)
 		exitApp("Out of Memory");
+
 	ptr->wd = inotify_add_watch(fd, dir, IN_CREATE | IN_MOVED_TO);
+	if (ptr->wd == -1) {
+		free(ptr);
+		syslog(LOG_ERR, "Unable to watch (%s) %s\n",
+		       path, strerror(errno));
+		return;
+	}
 
 	ptr->dir = strdup(dir);
 	if (!ptr->dir)
--- nsapolicycoreutils/restorecond/stringslist.c	2008-09-12 11:48:15.000000000 -0400
+++ policycoreutils-2.0.61/restorecond/stringslist.c	2009-01-30 11:20:48.000000000 -0500
@@ -55,9 +55,10 @@
 		*list = newptr;
 }
 
-int strings_list_find(struct stringsList *ptr, const char *string)
+int strings_list_find(struct stringsList *ptr, const char *string, int *exact)
 {
 	while (ptr) {
+		*exact = strcmp(ptr->string, string) == 0;
 		int cmp = fnmatch(ptr->string, string, 0);
 		if (cmp == 0) 
 			return 0;	/* Match found */
--- nsapolicycoreutils/restorecond/stringslist.h	2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.61/restorecond/stringslist.h	2009-01-30 11:27:00.000000000 -0500
@@ -31,7 +31,7 @@
 void strings_list_free(struct stringsList *list);
 void strings_list_add(struct stringsList **list, const char *string);
 void strings_list_print(struct stringsList *list);
-int strings_list_find(struct stringsList *list, const char *string);
+int strings_list_find(struct stringsList *list, const char *string, int *exact);
 int strings_list_diff(struct stringsList *from, struct stringsList *to);
 
 #endif
--- nsapolicycoreutils/restorecond/utmpwatcher.c	2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.61/restorecond/utmpwatcher.c	2009-01-20 09:49:03.000000000 -0500
@@ -57,7 +57,7 @@
 	utmp_ptr = NULL;
 	FILE *cfg = fopen(utmp_path, "r");
 	if (!cfg)
-		exitApp("Error reading config file.");
+		exitApp("Error reading utmp file.");
 
 	while (fread(&u, sizeof(struct utmp), 1, cfg) > 0) {
 		if (u.ut_type == USER_PROCESS)
@@ -69,6 +69,9 @@
 
 	utmp_wd =
 	    inotify_add_watch(inotify_fd, utmp_path, IN_MOVED_FROM | IN_MODIFY);
+	if (utmp_wd == -1)
+		exitApp("Error watching utmp file.");
+
 	if (prev_utmp_ptr) {
 		changed = strings_list_diff(prev_utmp_ptr, utmp_ptr);
 		strings_list_free(prev_utmp_ptr);

[-- Attachment #3: restorecond.patch.sig --]
[-- Type: application/pgp-signature, Size: 72 bytes --]

Re: Several fixes to restorecond

[Joshua Brindle]

Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Init script should be 755
> 
> libflashplayer.so has moved in the homedir and is now correct so no
> longer needs to have labeling checked.
> 
> restorecond supports glob matching and should not complain on multiple
> hard links if they match a glob.
> 
> So if a file has > 1 link and is an exact match complain, otherwise do not.
> 
> Also fix a couple of error messages.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> 
> iEYEARECAAYFAkma6JYACgkQrlYvE4MpobOoIACfUgUfpCuhvVTWyHgsq7/8hY0z
> 9WcAmgPK2KktAlY84HhtRmdu/Hy+9eE/
> =zcCj
> -----END PGP SIGNATURE-----
> 

Merged in policycoreutils 2.0.62

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Several fixes to restorecond

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joshua Brindle wrote:
> Daniel J Walsh wrote:
> Init script should be 755
> 
> libflashplayer.so has moved in the homedir and is now correct so no
> longer needs to have labeling checked.
> 
> restorecond supports glob matching and should not complain on multiple
> hard links if they match a glob.
> 
> So if a file has > 1 link and is an exact match complain, otherwise do
> not.
> 
> Also fix a couple of error messages.
>>

> Merged in policycoreutils 2.0.62

> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.

This is what the F10 homedir_template looks like

HOME_DIR/.+	system_u:object_r:user_home_t:s0
HOME_DIR/.pulse(/.*)?	system_u:object_r:gnome_home_t:s0
HOME_DIR/.gnome2(/.*)?	system_u:object_r:gnome_home_t:s0
HOME_DIR/.*/plugins/nppdf\.so	--	system_u:object_r:textrel_shlib_t:s0
HOME_DIR/.*/plugins/nppdf\.so.*	--	system_u:object_r:textrel_shlib_t:s0
HOME_DIR/.*/plugins/nprhapengine\.so.*	--	system_u:object_r:textrel_shlib_
t:s0
HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)?
system_u:object_r:httpd_
user_content_t:s0
HOME_ROOT/a?quota\.(user|group)	--	system_u:object_r:quota_db_t:s0
HOME_DIR/\.ssh(/.*)?	system_u:object_r:ssh_home_t:s0
HOME_DIR/\.uml(/.*)?	system_u:object_r:user_uml_rw_t:s0
HOME_DIR/\.java(/.*)?	system_u:object_r:mozilla_home_t:s0
HOME_DIR/\.local.*	system_u:object_r:gconf_home_t:s0
HOME_DIR/\.xauth.*	--	system_u:object_r:xauth_home_t:s0
HOME_DIR/\.fonts(/.*)?	system_u:object_r:fonts_home_t:s0
HOME_DIR/\.gnupg(/.+)?	system_u:object_r:gpg_secret_t:s0
HOME_DIR/\.adobe(/.*)?	system_u:object_r:nsplugin_home_t:s0
HOME_DIR/\.pyzor(/.*)?	system_u:object_r:pyzor_home_t:s0
HOME_DIR/\.spamd(/.*)?	system_u:object_r:pyzor_home_t:s0
HOME_DIR/\.razor(/.*)?	system_u:object_r:razor_home_t:s0
HOME_DIR/vmware(/.*)?	system_u:object_r:vmware_home_t:s0
HOME_DIR/\.gconf(d)?(/.*)?	system_u:object_r:gconf_home_t:s0
HOME_DIR/\.galeon(/.*)?	system_u:object_r:mozilla_home_t:s0
HOME_DIR/\.vmware(/.*)?	system_u:object_r:vmware_home_t:s0
HOME_DIR/\.vmware[^/]*/.*\.cfg	--	system_u:object_r:vmware_home_t:s0
HOME_DIR/\.mozilla(/.*)?	system_u:object_r:mozilla_home_t:s0
HOME_DIR/\.phoenix(/.*)?	system_u:object_r:mozilla_home_t:s0
HOME_DIR/\.mplayer(/.*)?	system_u:object_r:mplayer_home_t:s0
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.*	--	system_u:object_
r:textrel_shlib_t:s0
HOME_DIR/\.ethereal(/.*)?	system_u:object_r:ethereal_home_t:s0
HOME_DIR/\.netscape(/.*)?	system_u:object_r:mozilla_home_t:s0
HOME_DIR/\.gstreamer-.*	system_u:object_r:nsplugin_home_t:s0
HOME_DIR/\.Xauthority.*	--	system_u:object_r:xauth_home_t:s0
HOME_DIR/\.fontconfig(/.*)?	system_u:object_r:fonts_config_home_t:s0
HOME_DIR/\.fonts/auto(/.*)?	system_u:object_r:fonts_cache_home_t:s0
HOME_DIR/\.macromedia(/.*)?	system_u:object_r:nsplugin_home_t:s0
HOME_DIR/\.gstreamer-.*/plugins/.*\.so.*	--	system_u:object_r:textre
l_shlib_t:s0
HOME_ROOT/lost\+found/.*	<<none>>
HOME_DIR/\.config/gtk-.*	system_u:object_r:gnome_home_t:s0
HOME_DIR/\.fonts\.cache-.*	--	system_u:object_r:fonts_cache_home_t:s0
HOME_DIR/\.ICEauthority.*	--	system_u:object_r:iceauth_home_t:s0
HOME_DIR/\.config/totem(/.*)?	system_u:object_r:nsplugin_home_t:s0
HOME_DIR/\.config/gxine(/.*)?	system_u:object_r:nsplugin_home_t:s0
HOME_DIR/\.gcjwebplugin(/.*)?	system_u:object_r:nsplugin_home_t:s0
HOME_DIR/\.spamassassin(/.*)?	system_u:object_r:spamc_home_t:s0
HOME_DIR/\.icedteaplugin(/.*)?	system_u:object_r:nsplugin_home_t:s0
HOME_DIR/\.xsession-errors.*	--	system_u:object_r:xdm_home_t:s0
HOME_DIR	-d	system_u:object_r:user_home_dir_t:s0
HOME_DIR	-l	system_u:object_r:user_home_dir_t:s0
HOME_ROOT	-d	system_u:object_r:home_root_t:s0
HOME_DIR/\.ircmotd	--	system_u:object_r:ROLE_irc_home_t:s0
HOME_ROOT/\.journal	<<none>>
HOME_DIR/\.screenrc	--	system_u:object_r:user_screen_ro_home_t:s0
HOME_DIR/\.fonts\.conf	--	system_u:object_r:fonts_config_home_t:s0
HOME_ROOT/lost\+found	-d	system_u:object_r:lost_found_t:s0

I Have no ROLE or USER, but I still need HOME_DIR and HOME_ROOT
translated, and these do not apply to /root
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmcfWIACgkQrlYvE4MpobOlaQCcCU5CDLlKZm/q8DSVqimz9u8z
m9AAoOIOFqm2RRzluq5Er3eraLARkIb+
=hWXM
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.