* [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
From: Daniel J Walsh @ 2011-08-03 20:56 UTC
To: eparis; +Cc: selinux

This patch looks good to me. acked.

[-- Attachment #2: 0029-policycoreutils-fixfiles-clean-up-var-run-and-var-li.patch --]
[-- Type: text/plain, Size: 0 bytes --]
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
From: Stephen Smalley @ 2011-08-04 14:56 UTC
To: Daniel J Walsh; +Cc: eparis, selinux

On Wed, 2011-08-03 at 16:56 -0400, Daniel J Walsh wrote:
> This patch looks good to me. acked.

From dff45c3977973dfbdbc7261b6fef05215d3515d8 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@redhat.com>
Date: Sun, 10 Jul 2011 13:35:32 +0200
Subject: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
 /var/lib/debug

clean up /var/run and /var/lib/debug just like we do for /tmp and
/var/tmp since they can easily get unlabeled files.

Signed-off-by: Eric Paris <eparis@redhat.com>
---
 policycoreutils/scripts/fixfiles |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 1da3fb2..c5c92bf 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -142,6 +142,8 @@ rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; +find /var/run \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t var_run_t {} \; +[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t lib_t {} \; exit $? } Does it bother anyone else that you are hardcoding policy types into your scripts here? What happens when someone wants to use a different policy that doesn't define those types? -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply related [flat|nested] 15+ messages in thread
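Review bot: with the two added lines, the last command before `exit $?` is now `[ -e /var/lib/debug ] && find ...`, so on a host without /var/lib/debug the `&&` list leaves `$?` at 1 and the function, and with it the script, exits non-zero although nothing failed. Either keep an unconditional command in front of `exit $?` or write the guard as `if [ -e /var/lib/debug ]; then find ... ; fi`. Separately, as raised in the reply above, `file_t`, `unlabeled_t`, `var_run_t` and `lib_t` are type names of one particular policy; under a policy that does not define them the `-context` patterns match nothing and `chcon -t` fails, so the script should derive the types from the running kernel or policy rather than spell them out.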
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
From: Daniel J Walsh @ 2011-08-04 16:42 UTC
To: Stephen Smalley; +Cc: eparis, selinux

On 08/04/2011 10:56 AM, Stephen Smalley wrote:
> On Wed, 2011-08-03 at 16:56 -0400, Daniel J Walsh wrote:
>> This patch looks good to me. acked.
>
> From dff45c3977973dfbdbc7261b6fef05215d3515d8 Mon Sep 17 00:00:00 2001
> From: Eric Paris <eparis@redhat.com>
> Date: Sun, 10 Jul 2011 13:35:32 +0200
> Subject: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
> /var/lib/debug
>
> clean up /var/run and /var/lib/debug just like we do for /tmp and
> /var/tmp since they can easily get unlabeled files.
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
> ---
> policycoreutils/scripts/fixfiles | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
> index 1da3fb2..c5c92bf 100755
> --- a/policycoreutils/scripts/fixfiles
> +++ b/policycoreutils/scripts/fixfiles
@@ -142,6 +142,8 @@ rm -rf > /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* find /tmp \( -context > "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) > -delete find /tmp \( -context "*:file_t*" -o -context > "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; find /var/tmp \( > -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t > tmp_t {} \; +find /var/run \( -context "*:file_t*" -o -context > "*:unlabeled_t*" \) -exec chcon -t var_run_t {} \; +[ -e > /var/lib/debug ] && find /var/lib/debug \( -context "*:file_t*" -o > -context "*:unlabeled_t*" \) -exec chcon -t lib_t {} \; exit $? } > > > Does it bother anyone else that you are hardcoding policy types into > your scripts here? What happens when someone wants to use a > different policy that doesn't define those types? > I guess we could add a file to identify the types of files with no labels and files that the kernel does not understand. Patches welcome... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk46y/0ACgkQrlYvE4MpobPIOQCg4HMijy8wQbb2A8N6Oq/YK9Cd 3jkAnilxruKeLvqm9Ca/tIU/I7959dL2 =C1vN -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
From: Eric Paris @ 2011-08-04 17:33 UTC
To: Stephen Smalley; +Cc: Daniel J Walsh, eparis, selinux

Is there a reasonable way for a script to determine SECINITSID_UNLABELED? You're right though, it does sound like a good todo.

-Eric

On Thu, Aug 4, 2011 at 10:56 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Wed, 2011-08-03 at 16:56 -0400, Daniel J Walsh wrote:
>> This patch looks good to me. acked.
>
> From dff45c3977973dfbdbc7261b6fef05215d3515d8 Mon Sep 17 00:00:00 2001
> From: Eric Paris <eparis@redhat.com>
> Date: Sun, 10 Jul 2011 13:35:32 +0200
> Subject: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
> /var/lib/debug
>
> clean up /var/run and /var/lib/debug just like we do for /tmp and
> /var/tmp since they can easily get unlabeled files.
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
> ---
> policycoreutils/scripts/fixfiles | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
> index 1da3fb2..c5c92bf 100755
> --- a/policycoreutils/scripts/fixfiles
> +++ b/policycoreutils/scripts/fixfiles
> @@ -142,6 +142,8 @@ rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* > find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete > find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; > find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; > +find /var/run \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t var_run_t {} \; > +[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t lib_t {} \; > exit $? > } > > > Does it bother anyone else that you are hardcoding policy types into > your scripts here? What happens when someone wants to use a different > policy that doesn't define those types? > > -- > Stephen Smalley > National Security Agency > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
From: Christopher J. PeBenito @ 2011-08-04 19:16 UTC
To: Eric Paris; +Cc: Stephen Smalley, Daniel J Walsh, eparis, selinux

On 8/4/2011 1:33 PM, Eric Paris wrote:
> Is there a reasonable way for a script to determine
> SECINITSID_UNLABELED? You're right though, it does sound like a good
> todo.

cat /selinux/initial_contexts/unlabeled

> On Thu, Aug 4, 2011 at 10:56 AM, Stephen Smalley<sds@tycho.nsa.gov> wrote:
>> On Wed, 2011-08-03 at 16:56 -0400, Daniel J Walsh wrote:
>>> This patch looks good to me. acked.
>>
>> From dff45c3977973dfbdbc7261b6fef05215d3515d8 Mon Sep 17 00:00:00 2001
>> From: Eric Paris<eparis@redhat.com>
>> Date: Sun, 10 Jul 2011 13:35:32 +0200
>> Subject: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
>> /var/lib/debug
>>
>> clean up /var/run and /var/lib/debug just like we do for /tmp and
>> /var/tmp since they can easily get unlabeled files.
>>
>> Signed-off-by: Eric Paris<eparis@redhat.com>
>> ---
>> policycoreutils/scripts/fixfiles | 2 ++
>> 1 files changed, 2 insertions(+), 0 deletions(-)
>>
>> diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
>> index 1da3fb2..c5c92bf 100755
>> --- a/policycoreutils/scripts/fixfiles
>> +++ b/policycoreutils/scripts/fixfiles
>> @@ -142,6 +142,8 @@ rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* >> find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete >> find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; >> find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; >> +find /var/run \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t var_run_t {} \; >> +[ -e /var/lib/debug ]&& find /var/lib/debug \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t lib_t {} \; >> exit $? >> } >> >> >> Does it bother anyone else that you are hardcoding policy types into >> your scripts here? What happens when someone wants to use a different >> policy that doesn't define those types? -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
From: Stephen Smalley @ 2011-08-04 19:33 UTC
To: Eric Paris; +Cc: Daniel J Walsh, selinux

On Thu, 2011-08-04 at 13:59 -0400, Eric Paris wrote:
> well I guess [selinuxfs]/initial_contexts/unlabeled works for the
> first part, but how to come up with the lib_t/var_t I don't know....
> more initial sids :)

chcon --reference=/lib ...
chcon --reference=/var ...

Or:
chcon `matchpathcon /lib` ...

--
Stephen Smalley
National Security Agency
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and 2011-08-04 19:33 ` Stephen Smalley @ 2011-08-04 20:26 ` Daniel J Walsh 2011-08-04 21:00 ` Eric Paris 0 siblings, 1 reply; 15+ messages in thread From: Daniel J Walsh @ 2011-08-04 20:26 UTC (permalink / raw) To: Stephen Smalley; +Cc: Eric Paris, selinux [-- Attachment #1: Type: text/plain, Size: 401 bytes --] On 08/04/2011 03:33 PM, Stephen Smalley wrote: > On Thu, 2011-08-04 at 13:59 -0400, Eric Paris wrote: >> well I guess [selinuxfs]/initial_contexts/unlabeled works for the >> first part, but how to come up with the lib_t/var_t I don't >> know.... more initial sids :) > > chcon --reference=/lib ... chcon --reference=/var ... > > Or: chcon `matchpathcon /lib` ... > > How about this patch... [-- Attachment #2: unlabeled_file.patch --] [-- Type: text/plain, Size: 2412 bytes --] diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles index 6de710a..9c1e6dd 100755 --- a/policycoreutils/scripts/fixfiles +++ b/policycoreutils/scripts/fixfiles @@ -21,6 +21,31 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# Get the default label returned from the kernel for a file with a lable the +# kernel does not understand +# +get_undefined_type() { + if [ -e /sys/fs/selinux/initial_contexts/unlabeled ]; then + UNKNOWN_LABEL=`cat /sys/fs/selinux/initial_contexts/unlabeled` + else + UNKNOWN_LABEL=`cat /selinux/initial_contexts/unlabeled` + fi + secon -t $UNKNOWN_LABEL +} + +# +# Get the default label for a file without a label +# +get_unlabeled_type() { + if [ -e /sys/fs/selinux/initial_contexts/unlabeled ]; then + NOLABEL=`cat /sys/fs/selinux/initial_contexts/file` + else + NOLABEL=`cat /selinux/initial_contexts/file` + fi + secon -t $NOLABEL +} + +# # Get all mount points that support seclabel # get_all_labeled_mounts() { 
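Review bot: get_undefined_type() and get_unlabeled_type() have no failure path for the case where selinuxfs is mounted at neither /sys/fs/selinux nor /selinux: the `cat` fails, the variable stays empty, and `secon -t $UNKNOWN_LABEL` is then run with no argument, which reports the calling process's own type instead of the kernel's initial context (the case Eric raises in his reply). Make both functions return non-zero when the file cannot be read, for example `[ -r "$f" ] || return 1` before the `cat`, and quote the expansions (`secon -t "$UNKNOWN_LABEL"`). Two smaller points: "lable" in the first comment should read "label", and get_unlabeled_type() tests for the `initial_contexts/unlabeled` file but reads `initial_contexts/file`, so the test should name the file it actually reads.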
@@ -200,11 +225,13 @@ fi ${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE -find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete -find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; -find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; -find /var/run \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t var_run_t {} \; -[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t lib_t {} \; +undefined=`get_undefined_type` +unlabeled=`get_unlabeled_type` +find /tmp \( -context "*:${unlabeled}*" -o -context "*:${undefined}*" \) \( -type s -o -type p \) -delete +find /tmp \( -context "*:${unlabeled}*" -o -context "*:${undefined}*" \) -exec chcon --reference /tmp {} \; +find /var/tmp \( -context "*:${unlabeled}*" -o -context "*:${undefined}*" \) -exec chcon --reference /var/tmp {} \; +find /var/run \( -context "*:${unlabeled}*" -o -context "*:${undefined}*" \) -exec chcon --reference /var/run {} \; +[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:${unlabeled}*" -o -context "*:${undefined}*" \) -exec chcon --reference /lib {} \; exit $? } ^ permalink raw reply related [flat|nested] 15+ messages in thread
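Review bot: `undefined=\`get_undefined_type\`` and `unlabeled=\`get_unlabeled_type\`` are assigned without checking the result, and an empty value turns `-context "*:${unlabeled}*"` into `*:*`, which matches every labelled file, so the first `find /tmp ... -delete` would then remove every socket and pipe under /tmp. Abort before running any `find` when either value is empty, e.g. `[ -n "$undefined" ] && [ -n "$unlabeled" ] || exit 1`. Note also that `chcon --reference /tmp` copies the directory's whole context (user, role and MLS range), whereas the replaced `chcon -t tmp_t` changed only the type; that is probably fine for files that had no valid label, but it is a behaviour change worth a sentence in the commit message.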
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
From: Eric Paris @ 2011-08-04 21:00 UTC
To: Daniel J Walsh; +Cc: Stephen Smalley, Eric Paris, selinux

On 08/04/2011 04:26 PM, Daniel J Walsh wrote:
> On 08/04/2011 03:33 PM, Stephen Smalley wrote:
>> On Thu, 2011-08-04 at 13:59 -0400, Eric Paris wrote:
>>> well I guess [selinuxfs]/initial_contexts/unlabeled works for the
>>> first part, but how to come up with the lib_t/var_t I don't
>>> know.... more initial sids :)
>>
>> chcon --reference=/lib ... chcon --reference=/var ...
>>
>> Or: chcon `matchpathcon /lib` ...
>
> How about this patch...

If you don't have /selinux mounted in one of those two places secon -t will return your process type, which might delete the wrong files.

Not that it makes a huge difference, but we don't really need to pare it down to just the type with secon -t and then search using *$TYPE*.

I also question the use of /sys/fs/selinux/ but I'm not sure we have a good way to find that in a script..... Do we have one?

-Eric
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
From: Daniel J Walsh @ 2011-08-04 21:06 UTC
To: Eric Paris; +Cc: Stephen Smalley, Eric Paris, selinux

On 08/04/2011 05:00 PM, Eric Paris wrote:
> If you don't have /selinux mounted in one of those two places secon
> -t will return your process type, which might delete the wrong
> files.

I guess we should just exit with an error if this happens.

> Not that it makes a huge difference, but we don't really need to pare
> it down to just the type with secon -t and then search using
> *$TYPE*.

Well if you are using mcstransd the MLS field could be translated.

> I also question the use of /sys/fs/selinux/ but I'm not sure we have
> a good way to find that in a script..... Do we have one?

grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }'

> -Eric
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
From: Eric Paris @ 2011-08-04 21:10 UTC
To: Daniel J Walsh; +Cc: Stephen Smalley, Eric Paris, selinux

On 08/04/2011 05:06 PM, Daniel J Walsh wrote:
> On 08/04/2011 05:00 PM, Eric Paris wrote:
>> I also question the use of /sys/fs/selinux/ but I'm not sure we have
>> a good way to find that in a script..... Do we have one?
>
> grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }'

$ grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }'
/selinux
/chroot/selinux
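The two fragile steps in the exchange above, the `grep selinuxfs /proc/self/mountinfo` lookup that can return a decoy line or several mounts, and the later worry that an empty type turns the `-context` pattern into `*:*`, written out defensively as an added example. This is not code from the thread or from the policycoreutils fixfiles script; the helper names selinuxfs_mountpoint, context_type, initial_type and context_pattern and the mountinfo sample are constructed for it, and it assumes only POSIX sh and awk:

```shell
#!/bin/sh
# Added example, not code from the thread or from policycoreutils' fixfiles.
# Assumes POSIX sh and awk; all helper names below are invented here.
#
# Two points the thread turns on: find the selinuxfs mount point by its
# filesystem type rather than by grepping the whole mountinfo line, and never
# let an empty type reach a find(1) -context pattern, where "*:${T}*" would
# collapse to "*:*" and match every labelled file.

# Print the mount point of the first mount whose fs type is selinuxfs.
# $1 is a file in /proc/self/mountinfo format (default: the real one).
# Returns 1 when no selinuxfs mount is listed.
selinuxfs_mountpoint() {
    mountinfo="${1:-/proc/self/mountinfo}"
    # mountinfo fields: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
    # The optional fields vary in number, so locate the "-" separator and read
    # the fs type from the field after it; field 5 is always the mount point.
    awk '{
        for (i = 7; i <= NF; i++) {
            if ($i == "-") {
                if ($(i + 1) == "selinuxfs") { print $5; found = 1; exit }
                break
            }
        }
    }
    END { exit found ? 0 : 1 }' "$mountinfo"
}

# Print the type field of a context "user:role:type[:range]".
# Fails on empty input or on fewer than three fields, so a caller can never
# build a pattern from an empty type.
context_type() {
    [ -n "$1" ] || return 1
    t=$(printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $3 }')
    [ -n "$t" ] || return 1
    printf '%s\n' "$t"
}

# Read the kernel's initial context for SID name $2 ("unlabeled", "file", ...)
# from the selinuxfs mount $1 and reduce it to its type.  Fails when the file
# is unreadable instead of falling through to the caller's own context.
initial_type() {
    ctx=$(cat "$1/initial_contexts/$2" 2>/dev/null) || return 1
    context_type "$ctx"
}

# Build the -context pattern fixfiles uses for a type, refusing an empty one.
context_pattern() {
    [ -n "$1" ] || { echo "refusing to build a -context pattern from an empty type" >&2; return 1; }
    printf '*:%s*\n' "$1"
}

# Constructed mountinfo sample (not real output): a decoy whose mount-point
# path merely contains "selinuxfs", then the host's selinuxfs, then a second
# selinuxfs mount inside a chroot, as in the output quoted in the thread.
sample_mountinfo() {
    cat <<'EOF'
21 1 8:2 / /srv/selinuxfs-backup rw,relatime - ext4 /dev/sda2 rw
22 19 0:16 / /selinux rw,relatime - selinuxfs selinuxfs rw
23 22 0:24 / /chroot/selinux rw,relatime shared:10 - selinuxfs selinuxfs rw
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    sample_mountinfo > "$tmp"
    # A plain "grep selinuxfs" would pick the decoy line; matching the fs type
    # yields /selinux.
    echo "selinuxfs mount: $(selinuxfs_mountpoint "$tmp")"
    # Emulate the selinuxfs initial_contexts files with constructed contents.
    fake=$(mktemp -d) || return 1
    mkdir -p "$fake/initial_contexts"
    printf 'system_u:object_r:unlabeled_t:s0' > "$fake/initial_contexts/unlabeled"
    printf 'system_u:object_r:file_t:s0' > "$fake/initial_contexts/file"
    undefined=$(initial_type "$fake" unlabeled) || return 1
    unlabeled=$(initial_type "$fake" file) || return 1
    echo "patterns: $(context_pattern "$undefined") $(context_pattern "$unlabeled")"
    rm -rf "$tmp" "$fake"
}

demo
```

On a real host, `selinuxfs_mountpoint` with no argument reads /proc/self/mountinfo; the awk program looks only at the filesystem-type field, so a mount source, option or path that happens to contain the word "selinuxfs" is ignored, and when several selinuxfs mounts exist the first listed one is taken, which is the same assumption the thread's `head -1` makes, stated explicitly here.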
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
From: Daniel J Walsh @ 2011-08-04 21:50 UTC
To: Eric Paris; +Cc: Stephen Smalley, Eric Paris, selinux

On 08/04/2011 05:10 PM, Eric Paris wrote:
> On 08/04/2011 05:06 PM, Daniel J Walsh wrote:
>> On 08/04/2011 05:00 PM, Eric Paris wrote:
>>> I also question the use of /sys/fs/selinux/ but I'm not sure we
>>> have a good way to find that in a script..... Do we have one?
>>
>> grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }'
>
> $ grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }'
> /selinux
> /chroot/selinux

Second attempt.

[-- Attachment #2: unlabeled_file.patch --]
[-- Type: text/plain, Size: 2280 bytes --]

diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 6de710a..899dce2 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -21,6 +21,23 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# Get the default label returned from the kernel for a file with a lable the +# kernel does not understand +# +get_undefined_type() { + SELINUXMNT=`grep selinuxfs /proc/self/mountinfo | head -1 | awk '{ print $5 }'` + cat ${SELINUXMNT}/initial_contexts/unlabeled | secon -t +} + +# +# Get the default label for a file without a label +# +get_unlabeled_type() { + SELINUXMNT=`grep selinuxfs /proc/self/mountinfo | head -1 | awk '{ print $5 }'` + cat $SELINUXMNT/initial_contexts/file | secon -t +} + +# # Get all mount points that support seclabel # get_all_labeled_mounts() { 
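Review bot: the `SELINUXMNT=\`grep selinuxfs /proc/self/mountinfo | head -1 | awk '{ print $5 }'\`` lookup is duplicated in both functions and matches the string `selinuxfs` anywhere on the mountinfo line, so a mount whose source, options or mount-point path happens to contain that word would be taken first; match the filesystem-type field (the field after the `-` separator) instead, and compute the mount point once in a shared helper. With `head -1` the function also silently takes the first of several selinuxfs mounts (Eric's output shows `/selinux` and `/chroot/selinux`), which is acceptable only if the first entry is always the host's; a comment stating that assumption would help. The pipeline form `cat ... | secon -t` does address the earlier concern: with an empty mount point or a missing file, secon receives empty input and exits non-zero rather than reporting the caller's own type. The "lable" typo in the first comment is still present.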
@@ -200,11 +217,13 @@ fi ${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE -find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete -find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; -find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; -find /var/run \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t var_run_t {} \; -[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t lib_t {} \; +UNDEFINED=`get_undefined_type` || exit $? +UNLABELED=`get_unlabeled_type` || exit $? +find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -type s -o -type p \) -delete +find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \; +find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \; +find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \; +[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \; exit $? } ^ permalink raw reply related [flat|nested] 15+ messages in thread
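Review bot: `UNDEFINED=\`get_undefined_type\` || exit $?` now stops the script when the helper fails, but the only diagnostic the user gets is secon's "Couldn't read security context" on stderr, which says nothing about selinuxfs; print a message naming the selinuxfs lookup before exiting so a failed `fixfiles` run can be diagnosed. The guard also relies on secon treating empty input as an error; an explicit `[ -n "$UNDEFINED" ] && [ -n "$UNLABELED" ] || exit 1` would make the intent visible and keep the `find ... -delete` line from ever running with a `*:*` pattern if that behaviour changes. The trailing `[ -e /var/lib/debug ] && find ...` immediately before `exit $?` still makes the function exit 1 on hosts without /var/lib/debug, as noted on the original patch.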
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
From: Stephen Smalley @ 2011-08-05 14:18 UTC
To: Daniel J Walsh; +Cc: Eric Paris, Eric Paris, selinux

On Thu, 2011-08-04 at 17:50 -0400, Daniel J Walsh wrote:
> On 08/04/2011 05:10 PM, Eric Paris wrote:
> > $ grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }'
> > /selinux
> > /chroot/selinux
>
> Second attempt.

Technically I think we wanted to encapsulate all references to selinuxfs by using libselinux, whether via direct bindings (as from python) or by adding utils to libselinux (for shell scripts). For example:

$ gcc -lselinux -o getinitialcontext getinitialcontext.c
$ ./getinitialcontext unlabeled
system_u:object_r:unlabeled_t:s0

--
Stephen Smalley
National Security Agency

[-- Attachment #2: getinitialcontext.c --]
[-- Type: text/x-csrc, Size: 370 bytes --]

#include <selinux/selinux.h>
#include <stdlib.h>
#include <stdio.h>

int main(int argc, char **argv)
{
	int rc;
	security_context_t con;

	if (argc != 2) {
		fprintf(stderr, "usage: %s sid-name\n", argv[0]);
		exit(1);
	}

	/* Ask libselinux for the context of the named initial SID
	   ("unlabeled", "file", ...); it locates selinuxfs itself. */
	rc = security_get_initial_context(argv[1], &con);
	if (rc < 0) {
		perror(argv[1]);
		exit(2);
	}

	printf("%s\n", con);
	freecon(con);
	exit(0);
}
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
From: Daniel J Walsh @ 2011-08-05 14:45 UTC
To: Stephen Smalley; +Cc: Eric Paris, Eric Paris, selinux

On 08/05/2011 10:18 AM, Stephen Smalley wrote:
> Technically I think we wanted to encapsulate all references to
> selinuxfs by using libselinux, whether via direct bindings (as from
> python) or by adding utils to libselinux (for shell scripts). For
> example:
> $ gcc -lselinux -o getinitialcontext getinitialcontext.c
> $ ./getinitialcontext unlabeled
> system_u:object_r:unlabeled_t:s0

If we are going to add any more commands to libselinux I would prefer them to be prefixed with selinux or at least se.
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
From: Eric Paris @ 2011-08-05 15:10 UTC
To: Daniel J Walsh; +Cc: Stephen Smalley, Eric Paris, selinux

On 08/05/2011 10:45 AM, Daniel J Walsh wrote:
> If we are going to add any more commands to libselinux I would prefer
> them to be prefixed with selinux or at least se.

no problem, I can call it anything we want. Last issue I question is better handling of there being no result. We wouldn't want to delete context'**' :)

-Eric
* Re: [PATCH 029/155] policycoreutils: fixfiles clean up /var/run and
From: Daniel J Walsh @ 2011-08-05 15:34 UTC
To: Eric Paris; +Cc: Stephen Smalley, Eric Paris, selinux

On 08/05/2011 11:10 AM, Eric Paris wrote:
> no problem, I can call it anything we want. Last issue I question
> is better handling of there being no result. We wouldn't want to
> delete context'**' :)

Well it would actually delete *:*, and they are tmp files ...

echo "" | secon -t
secon: Couldn't read security context: Invalid argument
[Exit 1]
touch /tmp/dan1
# touch /tmp/empty
# cat /tmp/empty | secon -t
secon: Couldn't read security context: Invalid argument
[Exit 1]

So I think you are going to get an error and the app will blow up.

> -Eric