* [PATCH 032/155] policycoreutils: fixfiles use new kernel seclabel
From: Daniel J Walsh @ 2011-08-03 20:58 UTC
To: eparis; +Cc: selinux
This patch looks good to me. acked.
[-- Attachment #2: 0032-policycoreutils-fixfiles-use-new-kernel-seclabel-opt.patch --]
[-- Type: text/plain, Size: 0 bytes --]
* Re: [PATCH 032/155] policycoreutils: fixfiles use new kernel seclabel
From: Stephen Smalley @ 2011-08-04 14:58 UTC
To: Daniel J Walsh; +Cc: eparis, selinux
On Wed, 2011-08-03 at 16:58 -0400, Daniel J Walsh wrote:
> This patch looks good to me. acked.
When similar logic was added to setfiles, we included a kernel version
check (>= 2.6.30) to ensure that we didn't end up excluding all
filesystems on older kernels that do not report seclabel.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [PATCH 032/155] policycoreutils: fixfiles use new kernel seclabel
From: Eric Paris @ 2011-08-12 18:22 UTC
To: Stephen Smalley; +Cc: Daniel J Walsh, eparis, selinux
On Thu, Aug 4, 2011 at 10:58 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Wed, 2011-08-03 at 16:58 -0400, Daniel J Walsh wrote:
>> This patch looks good to me. acked.
>
> When similar logic was added to setfiles, we included a kernel version
> check (>= 2.6.30) to ensure that we didn't end up excluding all
> filesystems on older kernels that do not report seclabel.
Patch replaced with the attached.
-Eric
[-- Attachment #2: 0001-policycoreutils-fixfiles-use-new-kernel-seclabel-opt.patch --]
[-- Type: text/x-patch, Size: 2960 bytes --]
From 3d39e0e30ad34500917e695a3a3f3e4f3614dc8f Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@redhat.com>
Date: Sun, 10 Jul 2011 16:09:11 +0200
Subject: [PATCH] policycoreutils: fixfiles: use new kernel seclabel option
The kernel now outputs a mount option called 'seclabel' which indicates
if the filesystem supports security labeling. Use that instead of
having to update some hard-coded list of acceptable filesystems (that
may or may not be acceptable depending on if they were compiled with
security xattrs).
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
---
policycoreutils/scripts/fixfiles | 39 ++++++++++++++++++++++++++++++++++++-
1 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index ba59d87..adc95fe 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -20,6 +20,41 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+VER=`uname -r`
+MAJOR=`echo $VER | cut -d. -f1`
+MINOR=`echo $VER | cut -d. -f2`
+MICRO=`echo $VER | cut -d. -f3`
+#
+# Get all mount points that support labeling. Use the 'seclabel' field if it
+# is available. Else fall back to known fs types which likely support xattrs
+# and we know were not context mounted.
+#
+get_all_labeled_mounts() {
+FS="`cat /proc/self/mounts | sort | uniq | awk '{print $2}'`"
+for i in $FS; do
+ if [ $MAJOR -le 2 ] && [ $MINOR -le 6 ] && [ $MICRO -lt 30 ]
+ then
+ grep " $i " /proc/self/mounts | grep -v "context=" | egrep --silent '(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs )' && echo $i
+ else
+ grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)seclabel(,|$)' && echo $i
+ fi
+done
+}
+
+get_rw_labeled_mounts() {
+FS=`get_all_labeled_mounts | sort | uniq`
+for i in $FS; do
+ grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)rw(,|$)' && echo $i
+done
+}
+
+get_ro_labeled_mounts() {
+FS=`get_all_labeled_mounts | sort | uniq`
+for i in $FS; do
+ grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)ro(,|$)' && echo $i
+done
+}
+
exclude_dirs_from_relabelling() {
exclude_from_relabelling=
if [ -e /etc/selinux/fixfiles_exclude_dirs ]
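Review bot: the version test on the `if [ $MAJOR -le 2 ] && [ $MINOR -le 6 ] && [ $MICRO -lt 30 ]` line does not express "older than 2.6.30": each field is tested on its own, so 2.2.30 or 2.4.31 fail the MICRO test and take the seclabel branch although no such kernel reports seclabel, and a MICRO such as `32-131.el6.x86_64` (what a distribution `uname -r` yields after `cut -d. -f3`) is not an integer, so `[` prints an error and the seclabel branch is taken by accident. Strip the non-numeric suffix from each field, fold the three fields into one number in the style of KERNEL_VERSION(), e.g. `KVER=$((MAJOR * 65536 + MINOR * 256 + MICRO))`, and compare that once against the value for 2.6.30 before the `for` loop instead of re-evaluating the test for every mount point.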
@@ -64,8 +99,8 @@ SYSLOGFLAG="-l"
LOGGER=/usr/sbin/logger
SETFILES=/sbin/setfiles
RESTORECON=/sbin/restorecon
-FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs ).*\(rw/{print $3}';`
-FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs ).*\(ro/{print $3}';`
+FILESYSTEMSRW=`get_rw_labeled_mounts`
+FILESYSTEMSRO=`get_ro_labeled_mounts`
FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
SELINUXTYPE="targeted"
if [ -e /etc/selinux/config ]; then
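Review bot: the removed `FILESYSTEMSRW`/`FILESYSTEMSRO` lines filtered bind mounts out with `egrep -v '\((|.*,)bind(,.*|)\)'`, but the replacement helpers take their list from `/proc/self/mounts`, whose option column carries no `bind` marker, so a bind mount of an already listed filesystem is now returned as a second mount point and the same tree gets relabeled once per mount. Either keep a duplicate check (for instance on the device and fstype columns of the same `/proc/self/mounts` line) or state in the commit message that bind mounts are now deliberately included.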
--
1.7.6
* Re: [PATCH 032/155] policycoreutils: fixfiles use new kernel seclabel
From: Stephen Smalley @ 2011-08-12 18:44 UTC
To: Eric Paris; +Cc: Daniel J Walsh, eparis, selinux
On Fri, 2011-08-12 at 14:22 -0400, Eric Paris wrote:
> On Thu, Aug 4, 2011 at 10:58 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > On Wed, 2011-08-03 at 16:58 -0400, Daniel J Walsh wrote:
>
> >> This patch looks good to me. acked.
> >
> > When similar logic was added to setfiles, we included a kernel version
> > check (>= 2.6.30) to ensure that we didn't end up excluding all
> > filesystems on older kernels that do not report seclabel.
>
> Patch replaced with the attached.
Your version comparison isn't quite right, e.g. consider 2.2.30.
If you want a reliable version compare, you probably want to do
something similar to KERNEL_VERSION() from include/linux/version.h and
convert both versions to simple integers that can be compared. Or you
could do something based on this gem:
http://rubinium.org/blog/archives/2010/04/05/shell-script-version-compare-vercmp/
Or just rewrite fixfiles in a reasonable language ;)
--
Stephen Smalley
National Security Agency
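The KERNEL_VERSION()-style comparison suggested above, carried out as an added shell example that is not part of this thread or of policycoreutils; the function names `kernel_version_code`, `kernel_has_seclabel` and `fieldwise_has_seclabel` are chosen here, and the version strings fed to them are constructed samples.

```shell
# kernel_version_code VERSION
#   Print VERSION as one integer, (major<<16) + (minor<<8) + micro, in the
#   style of KERNEL_VERSION(), so two kernels compare with a plain -ge/-lt.
#   Everything after the numeric prefix ("-131.el6.x86_64", "-rc1") is
#   dropped and missing fields count as 0, so "3.0-rc1" is treated as 3.0.0.
kernel_version_code() {
    clean=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
    old_ifs=$IFS
    IFS=.
    set -- $clean
    IFS=$old_ifs
    echo $(( ${1:-0} * 65536 + ${2:-0} * 256 + ${3:-0} ))
}

# kernel_has_seclabel VERSION
#   Succeed when VERSION >= 2.6.30, the first kernel to report 'seclabel'.
kernel_has_seclabel() {
    [ "$(kernel_version_code "$1")" -ge "$(kernel_version_code 2.6.30)" ]
}

# fieldwise_has_seclabel VERSION
#   The per-field test of the first patch, reproduced only to show its defect:
#   2.2.30 fails the micro test and is mistaken for >= 2.6.30, and a micro
#   field such as "32-131" is not an integer, so `[` complains on stderr.
fieldwise_has_seclabel() {
    major=$(echo "$1" | cut -d. -f1)
    minor=$(echo "$1" | cut -d. -f2)
    micro=$(echo "$1" | cut -d. -f3)
    if [ "$major" -le 2 ] && [ "$minor" -le 6 ] && [ "$micro" -lt 30 ]; then
        return 1
    fi
    return 0
}

# Constructed sample strings; 2.2.30 is the case raised in the thread.
for v in 2.2.30 2.6.29 2.6.30 2.6.32-131.el6.x86_64 3.0-rc1; do
    if kernel_has_seclabel "$v"; then a=yes; else a=no; fi
    if fieldwise_has_seclabel "$v" 2>/dev/null; then b=yes; else b=no; fi
    printf '%-24s code=%-6s seclabel=%-3s fieldwise=%s\n' \
        "$v" "$(kernel_version_code "$v")" "$a" "$b"
done
```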
* Re: [PATCH 032/155] policycoreutils: fixfiles use new kernel seclabel
From: Daniel J Walsh @ 2011-08-15 10:36 UTC
To: Stephen Smalley; +Cc: Eric Paris, eparis, selinux
On 08/12/2011 02:44 PM, Stephen Smalley wrote:
> On Fri, 2011-08-12 at 14:22 -0400, Eric Paris wrote:
>> On Thu, Aug 4, 2011 at 10:58 AM, Stephen Smalley
>> <sds@tycho.nsa.gov> wrote:
>>> On Wed, 2011-08-03 at 16:58 -0400, Daniel J Walsh wrote:
>>
>>>> This patch looks good to me. acked.
>>>
>>> When similar logic was added to setfiles, we included a kernel
>>> version check (>= 2.6.30) to ensure that we didn't end up
>>> excluding all filesystems on older kernels that do not report
>>> seclabel.
>>
>> Patch replaced with the attached.
>
> Your version comparison isn't quite right, e.g. consider 2.2.30. If
> you want a reliable version compare, you probably want to do
> something similar to KERNEL_VERSION() from include/linux/version.h
> and convert both versions to simple integers that can be compared.
> Or you could do something based on this gem:
> http://rubinium.org/blog/archives/2010/04/05/shell-script-version-compare-vercmp/
>
> Or just rewrite fixfiles in a reasonable language ;)
>
Or stop supporting really old versions of kernels with the latest tool
chain.
* Re: [PATCH 032/155] policycoreutils: fixfiles use new kernel seclabel
From: Eric Paris @ 2011-08-15 15:27 UTC
To: Stephen Smalley; +Cc: Eric Paris, Daniel J Walsh, selinux
On 08/12/2011 02:44 PM, Stephen Smalley wrote:
> On Fri, 2011-08-12 at 14:22 -0400, Eric Paris wrote:
>> On Thu, Aug 4, 2011 at 10:58 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>> On Wed, 2011-08-03 at 16:58 -0400, Daniel J Walsh wrote:
>>
>>>> This patch looks good to me. acked.
>>>
>>> When similar logic was added to setfiles, we included a kernel version
>>> check (>= 2.6.30) to ensure that we didn't end up excluding all
>>> filesystems on older kernels that do not report seclabel.
>>
>> Patch replaced with the attached.
>
> Your version comparison isn't quite right, e.g. consider 2.2.30.
> If you want a reliable version compare, you probably want to do
> something similar to KERNEL_VERSION() from include/linux/version.h and
> convert both versions to simple integers that can be compared. Or you
> could do something based on this gem:
> http://rubinium.org/blog/archives/2010/04/05/shell-script-version-compare-vercmp/
>
> Or just rewrite fixfiles in a reasonable language ;)
Decided to go with the gem.
[-- Attachment #2: 0001-policycoreutils-fixfiles-use-new-kernel-seclabel-opt.patch --]
[-- Type: text/plain, Size: 3418 bytes --]
From 1da72eea266fdee3603204423ab1d9e68ff05f79 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@redhat.com>
Date: Sun, 10 Jul 2011 16:09:11 +0200
Subject: [PATCH] policycoreutils: fixfiles: use new kernel seclabel option
The kernel now outputs a mount option called 'seclabel' which indicates
if the filesystem supports security labeling. Use that instead of
having to update some hard-coded list of acceptable filesystems (that
may or may not be acceptable depending on if they were compiled with
security xattrs).
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
---
policycoreutils/scripts/fixfiles | 48 ++++++++++++++++++++++++++++++++++++-
1 files changed, 46 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index ba59d87..54226eb 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -20,6 +20,50 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# seclabel support was added in 2.6.30. This function will return a positive
+# number if the current kernel version is greater than 2.6.30, a negative
+# number if the current is less than 2.6.30 and 0 if they are the same.
+#
+function useseclabel {
+ VER=`uname -r`
+ SUP=2.6.30
+ expr '(' "$VER" : '\([^.]*\)' ')' '-' '(' "$SUP" : '\([^.]*\)' ')' '|' \
+ '(' "$VER.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0" : '[^.]*[.]\([^.]*\)' ')' '|' \
+ '(' "$VER.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')'
+}
+
+#
+# Get all mount points that support labeling. Use the 'seclabel' field if it
+# is available. Else fall back to known fs types which likely support xattrs
+# and we know were not context mounted.
+#
+get_all_labeled_mounts() {
+FS="`cat /proc/self/mounts | sort | uniq | awk '{print $2}'`"
+for i in $FS; do
+ if [ `useseclabel` -ge 0 ]
+ then
+ grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)seclabel(,|$)' && echo $i
+ else
+ grep " $i " /proc/self/mounts | grep -v "context=" | egrep --silent '(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs )' && echo $i
+ fi
+done
+}
+
+get_rw_labeled_mounts() {
+FS=`get_all_labeled_mounts | sort | uniq`
+for i in $FS; do
+ grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)rw(,|$)' && echo $i
+done
+}
+
+get_ro_labeled_mounts() {
+FS=`get_all_labeled_mounts | sort | uniq`
+for i in $FS; do
+ grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)ro(,|$)' && echo $i
+done
+}
+
exclude_dirs_from_relabelling() {
exclude_from_relabelling=
if [ -e /etc/selinux/fixfiles_exclude_dirs ]
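Review bot: `useseclabel` breaks on distribution kernel strings: for a `uname -r` of `2.6.32-131.el6.x86_64` the third match `'[^.]*[.][^.]*[.]\([^.]*\)'` yields `32-131`, `expr` rejects the subtraction as a non-integer argument and prints nothing, and `[ -ge 0 ]` then fails with an error, so every such kernel silently falls back to the hard-coded filesystem list. Strip the suffix before comparing (e.g. `VER=\`uname -r | sed 's/[^0-9.].*//'\``), and since the result does not depend on the mount point, evaluate it once before the `for` loop instead of spawning `uname` and `expr` per entry. The `function useseclabel {` form is also inconsistent with the `get_all_labeled_mounts() {` style of the neighbouring functions and is not POSIX sh.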
@@ -64,8 +108,8 @@ SYSLOGFLAG="-l"
LOGGER=/usr/sbin/logger
SETFILES=/sbin/setfiles
RESTORECON=/sbin/restorecon
-FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs ).*\(rw/{print $3}';`
-FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs ).*\(ro/{print $3}';`
+FILESYSTEMSRW=`get_rw_labeled_mounts`
+FILESYSTEMSRO=`get_ro_labeled_mounts`
FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
SELINUXTYPE="targeted"
if [ -e /etc/selinux/config ]; then
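Review bot: `FILESYSTEMSRW=\`get_rw_labeled_mounts\`` and `FILESYSTEMSRO=\`get_ro_labeled_mounts\`` each call `get_all_labeled_mounts`, which in turn greps `/proc/self/mounts` once per mount point, so the whole mount table is rescanned twice over; computing the labeled list once into a variable and filtering it for `rw` and `ro` would keep this linear. The bind-mount exclusion `egrep -v '\((|.*,)bind(,.*|)\)'` of the removed lines is also still gone, as in the previous version of the patch, so bind mounts of an already listed filesystem are relabeled again under their second mount point.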
--
1.7.6