From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Sven Vermeulen <sven.vermeulen@siphos.be>,
selinux@tycho.nsa.gov, Eric Paris <eparis@redhat.com>
Subject: Re: pcre 8.33 changes restorecon behavior
Date: Mon, 24 Jun 2013 10:24:19 -0400
Message-ID: <51C85693.5040603@redhat.com>
In-Reply-To: <51C840AB.2030606@tycho.nsa.gov>
On 06/24/2013 08:50 AM, Stephen Smalley wrote:
> On 06/22/2013 12:17 PM, Sven Vermeulen wrote:
>> Hi guys
>>
>> Since libpcre 8.33, the behavior of restorecon is different. Take the
>> context for /sbin for instance:
>>
>> Before libpcre 8.33:
>> # matchpathcon /sbin
>> /sbin system_u:object_r:bin_t:s0
>>
>> With and after libpcre 8.33:
>> # matchpathcon /sbin
>> /sbin <<none>>
>>
>> As a result, trying to reset the label fails:
>>
>> # restorecon -Fv /sbin
>> restorecon: Warning no default label for /sbin
>>
>> Is this a bug in libpcre or are we using it differently? According to
>> Alphat-PC, it is due to rev 1313 of libpcre:
>> http://vcs.pcre.org/viewvc?view=revision&revision=1313
>>
>> Thanks to Alphat-PC for reporting and debugging it at
>> https://bugs.gentoo.org/show_bug.cgi?id=471718
>
> Looks to me as if the compiled regex format changed. So that would be a
> problem for previously compiled regexes cached in the .bin files under
> /etc/selinux/$SELINUXTYPE/contexts/files. You would need to re-run
> sefcontext_compile to regenerate them or delete them and fall back to
> loading from the source configurations.
>
> Not sure if there is a way to automatically detect the change in format
> and handle the conversion on the libselinux side.
>

We could add a trigger when pcre is updated to rerun the commands.
Adding something like the following to selinux-policy would rebuild the pcre
files.

%triggerin -- pcre
selinuxenabled && semodule -nB
exit 0
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
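
An added example, not part of the thread and not libselinux code: one way to approximate the format-change detection asked about above is to treat any cached .bin file older than the installed libpcre as stale and re-run sefcontext_compile on its source, deleting the cache if that fails. The mtime comparison, the function names and the library path in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: recompile cached file-context regexes that predate the
# installed libpcre. Comparing mtimes is a heuristic assumed here; it is
# not how libselinux itself validates .bin files.

# Compiler to invoke; overridable so the logic can be exercised with a stub.
SEFCONTEXT_COMPILE=${SEFCONTEXT_COMPILE:-sefcontext_compile}

# is_stale BIN PCRE_LIB
# True when BIN exists, its source (same name without .bin) exists,
# and BIN is older than the PCRE shared library.
is_stale() {
    [ -f "$1" ] && [ -f "${1%.bin}" ] && [ "$1" -ot "$2" ]
}

# regen_stale DIR PCRE_LIB
# Recompile every stale cache in DIR from its source file. If a compile
# fails, remove the cache so lookups fall back to the source
# configuration. Returns non-zero if any compile failed.
regen_stale() {
    dir=$1 lib=$2 rc=0
    for bin in "$dir"/*.bin; do
        is_stale "$bin" "$lib" || continue
        # sefcontext_compile FILE writes its output to FILE.bin
        if "$SEFCONTEXT_COMPILE" "${bin%.bin}"; then
            echo "recompiled $bin"
        else
            rm -f "$bin"
            echo "compile failed, removed $bin" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage (library path is an assumption and varies by distribution):
#   sh regen.sh /etc/selinux/$SELINUXTYPE/contexts/files /usr/lib64/libpcre.so.1
if [ "$#" -eq 2 ]; then
    regen_stale "$1" "$2"
fi
```

Running matchpathcon /sbin afterwards confirms whether the lookup returns a context again instead of <<none>>.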