[PATCH] libsemanage: save homedir_template in the policy store for genhomedircon

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] libsemanage: save homedir_template in the policy store for genhomedircon
@ 2015-09-03 15:18 Steve Lawrence
  2015-09-03 15:26 ` Stephen Smalley
  2015-09-04  3:14 ` Jason Zaman
  0 siblings, 2 replies; 4+ messages in thread
From: Steve Lawrence @ 2015-09-03 15:18 UTC (permalink / raw)
  To: SELinux List

We don't currently store homedir_template in the policy store, which
means genhomedircon only has a template file to use if the
homedir_template was generated from the file contexts in the same
transaction.  But homedir_template isn't always generated, as in the
case with setsebool -P. In this and other cases, genhomedircon will not
have a template file resulting in an empty file_contexts.homedir file.

This commit changes this so that homedir_template is always stored in
the policy store so it can be used by genhomedircon regardless of how
policy was built. Also add the homedir_template file to the migration
script.

Signed-off by: Steve Lawrence <slawrence@tresys.com>
---
 libsemanage/src/direct_api.c             | 1 -
 libsemanage/utils/semanage_migrate_store | 3 ++-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
index 90a7b22..6e49cae 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@@ -1415,7 +1415,6 @@ static int semanage_direct_commit(semanage_handle_t * sh)
 
 	/* remove files that are automatically generated and no longer needed */
 	unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL));
-	unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL));
 	unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA));
 
 	if (sh->do_rebuild || modified || bools_modified || fcontexts_modified) {
diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
index 539f469..297c71b 100755
--- a/libsemanage/utils/semanage_migrate_store
+++ b/libsemanage/utils/semanage_migrate_store
@@ -251,7 +251,8 @@ if __name__ == "__main__":
 		"disable_dontaudit",
 		"preserve_tunables",
 		"policy.kern",
-		"file_contexts"]
+		"file_contexts",
+		"homedir_template"]
 
 
 	create_dir(newroot_path(), 0o755)
-- 
2.4.3

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] libsemanage: save homedir_template in the policy store for genhomedircon
  2015-09-03 15:18 [PATCH] libsemanage: save homedir_template in the policy store for genhomedircon Steve Lawrence
@ 2015-09-03 15:26 ` Stephen Smalley
  2015-09-03 16:57   ` Steve Lawrence
  2015-09-04  3:14 ` Jason Zaman
  1 sibling, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2015-09-03 15:26 UTC (permalink / raw)
  To: Steve Lawrence, SELinux List

On 09/03/2015 11:18 AM, Steve Lawrence wrote:
> We don't currently store homedir_template in the policy store, which
> means genhomedircon only has a template file to use if the
> homedir_template was generated from the file contexts in the same
> transaction.  But homedir_template isn't always generated, as in the
> case with setsebool -P. In this and other cases, genhomedircon will not
> have a template file resulting in an empty file_contexts.homedir file.
> 
> This commit changes this so that homedir_template is always stored in
> the policy store so it can be used by genhomedircon regardless of how
> policy was built. Also add the homedir_template file to the migration
> script.
> 
> Signed-off by: Steve Lawrence <slawrence@tresys.com>

Only question I have is whether either of the other two files that are
being unlinked below need to be kept around for the same reason?  Or are
they always generated, even upon setsebool -P?

Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>

> ---
>  libsemanage/src/direct_api.c             | 1 -
>  libsemanage/utils/semanage_migrate_store | 3 ++-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index 90a7b22..6e49cae 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -1415,7 +1415,6 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>  
>  	/* remove files that are automatically generated and no longer needed */
>  	unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL));
> -	unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL));
>  	unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA));
>  
>  	if (sh->do_rebuild || modified || bools_modified || fcontexts_modified) {
> diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
> index 539f469..297c71b 100755
> --- a/libsemanage/utils/semanage_migrate_store
> +++ b/libsemanage/utils/semanage_migrate_store
> @@ -251,7 +251,8 @@ if __name__ == "__main__":
>  		"disable_dontaudit",
>  		"preserve_tunables",
>  		"policy.kern",
> -		"file_contexts"]
> +		"file_contexts",
> +		"homedir_template"]
>  
>  
>  	create_dir(newroot_path(), 0o755)
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] libsemanage: save homedir_template in the policy store for genhomedircon
  2015-09-03 15:26 ` Stephen Smalley
@ 2015-09-03 16:57   ` Steve Lawrence
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Lawrence @ 2015-09-03 16:57 UTC (permalink / raw)
  To: Stephen Smalley, SELinux List

On 09/03/2015 11:26 AM, Stephen Smalley wrote:
> On 09/03/2015 11:18 AM, Steve Lawrence wrote:
>> We don't currently store homedir_template in the policy store, which
>> means genhomedircon only has a template file to use if the
>> homedir_template was generated from the file contexts in the same
>> transaction.  But homedir_template isn't always generated, as in the
>> case with setsebool -P. In this and other cases, genhomedircon will not
>> have a template file resulting in an empty file_contexts.homedir file.
>>
>> This commit changes this so that homedir_template is always stored in
>> the policy store so it can be used by genhomedircon regardless of how
>> policy was built. Also add the homedir_template file to the migration
>> script.
>>
>> Signed-off by: Steve Lawrence <slawrence@tresys.com>
> 
> Only question I have is whether either of the other two files that are
> being unlinked below need to be kept around for the same reason?  Or are
> they always generated, even upon setsebool -P?
> 

FC_TMPL is only in one place when splitting file contexts into
file_contexts and and homedir_template. So that's fine to not keep in
the store.

USERS_EXTRA does actually need to be kept around, since it appears to be
used to genhomedircon, which won't always occur before a policy rebuild.
I'll submit another patch shortly.

> Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
> 
>> ---
>>  libsemanage/src/direct_api.c             | 1 -
>>  libsemanage/utils/semanage_migrate_store | 3 ++-
>>  2 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
>> index 90a7b22..6e49cae 100644
>> --- a/libsemanage/src/direct_api.c
>> +++ b/libsemanage/src/direct_api.c
>> @@ -1415,7 +1415,6 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>>  
>>  	/* remove files that are automatically generated and no longer needed */
>>  	unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL));
>> -	unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL));
>>  	unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA));
>>  
>>  	if (sh->do_rebuild || modified || bools_modified || fcontexts_modified) {
>> diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
>> index 539f469..297c71b 100755
>> --- a/libsemanage/utils/semanage_migrate_store
>> +++ b/libsemanage/utils/semanage_migrate_store
>> @@ -251,7 +251,8 @@ if __name__ == "__main__":
>>  		"disable_dontaudit",
>>  		"preserve_tunables",
>>  		"policy.kern",
>> -		"file_contexts"]
>> +		"file_contexts",
>> +		"homedir_template"]
>>  
>>  
>>  	create_dir(newroot_path(), 0o755)
>>
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] libsemanage: save homedir_template in the policy store for genhomedircon
  2015-09-03 15:18 [PATCH] libsemanage: save homedir_template in the policy store for genhomedircon Steve Lawrence
  2015-09-03 15:26 ` Stephen Smalley
@ 2015-09-04  3:14 ` Jason Zaman
  1 sibling, 0 replies; 4+ messages in thread
From: Jason Zaman @ 2015-09-04  3:14 UTC (permalink / raw)
  To: Steve Lawrence; +Cc: SELinux List

On Thu, Sep 03, 2015 at 11:18:01AM -0400, Steve Lawrence wrote:
> We don't currently store homedir_template in the policy store, which
> means genhomedircon only has a template file to use if the
> homedir_template was generated from the file contexts in the same
> transaction.  But homedir_template isn't always generated, as in the
> case with setsebool -P. In this and other cases, genhomedircon will not
> have a template file resulting in an empty file_contexts.homedir file.
> 
> This commit changes this so that homedir_template is always stored in
> the policy store so it can be used by genhomedircon regardless of how
> policy was built. Also add the homedir_template file to the migration
> script.
> 
> Signed-off by: Steve Lawrence <slawrence@tresys.com>

This does indeed fix my problem. Thanks for the quick fix!
I have backported the patch to gentoo. It seems fairly important so i'd
recommend any other distros on 2.4 do that too. I locked myself out of
one of my machines once :(

Tested by: Jason Zaman <jason@perfinion.com>

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2015-09-04  3:15 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-09-03 15:18 [PATCH] libsemanage: save homedir_template in the policy store for genhomedircon Steve Lawrence
2015-09-03 15:26 ` Stephen Smalley
2015-09-03 16:57   ` Steve Lawrence
2015-09-04  3:14 ` Jason Zaman

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.