List: selinux
Subject: Re: patch to policycoreutils
From: Chad Sellers <csellers () tresys ! com>
Date: 2009-04-23 20:01:57
Message-ID: C6164175.A6B07%csellers () tresys ! com
On 4/22/09 9:50 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:
> On 04/22/2009 06:03 PM, Chad Sellers wrote:
>> On 4/1/09 10:10 AM, "Daniel J Walsh"<dwalsh@redhat.com> wrote:
>>
>>> Multiple patches to policycoreutils.
>>>
>>> First added /root/.ssh and /root/.ssh/* to allow people to place keys
>>> in /root directory and have them labeled by restorecond
>>>
>>> Fix transaction handling in semanage so you can update multiple records
>>> simultaneously.
>>>
>>> Clean up permissive domains creation in semanage so it does not leave
>>> crap in /var/lib/selinux
>>>
>>> diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui
>>> --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf
>>> policycoreutils-2.0.62/restorecond/restorecond.conf
>>> --- nsapolicycoreutils/restorecond/restorecond.conf 2009-02-18
>>> 16:44:47.000000000 -0500
>>> +++ policycoreutils-2.0.62/restorecond/restorecond.conf 2009-02-23
>>> 11:32:21.000000000 -0500
>>> @@ -5,3 +5,7 @@
>>> /var/run/utmp
>>> /var/log/wtmp
>>> ~/*
>>> +/root/.ssh
>>> +/root/.ssh/*
>>> +
>>> +
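Review bot: The two bare `+` lines at the end of this hunk append empty lines to restorecond.conf after `/root/.ssh/*`; they carry no entry and can be dropped so the file ends at the last path. The patch description is also the only place that explains why /root/.ssh is listed separately when `~/*` already appears just above, so that reason is worth recording next to the change.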
>>> diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui
>>> --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles
>>> policycoreutils-2.0.62/scripts/fixfiles
>>> --- nsapolicycoreutils/scripts/fixfiles 2009-02-18 16:44:47.000000000
>>> -0500
>>> +++ policycoreutils-2.0.62/scripts/fixfiles 2009-02-19 10:07:49.000000000
>>> -0500
>>> @@ -122,7 +122,7 @@
>>> fi
>>> if [ ! -z "$RPMFILES" ]; then
>>> for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
>>> - rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -i -f - 2>&1>>
>>> $LOGFILE
>>> + rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -R -i -f -
>>> 2>&1>>
>>> $LOGFILE
>>> done
>>> exit $?
>>> fi
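Review bot: The changed restorecon line still ends in `2>&1>> $LOGFILE`, which points stderr at the original stdout before stdout is appended to $LOGFILE, so restorecon's error output does not land in the log; if both streams are meant to be logged, write `>> $LOGFILE 2>&1`. The added `-R` has no comment and is not mentioned in the patch description, and since it makes restorecon descend into every directory the package lists, a short comment saying that is intended would help.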
>> Not sure I understand this one, and it didn't seem to be mentioned in your
>> comment. You're changing fixfiles to relabel recursively when it's fixing
>> files from an rpm? Wouldn't an rpm already list all the files it owned?
>>
>> <snip due to previously ack'd patch>
>>> @@ -303,6 +308,12 @@
>>> if rc< 0:
>>> raise ValueError(_("Could not commit semanage
>>> transaction"))
>>>
>>> + def finish(self):
>>> + if not self.transaction:
>>> + raise ValueError(_("Semanage transaction not in
>>> progress"))
>>> + self.transaction = False
>>> + self.commit()
>>> +
>>> class permissiveRecords(semanageRecords):
>>> def __init__(self, store):
>>> semanageRecords.__init__(self, store)
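Review bot: The new finish() clears `self.transaction` before calling `self.commit()`, so if the commit fails with the ValueError shown in the context lines just above, a second call to finish() raises "Semanage transaction not in progress" and the caller has no way to retry or to tell the two failures apart. A docstring stating that finish() pairs with whatever sets `self.transaction` and performs the deferred commit, and what state the object is in after a failed commit, would make the contract clear.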
>>> @@ -328,6 +339,7 @@
>>>
>>>
>>> def add(self, type):
>>> + import glob
>>> name = "permissive_%s" % type
>>> dirname = "/var/lib/selinux"
>>> os.chdir(dirname)
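Review bot: `import glob` is placed inside add(); it reads better with the module's other imports at the top of the file, where `os` is evidently already imported, unless there is a reason to defer it. The context also shows add() doing `os.chdir(dirname)` into /var/lib/selinux, so the relative `glob.glob(...)` and `os.removedirs("tmp")` added in the next hunk depend on that working directory still being in effect.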
>>> @@ -351,16 +363,19 @@
>>> fd.close()
>>>
>>> rc = semanage_module_install(self.sh, data, len(data));
>>> - if rc< 0:
>>> - raise ValueError(_("Could not set permissive domain %s (module
>>> installation failed)") % name)
>>> -
>>> - self.commit()
>>> + if rc>= 0:
>>> + self.commit()
>>>
>>> for root, dirs, files in os.walk("tmp", topdown=False):
>>> for name in files:
>>> os.remove(os.path.join(root, name))
>>> for name in dirs:
>>> os.rmdir(os.path.join(root, name))
>>> + os.removedirs("tmp")
>>> + for i in glob.glob("permissive_%s.*" % type):
>>> + os.remove(i)
>>> + if rc< 0:
>>> + raise ValueError(_("Could not set permissive domain %s (module
>>> installation failed)") % name)
>>>
>>> def delete(self, name):
>>> for n in name.split():
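Review bot: Moving the `raise ValueError(... % name)` below the cleanup loop changes what it reports, because `for name in files:` and `for name in dirs:` rebind `name`, which the previous hunk shows was set to `"permissive_%s" % type`; after the loop the error message will carry the last file or directory removed from tmp rather than the module name. Rename the loop variables (or format the message before the loop). Separately, `self.commit()` can itself raise, in which case the new removal of tmp and of `permissive_%s.*` is skipped; wrapping the install and commit in try/finally with the cleanup in the finally block would cover both failure paths.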
>>
>> Other than that one thing, this looks fine to me.
>>
>> Thanks,
>> Chad
>>
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
> If a package owned a directory like /var/lib/libvirt/images, when it is
> relabeling we would want it to relabel not only the directory but the
> contents of the directory.
Makes sense.
Acked-by: Chad Sellers <csellers@tresys.com>