208 lines
7 KiB
Diff
208 lines
7 KiB
Diff
From 9caebebd598de737f27cdc8d5253a2cebd67d5a9 Mon Sep 17 00:00:00 2001
|
|
From: Jason Zaman <jason@perfinion.com>
|
|
Date: Wed, 22 Apr 2015 18:27:09 +0400
|
|
Subject: [PATCH] libsemanage: do not copy contexts in semanage_migrate_store
|
|
|
|
The modules from the old store were previously copied to the new one
|
|
using setfscreatecon and shutil.copy2(). Now that refpolicy has rules
|
|
about the new policy location[1], copying the contexts is redundant.
|
|
|
|
More importantly, the setcreatefscon caused a constraint violation[2]
|
|
which made the migration fail. In python3, shutil.copy2() copies xattrs
|
|
as well which again causes problems. shutil.copy() is enough for our
|
|
needs here as it will copy the file and permissions in both py2 and 3.
|
|
We do not need the extra things that copy2() does (mtime, xattr, etc).
|
|
|
|
[1] http://oss.tresys.com/pipermail/refpolicy/2014-December/007511.html
|
|
|
|
[2]
|
|
type=AVC msg=audit(1429438272.872:1869): avc: denied { create } for pid=28739 comm="semanage_migrat" name="strict" scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:semanage_store_t tclass=dir permissive=0
|
|
constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
|
|
allow semanage_t semanage_store_t:dir create;
|
|
|
|
Signed-off-by: Jason Zaman <jason@perfinion.com>
|
|
---
|
|
libsemanage/utils/semanage_migrate_store | 77 ++++++++------------------------
|
|
1 file changed, 18 insertions(+), 59 deletions(-)
|
|
|
|
diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
|
|
index 03b492e..2f85e9c 100755
|
|
--- a/libsemanage/utils/semanage_migrate_store
|
|
+++ b/libsemanage/utils/semanage_migrate_store
|
|
@@ -8,7 +8,6 @@ import shutil
|
|
import sys
|
|
from optparse import OptionParser
|
|
|
|
-import bz2
|
|
import ctypes
|
|
|
|
sepol = ctypes.cdll.LoadLibrary('libsepol.so')
|
|
@@ -21,41 +20,20 @@ except:
|
|
exit(1)
|
|
|
|
|
|
-
|
|
-
|
|
-# For some reason this function doesn't exist in libselinux :\
|
|
-def copy_with_context(src, dst):
|
|
+def copy_file(src, dst):
|
|
if DEBUG:
|
|
print("copying %s to %s" % (src, dst))
|
|
try:
|
|
- con = selinux.lgetfilecon_raw(src)[1]
|
|
- except:
|
|
- print("Could not get file context of %s" % src, file=sys.stderr)
|
|
- exit(1)
|
|
-
|
|
- try:
|
|
- selinux.setfscreatecon_raw(con)
|
|
- except:
|
|
- print("Could not set fs create context: %s" %con, file=sys.stderr)
|
|
- exit(1)
|
|
-
|
|
- try:
|
|
- shutil.copy2(src, dst)
|
|
+ shutil.copy(src, dst)
|
|
except OSError as the_err:
|
|
(err, strerr) = the_err.args
|
|
print("Could not copy %s to %s, %s" %(src, dst, strerr), file=sys.stderr)
|
|
exit(1)
|
|
|
|
- try:
|
|
- selinux.setfscreatecon_raw(None)
|
|
- except:
|
|
- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr)
|
|
|
|
-def create_dir_from(src, dst, mode):
|
|
+def create_dir(dst, mode):
|
|
if DEBUG: print("Making directory %s" % dst)
|
|
try:
|
|
- con = selinux.lgetfilecon_raw(src)[1]
|
|
- selinux.setfscreatecon_raw(con)
|
|
os.makedirs(dst, mode)
|
|
except OSError as the_err:
|
|
(err, stderr) = the_err.args
|
|
@@ -65,28 +43,18 @@ def create_dir_from(src, dst, mode):
|
|
print("Error creating %s" % dst, file=sys.stderr)
|
|
exit(1)
|
|
|
|
- try:
|
|
- selinux.setfscreatecon_raw(None)
|
|
- except:
|
|
- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr)
|
|
|
|
-def create_file_from(src, dst):
|
|
+def create_file(dst):
|
|
if DEBUG: print("Making file %s" % dst)
|
|
try:
|
|
- con = selinux.lgetfilecon_raw(src)[1]
|
|
- selinux.setfscreatecon_raw(con)
|
|
open(dst, 'a').close()
|
|
except OSError as the_err:
|
|
(err, stderr) = the_err.args
|
|
print("Error creating %s" % dst, file=sys.stderr)
|
|
exit(1)
|
|
|
|
- try:
|
|
- selinux.setfscreatecon_raw(None)
|
|
- except:
|
|
- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr)
|
|
|
|
-def copy_module(store, name, con, base):
|
|
+def copy_module(store, name, base):
|
|
if DEBUG: print("Install module %s" % name)
|
|
(file, ext) = os.path.splitext(name)
|
|
if ext != ".pp":
|
|
@@ -94,8 +62,6 @@ def copy_module(store, name, con, base):
|
|
print("warning: %s has invalid extension, skipping" % name, file=sys.stderr)
|
|
return
|
|
try:
|
|
- selinux.setfscreatecon_raw(con)
|
|
-
|
|
if base:
|
|
root = oldstore_path(store)
|
|
else:
|
|
@@ -105,7 +71,7 @@ def copy_module(store, name, con, base):
|
|
|
|
os.mkdir("%s/%s" % (bottomdir, file))
|
|
|
|
- copy_with_context(os.path.join(root, name), "%s/%s/hll" % (bottomdir, file))
|
|
+ copy_file(os.path.join(root, name), "%s/%s/hll" % (bottomdir, file))
|
|
|
|
# This is the ext file that will eventually be used to choose a compiler
|
|
efile = open("%s/%s/lang_ext" % (bottomdir, file), "w+", 0o600)
|
|
@@ -116,15 +82,11 @@ def copy_module(store, name, con, base):
|
|
print("Error installing module %s" % name, file=sys.stderr)
|
|
exit(1)
|
|
|
|
- try:
|
|
- selinux.setfscreatecon_raw(None)
|
|
- except:
|
|
- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr)
|
|
|
|
-def disable_module(file, root, name, disabledmodules):
|
|
+def disable_module(file, name, disabledmodules):
|
|
if DEBUG: print("Disabling %s" % name)
|
|
(disabledname, disabledext) = os.path.splitext(file)
|
|
- create_file_from(os.path.join(root, name), "%s/%s" % (disabledmodules, disabledname))
|
|
+ create_file("%s/%s" % (disabledmodules, disabledname))
|
|
|
|
def migrate_store(store):
|
|
|
|
@@ -138,17 +100,14 @@ def migrate_store(store):
|
|
print("Migrating from %s to %s" % (oldstore, newstore))
|
|
|
|
# Build up new directory structure
|
|
- create_dir_from(oldstore, "%s/%s" % (newroot_path(), store), 0o755)
|
|
- create_dir_from(oldstore, newstore, 0o700)
|
|
- create_dir_from(oldstore, newmodules, 0o700)
|
|
- create_dir_from(oldstore, bottomdir, 0o700)
|
|
- create_dir_from(oldstore, disabledmodules, 0o700)
|
|
-
|
|
- # use whatever the file context of bottomdir is for the module directories
|
|
- con = selinux.lgetfilecon_raw(bottomdir)[1]
|
|
+ create_dir("%s/%s" % (newroot_path(), store), 0o755)
|
|
+ create_dir(newstore, 0o700)
|
|
+ create_dir(newmodules, 0o700)
|
|
+ create_dir(bottomdir, 0o700)
|
|
+ create_dir(disabledmodules, 0o700)
|
|
|
|
# Special case for base since it was in a different location
|
|
- copy_module(store, "base.pp", con, 1)
|
|
+ copy_module(store, "base.pp", 1)
|
|
|
|
# Dir structure built, start copying files
|
|
for root, dirs, files in os.walk(oldstore):
|
|
@@ -161,7 +120,7 @@ def migrate_store(store):
|
|
newname = "seusers.local"
|
|
else:
|
|
newname = name
|
|
- copy_with_context(os.path.join(root, name), os.path.join(newstore, newname))
|
|
+ copy_file(os.path.join(root, name), os.path.join(newstore, newname))
|
|
|
|
elif root == oldmodules:
|
|
# This should be the modules directory
|
|
@@ -171,9 +130,9 @@ def migrate_store(store):
|
|
print("Error installing module %s, name conflicts with base" % name, file=sys.stderr)
|
|
exit(1)
|
|
elif ext == ".disabled":
|
|
- disable_module(file, root, name, disabledmodules)
|
|
+ disable_module(file, name, disabledmodules)
|
|
else:
|
|
- copy_module(store, name, con, 0)
|
|
+ copy_module(store, name, 0)
|
|
|
|
def rebuild_policy():
|
|
# Ok, the modules are loaded, lets try to rebuild the policy
|
|
@@ -287,7 +246,7 @@ if __name__ == "__main__":
|
|
"preserve_tunables" ]
|
|
|
|
|
|
- create_dir_from(oldroot_path(), newroot_path(), 0o755)
|
|
+ create_dir(newroot_path(), 0o755)
|
|
|
|
stores = None
|
|
if TYPE is not None:
|
|
--
|
|
2.0.5
|
|
|