From: Vit Mojzis
To: selinux@tycho.nsa.gov
Date: Sun, 1 Oct 2017 20:01:25 +0200
Message-Id: <20171001180127.3673-1-vmojzis@redhat.com>
In-Reply-To: <1506536279.27095.13.camel@tycho.nsa.gov>
Subject: [PATCH 1/3] libsemanage: Keep copy of file_contexts.homedirs in policy store
X-Patchwork-Submitter: Vit Mojzis
X-Patchwork-Id: 9979799

This will allow listing the correct file_contexts.homedirs using libsemanage regardless of selected policy store.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813
---
 libsemanage/src/direct_api.c | 19 ++++++++++++++-----
 libsemanage/src/genhomedircon.c | 4 ++--
 libsemanage/src/semanage_store.c | 1 +
 libsemanage/src/semanage_store.h | 1 +
 4 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c index 65842df..971a08f 100644 --- a/libsemanage/src/direct_api.c +++ b/libsemanage/src/direct_api.c 
@@ -1577,11 +1577,20 @@ rebuild: /* run genhomedircon if its enabled, this should be the last operation * which requires the out policydb */ if (!sh->conf->disable_genhomedircon) { - if (out && (retval = - semanage_genhomedircon(sh, out, sh->conf->usepasswd, sh->conf->ignoredirs)) != 0) { - ERR(sh, "semanage_genhomedircon returned error code %d.", - retval); - goto cleanup; + if (out){ + if ((retval = semanage_genhomedircon(sh, out, sh->conf->usepasswd, + sh->conf->ignoredirs)) != 0) { + ERR(sh, "semanage_genhomedircon returned error code %d.", retval); + goto cleanup; + } + /* file_contexts.homedirs was created in SEMANAGE_TMP store */ + retval = semanage_copy_file( + semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS), + semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS), + sh->conf->file_mode); + if (retval < 0) { + goto cleanup; + } } } else { WARN(sh, "WARNING: genhomedircon is disabled. \ diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c index b9a74b7..27a269e 100644 --- a/libsemanage/src/genhomedircon.c +++ b/libsemanage/src/genhomedircon.c @@ -1345,8 +1345,8 @@ int semanage_genhomedircon(semanage_handle_t * sh, s.homedir_template_path = semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL); - s.fcfilepath = semanage_final_path(SEMANAGE_FINAL_TMP, - SEMANAGE_FC_HOMEDIRS); + s.fcfilepath = + semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS); s.fallback = calloc(1, sizeof(genhomedircon_user_entry_t)); if (s.fallback == NULL) { diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c index 6158d08..63c80b0 100644 --- a/libsemanage/src/semanage_store.c +++ b/libsemanage/src/semanage_store.c @@ -116,6 +116,7 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = { "/modules/disabled", "/policy.kern", "/file_contexts.local", + "/file_contexts.homedirs", "/file_contexts", "/seusers" }; 
diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h index fcaa505..34bf852 100644 --- a/libsemanage/src/semanage_store.h +++ b/libsemanage/src/semanage_store.h @@ -61,6 +61,7 @@ enum semanage_sandbox_defs { SEMANAGE_MODULES_DISABLED, SEMANAGE_STORE_KERNEL, SEMANAGE_STORE_FC_LOCAL, + SEMANAGE_STORE_FC_HOMEDIRS, SEMANAGE_STORE_FC, SEMANAGE_STORE_SEUSERS, SEMANAGE_STORE_NUM_PATHS
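Review bot: In the direct_api.c hunk (@@ -1577), the new semanage_copy_file() failure path does a bare "goto cleanup" with no ERR() call, while the semanage_genhomedircon() failure just above it logs the return code. Please log the copy failure as well, naming both the source and destination path, so a failed commit can be traced to this step. The copy, like the generation, only runs inside "if (out)", so the store copy of file_contexts.homedirs is not created or refreshed on a commit that leaves out NULL; a sentence in the commit message saying whether that is intended would help. Minor style: "if (out){" is missing the space before the brace.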
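Review bot: In the genhomedircon.c hunk (@@ -1345), s.fcfilepath now points at semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS), so semanage_genhomedircon() no longer writes the SEMANAGE_FINAL_TMP file itself and relies on its caller to copy the result there. Nothing at the assignment or on the function says so. Please add a comment stating that the output lands in the sandbox store and that the caller is responsible for installing it to the final path, so that other call sites do not silently stop producing the final file_contexts.homedirs.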
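Review bot: In the semanage_store.c hunk (@@ -116), the new "/file_contexts.homedirs" string is only correct because its position in semanage_sandbox_paths[] matches the position of SEMANAGE_STORE_FC_HOMEDIRS in enum semanage_sandbox_defs in semanage_store.h (between the FC_LOCAL and FC entries in both). The two are in sync in this patch, but the coupling is purely positional and a later one-sided insertion would shift every following path without any compiler diagnostic. Consider designated initializers, for example [SEMANAGE_STORE_FC_HOMEDIRS] = "/file_contexts.homedirs", or at least a comment on the array noting that its order must follow the enum.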