From c79e3964b33fdb170bba900ba1f3c040f5f70312 Mon Sep 17 00:00:00 2001
From: Jason Zaman <jason@perfinion.com>
Date: Wed, 22 Apr 2015 23:05:48 +0400
Subject: [PATCH 1/5] libsemanage: do not copy contexts in
 semanage_migrate_store

The modules from the old store were previously copied to the new one
using setfscreatecon and shutil.copy2(). Now that refpolicy has rules
about the new policy location[1], copying the contexts is redundant.

More importantly, the setfscreatecon call caused a constraint violation[2]
which made the migration fail. In python3, shutil.copy2() copies xattrs
as well which again causes problems. shutil.copy() is enough for our
needs here as it will copy the file and permissions in both py2 and 3.
We do not need the extra things that copy2() does (mtime, xattr, etc).

[1] http://oss.tresys.com/pipermail/refpolicy/2014-December/007511.html

[2]
type=AVC msg=audit(1429438272.872:1869): avc:  denied  { create } for  pid=28739 comm="semanage_migrat" name="strict" scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:semanage_store_t tclass=dir permissive=0
	constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
allow semanage_t semanage_store_t:dir create;

Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>

Changes from v1:
 - Changed some methods to not take a src param anymore.
---
 libsemanage/utils/semanage_migrate_store | 77 ++++++++------------------------
 1 file changed, 18 insertions(+), 59 deletions(-)

diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
index 03b492e05cbb..2f85e9c561ae 100755
--- a/libsemanage/utils/semanage_migrate_store
+++ b/libsemanage/utils/semanage_migrate_store
@@ -8,7 +8,6 @@ import shutil
 import sys
 from optparse import OptionParser
 
-import bz2
 import ctypes
 
 sepol = ctypes.cdll.LoadLibrary('libsepol.so')
@@ -21,41 +20,20 @@ except:
 	exit(1)
 
 
-
-
-# For some reason this function doesn't exist in libselinux :\
-def copy_with_context(src, dst):
+def copy_file(src, dst):
 	if DEBUG:
 		print("copying %s to %s" % (src, dst))
 	try:
-		con = selinux.lgetfilecon_raw(src)[1]
-	except:
-		print("Could not get file context of %s" % src, file=sys.stderr)
-		exit(1)
-
-	try:
-		selinux.setfscreatecon_raw(con)
-	except:
-		print("Could not set fs create context: %s" %con, file=sys.stderr)
-		exit(1)
-
-	try:
-		shutil.copy2(src, dst)
+		shutil.copy(src, dst)
 	except OSError as the_err:
 		(err, strerr) = the_err.args
 		print("Could not copy %s to %s, %s" %(src, dst, strerr), file=sys.stderr)
 		exit(1)
 
-	try:
-		selinux.setfscreatecon_raw(None)
-	except:
-		print("Could not reset fs create context. May need to relabel system.", file=sys.stderr)
 
-def create_dir_from(src, dst, mode):
+def create_dir(dst, mode):
 	if DEBUG: print("Making directory %s" % dst)
 	try:
-		con = selinux.lgetfilecon_raw(src)[1]
-		selinux.setfscreatecon_raw(con)
 		os.makedirs(dst, mode)
 	except OSError as the_err:
 		(err, stderr) = the_err.args
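Review bot: In `copy_file`, the `except OSError` handler right after the new `shutil.copy(src, dst)` line unpacks `the_err.args` into exactly two names, but `shutil.copy` can raise `shutil.SameFileError` (an OSError subclass on Python 3) whose args is a single message string, so the handler itself would fail with a ValueError before the diagnostic is printed. Printing the exception object drops that assumption: `print("Could not copy %s to %s, %s" % (src, dst, the_err), file=sys.stderr)`. The same two-name unpack remains in `create_dir` just below and in `create_file` in the next hunk; the `err` name is unused in all three. create_dir's except body continues past the end of this hunk.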
@@ -65,28 +43,18 @@ def create_dir_from(src, dst, mode):
 			print("Error creating %s" % dst, file=sys.stderr)
 			exit(1)
 
-	try:
-		selinux.setfscreatecon_raw(None)
-	except:
-		print("Could not reset fs create context. May need to relabel system.", file=sys.stderr)
 
-def create_file_from(src, dst):
+def create_file(dst):
 	if DEBUG: print("Making file %s" % dst)
 	try:
-		con = selinux.lgetfilecon_raw(src)[1]
-		selinux.setfscreatecon_raw(con)
 		open(dst, 'a').close()
 	except OSError as the_err:
 		(err, stderr) = the_err.args
 		print("Error creating %s" % dst, file=sys.stderr)
 		exit(1)
 
-	try:
-		selinux.setfscreatecon_raw(None)
-	except:
-		print("Could not reset fs create context. May need to relabel system.", file=sys.stderr)
 
-def copy_module(store, name, con, base):
+def copy_module(store, name, base):
 	if DEBUG: print("Install module %s" % name)
 	(file, ext) = os.path.splitext(name)
 	if ext != ".pp":
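Review bot: `create_file` and `create_dir` lose their `src` parameter but gain no docstring, so nothing in the code now records that the new store's labels are no longer taken from the old store. A one-line docstring on `create_file` such as `"""Create an empty file at dst; its label comes from the loaded policy, not from the old store."""`, with the matching sentence on `create_dir`, would keep that change visible to the next maintainer. copy_module's body continues past the end of this hunk.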
@@ -94,8 +62,6 @@ def copy_module(store, name, con, base):
 		print("warning: %s has invalid extension, skipping" % name, file=sys.stderr)
 		return
 	try:
-		selinux.setfscreatecon_raw(con)
-
 		if base:
 			root = oldstore_path(store)
 		else:
@@ -105,7 +71,7 @@ def copy_module(store, name, con, base):
 
 		os.mkdir("%s/%s" % (bottomdir, file))
 
-		copy_with_context(os.path.join(root, name), "%s/%s/hll" % (bottomdir, file))
+		copy_file(os.path.join(root, name), "%s/%s/hll" % (bottomdir, file))
 
 		# This is the ext file that will eventually be used to choose a compiler
 		efile = open("%s/%s/lang_ext" % (bottomdir, file), "w+", 0o600)
@@ -116,15 +82,11 @@ def copy_module(store, name, con, base):
 		print("Error installing module %s" % name, file=sys.stderr)
 		exit(1)
 
-	try:
-		selinux.setfscreatecon_raw(None)
-	except:
-		print("Could not reset fs create context. May need to relabel system.", file=sys.stderr)
 
-def disable_module(file, root, name, disabledmodules):
+def disable_module(file, name, disabledmodules):
 	if DEBUG: print("Disabling %s" % name)
 	(disabledname, disabledext) = os.path.splitext(file)
-	create_file_from(os.path.join(root, name), "%s/%s" % (disabledmodules, disabledname))
+	create_file("%s/%s" % (disabledmodules, disabledname))
 
 def migrate_store(store):
 
@@ -138,17 +100,14 @@ def migrate_store(store):
 	print("Migrating from %s to %s" % (oldstore, newstore))
 
 	# Build up new directory structure
-	create_dir_from(oldstore, "%s/%s" % (newroot_path(), store), 0o755)
-	create_dir_from(oldstore, newstore, 0o700)
-	create_dir_from(oldstore, newmodules, 0o700)
-	create_dir_from(oldstore, bottomdir, 0o700)
-	create_dir_from(oldstore, disabledmodules, 0o700)
-
-	# use whatever the file context of bottomdir is for the module directories
-	con = selinux.lgetfilecon_raw(bottomdir)[1]
+	create_dir("%s/%s" % (newroot_path(), store), 0o755)
+	create_dir(newstore, 0o700)
+	create_dir(newmodules, 0o700)
+	create_dir(bottomdir, 0o700)
+	create_dir(disabledmodules, 0o700)
 
 	# Special case for base since it was in a different location
-	copy_module(store, "base.pp", con, 1)
+	copy_module(store, "base.pp", 1)
 
 	# Dir structure built, start copying files
 	for root, dirs, files in os.walk(oldstore):
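Review bot: After the block of `create_dir` calls at the top of this hunk, nothing records what now decides the labels of the new store: per the commit message they come from the running policy's rules for the new location rather than being copied from the old store, so a migration run under a policy without those rules would presumably leave the new tree with whatever label its parent gives it until a relabel. A comment under `# Build up new directory structure` would keep that dependency explicit, e.g. `# Labels are not copied from the old store; they come from the running policy's rules for the new store path (see the refpolicy reference in the commit).`. Whether a relabel of newroot_path() should follow the migration is a maintainer decision. migrate_store's body continues past the end of this hunk.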
@@ -161,7 +120,7 @@ def migrate_store(store):
 						newname = "seusers.local"
 					else:
 						newname = name
-					copy_with_context(os.path.join(root, name), os.path.join(newstore, newname))
+					copy_file(os.path.join(root, name), os.path.join(newstore, newname))
 
 		elif root == oldmodules:
 			# This should be the modules directory
@@ -171,9 +130,9 @@ def migrate_store(store):
 					print("Error installing module %s, name conflicts with base" % name, file=sys.stderr)
 					exit(1)
 				elif ext == ".disabled":
-					disable_module(file, root, name, disabledmodules)
+					disable_module(file, name, disabledmodules)
 				else:
-					copy_module(store, name, con, 0)
+					copy_module(store, name, 0)
 
 def rebuild_policy():
 	# Ok, the modules are loaded, lets try to rebuild the policy
@@ -287,7 +246,7 @@ if __name__ == "__main__":
 		"preserve_tunables" ]
 
 
-	create_dir_from(oldroot_path(), newroot_path(), 0o755)
+	create_dir(newroot_path(), 0o755)
 
 	stores = None
 	if TYPE is not None:
-- 
2.5.1