I was trying to disable matchpathcon's validation of file contexts
because I wanted to be able use it in a python script to match against a
file_contexts that didn't have valid contexts on the running system
(file_contexts were standard, system was mcs). However, explicitly
clearing MATCHPATHCON_VALIDATE still resulted in errors both on stable
and trunk. Is this the way the flag is intended to work?
I've attached a modified utils/matchpathcon.c that I used for testing
the lib (I wanted to make sure it was the lib and not the python
wrapper). I was trying to test fcglob matches vs the original
matchpathcon "fcregex". So I was doing
./matchpathcon -f file_contexts.orig/file_contexts -V /bin/bash
with and without -V (the file_contexts is in the fcglob refpolicy
branch). On stable it always reports invalid context (and invalid
argument) and on trunk it always reports invalid argument.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <getopt.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/errno.h>
#include <selinux/selinux.h>
void usage(const char *progname)
{
fprintf(stderr,
"usage: %s [-N] [-n] [-f file_contexts] [-p prefix] [-V] path...\n",
progname);
exit(1);
}
int printmatchpathcon(char *path, int header, int mode)
{
char *buf;
int rc = matchpathcon(path, mode, &buf);
if (rc < 0) {
fprintf(stderr, "matchpathcon(%s) failed: %s\n", path,
strerror(errno));
return 1;
}
if (header)
printf("%s\t%s\n", path, buf);
else
printf("%s\n", buf);
freecon(buf);
return 0;
}
int main(int argc, char **argv)
{
int i, init = 0;
int header = 1, opt;
int error = 0;
unsigned int flags = 0;
if (argc < 2)
usage(argv[0]);
while ((opt = getopt(argc, argv, "Nnf:p:V")) > 0) {
switch (opt) {
case 'n':
header = 0;
break;
case 'V':
flags |= MATCHPATHCON_VALIDATE;
break;
case 'N':
flags |= MATCHPATHCON_NOTRANS;
break;
case 'f':
if (init) {
fprintf(stderr,
"%s: -f and -p are exclusive\n",
argv[0]);
exit(1);
}
init = 1;
if (matchpathcon_init(optarg)) {
fprintf(stderr,
"Error while processing %s: %s\n",
optarg,
errno ? strerror(errno) : "invalid");
exit(1);
}
break;
case 'p':
if (init) {
fprintf(stderr,
"%s: -f and -p are exclusive\n",
argv[0]);
exit(1);
}
init = 1;
if (matchpathcon_init_prefix(NULL, optarg)) {
fprintf(stderr,
"Error while processing %s: %s\n",
optarg,
errno ? strerror(errno) : "invalid");
exit(1);
}
break;
default:
usage(argv[0]);
}
}
set_matchpathcon_flags(flags);
for (i = optind; i < argc; i++) {
int mode = 0;
struct stat buf;
if (lstat(argv[i], &buf) == 0)
mode = buf.st_mode;
error += printmatchpathcon(argv[i], header, mode);
}
matchpathcon_fini();
return error;
}
