Stephen Smalley wrote:
On Sat, 2008-05-24 at 18:58 -0500, Joe Nall wrote:Is there a command line tool that returns 1 if a file is in the wrong context?. I want to add a %verifyscript to our rpms to validate the installed file context when rpm -V is invoked.I was going to suggest matchpathcon -V, except when trying it, I found that there is a bug in the current libselinux that makes it seg fault and it also doesn't return the status but rather displays it. So how about the patch below to fix the bug and make the exit status usable? After this patch, you can run '/usr/sbin/matchpathcon -Vq path1 [path2...]' and check the exit status; 0 will mean that all verified; non-zero will be the count of failures.
Minor nit, but return codes are limited to 1 byte; multiples of 256 errors will "succeed":
$ for i in {250..260}; do sh -c "exit $i"; echo $? ; done
250
251
252
253
254
255
0
1
2
3
4
Index: libselinux/utils/matchpathcon.c =================================================================== --- libselinux/utils/matchpathcon.c (revision 2883) +++ libselinux/utils/matchpathcon.c (working copy) @@ -12,7 +12,7 @@ void usage(const char *progname) { fprintf(stderr, - "usage: %s [-N] [-n] [-f file_contexts] [-p prefix] [-V] path...\n", + "usage: %s [-N] [-n] [-f file_contexts] [-p prefix] [-Vq] path...\n", progname); exit(1); } @@ -42,11 +42,12 @@ int verify = 0; int notrans = 0; int error = 0; + int quiet = 0;if (argc < 2)usage(argv[0]);- while ((opt = getopt(argc, argv, "Nnf:p:V")) > 0) {+ while ((opt = getopt(argc, argv, "Nnf:p:Vq")) > 0) { switch (opt) { case 'n': header = 0; @@ -90,6 +91,9 @@ exit(1); } break; + case 'q': + quiet = 1; + break; default: usage(argv[0]); } @@ -101,11 +105,18 @@ mode = buf.st_mode;if (verify) {+ if (quiet) { + if (selinux_file_context_verify(argv[i], 0)) + continue; + else + exit(1); + } if (selinux_file_context_verify(argv[i], 0)) { printf("%s verified.\n", argv[i]); } else { security_context_t con; int rc; + error++; if (notrans) rc = lgetfilecon_raw(argv[i], &con); else @@ -114,15 +125,13 @@ if (rc >= 0) { printf("%s has context %s, should be ", argv[i], con); - error += - printmatchpathcon(argv[i], 0, mode); + printmatchpathcon(argv[i], 0, mode); freecon(con); } else { printf ("actual context unknown: %s, should be ", strerror(errno)); - error += - printmatchpathcon(argv[i], 0, mode); + printmatchpathcon(argv[i], 0, mode); } } } else { Index: libselinux/src/matchpathcon.c =================================================================== --- libselinux/src/matchpathcon.c (revision 2883) +++ libselinux/src/matchpathcon.c (working copy) @@ -372,6 +372,9 @@ else return 0; } + + if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0)) + return -1;if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) {if (errno != ENOENT) @@ -394,6 +397,9 @@ if (lstat(path, &st) != 0) return rc;+ if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0))+ return -1; +/* If there's an error determining the context, or it has none, return to allow default context */if (selabel_lookup_raw(hnd, &scontext, path, st.st_mode)) {
-- Eamon Walsh <ewalsh@xxxxxxxxxxxxx> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
