On Tue, 2008-05-27 at 15:53 -0400, Eamon Walsh wrote:
> Stephen Smalley wrote:
> > On Sat, 2008-05-24 at 18:58 -0500, Joe Nall wrote:
> >
> >> Is there a command line tool that returns 1 if a file is in the wrong
> >> context?. I want to add a %verifyscript to our rpms to validate the
> >> installed file context when rpm -V is invoked.
> >>
> >
> > I was going to suggest matchpathcon -V, except when trying it, I found
> > that there is a bug in the current libselinux that makes it seg fault
> > and it also doesn't return the status but rather displays it. So how
> > about the patch below to fix the bug and make the exit status usable?
> >
> > After this patch, you can run '/usr/sbin/matchpathcon -Vq path1
> > [path2...]' and check the exit status; 0 will mean that all verified;
> > non-zero will be the count of failures.
> >
>
> Minor nit, but return codes are limited to 1 byte; multiples of 256
> errors will "succeed":
Ok, that's already a bug in the current matchpathcon utility in that
case. So I'll just make it always exit 0 or 1.
>
> $ for i in {250..260}; do sh -c "exit $i"; echo $? ; done
> 250
> 251
> 252
> 253
> 254
> 255
> 0
> 1
> 2
> 3
> 4
>
>
>
>
>
> > Index: libselinux/utils/matchpathcon.c
> > ===================================================================
> > --- libselinux/utils/matchpathcon.c (revision 2883)
> > +++ libselinux/utils/matchpathcon.c (working copy)
> > @@ -12,7 +12,7 @@
> > void usage(const char *progname)
> > {
> > fprintf(stderr,
> > - "usage: %s [-N] [-n] [-f file_contexts] [-p prefix] [-V] path...\n",
> > + "usage: %s [-N] [-n] [-f file_contexts] [-p prefix] [-Vq] path...\n",
> > progname);
> > exit(1);
> > }
> > @@ -42,11 +42,12 @@
> > int verify = 0;
> > int notrans = 0;
> > int error = 0;
> > + int quiet = 0;
> >
> > if (argc < 2)
> > usage(argv[0]);
> >
> > - while ((opt = getopt(argc, argv, "Nnf:p:V")) > 0) {
> > + while ((opt = getopt(argc, argv, "Nnf:p:Vq")) > 0) {
> > switch (opt) {
> > case 'n':
> > header = 0;
> > @@ -90,6 +91,9 @@
> > exit(1);
> > }
> > break;
> > + case 'q':
> > + quiet = 1;
> > + break;
> > default:
> > usage(argv[0]);
> > }
> > @@ -101,11 +105,18 @@
> > mode = buf.st_mode;
> >
> > if (verify) {
> > + if (quiet) {
> > + if (selinux_file_context_verify(argv[i], 0))
> > + continue;
> > + else
> > + exit(1);
> > + }
> > if (selinux_file_context_verify(argv[i], 0)) {
> > printf("%s verified.\n", argv[i]);
> > } else {
> > security_context_t con;
> > int rc;
> > + error++;
> > if (notrans)
> > rc = lgetfilecon_raw(argv[i], &con);
> > else
> > @@ -114,15 +125,13 @@
> > if (rc >= 0) {
> > printf("%s has context %s, should be ",
> > argv[i], con);
> > - error +=
> > - printmatchpathcon(argv[i], 0, mode);
> > + printmatchpathcon(argv[i], 0, mode);
> > freecon(con);
> > } else {
> > printf
> > ("actual context unknown: %s, should be ",
> > strerror(errno));
> > - error +=
> > - printmatchpathcon(argv[i], 0, mode);
> > + printmatchpathcon(argv[i], 0, mode);
> > }
> > }
> > } else {
> > Index: libselinux/src/matchpathcon.c
> > ===================================================================
> > --- libselinux/src/matchpathcon.c (revision 2883)
> > +++ libselinux/src/matchpathcon.c (working copy)
> > @@ -372,6 +372,9 @@
> > else
> > return 0;
> > }
> > +
> > + if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0))
> > + return -1;
> >
> > if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) {
> > if (errno != ENOENT)
> > @@ -394,6 +397,9 @@
> > if (lstat(path, &st) != 0)
> > return rc;
> >
> > + if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0))
> > + return -1;
> > +
> > /* If there's an error determining the context, or it has none,
> > return to allow default context */
> > if (selabel_lookup_raw(hnd, &scontext, path, st.st_mode)) {
> >
> >
>
>
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
