[rfc][patch] setfiles: validate all file_contexts files when using -c

In ancient days of yore, setfiles could only validate the base
file_contexts configuration because the .homedirs or .local
configurations might include local users that weren't defined by the
base policy since those definitions were brought in at policy load time.
These days the policy.N file contains all of the definitions required to
validate all file_contexts files and thus setfiles can and should
validate them.

Before:
# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /tmp
(no warnings)
After:
# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /tmp
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /tmp  (system_u:object_r:httpd_sys_content_t:s0 and system_u:object_r:tmp_t:s0).

If we want it to be a fatal error, then libselinux should be patched to
return an error in this case on the selabel_open() (requires making
nodups_specs return an error to the caller and propagating it up).

Signed-off-by:  Stephen Smalley <sds@xxxxxxxxxxxxx>

---

Index: trunk/policycoreutils/setfiles/setfiles.c
===================================================================
--- trunk/policycoreutils/setfiles/setfiles.c	(revision 2927)
+++ trunk/policycoreutils/setfiles/setfiles.c	(working copy)
@@ -72,7 +72,6 @@
 static int abort_on_error; /* Abort the file tree walk upon an error. */
 static int add_assoc; /* Track inode associations for conflict detection. */
 static int nftw_flags; /* Flags to nftw, e.g. follow links, follow mounts */
-static int base_only; /* Don't use local file_contexts customizations */
 static int ctx_validate; /* Validate contexts */
 static const char *altpath; /* Alternate path to file_contexts */
 
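Review bot: removing the base_only declaration here leaves the setfiles(8) man page and the -c usage text untouched by this patch; if either still describes -c as checking only the named file_contexts file, it should now say that the .homedirs and .local files beside it are loaded and validated as well, as the commit message states.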
@@ -748,7 +747,6 @@
 	char *base;
 	struct selinux_opt opts[] = {
 		{ SELABEL_OPT_VALIDATE, NULL },
-		{ SELABEL_OPT_BASEONLY, NULL },
 		{ SELABEL_OPT_PATH, NULL }
 	};
 
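Review bot: the opts[] table is shrunk to two entries here, but its size is hard-coded again as the literal 2 in the selabel_open() call later in the patch, so the two have to be kept in sync by hand. Passing `sizeof(opts) / sizeof(opts[0])` (or a named constant used in both places) would make the next option addition or removal a one-line change.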
@@ -836,10 +834,6 @@
 				}
 				fclose(policystream);
 
-				/* Only process the specified file_contexts file, not
-				   any .homedirs or .local files, and do not perform
-				   context translations. */
-				base_only = 1;
 				ctx_validate = 1;
 
 				break;
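Review bot: the comment being deleted says base-only mode also disabled context translations, but the commit message only discusses the .homedirs/.local loading. If dropping SELABEL_OPT_BASEONLY now enables translation when -c is run against a policy.N, say so in the message (or confirm it is a no-op under -c), so a reviewer does not have to read libselinux to know whether the check's behaviour changed beyond what is described.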
@@ -972,10 +966,9 @@
 
 	/* Load the file contexts configuration and check it. */
 	opts[0].value = (ctx_validate ? (char*)1 : NULL);
-	opts[1].value = (base_only ? (char *)1 : NULL);
-	opts[2].value = altpath;
+	opts[1].value = altpath;
 
-	hnd = selabel_open(SELABEL_CTX_FILE, opts, 3);
+	hnd = selabel_open(SELABEL_CTX_FILE, opts, 2);
 	if (!hnd) {
 		perror(altpath);
 		exit(1);
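Review bot: after this change a duplicate specification is still only a warning: selabel_open() returns a handle, so setfiles -c exits 0 and the semanage run shown in the commit message cannot tell that /tmp is now doubly specified. The message acknowledges this needs a libselinux fix; a short comment above the `if (!hnd)` check recording that nodups_specs errors are not yet propagated would stop the next reader from assuming -c fails on them.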

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
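The "Multiple different specifications" warning quoted in the message comes from libselinux's pairwise comparison of file_contexts entries when validation is requested. The script below is an added example, not code from this patch or from libselinux: it re-implements that comparison in Python over two constructed files (a base file_contexts and a file_contexts.local, both invented here) so the effect of validating the base and local files together, as the patched setfiles does, can be seen without a policy.N or libselinux installed. Field names such as `Spec`, `check_all` and the sample entries are this example's own; the line format (`regex [type-flag] context`) and the two warning texts follow the ones the message shows.

```python
"""Duplicate-specification check over file_contexts files.

Added example, not part of the patch or of libselinux. A file_contexts
line is:    <regex> [<type flag>] <security context or <<none>>>
where the optional type flag is one of --, -b, -c, -d, -p, -l, -s.
"""
from dataclasses import dataclass

# Constructed sample input (not real policy files). The .local entry is what
# `semanage fcontext -a -t httpd_sys_content_t /tmp` would add.
SAMPLE_BASE = """\
# base file_contexts (constructed)
/.*             system_u:object_r:default_t:s0
/tmp            -d  system_u:object_r:tmp_t:s0
/tmp/.*         <<none>>
/etc/passwd     --  system_u:object_r:passwd_file_t:s0
"""

SAMPLE_LOCAL = """\
# file_contexts.local (constructed)
/tmp            system_u:object_r:httpd_sys_content_t:s0
/etc/passwd     --  system_u:object_r:passwd_file_t:s0
"""

_TYPE_FLAGS = {"--", "-b", "-c", "-d", "-p", "-l", "-s"}


@dataclass(frozen=True)
class Spec:
    regex: str
    mode: str      # type flag such as "--" or "-d"; "" when unspecified
    context: str
    source: str    # which file the entry came from
    lineno: int


def parse_file_contexts(text, source):
    """Parse one file_contexts-style file into Spec records, skipping comments."""
    specs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, mode, context = fields[0], "", fields[1]
        elif len(fields) == 3 and fields[1] in _TYPE_FLAGS:
            regex, mode, context = fields
        else:
            raise ValueError(f"{source}:{lineno}: malformed line: {line!r}")
        specs.append(Spec(regex, mode, context, source, lineno))
    return specs


def find_duplicates(specs):
    """Return (kind, earlier, later) tuples, kind in {"different", "same"}.

    Two entries collide when their regex strings are identical and their type
    flags are equal or one of them is unspecified; the regexes are compared as
    strings, not compiled, which is how the libselinux check behaves too.
    """
    dups = []
    for i, a in enumerate(specs):
        for b in specs[i + 1:]:
            if a.regex != b.regex:
                continue
            if a.mode and b.mode and a.mode != b.mode:
                continue
            kind = "different" if a.context != b.context else "same"
            dups.append((kind, a, b))
    return dups


def format_warning(kind, a, b):
    """Render a collision in the wording setfiles printed in the message above."""
    if kind == "different":
        return (f"{a.source}: Multiple different specifications for "
                f"{a.regex}  ({b.context} and {a.context}).")
    return f"{a.source}: Multiple same specifications for {a.regex}."


def check_all(files):
    """Validate several files as one spec list (base + .homedirs/.local).

    files: list of (source_name, text). Returns the warning strings; an empty
    list means no duplicate specifications were found.
    """
    specs = []
    for source, text in files:
        specs.extend(parse_file_contexts(text, source))
    return [format_warning(*d) for d in find_duplicates(specs)]


if __name__ == "__main__":
    for warning in check_all([("file_contexts", SAMPLE_BASE),
                              ("file_contexts.local", SAMPLE_LOCAL)]):
        print(warning)
```

Run against the base file alone, `check_all` reports nothing, which is the "Before" behaviour in the message; adding the .local file surfaces both the /tmp conflict (a flagged `-d` entry collides with an unflagged one because the unspecified flag matches any type) and the identical /etc/passwd entry, which libselinux reports as a "same" rather than "different" specification.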
