Re: [PATCH] libsemanage: do not copy contexts in semanage_migrate_store


 



On 04/22/2015 03:05 PM, Jason Zaman wrote:
> The modules from the old store were previously copied to the new one
> using setfscreatecon and shutil.copy2(). Now that refpolicy has rules
> about the new policy location[1], copying the contexts is redundant.
> 
> More importantly, the setfscreatecon() call caused a constraint violation[2]
> which made the migration fail. In python3, shutil.copy2() copies xattrs
> as well, which again causes problems. shutil.copy() is enough for our
> needs here as it copies the file contents and permission bits in both py2 and 3.
> We do not need the extra things that copy2() does (mtime, xattr, etc).
> 
> [1] http://oss.tresys.com/pipermail/refpolicy/2014-December/007511.html
> 
> [2]
> type=AVC msg=audit(1429438272.872:1869): avc:  denied  { create } for  pid=28739 comm="semanage_migrat" name="strict" scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:semanage_store_t tclass=dir permissive=0
> 	constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
> allow semanage_t semanage_store_t:dir create;
> 
> Signed-off-by: Jason Zaman <jason@xxxxxxxxxxxxx>

Acked-by: Steve Lawrence <slawrence@xxxxxxxxxx>

Thanks!

> 
> Changes from v1:
>  - Changed some methods to not take a src param anymore.
> 
> ---
>  libsemanage/utils/semanage_migrate_store | 77 ++++++++------------------------
>  1 file changed, 18 insertions(+), 59 deletions(-)
> 
> diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
> index 03b492e..2f85e9c 100755
> --- a/libsemanage/utils/semanage_migrate_store
> +++ b/libsemanage/utils/semanage_migrate_store
> @@ -8,7 +8,6 @@ import shutil
>  import sys
>  from optparse import OptionParser
>  
> -import bz2
>  import ctypes
>  
>  sepol = ctypes.cdll.LoadLibrary('libsepol.so')
> @@ -21,41 +20,20 @@ except:
>  	exit(1)
>  
>  
> -
> -
> -# For some reason this function doesn't exist in libselinux :\
> -def copy_with_context(src, dst):
> +def copy_file(src, dst):
>  	if DEBUG:
>  		print("copying %s to %s" % (src, dst))
>  	try:
> -		con = selinux.lgetfilecon_raw(src)[1]
> -	except:
> -		print("Could not get file context of %s" % src, file=sys.stderr)
> -		exit(1)
> -
> -	try:
> -		selinux.setfscreatecon_raw(con)
> -	except:
> -		print("Could not set fs create context: %s" %con, file=sys.stderr)
> -		exit(1)
> -
> -	try:
> -		shutil.copy2(src, dst)
> +		shutil.copy(src, dst)
>  	except OSError as the_err:
>  		(err, strerr) = the_err.args
>  		print("Could not copy %s to %s, %s" %(src, dst, strerr), file=sys.stderr)
>  		exit(1)
>  
> -	try:
> -		selinux.setfscreatecon_raw(None)
> -	except:
> -		print("Could not reset fs create context. May need to relabel system.", file=sys.stderr)
>  
> -def create_dir_from(src, dst, mode):
> +def create_dir(dst, mode):
>  	if DEBUG: print("Making directory %s" % dst)
>  	try:
> -		con = selinux.lgetfilecon_raw(src)[1]
> -		selinux.setfscreatecon_raw(con)
>  		os.makedirs(dst, mode)
>  	except OSError as the_err:
>  		(err, stderr) = the_err.args
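Review bot: copy_file() now deliberately leaves the SELinux label of dst to the loaded policy instead of copying it from src, but nothing in the new function says so, and a reader coming from the old name copy_with_context would expect the opposite. A short docstring would record the decision and the reason visible in the commit message: `"""Copy src to dst (contents and mode bits only). The label is intentionally not copied: dst is labelled by the running policy's file transitions, and setfscreatecon() tripped the can_change_object_identity constraint."""`. The same applies to create_dir() below, which likewise no longer sets a create context.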
> @@ -65,28 +43,18 @@ def create_dir_from(src, dst, mode):
>  			print("Error creating %s" % dst, file=sys.stderr)
>  			exit(1)
>  
> -	try:
> -		selinux.setfscreatecon_raw(None)
> -	except:
> -		print("Could not reset fs create context. May need to relabel system.", file=sys.stderr)
>  
> -def create_file_from(src, dst):
> +def create_file(dst):
>  	if DEBUG: print("Making file %s" % dst)
>  	try:
> -		con = selinux.lgetfilecon_raw(src)[1]
> -		selinux.setfscreatecon_raw(con)
>  		open(dst, 'a').close()
>  	except OSError as the_err:
>  		(err, stderr) = the_err.args
>  		print("Error creating %s" % dst, file=sys.stderr)
>  		exit(1)
>  
> -	try:
> -		selinux.setfscreatecon_raw(None)
> -	except:
> -		print("Could not reset fs create context. May need to relabel system.", file=sys.stderr)
>  
> -def copy_module(store, name, con, base):
> +def copy_module(store, name, base):
>  	if DEBUG: print("Install module %s" % name)
>  	(file, ext) = os.path.splitext(name)
>  	if ext != ".pp":
> @@ -94,8 +62,6 @@ def copy_module(store, name, con, base):
>  		print("warning: %s has invalid extension, skipping" % name, file=sys.stderr)
>  		return
>  	try:
> -		selinux.setfscreatecon_raw(con)
> -
>  		if base:
>  			root = oldstore_path(store)
>  		else:
> @@ -105,7 +71,7 @@ def copy_module(store, name, con, base):
>  
>  		os.mkdir("%s/%s" % (bottomdir, file))
>  
> -		copy_with_context(os.path.join(root, name), "%s/%s/hll" % (bottomdir, file))
> +		copy_file(os.path.join(root, name), "%s/%s/hll" % (bottomdir, file))
>  
>  		# This is the ext file that will eventually be used to choose a compiler
>  		efile = open("%s/%s/lang_ext" % (bottomdir, file), "w+", 0o600)
> @@ -116,15 +82,11 @@ def copy_module(store, name, con, base):
>  		print("Error installing module %s" % name, file=sys.stderr)
>  		exit(1)
>  
> -	try:
> -		selinux.setfscreatecon_raw(None)
> -	except:
> -		print("Could not reset fs create context. May need to relabel system.", file=sys.stderr)
>  
> -def disable_module(file, root, name, disabledmodules):
> +def disable_module(file, name, disabledmodules):
>  	if DEBUG: print("Disabling %s" % name)
>  	(disabledname, disabledext) = os.path.splitext(file)
> -	create_file_from(os.path.join(root, name), "%s/%s" % (disabledmodules, disabledname))
> +	create_file("%s/%s" % (disabledmodules, disabledname))
>  
>  def migrate_store(store):
>  
> @@ -138,17 +100,14 @@ def migrate_store(store):
>  	print("Migrating from %s to %s" % (oldstore, newstore))
>  
>  	# Build up new directory structure
> -	create_dir_from(oldstore, "%s/%s" % (newroot_path(), store), 0o755)
> -	create_dir_from(oldstore, newstore, 0o700)
> -	create_dir_from(oldstore, newmodules, 0o700)
> -	create_dir_from(oldstore, bottomdir, 0o700)
> -	create_dir_from(oldstore, disabledmodules, 0o700)
> -
> -	# use whatever the file context of bottomdir is for the module directories
> -	con = selinux.lgetfilecon_raw(bottomdir)[1]
> +	create_dir("%s/%s" % (newroot_path(), store), 0o755)
> +	create_dir(newstore, 0o700)
> +	create_dir(newmodules, 0o700)
> +	create_dir(bottomdir, 0o700)
> +	create_dir(disabledmodules, 0o700)
>  
>  	# Special case for base since it was in a different location
> -	copy_module(store, "base.pp", con, 1)
> +	copy_module(store, "base.pp", 1)
>  
>  	# Dir structure built, start copying files
>  	for root, dirs, files in os.walk(oldstore):
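Review bot: With the create context no longer set, the label of every directory built here and every file copied below is decided solely by the file-transition rules of whatever policy is loaded when the script runs, which during an upgrade is presumably still the old policy. If that policy predates the refpolicy change cited in the message, the new store would be created under whatever label the parent directory yields, and nothing in this hunk checks or repairs that. Consider calling `selinux.restorecon(newroot_path(), recursive=True)` after rebuild_policy() has produced the new policy, or at least documenting that packagers must relabel the new store after migration. migrate_store() starts before this hunk and continues after it.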
> @@ -161,7 +120,7 @@ def migrate_store(store):
>  						newname = "seusers.local"
>  					else:
>  						newname = name
> -					copy_with_context(os.path.join(root, name), os.path.join(newstore, newname))
> +					copy_file(os.path.join(root, name), os.path.join(newstore, newname))
>  
>  		elif root == oldmodules:
>  			# This should be the modules directory
> @@ -171,9 +130,9 @@ def migrate_store(store):
>  					print("Error installing module %s, name conflicts with base" % name, file=sys.stderr)
>  					exit(1)
>  				elif ext == ".disabled":
> -					disable_module(file, root, name, disabledmodules)
> +					disable_module(file, name, disabledmodules)
>  				else:
> -					copy_module(store, name, con, 0)
> +					copy_module(store, name, 0)
>  
>  def rebuild_policy():
>  	# Ok, the modules are loaded, lets try to rebuild the policy
> @@ -287,7 +246,7 @@ if __name__ == "__main__":
>  		"preserve_tunables" ]
>  
>  
> -	create_dir_from(oldroot_path(), newroot_path(), 0o755)
> +	create_dir(newroot_path(), 0o755)
>  
>  	stores = None
>  	if TYPE is not None:
> 




