Re: [PATCH] libselinux: add selinux_snapperd_contexts_path()

On 06/20/2016 07:09 AM, Petr Lautrbach wrote:
> Snapper needs a way to set a proper SELinux context on btrfs
> subvolumes originating from the snapshot create command. The fs can't handle it on
> its own, so snapper will enforce .snapshots subvolume relabeling
> according to a file returned by selinux_snapperd_contexts_path().
> 
> The format of the file will be similar to other contexts files:
> 
> snapperd_data = system_u:object_r:snapperd_data_t:s0
> 
> Fixes:
> https://bugzilla.redhat.com/show_bug.cgi?id=1247530
> https://bugzilla.redhat.com/show_bug.cgi?id=1247532

Thanks, applied.  I would recommend that a bug be opened against the
kernel / btrfs about the fact that the inodes are initially unlabeled,
as otherwise snapper will always need permissions to relabel unlabeled
files and generally we would prefer that unlabeled be inaccessible.

> 
> Signed-off-by: Petr Lautrbach <plautrba@xxxxxxxxxx>
> ---
>  libselinux/include/selinux/selinux.h |  1 +
>  libselinux/src/file_path_suffixes.h  |  1 +
>  libselinux/src/selinux_config.c      | 10 +++++++++-
>  libselinux/src/selinux_internal.h    |  1 +
>  4 files changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> index 2262086..3d8673f 100644
> --- a/libselinux/include/selinux/selinux.h
> +++ b/libselinux/include/selinux/selinux.h
> @@ -544,6 +544,7 @@ extern const char *selinux_lxc_contexts_path(void);
>  extern const char *selinux_x_context_path(void);
>  extern const char *selinux_sepgsql_context_path(void);
>  extern const char *selinux_openssh_contexts_path(void);
> +extern const char *selinux_snapperd_contexts_path(void);
>  extern const char *selinux_systemd_contexts_path(void);
>  extern const char *selinux_contexts_path(void);
>  extern const char *selinux_securetty_types_path(void);
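Review bot: the new prototype is undocumented; the diffstat touches no man page and the header gains no comment, so the contexts file format given in the commit message (`snapperd_data = system_u:object_r:snapperd_data_t:s0`) lives only in this email. Suggest a one-line comment above the prototype, or a man page entry alongside the other `selinux_*_contexts_path()` functions, stating that the function returns only the path to the snapperd contexts file and that the caller must handle the file being absent.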
> diff --git a/libselinux/src/file_path_suffixes.h b/libselinux/src/file_path_suffixes.h
> index d1f9b48..95b228b 100644
> --- a/libselinux/src/file_path_suffixes.h
> +++ b/libselinux/src/file_path_suffixes.h
> @@ -24,6 +24,7 @@ S_(BINPOLICY, "/policy/policy")
>      S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context")
>      S_(LXC_CONTEXTS, "/contexts/lxc_contexts")
>      S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts")
> +    S_(SNAPPERD_CONTEXTS, "/contexts/snapperd_contexts")
>      S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts")
>      S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs")
>      S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist")
> diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
> index bec5f3b..c519a77 100644
> --- a/libselinux/src/selinux_config.c
> +++ b/libselinux/src/selinux_config.c
> @@ -50,7 +50,8 @@
>  #define BOOLEAN_SUBS      27
>  #define OPENSSH_CONTEXTS  28
>  #define SYSTEMD_CONTEXTS  29
> -#define NEL               30
> +#define SNAPPERD_CONTEXTS 30
> +#define NEL               31
>  
>  /* Part of one-time lazy init */
>  static pthread_once_t once = PTHREAD_ONCE_INIT;
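Review bot: adding SNAPPERD_CONTEXTS as 30 and bumping NEL to 31 in the same hunk is the right shape, since NEL is the element count that sizes the path table; keep NEL as the last define so that any later addition also bumps it, and note that the name must match the `S_(SNAPPERD_CONTEXTS, ...)` entry added in file_path_suffixes.h, which it does here.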
> @@ -499,6 +500,13 @@ const char *selinux_openssh_contexts_path(void)
>  
>  hidden_def(selinux_openssh_contexts_path)
>  
> +const char *selinux_snapperd_contexts_path(void)
> +{
> +    return get_path(SNAPPERD_CONTEXTS);
> +}
> +
> +hidden_def(selinux_snapperd_contexts_path)
> +
>  const char *selinux_systemd_contexts_path(void)
>  {
>  	return get_path(SYSTEMD_CONTEXTS);
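Review bot: the body of the new selinux_snapperd_contexts_path() is indented with four spaces, while the adjacent selinux_systemd_contexts_path() body (`	return get_path(SYSTEMD_CONTEXTS);`) uses a tab; match the file's tab indentation before merging so the two functions read identically.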
> diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
> index 46566f6..9b9145c 100644
> --- a/libselinux/src/selinux_internal.h
> +++ b/libselinux/src/selinux_internal.h
> @@ -84,6 +84,7 @@ hidden_proto(selinux_mkload_policy)
>      hidden_proto(selinux_x_context_path)
>      hidden_proto(selinux_sepgsql_context_path)
>      hidden_proto(selinux_openssh_contexts_path)
> +    hidden_proto(selinux_snapperd_contexts_path)
>      hidden_proto(selinux_systemd_contexts_path)
>      hidden_proto(selinux_path)
>      hidden_proto(selinux_check_passwd_access)
> 

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.