On 08/16/2016 09:32 AM, Vit Mojzis wrote:
> When given invalid regexp, semanage reports error, but adds the invalid
> context to "/etc/selinux/targeted/contexts/files/file_contexts.local",
> which breaks the system (won't boot in enforcing mode). The new context
> doesn't show up on "#semanage fcontext -l -C" and cannot be removed by
> "semanage fcontext --delete".
>

Slightly related to this. Now that we have this pretty nice priorities feature and CIL in general, can we not take advantage of that and consider unifying the stuff in /var/lib/selinux where possible? CIL should be perfect for things like this.

For example, instead of maintaining these file_contexts.local files, just make (lib)semanage load CIL modules at some specified priority for these types of customizations. That way the stuff is more uniform (it's pretty much all in CIL modules and written in CIL instead of these {port_contexts,file_context}.local files etc.), and there is then also automatically a module to remove any invalid specs.

That will not deal with any regular expression validation, but if we could make secilc smart enough to identify invalid regular expressions then we have a solution for this in a central place as well.

I am pretty sure that I am overlooking things here, but it seems like a good idea to me.

> Investigation on Fedora version of libsemanage showed that
> "file_contexts.local" is not backed up before the new version is
> installed into the system and therefore cannot be restored after failure.
> For more details see: https://bugzilla.redhat.com/show_bug.cgi?id=1362041
>
> # semanage fcontext -a -t httpd_exec_t "(/.*)?"
> specfiles SHA1 digest: 980289cabd78157523679695fd2e4fd0a5b5ff05
> calculated using the following specfile(s):
> /etc/selinux/targeted/contexts/files/file_contexts.subs_dist
> /etc/selinux/targeted/contexts/files/file_contexts.subs
> /etc/selinux/targeted/contexts/files/file_contexts
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs
> /etc/selinux/targeted/contexts/files/file_contexts.local
> libsemanage.semanage_exec_prog: Child process
> /sbin/sefcontext_compile did not exit cleanly. (No such file or directory).
> libsemanage.sefcontext_compile: sefcontext_compile returned
> error code -1. Compiling
> /etc/selinux/targeted/contexts/files/file_contexts.local (No such file
> or directory).
> specfiles SHA1 digest: 5097e1780892f53aedb6d30d5d61206a159a20e7
> calculated using the following specfile(s):
> /etc/selinux/targeted/contexts/files/file_contexts.subs_dist
> /etc/selinux/targeted/contexts/files/file_contexts.subs
> /etc/selinux/targeted/contexts/files/file_contexts.bin
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs
> /etc/selinux/targeted/contexts/files/file_contexts.local
> libsemanage.semanage_exec_prog: Child process
> /sbin/sefcontext_compile did not exit cleanly. (No such file or directory).
> libsemanage.sefcontext_compile: sefcontext_compile returned
> error code -1. Compiling
> /etc/selinux/targeted/contexts/files/file_contexts.local (No such file
> or directory).
> FileNotFoundError: [Errno 2] No such file or directory
>
> # semanage fcontext -l -C
> -
>
> # cat /etc/selinux/targeted/contexts/files/file_contexts.local
> # This file is auto-generated by libsemanage
> # Do not edit directly.
>
> (/.*)? system_u:object_r:httpd_exec_t:s0
>
> # semanage fcontext -d -t httpd_exec_t "(/.*)?"
> ValueError: File context for (/.*)? is not defined
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to
> Selinux-request@xxxxxxxxxxxxx.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
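As an added illustration of the approach Dominick suggests above (this is not code from the thread, and libsemanage does not do this on its own today), the same kind of local file-context customization that `semanage fcontext -a` writes into file_contexts.local can be carried as a plain CIL module installed at a priority of its own. The path /srv/www, the module name local_www_fcontext and the priority 400 are assumptions chosen for the example; the `filecon` syntax and the context `(user role type levelrange)` form are standard CIL.

```cil
; Added example, not from the thread: a local file-context spec as a
; CIL module rather than a file_contexts.local entry.
; The path /srv/www and the type httpd_sys_content_t are assumptions
; for illustration; the type, user, role and level are declared by the
; base policy, so a CIL module can reference them without a require.
;
; filecon arguments: "regex" file-type (user role type ((low) (high)))
; file-type may be file, dir, char, block, socket, pipe, symlink or any.
(filecon "/srv/www(/.*)?" any (system_u object_r httpd_sys_content_t ((s0) (s0))))
```

Save it as local_www_fcontext.cil and install it at a priority above the distribution policy (which normally sits at 100), for example `semodule -X 400 -i local_www_fcontext.cil`; `semodule -lfull` lists modules together with their priority, and `semodule -X 400 -r local_www_fcontext` removes just this module, after which `restorecon -Rv /srv/www` relabels the tree. This is what gives the "automatically a module to remove any invalid specs" property: a spec that turns out to be bad is removed by removing its module, not by editing an auto-generated file. The caveat Dominick already raises still applies: secilc does not validate the regular expression in a `filecon`, so a spec that sefcontext_compile rejects would still break the generated file_contexts until the module is removed.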