Re: [PATCH] python/semanage: Do not sort local fcontext definitions

Petr Lautrbach <lautrbach@xxxxxxxxxx> · Wed, 14 Feb 2024 18:12:35 +0100

Vit Mojzis <vmojzis@xxxxxxxxxx> writes:

> Entries in file_contexts.local are processed from the most recent one to
> the oldest, with first match being used. Therefore it is important to
> preserve their order when listing (semanage fcontext -lC) and exporting
> (semanage export).
>
> Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>
>

I think it's good approach. I just hit the following ui issue:

[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t '/opt/selinux_testing(/.*)?'
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_rw_t '/opt/selinux_testing/webroot(/.*)?'
[root@localhost ~]# semanage fcontext -a -t httpd_log_t '/opt/selinux_testing/logs(/.*)?'
[root@localhost ~]# semanage fcontext -l -C
SELinux fcontext                                   type               Context

/opt/selinux_testing(/.*)?                         all files          system_u:object_r:httpd_sys_content_t:s0 
/opt/selinux_testing/webroot(/.*)?                 all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/opt/selinux_testing/logs(/.*)?                    all files          system_u:object_r:httpd_log_t:s0

[root@localhost ~]# matchpathcon /opt/selinux_testing/logs /opt/selinux_testing/webroot/
/opt/selinux_testing/logs       system_u:object_r:httpd_log_t:s0
/opt/selinux_testing/webroot    system_u:object_r:httpd_sys_rw_content_t:s0

If it's first match, I'd expect that both would be matched with
'/opt/selinux_testing(/.*)?' -> httpd_sys_content_t

[root@localhost ~]# semanage fcontext -d '/opt/selinux_testing(/.*)?'
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t '/opt/selinux_testing(/.*)?'
[root@localhost ~]# semanage fcontext -l -C
SELinux fcontext                                   type               Context

/opt/selinux_testing/webroot(/.*)?                 all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/opt/selinux_testing/logs(/.*)?                    all files          system_u:object_r:httpd_log_t:s0 
/opt/selinux_testing(/.*)?                         all files          system_u:object_r:httpd_sys_content_t:s0

[root@localhost ~]# matchpathcon /opt/selinux_testing/logs /opt/selinux_testing/webroot/
/opt/selinux_testing/logs       system_u:object_r:httpd_sys_content_t:s0
/opt/selinux_testing/webroot    system_u:object_r:httpd_sys_content_t:s0

And here it looks like it should match webroot, resp logs.

So it's first match but from bottom to top. It kind of make sense as the
last added item is at bottom. OTOH people generally reads from top to
bottom.

What do you think?

> ---
> Not sure if this is the best solution since the local file context
> customizations are still sorted in the output of "semanage fcontext -l".
> Adding a new section for "Local file context changes" would make it
> clear that such changes are treated differently, but it would make it
> harder to find context definitions affecting specific path.
> The most important part of this patch is the change to "customized"
> since that stops "semanage export | semanage import" from reordering the
> local customizations.
>
> Note: The order of dictionary.keys() is only guaranteed in python 3.6+.
>
> Note2: The change to fcontextPage can only be seen when the user
> disables ordering by "File specification" column, which is enabled by
> defalut.
>
>  gui/fcontextPage.py         | 6 +++++-
>  python/semanage/seobject.py | 9 +++++++--
>  2 files changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
> index 767664f2..c88df580 100644
> --- a/gui/fcontextPage.py
> +++ b/gui/fcontextPage.py
> @@ -133,7 +133,11 @@ class fcontextPage(semanagePage):
>          self.fcontext = seobject.fcontextRecords()
>          self.store.clear()
>          fcon_dict = self.fcontext.get_all(self.local)
> -        for k in sorted(fcon_dict.keys()):
> +        if self.local:
> +            fkeys = fcon_dict.keys()
> +        else:
> +            fkeys = sorted(fcon_dict.keys())
> +        for k in fkeys:
>              if not self.match(fcon_dict, k, filter):
>                  continue
>              iter = self.store.append()
> diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
> index dfb15b1d..25ec4315 100644
> --- a/python/semanage/seobject.py
> +++ b/python/semanage/seobject.py
> @@ -2735,7 +2735,7 @@ class fcontextRecords(semanageRecords):
>      def customized(self):
>          l = []
>          fcon_dict = self.get_all(True)
> -        for k in sorted(fcon_dict.keys()):
> +        for k in fcon_dict.keys():
>              if fcon_dict[k]:
>                  if fcon_dict[k][3]:
>                      l.append("-a -f %s -t %s -r '%s' '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], fcon_dict[k][3], k[0]))
> @@ -2752,7 +2752,12 @@ class fcontextRecords(semanageRecords):
>          if len(fcon_dict) != 0:
>              if heading:
>                  print("%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")))
> -            for k in sorted(fcon_dict.keys()):
> +            # do not sort local customizations since they are evaluated based on the order they where added in
> +            if locallist:
> +                fkeys = fcon_dict.keys()
> +            else:
> +                fkeys = sorted(fcon_dict.keys())
> +            for k in fkeys:
>                  if fcon_dict[k]:
>                      if is_mls_enabled:
>                          print("%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1], fcon_dict[k][2], translate(fcon_dict[k][3], False)))
> -- 
> 2.43.0