On Fri, Feb 16, 2024 at 8:13 AM Vit Mojzis <vmojzis@xxxxxxxxxx> wrote:
>
> On 2/14/24 18:12, Petr Lautrbach wrote:
> > Vit Mojzis <vmojzis@xxxxxxxxxx> writes:
> >
> >> Entries in file_contexts.local are processed from the most recent one to
> >> the oldest, with first match being used. Therefore it is important to
> >> preserve their order when listing (semanage fcontext -lC) and exporting
> >> (semanage export).
> >>
> >> Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>
> >>
> >
> > I think it's good approach. I just hit the following ui issue:
> >
> >
> > [root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t '/opt/selinux_testing(/.*)?'
> > [root@localhost ~]# semanage fcontext -a -t httpd_sys_content_rw_t '/opt/selinux_testing/webroot(/.*)?'
> > [root@localhost ~]# semanage fcontext -a -t httpd_log_t '/opt/selinux_testing/logs(/.*)?'
> > [root@localhost ~]# semanage fcontext -l -C
> > SELinux fcontext type Context
> >
> > /opt/selinux_testing(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
> > /opt/selinux_testing/webroot(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
> > /opt/selinux_testing/logs(/.*)? all files system_u:object_r:httpd_log_t:s0
> >
> > [root@localhost ~]# matchpathcon /opt/selinux_testing/logs /opt/selinux_testing/webroot/
> > /opt/selinux_testing/logs system_u:object_r:httpd_log_t:s0
> > /opt/selinux_testing/webroot system_u:object_r:httpd_sys_rw_content_t:s0
> >
> >
> > If it's first match, I'd expect that both would be matched with
> > '/opt/selinux_testing(/.*)?' -> httpd_sys_content_ >
> >
> >
> > [root@localhost ~]# semanage fcontext -d '/opt/selinux_testing(/.*)?'
> > [root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t '/opt/selinux_testing(/.*)?'
> > [root@localhost ~]# semanage fcontext -l -C
> > SELinux fcontext type Context
> >
> > /opt/selinux_testing/webroot(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
> > /opt/selinux_testing/logs(/.*)? all files system_u:object_r:httpd_log_t:s0
> > /opt/selinux_testing(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
> >
> > [root@localhost ~]# matchpathcon /opt/selinux_testing/logs /opt/selinux_testing/webroot/
> > /opt/selinux_testing/logs system_u:object_r:httpd_sys_content_t:s0
> > /opt/selinux_testing/webroot system_u:object_r:httpd_sys_content_t:s0
> >
> > And here it looks like it should match webroot, resp logs.
> >
> >
> > So it's first match but from bottom to top. It kind of make sense as the
> > last added item is at bottom. OTOH people generally reads from top to
> > bottom.
> >
> > What do you think?
>
> To me it makes more sense to leave it as is, since the fist added item
> is at the top (same as file_contexts.local file).
> The man page also says that entries are processed from the most recent
> one to the oldest, so you should read them from the bottom up.
>
> But I'm happy to reverse the order if you feel it will be more intuitive
> for users.
>
> Vit
>
The order with the most recently added item at the bottom makes the
most sense to me.
Jim
> >
> >
> >
> >
> >
> >> ---
> >> Not sure if this is the best solution since the local file context
> >> customizations are still sorted in the output of "semanage fcontext -l".
> >> Adding a new section for "Local file context changes" would make it
> >> clear that such changes are treated differently, but it would make it
> >> harder to find context definitions affecting specific path.
> >> The most important part of this patch is the change to "customized"
> >> since that stops "semanage export | semanage import" from reordering the
> >> local customizations.
> >>
> >> Note: The order of dictionary.keys() is only guaranteed in python 3.6+.
> >>
> >> Note2: The change to fcontextPage can only be seen when the user
> >> disables ordering by "File specification" column, which is enabled by
> >> defalut.
> >>
> >> gui/fcontextPage.py | 6 +++++-
> >> python/semanage/seobject.py | 9 +++++++--
> >> 2 files changed, 12 insertions(+), 3 deletions(-)
> >>
> >> diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
> >> index 767664f2..c88df580 100644
> >> --- a/gui/fcontextPage.py
> >> +++ b/gui/fcontextPage.py
> >> @@ -133,7 +133,11 @@ class fcontextPage(semanagePage):
> >> self.fcontext = seobject.fcontextRecords()
> >> self.store.clear()
> >> fcon_dict = self.fcontext.get_all(self.local)
> >> - for k in sorted(fcon_dict.keys()):
> >> + if self.local:
> >> + fkeys = fcon_dict.keys()
> >> + else:
> >> + fkeys = sorted(fcon_dict.keys())
> >> + for k in fkeys:
> >> if not self.match(fcon_dict, k, filter):
> >> continue
> >> iter = self.store.append()
> >> diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
> >> index dfb15b1d..25ec4315 100644
> >> --- a/python/semanage/seobject.py
> >> +++ b/python/semanage/seobject.py
> >> @@ -2735,7 +2735,7 @@ class fcontextRecords(semanageRecords):
> >> def customized(self):
> >> l = []
> >> fcon_dict = self.get_all(True)
> >> - for k in sorted(fcon_dict.keys()):
> >> + for k in fcon_dict.keys():
> >> if fcon_dict[k]:
> >> if fcon_dict[k][3]:
> >> l.append("-a -f %s -t %s -r '%s' '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], fcon_dict[k][3], k[0]))
> >> @@ -2752,7 +2752,12 @@ class fcontextRecords(semanageRecords):
> >> if len(fcon_dict) != 0:
> >> if heading:
> >> print("%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")))
> >> - for k in sorted(fcon_dict.keys()):
> >> + # do not sort local customizations since they are evaluated based on the order they where added in
> >> + if locallist:
> >> + fkeys = fcon_dict.keys()
> >> + else:
> >> + fkeys = sorted(fcon_dict.keys())
> >> + for k in fkeys:
> >> if fcon_dict[k]:
> >> if is_mls_enabled:
> >> print("%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1], fcon_dict[k][2], translate(fcon_dict[k][3], False)))
> >> --
> >> 2.43.0
> >
>
>
