From patchwork Wed Oct 4 15:36:02 2017
X-Patchwork-Submitter: Vit Mojzis
X-Patchwork-Id: 9985159
From: Vit Mojzis
To: selinux@tycho.nsa.gov
Date: Wed, 4 Oct 2017 17:36:02 +0200
Message-Id: <20171004153604.5817-1-vmojzis@redhat.com>
In-Reply-To: <1dcea489-7584-e7a3-aa50-99a974440734@redhat.com>
References: <1dcea489-7584-e7a3-aa50-99a974440734@redhat.com>
Subject: [PATCH 1/3] libsemanage: Keep copy of file_contexts.homedirs in policy store
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

This will allow listing the correct file_contexts.homedirs using libsemanage
regardless of selected policy store.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813
Signed-off-by: Vit Mojzis
---
 libsemanage/src/direct_api.c | 19 ++++++++++++++-----
 libsemanage/src/genhomedircon.c | 4 ++--
 libsemanage/src/semanage_store.c | 1 +
 libsemanage/src/semanage_store.h | 1 +
 4 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
index 65842df..971a08f 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@@ -1577,11 +1577,20 @@ rebuild: /* run genhomedircon if its enabled, this should be the last operation * which requires the out policydb */ if (!sh->conf->disable_genhomedircon) { - if (out && (retval = - semanage_genhomedircon(sh, out, sh->conf->usepasswd, sh->conf->ignoredirs)) != 0) { - ERR(sh, "semanage_genhomedircon returned error code %d.", - retval); - goto cleanup; + if (out){ + if ((retval = semanage_genhomedircon(sh, out, sh->conf->usepasswd, + sh->conf->ignoredirs)) != 0) { + ERR(sh, "semanage_genhomedircon returned error code %d.", retval); + goto cleanup; + } + /* file_contexts.homedirs was created in SEMANAGE_TMP store */ + retval = semanage_copy_file( + semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS), + semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS), + sh->conf->file_mode); + if (retval < 0) { + goto cleanup; + } } } else { WARN(sh, "WARNING: genhomedircon is disabled. \ diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c index b9a74b7..27a269e 100644 --- a/libsemanage/src/genhomedircon.c +++ b/libsemanage/src/genhomedircon.c @@ -1345,8 +1345,8 @@ int semanage_genhomedircon(semanage_handle_t * sh, s.homedir_template_path = semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL); - s.fcfilepath = semanage_final_path(SEMANAGE_FINAL_TMP, - SEMANAGE_FC_HOMEDIRS); + s.fcfilepath = + semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS); s.fallback = calloc(1, sizeof(genhomedircon_user_entry_t)); if (s.fallback == NULL) { diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c index 6158d08..63c80b0 100644 --- a/libsemanage/src/semanage_store.c +++ b/libsemanage/src/semanage_store.c @@ -116,6 +116,7 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = { "/modules/disabled", "/policy.kern", "/file_contexts.local", + "/file_contexts.homedirs", "/file_contexts", "/seusers" }; 
diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h index fcaa505..34bf852 100644 --- a/libsemanage/src/semanage_store.h +++ b/libsemanage/src/semanage_store.h @@ -61,6 +61,7 @@ enum semanage_sandbox_defs { SEMANAGE_MODULES_DISABLED, SEMANAGE_STORE_KERNEL, SEMANAGE_STORE_FC_LOCAL, + SEMANAGE_STORE_FC_HOMEDIRS, SEMANAGE_STORE_FC, SEMANAGE_STORE_SEUSERS, SEMANAGE_STORE_NUM_PATHS
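
Review bot: in the direct_api.c hunk (@@ -1577), the new `if (retval < 0) { goto cleanup; }` after semanage_copy_file() exits without an ERR() call, while the semanage_genhomedircon() failure just above it logs the return code. Suggest adding an ERR(sh, ...) that names the file_contexts.homedirs copy, so a failed rebuild can be traced to this step. Two smaller points in the same hunk: the copy result is tested with `< 0` where the genhomedircon call is tested with `!= 0`, and `if (out){` wants a space before the brace.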
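
Review bot: in the genhomedircon.c hunk (@@ -1345), `s.fcfilepath` now resolves through semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS), so semanage_genhomedircon() by itself no longer writes anything under SEMANAGE_FINAL_TMP, and nothing at the assignment says so. The only explanation is the comment added in direct_api.c. Suggest a comment at this assignment stating that the output lands in the store and that the caller is responsible for copying it to the final path.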
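
Review bot: in the semanage_store.c hunk (@@ -116), "/file_contexts.homedirs" is inserted in the middle of semanage_sandbox_paths[], which is correct only because semanage_store.h gains SEMANAGE_STORE_FC_HOMEDIRS at the same position in its enum. That coupling is implicit in the lines shown; suggest a comment on the array that its order must match enum semanage_sandbox_defs, or designated initializers such as `[SEMANAGE_STORE_FC_HOMEDIRS] = "/file_contexts.homedirs"` so a future mismatch cannot silently map an index to the wrong path.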
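
Review bot: in the semanage_store.h hunk (@@ -61), SEMANAGE_STORE_FC_HOMEDIRS is placed before SEMANAGE_STORE_FC, which shifts the numeric values of SEMANAGE_STORE_FC and SEMANAGE_STORE_SEUSERS. That is harmless if these enumerators are used only as indices into semanage_sandbox_paths[]; the commit message should say so, or the reason for inserting mid-enum should be given. The new name also differs from SEMANAGE_FC_HOMEDIRS (used with semanage_final_path() elsewhere in this patch) only by `STORE_`, so a one-line comment on the enumerator distinguishing the store copy from the final copy would help readers.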