Message ID | 65111b4f-23b9-6758-9cd6-d2f8429916fb@gmail.com (mailing list archive) |
---|---|
State | Changes Requested |
Series | policycoretuils: sestatus belongs to bin not sbin |
On Sat, Feb 13, 2021 at 9:44 PM bauen1 <j2468h@googlemail.com> wrote:
>
> It is quite useful even to non-privileged users and doesn't require any
> privileges to work, except for maybe -v.
>
> Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>

I agree with the reasoning, but changing the location of an existing tool has the potential to break software which depends on the precise location of sestatus (like
https://github.com/openstack/cookbook-openstack-dashboard/blob/86127240974041b456086b5fff6f8f525c9cf555/spec/spec_helper.rb#L82
and https://github.com/rapid7/metasploit-framework/blob/4a380771d3a18011af153e47e1d08a4a83feb452/lib/msf/core/post/linux/kernel.rb#L276
and https://github.com/RedHatInsights/insights-core/blob/6fd58aeab11232a62ea97ba576220abca808c660/insights/specs/default.py#L815
and ...).

On the other hand, if you have a clear use-case of non-privileged users refusing to add /usr/sbin to their $PATH but willing to use sestatus, and that supporting this use-case seems more important than not breaking programs which rely on sestatus being in /usr/sbin, this patch will be acceptable. Do you know of such a use-case?

(By the way, there is a misspelling in the patch subject: you wrote "policycoretuils" instead of "policycoreutils")

Thanks,
Nicolas

> ---
>
> Only tested by running `make DESTDIR="$PWD" install` and checking that
> sestatus ends up at /usr/bin/sestatus
>
> policycoreutils/sestatus/Makefile | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/policycoreutils/sestatus/Makefile b/policycoreutils/sestatus/Makefile > index 8c4f45f8..ac113814 100644 > --- a/policycoreutils/sestatus/Makefile > +++ b/policycoreutils/sestatus/Makefile > @@ -1,7 +1,7 @@ > # Installation directories. > LINGUAS ?= ru > PREFIX ?= /usr > -SBINDIR ?= $(PREFIX)/sbin > +BINDIR ?= $(PREFIX)/bin > MANDIR = $(PREFIX)/share/man > ETCDIR ?= /etc
> > @@ -16,8 +16,8 @@ sestatus: sestatus.o > install: all > [ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8 > [ -d $(DESTDIR)$(MANDIR)/man5 ] || mkdir -p $(DESTDIR)$(MANDIR)/man5 > - -mkdir -p $(DESTDIR)$(SBINDIR) > - install -m 755 sestatus $(DESTDIR)$(SBINDIR) > + -mkdir -p $(DESTDIR)$(BINDIR) > + install -m 755 sestatus $(DESTDIR)$(BINDIR) > install -m 644 sestatus.8 $(DESTDIR)$(MANDIR)/man8 > install -m 644 sestatus.conf.5 $(DESTDIR)$(MANDIR)/man5 > for lang in $(LINGUAS) ; do \ > -- > 2.30.0 >
On 2/16/21 10:31 PM, Nicolas Iooss wrote:
> On Sat, Feb 13, 2021 at 9:44 PM bauen1 <j2468h@googlemail.com> wrote:
>>
>> It is quite useful even to non-privileged users and doesn't require any
>> privileges to work, except for maybe -v.
>>
>> Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
>
> I agree with the reasoning, but changing the location of an existing
> tool has the potential to break software which depends on the precise
> location of sestatus (like
> https://github.com/openstack/cookbook-openstack-dashboard/blob/86127240974041b456086b5fff6f8f525c9cf555/spec/spec_helper.rb#L82
> and https://github.com/rapid7/metasploit-framework/blob/4a380771d3a18011af153e47e1d08a4a83feb452/lib/msf/core/post/linux/kernel.rb#L276
> and https://github.com/RedHatInsights/insights-core/blob/6fd58aeab11232a62ea97ba576220abca808c660/insights/specs/default.py#L815
> and ...).

While I personally believe those shouldn't have been hard-coded in the first place, that is a good argument.
Would it be acceptable if a symlink is added to /usr/sbin/sestatus to link to /usr/bin/sestatus (or the other way)?

> On the other hand, if you have a clear use-case of non-privileged
> users refusing to add /usr/sbin to their $PATH but willing to use
> sestatus, and that supporting this use-case seems more important than
> not breaking programs which rely on sestatus being in /usr/sbin, this
> patch will be acceptable. Do you know of such a use-case?

My use case is logging in as my normal user account and checking if SELinux is properly working. I'm not sure _why_ I should have to add sbin to $PATH to access a tool that works properly for non-privileged users, not that I couldn't do that.

IIRC I did once (~2 years ago) have /sbin, /usr/sbin in $PATH, but then I end up with a lot of tools in tab-complete that I can't actually use (properly) and I don't like that.

> (By the way, there is a misspelling in the patch subject: you wrote
> "policycoretuils" instead of "policycoreutils")

Thanks, I'll fix that if necessary.
Nicolas Iooss <nicolas.iooss@m4x.org> writes:

> On Sat, Feb 13, 2021 at 9:44 PM bauen1 <j2468h@googlemail.com> wrote:
>>
>> It is quite useful even to non-privileged users and doesn't require any
>> privileges to work, except for maybe -v.
>>
>> Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
>
> I agree with the reasoning, but changing the location of an existing
> tool has the potential to break software which depends on the precise
> location of sestatus (like
> https://github.com/openstack/cookbook-openstack-dashboard/blob/86127240974041b456086b5fff6f8f525c9cf555/spec/spec_helper.rb#L82
> and https://github.com/rapid7/metasploit-framework/blob/4a380771d3a18011af153e47e1d08a4a83feb452/lib/msf/core/post/linux/kernel.rb#L276
> and https://github.com/RedHatInsights/insights-core/blob/6fd58aeab11232a62ea97ba576220abca808c660/insights/specs/default.py#L815
> and ...).
>
> On the other hand, if you have a clear use-case of non-privileged
> users refusing to add /usr/sbin to their $PATH but willing to use
> sestatus, and that supporting this use-case seems more important than
> not breaking programs which rely on sestatus being in /usr/sbin, this
> patch will be acceptable. Do you know of such a use-case?
>
> (By the way, there is a misspelling in the patch subject: you wrote
> "policycoretuils" instead of "policycoreutils")
>

Could a symlink /usr/bin/sestatus -> ../sbin/sestatus solve this?

> Thanks,
> Nicolas
>
>> ---
>>
>> Only tested by running `make DESTDIR="$PWD" install` and checking that
>> sestatus ends up at /usr/bin/sestatus
>>
>> policycoreutils/sestatus/Makefile | 6 +++---
>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/policycoreutils/sestatus/Makefile b/policycoreutils/sestatus/Makefile >> index 8c4f45f8..ac113814 100644 >> --- a/policycoreutils/sestatus/Makefile >> +++ b/policycoreutils/sestatus/Makefile
>> @@ -1,7 +1,7 @@ >> # Installation directories. >> LINGUAS ?= ru >> PREFIX ?= /usr >> -SBINDIR ?= $(PREFIX)/sbin >> +BINDIR ?= $(PREFIX)/bin >> MANDIR = $(PREFIX)/share/man >> ETCDIR ?= /etc >> >> @@ -16,8 +16,8 @@ sestatus: sestatus.o >> install: all >> [ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8 >> [ -d $(DESTDIR)$(MANDIR)/man5 ] || mkdir -p $(DESTDIR)$(MANDIR)/man5 >> - -mkdir -p $(DESTDIR)$(SBINDIR) >> - install -m 755 sestatus $(DESTDIR)$(SBINDIR) >> + -mkdir -p $(DESTDIR)$(BINDIR) >> + install -m 755 sestatus $(DESTDIR)$(BINDIR) >> install -m 644 sestatus.8 $(DESTDIR)$(MANDIR)/man8 >> install -m 644 sestatus.conf.5 $(DESTDIR)$(MANDIR)/man5 >> for lang in $(LINGUAS) ; do \ >> -- >> 2.30.0 >>
diff --git a/policycoreutils/sestatus/Makefile b/policycoreutils/sestatus/Makefile index 8c4f45f8..ac113814 100644 --- a/policycoreutils/sestatus/Makefile +++ b/policycoreutils/sestatus/Makefile @@ -1,7 +1,7 @@ # Installation directories. LINGUAS ?= ru PREFIX ?= /usr -SBINDIR ?= $(PREFIX)/sbin +BINDIR ?= $(PREFIX)/bin MANDIR = $(PREFIX)/share/man ETCDIR ?= /etc @@ -16,8 +16,8 @@ sestatus: sestatus.o install: all [ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8 [ -d $(DESTDIR)$(MANDIR)/man5 ] || mkdir -p $(DESTDIR)$(MANDIR)/man5 - -mkdir -p $(DESTDIR)$(SBINDIR) - install -m 755 sestatus $(DESTDIR)$(SBINDIR) + -mkdir -p $(DESTDIR)$(BINDIR) + install -m 755 sestatus $(DESTDIR)$(BINDIR) install -m 644 sestatus.8 $(DESTDIR)$(MANDIR)/man8 install -m 644 sestatus.conf.5 $(DESTDIR)$(MANDIR)/man5 for lang in $(LINGUAS) ; do \
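Review bot: In the first hunk (@@ -1,7 +1,7 @@), replacing `SBINDIR ?= $(PREFIX)/sbin` with `BINDIR ?= $(PREFIX)/bin` removes the only variable that controlled the old location, so a build that already passes SBINDIR=... to make for this directory has that setting silently ignored and sestatus lands under $(PREFIX)/bin regardless. Suggest keeping the SBINDIR definition alongside the new BINDIR line, so the old path stays configurable and is available for a compatibility link, and naming the new BINDIR variable in the commit message so packagers know to override it.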
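Review bot: In the second hunk (@@ -16,8 +16,8 @@), the install recipe now writes sestatus only to $(DESTDIR)$(BINDIR) and leaves nothing at the previous sbin path, which is the path the callers cited in this thread hard-code. Suggest adding a step after `install -m 755 sestatus $(DESTDIR)$(BINDIR)` that creates a relative symlink in the sbin directory pointing at the new binary, as proposed in the replies. The unchanged context line `install -m 644 sestatus.8 $(DESTDIR)$(MANDIR)/man8` also keeps the manual page in section 8, the section for administration commands; if the tool is now positioned for ordinary users, either move the page to section 1 or state in the commit message why it stays in section 8.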
It is quite useful even to non-privileged users and doesn't require any privileges to work, except for maybe -v.

Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
---

Only tested by running `make DESTDIR="$PWD" install` and checking that sestatus ends up at /usr/bin/sestatus

 policycoreutils/sestatus/Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)