authorPeter Jones <pjones@redhat.com>2007-10-18 20:27:32 +0000
committerPeter Jones <pjones@redhat.com>2007-10-18 20:27:32 +0000
commitd32c58af29e8ca27fa53726b9e37ba664d44d225 (patch)
treed4756b19b26f55764e020b58a64d881f000d78df
parentcfa0b4b12266e8e44f13bc458204b3a11abd9a80 (diff)
- fix selinux labels on $MOUNTPOINT/ and $MOUNTPOINT/lost+found (#335621)
-rw-r--r--ChangeLog14
-rw-r--r--fsset.py11
-rw-r--r--isys/isys.c43
-rw-r--r--isys/isys.py19
4 files changed, 70 insertions, 17 deletions
diff --git a/ChangeLog b/ChangeLog
index d536cd6f5..d8bdf42ca 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,8 +1,20 @@
+2007-10-17 Peter Jones <pjones@redhat.com>
+
+ * isys/isys.c: add matchPathContext and setFileContext calls,
+ remove resetFileContext call.
+
+ * isys/isys.py: add wrappers for matchPathContext and setFileContext,
+ and refactor resetFileContext to use them.
+
+ * fsset.py (FileSystemType.mount): label the root directory of
+ newly mounted filesystems and the lost+found directory when we mount
+ the fs (#335621).
+
2007-10-18 Bill Nottingham <notting@redhat.com>
* network.py: add ATTR{type}=="1" to rule to avoid matching wmaster*
-2007-10-17 Peter Jones <pjones@redhat.com>
+2007-10-18 Peter Jones <pjones@redhat.com>
* gptsync/Makefile: use Makefile.inc's CFLAGS (mostly)
diff --git a/fsset.py b/fsset.py
index d881557d1..95b45acb7 100644
--- a/fsset.py
+++ b/fsset.py
@@ -160,6 +160,8 @@ labelFactory = LabelFactory()
class FileSystemType:
kernelFilesystems = {}
+ lostAndFoundContext = None
+
def __init__(self):
self.deviceArguments = {}
self.formattable = 0
@@ -192,6 +194,15 @@ class FileSystemType:
fstype = self.getName(),
readOnly = readOnly, bindMount = bindMount)
+ if flags.selinux:
+ ret = isys.resetFileContext(mountpoint, instroot)
+ log.info("set SELinux context for newly mounted filesystem root at %s to %s" %(mountpoint, ret))
+ if FileSystemType.lostAndFoundContext is None:
+ FileSystemType.lostAndFoundContext = \
+ isys.matchPathContext("/lost+found")
+ isys.setFileContext("%s/lost+found" % (mountpoint,),
+ FileSystemType.lostAndFoundContext, instroot)
+
def umount(self, device, path):
isys.umount(path, removeDir = 0)
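Review bot: The message at `log.info("set SELinux context for newly mounted filesystem root at %s to %s" %(mountpoint, ret))` prints the value returned by `resetFileContext`, which after this commit is a boolean rather than the context string, so the log reads "to True"/"to False" and no longer records which label was applied. Log it as an outcome instead, e.g. `log.info("reset SELinux context of filesystem root at %s (result: %s)" %(mountpoint, ret))`, and emit a warning when the result indicates failure, since an unlabeled root directory is a security-relevant condition worth finding in the log; check the sense of the boolean against isys.setFileContext first, as that wrapper returns True when the C call reported non-zero. The result of the `isys.setFileContext("%s/lost+found" ...)` call is discarded entirely, so a failed relabel of lost+found is silent. The enclosing `mount` method starts outside the hunk.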
diff --git a/isys/isys.c b/isys/isys.c
index d759a55b8..60e9a353d 100644
--- a/isys/isys.c
+++ b/isys/isys.c
@@ -108,7 +108,8 @@ static PyObject * py_isLdlDasd(PyObject * s, PyObject * args);
static PyObject * doGetMacAddress(PyObject * s, PyObject * args);
static PyObject * doGetIPAddress(PyObject * s, PyObject * args);
#ifdef USESELINUX
-static PyObject * doResetFileContext(PyObject * s, PyObject * args);
+static PyObject * doMatchPathContext(PyObject * s, PyObject * args);
+static PyObject * doSetFileContext(PyObject * s, PyObject * args);
#endif
static PyObject * isWireless(PyObject * s, PyObject * args);
static PyObject * doProbeBiosDisks(PyObject * s, PyObject * args);
@@ -159,7 +160,8 @@ static PyMethodDef isysModuleMethods[] = {
{ "getMacAddress", (PyCFunction) doGetMacAddress, METH_VARARGS, NULL},
{ "getIPAddress", (PyCFunction) doGetIPAddress, METH_VARARGS, NULL},
#ifdef USESELINUX
- { "resetFileContext", (PyCFunction) doResetFileContext, METH_VARARGS, NULL },
+ { "matchPathContext", (PyCFunction) doMatchPathContext, METH_VARARGS, NULL },
+ { "setFileContext", (PyCFunction) doSetFileContext, METH_VARARGS, NULL },
#endif
{ "isWireless", (PyCFunction) isWireless, METH_VARARGS, NULL },
{ "biosDiskProbe", (PyCFunction) doProbeBiosDisks, METH_VARARGS,NULL},
@@ -1066,27 +1068,38 @@ static PyObject * doGetIPAddress(PyObject * s, PyObject * args) {
return Py_BuildValue("s", ret);
}
#ifdef USESELINUX
-static PyObject * doResetFileContext(PyObject * s, PyObject * args) {
+static PyObject * doMatchPathContext(PyObject * s, PyObject * args) {
char *fn, *buf = NULL;
+ int ret;
+
+ if (!PyArg_ParseTuple(args, "s", &fn))
+ return NULL;
+
+ ret = matchpathcon(fn, 0, &buf);
+ if (ret == 0)
+ return Py_BuildValue("s", buf);
+
+ Py_INCREF(Py_None);
+ return Py_None;
+}
+
+static PyObject * doSetFileContext(PyObject * s, PyObject * args) {
+ char *fn, *con;
char * root = NULL;
char path[PATH_MAX];
int ret;
- if (!PyArg_ParseTuple(args, "s|s", &fn, &root))
+ if (!PyArg_ParseTuple(args, "ss|s", &fn, &con, &root))
return NULL;
- ret = matchpathcon(fn, 0, &buf);
- /* fprintf(stderr, "matchpathcon returned %d: set %s to %s\n", ret, fn, buf);*/
- if (ret == 0) {
- if (root != NULL)
- snprintf(path, PATH_MAX, "%s/%s", root, fn);
- else
- snprintf(path, PATH_MAX, "%s", root);
-
- ret = lsetfilecon(path, buf);
- }
+ if (root != NULL)
+ snprintf(path, PATH_MAX, "%s/%s", root, fn);
+ else
+ snprintf(path, PATH_MAX, "%s", root);
+
+ ret = lsetfilecon(path, con);
- return Py_BuildValue("s", buf);
+ return Py_BuildValue("i", ret);
}
#endif
static PyObject * py_getDasdPorts(PyObject * o, PyObject * args) {
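Review bot: The `else` branch `snprintf(path, PATH_MAX, "%s", root);` in doSetFileContext runs exactly when `root` is NULL, so it formats a null pointer for `%s` (undefined behavior) and then hands whatever lands in `path` to `lsetfilecon`; it should format `fn`. The line predates the commit, but it is re-added here as new code and this rewrite is the place to fix it. In doMatchPathContext the buffer that `matchpathcon` allocates is handed to `Py_BuildValue("s", buf)` and never released, so every call leaks it; `freecon` after building the result closes that. Neither `snprintf` return is checked, so an over-long `root`/`fn` pair is silently truncated and a different path than the one requested gets relabeled; refusing to label a truncated path is cheap and avoids that.
```c
static PyObject * doMatchPathContext(PyObject * s, PyObject * args) {
    char *fn, *buf = NULL;
    PyObject *result;

    if (!PyArg_ParseTuple(args, "s", &fn))
        return NULL;

    if (matchpathcon(fn, 0, &buf) != 0) {
        Py_INCREF(Py_None);
        return Py_None;
    }
    result = Py_BuildValue("s", buf);
    freecon(buf);   /* matchpathcon allocates the context; release it */
    return result;
}

static PyObject * doSetFileContext(PyObject * s, PyObject * args) {
    /* … unchanged: declarations and PyArg_ParseTuple … */
    if (root != NULL)
        ret = snprintf(path, sizeof path, "%s/%s", root, fn);
    else
        ret = snprintf(path, sizeof path, "%s", fn);
    if (ret < 0 || ret >= (int) sizeof path)
        return Py_BuildValue("i", -1);   /* truncated path: do not relabel something else */

    ret = lsetfilecon(path, con);
    return Py_BuildValue("i", ret);
}
```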
diff --git a/isys/isys.py b/isys/isys.py
index cb3d67c96..5628f8a70 100644
--- a/isys/isys.py
+++ b/isys/isys.py
@@ -1079,11 +1079,28 @@ def isWireless(dev):
def getIPAddress(dev):
return _isys.getIPAddress(dev)
+## Get the correct context for a file from loaded policy.
+# @param fn The filename to query.
+def matchPathContext(fn):
+ return _isys.matchPathContext(fn)
+
+## Set the SELinux file context of a file
+# @param fn The filename to fix.
+# @param con The context to use.
+# @param instroot An optional root filesystem to look under for fn.
+def setFileContext(fn, con, instroot = '/'):
+ if con is not None and os.access("%s/%s" % (instroot, fn), os.F_OK):
+ return (_isys.setFileContext(fn, con, instroot) != 0)
+ return False
+
## Restore the SELinux file context of a file to its default.
# @param fn The filename to fix.
# @param instroot An optional root filesystem to look under for fn.
def resetFileContext(fn, instroot = '/'):
- return _isys.resetFileContext(fn, instroot)
+ con = matchPathContext(fn)
+ if con:
+ return setFileContext(fn, con, instroot)
+ return False
def prefix2netmask(prefix):
return _isys.prefix2netmask(prefix)
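Review bot: `setFileContext` returns `(_isys.setFileContext(fn, con, instroot) != 0)`, which is True exactly when the C side reported a non-zero result; since the C function returns the `lsetfilecon` status, which is 0 on success, the wrapper yields True on failure and False on success, while the `return False` fallbacks for a missing file or missing context read as "nothing was applied". If the intended contract is "True when the label was applied", the comparison should be `== 0`; whichever it is, state it in the doc comment, e.g. `# @return True if the context was applied, False if the file is missing, con is None or the call failed.`, because `resetFileContext` and its caller in fsset.py rely on that meaning. The `os.access(...)` pre-check only confirms existence, so a failed relabel still surfaces only through this return value.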