python/chcat: fix removing categories on users with Fedora default setup

Using Vagrant with fedora/28-cloud-base image, SELinux logins are configured this way: # semanage login -l Login Name SELinux User MLS/MCS Range Service __default__ unconfined_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * vagrant unconfined_u s0-s0:c0.c1023 * Using "chcat -l +c42 vagrant" successfully adds the category to user vagrant, but "chcat -l -- -c42 vagrant" fails to remove it. semanage login -l returns: vagrant unconfined_u s0-s0:c0.c1023,c42 * This issue is caused by expandCats(), which refuses to return a list of more than 25 categories. This causes chcat_user_remove() to work with cats=['c0.c1023,c42'] instead of cats=['c0.c102','c42'], which leads to it not been able to remove 'c42' from the list. Fix this issue by splitting the list of categories before calling expandCats(). Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2024-12-27 16:32:05 +00:00 · 2018-12-09 15:23:23 +01:00 · 2018-12-09 15:23:23 +01:00 · f39c0ac637
commit f39c0ac637
parent 69c56bd2f6
1 changed files with 2 additions and 4 deletions
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@ -82,8 +82,7 @@ def chcat_user_add(newcat, users):
        if len(serange) > 1:
            top = serange[1].split(":")
            if len(top) > 1:
-                cats.append(top[1])
-                cats = expandCats(cats)
+                cats = expandCats(top[1].split(','))

        for i in newcat[1:]:
            if i not in cats:
@ -163,8 +162,7 @@ def chcat_user_remove(newcat, users):
        if len(serange) > 1:
            top = serange[1].split(":")
            if len(top) > 1:
-                cats.append(top[1])
-                cats = expandCats(cats)
+                cats = expandCats(top[1].split(','))

        for i in newcat[1:]:
            if i in cats: