Commit Graph

6 Commits

Author SHA1 Message Date
Nicolas Iooss
f39c0ac637 python/chcat: fix removing categories on users with Fedora default setup
Using Vagrant with fedora/28-cloud-base image, SELinux logins are
configured this way:

    # semanage login -l
    Login Name           SELinux User         MLS/MCS Range        Service

    __default__          unconfined_u         s0-s0:c0.c1023       *
    root                 unconfined_u         s0-s0:c0.c1023       *
    vagrant              unconfined_u         s0-s0:c0.c1023       *

Using "chcat -l +c42 vagrant" successfully adds the category to user
vagrant, but "chcat -l -- -c42 vagrant" fails to remove it.
semanage login -l returns:

    vagrant              unconfined_u         s0-s0:c0.c1023,c42   *

This issue is caused by expandCats(), which refuses to return a list of
more than 25 categories. This causes chcat_user_remove() to work with
cats=['c0.c1023,c42'] instead of cats=['c0.c102','c42'], which leads to
it not been able to remove 'c42' from the list.

Fix this issue by splitting the list of categories before calling
expandCats().

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-11 12:39:09 +01:00
Nicolas Iooss
69c56bd2f6 python/chcat: improve the code readability
flake8 reports many warnings for chcat:

    chcat:7:1: E265 block comment should start with '# '
    chcat:29:1: F401 'string' imported but unused
    chcat:44:1: E722 do not use bare 'except'
    chcat:104:9: F841 local variable 'e' is assigned to but never used
    chcat:144:9: F841 local variable 'e' is assigned to but never used
    chcat:186:9: F841 local variable 'e' is assigned to but never used
    chcat:234:9: F841 local variable 'e' is assigned to but never used
    chcat:262:9: F841 local variable 'e' is assigned to but never used
    chcat:281:5: F841 local variable 'e' is assigned to but never used
    chcat:385:9: E722 do not use bare 'except'
    chcat:402:1: E305 expected 2 blank lines after class or function definition, found 1
    chcat:436:5: F841 local variable 'e' is assigned to but never used

Fix all of them.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-11 12:39:07 +01:00
Vit Mojzis
2923d9d21e python/chcat: use check_call instead of getstatusoutput
Use "check_call" instead of "getstatusoutput" in order for special
characters and spaces in filenames to be handled correctly.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1013774

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-12-11 12:39:05 +01:00
Marcus Folkesson
11aaf180ef python: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 20:02:01 +01:00
Stephen Smalley
7b5699bfd7 Fix BINDIR/SBINDIR/... variables in Makefiles
As reported by Nicolas Iooss, there are still some inconsistencies
in the definitions and usage of Makefile variables related to bin
and sbin directories. Since we need to still support non-usrmerge
systems, we cannot completely synchronize them, but we can eliminate
unnecessary differences, remove unused variables, and drop the
USRSBINDIR variables.

Before:
$ find . -name Makefile -exec cat {} + |grep '^[A-Z_]*BINDIR' |sort -u
BINDIR=$(PREFIX)/bin
BINDIR ?= $(PREFIX)/bin
BINDIR ?= $(PREFIX)/sbin
SBINDIR ?= $(DESTDIR)/sbin
SBINDIR ?= $(PREFIX)/sbin
USRSBINDIR ?= $(PREFIX)/sbin

After:
$ find . -name Makefile -exec cat {} + | grep '^[A-Z_]*BINDIR' | sort -u
BINDIR ?= $(PREFIX)/bin
SBINDIR ?= $(DESTDIR)/sbin
SBINDIR ?= $(PREFIX)/sbin

This does not change the actual install location of any file.
It does drop the legacy symlink from /usr/sbin/load_policy to
/sbin/load_policy; packagers can create that separately if
desired.

Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-20 12:18:26 -04:00
Stephen Smalley
48dc232627 Move policycoreutils/{sepolicy,audit2allow,semanage,scripts/chcat*} and sepolgen to python.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 11:19:50 -05:00