We open and take a flock on the .restorecond file. But we could leak
this file across exec. Open O_CLOEXEC.
Signed-off-by: Eric Paris <eparis@redhat.com>
Instead of all calls to the usage output resulting in a 0 return code we
should show the usage menu when something is wrong but we should return
non-zero.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
With kernel 2.6.31, restorecond uses 99% of my CPU.
This is because removing and readding the watch on utmp triggers inotify to
return an IN_IGNORED event for the old watch descriptor. If the watch gets
allocated the same wd when it is readded, then restorecond thinks that utmp
has changed, so removes and readds the watch again, potentially looping.
With kernel <= 2.6.30, this never happened, because the kernel didn't reuse
watch descriptors. So the IN_IGNORED event comes with a wd that is no
longer in use, and gets ignored. But kernel 2.6.31 reuses the same watch
descriptor. The kernel has been fixed to not reuse watch descriptors.
However as some kernels do reuse them, and its possible they may again,
this patch fixes that by ignoring inotify events whose only bit set is
IN_IGNORED.
Signed-off-by: Martin Orr <martin@martinorr.name>
Signed-off-by: Manoj Srivastava <srivasta@debian.org>
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Make restorecond -u watch the terminal io channel for and exit indicator
and then exit itself if it is not being run from dbus. If being run
from dbus, dbus takes care of the session cleanup.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Do not assume it is always a success and error gracefully when it isn't.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Basically this patch makes restorecond a dbus session service that can
be run in the users session to watch the creation of files in the
homedir. Most of the changes are just to get it to run as a dbus
session and then to allow it to read its own config.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This is purely personal preference. Most of the Makefiles use $() for
Makefile variables, but a couple of places use ${}. Since this obscured
some later Makefile changes I figured I'd just make them all the same up
front.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The first user that logs in will not be caught by restorecond. The utmp
checking function only returns that there was a change when the previous
list of users was non-NULL.
Here's a patch that works for me (this is against the latest Red Hat
Enterprise Linux 5 policycoreutils release, but I checked the current
source tree and the same problem is present):
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
With kernel 2.6.31, restorecond uses 99% of my CPU.
This is because removing and readding the watch on utmp triggers inotify to
return an IN_IGNORED event for the old watch descriptor. If the watch gets
allocated the same wd when it is readded, then restorecond thinks that utmp
has changed, so removes and readds the watch again, potentially looping.
With kernel <= 2.6.30, this never happened, because the kernel didn't reuse
watch descriptors. So the IN_IGNORED event comes with a wd that is no
longer in use, and gets ignored. But kernel 2.6.31 reuses the same watch
descriptor.
This patch fixes that by ignoring inotify events whose only bit set is
IN_IGNORED.
Note: it is not clear to me why it is necessary to remove and readd the
watch in the first place.
Note for testing: you need to log in (to cause a change in utmp) after
starting restorecond to trigger the bug. In fact you need to log in twice
before the kernel reuses a watch descriptor.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Email: dwalsh@redhat.com
Subject: patch to policycoreutils
Date: Wed, 01 Apr 2009 10:10:43 -0400
Multiple patches to policycoreutils.
First added /root/.ssh and /root/.ssh/* to allow people to place keys
in /root directory and have them labeled by restorcond
<snipdue to previously ack'd patch>
Clean up permissive domains creation in semanage so it does not leave
crap in /var/lib/selinux
---
Also have fixfiles operate recursively when in RPM mode, per:
Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Re: patch to policycoreutils
Date: Wed, 22 Apr 2009 21:50:48 -0400
If a package owned a directory like /var/lib/libvirt/images, when it is
relabeling we would want it to relabel not only the directory but the
contents of the directory
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: Several fixes to restorecond
Date: Tue, 17 Feb 2009 11:40:54 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Init script should be 755
libflashplayer.so has moved in the homedir and is now correct so no
longer needs to have labeling checked.
restorecond supports glob matching and should not complain on multiple
hard links if they match a glob.
So if a file has > 1 link and is an exact match complain, otherwise do not.
Also fix a couple of error messages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkma6JYACgkQrlYvE4MpobOoIACfUgUfpCuhvVTWyHgsq7/8hY0z
9WcAmgPK2KktAlY84HhtRmdu/Hy+9eE/
=zcCj
-----END PGP SIGNATURE-----
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Add glob support for restorecond
Date: Mon, 08 Sep 2008 15:03:51 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have added supported for GLOB expressions in restorecond. In order to
get nsplugin to work well, you need all of the contents of the homedir
labeled correctly. Unfortunately gnome creates directories at a fairly
random pace. FCFS. So it is very difficult to get transitions to
happen properly. As a tradeoff, we can use restorecond to watch the
homedir and relabel the directory when it is created. I know this is a
potential race condition. where some of the files created in the
directory will still have the wrong context, but I don't know of a
better solution.
Telling everyone they need to restorcon -R -v ~ is not a great solution.
If you are worried about information flow you should never rely on
restorecond.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkjFdxcACgkQrlYvE4MpobPtjACg3uyqaHD78FRxdaG5mfitnoB/
lh0AnjvfDC2vmCWisxzWq2qFsZMMu3XK
=JiG7
-----END PGP SIGNATURE-----
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Eric Paris
Dan Walsh
Martin Orr
Chris Adams
Joshua Brindle