This is a new 'compiler' which tranforms the file context database into
a binary format. This binary format may be mmap'd in later removing the
need to compile the regular expression at run time.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We may want to force matchpathcon to respond if the path is question is
a dir, sockfile, chr, blk, etc. Add an option so you can force it to
hit the right rule types.
Signed-off-by: Eric Paris <eparis@redhat.com>
Use selinux_boolean_sub to translate the boolean name handed in by the user.
Report back the correct name of the boolean.
Signed-off-by: Eric Paris <eparis@redhat.com>
Add a -s option to getdefaultcon which allows one to specify the
service in question. This exposes all of the abilities of getseuser
instead of only the abilities of getseuserbyname.
Signed-off-by: Eric Paris <eparis@redhat.com>
It's not special and doesn't need its own Makefile lines. Just make it
a normal target.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Move everything into /usr/* and just put links from /*. The whole /usr
thing hasn't really worked in all situations for a long long time. Just
accept that fact and move along.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Annotating the die method as taking printf format exposes
a bug in error reporting
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We declare rc both for a function and inside a stanze. We only need it in the
stanze so remove the declaration for the whole function.
Signed-off-by: Eric Paris <eparis@redhat.com>
selinux_file_context_verify(3) should now return the correct codes and
matchpathcon(8) has been modified to handle them.
The selinux_file_context_verify(3)and selinux_file_context_cmp(3) man pages
have also been updated (re-written really) to correct return codes.
I found that selabel_open left errno set to ENOENT because a
file_contexts.subs file did not exist on my system, but left selabel_open
alone and set errno = 0 before calling selinux_filecontext_cmp.
[fix uninitialize init variable in matchpathcon.c::main - eparis]
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Instead of only doing path simplification and symlink following for the
matchpathcon helper instead do it in the library potion. This was an
issue when in python some called selinux.matchpatchcon("//lib64", 0) and
got the wrong answer (because the // wasn't being dealt with)
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
matchpathcon cannot handle ./ or ../ in pathnames and doesn't do well
with symlinks. This patch uses the glibc function realpath() to try to
determine a real path with resolved symlinks and dot directories. For
example before this pach we would see:
$ matchpathcon /tmp/../eric
/tmp/../eric <<none>>
$ matchpathcon /eric
/eric system_u:object_r:default_t:s0
Whereas after the path we get the same results. The one quirk with the
patch is that we need special code to make sure that realpath() does not
follow a symlink if it is the final component. aka if we have a symlink
from /eric to /tmp/eric we do not want to resolv to /tmp/eric. We want
to just resolv to the actual symlink /eric.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
There is a .gitignore at the head of the directory but only contains
entries for the utils directory. Move to the utils directory.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This utility will tell what context a new task will have after exec
based on the pathname and the context of the launching task.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Email: dwalsh@redhat.com
Subject: Patch to getdefaultcon to print just the correct match and add verbose option
Date: Wed, 04 Mar 2009 15:41:37 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I really want to rename this to selinuxdefaultcon, which is what we ship
in Fedora.
Also exit with proper error on failure.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmu54AACgkQrlYvE4MpobNoZACdHgQDP2Hp/KDBpGCD7G08HjOX
p68An25Uu83SlOqjKyy9EG8ZgdIcuTCB
=L6UU
-----END PGP SIGNATURE-----
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: We have moved matchpathcon to /sbin from /usr/sbin
Date: Wed, 01 Apr 2009 10:21:53 -0400
Some init scripts wanted to use matchpathcon before /usr is mounted.
Author: Chad Sellers
Email: csellers@tresys.com
Added matchpathcon to clean target
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: Patch matchpathcon to eliminate file "/"
Date: Wed, 04 Mar 2009 15:39:31 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
So
matchpathcon /etc/
Will work the same as
matchpathcon /etc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmu5wMACgkQrlYvE4MpobNK4gCgiVeXXEZcCMsJKXM7jqh6r1u3
OScAoLcmXBIR63gpvA8RS3g07pcPC6IF
=e+Re
-----END PGP SIGNATURE-----
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: matchpathcon -V does not always work as expected.
Date: Tue, 30 Sep 2008 08:54:18 -0400
matchpathcon -V should be passing the mode when checking whether the
file context on a file is correct.
Signed-off-by: Joshua Brindle <method@manicmethod.com>