diff options
author | Robin H. Johnson <robbat2@gentoo.org> | 2015-08-08 13:49:04 -0700 |
---|---|---|
committer | Robin H. Johnson <robbat2@gentoo.org> | 2015-08-08 17:38:18 -0700 |
commit | 56bd759df1d0c750a065b8c845e93d5dfa6b549d (patch) | |
tree | 3f91093cdb475e565ae857f1c5a7fd339e2d781e /sys-libs/libsemanage/files | |
download | gentoo-56bd759df1d0c750a065b8c845e93d5dfa6b549d.tar.gz gentoo-56bd759df1d0c750a065b8c845e93d5dfa6b549d.tar.bz2 gentoo-56bd759df1d0c750a065b8c845e93d5dfa6b549d.zip |
proj/gentoo: Initial commit
This commit represents a new era for Gentoo:
Storing the gentoo-x86 tree in Git, as converted from CVS.
This commit is the start of the NEW history.
Any historical data is intended to be grafted onto this point.
Creation process:
1. Take final CVS checkout snapshot
2. Remove ALL ChangeLog* files
3. Transform all Manifests to thin
4. Remove empty Manifests
5. Convert all stale $Header$/$Id$ CVS keywords to non-expanded Git $Id$
5.1. Do not touch files with -kb/-ko keyword flags.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
X-Thanks: Alec Warner <antarus@gentoo.org> - did the GSoC 2006 migration tests
X-Thanks: Robin H. Johnson <robbat2@gentoo.org> - infra guy, herding this project
X-Thanks: Nguyen Thai Ngoc Duy <pclouds@gentoo.org> - Former Gentoo developer, wrote Git features for the migration
X-Thanks: Brian Harring <ferringb@gentoo.org> - wrote much python to improve cvs2svn
X-Thanks: Rich Freeman <rich0@gentoo.org> - validation scripts
X-Thanks: Patrick Lauer <patrick@gentoo.org> - Gentoo dev, running new 2014 work in migration
X-Thanks: Michał Górny <mgorny@gentoo.org> - scripts, QA, nagging
X-Thanks: All of other Gentoo developers - many ideas and lots of paint on the bikeshed
Diffstat (limited to 'sys-libs/libsemanage/files')
-rw-r--r-- | sys-libs/libsemanage/files/0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch | 208 |
1 files changed, 208 insertions, 0 deletions
diff --git a/sys-libs/libsemanage/files/0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch b/sys-libs/libsemanage/files/0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch new file mode 100644 index 000000000000..8e523dcbf7e3 --- /dev/null +++ b/sys-libs/libsemanage/files/0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch @@ -0,0 +1,208 @@ +From 9caebebd598de737f27cdc8d5253a2cebd67d5a9 Mon Sep 17 00:00:00 2001 +From: Jason Zaman <jason@perfinion.com> +Date: Wed, 22 Apr 2015 18:27:09 +0400 +Subject: [PATCH] libsemanage: do not copy contexts in semanage_migrate_store + +The modules from the old store were previously copied to the new one +using setfscreatecon and shutil.copy2(). Now that refpolicy has rules +about the new policy location[1], copying the contexts is redundant. + +More importantly, the setcreatefscon caused a constraint violation[2] +which made the migration fail. In python3, shutil.copy2() copies xattrs +as well which again causes problems. shutil.copy() is enough for our +needs here as it will copy the file and permissions in both py2 and 3. +We do not need the extra things that copy2() does (mtime, xattr, etc). + +[1] http://oss.tresys.com/pipermail/refpolicy/2014-December/007511.html + +[2] +type=AVC msg=audit(1429438272.872:1869): avc: denied { create } for pid=28739 comm="semanage_migrat" name="strict" scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:semanage_store_t tclass=dir permissive=0 + constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED +allow semanage_t semanage_store_t:dir create; + +Signed-off-by: Jason Zaman <jason@perfinion.com> +--- + libsemanage/utils/semanage_migrate_store | 77 ++++++++------------------------ + 1 file changed, 18 insertions(+), 59 deletions(-) + +diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store +index 03b492e..2f85e9c 100755 +--- a/libsemanage/utils/semanage_migrate_store ++++ b/libsemanage/utils/semanage_migrate_store +@@ -8,7 +8,6 @@ import shutil + import sys + from optparse import OptionParser + +-import bz2 + import ctypes + + sepol = ctypes.cdll.LoadLibrary('libsepol.so') +@@ -21,41 +20,20 @@ except: + exit(1) + + +- +- +-# For some reason this function doesn't exist in libselinux :\ +-def copy_with_context(src, dst): ++def copy_file(src, dst): + if DEBUG: + print("copying %s to %s" % (src, dst)) + try: +- con = selinux.lgetfilecon_raw(src)[1] +- except: +- print("Could not get file context of %s" % src, file=sys.stderr) +- exit(1) +- +- try: +- selinux.setfscreatecon_raw(con) +- except: +- print("Could not set fs create context: %s" %con, file=sys.stderr) +- exit(1) +- +- try: +- shutil.copy2(src, dst) ++ shutil.copy(src, dst) + except OSError as the_err: + (err, strerr) = the_err.args + print("Could not copy %s to %s, %s" %(src, dst, strerr), file=sys.stderr) + exit(1) + +- try: +- selinux.setfscreatecon_raw(None) +- except: +- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr) + +-def create_dir_from(src, dst, mode): ++def create_dir(dst, mode): + if DEBUG: print("Making directory %s" % dst) + try: +- con = selinux.lgetfilecon_raw(src)[1] +- selinux.setfscreatecon_raw(con) + os.makedirs(dst, mode) + except OSError as the_err: + (err, stderr) = the_err.args +@@ -65,28 +43,18 @@ def create_dir_from(src, dst, mode): + print("Error creating %s" % dst, file=sys.stderr) + exit(1) + +- try: +- selinux.setfscreatecon_raw(None) +- except: +- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr) + +-def create_file_from(src, dst): ++def create_file(dst): + if DEBUG: print("Making file %s" % dst) + try: +- con = selinux.lgetfilecon_raw(src)[1] +- selinux.setfscreatecon_raw(con) + open(dst, 'a').close() + except OSError as the_err: + (err, stderr) = the_err.args + print("Error creating %s" % dst, file=sys.stderr) + exit(1) + +- try: +- selinux.setfscreatecon_raw(None) +- except: +- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr) + +-def copy_module(store, name, con, base): ++def copy_module(store, name, base): + if DEBUG: print("Install module %s" % name) + (file, ext) = os.path.splitext(name) + if ext != ".pp": +@@ -94,8 +62,6 @@ def copy_module(store, name, con, base): + print("warning: %s has invalid extension, skipping" % name, file=sys.stderr) + return + try: +- selinux.setfscreatecon_raw(con) +- + if base: + root = oldstore_path(store) + else: +@@ -105,7 +71,7 @@ def copy_module(store, name, con, base): + + os.mkdir("%s/%s" % (bottomdir, file)) + +- copy_with_context(os.path.join(root, name), "%s/%s/hll" % (bottomdir, file)) ++ copy_file(os.path.join(root, name), "%s/%s/hll" % (bottomdir, file)) + + # This is the ext file that will eventually be used to choose a compiler + efile = open("%s/%s/lang_ext" % (bottomdir, file), "w+", 0o600) +@@ -116,15 +82,11 @@ def copy_module(store, name, con, base): + print("Error installing module %s" % name, file=sys.stderr) + exit(1) + +- try: +- selinux.setfscreatecon_raw(None) +- except: +- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr) + +-def disable_module(file, root, name, disabledmodules): ++def disable_module(file, name, disabledmodules): + if DEBUG: print("Disabling %s" % name) + (disabledname, disabledext) = os.path.splitext(file) +- create_file_from(os.path.join(root, name), "%s/%s" % (disabledmodules, disabledname)) ++ create_file("%s/%s" % (disabledmodules, disabledname)) + + def migrate_store(store): + +@@ -138,17 +100,14 @@ def migrate_store(store): + print("Migrating from %s to %s" % (oldstore, newstore)) + + # Build up new directory structure +- create_dir_from(oldstore, "%s/%s" % (newroot_path(), store), 0o755) +- create_dir_from(oldstore, newstore, 0o700) +- create_dir_from(oldstore, newmodules, 0o700) +- create_dir_from(oldstore, bottomdir, 0o700) +- create_dir_from(oldstore, disabledmodules, 0o700) +- +- # use whatever the file context of bottomdir is for the module directories +- con = selinux.lgetfilecon_raw(bottomdir)[1] ++ create_dir("%s/%s" % (newroot_path(), store), 0o755) ++ create_dir(newstore, 0o700) ++ create_dir(newmodules, 0o700) ++ create_dir(bottomdir, 0o700) ++ create_dir(disabledmodules, 0o700) + + # Special case for base since it was in a different location +- copy_module(store, "base.pp", con, 1) ++ copy_module(store, "base.pp", 1) + + # Dir structure built, start copying files + for root, dirs, files in os.walk(oldstore): +@@ -161,7 +120,7 @@ def migrate_store(store): + newname = "seusers.local" + else: + newname = name +- copy_with_context(os.path.join(root, name), os.path.join(newstore, newname)) ++ copy_file(os.path.join(root, name), os.path.join(newstore, newname)) + + elif root == oldmodules: + # This should be the modules directory +@@ -171,9 +130,9 @@ def migrate_store(store): + print("Error installing module %s, name conflicts with base" % name, file=sys.stderr) + exit(1) + elif ext == ".disabled": +- disable_module(file, root, name, disabledmodules) ++ disable_module(file, name, disabledmodules) + else: +- copy_module(store, name, con, 0) ++ copy_module(store, name, 0) + + def rebuild_policy(): + # Ok, the modules are loaded, lets try to rebuild the policy +@@ -287,7 +246,7 @@ if __name__ == "__main__": + "preserve_tunables" ] + + +- create_dir_from(oldroot_path(), newroot_path(), 0o755) ++ create_dir(newroot_path(), 0o755) + + stores = None + if TYPE is not None: +-- +2.0.5 + |