[PATCH] genhomedircon
Stephen Smalley
sds at tycho.nsa.gov
Fri May 11 11:53:11 UTC 2007
On Fri, 2007-05-11 at 18:39 +0800, Lee Kok Seng wrote:
> I believe the logic in testing the file_contexts fc regular
> expression against
> candidate home directory listed in /etc/passwd for non-system user may
> have a problem.
>
> For example,
>
> I have postgresql installed under /opt/pgsql, database at /pgsql/pgdb
> and have a username pgsql, setting the home directory to /pgsql/home.
>
> Currently, FC5 selinux policy has several fc rules like this:
>
> /var/lib/pgsql/data/*
>
> Due to the way python's re.search is called, instead of using all
> possible fc rules in file_context to try to match the candidate home
> directory, it does it the other way, resulting in erroneously
> flagging a rule conflict.
>
> Have I confused myself? If not, the following patch will fix the
> problem,
> which it did for me.
>
> Note that if you do not place home directories away from /home, you may
> never experience this problem, and hence have no need for this patch.
>
> /ks
> ------------------------------------------------------------------------
> ------------------------------------
>
> --- /usr/sbin/genhomedircon.orig 2006-06-07 23:10:33.000000000
> +0800
> +++ /usr/sbin/genhomedircon 2007-05-09 15:14:23.000000000 +0800
> @@ -295,8 +295,8 @@
>
> regex = re.sub("\(\/\.\*\)\?", "", regex)
> regex = regex + "/*$"
> - if re.search(home, regex, 0):
> - return 1
> + if re.search(regex, home, 0):
> + return 1
> except:
> continue
> return 0
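Review bot: the argument swap is correct, since `re.search(pattern, string)` takes the pattern first, but the `except:` two lines below the change still catches every exception rather than just `re.error` from an unparsable file_contexts rule, so any unrelated failure inside the loop is silently turned into "no conflict"; suggest `except re.error: continue`. Also worth noting in the same hunk: `"\(\/\.\*\)\?"` is a non-raw string whose backslash escapes only happen to survive, and `r"\(/\.\*\)\?"` states the intent more robustly.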
>
Thanks, already received this from Dan Walsh on the upstream selinux
list. Applied in policycoreutils 2.0.17 (trunk) and 1.34.10 (stable).
--
Stephen Smalley
National Security Agency
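To make the effect of the argument order concrete, here is an added example that is not part of the thread or of policycoreutils. It reproduces the two rewrites visible in the quoted hunk (stripping "(/.*)?" and appending "/*$") and then runs the pre-patch and post-patch checks over a constructed list of file_contexts rules and candidate paths; the rules and paths are made up for illustration, and which path genhomedircon actually passes in (the home directory or its parent) is not shown on the page.

```python
import re

# Constructed sample file_contexts regexes, not copied from a real policy.
FC_RULES = [
    r"/var/lib/pgsql(/.*)?",
    r"/home/[^/]+",
]


def normalize_rule(regex):
    """Apply the two rewrites shown in the quoted hunk: drop the optional
    '(/.*)?' suffix and anchor the rule so it must match to end of string."""
    regex = re.sub(r"\(/\.\*\)\?", "", regex)
    return regex + "/*$"


def conflicts_before_patch(home, rules):
    """Pre-patch order: the candidate path is used as the *pattern* and is
    searched for inside the rule text. Any substring hit counts as a conflict."""
    for rule in rules:
        try:
            if re.search(home, normalize_rule(rule)):
                return 1
        except re.error:
            continue
    return 0


def conflicts_after_patch(home, rules):
    """Post-patch order: the rule is the pattern, the candidate path is the
    string being tested, which is what the check was meant to do."""
    for rule in rules:
        try:
            if re.search(normalize_rule(rule), home):
                return 1
        except re.error:
            continue
    return 0


def compare(candidates, rules=FC_RULES):
    """Return {path: (before, after)} so the two behaviours can be read side by side."""
    return {p: (conflicts_before_patch(p, rules), conflicts_after_patch(p, rules))
            for p in candidates}


if __name__ == "__main__":
    # Constructed candidates: a home root outside /home (as in the report),
    # a path that really is covered by a rule, and an ordinary /home entry.
    for path, (before, after) in compare(["/pgsql", "/var/lib/pgsql", "/home/alice"]).items():
        print(f"{path:18} before={before} after={after}")
```

With the swapped order, "/pgsql" is flagged because the string "/pgsql" occurs inside the rule text "/var/lib/pgsql/*$" (a false conflict, the symptom in the report), while "/home/alice" is not flagged even though the rule "/home/[^/]+" genuinely covers it (a missed conflict). The corrected order gives the expected answers for all three.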
More information about the fedora-selinux-list
mailing list