[PATCH] genhomedircon

Lee Kok Seng kokseng at ieee.org
Fri May 11 10:39:06 UTC 2007


I believe the logic in testing the file_contexts fc regular expression
against candidate home directory listed in /etc/passwd for non-system user
may have a problem.

For example,

I have postgresql installed under /opt/pgsql, database at /pgsql/pgdb
and have a username pgsql, setting the home directory to /pgsql/home.

Currently, FC5 selinux policy has several fc rules like this:

/var/lib/pgsql/data/*

Due to the way Python's re.search is called, instead of using all possible
fc rules in file_context to try to match the candidate home directory, it
does it the other way, resulting in erroneously flagging a rule conflict.

Have I confused myself?  If not, the following patch will fix the problem,
which it did for me.

Note that if you do not place home directories away from /home, you may
never experience this problem, and hence have no need for this patch.

/ks
------------------------------------------------------------------------

--- /usr/sbin/genhomedircon.orig        2006-06-07 23:10:33.000000000  
+0800
+++ /usr/sbin/genhomedircon     2007-05-09 15:14:23.000000000 +0800
@@ -295,8 +295,8 @@

                             regex = re.sub("\(\/\.\*\)\?", "", regex)
                             regex = regex + "/*$"
-                           if re.search(home, regex, 0):
-                                   return 1
+                           if re.search(regex, home, 0):
+                                       return 1
                     except:
                             continue
                 return 0
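
Review bot: The corrected call on the `+if re.search(regex, home, 0):` line is still unanchored at the start: the context line above appends `/*$` to the pattern, but nothing pins it to the beginning of `home`, and `re.search` scans the whole string, so a rule can match only the tail of a home path and still be reported as a conflict. Consider `re.match(regex, home)` or prefixing the pattern with `^`. The added `return 1` is also indented further than the line it replaces; keep the original whitespace so the hunk changes only the call. The bare `except:` in the trailing context will silently skip a rule that fails to compile, which is worth narrowing to the regex error while this code is being touched.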




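The argument-order problem described in the message above, as an added example that is not part of the original post or of genhomedircon itself. It also goes one step further and compares the patched call with a start-anchored one. Assumptions: the rule strings, the candidate directories (`/pgsql` as the parent of the poster's `/pgsql/home`, plus `/opt/home` and `/home`) and all function names are constructed for illustration.

```python
import re

def rule_to_regex(rule):
    # Same two steps as the context lines of the patch: strip a trailing
    # "(/.*)?" from the fc rule, then append "/*$".
    return re.sub(r"\(/\.\*\)\?", "", rule) + "/*$"

def conflicts(rules, home, check):
    """Return the fc rules that `check` reports as conflicting with `home`."""
    hits = []
    for rule in rules:
        try:
            if check(rule_to_regex(rule), home):
                hits.append(rule)
        except re.error:
            continue  # skip patterns that do not compile
    return hits

def swapped(regex, home):
    # Pre-patch order: the home directory is used as the pattern.
    return re.search(home, regex) is not None

def patched(regex, home):
    # Post-patch order: the rule is the pattern, but it may match mid-string.
    return re.search(regex, home) is not None

def anchored(regex, home):
    # re.match pins the pattern to the start; the appended "$" pins the end.
    return re.match(regex, home) is not None

# Constructed sample rules in file_contexts style.
RULES = ["/var/lib/pgsql/data(/.*)?", "/home(/.*)?"]

if __name__ == "__main__":
    for home in ("/pgsql", "/opt/home", "/home"):
        for check in (swapped, patched, anchored):
            print(home, check.__name__, conflicts(RULES, home, check))
```
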