windows with selinux running. Part of the reason for this was because
libselinux called into the kernel /selinux/create interface for every
object. This patch caches the results of /selinux/create in the
userspace avc to significantly increase the speed of these types of
operations.
Revised to correct locking, interface issues.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Email: dwalsh@redhat.com
Subject: Add restorecon and install methods for libselinux python bindings.
Date: Tue, 06 Jan 2009 10:31:04 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Daniel J Walsh wrote:
> Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>> Luke Macken wrote restorecon and install functions used in Fedora
>> Infrastructure which can be used to install files with the proper
>> context and to fix the labels of files/directories without having to
>> exec restorecon.
>
>> diff --exclude-from=exclude -N -u -r
>> nsalibselinux/src/selinuxswig_python.i
>> libselinux-2.0.75/src/selinuxswig_python.i
>> --- nsalibselinux/src/selinuxswig_python.i 2008-08-28
>> 09:34:24.000000000 -0400
>> +++ libselinux-2.0.75/src/selinuxswig_python.i 2008-11-14
>> 17:09:50.000000000 -0500
>> @@ -6,6 +6,32 @@
>> #include "selinux/selinux.h"
>> %}
>
>> +%pythoncode %{
>> +
>> +import shutil, os
>> +
>> +def restorecon(path, recursive=False):
>> + """ Restore SELinux context on a given path """
>> + mode = os.stat(path)[stat.ST_MODE]
>
>> stat doesn't exist here, perhaps he meant mode?
>
>> + status, context = matchpathcon(path, mode)
>> + if status == 0:
>> + lsetfilecon(path, context)
>> + if recursive:
>> + os.path.walk(path, lambda arg, dirname, fnames:
>> + map(restorecon, [os.path.join(dirname, fname)
>> + s for fname in fnames]),
>> None)
>
>> typo, the s causes a syntax error
>
>> +
>> +def copytree(src, dest):
>> + """ An SELinux-friendly shutil.copytree method """
>> + shutil.copytree(src, dest)
>> + restorecon(dest, recursive=True)
>> +
>> +def install(src, dest):
>> + """ An SELinux-friendly shutil.move method """
>> + shutil.move(src, dest)
>> + restorecon(dest, recursive=True)
>> +%}
>> +
>> /* security_get_boolean_names() typemap */
>> %typemap(argout) (char ***names, int *len) {
>> PyObject* list = PyList_New(*$2);
>
>> This patch doesn't appear correct, I'll fix the things above, have you
>> been testing this at all?
>
> Must have sent you a bad patch.
>
>
> This is what the current patch looks like.
>
And this is still broken.
One more fix.
+ mode = os.stat(path)[stat.ST_MODE]
should be
+ mode = os.lstat(path)[stat.ST_MODE]
Modified to remove copytree and install functions
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Currently, the message types are defined but not used.
This will allow better separation of messages when logging to facilities
such as libaudit.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Email: dwalsh@redhat.com
Subject: matchpathcon -V does not always work as expected.
Date: Tue, 30 Sep 2008 08:54:18 -0400
matchpathcon -V should be passing the mode when checking whether the
file context on a file is correct.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Some missing man pages from libselinux
Date: Wed, 24 Sep 2008 08:57:44 -0400
We are still missing the following man pages.
Perhaps some of these functions should be removed?
selinux_users_path seems to return a bogus directory?
Also do not have _raw functions defined in man pages.
matchpathcon_checkmatches
matchpathcon_filespec_add
matchpathcon_filespec_destroy
matchpathcon_filespec_eval
matchpathcon_index
matchpathcon_init_prefix
print_access_vector
security_canonicalize_context
security_disable
security_set_boolean_list
selinux_check_passwd_access
selinux_customizable_types_path
selinux_file_context_cmp
selinux_file_context_verify
selinux_get_callback
selinux_init_load_policy
selinux_lsetfilecon_default
selinux_mkload_policy
selinux_raw_to_trans_context
selinux_trans_to_raw_context
selinux_translations_path
selinux_users_path
set_selinuxmnt
Signed-off-by: Joshua Brindle <method@manicmethod.com>
