From aca3def462ab141c3991a2d27c44341b809cf970 Mon Sep 17 00:00:00 2001 From: rwmjones Date: Thu, 6 Oct 2022 12:15:56 +0100 Subject: [PATCH 3/3] semanage: Fix parsing of ignoredirs (#758) From /etc/selinux/semanage.conf from a RHEL 9.1 system, this line caused problems: ignoredirs=/root;/bin;/boot;/dev;/etc [...] Parse this as a list of modified Rx.fspath, generating a tree like: /files/etc/selinux/semanage.conf/ignoredirs/1 = /root /files/etc/selinux/semanage.conf/ignoredirs/2 = /bin /files/etc/selinux/semanage.conf/ignoredirs/3 = /dev /files/etc/selinux/semanage.conf/ignoredirs/4 = /etc [...] Also this adds the RHEL 9 file as another test case and adjusts the output of the existing test case. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2077120 Signed-off-by: Richard W.M. Jones Signed-off-by: Richard W.M. Jones (cherry picked from commit a3ba6e2d32b95507e2474a219e788ac3d54bc4a1) --- lenses/semanage.aug | 7 +++- lenses/tests/test_semanage.aug | 4 +- tests/root/etc/selinux/semanage.conf | 60 ++++++++++++++++++++++++++++ tests/xpath.tests | 1 + 4 files changed, 70 insertions(+), 2 deletions(-) create mode 100644 tests/root/etc/selinux/semanage.conf diff --git a/lenses/semanage.aug b/lenses/semanage.aug index 46f93b32..edd97131 100644 --- a/lenses/semanage.aug +++ b/lenses/semanage.aug @@ -23,7 +23,12 @@ let sep = IniFile.sep "=" "=" let empty = IniFile.empty let eol = IniFile.eol -let entry = IniFile.entry IniFile.entry_re sep comment +let list_keys = "ignoredirs" +let scl = del ";" ";" +let fspath = /[^ \t\n;#]+/ (* Rx.fspath without ; or # *) + +let entry = IniFile.entry_list list_keys sep fspath scl comment + | IniFile.entry (IniFile.entry_re - list_keys) sep comment | empty let title = IniFile.title_label "@group" (IniFile.record_re - /^end$/) diff --git a/lenses/tests/test_semanage.aug b/lenses/tests/test_semanage.aug index a6ceaca0..f76b95f3 100644 --- a/lenses/tests/test_semanage.aug +++ b/lenses/tests/test_semanage.aug @@ -68,7 +68,9 @@ test Semanage.lns get conf = { "usepasswd" = "False" } { "bzip-small" = "true" } { "bzip-blocksize" = "5" } - { "ignoredirs" = "/root" } + { "ignoredirs" + { "1" = "/root" } + } { } { "@group" = "sefcontext_compile" { "path" = "/usr/sbin/sefcontext_compile" } diff --git a/tests/root/etc/selinux/semanage.conf b/tests/root/etc/selinux/semanage.conf new file mode 100644 index 00000000..406f16f1 --- /dev/null +++ b/tests/root/etc/selinux/semanage.conf @@ -0,0 +1,60 @@ +# Authors: Jason Tang +# +# Copyright (C) 2004-2005 Tresys Technology, LLC +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +# +# Specify how libsemanage will interact with a SELinux policy manager. +# The four options are: +# +# "source" - libsemanage manipulates a source SELinux policy +# "direct" - libsemanage will write directly to a module store. +# /foo/bar - Write by way of a policy management server, whose +# named socket is at /foo/bar. The path must begin +# with a '/'. +# foo.com:4242 - Establish a TCP connection to a remote policy +# management server at foo.com. If there is a colon +# then the remainder is interpreted as a port number; +# otherwise default to port 4242. +module-store = direct + +# When generating the final linked and expanded policy, by default +# semanage will set the policy version to POLICYDB_VERSION_MAX, as +# given in . Change this setting if a different +# version is necessary. +#policy-version = 19 + +# expand-check check neverallow rules when executing all semanage +# commands. There might be a penalty in execution time if this +# option is enabled. +expand-check=0 + +# usepasswd check tells semanage to scan all pass word records for home directories +# and setup the labeling correctly. If this is turned off, SELinux will label only /home +# and home directories of users with SELinux login mappings defined, see +# semanage login -l for the list of such users. +# If you want to use a different home directory, you will need to use semanage fcontext command. +# For example, if you had home dirs in /althome directory you would have to execute +# semanage fcontext -a -e /home /althome +usepasswd=False +bzip-small=true +bzip-blocksize=5 +ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var +optimize-policy=true + +[sefcontext_compile] +path = /usr/sbin/sefcontext_compile +args = -r $@ +[end] diff --git a/tests/xpath.tests b/tests/xpath.tests index 4278e433..71c998b8 100644 --- a/tests/xpath.tests +++ b/tests/xpath.tests @@ -109,6 +109,7 @@ test descendant-or-self /files/descendant-or-self :: 4 /files/etc/ssh/ssh_config/Host/SendEnv[1]/4 = LC_TIME /files/etc/ssh/ssh_config/Host/SendEnv[2]/4 = LC_TELEPHONE /files/etc/aliases/4 + /files/etc/selinux/semanage.conf/ignoredirs/4 = /dev /files/etc/fstab/4 /files/etc/pam.d/login/4 /files/etc/pam.d/newrole/4 -- 2.31.1