FOSSASIA 2017 SELinux intro talk

2017-03-26 Thread Jason Zaman
Hey all,

I gave an introductory talk at FOSSASIA in Singapore last week and
figured some people here might be interested. The slides and link to the
video are up on my blog:
http://blog.perfinion.com/2017/03/fossasia-2017-selinux-introduction/

-- Jason
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.


[PATCH 1/3] policycoreutils/setfiles: stdout messages don't need program prefix

2017-03-26 Thread Alan Jenkins
I suggested that if you run a command for its informational output (by
passing `-v`), you don't expect it to be prefixed with the program name.
Prefixing is used for error messages, so you can tell where your shell
script blew up :).  If a script is running a command for its informational
output, it's usually the script's responsibility to make sure it's in
context, e.g. providing headers if there are multiple sections of output.

Removing the program name from setfiles/restorecon output is particularly
useful because it generates very long lines.  But also, it actually helps
highlight where there are error messages - the prefix will make them
stand out visually.

Signed-off-by: Alan Jenkins 
---
 policycoreutils/setfiles/setfiles.c | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/setfiles/setfiles.c 
b/policycoreutils/setfiles/setfiles.c
index 6f69c90..83e0b2a 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -142,9 +142,15 @@ static int __attribute__ ((format(printf, 2, 3)))
 log_callback(int type, const char *fmt, ...)
 {
int rc;
-   FILE *out = (type == SELINUX_INFO) ? stdout : stderr;
+   FILE *out;
va_list ap;
-   fprintf(out, "%s: ", r_opts.progname);
+
+   if (type == SELINUX_INFO) {
+   out = stdout;
+   } else {
+   out = stderr;
+   fprintf(out, "%s: ", r_opts.progname);
+   }
va_start(ap, fmt);
rc = vfprintf(out, fmt, ap);
va_end(ap);
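Review bot: In the new `if (type == SELINUX_INFO)` branch the `r_opts.progname` prefix is no longer written to stdout, which changes the output format for any script that matches on the program-name prefix in `-v` output; that deserves an explicit line in the commit message or release notes. The diff could also be smaller by keeping the original ternary for `out` and guarding only the prefix with `if (type != SELINUX_INFO)`.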
-- 
2.9.3



[PATCH 2/3] policycoreutils/setfiles: don't scramble stdout and stderr together

2017-03-26 Thread Alan Jenkins
https://bugzilla.redhat.com/show_bug.cgi?id=1435894

When output to a non-tty (as caused by the implementation of fixfiles),
stdout is fully buffered.  stdout should be flushed before writes to
stderr.

See e.g. https://news.ycombinator.com/item?id=1271015

Signed-off-by: Alan Jenkins 
---
 policycoreutils/setfiles/setfiles.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policycoreutils/setfiles/setfiles.c 
b/policycoreutils/setfiles/setfiles.c
index 83e0b2a..bc83c27 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -149,6 +149,7 @@ log_callback(int type, const char *fmt, ...)
out = stdout;
} else {
out = stderr;
+   fflush(stdout);
fprintf(out, "%s: ", r_opts.progname);
}
va_start(ap, fmt);
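Review bot: The added `fflush(stdout);` in the `else` branch has no comment, and the reason for it (stdout is fully buffered when it is not a tty, so its lines can land after later stderr lines) exists only in the commit message. A one-line comment above the call would keep it from being removed as redundant later. The return value is ignored, which seems acceptable here since the message that follows goes to stderr anyway.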
-- 
2.9.3



[PATCH 3/3] policycoreutils: fixfiles: remove useless use of cat

2017-03-26 Thread Alan Jenkins
Don't force output through a pipe - let them access the TTY.

When run interactively, this acts as a workaround for
"Output of fixfiles gets garbled?"
https://bugzilla.redhat.com/show_bug.cgi?id=1435894

E.g. it would also be useful if restorecon ever decides it doesn't want to
output backspace characters on non-TTY outputs.

Signed-off-by: Alan Jenkins 
---
 policycoreutils/scripts/fixfiles | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 58a364f..bc74d69 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -243,17 +243,17 @@ FC=$TEMPFCFILE
 fi
 if [ ! -z "$RPMFILES" ]; then
 for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
-   rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R 
-i -f - 2>&1 | cat >> $LOGFILE
+   rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R 
-i -f - >>$LOGFILE 2>&1
 done
 exit $?
 fi
 if [ ! -z "$FILEPATH" ]; then
-${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* -- "$FILEPATH" 
2>&1 | cat >> $LOGFILE
+${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* -- "$FILEPATH" 
>>$LOGFILE 2>&1
 return
 fi
 if [  -n "${FILESYSTEMSRW}" ]; then
 echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
-${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} 
${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE
+${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} 
${FILESYSTEMSRW} >>$LOGFILE 2>&1
 else
 echo >&2 "fixfiles: No suitable file systems found"
 fi
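Review bot: Dropping `| cat` in the `$RPMFILES` loop changes what the `exit $?` after `done` reports: the pipeline status used to be that of `cat` and is now that of `${RESTORECON}` for the last package, so a restorecon failure can now become the exit code of fixfiles. That is probably an improvement, but it is a behaviour change beyond the TTY fix and should be stated in the commit message. `$LOGFILE` is also still unquoted in all three redirections; `>>"$LOGFILE"` would be more robust.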
-- 
2.9.3



[PATCH 2/2] policycoreutils: fixfiles: handle unexpected spaces in command

2017-03-26 Thread Alan Jenkins
I accidentally ran `fixfiles "a b"` during testing.  Let's fix this too.
Before:

   /sbin/fixfiles: line 394: [: a: binary operator expected

   Usage: ...

After:

Usage: ...

Signed-off-by: Alan Jenkins 
---
 policycoreutils/scripts/fixfiles | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index d3a53ba..58a364f 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -378,8 +378,8 @@ done
 shift $(( OPTIND - 1 ))
 
 # Check for the command
-command=$1
-if [ -z $command ]; then
+command="$1"
+if [ -z "$command" ]; then
 usage
 fi
 
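Review bot: On `command="$1"` the added quotes are harmless but have no effect, since assignments are not word-split; the functional fix in this hunk is `[ -z "$command" ]`. Saying so in the commit message would make it clear which line removes the "binary operator expected" error.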
@@ -391,17 +391,17 @@ shift
 #
 
 if [ ! -z "$RPMFILES" ]; then
-process $command
+process "$command"
 if [ $# -gt 0 ]; then
usage
 fi
 else
 if [ -z "$1" ]; then
-   process $command
+   process "$command"
 else
while [ -n "$1" ]; do
FILEPATH="$1"
-   process $command
+   process "$command"
shift
done
 fi
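Review bot: In the `$RPMFILES` branch, `process "$command"` still runs before the `[ $# -gt 0 ]` check, so a call with unexpected extra arguments does its work first and only then prints usage. Since this patch is about rejecting malformed command lines cleanly, consider moving the `$#` check above `process`.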
-- 
2.9.3



[PATCH 1/2] policycoreutils: fixfiles should handle path arguments more robustly

2017-03-26 Thread Alan Jenkins
E.g. `fixfiles restore -v /usr` - before:

Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
Progress and Verbose mutually exclusive
usage:  /sbin/restorecon [-iFnprRv0] [-e excludedir] pathname...
usage:  /sbin/restorecon [-iFnprRv0] [-e excludedir] -f filename
Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
229k

after:

Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
/sbin/restorecon:  lstat(-v) failed:  No such file or directory
Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
229k

This matches the usage shown in the manual page.  While we're in there,
we should handle spaces as well, e.g. `fixfiles restore "a b"`.  Before:

Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
/sbin/restorecon:  lstat(b) failed:  No such file or directory

After:

Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
/sbin/restorecon:  lstat(a b) failed:  No such file or directory

Signed-off-by: Alan Jenkins 
---
 policycoreutils/scripts/fixfiles | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 3896d19..d3a53ba 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -248,7 +248,7 @@ if [ ! -z "$RPMFILES" ]; then
 exit $?
 fi
 if [ ! -z "$FILEPATH" ]; then
-${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* $FILEPATH 2>&1 | 
cat >> $LOGFILE
+${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* -- "$FILEPATH" 
2>&1 | cat >> $LOGFILE
 return
 fi
 if [  -n "${FILESYSTEMSRW}" ]; then
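Review bot: On the `${RESTORECON}` line, `"$FILEPATH"` is now quoted and protected by `--`, but the `$*` just before it is still expanded unquoted, so any extra argument containing whitespace is split again at that point; `"$@"` would preserve the arguments as given. The `>> $LOGFILE` redirection on the same command is unquoted too.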
@@ -400,7 +400,7 @@ else
process $command
 else
while [ -n "$1" ]; do
-   FILEPATH=$1
+   FILEPATH="$1"
process $command
shift
done
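Review bot: The context line `while [ -n "$1" ]; do` ends the loop at the first empty argument, so with `FILEPATH="$1"` now preserving arguments exactly, a call such as `fixfiles restore /usr "" /var` would silently skip `/var`. Testing `[ $# -gt 0 ]` instead would process every argument and leave it to restorecon to report the empty path.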
-- 
2.9.3
