FOSSASIA 2017 SELinux intro talk
Hey all, I gave an introductory talk at FOSSASIA in Singapore last week and figured some people here might be interested. The slides and link to the video are up on my blog: http://blog.perfinion.com/2017/03/fossasia-2017-selinux-introduction/ -- Jason ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
[PATCH 1/3] policycoreutils/setfiles: stdout messages don't need program prefix
I suggested that if you run a command for its informational output (by passing `-v`), you don't expect it to be prefixed with the program name. Prefixing is used for error messages, so you can tell where your shell script blew up :). If a script is running a command for its informational output, it's usually the script's responsibility to make sure it's in context, e.g. providing headers if there are multiple sections of output. Removing the program name from setfiles/restorecon output is particularly useful because it generates very long lines. But also, it actually helps highlight where there are error messages - the prefix will make them stand out visually. Signed-off-by: Alan Jenkins--- policycoreutils/setfiles/setfiles.c | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c index 6f69c90..83e0b2a 100644 --- a/policycoreutils/setfiles/setfiles.c +++ b/policycoreutils/setfiles/setfiles.c @@ -142,9 +142,15 @@ static int __attribute__ ((format(printf, 2, 3))) log_callback(int type, const char *fmt, ...) { int rc; - FILE *out = (type == SELINUX_INFO) ? stdout : stderr; + FILE *out; va_list ap; - fprintf(out, "%s: ", r_opts.progname); + + if (type == SELINUX_INFO) { + out = stdout; + } else { + out = stderr; + fprintf(out, "%s: ", r_opts.progname); + } va_start(ap, fmt); rc = vfprintf(out, fmt, ap); va_end(ap); -- 2.9.3
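Review bot: in `log_callback`, every `SELINUX_INFO` line on stdout loses its `progname: ` prefix, which is a user-visible format change for anything that matches on the verbose output of setfiles/restorecon; the commit message explains the motivation but should say explicitly that the stdout format changes, so packagers can flag it. As a smaller style point, `out` could keep the original ternary initialiser and only the prefix be made conditional (`if (type != SELINUX_INFO) fprintf(out, "%s: ", r_opts.progname);`), which keeps the hunk to two changed lines and leaves `out` initialised at its declaration.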
[PATCH 2/3] policycoreutils/setfiles: don't scramble stdout and stderr together
https://bugzilla.redhat.com/show_bug.cgi?id=1435894 When output to a non-tty (as caused by the implementation of fixfiles), stdout is fully buffered. stdout should be flushed before writes to stderr. See e.g. https://news.ycombinator.com/item?id=1271015 Signed-off-by: Alan Jenkins--- policycoreutils/setfiles/setfiles.c | 1 + 1 file changed, 1 insertion(+) diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c index 83e0b2a..bc83c27 100644 --- a/policycoreutils/setfiles/setfiles.c +++ b/policycoreutils/setfiles/setfiles.c @@ -149,6 +149,7 @@ log_callback(int type, const char *fmt, ...) out = stdout; } else { out = stderr; + fflush(stdout); fprintf(out, "%s: ", r_opts.progname); } va_start(ap, fmt); -- 2.9.3
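Review bot: the added `fflush(stdout);` in the `else` branch of `log_callback` has no comment, and without the commit message it looks redundant and is easy to drop in a later cleanup. A one-line comment above it saying that stdout is fully buffered when it is not a tty and must be flushed so that messages keep their order when both streams end up in the same file would record the reason in the code. The return value of `fflush` is also ignored here; that is acceptable for a logging path, but it is worth a conscious decision since a failed flush means the informational lines are lost silently.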
[PATCH 3/3] policycoreutils: fixfiles: remove useless use of cat
Don't force output through a pipe - let them access the TTY. When run interactively, this acts as a workaround for "Output of fixfiles gets garbled?" https://bugzilla.redhat.com/show_bug.cgi?id=1435894 E.g. it would also be useful if restorecon ever decides it doesn't want to output backspace characters on non-TTY outputs. Signed-off-by: Alan Jenkins--- policycoreutils/scripts/fixfiles | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles index 58a364f..bc74d69 100755 --- a/policycoreutils/scripts/fixfiles +++ b/policycoreutils/scripts/fixfiles @@ -243,17 +243,17 @@ FC=$TEMPFCFILE fi if [ ! -z "$RPMFILES" ]; then for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do - rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R -i -f - 2>&1 | cat >> $LOGFILE + rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R -i -f - >>$LOGFILE 2>&1 done exit $? fi if [ ! -z "$FILEPATH" ]; then -${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* -- "$FILEPATH" 2>&1 | cat >> $LOGFILE +${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* -- "$FILEPATH" >>$LOGFILE 2>&1 return fi if [ -n "${FILESYSTEMSRW}" ]; then echo "${OPTION}ing `echo ${FILESYSTEMSRW}`" -${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE +${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} >>$LOGFILE 2>&1 else echo >&2 "fixfiles: No suitable file systems found" fi -- 2.9.3
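Review bot: dropping `| cat` changes the exit status seen by the `exit $?` after the RPMFILES loop and by the bare `return` after the FILEPATH branch. Previously, unless `pipefail` is set, both saw the status of `cat`; now they see the status of `${RESTORECON}`, so fixfiles can start exiting non-zero where it used to report success. That is probably the better behaviour, but it is a functional change the commit message does not mention, and callers that test the result of fixfiles should be considered. Since this series is about quoting, the redirection target would also be safer as `>>"$LOGFILE"` in all three changed lines.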
[PATCH 2/2] policycoreutils: fixfiles: handle unexpected spaces in command
I accidentally ran `fixfiles "a b"` during testing. Let's fix this too. Before: /sbin/fixfiles: line 394: [: a: binary operator expected Usage: ... After: Usage: ... Signed-off-by: Alan Jenkins--- policycoreutils/scripts/fixfiles | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles index d3a53ba..58a364f 100755 --- a/policycoreutils/scripts/fixfiles +++ b/policycoreutils/scripts/fixfiles @@ -378,8 +378,8 @@ done shift $(( OPTIND - 1 )) # Check for the command -command=$1 -if [ -z $command ]; then +command="$1" +if [ -z "$command" ]; then usage fi @@ -391,17 +391,17 @@ shift # if [ ! -z "$RPMFILES" ]; then -process $command +process "$command" if [ $# -gt 0 ]; then usage fi else if [ -z "$1" ]; then - process $command + process "$command" else while [ -n "$1" ]; do FILEPATH="$1" - process $command + process "$command" shift done fi -- 2.9.3
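Review bot: the loop in the second hunk still uses `while [ -n "$1" ]` to walk the path arguments, so it stops at the first empty argument and silently ignores every path after it (for example when a caller passes an unset variable expanded inside quotes). Testing `[ $# -gt 0 ]` instead, as the RPMFILES branch just above already does, would process or reject every argument. The same applies to the preceding `if [ -z "$1" ]`, which treats an explicit empty first path the same as no path at all and goes on to run `process "$command"` without FILEPATH set in this branch.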
[PATCH 1/2] policycoreutils: fixfiles should handle path arguments more robustly
E.g. `fixfiles restore -v /usr` - before: Warning: Skipping the following R/O filesystems: /sys/fs/cgroup Progress and Verbose mutually exclusive usage: /sbin/restorecon [-iFnprRv0] [-e excludedir] pathname... usage: /sbin/restorecon [-iFnprRv0] [-e excludedir] -f filename Warning: Skipping the following R/O filesystems: /sys/fs/cgroup 229k after: Warning: Skipping the following R/O filesystems: /sys/fs/cgroup /sbin/restorecon: lstat(-v) failed: No such file or directory Warning: Skipping the following R/O filesystems: /sys/fs/cgroup 229k This matches the usage shown in the manual page. While we're in there, we should handle spaces as well e.g `fixfiles restore "a b"`. Before: Warning: Skipping the following R/O filesystems: /sys/fs/cgroup /sbin/restorecon: lstat(b) failed: No such file or directory After: Warning: Skipping the following R/O filesystems: /sys/fs/cgroup /sbin/restorecon: lstat(a b) failed: No such file or directory Signed-off-by: Alan Jenkins--- policycoreutils/scripts/fixfiles | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles index 3896d19..d3a53ba 100755 --- a/policycoreutils/scripts/fixfiles +++ b/policycoreutils/scripts/fixfiles @@ -248,7 +248,7 @@ if [ ! -z "$RPMFILES" ]; then exit $? fi if [ ! -z "$FILEPATH" ]; then -${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* $FILEPATH 2>&1 | cat >> $LOGFILE +${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* -- "$FILEPATH" 2>&1 | cat >> $LOGFILE return fi if [ -n "${FILESYSTEMSRW}" ]; then @@ -400,7 +400,7 @@ else process $command else while [ -n "$1" ]; do - FILEPATH=$1 + FILEPATH="$1" process $command shift done -- 2.9.3
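Review bot: in the first hunk, `-- "$FILEPATH"` protects the path, but `$*` immediately before the `--` is still unquoted, so anything it expands to remains subject to word splitting and globbing and is still parsed by restorecon as options. If those are meant to be passed through unchanged, `"$@"` is the form that preserves them; `$exclude_dirs` and `$LOGFILE` on the same line have the same exposure and should at least be noted as deliberately unquoted if splitting is intended.

Review bot: the second hunk's change from `FILEPATH=$1` to `FILEPATH="$1"` has no functional effect, because a plain variable assignment does not undergo field splitting or pathname expansion. It is fine to keep for consistency, but the commit message should make clear that the spaces fix comes from quoting `"$FILEPATH"` at the point of use in the first hunk, so a later reader does not assume the assignment was the bug.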