On Tue, 2008-10-14 at 12:07 -0500, Luke Kanies wrote:
> On Oct 14, 2008, at 9:26 AM, Sean E. Millichamp wrote:
> 
> > -        Puppet.debug "Running chcon #{flag} #{value} #{file}"
> > -        retval = system("chcon #{flag} #{value} #{file}")
> > +        Puppet.debug "Running chcon -h #{flag} #{value} #{file}"
> > +        retval = system("chcon -h #{flag} #{value} #{file}")
> 
> I know I should have mentioned this ages ago, but in general I prefer  
> fully-qualified binaries when possible.  I know this is meant to run  
> as root anyway, but path attacks are still out there.

FWIW, I prefer fully-qualified binaries too.  I just kept them
unqualified since that was the way the original patch had them.  Fixed
now.  I also adjusted it to use Puppet's execute() function to make it
more Puppet-like.

Additive patch on the previous patch:

---
 lib/puppet/util/selinux.rb |   10 ++--------
 spec/unit/util/selinux.rb  |   16 ++++++++--------
 2 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/lib/puppet/util/selinux.rb b/lib/puppet/util/selinux.rb
index d91a694..0a4af3c 100644
--- a/lib/puppet/util/selinux.rb
+++ b/lib/puppet/util/selinux.rb
@@ -20,7 +20,7 @@ module Puppet::Util::SELinux
         end
         context = ""
         begin
-            execpipe("stat -c %C #{file}") do |out|
+            execpipe("/usr/bin/stat -c %C #{file}") do |out|
                 out.each do |line|
                     context << line
                 end
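Review bot: `execpipe("/usr/bin/stat -c %C #{file}")` still interpolates the file name into a shell command line, so a path containing whitespace or shell metacharacters is split or interpreted by the shell instead of being passed to stat as one argument; the absolute binary path removes the PATH-lookup concern raised in the thread but not this one. If execpipe only accepts a string here, the path should be shell-quoted before interpolation; if an argv form is available it would match the array form the chcon hunk now uses. get_selinux_current_context begins before this hunk and its begin/rescue continues after it.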
@@ -106,13 +106,7 @@ module Puppet::Util::SELinux
                 flag = ""
         end
 
-        Puppet.debug "Running chcon -h #{flag} #{value} #{file}"
-        retval = system("chcon -h #{flag} #{value} #{file}")
-        unless retval
-            error = Puppet::Error.new("failed to chcon %s" % [EMAIL 
PROTECTED]:path]])
-            raise error
-            return false
-        end
+        execute(["/usr/bin/chcon","-h",flag,value,file])
         return true
     end
 
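Review bot: `execute(["/usr/bin/chcon","-h",flag,value,file])` passes an empty string as its own argument whenever the `flag = ""` branch above ran, so chcon would parse `""` as the CONTEXT operand and treat the real context and the file as file operands; the old string form only worked because shell word splitting dropped the empty word. Build the argument list conditionally: `cmd = ["/usr/bin/chcon", "-h"]` / `cmd << flag unless flag.empty?` / `execute(cmd + [value, file])`. The spec hunk for set_selinux_context (L87-L135) encodes the same empty element in its first expectation (`"-h",""`) and would change with it. The removed `unless retval` branch checked the exit status explicitly; the new line presumably relies on execute raising Puppet::ExecutionFailure on a non-zero exit, which is worth confirming, since otherwise a failed chcon now returns true. set_selinux_context begins outside the hunk.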
diff --git a/spec/unit/util/selinux.rb b/spec/unit/util/selinux.rb
index 2d54d0a..515c3a2 100644
--- a/spec/unit/util/selinux.rb
+++ b/spec/unit/util/selinux.rb
@@ -27,19 +27,19 @@ describe Puppet::Util::SELinux do
 
         it "should return a context" do
             self.expects(:selinux_support?).returns true
-            self.expects(:execpipe).with("stat -c %C /foo").yields 
["user_u:role_r:type_t:s0\n"]
+            self.expects(:execpipe).with("/usr/bin/stat -c %C /foo").yields 
["user_u:role_r:type_t:s0\n"]
             get_selinux_current_context("/foo").should == 
"user_u:role_r:type_t:s0"
         end
 
         it "should return nil if an exception is raised calling stat" do
             self.expects(:selinux_support?).returns true
-            self.expects(:execpipe).with("stat -c %C 
/foo").raises(Puppet::ExecutionFailure, 'error')
+            self.expects(:execpipe).with("/usr/bin/stat -c %C 
/foo").raises(Puppet::ExecutionFailure, 'error')
             get_selinux_current_context("/foo").should be_nil
         end
 
         it "should return nil if stat finds an unlabeled file" do
             self.expects(:selinux_support?).returns true
-            self.expects(:execpipe).with("stat -c %C /foo").yields ["(null)\n"]
+            self.expects(:execpipe).with("/usr/bin/stat -c %C /foo").yields 
["(null)\n"]
             get_selinux_current_context("/foo").should be_nil
         end
     end
@@ -117,31 +117,31 @@ describe Puppet::Util::SELinux do
 
         it "should use chcon to set a context" do
             self.expects(:selinux_support?).returns true
-            self.expects(:system).with("chcon -h  user_u:role_r:type_t:s0 
/foo").returns 0
+            
self.expects(:execute).with(["/usr/bin/chcon","-h","","user_u:role_r:type_t:s0","/foo"]).returns
 0
             set_selinux_context("/foo", "user_u:role_r:type_t:s0").should 
be_true
         end
 
         it "should use chcon to set user_u user context" do
             self.expects(:selinux_support?).returns true
-            self.expects(:system).with("chcon -h -u user_u /foo").returns 0
+            
self.expects(:execute).with(["/usr/bin/chcon","-h","-u","user_u","/foo"]).returns
 0
             set_selinux_context("/foo", "user_u", :seluser).should be_true
         end
 
         it "should use chcon to set role_r role context" do
             self.expects(:selinux_support?).returns true
-            self.expects(:system).with("chcon -h -r role_r /foo").returns 0
+            
self.expects(:execute).with(["/usr/bin/chcon","-h","-r","role_r","/foo"]).returns
 0
             set_selinux_context("/foo", "role_r", :selrole).should be_true
         end
 
         it "should use chcon to set type_t type context" do
             self.expects(:selinux_support?).returns true
-            self.expects(:system).with("chcon -h -t type_t /foo").returns 0
+            
self.expects(:execute).with(["/usr/bin/chcon","-h","-t","type_t","/foo"]).returns
 0
             set_selinux_context("/foo", "type_t", :seltype).should be_true
         end
 
         it "should use chcon to set s0:c3,c5 range context" do
             self.expects(:selinux_support?).returns true
-            self.expects(:system).with("chcon -h -l s0:c3,c5 /foo").returns 0
+            
self.expects(:execute).with(["/usr/bin/chcon","-h","-l","s0:c3,c5","/foo"]).returns
 0
             set_selinux_context("/foo", "s0:c3,c5", :selrange).should be_true
         end
     end
-- 
1.5.5.1



