Re: [PATCH 1/2] find: add SELinux support
So, the attached two patches are a version of Kamil's patch rebased against current 'master'. I propose to apply them to 4.5.x soon, unless there is a problem (e.g. something missing or a build failure on some less common system, etc.). Feedback appreciated. James. From 856b432316ea8215bf04906b27a49714bbb98e38 Mon Sep 17 00:00:00 2001 From: Kamil Dudka kdu...@redhat.com Date: Tue, 11 Aug 2009 16:47:29 +0200 Subject: [PATCH] find: add SELinux support To: findutils-patc...@gnu.org * find/defs.h: Add SELinux related definitions. * find/tree.c: Add -context predicate to lookup. * find/pred.c: Handle %Z printf directive. * find/parser.c: Parse -context predicate and %Z printf directive. * find/find.1: Mention -context predicate and %Z printf directive. * doc/find.texi: Mention -context predicate and %Z printf directive. * find/Makefile.am: Add SELinux libraries. * import-gnulib.config: Require module selinux-at and the corresponding version of gnulib. Signed-off-by: Kamil Dudka kdu...@redhat.com --- ChangeLog| 13 + NEWS |4 ++ doc/find.texi| 17 +++ find/Makefile.am |2 +- find/defs.h |6 ++ find/find.1 |4 ++ find/parser.c| 125 - find/pred.c | 40 find/tree.c |2 + import-gnulib.config |1 + 10 files changed, 210 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 950f0a4..fc87147 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,16 @@ +2009-08-11 Kamil Dudka kdu...@redhat.com + + find: add SELinux support + * find/defs.h: Add SELinux related definitions. + * find/tree.c: Add -context predicate to lookup. + * find/pred.c: Handle %Z printf directive. + * find/parser.c: Parse -context predicate and %Z printf directive. + * find/find.1: Mention -context predicate and %Z printf directive. + * doc/find.texi: Mention -context predicate and %Z printf directive. + * find/Makefile.am: Add SELinux libraries. + * import-gnulib.config: Require module selinux-at and the corresponding + version of gnulib. + 2009-08-15 James Youngman j...@gnu.org * import-gnulib.config (gnulib_version): Update to the current diff --git a/NEWS b/NEWS index 314022b..194ae33 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,10 @@ GNU findutils NEWS - User visible changes. -*- outline -*- (allout) * Major changes in release 4.5.6-git, -MM-DD +** Functional Enhancements to find + +patch #4848: Patch - Support for SELinux + ** Bug Fixes #27017: find -D opt / -fstype ext3 -print , -quit coredumps. diff --git a/doc/find.texi b/doc/find.texi index 24ee8a8..1d6603e 100644 --- a/doc/find.texi +++ b/doc/find.texi @@ -1256,6 +1256,14 @@ situation. @end deffn +...@deffn Test -context pattern +True if file's SELinux context matches the pattern @var{pattern}. +The pattern uses shell glob matching. + +This predicate is supported only on @code{find} versions compiled with +SELinux support and only when SELinux is enabled. +...@end deffn + @node Contents @section Contents @@ -1747,6 +1755,7 @@ from the novel you are reading. * Size Directives:: * Location Directives:: * Time Directives:: +* Other Directives:: * Formatting Flags:: @end menu 
@@ -1904,6 +1913,14 @@ File's last modification time in the format specified by @var{k} (@pxref{Time Formats}). @end table +...@node Other Directives +...@subsubsection Other Directives + +...@table @code +...@item %Z +File's SELinux context, or empty string if the file has no SELinux context. +...@end table + @node Time Formats @subsection Time Formats diff --git a/find/Makefile.am b/find/Makefile.am index 91dba85..c0a4164 100644 --- a/find/Makefile.am +++ b/find/Makefile.am @@ -27,7 +27,7 @@ endif EXTRA_DIST = defs.h sharefile.h $(man_MANS) INCLUDES = -I../gnulib/lib -I$(top_srcdir)/lib -I$(top_srcdir)/gnulib/lib -I../intl -DLOCALEDIR=\$(localedir)\ -LDADD = ./libfindtools.a ../lib/libfind.a ../gnulib/lib/libgnulib.a $(LIBINTL) $(LIB_CLOCK_GETTIME) $(LIB_CLOSE) @FINDLIBS@ +LDADD = ./libfindtools.a ../lib/libfind.a ../gnulib/lib/libgnulib.a $(LIBINTL) $(LIB_CLOCK_GETTIME) $(LIB_CLOSE) @FINDLIBS@ @LIB_SELINUX@ man_MANS = find.1 SUBDIRS = . testsuite diff --git a/find/defs.h b/find/defs.h index 155927f..481c013 100644 --- a/find/defs.h +++ b/find/defs.h @@ -48,6 +48,7 @@ Please stop compiling the program now #include stdbool.h /* for bool/boolean */ #include stdint.h /* for uintmax_t */ #include sys/stat.h /* S_ISUID etc. */ +#include selinux/selinux.h @@ -319,6 +320,7 @@ struct predicate struct samefile_file_id samefileid; /* samefile */ mode_t type; /* type */ struct format_val printf_vec; /* printf fprintf fprint ls fls print0 fprint0 print */ +security_context_t scontext; /* security context */ } args; /* The next predicate in the user input sequence, @@ -463,6 +465,7 @@ PREDICATEFUNCTION pred_used; PREDICATEFUNCTION
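Review bot: in the ChangeLog hunk the new 2009-08-11 entry is inserted above the existing 2009-08-15 entry, but ChangeLog is kept newest first; move the entry below James Youngman's 2009-08-15 one, or date it by the day it is actually applied.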
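Review bot: the NEWS hunk's "patch #4848: Patch - Support for SELinux" tells a user nothing about what changed; NEWS records user-visible changes, so name the additions, e.g. "New -context predicate and %Z printf directive (SELinux security context), patch #4848".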
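Review bot: the Makefile.am hunk appends @LIB_SELINUX@ to LDADD, but the diffstat lists no configure.ac change; unless the gnulib module required in import-gnulib.config is what performs the AC_SUBST of LIB_SELINUX, the literal @LIB_SELINUX@ survives into the generated Makefile and breaks the link, so please confirm where it is substituted.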
Re: [PATCH 1/2] find: add SELinux support
On Thu August 6 2009 18:15:28 Jim Meyering wrote: Kamil Dudka wrote: Thanks for the quick response. An incremental patch is attached for review. I'll merge it with the original patch if the change is ok. I glanced through quickly, and didn't see anything fishy. Thanks for the review! I am attaching the merged patch. Note that the James' patch [1] is not included and should be applied on top of this one. Kamil [1] http://lists.gnu.org/archive/html/bug-findutils/2009-07/msg00041.html From 0aaef3e5d4e72fb6944343f3611d6947a8fb42b6 Mon Sep 17 00:00:00 2001 From: Kamil Dudka kdu...@redhat.com Date: Tue, 11 Aug 2009 16:47:29 +0200 Subject: [PATCH] find: add SELinux support * find/defs.h: Add SELinux related definitions. * find/tree.c: Add -context predicate to lookup. * find/pred.c: Handle %Z printf directive. * find/parser.c: Parse -context predicate and %Z printf directive. * find/find.1: Mention -context predicate and %Z printf directive. * doc/find.texi: Mention -context predicate and %Z printf directive. * find/Makefile.am: Add SELinux libraries. * import-gnulib.config: Require module selinux-at and the corresponding version of gnulib. Signed-off-by: Kamil Dudka kdu...@redhat.com --- ChangeLog| 13 + NEWS |4 ++ doc/find.texi| 17 +++ find/Makefile.am |2 +- find/defs.h |6 ++ find/find.1 |4 ++ find/parser.c| 125 - find/pred.c | 40 find/tree.c |2 + import-gnulib.config |3 +- 10 files changed, 211 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9c3290a..b4b956e 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,16 @@ +2009-08-11 Kamil Dudka kdu...@redhat.com + + find: add SELinux support + * find/defs.h: Add SELinux related definitions. + * find/tree.c: Add -context predicate to lookup. + * find/pred.c: Handle %Z printf directive. + * find/parser.c: Parse -context predicate and %Z printf directive. + * find/find.1: Mention -context predicate and %Z printf directive. + * doc/find.texi: Mention -context predicate and %Z printf directive. + * find/Makefile.am: Add SELinux libraries. + * import-gnulib.config: Require module selinux-at and the corresponding + version of gnulib. + 2009-07-18 James Youngman j...@gnu.org Fix up some problems introduced in a manual conflict resolution. diff --git a/NEWS b/NEWS index 314022b..194ae33 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,10 @@ GNU findutils NEWS - User visible changes. -*- outline -*- (allout) * Major changes in release 4.5.6-git, -MM-DD +** Functional Enhancements to find + +patch #4848: Patch - Support for SELinux + ** Bug Fixes #27017: find -D opt / -fstype ext3 -print , -quit coredumps. diff --git a/doc/find.texi b/doc/find.texi index 24ee8a8..1d6603e 100644 --- a/doc/find.texi +++ b/doc/find.texi @@ -1256,6 +1256,14 @@ situation. @end deffn +...@deffn Test -context pattern +True if file's SELinux context matches the pattern @var{pattern}. +The pattern uses shell glob matching. + +This predicate is supported only on @code{find} versions compiled with +SELinux support and only when SELinux is enabled. +...@end deffn + @node Contents @section Contents @@ -1747,6 +1755,7 @@ from the novel you are reading. * Size Directives:: * Location Directives:: * Time Directives:: +* Other Directives:: * Formatting Flags:: @end menu 
@@ -1904,6 +1913,14 @@ File's last modification time in the format specified by @var{k} (@pxref{Time Formats}). @end table +...@node Other Directives +...@subsubsection Other Directives + +...@table @code +...@item %Z +File's SELinux context, or empty string if the file has no SELinux context. +...@end table + @node Time Formats @subsection Time Formats diff --git a/find/Makefile.am b/find/Makefile.am index 91dba85..c0a4164 100644 --- a/find/Makefile.am +++ b/find/Makefile.am @@ -27,7 +27,7 @@ endif EXTRA_DIST = defs.h sharefile.h $(man_MANS) INCLUDES = -I../gnulib/lib -I$(top_srcdir)/lib -I$(top_srcdir)/gnulib/lib -I../intl -DLOCALEDIR=\$(localedir)\ -LDADD = ./libfindtools.a ../lib/libfind.a ../gnulib/lib/libgnulib.a $(LIBINTL) $(LIB_CLOCK_GETTIME) $(LIB_CLOSE) @FINDLIBS@ +LDADD = ./libfindtools.a ../lib/libfind.a ../gnulib/lib/libgnulib.a $(LIBINTL) $(LIB_CLOCK_GETTIME) $(LIB_CLOSE) @FINDLIBS@ @LIB_SELINUX@ man_MANS = find.1 SUBDIRS = . testsuite diff --git a/find/defs.h b/find/defs.h index 155927f..481c013 100644 --- a/find/defs.h +++ b/find/defs.h @@ -48,6 +48,7 @@ Please stop compiling the program now #include stdbool.h /* for bool/boolean */ #include stdint.h /* for uintmax_t */ #include sys/stat.h /* S_ISUID etc. */ +#include selinux/selinux.h @@ -319,6 +320,7 @@ struct predicate struct samefile_file_id samefileid; /* samefile */ mode_t type; /* type */ struct format_val printf_vec; /* printf fprintf fprint ls fls print0 fprint0 print
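Review bot: the defs.h hunk includes selinux/selinux.h and adds the security_context_t member of the predicate argument union unconditionally, so find can no longer be configured on a host without that header, while the find.texi text says the feature exists only in versions compiled with SELinux support; either guard both behind the configure-time SELinux result, or state in the commit message that gnulib's selinux-h module is relied on to supply a stub header when libselinux is absent.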
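Review bot: the find.texi hunk says -context is supported "only when SELinux is enabled" but not what happens otherwise; the parse_context context lines in the later incremental patch show the predicate is rejected with "invalid predicate -context: SELinux is not enabled." and find exits with status 1, which differs from the test simply being false and should be documented. Also "True if file's SELinux context" reads better as "True if the file's SELinux context".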
Re: [PATCH 1/2] find: add SELinux support
On Thu August 6 2009 12:36:06 Kamil Dudka wrote:
> On Thu August 6 2009 12:16:58 Jim Meyering wrote:
> > Kamil Dudka wrote:
> > > On Thu July 30 2009 13:57:00 Jim Meyering wrote:
> > > > > The attached incremental patch fixes it. Now it works on both Fedora
> > > > > and Debian. But unfortunately it does not work with the stable version
> > > > > (4.4.2) of findutils. Could anybody point me to the relevant change in
> > > > > findutils code? Thanks in advance!
> > > >
> > > > With the FTS_CWDFD-adding change you spotted, I suspect that you should
> > > > be using an FD-based function, like getfileconat or lgetfileconat from
> > > > coreutils.
> > >
> > > It's probably always better to use a FD-based function when working with
> > > an opened file. However this is not the case I think. Only FD of the
> > > traversed directory is available when getfilecon() is called. If I want to
> > > use FD of an opened file, I need to open the file first. Then I am
> > > obviously encountering the same problem with relative paths.
> >
> > With FTS_CWDFD, the working directory does not change. Instead,
> > fts->fts_cwd_fd is what changes. You can use
> > getfileconat (fts->fts_cwd_fd, relative_name, context) to get the desired
> > context.
>
> Thanks for the explanation! But the module selinux-at does not seem to be in
> gnulib. How can I then use it within findutils? I guess it's not a good idea
> to copy the code to findutils repo...

I can see it's heavily based on modules openat and selinux-h which are
available in gnulib. Anyway what's the reason why the selinux-at module is not
included in gnulib? Would it be possible to move it from coreutils to gnulib?

Kamil
Re: [PATCH 1/2] find: add SELinux support
Kamil Dudka wrote:
> On Thu August 6 2009 12:16:58 Jim Meyering wrote:
> > Kamil Dudka wrote:
> > > On Thu July 30 2009 13:57:00 Jim Meyering wrote:
> > > > > The attached incremental patch fixes it. Now it works on both Fedora
> > > > > and Debian. But unfortunately it does not work with the stable version
> > > > > (4.4.2) of findutils. Could anybody point me to the relevant change in
> > > > > findutils code? Thanks in advance!
> > > >
> > > > With the FTS_CWDFD-adding change you spotted, I suspect that you should
> > > > be using an FD-based function, like getfileconat or lgetfileconat from
> > > > coreutils.
> > >
> > > It's probably always better to use a FD-based function when working with
> > > an opened file. However this is not the case I think. Only FD of the
> > > traversed directory is available when getfilecon() is called. If I want to
> > > use FD of an opened file, I need to open the file first. Then I am
> > > obviously encountering the same problem with relative paths.
> >
> > With FTS_CWDFD, the working directory does not change. Instead,
> > fts->fts_cwd_fd is what changes. You can use
> > getfileconat (fts->fts_cwd_fd, relative_name, context) to get the desired
> > context.
>
> Thanks for the explanation! But the module selinux-at does not seem to be in
> gnulib. How can I then use it within findutils? I guess it's not a good idea
> to copy the code to findutils repo...

I'll move them to gnulib.
Re: [PATCH 1/2] find: add SELinux support
On Thu August 6 2009 13:23:38 Jim Meyering wrote:
> Kamil Dudka wrote:
> > On Thu August 6 2009 12:16:58 Jim Meyering wrote:
> > > Kamil Dudka wrote:
> > > > On Thu July 30 2009 13:57:00 Jim Meyering wrote:
> > > > > > The attached incremental patch fixes it. Now it works on both
> > > > > > Fedora and Debian. But unfortunately it does not work with the
> > > > > > stable version (4.4.2) of findutils. Could anybody point me to the
> > > > > > relevant change in findutils code? Thanks in advance!
> > > > >
> > > > > With the FTS_CWDFD-adding change you spotted, I suspect that you
> > > > > should be using an FD-based function, like getfileconat or
> > > > > lgetfileconat from coreutils.
> > > >
> > > > It's probably always better to use a FD-based function when working
> > > > with an opened file. However this is not the case I think. Only FD of
> > > > the traversed directory is available when getfilecon() is called. If I
> > > > want to use FD of an opened file, I need to open the file first. Then I
> > > > am obviously encountering the same problem with relative paths.
> > >
> > > With FTS_CWDFD, the working directory does not change. Instead,
> > > fts->fts_cwd_fd is what changes. You can use
> > > getfileconat (fts->fts_cwd_fd, relative_name, context) to get the
> > > desired context.
> >
> > Thanks for the explanation! But the module selinux-at does not seem to be
> > in gnulib. How can I then use it within findutils? I guess it's not a good
> > idea to copy the code to findutils repo...
>
> I'll move them to gnulib.

Thanks! Just let me note there is no explicit dependency on the openat module
(namely lib/at-func.c). Is the dependency implied somehow?

Kamil
Re: [PATCH 1/2] find: add SELinux support
On Thursday 06 of August 2009 14:01:37 Jim Meyering wrote: ... I'll move them to gnulib. Thanks! Just let me note there is no explicit dependency on the openat module (namely lib/at-func.c). Is the dependency implied somehow? Good point. I'll add that module dependency. Thanks. I'll also do a stand-alone test, which should expose any other missing dependencies. Thanks for the quick response. An incremental patch is attached for review. I'll merge it with the original patch if the change is ok. Kamil diff --git a/find/defs.h b/find/defs.h index c834baa..481c013 100644 --- a/find/defs.h +++ b/find/defs.h @@ -613,7 +613,7 @@ struct options int regex_options; /* function used to get file context */ - int (*x_getfilecon) (); + int (*x_getfilecon) (int, const char *, security_context_t *); /* Optimisation level. One is the default. */ diff --git a/find/parser.c b/find/parser.c index c8b847f..330eb38 100644 --- a/find/parser.c +++ b/find/parser.c @@ -53,7 +53,7 @@ #include unistd.h #include sys/stat.h -#include selinux/selinux.h +#include selinux-at.h #if ENABLE_NLS # include libintl.h @@ -352,7 +352,8 @@ static const char *first_nonoption_arg = NULL; static const struct parser_table *noop = NULL; static int -fallback_getfilecon (const char *name, security_context_t *p, int prev_rv) +fallback_getfilecon (int fd, const char *name, security_context_t *p, + int prev_rv) { /* Our original getfilecon () call failed. Perhaps we can't follow a * symbolic link. If that might be the problem, lgetfilecon () the link. @@ -365,7 +366,7 @@ fallback_getfilecon (const char *name, security_context_t *p, int prev_rv) fprintf (stderr, fallback_getfilecon(): getfilecon(%s) failed; falling back on lgetfilecon()\n, name); #endif - return lgetfilecon (name, p); + return lgetfileconat (fd, name, p); case EACCES: case EIO: 
@@ -389,23 +390,23 @@ fallback_getfilecon (const char *name, security_context_t *p, int prev_rv) * If the item to be examined is not a command-line argument, we * examine the link itself. */ int -optionh_getfilecon (const char *name, security_context_t *p) +optionh_getfilecon (int fd, const char *name, security_context_t *p) { int rv; if (0 == state.curdepth) { /* This file is from the command line; dereference the link (if it is a link). */ - rv = getfilecon (name, p); + rv = getfileconat (fd, name, p); if (0 == rv) return 0; /* success */ else - return fallback_getfilecon (name, p, rv); + return fallback_getfilecon (fd, name, p, rv); } else { /* Not a file on the command line; do not dereference the link. */ - return lgetfilecon (name, p); + return lgetfileconat (fd, name, p); } } @@ -413,22 +414,22 @@ optionh_getfilecon (const char *name, security_context_t *p) * -L option is in effect. That option makes us examine the thing the * symbolic link points to, not the symbolic link itself. */ int -optionl_getfilecon (const char *name, security_context_t *p) +optionl_getfilecon (int fd, const char *name, security_context_t *p) { - int rv = getfilecon (name, p); + int rv = getfileconat (fd, name, p); if (0 == rv) return 0; /* normal case. */ else -return fallback_getfilecon (name, p, rv); +return fallback_getfilecon (fd, name, p, rv); } /* optionp_getfilecon () implements the stat operation when the -P * option is in effect (this is also the default). That option makes * us examine the symbolic link itself, not the thing it points to. */ int -optionp_getfilecon (const char *name, security_context_t *p) +optionp_getfilecon (int fd, const char *name, security_context_t *p) { - return lgetfilecon (name, p); + return lgetfileconat (fd, name, p); } void 
@@ -2706,7 +2707,7 @@ parse_context (const struct parser_table* entry, char **argv, int *arg_ptr) error (1, 0, _(invalid predicate -context: SELinux is not enabled.)); return false; } - our_pred = insert_primary (entry); + our_pred = insert_primary (entry, NULL); our_pred-est_success_rate = 0.01f; our_pred-need_stat = false; #ifdef DEBUG diff --git a/find/pred.c b/find/pred.c index 77c2aac..5c47290 100644 --- a/find/pred.c +++ b/find/pred.c @@ -1061,7 +1061,8 @@ do_fprintf(struct format_val *dest, case 'Z': /* SELinux security context */ { security_context_t scontext; - int rv = (*options.x_getfilecon) (state.rel_pathname, scontext); + int rv = (*options.x_getfilecon) (state.cwd_dir_fd, state.rel_pathname, + scontext); if (rv 0) { /* If getfilecon fails, there will in the general case @@ -1899,7 +1900,8 @@ pred_context (const char *pathname, struct stat *stat_buf, struct predicate *pred_ptr) { security_context_t scontext; - int rv = (*options.x_getfilecon) (state.rel_pathname, scontext); + int rv =
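Review bot: in the fallback_getfilecon hunk the DEBUG message still reads "getfilecon(%s) failed; falling back on lgetfilecon()" although the calls are now getfileconat()/lgetfileconat() and the name is relative to the directory fd; update the text (and print the fd alongside the name) so the debug output matches what is executed.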
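Review bot: the parse_context hunk changes insert_primary (entry) to insert_primary (entry, NULL), which has nothing to do with the fd-relative conversion this incremental patch is about and is not mentioned in the mail; either split it out or note in the commit message that it is a rebase fix for a changed insert_primary signature.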
Re: [PATCH 1/2] find: add SELinux support
Kamil Dudka wrote:
> On Thu August 6 2009 12:36:06 Kamil Dudka wrote:
> > On Thu August 6 2009 12:16:58 Jim Meyering wrote:
> > > Kamil Dudka wrote:
> > > > On Thu July 30 2009 13:57:00 Jim Meyering wrote:
> > > > > > The attached incremental patch fixes it. Now it works on both
> > > > > > Fedora and Debian. But unfortunately it does not work with the
> > > > > > stable version (4.4.2) of findutils. Could anybody point me to the
> > > > > > relevant change in findutils code? Thanks in advance!
> > > > >
> > > > > With the FTS_CWDFD-adding change you spotted, I suspect that you
> > > > > should be using an FD-based function, like getfileconat or
> > > > > lgetfileconat from coreutils.
> > > >
> > > > It's probably always better to use a FD-based function when working
> > > > with an opened file. However this is not the case I think. Only FD of
> > > > the traversed directory is available when getfilecon() is called. If I
> > > > want to use FD of an opened file, I need to open the file first. Then I
> > > > am obviously encountering the same problem with relative paths.
> > >
> > > With FTS_CWDFD, the working directory does not change. Instead,
> > > fts->fts_cwd_fd is what changes. You can use
> > > getfileconat (fts->fts_cwd_fd, relative_name, context) to get the
> > > desired context.
> >
> > Thanks for the explanation! But the module selinux-at does not seem to be
> > in gnulib. How can I then use it within findutils? I guess it's not a good
> > idea to copy the code to findutils repo...
>
> I can see it's heavily based on modules openat and selinux-h which are
> available in gnulib. Anyway what's the reason why the selinux-at module is
> not included in gnulib? Would it be possible to move it from coreutils to
> gnulib?

Before now, afaik, coreutils was the only package using selinux-at.
Re: [PATCH 1/2] find: add SELinux support
Kamil Dudka wrote: On Tue July 14 2009 21:31:22 Eric Blake wrote: Kamil Dudka kdudka at redhat.com writes: In other words on Debian find does not change the working directory before calling lgetxattr syscall. That's why lgetxattr does not see the file and returns ENOENT (No such file or directory). One thing to look at would be kernel versions; not all kernels support openat and friends, so on older kernels, the fts traversal algorithms have to fake openat by using chdir, but on newer kernels, there are no chdir. Meanwhile, it may be worth begging the kernel and glibc folks to consider implementing lgetxattrat and friends. Sorry for confusion. My previous testing was completely wrong because I ran older version of findutils on Fedora. With the current git version it fails on Fedora, too. It means something has been changed within findutils and/or gnulib in the meantime. The attached incremental patch fixes it. Now it works on both Fedora and Debian. But unfortunately it does not work with the stable version (4.4.2) of findutils. Could anybody point me to the relevant change in findutils code? Thanks in advance! With the FTS_CWDFD-adding change you spotted, I suspect that you should be using an FD-based function, like getfileconat or lgetfileconat from coreutils. diff --git a/find/pred.c b/find/pred.c index 77c2aac..ffc239b 100644 --- a/find/pred.c +++ b/find/pred.c @@ -1061,7 +1061,7 @@ do_fprintf(struct format_val *dest, case 'Z': /* SELinux security context */ { security_context_t scontext; - int rv = (*options.x_getfilecon) (state.rel_pathname, scontext); + int rv = (*options.x_getfilecon) (pathname, scontext); if (rv 0) { /* If getfilecon fails, there will in the general case 
@@ -1899,7 +1899,7 @@ pred_context (const char *pathname, struct stat *stat_buf, struct predicate *pred_ptr) { security_context_t scontext; - int rv = (*options.x_getfilecon) (state.rel_pathname, scontext); + int rv = (*options.x_getfilecon) (pathname, scontext); if (rv 0) { error (0, errno, getfilecon: %s, safely_quote_err_filename (0, pathname));
Re: [PATCH 1/2] find: add SELinux support
On Tue July 14 2009 21:31:22 Eric Blake wrote: Kamil Dudka kdudka at redhat.com writes: In other words on Debian find does not change the working directory before calling lgetxattr syscall. That's why lgetxattr does not see the file and returns ENOENT (No such file or directory). One thing to look at would be kernel versions; not all kernels support openat and friends, so on older kernels, the fts traversal algorithms have to fake openat by using chdir, but on newer kernels, there are no chdir. Meanwhile, it may be worth begging the kernel and glibc folks to consider implementing lgetxattrat and friends. Sorry for confusion. My previous testing was completely wrong because I ran older version of findutils on Fedora. With the current git version it fails on Fedora, too. It means something has been changed within findutils and/or gnulib in the meantime. The attached incremental patch fixes it. Now it works on both Fedora and Debian. But unfortunately it does not work with the stable version (4.4.2) of findutils. Could anybody point me to the relevant change in findutils code? Thanks in advance! Kamil diff --git a/find/pred.c b/find/pred.c index 77c2aac..ffc239b 100644 --- a/find/pred.c +++ b/find/pred.c @@ -1061,7 +1061,7 @@ do_fprintf(struct format_val *dest, case 'Z': /* SELinux security context */ { security_context_t scontext; - int rv = (*options.x_getfilecon) (state.rel_pathname, scontext); + int rv = (*options.x_getfilecon) (pathname, scontext); if (rv 0) { /* If getfilecon fails, there will in the general case @@ -1899,7 +1899,7 @@ pred_context (const char *pathname, struct stat *stat_buf, struct predicate *pred_ptr) { security_context_t scontext; - int rv = (*options.x_getfilecon) (state.rel_pathname, scontext); + int rv = (*options.x_getfilecon) (pathname, scontext); if (rv 0) { error (0, errno, getfilecon: %s, safely_quote_err_filename (0, pathname));
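Review bot: the two pred.c hunks swap state.rel_pathname for pathname, which only works because the FTS_CWDFD traversal no longer changes the process working directory, and it gives up what fd-relative access buys (the assembled path can exceed PATH_MAX on deep trees, and an ancestor directory renamed between traversal and lookup makes the full path resolve to a different object); call an fd-based lookup such as getfileconat/lgetfileconat with the traversal's current directory fd and keep the relative name instead.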
Re: [PATCH 1/2] find: add SELinux support
On Mon July 20 2009 13:33:23 Kamil Dudka wrote:
> Sorry for the confusion. My previous testing was completely wrong because I
> ran an older version of findutils on Fedora. With the current git version it
> fails on Fedora, too. It means something has been changed within findutils
> and/or gnulib in the meantime.
>
> The attached incremental patch fixes it. Now it works on both Fedora and
> Debian. But unfortunately it does not work with the stable version (4.4.2)
> of findutils. Could anybody point me to the relevant change in findutils
> code? Thanks in advance!

This seems to be the relevant change:

http://git.savannah.gnu.org/gitweb/?p=findutils.git;a=commitdiff;h=214320ca225da9c3f85c35fddd59c07045d6a6ff

Kamil
Re: [PATCH 1/2] find: add SELinux support
Hello,

On Mon July 13 2009 17:48:15 Kamil Dudka wrote:
> As time permits I will keep on trying to zero in on this.

Attached are strace outputs from Fedora and Debian. I can see one suspicious
place in that - this is the first main difference between Fedora and Debian:

Fedora strace:
open("m4", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 5
fcntl(5, F_GETFD) = 0x1 (flags FD_CLOEXEC)
fchdir(5) = 0
getdents(5, /* 14 entries */, 32768) = 456
getdents(5, /* 0 entries */, 32768) = 0
close(5) = 0

Debian strace:
open("m4", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 5
fcntl(5, F_GETFD) = 0x1 (flags FD_CLOEXEC)
fchdir(5) = 0
getdents(5, /* 14 entries */, 32768) = 456
getdents(5, /* 0 entries */, 32768) = 0
close(5) = 0

In other words on Debian find does not change the working directory before
calling the lgetxattr syscall. That's why lgetxattr does not see the file and
returns ENOENT (No such file or directory).

Does anybody here guess what's going on? (before I investigate it further)

Kamil
Re: [PATCH 1/2] find: add SELinux support
On Tue July 14 2009 14:02:36 Kamil Dudka wrote:
> Attached are strace outputs from Fedora and Debian. I can see one suspicious
> place in that - this is the first main difference between Fedora and Debian:

Oops, once again:

Fedora strace:
open("m4", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 5
fcntl(5, F_GETFD) = 0x1 (flags FD_CLOEXEC)
fchdir(5) = 0
getdents(5, /* 14 entries */, 32768) = 456
getdents(5, /* 0 entries */, 32768) = 0
close(5) = 0

Debian strace:
openat(AT_FDCWD, "m4", O_RDONLY) = 4
fstat(4, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
fcntl(4, F_GETFL) = 0x8000 (flags O_RDONLY|O_LARGEFILE)
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
fcntl(4, F_DUPFD, 3) = 5
getdents(4, /* 14 entries */, 4096) = 456
getdents(4, /* 0 entries */, 4096) = 0
close(4) = 0

> In other words on Debian find does not change the working directory before
> calling the lgetxattr syscall. That's why lgetxattr does not see the file and
> returns ENOENT (No such file or directory).
>
> Does anybody here guess what's going on? (before I investigate it further)

Kamil
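The strace comparison above, and Jim Meyering's point earlier in the thread that with FTS_CWDFD only fts->fts_cwd_fd changes, come down to one thing: a name that is relative to the traversed directory must be resolved against that directory's fd, not against the process cwd. The following is an added example written for this page (not code from the findutils patch, from gnulib, or from anyone in the thread): it emulates an fd-relative lgetxattr the way gnulib's at-func.c fallback does (save cwd, fchdir, call, restore; gnulib additionally tries a /proc/self/fd path first, which is omitted here) and shows the ENOENT from the plain call beside the working fd-relative one. It assumes Linux with the xattr API and builds a constructed tree under /tmp (or the cwd) for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Read extended attribute ATTR of NAME, with NAME resolved relative to DIRFD.
 * Linux has no lgetxattrat, which is exactly find's problem with getfilecon:
 * so, like gnulib's at-func.c fallback, save the cwd, fchdir into DIRFD, make
 * the plain call, and go back.  Returns the attribute length, or -1 with errno
 * set.  Not thread-safe: the working directory is process-wide. */
static ssize_t lgetxattr_at(int dirfd, const char *name, const char *attr,
                            void *buf, size_t bufsz)
{
    int saved_cwd = open(".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (saved_cwd < 0)
        return -1;
    if (fchdir(dirfd) != 0) {
        int e = errno;
        close(saved_cwd);
        errno = e;
        return -1;
    }
    ssize_t rv = lgetxattr(name, attr, buf, bufsz);
    int saved_errno = errno;
    /* Failing to return would silently corrupt every later relative lookup,
     * so treat that as fatal rather than carrying on in the wrong directory. */
    if (fchdir(saved_cwd) != 0) {
        perror("fchdir: cannot restore working directory");
        abort();
    }
    close(saved_cwd);
    errno = saved_errno;
    return rv;
}

/* Outcome codes of the demonstration below. */
enum { DEMO_SETUP_FAILED = -1, DEMO_UNEXPECTED = 0, DEMO_OK = 1 };

/* Build a constructed tree <base>/m4/ctx-<pid>.o, then compare a plain
 * cwd-relative lgetxattr(name) (what the Debian strace showed: the cwd never
 * moved into m4, so the name is not found) with the fd-relative lookup.  On a
 * host without SELinux the attribute itself is absent (ENODATA or ENOTSUP);
 * what matters is that path resolution no longer fails with ENOENT and that
 * the caller's cwd is unchanged afterwards. */
int demo_fd_relative_lookup(void)
{
    char base[64], dir[96], file[160], name[32], buf[256];
    struct stat before, after;
    long pid = (long)getpid();

    snprintf(base, sizeof base, "/tmp/findctx-%ld", pid);
    if (mkdir(base, 0700) != 0) {            /* no usable /tmp: use the cwd */
        snprintf(base, sizeof base, "./findctx-%ld", pid);
        if (mkdir(base, 0700) != 0)
            return DEMO_SETUP_FAILED;
    }
    snprintf(dir, sizeof dir, "%s/m4", base);
    snprintf(name, sizeof name, "ctx-%ld.o", pid);
    snprintf(file, sizeof file, "%s/%s", dir, name);
    if (mkdir(dir, 0700) != 0)
        return DEMO_SETUP_FAILED;
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return DEMO_SETUP_FAILED;
    close(fd);
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0 || stat(".", &before) != 0)
        return DEMO_SETUP_FAILED;

    /* 1. Relative name from the unchanged cwd: ENOENT, as in the thread. */
    int plain_enoent = lgetxattr(name, "security.selinux", buf, sizeof buf) < 0
                       && errno == ENOENT;

    /* 2. The same relative name resolved against the directory fd. */
    ssize_t rv = lgetxattr_at(dirfd, name, "security.selinux", buf, sizeof buf);
    int at_resolved = rv >= 0 || errno != ENOENT;

    /* 3. The emulation must leave the caller's cwd where it was. */
    int cwd_restored = stat(".", &after) == 0
                       && before.st_dev == after.st_dev
                       && before.st_ino == after.st_ino;

    close(dirfd);
    unlink(file);
    rmdir(dir);
    rmdir(base);
    return (plain_enoent && at_resolved && cwd_restored) ? DEMO_OK
                                                          : DEMO_UNEXPECTED;
}

int main(void)
{
    int r = demo_fd_relative_lookup();
    printf("fd-relative lookup demo: %s\n",
           r == DEMO_OK ? "ok" : r == DEMO_SETUP_FAILED ? "setup failed"
                                                       : "unexpected");
    return r == DEMO_OK ? 0 : 1;
}
```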
Re: [PATCH 1/2] find: add SELinux support
Kamil Dudka <kdudka at redhat.com> writes:
> In other words on Debian find does not change the working directory before
> calling the lgetxattr syscall. That's why lgetxattr does not see the file and
> returns ENOENT (No such file or directory).

One thing to look at would be kernel versions; not all kernels support openat
and friends, so on older kernels, the fts traversal algorithms have to fake
openat by using chdir, but on newer kernels, there is no chdir. Meanwhile, it
may be worth begging the kernel and glibc folks to consider implementing
lgetxattrat and friends.

--
Eric Blake
Re: [PATCH 1/2] find: add SELinux support
On Sat July 11 2009 18:10:49 James Youngman wrote:
> On Sat, Jul 11, 2009 at 4:58 PM, Kamil Dudka <kdu...@redhat.com> wrote:
> > Thanks for digging up the SELinux patch!
>
> No problem. From memory, I think the SELinux kernel support in Debian doesn't
> play nicely with Xen. That means that if I turn on SELinux on the kernel
> command line on my development machine, it crashes. So it's not that easy for
> me to do SELinux-related testing. What I'm saying really is that I will apply
> bugfixes and try to resolve issues, but there may well be cases where I just
> can't reproduce problems.

I've conducted some testing on Debian and it behaves a bit weird. I am not sure
yet if find is broken, or my Debian installation itself:

# uname -a
Linux debian 2.6.26-2-amd64 #1 SMP Sun Jun 21 04:47:08 UTC 2009 x86_64 GNU/Linux

# (cd find && find -maxdepth 1 -printf "%p %Z\n")
. user_u:object_r:user_home_t:s0
./.cvsignore user_u:object_r:user_home_t:s0
./fstype.o unconfined_u:object_r:user_home_t:s0
...

# find find -maxdepth 1 -printf "%p %Z\n"
find user_u:object_r:user_home_t:s0
find/.cvsignore user_u:object_r:user_home_t:s0
find/fstype.o
find: getfilecon: `find/fstype.o': No such file or directory
find/finddata.o
find: getfilecon: `find/finddata.o': No such file or directory
...

As time permits I will keep on trying to zero in on this.

Kamil
Re: [PATCH 1/2] find: add SELinux support
On Saturday 11 of July 2009 17:05:18 James Youngman wrote:
> From: Kamil Dudka <kdu...@redhat.com>
>
> * find/defs.h: Add SELinux related definitions.
> * find/tree.c: Add -context predicate to lookup.
> * find/pred.c: Handle %Z printf directive.
> * find/parser.c: Parse -context predicate and %Z printf directive.
> * find/find.1: Mention -context predicate and %Z printf directive.
> * doc/find.texi: Mention -context predicate and %Z printf directive.
> * find/Makefile.am: Add SELinux libraries.
> * import-gnulib.config: Require gnulib module selinux-h.

Thanks for digging up the SELinux patch!

Kamil