From: <ssm...@us...> - 2008-05-27 19:53:33
Revision: 2884 http://selinux.svn.sourceforge.net/selinux/?rev=2884&view=rev Author: ssmalley Date: 2008-05-27 12:53:31 -0700 (Tue, 27 May 2008) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: Is there a command line tool that returns 1 if a file is in the wrong context? Date: Tue, 27 May 2008 11:28:38 -0400 On Sat, 2008-05-24 at 18:58 -0500, Joe Nall wrote: > Is there a command line tool that returns 1 if a file is in the wrong > context?. I want to add a %verifyscript to our rpms to validate the > installed file context when rpm -V is invoked. I was going to suggest matchpathcon -V, except when trying it, I found that there is a bug in the current libselinux that makes it seg fault and it also doesn't return the status but rather displays it. So how about the patch below to fix the bug and make the exit status usable? After this patch, you can run '/usr/sbin/matchpathcon -Vq path1 [path2...]' and check the exit status; 0 will mean that all verified; non-zero will be the count of failures. Modified Paths: -------------- trunk/libselinux/src/matchpathcon.c trunk/libselinux/utils/matchpathcon.c
Modified: trunk/libselinux/src/matchpathcon.c
===================================================================
--- trunk/libselinux/src/matchpathcon.c 2008-05-16 13:29:32 UTC (rev 2883)
+++ trunk/libselinux/src/matchpathcon.c 2008-05-27 19:53:31 UTC (rev 2884)
@@ -372,6 +372,9 @@
 else return 0; }
+
+ if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0))
+ return -1;
 if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) {
 if (errno != ENOENT)
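Review bot: The lazy-initialization guard `if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0)) return -1;` is written out here and again in the second hunk of this file, so every further entry point that passes `hnd` to selabel_lookup_raw has to remember to repeat it; a small static helper keeps the check in one place. `hnd` is not declared in the hunk and looks like a file-scope handle, in which case two threads making their first call concurrently could both run matchpathcon_init_prefix, so a comment should state whether callers are expected to initialize before going multi-threaded or whether a lock is needed. The enclosing function starts and ends outside this hunk.
```c
/* Initialize the selabel handle on first use if the caller has not done so;
   -1 on failure (matchpathcon_init_prefix reports the reason). */
static int ensure_hnd(void)
{
	if (!hnd && matchpathcon_init_prefix(NULL, NULL) < 0)
		return -1;
	return 0;
}

/* … unchanged: matchpathcon() up to the symlink handling … */
	if (ensure_hnd() < 0)
		return -1;
	if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) {
```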
@@ -394,6 +397,9 @@
 if (lstat(path, &st) != 0) return rc;
+ if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0))
+ return -1;
+
 /* If there's an error determining the context, or it has none, return to allow default context */
 if (selabel_lookup_raw(hnd, &scontext, path, st.st_mode)) {
Modified: trunk/libselinux/utils/matchpathcon.c
===================================================================
--- trunk/libselinux/utils/matchpathcon.c 2008-05-16 13:29:32 UTC (rev 2883)
+++ trunk/libselinux/utils/matchpathcon.c 2008-05-27 19:53:31 UTC (rev 2884)
@@ -12,7 +12,7 @@
 void usage(const char *progname)
 {
 fprintf(stderr,
- "usage: %s [-N] [-n] [-f file_contexts] [-p prefix] [-V] path...\n",
+ "usage: %s [-N] [-n] [-f file_contexts] [-p prefix] [-Vq] path...\n",
 progname);
 exit(1);
 }
@@ -42,11 +42,12 @@
 int verify = 0;
 int notrans = 0;
 int error = 0;
+ int quiet = 0;
 if (argc < 2) usage(argv[0]);
- while ((opt = getopt(argc, argv, "Nnf:p:V")) > 0) {
+ while ((opt = getopt(argc, argv, "Nnf:p:Vq")) > 0) {
 switch (opt) {
 case 'n':
 header = 0;
@@ -90,6 +91,9 @@
 exit(1);
 }
 break;
+ case 'q':
+ quiet = 1;
+ break;
 default:
 usage(argv[0]);
 }
@@ -101,11 +105,18 @@
 mode = buf.st_mode;
 if (verify) {
+ if (quiet) {
+ if (selinux_file_context_verify(argv[i], 0))
+ continue;
+ else
+ exit(1);
+ }
 if (selinux_file_context_verify(argv[i], 0)) {
 printf("%s verified.\n", argv[i]);
 } else {
 security_context_t con;
 int rc;
+ error++;
 if (notrans) rc = lgetfilecon_raw(argv[i], &con);
 else
@@ -114,15 +125,13 @@
 if (rc >= 0) {
 printf("%s has context %s, should be ", argv[i], con);
- error +=
- printmatchpathcon(argv[i], 0, mode);
+ printmatchpathcon(argv[i], 0, mode);
 freecon(con);
 } else {
 printf ("actual context unknown: %s, should be ", strerror(errno));
- error +=
- printmatchpathcon(argv[i], 0, mode);
+ printmatchpathcon(argv[i], 0, mode);
 }
 }
 } else {
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
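Review bot: The new guard returns -1 while the lstat failure just above it returns `rc` (initialized outside the hunk), so this function now reports its two failure paths with different values; the utility patched in this same commit tests the result with a plain `if (selinux_file_context_verify(...))`, which would take -1 for a verified file. Either return the same value the lstat path returns, or keep -1 as a distinct "could not check" outcome and make callers compare against the success value explicitly. Whichever is chosen, a header comment on the function should spell out the three outcomes (verified / not verified / error), since the enclosing function starts outside this hunk and its contract is not visible here.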
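Review bot: `-q` is accepted without `-V` and then has no effect, because `quiet` is only consulted inside the `if (verify)` branch further down; the usage string groups the two as `[-Vq]`, but a bare `-q` run prints contexts exactly as before. If quiet is only meaningful for verification, reject the combination after option parsing, `if (quiet && !verify) usage(argv[0]);`, or say in the usage text that `-q` implies `-V`. The surrounding getopt loop and the rest of main are outside this hunk.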
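Review bot: In the quiet branch, `exit(1)` on the first unverified path stops the loop, so `-Vq path1 path2` never checks path2 and the status is always 1 rather than the failure count the log message promises; `error++` is only reached in the non-quiet branch. Let quiet suppress output only, `if (quiet) { if (!selinux_file_context_verify(argv[i], 0)) error++; continue; }`, so both modes count the same way. Both branches also treat any non-zero return as verified, so the -1 the library now returns when its handle cannot be initialized reads as success; test for the success value explicitly (`== 1`, if that is what the match path returns — the tail of selinux_file_context_verify is outside this patch). If main finishes with `exit(error)` as the description implies (that line is outside the hunk), the count is truncated to 8 bits and exactly 256 failures report as 0, so an rpm %verifyscript should treat any non-zero status as failure rather than read it as a count, or the tool should clamp it to 1.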