1. 10 Jul, 2020 2 commits
    • policycoreutils: setfiles: do not restrict checks against a binary policy · c94e542c
      Antoine Tenart authored
      The -c option allows checking the validity of contexts against a
      specified binary policy. Its use is restricted: no pathname can be used
      when a binary policy is given to setfiles. It's not clear if this is
      intentional as the built-in help and the man page are not stating the
      same thing about this (the man page documents -c as a normal option,
      while the built-in help shows it is restricted).
      
      When generating full system images later used with SELinux in enforcing
      mode, the extended attributes of files have to be set by the build
      machine. The issue is setfiles always checks the contexts against a
      policy (ctx_validate = 1) and using an external binary policy is not
      currently possible when using a pathname. This ends up in setfiles
      failing early as the contexts of the target image are not always
      compatible with the ones of the build machine.
      
      This patch reworks a check on optind only made when -c is used, that
      enforced the use of a single argument to allow 1+ arguments, allowing
      setfiles to be used with an external binary policy and pathnames. The following
      command is then allowed, as already documented in the man page:
      
        $ setfiles -m -r target/ -c policy.32 file_contexts target/
      Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
      Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
  2. 25 Jun, 2020 2 commits
  3. 19 Jun, 2020 1 commit
  4. 18 Jun, 2020 10 commits
  5. 09 Jun, 2020 2 commits
  6. 04 Jun, 2020 1 commit
  7. 02 Jun, 2020 1 commit
  8. 01 Jun, 2020 1 commit
    • secilc/docs: fix use of TMPDIR · 4ad0abd9
      Topi Miettinen authored
      Environment variable TMPDIR may be already set for the user building
      and this could be equal to $XDG_RUNTIME_DIR or /tmp which are existing
      directories. Then when running 'make clean', there are unintended side
      effects:
      
      rm -rf /run/user/1000
      rm: cannot remove '/run/user/1000/dconf/user': Permission denied
      rm: cannot remove '/run/user/1000/systemd': Permission denied
      rm: cannot remove '/run/user/1000/gnupg': Permission denied
      rm: cannot remove '/run/user/1000/dbus-1': Is a directory
      rm: cannot remove '/run/user/1000/inaccessible': Permission denied
      make[1]: *** [Makefile:68: clean] Error 1
      
      Fix by always setting the variable.
      Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
      Suggested-by: Petr Lautrbach <plautrba@redhat.com>
      Acked-by: Petr Lautrbach <plautrba@redhat.com>
  9. 29 May, 2020 7 commits
  10. 15 May, 2020 4 commits
  11. 13 May, 2020 5 commits
  12. 12 May, 2020 1 commit
  13. 06 May, 2020 3 commits