SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: Patch to policycoreutils This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] [ Replies ] From: Stephen Smalley <sds_at_tycho.nsa.gov> Date: Mon, 31 Jan 2005 09:14:59 -0500 On Fri, 2005-01-28 at 15:25, Daniel J Walsh wrote: > diff_filecontext() { > if [ -f ${PREFC} -a -x /usr/bin/diff ]; then > TEMPFILE=`mktemp ${FILE_CONTEXT}.XXXXXXXXXX` > test -z "$TEMPFILE" && exit > /usr/bin/diff $PREFC $FILE_CONTEXT \| egrep '^[<>]'\|cut -c3-\| grep ^/ \| \ > sed -e 's,\\.,,g' -e 's,(.,,g' -e 's,\[.,,g' -e 's,\..,,g' \ > -e 's,[[:blank:]].,,g' -e 's,\?.,,g' \| sort -u \| \ > while read pattern ; do if ! echo "$pattern" \| grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in "") echo "$pattern" \|sed 's,\$,,g'>> ${TEMPFILE};; esac; fi; done \| \ > while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null \| \ > ${RESTORECON} $2 -v -f -R - > rm -f ${TEMPFILE} > fi > } To try to understand this better, I split the pipeline and wrote each stage into a separate temporary file, then looked at diffs between each pair of stages. I'm not sure if the filter pipline is functioning as you intend, e.g.: The first sed substitution changes: /var/tmp/vi\.recover -d system_u:object_r:tmp_t to: /var/tmp/vi* A \. is not a regex; it is a regular dot character, so I would have expected you to just remove the backslash for passing along to restorecon. 2) The second sed substitution changes: /usr/lib(64)?/[^/]thunderbird[^/]/thunderbird -- system_u:object_r:bin_t to: /usr/lib* This is due to sed itself performing regex matching for the .* sequence, i.e. it consumes anything after an open parens. Possibly you could escape it if that is what you intended, e.g. \.\. Similar issues with the other substitutions that are using ., I think, e.g. changing: /usr/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t to: /usr/bin/* But the shell would have correctly handled /usr/bin/[xgkw]dm without any change at all. Also seems to have a problem with the /u?dev entries, changing: /u?dev/microcode to: /u* which won't actually catch /dev nodes. -- Stephen Smalley <sds@tycho.nsa.gov> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Mon 31 Jan 2005 - 09:21:31 EST This message: [ Message body ] Next message: Stephen Smalley: "NSA web site offline 4-7 Feb" Previous message: Stephen Smalley: "Re: Updated version of open_init_pty" In reply to: Daniel J Walsh: "Re: Patch to policycoreutils" Next in thread: Daniel J Walsh: "Re: Patch to policycoreutils" Reply: Daniel J Walsh: "Re: Patch to policycoreutils" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom