Jira (PUP-10962) Migrate SELinux util from matchpathcon(3) to selabel_lookup(3)


Tobias Urdin (Jira)

Mar 11, 2021, 5:13:01 AM3/11/21
to puppe...@googlegroups.com
Tobias Urdin created an issue
Puppet / Task PUP-10962
Migrate SELinux util from matchpathcon(3) to selabel_lookup(3)
Issue Type: Task
Assignee: Unassigned
Created: 2021/03/11 2:12 AM
Priority: Normal
Reporter: Tobias Urdin

Puppet::Util::SElinux uses the deprecated matchpathcon(3) exposed by the C bindings for SELinux.


This should be changed to instead open a handle with selabel_open, doing the lookup with selabel_lookup then closing the handle with selabel_close.

This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)

Tobias Urdin (Jira)

Mar 11, 2021, 5:15:02 AM3/11/21
to puppe...@googlegroups.com
Tobias Urdin updated an issue
Change By: Tobias Urdin
Puppet::Util::SElinux uses the deprecated matchpathcon(3) exposed by the C bindings for SELinux.


This should be changed to instead open a handle with selabel_open, doing the lookup with selabel_lookup then closing the handle with selabel_close.



This has been available since mid-2015, when it was introduced in [1]; it just needs to be verified that it's included in all new major versions of supported operating systems.

[1] https://github.com/SELinuxProject/selinux/commit/e7f970ffd1a8dbb26051405719a2288d34e856f6


Tobias Urdin (Jira)

Mar 11, 2021, 5:18:02 AM3/11/21
to puppe...@googlegroups.com
Tobias Urdin commented on Task PUP-10962
Re: Migrate SELinux util from matchpathcon(3) to selabel_lookup(3)

I won't have time to push a patch right now, but it's a simple fix in https://github.com/puppetlabs/puppet/blob/main/lib/puppet/util/selinux.rb#L55-L59


Replacing the first snippet below with the second one and fixing testing.

# Current code: matchpathcon(3) via the Ruby binding; -1 means no matching
# file context, otherwise the context string is the second element.
retval = Selinux.matchpathcon(file, mode)
if retval == -1
  return nil
end
retval[1]

# Proposed replacement using the selabel(3) API. The SWIG binding does not take
# the char** output argument of selabel_lookup(3), so the call is
# (handle, key, type) and the context comes back with the status, as with
# matchpathcon. SELABEL_CTX_FILE is defined in the Selinux module.
begin
  hnd = Selinux.selabel_open(Selinux::SELABEL_CTX_FILE, nil, 0)
  retval = Selinux.selabel_lookup(hnd, file, mode)
  if retval == -1
    return nil
  end
  retval[1]
rescue
  nil
ensure
  # Release the handle even if selabel_open or the lookup raised.
  Selinux.selabel_close(hnd) if hnd
end
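Added example, not Puppet's code or the poster's: the selabel lifecycle from the snippet above generalised to a batch of paths sharing one handle, with lstat-derived file types and a -1 status mapped to nil. It assumes the Ruby binding's shapes selabel_open(backend, opts, nopts), selabel_lookup(hnd, key, type) returning [status, context] and selabel_close(hnd); FakeSelinux is a constructed stand-in so the example runs without libselinux installed.

```ruby
# Added example (not Puppet's or the poster's code): label a batch of paths with
# one selabel handle, instead of a matchpathcon(3) call per path. `selinux` is
# any object exposing the libselinux Ruby bindings; FakeSelinux below is a
# constructed stand-in so the example runs without libselinux installed.
module BatchLabel
  S_IFMT = 0o170000 # selabel_lookup only consults the file-type bits of the mode

  def self.mode_for(path)
    File.lstat(path).mode & S_IFMT
  rescue Errno::ENOENT, Errno::EACCES
    0 # file missing or unreadable: lookup falls back to type-less specs
  end

  # Returns { path => context or nil }. A -1 status ("no matching spec") maps to
  # nil, as the matchpathcon version did, instead of raising.
  def self.default_contexts(paths, selinux:)
    hnd = selinux.selabel_open(selinux::SELABEL_CTX_FILE, nil, 0)
    return {} if hnd.nil? # selabel_open failed; nothing to close
    paths.each_with_object({}) do |path, out|
      status, con = selinux.selabel_lookup(hnd, path, mode_for(path))
      out[path] = status == -1 ? nil : con
    end
  ensure
    selinux.selabel_close(hnd) if hnd # release the handle even if a lookup raised
  end
end

# Constructed fake of the Selinux binding. Specs are [path regex, type or nil
# for any type, label]; the last matching spec wins, as in file_contexts(5).
module FakeSelinux
  SELABEL_CTX_FILE = 0
  SPECS = [
    [%r{\A/nonexistent}, nil,      'system_u:object_r:default_t:s0'],
    [/.*/,               0o040000, 'system_u:object_r:usr_t:s0'] # directories
  ].freeze

  def self.selabel_open(_backend, _opts, _nopts)
    Object.new # opaque handle
  end

  def self.selabel_lookup(_hnd, key, type)
    spec = SPECS.reverse.find { |re, t, _| key.match?(re) && (t.nil? || t == type) }
    spec ? [0, spec[2]] : [-1, nil]
  end

  def self.selabel_close(_hnd); end
end
```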


Ciprian Badescu (Jira)

Jun 15, 2021, 4:53:02 AM6/15/21
to puppe...@googlegroups.com
Ciprian Badescu updated an issue
Puppet / Improvement PUP-10962
Change By: Ciprian Badescu
Issue Type: Task -> Improvement

Ciprian Badescu (Jira)

Jun 15, 2021, 4:54:02 AM6/15/21
to puppe...@googlegroups.com

Ciprian Badescu (Jira)

Jun 15, 2021, 10:46:03 AM6/15/21
to puppe...@googlegroups.com

Ciprian Badescu (Jira)

Jun 15, 2021, 10:47:02 AM6/15/21
to puppe...@googlegroups.com

Ciprian Badescu (Jira)

Jun 29, 2021, 2:57:02 AM6/29/21
to puppe...@googlegroups.com

Ciprian Badescu (Jira)

Jul 13, 2021, 10:56:03 AM7/13/21
to puppe...@googlegroups.com