[yocto] [meta-selinux][RFC 01/10] policycoreutils: Add FTS_NOCHDIR flag to fts_open.
Philip Tricca
flihp at twobit.us
Sat Jun 6 17:36:59 PDT 2015
This works around a bug in the libc currently in use. FTS functions are
supposed to change the current working directory as they walk the file
hierarchy. The fts_accpath member of the FTSENT structure relies on this
behavior and without it the path is not relative to cwd as expected.
Supplying the FTS_NOCHDIR flag disables this optimization and causes
fts_accpath to be relative to the directory where the traversal started.
An alternative fix could replace the use of fts_accpath with fts_path
which is absolute.
Signed-off-by: Philip Tricca <flihp at twobit.us>
---
.../policycoreutils-setfiles-path.patch | 27 ++++++++++++++++++++++
recipes-security/selinux/policycoreutils_2.3.bb | 1 +
2 files changed, 28 insertions(+)
create mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-setfiles-path.patch
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-setfiles-path.patch b/recipes-security/selinux/policycoreutils/policycoreutils-setfiles-path.patch
new file mode 100644
index 0000000..c87af98
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-setfiles-path.patch
@@ -0,0 +1,27 @@
+Subject: Replace fts_accpath with fts_path in restore.c.
+Author: Philip Tricca <flihp at twobit.us>
+
+To label filesystems in an alternative root directory we need to use the
+'-r' flag with the setfiles utility. The current implementation uses the
+fts_accpath member of the FTSENT structure which is reletive to the "current
+directory". This fails in the pseudo environment but for a reason I don't
+fully understand.
+
+This patch replaces the use of fts_accpath with fts_path which is relative
+to the root specified in the traversal. By invoking setfiles with an absolute
+path we're ensured that fts_path will be an absolute path to the file being
+relabeled.
+
+Index: policycoreutils/setfiles/setfiles.c
+===================================================================
+--- policycoreutils.orig/setfiles/setfiles.c
++++ policycoreutils/setfiles/setfiles.c
+@@ -194,7 +194,7 @@ int main(int argc, char **argv)
+ r_opts.expand_realpath = 0;
+ r_opts.abort_on_error = 1;
+ r_opts.add_assoc = 1;
+- r_opts.fts_flags = FTS_PHYSICAL | FTS_XDEV;
++ r_opts.fts_flags = FTS_PHYSICAL | FTS_XDEV | FTS_NOCHDIR;
+ ctx_validate = 1;
+ } else {
+ /*
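Review bot: The description at the top of the embedded policycoreutils-setfiles-path.patch does not match its hunk: the Subject line and second paragraph say fts_accpath is replaced with fts_path in restore.c, while the only change is adding FTS_NOCHDIR to r_opts.fts_flags in setfiles/setfiles.c. The commit message names the fts_path replacement as the alternative that was not taken, so the patch header should be rewritten to describe the FTS_NOCHDIR workaround and the file it touches. The header also carries only Subject and Author lines; adding an Upstream-Status tag and a Signed-off-by would record whether this workaround is intended to go upstream. The flag is set only in the branch shown before "} else {", so please confirm the other branch never handles the '-r' case.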
diff --git a/recipes-security/selinux/policycoreutils_2.3.bb b/recipes-security/selinux/policycoreutils_2.3.bb
index 447e6c9..2dee62e 100644
--- a/recipes-security/selinux/policycoreutils_2.3.bb
+++ b/recipes-security/selinux/policycoreutils_2.3.bb
@@ -13,4 +13,5 @@ SRC_URI += "\
file://policycoreutils-semanage-edit-user.patch \
file://policycoreutils-process-ValueError-for-sepolicy-seobject.patch \
file://policycoreutils-fix-TypeError-for-seobject.py.patch \
+ file://policycoreutils-setfiles-path.patch \
"
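Review bot: The new SRC_URI entry is unconditional, so the FTS_NOCHDIR workaround is applied to every build of policycoreutils_2.3.bb, while the patch description ties the failure to the pseudo environment. If the problem only appears when labeling under pseudo, state in the commit message why the flag is safe for all builds, or restrict the patch to the variant that needs it.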
--
2.1.4
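The fts_accpath behaviour the commit message describes can be observed with the following added example, which is not part of the patch or of policycoreutils. It assumes a libc whose fts implementation changes directory during the walk as described (glibc, for instance); the function names stale_accpaths and make_sample_tree and the temporary tree are constructed for illustration.

```c
#define _DEFAULT_SOURCE
#include <fts.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk `root` with the setfiles flags from the hunk plus `extra`; return how
 * many regular files have an fts_accpath that does not resolve from the
 * directory the walk started in (-1 on error). */
int stale_accpaths(const char *root, int extra)
{
    char *paths[] = { (char *)root, NULL };
    char start[PATH_MAX], full[2 * PATH_MAX];
    struct stat sb;
    FTSENT *e;
    int bad = 0;
    if (!getcwd(start, sizeof start))
        return -1;
    FTS *fts = fts_open(paths, FTS_PHYSICAL | FTS_XDEV | extra, NULL);
    if (!fts)
        return -1;
    while ((e = fts_read(fts)) != NULL) {
        if (e->fts_info != FTS_F)
            continue;
        /* Resolve against the starting directory, not the process cwd,
         * which fts changes during the walk unless FTS_NOCHDIR is set. */
        int is_abs = e->fts_accpath[0] == '/';
        snprintf(full, sizeof full, "%s%s%s", is_abs ? "" : start,
                 is_abs ? "" : "/", e->fts_accpath);
        if (lstat(full, &sb) != 0)
            bad++;
    }
    fts_close(fts);
    return bad;
}
/* Constructed sample tree <tmp>/sub/inner/file; leaves cwd at <tmp>. */
int make_sample_tree(void)
{
    char tmpl[] = "/tmp/fts-demo-XXXXXX";
    FILE *f;
    if (!mkdtemp(tmpl) || chdir(tmpl) || mkdir("sub", 0700) ||
        mkdir("sub/inner", 0700) || !(f = fopen("sub/inner/file", "w")))
        return -1;
    return fclose(f);
}
int main(void)
{
    if (make_sample_tree() != 0)
        return 1;
    int plain = stale_accpaths("sub", 0);
    int nochdir = stale_accpaths("sub", FTS_NOCHDIR);
    printf("default: %d stale, FTS_NOCHDIR: %d stale\n", plain, nochdir);
    return 0;
}
```

With the default flags fts_accpath for the nested file is just its name, valid only from the directory fts has changed into; with FTS_NOCHDIR it stays relative to where the traversal started.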