Bug 210622 - selinux-policy-targeted-sources package corrupts file_context file if CDPATH variable is set
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.4
Hardware: i386
OS: Linux
medium
high
Assignee: Daniel Walsh
Reported: 2006-10-13 12:05 UTC by Ramesh Hegde
Modified: 2007-11-17 01:14 UTC (History)

Doc Type: Bug Fix
Last Closed: 2007-02-14 14:57:47 UTC

Description Ramesh Hegde 2006-10-13 12:05:11 UTC
Description of problem:
When selinux-policy-targeted-sources is installed, it corrupts the file 
file_contexts and policy.conf if the CDPATH environment variable is set.
The package should not depend on this kind of behavior as this environment 
variable can be set by any package.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-sources-1.17.30-2.140

How reproducible:
export CDPATH=.:/tmp
install selinux-policy-targeted-sources. Installation may be successful as the 
output of compilation of policy is not visible due to redirection to /dev/null

Now if you manually run 
make -C  /etc/selinux/targeted/src/policy/ load
make: Entering directory `/etc/selinux/targeted/src/policy'
mkdir -p /etc/selinux/targeted/policy
/usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
tmp/program_used_flags.te:2:ERROR 'syntax error' at 
token '/etc/selinux/targeted/src/policy/domains/program' on line 1164:
/etc/selinux/targeted/src/policy/domains/program
#line 1 "tmp/program_used_flags.te"
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
make: Leaving directory `/etc/selinux/targeted/src/policy'
make -C  /etc/selinux/targeted/src/policy/ load


If you open file "/etc/selinux/targeted/contexts/files/file_contexts" there 
will be two wrong entries in line num 17 and line num 42.



Steps to Reproduce:
1. export CDPATH=.:/tmp
2. rpm -ivh selinux-policy-targeted-sources-1.17.30-2.140.noarch.rpm
3. make -C  /etc/selinux/targeted/src/policy/ load
  
Actual results:
make: Entering directory `/etc/selinux/targeted/src/policy'
mkdir -p /etc/selinux/targeted/policy
/usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
tmp/program_used_flags.te:2:ERROR 'syntax error' at 
token '/etc/selinux/targeted/src/policy/domains/program' on line 1164:
/etc/selinux/targeted/src/policy/domains/program
#line 1 "tmp/program_used_flags.te"
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
make: Leaving directory `/etc/selinux/targeted/src/policy'


Also the file /etc/selinux/targeted/contexts/files/file_contexts contains 
wrong entries as below.

# Distro-specific customizations.

# Comment out all but the one that matches your distro.
# The policy .te files can then wrap distro-specific customizations with
# appropriate ifdefs.











/etc/selinux/targeted/src/policy/domains/program
























/etc/selinux/targeted/src/policy/domains/misc

#
# This file describes the security contexts to be applied to files


Expected results:
Policies should be compiled without any errors

Additional info:

This is because in the sources installation scripts following is done

( cd domains/program/ ; for n in *.te ; do echo "define(\`$n')"; done ) > tmp/program_used_flags.te.tmp

Here "cd" behavior changes when the CDPATH variable is set. A cd to the 
domains/program/ directory will echo the absolute path to the new directory, 
which will also get directed to the file and hence corrupts the file.

This behavior of the cd command is documented well in the man pages when CDPATH is set 
and hence it is not advisable to use cd in such cases or use an absolute path which 
starts with /
Man page extract:

  cd [-L|-P] [dir]
      Change the current directory to dir.  The variable HOME is the
      default dir.  The variable CDPATH defines the search path for the
      directory containing dir.  Alternative directory names in CDPATH
      are separated by a colon (:).  A null directory name in CDPATH is
      the same as the current directory, i.e., ".".  If dir begins with
      a slash (/), then CDPATH is not used.  The -P option says to use
      the physical directory structure instead of following symbolic
      links (see also the -P option to the set builtin command); the -L
      option forces symbolic links to be followed.  An argument of - is
      equivalent to $OLDPWD.  If a non-empty directory name from CDPATH
      is used, or if - is the first argument, and the directory change
      is successful, the absolute pathname of the new working directory
      is written to the standard output.  The return value is true if
      the directory was successfully changed; false otherwise.
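
Added example (not part of the original report or of the selinux-policy package): the failure described above reproduced on a throwaway tree, next to a hardened form of the same snippet. The temporary directory, the file names a.te and b.te, and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed stand-in for /etc/selinux/targeted/src/policy; a.te and b.te
# are made-up policy file names.
POLICY_SRC=$(mktemp -d)
trap 'rm -rf "$POLICY_SRC"' EXIT
mkdir -p "$POLICY_SRC/domains/program"
touch "$POLICY_SRC/domains/program/a.te" "$POLICY_SRC/domains/program/b.te"

# The snippet quoted in the report, unchanged. Whatever cd writes to stdout
# lands in the same stream as the generated define() lines.
gen_flags_original() (
    cd "$POLICY_SRC" || exit 1   # absolute path: CDPATH is not consulted
    ( cd domains/program/ ; for n in *.te ; do echo "define(\`$n')"; done )
)

# Hardened form. Any one of the three measures is enough on its own; a
# script run as root during package installation can afford all three.
gen_flags_hardened() (
    unset CDPATH                 # 1. do not inherit the caller's search path
    cd "$POLICY_SRC" || exit 1
    # 2. a leading ./ makes the shell skip the CDPATH lookup
    # 3. cd's own stdout is discarded, and a failed cd aborts the subshell
    ( cd ./domains/program/ >/dev/null || exit 1
      for n in *.te ; do echo "define(\`$n')"; done )
)

# Count lines on stdin that are not define() macros, i.e. the corruption.
stray_lines() {
    grep -c -v '^define(' || true
}

# Same environment as the report's first reproduction step.
CDPATH=.:/tmp
export CDPATH
echo "original snippet, stray lines: $(gen_flags_original | stray_lines)"
echo "hardened snippet, stray lines: $(gen_flags_hardened | stray_lines)"
```

The same stray-line check can be pointed at a generated tmp/program_used_flags.te.tmp to tell whether an existing source tree was built with CDPATH set.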

Comment 1 Daniel Walsh 2007-02-14 14:57:47 UTC
Since we no longer use this method in RHEL5 or any of the Fedora releases, I am
going to close this as a wontfix.  It is easily worked around.

