Description of problem:
semanage does not work correctly when a space appears in the path to file
Version-Release number of selected component (if applicable):
from rpm: policycoreutils-1.33.12-14.2.el5
Steps to Reproduce:
1. Create a directory with a space and two files ("/home/user/test me/file1" and "/home/user/test me/file2")
2. chcon -t <context>_t /home/user/test me/file1
3. chcon -t <context>_t /home/user/test me/file2
4. semanage fcontext -a -t <context>_t /home/user/test me/file1
5. semanage fcontext -a -t <context>_t /home/user/test me/file2
Step 4 completes correctly; Step 5 produces the following error(s):
#semanage fcontext -a -t <context>_t file2
libsepol.sepol_context_from_string: malformed context "me/file1"
libsepol.sepol_context_from_string: could not construct context from string
libsemanage.fcontext_parse: invalid security context "me/file1" (/etc/selinux/targeted/modules/tmp//file_contexts.local: 4)
/home/user/test me/file1 system_u:object_r:<context>_t:s0
libsemanage.fcontext_parse: could not parse file context record
libsemanage.dbase_file_cache: could not cache file database
libsemanage.enter_rw: could not enter read-write section
/usr/sbin/semanage: Could not add file context for file2
Policy addition would be added to /etc/selinux/targeted/modules/tmp/file_contexts.local normally.
This appears to happen with any file where the path has a space in it. I've attempted quoting the string passed to semanage as well as quoting and escaping the string in /etc/selinux/targeted/modules/tmp/file_contexts.local, but since it is generated, it gets overwritten.
Sadly neither to the tools or libraries. We do not have a good solution to this other than, don't do that.
Use a regular expression to get around it.
Not my choice, it is a piece of software called Sassafras KeyServer that we are installing that is creating directories with spaces in them, and then has an executable that is trying to do text relocation with libraries.
It appears the parser of the policy files just needs to be fixed. Is this something that is in the pipeline to be done? "Just don't do that" doesn't sound like a good long term solution.
I'm not sure what exactly you mean by using a regular expression to get around it either.
semanage fcontext -a -t <context>_t '/home/user/.*/file1'
semanage fcontext -a -t <context>_t '/home/user/[^/]*/file1'
This is too difficult to fix and has an easy workaround.
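An added example, not part of the original report or of the policycoreutils code: a simplified Python model of whitespace-delimited record parsing, showing why the literal path fails with the "me/file1" error and which other paths each regular-expression workaround above would also label. The field layout, the anchored matching, the `example_t` type and the extra paths are assumptions constructed for illustration.

```python
import re

TARGET = "/home/user/test me/file1"
CONTEXT = "system_u:object_r:example_t:s0"   # constructed type name
WORKAROUNDS = ["/home/user/.*/file1", "/home/user/[^/]*/file1"]
# Constructed neighbours used to show how broad each pattern is.
OTHER_PATHS = ["/home/user/other/file1", "/home/user/a/b/file1"]


def parse_record(line):
    """Split one record the way a whitespace-delimited parser would
    (assumed layout: path regex, optional '-x' file type, context)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("record needs a path and a context")
    path, rest = fields[0], fields[1:]
    ftype = rest.pop(0) if rest[0].startswith("-") else None
    if not rest:
        raise ValueError("record has no security context")
    context = rest[0]
    # A context is user:role:type[:level]; anything else is rejected.
    if context != "<<none>>" and len(context.split(":")) < 3:
        raise ValueError('invalid security context "%s"' % context)
    return path, ftype, context


def matches(pattern, path):
    # Assumption: an entry must match the whole path (anchored both ends).
    return re.fullmatch(pattern, path) is not None


def coverage(pattern):
    """Paths from the sample set that the pattern would label."""
    return [p for p in [TARGET] + OTHER_PATHS if matches(pattern, p)]


if __name__ == "__main__":
    try:
        parse_record(TARGET + " " + CONTEXT)
    except ValueError as err:
        print("literal path:", err)
    for pat in WORKAROUNDS:
        print(parse_record(pat + " " + CONTEXT), "labels", coverage(pat))
```

Both patterns survive parsing because they contain no whitespace, but each labels more than the one intended file, so check the resulting labels on neighbouring directories after applying the workaround.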