Restore selinux context after published files are moved.

[jortel]

https://pulp.plan.io/issues/2277

Call selinux.restorecon() after moving published files. The path passed to restorecon() cannot be unicode.

The Requires: libselinux-python needs to be added to the .spec file but I have no idea which one is actually being used.

[mention-bot]

@jortel, thanks for your PR! By analyzing the annotation information on this pull request, we identified @mhrivnak, @dkliban and @bmbouter to be potential reviewers

[bmbouter]

This looks all correct to me. Thanks @jortel !

[mhrivnak]

Here's a minor question: should the commit message say "context" instead of "content"?

[bmbouter]

It should. I recommend:

s/selinux content/SELinux file context/

On Fri, Sep 23, 2016 at 4:24 PM, Michael Hrivnak notifications@github.com
wrote:

Here's a minor question: should the commit message say "context" instead
of "content"?

—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
#2770 (comment), or mute
the thread
https://github.com/notifications/unsubscribe-auth/AALAX5OsETvEN5ENdHkwFY2l_bN7cYjuks5qtDVqgaJpZM4KFVMw
.

Brian Bouterse

[jortel]

Seeing this problem while testing on f23:

[root@nec-em26 ~]# make -f /usr/share/selinux/devel/Makefile pulp-celery.pp
Compiling targeted pulp-celery module
pulp-celery.te:121: Warning: miscfiles_manage_cert_dirs() has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.
/usr/bin/checkmodule:  loading policy configuration from tmp/pulp-celery.tmp
pulp-celery.te:149:ERROR 'syntax error' at token ':' on line 5433:
#line 149
    allow celery_t :dir { getattr relabelto };
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/share/selinux/devel/include/Makefile:154: recipe for target 'tmp/pulp-celery.mod' failed
make: *** [tmp/pulp-celery.mod] Error 1

[jortel]

Updated as requested. Also, updated the pulp.spec and replaced macros with rules.

@bmbouter, please re-review.

[bmbouter]

I'm looking into the failure.

[bmbouter]

The compilation failure is because this refpol statement takes 3 arguments not 2 like the upstream one I had looked at before. Here is a snippet from /usr/share/selinux/devel/include/support/file_patterns.spt:

define(`relabelto_dirs_pattern',`
        allow $1 $2:dir search_dir_perms;
        allow $1 $3:dir relabelto_dir_perms;
')

The $1, $3, and $3 are the arguments to the statement like.

relabelto_dirs_pattern(celery_t, httpd_sys_rw_content_t)

which does not have enough arguments. This works though:

relabelto_dirs_pattern(celery_t, httpd_sys_rw_content_t, httpd_sys_rw_content_t)

Since refpol isn't saving us anything here in terms of line count and there may be argument signature incompatability between RHEL and Fedora, let's merge the allow statements you have in the PR currently.

In other words, LGTM. Thanks for putting it together @jortel !