SELinux Archive mirror
From: Vit Mojzis <vmojzis@redhat.com>
To: selinux@vger.kernel.org
Subject: [PATCH] python/semanage: Do not sort local fcontext definitions
Date: Wed,  7 Feb 2024 15:46:23 +0100
Message-ID: <20240207150003.174701-1-vmojzis@redhat.com>

Entries in file_contexts.local are processed from the most recent one to
the oldest, with first match being used. Therefore it is important to
preserve their order when listing (semanage fcontext -lC) and exporting
(semanage export).

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
Not sure if this is the best solution since the local file context
customizations are still sorted in the output of "semanage fcontext -l".
Adding a new section for "Local file context changes" would make it
clear that such changes are treated differently, but it would make it
harder to find context definitions affecting a specific path.
The most important part of this patch is the change to "customized"
since that stops "semanage export | semanage import" from reordering the
local customizations.

Note: The order of dictionary.keys() is only guaranteed in python 3.6+.

Note2: The change to fcontextPage can only be seen when the user
disables ordering by "File specification" column, which is enabled by
default.

 gui/fcontextPage.py         | 6 +++++-
 python/semanage/seobject.py | 9 +++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
index 767664f2..c88df580 100644
--- a/gui/fcontextPage.py
+++ b/gui/fcontextPage.py
@@ -133,7 +133,11 @@ class fcontextPage(semanagePage):
         self.fcontext = seobject.fcontextRecords()
         self.store.clear()
         fcon_dict = self.fcontext.get_all(self.local)
-        for k in sorted(fcon_dict.keys()):
+        if self.local:
+            fkeys = fcon_dict.keys()
+        else:
+            fkeys = sorted(fcon_dict.keys())
+        for k in fkeys:
             if not self.match(fcon_dict, k, filter):
                 continue
             iter = self.store.append()
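Review bot: the new "if self.local:" branch has no comment saying why local entries must stay unsorted, while the matching branch in the last seobject.py hunk does. Add the same one-line comment here so a later cleanup does not put sorted() back. The if/else is also repeated verbatim in seobject.py; a conditional expression such as "fkeys = fcon_dict.keys() if self.local else sorted(fcon_dict.keys())" or a small shared helper would keep the two copies in step.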
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index dfb15b1d..25ec4315 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -2735,7 +2735,7 @@ class fcontextRecords(semanageRecords):
     def customized(self):
         l = []
         fcon_dict = self.get_all(True)
-        for k in sorted(fcon_dict.keys()):
+        for k in fcon_dict.keys():
             if fcon_dict[k]:
                 if fcon_dict[k][3]:
                     l.append("-a -f %s -t %s -r '%s' '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], fcon_dict[k][3], k[0]))
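Review bot: in customized(), the loop over fcon_dict.keys() now relies on get_all(True) returning entries in file_contexts.local order, and nothing in the hunk documents that. Add a comment like the one in the next hunk and state which end of the list is newest: the commit message says entries are matched from the most recent to the oldest, so if import re-adds the "-a" lines in sequence, "semanage export | semanage import" only preserves behaviour when they are emitted oldest first. A test that exports, imports and compares the resulting order would guard this.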
@@ -2752,7 +2752,12 @@ class fcontextRecords(semanageRecords):
         if len(fcon_dict) != 0:
             if heading:
                 print("%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")))
-            for k in sorted(fcon_dict.keys()):
+            # do not sort local customizations since they are evaluated based on the order they where added in
+            if locallist:
+                fkeys = fcon_dict.keys()
+            else:
+                fkeys = sorted(fcon_dict.keys())
+            for k in fkeys:
                 if fcon_dict[k]:
                     if is_mls_enabled:
                         print("%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1], fcon_dict[k][2], translate(fcon_dict[k][3], False)))
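Review bot: the comment added above "if locallist:" has a typo ("they where added in" should read "they were added") and runs well past the line length of the surrounding code; split it over two lines. The sorted() branch still applies to local entries whenever locallist is false, so the order shown in that case does not reflect evaluation order; saying so in the comment would save the next reader from assuming otherwise.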
-- 
2.43.0

