Fix SELinux labeling for Usermin runtime data #135
This PR adds SELinux context handling for Usermin’s default runtime directory on EL systems. Setup now persists and applies a `var_run_t` fcontext rule when SELinux is enabled, falls back safely when SELinux tooling is unavailable, and removes the local fcontext rule when `/var/usermin` is deleted during uninstall.
| if [ "\$?" = 0 ]; then | ||
| # RPM is being removed, and no new version of usermin | ||
| # has taken it's place. Delete the config files | ||
| if command -v semanage >/dev/null 2>&1; then |
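Review bot: the `if command -v semanage >/dev/null 2>&1; then` guard in this hunk depends on the `command` builtin, which the thread below confirms is absent from legacy Solaris /bin/sh; as an RPM scriptlet it only ever runs under the EL /bin/sh, so it works here, but if the same guard is shared with setup.sh, use `type semanage >/dev/null 2>&1` or `[ -x /usr/sbin/semanage ]` so the check cannot error on shells without `command`. Separately, the comment above it should read "its place", not "it's place".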
Does `if command` work on all operating systems, including those without bash?
Better to use `which` or maybe just `-x` instead.
Definitely not `which`. `command -v` is specified by POSIX sh, so it works without Bash on normal Unix/POSIX shells such as dash, ash, ksh, BusyBox sh, etc.
Actually I may have misunderstood what `command` does. Are you using it to check if the `semanage` command is installed, or something else?
Yes, `command -v semanage` is being used to check whether `semanage` is available in the current PATH.
And, we cannot use `has_command` in this context, just in case.
So I checked the man page for sh on some other operating systems we support, and it seems like `command` is not supported on Solaris: https://docs.oracle.com/cd/E86824_01/html/E54763/sh-1.html
Hence I don't think we can use it, and in fact we should be very careful to not use bash-specific code in setup.sh.
setup.sh already had a pre-existing `command -v systemctl` use, so this is not a brand-new portability issue, and the makerpm.pl RPM scriptlet does not matter for Solaris at all.
And, even though the Oracle docs show `command` is not a built-in of Solaris legacy sh, their shell_builtins table lists `command` only for ksh, while `type` is listed for sh too.
The same docs also say Solaris has /usr/xpg4/bin/sh as the standards-compliant shell, and note that /usr/bin/sh links to ksh93 on Solaris 11, where `command` should exist.
Therefore, I don’t think we should change style just for legacy Solaris /usr/sunos/bin/sh, especially since setup.sh has already used `command -v` for a long time without reported issues.
Well I guess we got lucky with that systemctl case, although it probably generated an odd error message on systems using legacy /bin/sh. Don't forget that there are also embedded system Linuxes that don't have the full bash because they lack storage space, and people do run Webmin on them.
Please just change this to `if [ -x /usr/sbin/semanage ];` or something. It's a tiny change for improved cross-system compatibility!
Alright, updated to use `type`, which is better than `which` and also supported by older versions of Solaris.
Hello Jamie,

This PR adds SELinux context handling for Usermin’s default runtime directory on EL systems. Setup now persists and applies a `var_run_t` fcontext rule when SELinux is enabled, falls back safely when SELinux tooling is unavailable, and removes the local fcontext rule when `/var/usermin` is deleted during uninstall. Discussed originally here:
https://forum.virtualmin.com/t/usermin-needs-selinux-fix/137474
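The portability question debated in the review thread (`command -v` vs `which` vs `type` vs `-x`), together with the fcontext add/remove behaviour the PR describes, as an added example that is not the PR's own setup.sh or makerpm.pl code. It goes one step past Jamie's `-x` suggestion by walking PATH instead of hardcoding /usr/sbin, using only `test` so it runs under legacy Bourne sh as well as POSIX sh; the runtime directory /var/usermin, the `var_run_t` label and all function names are assumptions.

```shell
# Added example, not code from this PR: portable tool detection in plain
# Bourne/POSIX sh plus the SELinux fcontext handling the PR describes, with
# safe fallback. Assumed: dir /var/usermin, label var_run_t, hypothetical names.
USERMIN_RUN="${USERMIN_RUN:-/var/usermin}"
# have_cmd NAME: 0 if NAME is an executable on PATH (or at NAME if it has a
# slash). Needs only 'test': works where 'command -v' or 'which' do not.
have_cmd() {
    case $1 in
        */*) test -f "$1" -a -x "$1"; return ;;
    esac
    _ifs=$IFS; IFS=:
    for _d in $PATH; do
        [ -n "$_d" ] || _d=.
        if [ -f "$_d/$1" ] && [ -x "$_d/$1" ]; then
            IFS=$_ifs; return 0
        fi
    done
    IFS=$_ifs; return 1
}

# selinux_active: 0 only when getenforce exists and reports a live policy.
selinux_active() {
    have_cmd getenforce || return 1
    case `getenforce 2>/dev/null` in
        Enforcing|Permissive) return 0 ;;
    esac
    return 1
}

# usermin_label_runtime: add (or modify) the var_run_t rule and apply it;
# returns 0 having done nothing when SELinux or semanage is absent.
usermin_label_runtime() {
    selinux_active || return 0
    if have_cmd semanage; then
        semanage fcontext -a -t var_run_t "$USERMIN_RUN(/.*)?" 2>/dev/null ||
            semanage fcontext -m -t var_run_t "$USERMIN_RUN(/.*)?" || return 1
        if have_cmd restorecon; then restorecon -R "$USERMIN_RUN"; fi
    else
        echo "semanage not found; leaving $USERMIN_RUN unlabeled" >&2
    fi
    return 0
}

# usermin_unlabel_runtime: drop the local rule at uninstall; never fatal.
usermin_unlabel_runtime() {
    if have_cmd semanage; then
        semanage fcontext -d -t var_run_t "$USERMIN_RUN(/.*)?" 2>/dev/null
    fi
    return 0
}
```

On a host without SELinux tooling both label functions return 0 without running anything, which is the "falls back safely" path; on an EL host with `semanage` they persist and apply the rule.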