From patchwork Sun May 1 17:54:04 2022
X-Patchwork-Submitter: Dominick Grift
X-Patchwork-Id: 1624922
X-Patchwork-Delegate: daniel@makrotopia.org
From: Dominick Grift
To: openwrt-devel@lists.openwrt.org
Cc: Dominick Grift
Subject: [PATCH] Addresses sed in-place without SELinux awareness
Date: Sun, 1 May 2022 19:54:04 +0200
Message-Id: <20220501175404.182574-1-dominick.grift@defensec.nl>
X-Mailer: git-send-email 2.36.0
List-Id: OpenWrt Development List
Errors-To:
openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org sed(1) in busybox does not support this functionality: https://git.savannah.gnu.org/cgit/sed.git/tree/sed/execute.c#n598 This causes /etc/group to become mislabeled when a package requests that a uid/gid be added on OpenWrt with SELinux Signed-off-by: Dominick Grift --- package/base-files/files/lib/functions.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/package/base-files/files/lib/functions.sh b/package/base-files/files/lib/functions.sh index ee0c33845c..cb08f91d4f 100644 --- a/package/base-files/files/lib/functions.sh +++ b/package/base-files/files/lib/functions.sh @@ -387,6 +387,7 @@ group_add_user() { [ -n "$IPKG_INSTROOT" ] || lock /var/lock/passwd sed -i "s/$grp/$grp$delim$2/g" ${IPKG_INSTROOT}/etc/group [ -n "$IPKG_INSTROOT" ] || lock -u /var/lock/passwd + selinuxenabled 2>/dev/null && restorecon /etc/group } user_add() {
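
Review bot: the added `restorecon /etc/group` line relabels the running system's `/etc/group`, while the `sed -i` just above it edits `${IPKG_INSTROOT}/etc/group`; when `IPKG_INSTROOT` is set, the file that was rewritten is not the one being relabeled, and on an SELinux-enabled build host the host's own file is touched instead. Guarding it the same way as the lock calls, for example `[ -n "$IPKG_INSTROOT" ] || { selinuxenabled 2>/dev/null && restorecon /etc/group; }`, would keep it to the on-device case. Two smaller points: the relabel runs after `lock -u /var/lock/passwd`, so the file stays mislabeled for a moment with the lock already released, and moving the new line above the unlock closes that window; and as the last command in `group_add_user()` it makes the function return non-zero whenever `selinuxenabled` is missing or reports disabled, so a trailing `|| true` or an explicit `return 0` would keep callers that check the status unaffected on non-SELinux systems.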