diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch index 40ddfb7..5e11a60 100644 --- a/libselinux-rhat.patch +++ b/libselinux-rhat.patch @@ -96,21 +96,32 @@ index 8674e37..89bb4d3 100644 .BR selinux (8) - diff --git a/libselinux/man/man8/setenforce.8 b/libselinux/man/man8/setenforce.8 -index 8a010d6..9a779db 100644 +index 8a010d6..639883e 100644 --- a/libselinux/man/man8/setenforce.8 +++ b/libselinux/man/man8/setenforce.8 -@@ -7,11 +7,6 @@ setenforce \- modify the mode SELinux is running in. +@@ -6,18 +6,14 @@ setenforce \- modify the mode SELinux is running in. + .SH "DESCRIPTION" Use Enforcing or 1 to put SELinux in enforcing mode. ++.br Use Permissive or 0 to put SELinux in permissive mode. -You need to modify -.I /etc/grub.conf -or -.I /etc/selinux/config -to disable SELinux. ++ ++If SELinux is disabled and you want to enable it, or SELinux is enabled and you want to disable it, please see ++.B selinux(8). .SH AUTHOR Dan Walsh, + + .SH "SEE ALSO" + selinux(8), getenforce(8), selinuxenabled(8) +- +-.SH FILES +-/etc/grub.conf, /etc/selinux/config diff --git a/libselinux/src/callbacks.c b/libselinux/src/callbacks.c index b245364..7c47222 100644 --- a/libselinux/src/callbacks.c 
@@ -123,8 +134,72 @@ index b245364..7c47222 100644
 va_start(ap, fmt);
 rc = vfprintf(stderr, fmt, ap);
 va_end(ap);
+diff --git a/libselinux/src/label.c b/libselinux/src/label.c
+index f1c9a25..a9e0853 100644
+--- a/libselinux/src/label.c
++++ b/libselinux/src/label.c
+@@ -184,6 +184,12 @@ selabel_lookup_common(struct selabel_handle *rec, int translating,
+ const char *key, int type)
+ {
+ struct selabel_lookup_rec *lr;
++
++ if (key == NULL) {
++ errno = EINVAL;
++ return NULL;
++ }
++
+ char *ptr = selabel_sub(rec->subs, key);
+ if (ptr) {
+ lr = rec->func_lookup(rec, ptr, type);
+@@ -194,7 +200,7 @@ selabel_lookup_common(struct selabel_handle *rec, int translating,
+ if (!lr)
+ return NULL;
+ 
+- if (compat_validate(rec, lr, "file_contexts", 0))
++ if (compat_validate(rec, lr, rec->spec_file, 0))
+ return NULL;
+ 
+ if (translating && !lr->ctx_trans &&
+@@ -234,6 +240,7 @@ void selabel_close(struct selabel_handle *rec)
+ {
+ selabel_subs_fini(rec->subs);
+ rec->func_close(rec);
++ free(rec->spec_file);
+ free(rec);
+ }
+ 
+diff --git a/libselinux/src/label_db.c b/libselinux/src/label_db.c
+index 7afacf0..ab0696a 100644
+--- a/libselinux/src/label_db.c
++++ b/libselinux/src/label_db.c
+@@ -230,7 +230,7 @@ db_stats(struct selabel_handle *rec)
+ * selabel_open() handler
+ */
+ static catalog_t *
+-db_init(struct selinux_opt *opts, unsigned nopts)
++db_init(struct selinux_opt *opts, unsigned nopts, struct selabel_handle *rec)
+ {
+ catalog_t *catalog;
+ FILE *filp;
+@@ -275,6 +275,7 @@ db_init(struct selinux_opt *opts, unsigned nopts)
+ free(catalog);
+ return NULL;
+ }
++ rec->spec_file = strdup(path);
+ 
+ /*
+ * Parse for each lines
+@@ -332,7 +333,7 @@ int selabel_db_init(struct selabel_handle *rec,
+ rec->func_close = &db_close;
+ rec->func_lookup = &db_lookup;
+ rec->func_stats = &db_stats;
+- rec->data = db_init(opts, nopts);
++ rec->data = db_init(opts, nopts, rec);
+ 
+ return !rec->data ? -1 : 0;
+ }
 diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
-index ac11b37..42889cf 100644
+index ac11b37..82a608c 100644
 --- a/libselinux/src/label_file.c
 +++ b/libselinux/src/label_file.c
 @@ -27,6 +27,7 @@
@@ -197,7 +272,15 @@ index ac11b37..42889cf 100644
 break;
 case SELABEL_OPT_BASEONLY:
 baseonly = !!opts[n].value;
-@@ -480,7 +497,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+@@ -462,6 +479,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+ if (localfp != NULL)
+ __fsetlocking(localfp, FSETLOCKING_BYCALLER);
+ }
++ rec->spec_file = strdup(path);
+ 
+ /*
+ * Perform two passes over the specification file.
+@@ -480,7 +498,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
 while (getline(&line_buf, &line_len, fp) > 0) {
 if (data->nspec >= maxnspec)
 break;
@@ -206,7 +289,7 @@ index ac11b37..42889cf 100644
 if (status)
 goto finish;
 }
-@@ -496,7 +513,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+@@ -496,7 +514,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
 while (getline(&line_buf, &line_len, homedirfp) > 0) {
 if (data->nspec >= maxnspec)
 break;
@@ -215,7 +298,7 @@ index ac11b37..42889cf 100644
 if (status)
 goto finish;
 }
-@@ -506,7 +523,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+@@ -506,7 +524,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
 while (getline(&line_buf, &line_len, localfp) > 0) {
 if (data->nspec >= maxnspec)
 break;
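Review bot: `rec->spec_file = strdup(path);` added in db_init is never checked, so on allocation failure spec_file stays NULL and the new `compat_validate(rec, lr, rec->spec_file, 0)` in selabel_lookup_common hands a NULL `path` to COMPAT_LOG's `%s` (and to any myinvalidcon/mycanoncon callback), which is undefined behaviour rather than a diagnostic. Either make db_init fail when the copy cannot be made — `if (!rec->spec_file) { /* release filp and catalog as on the other error paths */ return NULL; }` — or have selabel_lookup_common substitute a literal, e.g. `rec->spec_file ? rec->spec_file : "(unknown)"`. The same unchecked strdup is added for label_file.c (hunk @@ -197), label_media.c and label_x.c (hunk @@ -224). Separately, only selabel_close frees spec_file; if selabel_open's failure path (outside this diff) frees rec directly when a backend init fails after the strdup, the string leaks, so that path would need `free(rec->spec_file);` as well — worth confirming.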
@@ -224,8 +307,49 @@ index ac11b37..42889cf 100644
 if (status)
 goto finish;
 }
+diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
+index 02dbe73..79d5495 100644
+--- a/libselinux/src/label_internal.h
++++ b/libselinux/src/label_internal.h
+@@ -59,6 +59,12 @@ struct selabel_handle {
+ /* supports backend-specific state information */
+ void *data;
+ 
++ /*
++ * The main spec file used. Note for file contexts the local and/or
++ * homedirs could also have been used to resolve a context.
++ */
++ char *spec_file;
++
+ /* substitution support */
+ struct selabel_sub *subs;
+ };
+diff --git a/libselinux/src/label_media.c b/libselinux/src/label_media.c
+index f8986e4..227785f 100644
+--- a/libselinux/src/label_media.c
++++ b/libselinux/src/label_media.c
+@@ -100,6 +100,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+ errno = EINVAL;
+ return -1;
+ }
++ rec->spec_file = strdup(path);
+ 
+ /*
+ * Perform two passes over the specification file.
+diff --git a/libselinux/src/label_x.c b/libselinux/src/label_x.c
+index a9bfaa5..896ef02 100644
+--- a/libselinux/src/label_x.c
++++ b/libselinux/src/label_x.c
+@@ -127,6 +127,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+ errno = EINVAL;
+ return -1;
+ }
++ rec->spec_file = strdup(path);
+ 
+ /*
+ * Perform two passes over the specification file.
 diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
-index c396add..489ef3a 100644
+index c396add..c625f55 100644
 --- a/libselinux/src/matchpathcon.c
 +++ b/libselinux/src/matchpathcon.c
 @@ -2,6 +2,7 @@
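Review bot: The comment on the new `char *spec_file;` in struct selabel_handle says what the field names but not its ownership or nullability, which the rest of the patch depends on: each backend init sets it with strdup(path) and selabel_close frees it, so a backend that does not set it, or a failed strdup, leaves it NULL at the point selabel_lookup_common passes it to compat_validate. Suggest extending the comment to `/* Path passed to compat_validate() for lookup-time diagnostics; strdup()ed by the backend init, freed in selabel_close(); NULL if not set or if the copy failed. */`. The label_media.c and label_x.c init functions continue past their hunks, so whether a failure later in init releases the string is not visible here.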
@@ -279,6 +403,24 @@ index c396add..489ef3a 100644 hidden_def(matchpathcon_init_prefix) int matchpathcon_init(const char *path) +@@ -531,9 +539,14 @@ int compat_validate(struct selabel_handle *rec, + else { + rc = selabel_validate(rec, contexts); + if (rc < 0) { +- COMPAT_LOG(SELINUX_WARNING, +- "%s: line %d has invalid context %s\n", +- path, lineno, *ctx); ++ if (lineno) { ++ COMPAT_LOG(SELINUX_WARNING, ++ "%s: line %d has invalid context %s\n", ++ path, lineno, *ctx); ++ } else { ++ COMPAT_LOG(SELINUX_WARNING, ++ "%s: has invalid context %s\n", path, *ctx); ++ } + } + } + diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h index 710396a..9a3fc14 100644 --- a/libselinux/src/selinux_internal.h diff --git a/libselinux.spec b/libselinux.spec index 06818d9..2233788 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -7,7 +7,7 @@ Summary: SELinux library and simple utilities Name: libselinux Version: 2.1.8 -Release: 4%{?dist} +Release: 5%{?dist} License: Public Domain Group: System Environment/Libraries Source: %{name}-%{version}.tgz @@ -231,6 +231,15 @@ rm -rf %{buildroot} %{ruby_sitearch}/selinux.so %changelog +* Mon Dec 18 2011 Dan Walsh - 2.1.8-5 +- Add patch from Richard Haines + When selabel_lookup found an invalid context with validation enabled, it + always stated it was 'file_contexts' whether media, x, db or file. + The fix is to store the spec file name in the selabel_lookup_rec on + selabel_open and use this as output for logs. Also a minor fix if key is + NULL to stop seg faults. +- Fix setenforce manage page. + * Thu Dec 15 2011 Dan Walsh - 2.1.8-4 - Rebuild with new libsepol
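Review bot: The new `if (lineno)` branch in compat_validate turns a zero line number into an implicit "no source line" sentinel, but nothing in the function records that convention; the lookup-time call in selabel_lookup_common is the one visible caller passing 0, and any parser that numbered lines from 0 (other callers are outside this diff) would silently lose its line numbers from the warning. Suggest a comment on the branch, `/* lineno == 0: validation at lookup time (selabel_lookup_common), no spec-file line to report */`, and keeping the two COMPAT_LOG calls as separate literal format strings rather than folding them into one. The fallback message still prints `path`, which for lookups is rec->spec_file and may be NULL if the backend's strdup failed (see the label_db.c hunk). The enclosing compat_validate body begins above this hunk.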