diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index f19db9d..990a59b 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -1,25 +1,3 @@
-diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
-index 0725b57..f110dcf 100644
---- a/libselinux/include/selinux/selinux.h
-+++ b/libselinux/include/selinux/selinux.h
-@@ -482,6 +482,7 @@ extern const char *selinux_file_context_path(void);
- extern const char *selinux_file_context_homedir_path(void);
- extern const char *selinux_file_context_local_path(void);
- extern const char *selinux_file_context_subs_path(void);
-+extern const char *selinux_file_context_subs_dist_path(void);
- extern const char *selinux_homedir_context_path(void);
- extern const char *selinux_media_context_path(void);
- extern const char *selinux_virtual_domain_context_path(void);
-@@ -514,6 +515,9 @@ extern int selinux_check_securetty_context(const security_context_t tty_context)
- which performs the initial mount of selinuxfs. */
- void set_selinuxmnt(char *mnt);
-
-+/* clear selinuxmnt variable and free allocated memory */
-+void fini_selinuxmnt(void);
-+
- /* Execute a helper for rpm in an appropriate security context. */
- extern int rpm_execcon(unsigned int verified,
- const char *filename,
 diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
 index bf665ab..ccd08ae 100644
 --- a/libselinux/src/Makefile
@@ -196,99 +174,8 @@ index b245364..7c47222 100644
 va_start(ap, fmt);
 rc = vfprintf(stderr, fmt, ap);
 va_end(ap);
-diff --git a/libselinux/src/file_path_suffixes.h b/libselinux/src/file_path_suffixes.h
-index ccf43e1..0b00156 100644
---- a/libselinux/src/file_path_suffixes.h
-+++ b/libselinux/src/file_path_suffixes.h
-@@ -23,4 +23,5 @@ S_(BINPOLICY, "/policy/policy")
- S_(VIRTUAL_DOMAIN, "/contexts/virtual_domain_context")
- S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context")
- S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs")
-+ S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist")
- S_(SEPGSQL_CONTEXTS, "/contexts/sepgsql_contexts")
-diff --git a/libselinux/src/init.c b/libselinux/src/init.c
-index 1dd9838..a948920 100644
---- a/libselinux/src/init.c
-+++ b/libselinux/src/init.c
-@@ -96,12 +96,14 @@ static void init_selinuxmnt(void)
- return;
- }
-
--static void fini_selinuxmnt(void)
-+void fini_selinuxmnt(void)
- {
- free(selinux_mnt);
- selinux_mnt = NULL;
- }
-
-+hidden_def(fini_selinuxmnt)
-+
- void set_selinuxmnt(char *mnt)
- {
- selinux_mnt = strdup(mnt);
-diff --git a/libselinux/src/label.c b/libselinux/src/label.c
-index 2fd19c5..ba316df 100644
---- a/libselinux/src/label.c
-+++ b/libselinux/src/label.c
-@@ -56,12 +56,11 @@ static char *selabel_sub(struct selabel_sub *ptr, const char *src)
- return NULL;
- }
-
--static struct selabel_sub *selabel_subs_init(void)
-+static struct selabel_sub *selabel_subs_init(const char *path,struct selabel_sub *list)
- {
- char buf[1024];
-- FILE *cfg = fopen(selinux_file_context_subs_path(), "r");
-+ FILE *cfg = fopen(path, "r");
- struct selabel_sub *sub;
-- struct selabel_sub *list = NULL;
-
- if (cfg) {
- while (fgets_unlocked(buf, sizeof(buf) - 1, cfg)) {
-@@ -160,7 +159,10 @@ struct selabel_handle *selabel_open(unsigned int backend,
- memset(rec, 0, sizeof(*rec));
- rec->backend = backend;
- rec->validating = selabel_is_validate_set(opts, nopts);
-- rec->subs = selabel_subs_init();
-+
-+ rec->subs = NULL;
-+ rec->subs = selabel_subs_init(selinux_file_context_subs_dist_path(), rec->subs);
-+ rec->subs = selabel_subs_init(selinux_file_context_subs_path(), rec->subs);
-
- if ((*initfuncs[backend])(rec, opts, nopts)) {
- free(rec);
-diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
-index 36ce029..83d2143 100644
---- a/libselinux/src/load_policy.c
-+++ b/libselinux/src/load_policy.c
-@@ -329,7 +329,7 @@ int selinux_init_load_policy(int *enforce)
- selinux_getenforcemode(&seconfig);
-
- /* Check for an override of the mode via the kernel command line. */
-- rc = mount("none", "/proc", "proc", 0, 0);
-+ rc = mount("proc", "/proc", "proc", 0, 0);
- cfg = fopen("/proc/cmdline", "r");
- if (cfg) {
- char *tmp;
-@@ -369,7 +369,7 @@ int selinux_init_load_policy(int *enforce)
- * Check for the existence of SELinux via selinuxfs, and
- * mount it if present for use in the calls below.
- */
-- if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) {
-+ if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) {
- if (errno == ENODEV) {
- /*
- * SELinux was disabled in the kernel, either
-@@ -398,6 +398,7 @@ int selinux_init_load_policy(int *enforce)
- if (rc == 0) {
- /* Successfully disabled, so umount selinuxfs too. */
- umount(SELINUXMNT);
-+ fini_selinuxmnt();
- }
- /*
- * If we failed to disable, SELinux will still be
 diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
-index f3e45af..da5cab9 100644
+index 5fd8fe4..da5cab9 100644
 --- a/libselinux/src/matchpathcon.c
 +++ b/libselinux/src/matchpathcon.c
 @@ -2,6 +2,7 @@
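Review bot: Nothing visible in this hunk shows that the sections it drops from the downstream patch (init.c, label.c, load_policy.c) are already in the new upstream base, and they carry behaviour rather than cleanup: `fini_selinuxmnt()` after `umount(SELINUXMNT)`, the `file_contexts.subs_dist` lookup in `selabel_open`, and the named `mount()` sources. For matchpathcon.c the rewritten `index 5fd8fe4..da5cab9` line keeps the same post-image blob, which suggests the patched result is unchanged there, but fully removed sections leave no such evidence. The same question applies to the later hunks that drop the `destructor_key_initialized` guards and the value-returning `__selinux_key_create` macro (selinux_internal.h, matchpathcon.c, setrans_client.c), since the guards depend on the macro returning a value. I would state the absorbing release in the commit message or spec changelog, for example `- Drop hunks merged upstream in libselinux <VERSION>`, and confirm it against the new tarball.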
@@ -299,15 +186,7 @@ index f3e45af..da5cab9 100644
 #include "selinux_internal.h"
 #include "label_internal.h"
 #include "callbacks.h"
-@@ -17,6 +18,7 @@ static __thread int con_array_used;
-
- static pthread_once_t once = PTHREAD_ONCE_INIT;
- static pthread_key_t destructor_key;
-+static int destructor_key_initialized = 0;
-
- static int add_array_elt(char *con)
- {
-@@ -60,7 +62,7 @@ static void
+@@ -61,7 +62,7 @@ static void
 {
 va_list ap;
 va_start(ap, fmt);
@@ -316,23 +195,6 @@ index f3e45af..da5cab9 100644
 va_end(ap);
 }
-@@ -292,12 +294,14 @@ static void matchpathcon_thread_destructor(void __attribute__((unused)) *ptr)
-
- void __attribute__((destructor)) matchpathcon_lib_destructor(void)
- {
-- __selinux_key_delete(destructor_key);
-+ if (destructor_key_initialized)
-+ __selinux_key_delete(destructor_key);
- }
-
- static void matchpathcon_init_once(void)
- {
-- __selinux_key_create(&destructor_key, matchpathcon_thread_destructor);
-+ if (__selinux_key_create(&destructor_key, matchpathcon_thread_destructor) == 0)
-+ destructor_key_initialized = 1;
- }
-
- int matchpathcon_init_prefix(const char *path, const char *subset)
 diff --git a/libselinux/src/selinux.py b/libselinux/src/selinux.py
 index fd63a4f..705012c 100644
 --- a/libselinux/src/selinux.py
@@ -394,65 +256,6 @@ index fd63a4f..705012c 100644
 def selinux_contexts_path():
 return _selinux.selinux_contexts_path()
 selinux_contexts_path = _selinux.selinux_contexts_path
-diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
-index e040959..f4c33df 100644
---- a/libselinux/src/selinux_config.c
-+++ b/libselinux/src/selinux_config.c
-@@ -45,7 +45,8 @@
- #define VIRTUAL_IMAGE 22
- #define FILE_CONTEXT_SUBS 23
- #define SEPGSQL_CONTEXTS 24
--#define NEL 25
-+#define FILE_CONTEXT_SUBS_DIST 25
-+#define NEL 26
-
- /* Part of one-time lazy init */
- static pthread_once_t once = PTHREAD_ONCE_INIT;
-@@ -423,6 +424,12 @@ const char * selinux_file_context_subs_path(void) {
-
- hidden_def(selinux_file_context_subs_path)
-
-+const char * selinux_file_context_subs_dist_path(void) {
-+ return get_path(FILE_CONTEXT_SUBS_DIST);
-+}
-+
-+hidden_def(selinux_file_context_subs_dist_path)
-+
- const char *selinux_sepgsql_context_path()
- {
- return get_path(SEPGSQL_CONTEXTS);
-diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
-index fdddfaf..806e87c 100644
---- a/libselinux/src/selinux_internal.h
-+++ b/libselinux/src/selinux_internal.h
-@@ -3,6 +3,7 @@
- #include "dso.h"
-
- hidden_proto(selinux_mkload_policy)
-+ hidden_proto(fini_selinuxmnt)
- hidden_proto(set_selinuxmnt)
- hidden_proto(security_disable)
- hidden_proto(security_policyvers)
-@@ -65,6 +66,7 @@ hidden_proto(selinux_mkload_policy)
- hidden_proto(selinux_file_context_path)
- hidden_proto(selinux_file_context_homedir_path)
- hidden_proto(selinux_file_context_local_path)
-+ hidden_proto(selinux_file_context_subs_dist_path)
- hidden_proto(selinux_file_context_subs_path)
- hidden_proto(selinux_netfilter_context_path)
- hidden_proto(selinux_homedir_context_path)
-@@ -114,10 +116,7 @@ extern int selinux_page_size hidden;
-
- /* Pthread key macros */
- #define __selinux_key_create(KEY, DESTRUCTOR) \
-- do { \
-- if (pthread_key_create != NULL) \
-- pthread_key_create(KEY, DESTRUCTOR); \
-- } while (0)
-+ (pthread_key_create != NULL ? pthread_key_create(KEY, DESTRUCTOR) : -1)
-
- #define __selinux_key_delete(KEY) \
- do { \
 diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
 index dea0e80..bb227e9 100644
 --- a/libselinux/src/selinuxswig_python.i
@@ -1537,36 +1340,3 @@ index e0884f6..b131d2e 100644
 SWIG_Python_SetConstant(d, "SELINUX_AVD_FLAGS_PERMISSIVE",SWIG_From_int((int)(0x0001)));
 SWIG_Python_SetConstant(d, "SELINUX_CB_LOG",SWIG_From_int((int)(0)));
 SWIG_Python_SetConstant(d, "SELINUX_CB_AUDIT",SWIG_From_int((int)(1)));
-diff --git a/libselinux/src/setrans_client.c b/libselinux/src/setrans_client.c
-index 4bdbe08..e074142 100644
---- a/libselinux/src/setrans_client.c
-+++ b/libselinux/src/setrans_client.c
-@@ -35,6 +35,7 @@ static __thread security_context_t prev_r2c_raw = NULL;
-
- static pthread_once_t once = PTHREAD_ONCE_INIT;
- static pthread_key_t destructor_key;
-+static int destructor_key_initialized = 0;
- static __thread char destructor_initialized;
-
- /*
-@@ -254,7 +255,8 @@ static void setrans_thread_destructor(void __attribute__((unused)) *unused)
-
- void __attribute__((destructor)) setrans_lib_destructor(void)
- {
-- __selinux_key_delete(destructor_key);
-+ if (destructor_key_initialized)
-+ __selinux_key_delete(destructor_key);
- }
-
- static inline void init_thread_destructor(void)
-@@ -267,7 +269,9 @@ static inline void init_thread_destructor(void)
-
- static void init_context_translations(void)
- {
-- __selinux_key_create(&destructor_key, setrans_thread_destructor);
-+ if (__selinux_key_create(&destructor_key, setrans_thread_destructor) == 0)
-+ destructor_key_initialized = 1;
-+
- mls_enabled = is_selinux_mls_enabled();
- }
-