Add systemd_contexts support

- Do substitutions on a local sub followed by a dist sub
2013-10-04 10:16:56 -04:00 · 2013-10-04 10:16:56 -04:00 · 82deec5e5b
parent 0695b75fac
commit 82deec5e5b
2 changed files with 135 additions and 9 deletions
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@ -1,5 +1,5 @@
 diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
-index a4079aa..0b122af 100644
+index a4079aa..52d6700 100644
 --- a/libselinux/include/selinux/selinux.h
 +++ b/libselinux/include/selinux/selinux.h
@@ -177,6 +177,7 @@ extern void selinux_set_callback(int type, union selinux_callback cb);
@ -26,6 +26,14 @@ index a4079aa..0b122af 100644
 extern const char *selinux_binary_policy_path(void);
 extern const char *selinux_failsafe_context_path(void);
 extern const char *selinux_removable_context_path(void);
+@@ -515,6 +523,7 @@ extern const char *selinux_virtual_image_context_path(void);
+ extern const char *selinux_lxc_contexts_path(void);
+ extern const char *selinux_x_context_path(void);
+ extern const char *selinux_sepgsql_context_path(void);
+extern const char *selinux_systemd_contexts_path(void);
+ extern const char *selinux_contexts_path(void);
+ extern const char *selinux_securetty_types_path(void);
+ extern const char *selinux_booleans_subs_path(void);
 diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
 index c6837fc..de62d26 100644
 --- a/libselinux/man/man3/security_compute_av.3
@ -705,6 +713,18 @@ index 802a07f..6ff83a7 100644
 	return rc;
 }
 
+diff --git a/libselinux/src/file_path_suffixes.h b/libselinux/src/file_path_suffixes.h
+index d11c8dc..3c92424 100644
+--- a/libselinux/src/file_path_suffixes.h
+++ b/libselinux/src/file_path_suffixes.h
+@@ -23,6 +23,7 @@ S_(BINPOLICY, "/policy/policy")
+     S_(VIRTUAL_DOMAIN, "/contexts/virtual_domain_context")
+     S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context")
+     S_(LXC_CONTEXTS, "/contexts/lxc_contexts")
+    S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts")
+     S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs")
+     S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist")
+     S_(SEPGSQL_CONTEXTS, "/contexts/sepgsql_contexts")
 diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c
 index 309105c..0e9278e 100644
 --- a/libselinux/src/fsetfilecon.c
@ -819,7 +839,7 @@ index b9e8002..1d91123 100644
 
 hidden_def(get_ordered_context_list)
 diff --git a/libselinux/src/label.c b/libselinux/src/label.c
-index 11f6e96..f5cb52a 100644
+index 11f6e96..b6b3639 100644
 --- a/libselinux/src/label.c
 +++ b/libselinux/src/label.c
@@ -43,12 +43,18 @@ static void selabel_subs_fini(struct selabel_sub *ptr)
@ -842,10 +862,68 @@ index 11f6e96..f5cb52a 100644
 					return NULL;
 				return dst;
 			}
+@@ -58,7 +64,7 @@ static char *selabel_sub(struct selabel_sub *ptr, const char *src)
+ 	return NULL;
+ }
+ 
+-struct selabel_sub *selabel_subs_init(const char *path,struct selabel_sub *list)
+struct selabel_sub *selabel_subs_init(const char *path, struct selabel_sub *list)
+ {
+ 	char buf[1024];
+ 	FILE *cfg = fopen(path, "r");
+@@ -171,6 +177,7 @@ struct selabel_handle *selabel_open(unsigned int backend,
+ 	rec->validating = selabel_is_validate_set(opts, nopts);
+ 
+ 	rec->subs = NULL;
+	rec->dist_subs = NULL;
+ 
+ 	if ((*initfuncs[backend])(rec, opts, nopts)) {
+ 		free(rec);
+@@ -186,13 +193,24 @@ selabel_lookup_common(struct selabel_handle *rec, int translating,
+ 		      const char *key, int type)
+ {
+ 	struct selabel_lookup_rec *lr;
+	char *ptr = NULL;
+	char *dptr = NULL;
+ 
+ 	if (key == NULL) {
+ 		errno = EINVAL;
+ 		return NULL;
+ 	}
+ 
+-	char *ptr = selabel_sub(rec->subs, key);
+	ptr = selabel_sub(rec->subs, key);
+	if (ptr) {
+		dptr = selabel_sub(rec->dist_subs, ptr);
+		if (dptr) {
+			free(ptr);
+			ptr = dptr;
+		}
+	} else {
+		ptr = selabel_sub(rec->dist_subs, key);
+	}
+ 	if (ptr) {
+ 		lr = rec->func_lookup(rec, ptr, type); 
+ 		free(ptr);
 diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
-index 5f697f3..9b0d6b0 100644
+index 5f697f3..c424a21 100644
 --- a/libselinux/src/label_file.c
 +++ b/libselinux/src/label_file.c
+@@ -496,12 +496,12 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+ 
+ 	/* Process local and distribution substitution files */
+ 	if (!path) {
+-		rec->subs = selabel_subs_init(selinux_file_context_subs_dist_path(), rec->subs);
+		rec->dist_subs = selabel_subs_init(selinux_file_context_subs_dist_path(), rec->dist_subs);
+ 		rec->subs = selabel_subs_init(selinux_file_context_subs_path(), rec->subs);
+ 		path = selinux_file_context_path();
+ 	} else {
+ 		snprintf(subs_file, sizeof(subs_file), "%s.subs_dist", path);
+-		rec->subs = selabel_subs_init(subs_file, rec->subs);
+		rec->dist_subs = selabel_subs_init(subs_file, rec->dist_subs);
+ 		snprintf(subs_file, sizeof(subs_file), "%s.subs", path);
+ 		rec->subs = selabel_subs_init(subs_file, rec->subs);
+ 	}
@@ -649,6 +649,8 @@ static struct selabel_lookup_rec *lookup(struct selabel_handle *rec,
 				break;
 			} else if (rc == PCRE_ERROR_NOMATCH)
@ -863,6 +941,18 @@ index 5f697f3..9b0d6b0 100644
 	ret = &spec_arr[i].lr;
 
 finish:
+diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
+index 435ecf2..b6ae140 100644
+--- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h
+@@ -68,6 +68,7 @@ struct selabel_handle {
+ 	char *spec_file;
+ 
+ 	/* substitution support */
+	struct selabel_sub *dist_subs;
+ 	struct selabel_sub *subs;
+ };
+ 
 diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c
 index 461e3f7..ab85155 100644
 --- a/libselinux/src/lsetfilecon.c
@ -1019,7 +1109,7 @@ index 6c5b45a..ecaccc6 100644
 		return 0;
 	}
 diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
-index 296f357..9aee32f 100644
+index 296f357..2cd6d54 100644
 --- a/libselinux/src/selinux_config.c
 +++ b/libselinux/src/selinux_config.c
@@ -8,6 +8,8 @@
@ -1031,7 +1121,17 @@ index 296f357..9aee32f 100644
 #include "selinux_internal.h"
 #include "get_default_type_internal.h"
 
-@@ -138,6 +140,13 @@ int selinux_getpolicytype(char **type)
+@@ -48,7 +50,8 @@
+ #define FILE_CONTEXT_SUBS_DIST 25
+ #define LXC_CONTEXTS      26
+ #define BOOLEAN_SUBS      27
+-#define NEL               28
+#define SYSTEMD_CONTEXTS  28
+#define NEL               29
+ 
+ /* Part of one-time lazy init */
+ static pthread_once_t once = PTHREAD_ONCE_INIT;
+@@ -138,6 +141,13 @@ int selinux_getpolicytype(char **type)
 
 hidden_def(selinux_getpolicytype)
 
@ -1045,7 +1145,7 @@ index 296f357..9aee32f 100644
 static char *selinux_policyroot = NULL;
 static const char *selinux_rootpath = SELINUXDIR;
 
-@@ -261,6 +270,37 @@ const char *selinux_policy_root(void)
+@@ -261,6 +271,37 @@ const char *selinux_policy_root(void)
 	return selinux_policyroot;
 }
 
@ -1083,7 +1183,7 @@ index 296f357..9aee32f 100644
 const char *selinux_path(void)
 {
 	return selinux_rootpath;
-@@ -303,6 +343,31 @@ const char *selinux_binary_policy_path(void)
+@@ -303,6 +344,31 @@ const char *selinux_binary_policy_path(void)
 
 hidden_def(selinux_binary_policy_path)
 
@ -1115,8 +1215,22 @@ index 296f357..9aee32f 100644
 const char *selinux_file_context_path(void)
 {
 	return get_path(FILE_CONTEXTS);
+@@ -427,6 +493,13 @@ const char *selinux_lxc_contexts_path(void)
+ 
+ hidden_def(selinux_lxc_contexts_path)
+ 
+const char *selinux_systemd_contexts_path(void)
+{
+	return get_path(SYSTEMD_CONTEXTS);
+}
+
+hidden_def(selinux_systemd_contexts_path)
+
+ const char * selinux_booleans_subs_path(void) {
+ 	return get_path(BOOLEAN_SUBS);
+ }
 diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
-index 2c7c85c..4a4aebc 100644
+index 2c7c85c..afb2170 100644
 --- a/libselinux/src/selinux_internal.h
 +++ b/libselinux/src/selinux_internal.h
@@ -60,6 +60,7 @@ hidden_proto(selinux_mkload_policy)
@ -1127,6 +1241,14 @@ index 2c7c85c..4a4aebc 100644
     hidden_proto(selinux_binary_policy_path)
     hidden_proto(selinux_booleans_subs_path)
     hidden_proto(selinux_default_context_path)
+@@ -82,6 +83,7 @@ hidden_proto(selinux_mkload_policy)
+     hidden_proto(selinux_media_context_path)
+     hidden_proto(selinux_x_context_path)
+     hidden_proto(selinux_sepgsql_context_path)
+    hidden_proto(selinux_systemd_contexts_path)
+     hidden_proto(selinux_path)
+     hidden_proto(selinux_check_passwd_access)
+     hidden_proto(selinux_check_securetty_context)
 diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
 index 359bd02..9884454 100644
 --- a/libselinux/src/selinuxswig_python.i
--- a/libselinux.spec
+++ b/libselinux.spec
@ -10,7 +10,7 @@
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 2.1.13
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 Source: %{name}-%{version}.tgz
@ -240,6 +240,10 @@ rm -rf %{buildroot}
 %{ruby_sitearch}/selinux.so

 %changelog
+* Fri Oct 4 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-21
+- Add systemd_contexts support
+- Do substitutions on a local sub followed by a dist sub
+
 * Thu Oct 3 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-20
 - Eliminate requirement on pthread library, by applying patch for Jakub Jelinek 
 Resolves #1013801