diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index 6fd8710..43559e6 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -1,3 +1,33 @@
+diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
+index d29b0c1..792e68e 100644
+--- a/libselinux/include/selinux/selinux.h
++++ b/libselinux/include/selinux/selinux.h
+@@ -500,6 +500,25 @@ extern const char *selinux_colors_path(void);
+ extern const char *selinux_netfilter_context_path(void);
+ extern const char *selinux_path(void);
+ 
++/**
++ * selinux_check_access - Check permissions and perform appropriate auditing.
++ * @scon: source security context
++ * @tcon: target security context
++ * @tclass: target security class string
++ * @perm: requested permissions string, interpreted based on @tclass
++ * @auditdata: auxiliary audit data
++ *
++ * Check the AVC to determine whether the @perm permissions are granted
++ * for the SID pair (@scon, @tcon), interpreting the permissions
++ * based on @tclass.
++ * Return %0 if all @perm permissions are granted, -%1 with
++ * @errno set to %EACCES if any permissions are denied or to another
++ * value upon other errors.
++ * If auditing or logging is configured the appropriate callbacks will be called
++ * and passed the auditdata field
++ */
++extern int selinux_check_access(const security_context_t scon, const security_context_t tcon, const char *tclass, const char *perm, void *auditdata);
++
+ /* Check a permission in the passwd class.
+ Return 0 if granted or -1 otherwise. */
+ extern int selinux_check_passwd_access(access_vector_t requested);
 diff --git a/libselinux/man/man3/matchpathcon.3 b/libselinux/man/man3/matchpathcon.3
 index cdbb252..e2a4371 100644
 --- a/libselinux/man/man3/matchpathcon.3
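Review bot: The prototype declares the contexts as `const security_context_t scon`; because security_context_t is a pointer typedef (`char *` in libselinux), that `const` qualifies the pointer itself rather than the characters it points to, so the declaration does not promise that the contexts are left untouched and a caller holding a `const char *` context cannot pass it without a cast — `const char *scon, const char *tcon` expresses the intent. The kernel-doc block also omits a case that the implementation added in this patch's checkAccess.c hunk has: it returns 0 without consulting the AVC when `is_selinux_enabled()` reports SELinux disabled, so 0 means "granted or no policy", which a caller relying on this check should be told; add ` * Returns %0 without consulting the AVC when SELinux is disabled.` after the existing Return sentence. Finally the header names the class argument `tclass` while the definition and the man page hunk name it `class`; using the header's `tclass` throughout keeps the three consistent and avoids a C++ keyword in documentation that C++ consumers of the header will read.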
@@ -20,6 +50,29 @@ index cdbb252..e2a4371 100644
 .sp
 .B matchpathcon_fini
 frees the memory allocated by a prior call to
+diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
+index f2d9f30..1e36952 100644
+--- a/libselinux/man/man3/security_compute_av.3
++++ b/libselinux/man/man3/security_compute_av.3
+@@ -24,6 +24,8 @@ the SELinux policy database in the kernel.
+ .BI "int security_get_initial_context(const char *" name ", security_context_t
+ "con );
+ .sp
++.BI "int selinux_check_access(const security_context_t " scon, " const security_context_t " tcon, " const char *" class, " const char *" perm, "void *" auditdata);
++.sp
+ .BI "int selinux_check_passwd_access(access_vector_t " requested );
+ .sp
+ .BI "int checkPasswdAccess(access_vector_t " requested );
+@@ -74,6 +76,9 @@ source context. It is mainly used by
+ is used to get the context of a kernel initial security identifier specified by
+ .I name
+ 
++.B selinux_check_access
++is used to check if the source context has the access permission for the specified class on the target context.
++
+ .B selinux_check_passwd_access
+ is used to check for a permission in the
+ .I passwd
 diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
 index 8674e37..89bb4d3 100644
 --- a/libselinux/man/man3/selabel_open.3
@@ -43,6 +96,27 @@ index 8674e37..89bb4d3 100644
 .BR selinux_set_callback (3),
 .BR selinux (8)
-
+diff --git a/libselinux/man/man3/selinux_check_access.3 b/libselinux/man/man3/selinux_check_access.3
+new file mode 100644
+index 0000000..a60bca4
+--- /dev/null
++++ b/libselinux/man/man3/selinux_check_access.3
+@@ -0,0 +1 @@
++.so man3/security_compute_av.3
+diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
+index 74591b4..e7ad31d 100644
+--- a/libselinux/src/avc.c
++++ b/libselinux/src/avc.c
+@@ -165,6 +165,9 @@ int avc_init(const char *prefix,
+ struct avc_node *new;
+ int i, rc = 0;
+ 
++ if (avc_running)
++ return 0;
++
+ if (prefix)
+ strncpy(avc_prefix, prefix, AVC_PREFIX_SIZE - 1);
+ 
 diff --git a/libselinux/src/callbacks.c b/libselinux/src/callbacks.c
 index b245364..7c47222 100644
 --- a/libselinux/src/callbacks.c
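Review bot: The new `if (avc_running) return 0;` makes every avc_init() call after the first report success while silently discarding that caller's `prefix` (and, presumably, the callback arguments in the remainder of the signature, which lies outside the hunk), so a component that initialises the AVC with its own logging or locking callbacks after another library has already done so gets neither an error nor its callbacks. At minimum the behaviour should be stated at the return, e.g. `/* Already initialised by an earlier caller: this call's prefix and callbacks are ignored. */`, and the public documentation for avc_init()/avc_open() should say the same. How `avc_running` is protected is not visible here, so whether two threads entering avc_init() concurrently can both pass this check is worth confirming. The body of avc_init() continues outside the hunk.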
@@ -55,6 +129,51 @@ index b245364..7c47222 100644
 va_start(ap, fmt);
 rc = vfprintf(stderr, fmt, ap);
 va_end(ap);
+diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
+index c1982c7..37ccc15 100644
+--- a/libselinux/src/checkAccess.c
++++ b/libselinux/src/checkAccess.c
+@@ -4,8 +4,40 @@
+ #include
+ #include "selinux_internal.h"
+ #include
++#include
+ #include
+ 
++static pthread_once_t once = PTHREAD_ONCE_INIT;
++
++static void avc_init_once(void)
++{
++ avc_open(NULL, 0);
++}
++
++int selinux_check_access(const security_context_t scon, const security_context_t tcon, const char *class, const char *perm, void *aux) {
++ int status = -1;
++ int rc = -1;
++ security_id_t scon_id;
++ security_id_t tcon_id;
++ security_class_t sclass;
++ access_vector_t av;
++
++ if (is_selinux_enabled() == 0)
++ return 0;
++
++ __selinux_once(once, avc_init_once);
++
++ if ((rc = avc_context_to_sid(scon, &scon_id)) < 0) return rc;
++
++ if ((rc = avc_context_to_sid(tcon, &tcon_id)) < 0) return rc;
++
++ if ((sclass = string_to_security_class(class)) == 0) return status;
++
++ if ((av = string_to_av_perm(sclass, perm)) == 0) return status;
++
++ return (avc_has_perm (scon_id, tcon_id, sclass, av, NULL, aux);
++}
++
+ int selinux_check_passwd_access(access_vector_t requested)
+ {
+ int status = -1;
 diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
 index 3b8346d..02f3f98 100644
 --- a/libselinux/src/label_file.c
diff --git a/libselinux.spec b/libselinux.spec
index fb4c1e5..e46ab06 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -7,7 +7,7 @@ Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 2.1.6
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 Source: %{name}-%{version}.tgz
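Review bot: `avc_init_once()` discards the return value of `avc_open(NULL, 0)`, so if the one-time AVC initialisation fails nothing records it and every later `selinux_check_access()` call proceeds into `avc_context_to_sid()`/`avc_has_perm()` against an AVC that was never set up; since pthread_once will not run the routine again, keep the outcome in a file-scope `static int avc_init_rc = -1;`, assign it in the once-routine with `avc_init_rc = avc_open(NULL, 0);`, and fail closed right after `__selinux_once()` with `if (avc_init_rc < 0) return -1;`. As printed here the final statement `return (avc_has_perm (scon_id, tcon_id, sclass, av, NULL, aux);` has an unmatched opening parenthesis; unless that is a rendering artefact it will not compile and should read `return avc_has_perm(scon_id, tcon_id, sclass, av, NULL, aux);`. The two `return status;` exits for an unknown class or permission string return -1 without visibly setting errno, which the header comment added by this patch promises for every failure; unless `string_to_security_class()` and `string_to_av_perm()` set it themselves (not visible here) a caller cannot tell a denial from a misspelled class name, so either set `errno = EINVAL` on those paths or document the exception. Style: the brace on the signature line and the one-line `if (...) return ...;` forms differ from `selinux_check_passwd_access()` directly below, whose brace sits on its own line.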
@@ -231,6 +231,9 @@ rm -rf %{buildroot}
 %{ruby_sitearch}/selinux.so
 %changelog
+* Wed Oct 19 2011 Dan Walsh - 2.1.6-3
+- Add selinux_check_access function. Needed for passwd, chfn, chsh
+
 * Thu Sep 22 2011 Dan Walsh - 2.1.6-2
 - Handle situation where selinux=0 passed to the kernel and both /selinux and