- Turn off error printing in library. Need to compile with DEBUG to get it
back
This commit is contained in:
parent
f4b45ddd03
commit
d8849af170
|
@ -1,17 +1,16 @@
|
||||||
diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.30.15/include/selinux/selinux.h
|
diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.30.15/include/selinux/selinux.h
|
||||||
--- nsalibselinux/include/selinux/selinux.h 2006-06-16 15:08:24.000000000 -0400
|
--- nsalibselinux/include/selinux/selinux.h 2006-06-16 15:08:24.000000000 -0400
|
||||||
+++ libselinux-1.30.15/include/selinux/selinux.h 2006-06-20 15:48:14.000000000 -0400
|
+++ libselinux-1.30.15/include/selinux/selinux.h 2006-06-21 15:26:36.000000000 -0400
|
||||||
@@ -429,8 +429,20 @@
|
@@ -429,8 +429,19 @@
|
||||||
Caller must free the returned strings via free. */
|
Caller must free the returned strings via free. */
|
||||||
extern int getseuserbyname(const char *linuxuser, char **seuser, char **level);
|
extern int getseuserbyname(const char *linuxuser, char **seuser, char **level);
|
||||||
|
|
||||||
+/* This function allows you to compare two security context, it will ignore the
|
+/* This function compares two file context, ignoring the user component */
|
||||||
+user component */
|
+int selinux_file_context_cmp(const security_context_t a, const security_context_t b);
|
||||||
+int selinux_context_cmp(const security_context_t a, const security_context_t b);
|
|
||||||
+
|
+
|
||||||
+/* This function looks at the file context on disk and compares it to the
|
+/* This function looks at the file context on disk and compares it to the
|
||||||
+system defaults, it returns 1 on match non 0 on failure */
|
+system defaults, it returns 0 on match non 0 on failure */
|
||||||
+int selinux_verify_file_context(const char *path, mode_t mode);
|
+int selinux_file_context_verify(const char *path, mode_t mode);
|
||||||
+
|
+
|
||||||
+/* This function sets the file context on to the system defaults returns 0 on success */
|
+/* This function sets the file context on to the system defaults returns 0 on success */
|
||||||
+int selinux_lsetfilecon_default(const char *path);
|
+int selinux_lsetfilecon_default(const char *path);
|
||||||
|
@ -24,7 +23,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h lib
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/matchpathcon.8 libselinux-1.30.15/man/man8/matchpathcon.8
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/matchpathcon.8 libselinux-1.30.15/man/man8/matchpathcon.8
|
||||||
--- nsalibselinux/man/man8/matchpathcon.8 2006-05-15 09:43:24.000000000 -0400
|
--- nsalibselinux/man/man8/matchpathcon.8 2006-05-15 09:43:24.000000000 -0400
|
||||||
+++ libselinux-1.30.15/man/man8/matchpathcon.8 2006-06-20 10:56:07.000000000 -0400
|
+++ libselinux-1.30.15/man/man8/matchpathcon.8 2006-06-21 15:26:36.000000000 -0400
|
||||||
@@ -3,13 +3,25 @@
|
@@ -3,13 +3,25 @@
|
||||||
matchpathcon \- get the default security context for the specified path from the file contexts configuration.
|
matchpathcon \- get the default security context for the specified path from the file contexts configuration.
|
||||||
|
|
||||||
|
@ -56,8 +55,8 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/matchpathcon.8 libse
|
||||||
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
||||||
diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-1.30.15/src/matchpathcon.c
|
diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-1.30.15/src/matchpathcon.c
|
||||||
--- nsalibselinux/src/matchpathcon.c 2006-05-18 12:11:17.000000000 -0400
|
--- nsalibselinux/src/matchpathcon.c 2006-05-18 12:11:17.000000000 -0400
|
||||||
+++ libselinux-1.30.15/src/matchpathcon.c 2006-06-21 14:31:19.000000000 -0400
|
+++ libselinux-1.30.15/src/matchpathcon.c 2006-06-21 15:37:18.000000000 -0400
|
||||||
@@ -20,12 +20,16 @@
|
@@ -20,10 +20,12 @@
|
||||||
#endif
|
#endif
|
||||||
default_printf(const char *fmt, ...)
|
default_printf(const char *fmt, ...)
|
||||||
{
|
{
|
||||||
|
@ -69,58 +68,69 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux
|
||||||
+#endif
|
+#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
+static unsigned int myflags;
|
|
||||||
+
|
|
||||||
static void
|
static void
|
||||||
#ifdef __GNUC__
|
@@ -50,7 +52,7 @@
|
||||||
__attribute__ ((format (printf, 1, 2)))
|
|
||||||
@@ -50,7 +54,12 @@
|
|
||||||
static int default_canoncon(const char *path, unsigned lineno, char **context)
|
static int default_canoncon(const char *path, unsigned lineno, char **context)
|
||||||
{
|
{
|
||||||
char *tmpcon;
|
char *tmpcon;
|
||||||
- if (security_canonicalize_context(*context, &tmpcon) < 0) {
|
- if (security_canonicalize_context(*context, &tmpcon) < 0) {
|
||||||
+ int rc;
|
+ if (security_canonicalize_context_raw(*context, &tmpcon) < 0) {
|
||||||
+ if (myflags & MATCHPATHCON_NOTRANS)
|
|
||||||
+ rc = security_canonicalize_context_raw(*context, &tmpcon);
|
|
||||||
+ else
|
|
||||||
+ rc = security_canonicalize_context(*context, &tmpcon);
|
|
||||||
+ if ( rc < 0) {
|
|
||||||
if (errno == ENOENT)
|
if (errno == ENOENT)
|
||||||
return 0;
|
return 0;
|
||||||
if (lineno)
|
if (lineno)
|
||||||
@@ -74,8 +83,6 @@
|
@@ -74,7 +76,7 @@
|
||||||
mycanoncon = &default_canoncon;
|
mycanoncon = &default_canoncon;
|
||||||
}
|
}
|
||||||
|
|
||||||
-static unsigned int myflags;
|
-static unsigned int myflags;
|
||||||
-
|
+static __thread unsigned int myflags;
|
||||||
|
|
||||||
void set_matchpathcon_flags(unsigned int flags)
|
void set_matchpathcon_flags(unsigned int flags)
|
||||||
{
|
{
|
||||||
myflags = flags;
|
@@ -552,21 +554,6 @@
|
||||||
@@ -580,7 +587,6 @@
|
|
||||||
spec_arr[nspec].context_valid = 1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
-
|
|
||||||
spec_arr[nspec].context = context;
|
|
||||||
|
|
||||||
/* Determine if specification has
|
skip_type:
|
||||||
@@ -797,7 +803,6 @@
|
if (strcmp(context, "<<none>>")) {
|
||||||
errno = ENOENT;
|
- char *tmpcon = NULL;
|
||||||
return -1;
|
-
|
||||||
|
- if (myflags & MATCHPATHCON_NOTRANS)
|
||||||
|
- goto skip_trans;
|
||||||
|
-
|
||||||
|
- if (selinux_raw_to_trans_context(context, &tmpcon)) {
|
||||||
|
- myprintf("%s: line %u has invalid "
|
||||||
|
- "context %s\n",
|
||||||
|
- path, lineno, context);
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
- free(context);
|
||||||
|
- context = tmpcon;
|
||||||
|
-
|
||||||
|
-skip_trans:
|
||||||
|
if (myflags & MATCHPATHCON_VALIDATE) {
|
||||||
|
if (myinvalidcon) {
|
||||||
|
/* Old-style validation of context. */
|
||||||
|
@@ -831,7 +818,12 @@
|
||||||
|
spec_arr[i].context_valid = 1;
|
||||||
}
|
}
|
||||||
-
|
|
||||||
spec_arr[i].matches++;
|
|
||||||
|
|
||||||
return i;
|
- *con = strdup(spec_arr[i].context);
|
||||||
@@ -877,3 +882,73 @@
|
+ if (myflags & MATCHPATHCON_NOTRANS) {
|
||||||
|
+ *con = strdup(spec_arr[i].context);
|
||||||
|
+ } else {
|
||||||
|
+ if (selinux_raw_to_trans_context(spec_arr[i].context, con))
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
if (!(*con))
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
@@ -877,3 +869,72 @@
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
+
|
+
|
||||||
+/* Compare two contexts to see if their differences are "significant",
|
+/* Compare two contexts to see if their differences are "significant",
|
||||||
+ * or whether the only difference is in the user. */
|
+ * or whether the only difference is in the user. */
|
||||||
+int selinux_context_cmp(const security_context_t a, const security_context_t b)
|
+int selinux_file_context_cmp(const security_context_t a, const security_context_t b)
|
||||||
+{
|
+{
|
||||||
+ char *rest_a, *rest_b; /* Rest of the context after the user */
|
+ char *rest_a, *rest_b; /* Rest of the context after the user */
|
||||||
+ if (!a && !b) return 0;
|
+ if (!a && !b) return 0;
|
||||||
|
@ -134,16 +144,14 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux
|
||||||
+ return strcmp(rest_a, rest_b);
|
+ return strcmp(rest_a, rest_b);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+int selinux_verify_file_context(const char *path, mode_t mode)
|
+int selinux_file_context_verify(const char *path, mode_t mode)
|
||||||
+{
|
+{
|
||||||
+ security_context_t con = NULL;
|
+ security_context_t con = NULL;
|
||||||
+ security_context_t fcontext = NULL;
|
+ security_context_t fcontext = NULL;
|
||||||
|
+ unsigned int localflags=myflags;
|
||||||
+ int rc=0;
|
+ int rc=0;
|
||||||
+
|
+
|
||||||
+ if (myflags & MATCHPATHCON_NOTRANS)
|
+ rc = lgetfilecon_raw(path, &con);
|
||||||
+ rc = lgetfilecon_raw(path, &con);
|
|
||||||
+ else
|
|
||||||
+ rc = lgetfilecon(path, &con);
|
|
||||||
+ if (rc == -1) {
|
+ if (rc == -1) {
|
||||||
+ if (errno != ENOTSUP)
|
+ if (errno != ENOTSUP)
|
||||||
+ return 1;
|
+ return 1;
|
||||||
|
@ -151,14 +159,16 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
|
+ set_matchpathcon_flags(myflags | MATCHPATHCON_NOTRANS);
|
||||||
+ if (matchpathcon(path,mode,&fcontext) != 0) {
|
+ if (matchpathcon(path,mode,&fcontext) != 0) {
|
||||||
+ if (fcontext == NULL && errno != ENOENT)
|
+ if (errno != ENOENT)
|
||||||
+ rc = 1;
|
+ rc = 1;
|
||||||
+ else
|
+ else
|
||||||
+ rc = 0;
|
+ rc = 0;
|
||||||
+ }
|
+ }
|
||||||
+ else
|
+ else
|
||||||
+ rc = (selinux_context_cmp(fcontext, con) == 0);
|
+ rc = (selinux_file_context_cmp(fcontext, con) == 0);
|
||||||
|
+ set_matchpathcon_flags(localflags);
|
||||||
+ freecon(con);
|
+ freecon(con);
|
||||||
+ freecon(fcontext);
|
+ freecon(fcontext);
|
||||||
+ return rc;
|
+ return rc;
|
||||||
|
@ -178,8 +188,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux
|
||||||
+ /* If there's an error determining the context, or it has none,
|
+ /* If there's an error determining the context, or it has none,
|
||||||
+ return to allow default context */
|
+ return to allow default context */
|
||||||
+ if (matchpathcon(path, st.st_mode, &scontext)) {
|
+ if (matchpathcon(path, st.st_mode, &scontext)) {
|
||||||
+ if (scontext == NULL && errno != ENOENT)
|
+ if (errno == ENOENT) rc = 0;
|
||||||
+ rc =0;
|
|
||||||
+ } else {
|
+ } else {
|
||||||
+ rc = lsetfilecon_raw(path, scontext);
|
+ rc = lsetfilecon_raw(path, scontext);
|
||||||
+ freecon(scontext);
|
+ freecon(scontext);
|
||||||
|
@ -189,7 +198,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux
|
||||||
+}
|
+}
|
||||||
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselinux-1.30.15/utils/matchpathcon.c
|
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselinux-1.30.15/utils/matchpathcon.c
|
||||||
--- nsalibselinux/utils/matchpathcon.c 2006-05-18 12:11:17.000000000 -0400
|
--- nsalibselinux/utils/matchpathcon.c 2006-05-18 12:11:17.000000000 -0400
|
||||||
+++ libselinux-1.30.15/utils/matchpathcon.c 2006-06-21 09:05:20.000000000 -0400
|
+++ libselinux-1.30.15/utils/matchpathcon.c 2006-06-21 15:26:36.000000000 -0400
|
||||||
@@ -12,19 +12,44 @@
|
@@ -12,19 +12,44 @@
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
@ -252,7 +261,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselin
|
||||||
- else
|
- else
|
||||||
- printf("%s\n", buf);
|
- printf("%s\n", buf);
|
||||||
+ if (verify) {
|
+ if (verify) {
|
||||||
+ if (selinux_verify_file_context(argv[i], 0)) {
|
+ if (selinux_file_context_verify(argv[i], 0)) {
|
||||||
+ printf("%s verified.\n", argv[i]);
|
+ printf("%s verified.\n", argv[i]);
|
||||||
+ } else {
|
+ } else {
|
||||||
+ security_context_t con;
|
+ security_context_t con;
|
||||||
|
|
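Review bot: The rewritten header comment for selinux_file_context_verify in selinux.h now says it `returns 0 on match non 0 on failure`, but the implementation returns `rc = (selinux_file_context_cmp(fcontext, con) == 0)`, i.e. 1 on match, and the caller in utils/matchpathcon.c prints "verified." exactly when the result is non-zero, so the previous wording (`returns 1 on match`) was the accurate one. I would restore it as `/* Compares the file's on-disk context to the system default; returns 1 if they match, 0 otherwise */`. Separately, when matchpathcon() fails with an errno other than ENOENT the function also sets `rc = 1`, so a lookup error is reported to the caller the same way as a successful match; if that is deliberate it should be stated in the comment, otherwise returning 0 (or a distinct value) on error would be the safer contract for a verification API. The switch to `static __thread unsigned int myflags;` also makes set_matchpathcon_flags() per-thread, which callers cannot see from the public header and which deserves a sentence there. Both selinux_file_context_verify and selinux_file_context_cmp are split across hunks, so this is based on the visible lines only.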