Add new function mode_to_security_class which takes mode instead of a string.

- Possibly will be used with coreutils.
2012-10-25 16:27:52 -04:00 · 2012-10-25 16:27:52 -04:00 · e1c914df47
parent 166aec5994
commit e1c914df47
2 changed files with 182 additions and 12 deletions
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@ -1,8 +1,17 @@
 diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
-index 6b9089d..85b0cfc 100644
+index 6b9089d..aba6e33 100644
 --- a/libselinux/include/selinux/selinux.h
 +++ b/libselinux/include/selinux/selinux.h
-@@ -496,7 +496,9 @@ extern const char *selinux_policy_root(void);
+@@ -360,6 +360,8 @@ extern int selinux_set_mapping(struct security_class_mapping *map);
+ 
+ /* Common helpers */
+ 
+/* Convert between mode and security class values */
+extern security_class_t mode_to_security_class(mode_t mode);
+ /* Convert between security class values and string names */
+ extern security_class_t string_to_security_class(const char *name);
+ extern const char *security_class_to_string(security_class_t cls);
+@@ -496,7 +498,9 @@ extern const char *selinux_policy_root(void);
 
 /* These functions return the paths to specific files under the 
    policy root directory. */
@ -12,6 +21,45 @@ index 6b9089d..85b0cfc 100644
 extern const char *selinux_failsafe_context_path(void);
 extern const char *selinux_removable_context_path(void);
 extern const char *selinux_default_context_path(void);
+diff --git a/libselinux/man/man3/security_class_to_string.3 b/libselinux/man/man3/security_class_to_string.3
+index 140737e..e82e1d8 100644
+--- a/libselinux/man/man3/security_class_to_string.3
+++ b/libselinux/man/man3/security_class_to_string.3
+@@ -3,7 +3,7 @@
+ .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
+ .TH "security_class_to_string" "3" "30 Mar 2007" "" "SELinux API documentation"
+ .SH "NAME"
+-security_class_to_string, security_av_perm_to_string, string_to_security_class, string_to_av_perm, security_av_string \- convert
+security_class_to_string, security_av_perm_to_string, string_to_security_class, string_to_av_perm, security_av_string, mode_to_security_class \- convert
+ between SELinux class and permission values and string names.
+ 
+ print_access_vector \- display an access vector in human-readable form. 
+@@ -21,6 +21,8 @@ print_access_vector \- display an access vector in human-readable form.
+ .sp
+ .BI "security_class_t string_to_security_class(const char *" name ");"
+ .sp
+.BI "security_class_t mode_to_security_class(mode_t " mode ");"
+.sp
+ .BI "access_vector_t string_to_av_perm(security_class_t " tclass ", const char *" name ");"
+ .sp
+ .BI "void print_access_vector(security_class_t " tclass ", access_vector_t " av ");"
+@@ -53,6 +55,11 @@ returns the class value corresponding to the string name
+ .IR name ,
+ or zero if no such class exists.
+ 
+.B mode_to_security_class
+returns the class value corresponding to the specified 
+.IR mode ,
+or zero if no such class exists.
+
+ .B string_to_av_perm
+ returns the access vector bit corresponding to the string name
+ .I name
+@@ -88,3 +95,4 @@ Eamon Walsh <ewalsh@tycho.nsa.gov>
+ .BR selinux (8),
+ .BR getcon (3),
+ .BR getfilecon (3)
+.BR stat (3)
 diff --git a/libselinux/man/man3/selinux_binary_policy_path.3 b/libselinux/man/man3/selinux_binary_policy_path.3
 index 8ead1a4..c68ace5 100644
 --- a/libselinux/man/man3/selinux_binary_policy_path.3
@ -36,11 +84,64 @@ index 8ead1a4..c68ace5 100644
 .sp
 selinux_default_type_path - context file mapping roles to default types.
 .sp
+diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
+index 9f16f77..4835f2f 100644
+--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
+@@ -69,14 +69,27 @@ Many domains that are protected by SELinux also include SELinux man pages explai
+ All files, directories, devices ... have a security context/label associated with them.  These context are stored in the extended attributes of the file system.
+ Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non SELinux kernel.  If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling.  
+ 
+-The best way to relabel the file system is to create the flag file /.autorelabel and reboot.  system-config-securitylevel, also has this capability.  The restorcon/fixfiles commands are also available for relabeling files. 
+The best way to relabel the file system is to create the flag file /.autorelabel and reboot.  system-config-selinux, also has this capability.  The restorcon/fixfiles commands are also available for relabeling files. 
+   
+ .SH AUTHOR	
+ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+ 
+ .SH "SEE ALSO"
+-booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restorecon(8), setfiles(8), ftpd_selinux(8), named_selinux(8), rsync_selinux(8), httpd_selinux(8), nfs_selinux(8), samba_selinux(8), kerberos_selinux(8), nis_selinux(8), ypbind_selinux(8)
+booleans(8), setsebool(8), selinuxenabled(8), restorecon(8), setfiles(8), semanage(8), sepolicy(8)
+.br
+ 
+Every confined service on the system has a man page in the following format:
+.br
+
+.B <servicename>_selinux(8)
+
+For example, httpd has the 
+.B httpd_selinux(8) 
+man page.
+
+.B man -k selinux 
+
+Will list all SELinux man pages.
+ 
+ .SH FILES
+ /etc/selinux/config
 diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
-index 02483a3..89953d7 100644
+index 02483a3..c804e84 100644
 --- a/libselinux/src/audit2why.c
 +++ b/libselinux/src/audit2why.c
-@@ -206,27 +206,12 @@ static int __policy_init(const char *init_path)
+@@ -164,6 +164,9 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args)
+   
+ 	if (PyArg_ParseTuple(args,(char *)":finish")) {
+ 		int i = 0;
+		if (! avc)
+			Py_RETURN_NONE;
+
+ 		for (i = 0; i < boolcnt; i++) {
+ 			free(boollist[i]->name);
+ 			free(boollist[i]);
+@@ -177,7 +180,7 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args)
+ 		avc = NULL;
+ 		boollist = NULL;
+ 		boolcnt = 0;
+-	  
+
+ 		/* Boilerplate to return "None" */
+ 		Py_RETURN_NONE;
+ 	}
+@@ -206,27 +209,12 @@ static int __policy_init(const char *init_path)
 			return 1;
 		}
 	} else {
@ -72,6 +173,17 @@ index 02483a3..89953d7 100644
 			PyErr_SetString( PyExc_ValueError, errormsg);
 			return 1;
 		}
+@@ -295,6 +283,10 @@ static int __policy_init(const char *init_path)
+ static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) {
+   int result;
+   char *init_path=NULL;
+  if (avc) {
+	  PyErr_SetString( PyExc_RuntimeError, "init called multiple times");
+	  return NULL;
+  }
+   if (!PyArg_ParseTuple(args,(char *)"|s:policy_init",&init_path))
+     return NULL;
+   result = __policy_init(init_path);
 diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
 index 802a07f..6ff83a7 100644
 --- a/libselinux/src/avc.c
@ -625,6 +737,38 @@ index cfea186..8b1eba6 100644
 	      char **r_seuser, char **r_level) {
 	int ret = -1;
 	int len = 0;
+diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c
+index 176ac34..082778e 100644
+--- a/libselinux/src/stringrep.c
+++ b/libselinux/src/stringrep.c
+@@ -436,6 +436,27 @@ security_class_t string_to_security_class(const char *s)
+ 	return map_class(node->value);
+ }
+ 
+security_class_t mode_to_security_class(mode_t m) {
+
+	if (S_ISREG(m))
+		return string_to_security_class("file");
+	if (S_ISDIR(m))
+		return string_to_security_class("dir");
+	if (S_ISCHR(m))
+		return string_to_security_class("chr_file");
+	if (S_ISBLK(m))
+		return string_to_security_class("blk_file");
+	if (S_ISFIFO(m))
+		return string_to_security_class("fifo_file");
+	if (S_ISLNK(m))
+		return string_to_security_class("lnk_file");
+	if (S_ISSOCK(m))
+		return string_to_security_class("sock_file");
+
+	errno=EINVAL;
+	return 0;
+}
+
+ access_vector_t string_to_av_perm(security_class_t tclass, const char *s)
+ {
+ 	struct discover_class_node *node;
 diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
 index 8b9294d..060eaab 100644
 --- a/libselinux/utils/.gitignore
@ -651,10 +795,10 @@ index 5f3e047..f469924 100644
 	UNUSED_TARGETS+=compute_av compute_create compute_member compute_relabel
 diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c
 new file mode 100644
-index 0000000..f8a5fea
+index 0000000..15cc836
 --- /dev/null
 +++ b/libselinux/utils/sefcontext_compile.c
-@@ -0,0 +1,345 @@
+@@ -0,0 +1,350 @@
 +#include <ctype.h>
 +#include <errno.h>
 +#include <pcre.h>
@ -676,8 +820,10 @@ index 0000000..f8a5fea
 +	FILE *context_file;
 +
 +	context_file = fopen(filename, "r");
-+	if (!context_file)
+	if (!context_file) {
+		fprintf(stderr, "Error opening %s: %s\n", filename, strerror(errno));
 +		return -1;
+	}
 +
 +	line_num = 0;
 +	while ((len = getline(&line_buf, &line_len, context_file)) != -1) {
@ -715,8 +861,10 @@ index 0000000..f8a5fea
 +		}
 +
 +		rc = grow_specs(data);
-+		if (rc)
+		if (rc) {
+			fprintf(stderr, "grow_specs failed: %s\n", strerror(errno));
 +			return rc;
+		}
 +
 +		spec = &data->spec_arr[data->nspec];
 +
@ -738,9 +886,10 @@ index 0000000..f8a5fea
 +
 +		regex_len = strlen(regex);
 +		cp = anchored_regex = malloc(regex_len + 3);
-+		if (!cp)
+		if (!cp) {
+			fprintf(stderr, "Malloc Failed: %s\n", strerror(errno));
 +			return -1;
-+
+		}
 +		*cp++ = '^';
 +		memcpy(cp, regex, regex_len);
 +		cp += regex_len;
--- a/libselinux.spec
+++ b/libselinux.spec
@ -4,16 +4,18 @@

 %define ruby_inc %(pkg-config --cflags ruby-1.9)
 %define ruby_sitearch %(ruby -rrbconfig -e "puts RbConfig::CONFIG['vendorarchdir']")
-%define libsepolver 2.1.8-1
+%define libsepolver 2.1.7-4
 %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}

 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 2.1.12
-Release: 1%{?dist}
+Release: 6%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 Source: %{name}-%{version}.tgz
+Source1: selinuxconlist.8
+Source2: selinuxdefcon.8
 Url: http://oss.tresys.com/git/selinux.git
 Patch1: libselinux-rhat.patch
 BuildRequires: pkgconfig python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel
@ -174,6 +176,9 @@ rm -f %{buildroot}%{_sbindir}/getseuser
 rm -f %{buildroot}%{_sbindir}/selinux_check_securetty_context
 mv %{buildroot}%{_sbindir}/getdefaultcon %{buildroot}%{_sbindir}/selinuxdefcon
 mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist
+install -d %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE1} %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/

 %clean
 rm -rf %{buildroot}
@ -236,6 +241,22 @@ rm -rf %{buildroot}
 %{ruby_sitearch}/selinux.so

 %changelog
+* Fri Oct 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-6
+- Add new function mode_to_security_class which takes mode instead of a string.
+- Possibly will be used with coreutils.
+
+* Mon Oct 15 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-5
+- Add back selinuxconlist and selinuxdefcon man pages
+
+* Mon Oct 15 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-4
+- Fix segfault from calling audit2why.finish() multiple times
+
+* Fri Oct 12 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-3
+- Fix up selinux man page to reference service man pages
+
+* Wed Sep 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-2
+- Rebuild with fixed libsepol
+
 * Thu Sep 13 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-1
 - Update to upstream 
 	* Add support for lxc_contexts_path