Return EPERM if login program can not reach default label for user

- Attempt to return container info from audit2why
Dan Walsh 2012-11-16 16:49:57 -05:00
parent 8c2b32a881
commit edd5aaafc0
2 changed files with 78 additions and 29 deletions

@ -126,7 +126,7 @@ index 9f16f77..4835f2f 100644
.SH FILES
/etc/selinux/config
diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
index 02483a3..c804e84 100644
index 02483a3..647ea4c 100644
--- a/libselinux/src/audit2why.c
+++ b/libselinux/src/audit2why.c
@@ -164,6 +164,9 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args)
@ -191,6 +191,32 @@ index 02483a3..c804e84 100644
if (!PyArg_ParseTuple(args,(char *)"|s:policy_init",&init_path))
return NULL;
result = __policy_init(init_path);
@@ -306,6 +298,7 @@ static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) {
return result;
static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args) {
+ char *reason_buf = NULL;
security_context_t scon;
security_context_t tcon;
char *tclassstr;
@@ -376,7 +369,7 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
}
/* Reproduce the computation. */
- rc = sepol_compute_av_reason(ssid, tsid, tclass, av, &avd, &reason);
+ rc = sepol_compute_av_reason_buffer(ssid, tsid, tclass, av, &avd, &reason, &reason_buf);
if (rc < 0) {
RETURN(BADCOMPUTE)
}
@@ -417,6 +410,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
}
if (reason & SEPOL_COMPUTEAV_CONS) {
+ printf("%s\n", reason_buf);
+ free(reason_buf);
RETURN(CONSTRAINT);
}
diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index 802a07f..6ff83a7 100644
--- a/libselinux/src/avc.c
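Review bot: in the analyze() hunk, `reason_buf` is freed only inside the `if (reason & SEPOL_COMPUTEAV_CONS)` branch; on the `rc < 0` path (`RETURN(BADCOMPUTE)`) and on every other reason branch a buffer that `sepol_compute_av_reason_buffer` may have allocated is leaked, so release it on every exit from analyze(). The `printf("%s\n", reason_buf)` also writes the constraint reason to stdout instead of handing it back to the Python caller, which is what the commit message ("return ... info from audit2why") promises and what callers of the module need; put it in the returned value and guard the use with `if (reason_buf)`, since passing a NULL pointer to `%s` is undefined behaviour.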
@ -213,6 +239,24 @@ index 825f295..d11c8dc 100644
S_(SEPGSQL_CONTEXTS, "/contexts/sepgsql_contexts")
- S_(BOOLEAN_SUBS, "/booleans.subs")
+ S_(BOOLEAN_SUBS, "/booleans.subs_dist")
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
index e02157c..e653ecc 100644
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@@ -489,7 +489,12 @@ int get_ordered_context_list(const char *user,
reachable[nordered] = NULL;
rc = nordered;
} else {
- rc = nreach;
+ if (security_getenforce()) {
+ errno = EPERM;
+ rc = -1;
+ } else {
+ rc = nreach;
+ }
}
out:
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 02b3cd2..301e4d6 100644
--- a/libselinux/src/label_file.c
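Review bot: `if (security_getenforce())` in the get_ordered_context_list() hunk treats the call's error return (-1) the same as enforcing mode, so a user with no reachable contexts gets EPERM even when the enforcing state could not be read; if failing closed is intended, write it as `security_getenforce() != 0` with a comment saying so, otherwise test for `== 1` and propagate the error. The same hunk also changes the BOOLEAN_SUBS path from `/booleans.subs` to `/booleans.subs_dist`, an unrelated change that neither the commit message nor the %changelog entry in this commit mentions; split it out or document it.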

@ -10,7 +10,7 @@
Summary: SELinux library and simple utilities
Name: libselinux
Version: 2.1.12
Release: 7%{?dist}
Release: 8%{?dist}
License: Public Domain
Group: System Environment/Libraries
Source: %{name}-%{version}.tgz
@ -241,6 +241,10 @@ rm -rf %{buildroot}
%{ruby_sitearch}/selinux.so
%changelog
* Fri Nov 16 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-8
- Return EPERM if login program can not reach default label for user
- Attempt to return container info from audit2why
* Thu Nov 1 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-7
- Apply patch from eparis to fix leaked file descriptor in new labeling code
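Review bot: the 2.1.12-8 %changelog entry omits the BOOLEAN_SUBS rename to `/booleans.subs_dist` that the patch in this commit also carries, and "container info" in the second bullet reads as a typo for "constraint info", since the audit2why change acts in the `SEPOL_COMPUTEAV_CONS` (constraint) branch; fix the wording and list the path change.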
@ -401,7 +405,7 @@ rm -rf %{buildroot}
* Cleanup Man pages
* merge freecon with getcon man page
* Mon Dec 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-5
* Mon Dec 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-5
- Add patch from Richard Haines
When selabel_lookup found an invalid context with validation enabled, it
always stated it was 'file_contexts' whether media, x, db or file.
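Review bot: the weekday corrections in this and the following %changelog hunks (Mon Dec 19 2011 here) match the calendar and silence rpmbuild's "bogus date in %changelog" warning, but they are unrelated to the two bullets of the 2.1.12-8 entry; consider mentioning the date cleanup there so the release entry accounts for everything the commit touches.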
@ -558,7 +562,7 @@ context
by Dan Walsh.
* Update man pages for selinux_color_* functions by Richard Haines.
* Wed Apr 5 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.101-1
* Wed Apr 6 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.101-1
- Clean up patch to make handling of constructor cleanup more portable
* db_language object class support for selabel_lookup from KaiGai Kohei.
* Library destructors for thread local storage keys from Eamon Walsh.
@ -607,10 +611,10 @@ pthread_key_delete, and is ignored.
- Update to upstream
* Thread local storage fixes from Eamon Walsh.
* Wed Dec 2 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-9
* Sat Dec 4 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-9
- Add /etc/tmpfiles.d support for /var/run/setrans
* Sun Nov 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-8
* Wed Nov 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-8
- Ghost /var/run/setrans
* Wed Sep 29 2010 jkeating - 2.0.96-7
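Review bot: the 2.0.96-9 entry is fixed by moving the date (Wed Dec 2 becomes Sat Dec 4), while the 2.0.96-8 entry right below keeps Nov 24 and changes only the weekday (Sun to Wed); both make the dates consistent, but the diff alone cannot show whether the day or the weekday was the original typo, so a line in the commit message saying which records were checked against the build history would help.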
@ -643,7 +647,7 @@ pthread_key_delete, and is ignored.
* Wed Mar 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.94-1
* Set errno=EINVAL for invalid contexts from Dan Walsh.
* Sun Mar 16 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.93-1
* Tue Mar 16 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.93-1
- Update to upstream
* Show strerror for security_getenforce() by Colin Waters.
* Merged selabel database support by KaiGai Kohei.
@ -1172,23 +1176,23 @@ pthread_key_delete, and is ignored.
* Merged patch to drop support for old /etc/sysconfig/selinux and
/etc/security policy file layout from Steve Grubb.
* Tue Mar 8 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.5-2
* Thu Mar 8 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.5-2
- Do not fail on permission denied in getsebool
* Tue Feb 27 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.5-1
- Upgrade to upstream
* Merged init_selinuxmnt() and is_selinux_enabled() improvements from Steve Grubb.
* Fri Feb 21 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.4-1
* Wed Feb 21 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.4-1
- Upgrade to upstream
* Removed sending of setrans init message.
* Merged matchpathcon memory leak fix from Steve Grubb.
* Thu Feb 20 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.2-1
* Tue Feb 20 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.2-1
- Upgrade to upstream
* Merged more swig initializers from Dan Walsh.
* Tue Feb 20 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-1
* Sun Feb 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-1
- Upgrade to upstream
* Merged patch from Todd Miller to convert int types over to C99 style.
@ -1208,7 +1212,8 @@ pthread_key_delete, and is ignored.
* Wed Jan 17 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.6-1
- Upgrade to upstream
* Merged man page updates to make "apropos selinux" work from Dan Walsh.
* Wed Jan 15 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.5-1
* Wed Jan 17 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.5-1
- Upgrade to upstream
* Merged getdefaultcon utility from Dan Walsh.
@ -1274,7 +1279,7 @@ Resolves: #200110
* Wed Sep 27 2006 Jeremy Katz <katzj@redhat.com> - 1.30.28-3
- really make -devel depend on libsepol-devel
* Wed Sep 25 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.28-2
* Wed Sep 27 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.28-2
- Add sgrubb patch for polmatch
* Wed Sep 13 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.28-1
@ -1441,7 +1446,7 @@ Resolves: #200110
a regular file.
* Merged python binding t_output_helper removal patch from Dan Walsh.
* Mon Apr 11 2006 Dan Walsh <dwalsh@redhat.com> 1.30.1-2
* Tue Apr 11 2006 Dan Walsh <dwalsh@redhat.com> 1.30.1-2
- Fix python bindings for matchpathcon
- Fix booleans man page
@ -1476,7 +1481,7 @@ Resolves: #200110
- Upgrade to latest from NSA
* Added getseuser test program.
* Fri Jan 7 2006 Dan Walsh <dwalsh@redhat.com> 1.29.4-1
* Fri Jan 6 2006 Dan Walsh <dwalsh@redhat.com> 1.29.4-1
- Upgrade to latest from NSA
* Added format attribute to myprintf in matchpathcon.c and
removed obsoleted rootlen variable in init_selinux_config().
@ -1682,13 +1687,13 @@ Resolves: #200110
- Update to latest from NSA
- Add getseuserbyname
* Fri Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-6
* Fri Sep 16 2005 Dan Walsh <dwalsh@redhat.com> 1.26-6
- Fix patch call
* Tue Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-5
* Tue Sep 13 2005 Dan Walsh <dwalsh@redhat.com> 1.26-5
- Fix strip_con call
* Tue Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-3
* Tue Sep 13 2005 Dan Walsh <dwalsh@redhat.com> 1.26-3
- Go back to original libsetrans code
* Mon Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-2
@ -1754,13 +1759,13 @@ Resolves: #200110
* Changed security_load_booleans to process booleans.local
even if booleans file doesn't exist.
* Fri Apr 26 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-3
* Fri Apr 29 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-3
- Fix avcstat to clear totals
* Fri Apr 26 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-2
* Fri Apr 29 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-2
- Add info to man page
* Fri Apr 26 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-1
* Fri Apr 29 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-1
- Update from NSA
* Merged set_selinuxmnt patch from Bill Nottingham (Red Hat).
* Rewrote get_ordered_context_list and helpers, including
@ -1875,7 +1880,7 @@ Resolves: #200110
* Mon Jan 24 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-3
- rpmexeccon should not fail in permissive mode.
* Fri Jan 20 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-2
* Fri Jan 21 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-2
- fix printf in avcstat
* Thu Jan 20 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-1
@ -2039,7 +2044,7 @@ Resolves: #200110
- Update from NSA
- Add optflags
* Fri Aug 26 2004 Dan Walsh <dwalsh@redhat.com> 1.17.3-1
* Fri Aug 27 2004 Dan Walsh <dwalsh@redhat.com> 1.17.3-1
- Update from NSA
* Thu Aug 26 2004 Dan Walsh <dwalsh@redhat.com> 1.17.2-1
@ -2081,7 +2086,7 @@ Resolves: #200110
* Thu Aug 12 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-2
- Add man page for boolean functions and SELinux
* Sat Aug 8 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-1
* Sun Aug 8 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-1
- Latest from NSA
* Mon Jul 19 2004 Dan Walsh <dwalsh@redhat.com> 1.15.2-1
@ -2107,7 +2112,7 @@ Resolves: #200110
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Sat Jun 13 2004 Dan Walsh <dwalsh@redhat.com> 1.13.3-2
* Sun Jun 13 2004 Dan Walsh <dwalsh@redhat.com> 1.13.3-2
- Fix selinux_config to break once it finds SELINUXTYPE.
* Fri May 28 2004 Dan Walsh <dwalsh@redhat.com> 1.13.2-1
@ -2119,7 +2124,7 @@ Resolves: #200110
* Mon May 17 2004 Dan Walsh <dwalsh@redhat.com> 1.12-2
- add man patch
* Thu May 14 2004 Dan Walsh <dwalsh@redhat.com> 1.12-1
* Fri May 14 2004 Dan Walsh <dwalsh@redhat.com> 1.12-1
- Update with latest from NSA
* Wed May 5 2004 Dan Walsh <dwalsh@redhat.com> 1.11.4-1
@ -2211,7 +2216,7 @@ Resolves: #200110
* Mon Oct 27 2003 Dan Walsh <dwalsh@redhat.com> 1.3-2
- Fix x86_64 build
* Wed Oct 21 2003 Dan Walsh <dwalsh@redhat.com> 1.3-1
* Wed Oct 22 2003 Dan Walsh <dwalsh@redhat.com> 1.3-1
- Latest tarball from NSA.
* Tue Oct 21 2003 Dan Walsh <dwalsh@redhat.com> 1.2-9
@ -2235,12 +2240,12 @@ Resolves: #200110
* Fri Sep 12 2003 Dan Walsh <dwalsh@redhat.com> 1.2-3
- Update with latest from NSA.
* Fri Aug 28 2003 Dan Walsh <dwalsh@redhat.com> 1.2-2
* Thu Aug 28 2003 Dan Walsh <dwalsh@redhat.com> 1.2-2
- Fix to build on x86_64
* Thu Aug 21 2003 Dan Walsh <dwalsh@redhat.com> 1.2-1
- update for version 1.2
* Wed May 27 2003 Dan Walsh <dwalsh@redhat.com> 1.0-1
* Tue May 27 2003 Dan Walsh <dwalsh@redhat.com> 1.0-1
- Initial version