From edd5aaafc0ae153141117e68135f7aea42c066f1 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Fri, 16 Nov 2012 16:49:57 -0500 Subject: [PATCH] Return EPERM if login program can not reach default label for user - Attempt to return container info from audit2why --- libselinux-rhat.patch | 46 +++++++++++++++++++++++++++++++- libselinux.spec | 61 +++++++++++++++++++++++-------------------- 2 files changed, 78 insertions(+), 29 deletions(-) diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch index 2157f0f..bd52906 100644 --- a/libselinux-rhat.patch +++ b/libselinux-rhat.patch @@ -126,7 +126,7 @@ index 9f16f77..4835f2f 100644 .SH FILES /etc/selinux/config diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c -index 02483a3..c804e84 100644 +index 02483a3..647ea4c 100644 --- a/libselinux/src/audit2why.c +++ b/libselinux/src/audit2why.c @@ -164,6 +164,9 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args) 
@@ -191,6 +191,32 @@ index 02483a3..c804e84 100644 if (!PyArg_ParseTuple(args,(char *)"|s:policy_init",&init_path)) return NULL; result = __policy_init(init_path); +@@ -306,6 +298,7 @@ static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) { + return result; + + static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args) { ++ char *reason_buf = NULL; + security_context_t scon; + security_context_t tcon; + char *tclassstr; +@@ -376,7 +369,7 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args + } + + /* Reproduce the computation. */ +- rc = sepol_compute_av_reason(ssid, tsid, tclass, av, &avd, &reason); ++ rc = sepol_compute_av_reason_buffer(ssid, tsid, tclass, av, &avd, &reason, &reason_buf); + if (rc < 0) { + RETURN(BADCOMPUTE) + } +@@ -417,6 +410,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args + } + + if (reason & SEPOL_COMPUTEAV_CONS) { ++ printf("%s\n", reason_buf); ++ free(reason_buf); + RETURN(CONSTRAINT); + } + diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c index 802a07f..6ff83a7 100644 --- a/libselinux/src/avc.c @@ -213,6 +239,24 @@ index 825f295..d11c8dc 100644 S_(SEPGSQL_CONTEXTS, "/contexts/sepgsql_contexts") - S_(BOOLEAN_SUBS, "/booleans.subs") + S_(BOOLEAN_SUBS, "/booleans.subs_dist") +diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c +index e02157c..e653ecc 100644 +--- a/libselinux/src/get_context_list.c ++++ b/libselinux/src/get_context_list.c +@@ -489,7 +489,12 @@ int get_ordered_context_list(const char *user, + reachable[nordered] = NULL; + rc = nordered; + } else { +- rc = nreach; ++ if (security_getenforce()) { ++ errno = EPERM; ++ rc = -1; ++ } else { ++ rc = nreach; ++ } + } + + out: diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c index 02b3cd2..301e4d6 100644 --- a/libselinux/src/label_file.c 
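Review bot: `reason_buf` is released only inside the `SEPOL_COMPUTEAV_CONS` branch, so if sepol_compute_av_reason_buffer() has filled it and analyze() leaves through an earlier `RETURN(...)` (the `rc < 0` BADCOMPUTE return is visible here; the other reason checks sit outside the hunk), the buffer leaks; freeing it once on every exit after the compute call, or right after it has been consumed, would close that. The new `printf("%s\n", reason_buf)` also writes the constraint text to the process's stdout instead of handing it back to the Python caller, which is what the commit title promises ("container" presumably meaning constraint), and it dereferences `reason_buf` without a NULL check even though it is initialised to NULL and the library may leave it untouched when no constraint reason applies; `if (reason_buf) { printf("%s\n", reason_buf); free(reason_buf); }` is the minimal guard, returning the string through Py_BuildValue the better fix. A comment on the declaration, `/* heap string filled by sepol_compute_av_reason_buffer(); owned and freed here */`, would record the ownership. The body of analyze() starts and ends outside this hunk.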
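Review bot: The new `if (security_getenforce())` treats the -1 that security_getenforce() returns on error the same as enforcing mode, so a login program also receives EPERM when the enforcement state cannot be read; failing closed is the right choice on a login path, but it reads like an oversight, so a comment such as `/* Enforcing, or enforcement state unknown: refuse rather than hand back a non-default context */` above the check would make the intent explicit. errno is set to EPERM before `rc = -1`, but the cleanup after `out:` lies outside the hunk, so it should be confirmed that nothing there (free, close) can overwrite errno before the caller reads it. The -1/EPERM result changes the documented contract of get_ordered_context_list(), and the patch does not touch its man page; the EPERM case belongs in the RETURN VALUE section there. The function begins before this hunk and continues past it.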
diff --git a/libselinux.spec b/libselinux.spec index 43a057e..f76c2cd 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -10,7 +10,7 @@ Summary: SELinux library and simple utilities Name: libselinux Version: 2.1.12 -Release: 7%{?dist} +Release: 8%{?dist} License: Public Domain Group: System Environment/Libraries Source: %{name}-%{version}.tgz @@ -241,6 +241,10 @@ rm -rf %{buildroot} %{ruby_sitearch}/selinux.so %changelog +* Fri Nov 16 2012 Dan Walsh - 2.1.12-8 +- Return EPERM if login program can not reach default label for user +- Attempt to return container info from audit2why + * Thu Nov 1 2012 Dan Walsh - 2.1.12-7 - Apply patch from eparis to fix leaked file descriptor in new labeling code @@ -401,7 +405,7 @@ rm -rf %{buildroot} * Cleanup Man pages * merge freecon with getcon man page -* Mon Dec 18 2011 Dan Walsh - 2.1.8-5 +* Mon Dec 19 2011 Dan Walsh - 2.1.8-5 - Add patch from Richard Haines When selabel_lookup found an invalid context with validation enabled, it always stated it was 'file_contexts' whether media, x, db or file. @@ -558,7 +562,7 @@ context by Dan Walsh. * Update man pages for selinux_color_* functions by Richard Haines. -* Wed Apr 5 2011 Dan Walsh - 2.0.101-1 +* Wed Apr 6 2011 Dan Walsh - 2.0.101-1 - Clean up patch to make handling of constructor cleanup more portable * db_language object class support for selabel_lookup from KaiGai Kohei. * Library destructors for thread local storage keys from Eamon Walsh. @@ -607,10 +611,10 @@ pthread_key_delete, and is ignored. - Update to upstream * Thread local storage fixes from Eamon Walsh. -* Wed Dec 2 2010 Dan Walsh - 2.0.96-9 +* Sat Dec 4 2010 Dan Walsh - 2.0.96-9 - Add /etc/tmpfiles.d support for /var/run/setrans -* Sun Nov 24 2010 Dan Walsh - 2.0.96-8 +* Wed Nov 24 2010 Dan Walsh - 2.0.96-8 - Ghost /var/run/setrans * Wed Sep 29 2010 jkeating - 2.0.96-7 
@@ -643,7 +647,7 @@ pthread_key_delete, and is ignored. * Wed Mar 24 2010 Dan Walsh - 2.0.94-1 * Set errno=EINVAL for invalid contexts from Dan Walsh. -* Sun Mar 16 2010 Dan Walsh - 2.0.93-1 +* Tue Mar 16 2010 Dan Walsh - 2.0.93-1 - Update to upstream * Show strerror for security_getenforce() by Colin Waters. * Merged selabel database support by KaiGai Kohei. @@ -1172,23 +1176,23 @@ pthread_key_delete, and is ignored. * Merged patch to drop support for old /etc/sysconfig/selinux and /etc/security policy file layout from Steve Grubb. -* Tue Mar 8 2007 Dan Walsh - 2.0.5-2 +* Thu Mar 8 2007 Dan Walsh - 2.0.5-2 - Do not fail on permission denied in getsebool * Tue Feb 27 2007 Dan Walsh - 2.0.5-1 - Upgrade to upstream * Merged init_selinuxmnt() and is_selinux_enabled() improvements from Steve Grubb. -* Fri Feb 21 2007 Dan Walsh - 2.0.4-1 +* Wed Feb 21 2007 Dan Walsh - 2.0.4-1 - Upgrade to upstream * Removed sending of setrans init message. * Merged matchpathcon memory leak fix from Steve Grubb. -* Thu Feb 20 2007 Dan Walsh - 2.0.2-1 +* Tue Feb 20 2007 Dan Walsh - 2.0.2-1 - Upgrade to upstream * Merged more swig initializers from Dan Walsh. -* Tue Feb 20 2007 Dan Walsh - 2.0.1-1 +* Sun Feb 18 2007 Dan Walsh - 2.0.1-1 - Upgrade to upstream * Merged patch from Todd Miller to convert int types over to C99 style. @@ -1208,7 +1212,8 @@ pthread_key_delete, and is ignored. * Wed Jan 17 2007 Dan Walsh - 1.33.6-1 - Upgrade to upstream * Merged man page updates to make "apropos selinux" work from Dan Walsh. -* Wed Jan 15 2007 Dan Walsh - 1.33.5-1 + +* Wed Jan 17 2007 Dan Walsh - 1.33.5-1 - Upgrade to upstream * Merged getdefaultcon utility from Dan Walsh. @@ -1274,7 +1279,7 @@ Resolves: #200110 * Wed Sep 27 2006 Jeremy Katz - 1.30.28-3 - really make -devel depend on libsepol-devel -* Wed Sep 25 2006 Dan Walsh - 1.30.28-2 +* Wed Sep 27 2006 Dan Walsh - 1.30.28-2 - Add sgrubb patch for polmatch * Wed Sep 13 2006 Dan Walsh - 1.30.28-1 
@@ -1441,7 +1446,7 @@ Resolves: #200110 a regular file. * Merged python binding t_output_helper removal patch from Dan Walsh. -* Mon Apr 11 2006 Dan Walsh 1.30.1-2 +* Tue Apr 11 2006 Dan Walsh 1.30.1-2 - Fix python bindings for matchpathcon - Fix booleans man page @@ -1476,7 +1481,7 @@ Resolves: #200110 - Upgrade to latest from NSA * Added getseuser test program. -* Fri Jan 7 2006 Dan Walsh 1.29.4-1 +* Fri Jan 6 2006 Dan Walsh 1.29.4-1 - Upgrade to latest from NSA * Added format attribute to myprintf in matchpathcon.c and removed obsoleted rootlen variable in init_selinux_config(). @@ -1682,13 +1687,13 @@ Resolves: #200110 - Update to latest from NSA - Add getseuserbyname -* Fri Sep 12 2005 Dan Walsh 1.26-6 +* Fri Sep 16 2005 Dan Walsh 1.26-6 - Fix patch call -* Tue Sep 12 2005 Dan Walsh 1.26-5 +* Tue Sep 13 2005 Dan Walsh 1.26-5 - Fix strip_con call -* Tue Sep 12 2005 Dan Walsh 1.26-3 +* Tue Sep 13 2005 Dan Walsh 1.26-3 - Go back to original libsetrans code * Mon Sep 12 2005 Dan Walsh 1.26-2 @@ -1754,13 +1759,13 @@ Resolves: #200110 * Changed security_load_booleans to process booleans.local even if booleans file doesn't exist. -* Fri Apr 26 2005 Dan Walsh 1.23.10-3 +* Fri Apr 29 2005 Dan Walsh 1.23.10-3 - Fix avcstat to clear totals -* Fri Apr 26 2005 Dan Walsh 1.23.10-2 +* Fri Apr 29 2005 Dan Walsh 1.23.10-2 - Add info to man page -* Fri Apr 26 2005 Dan Walsh 1.23.10-1 +* Fri Apr 29 2005 Dan Walsh 1.23.10-1 - Update from NSA * Merged set_selinuxmnt patch from Bill Nottingham (Red Hat). * Rewrote get_ordered_context_list and helpers, including @@ -1875,7 +1880,7 @@ Resolves: #200110 * Mon Jan 24 2005 Dan Walsh 1.21.1-3 - rpmexeccon should not fail in permissive mode. -* Fri Jan 20 2005 Dan Walsh 1.21.1-2 +* Fri Jan 21 2005 Dan Walsh 1.21.1-2 - fix printf in avcstat * Thu Jan 20 2005 Dan Walsh 1.21.1-1 
@@ -2039,7 +2044,7 @@ Resolves: #200110 - Update from NSA - Add optflags -* Fri Aug 26 2004 Dan Walsh 1.17.3-1 +* Fri Aug 27 2004 Dan Walsh 1.17.3-1 - Update from NSA * Thu Aug 26 2004 Dan Walsh 1.17.2-1 @@ -2081,7 +2086,7 @@ Resolves: #200110 * Thu Aug 12 2004 Dan Walsh 1.15.3-2 - Add man page for boolean functions and SELinux -* Sat Aug 8 2004 Dan Walsh 1.15.3-1 +* Sun Aug 8 2004 Dan Walsh 1.15.3-1 - Latest from NSA * Mon Jul 19 2004 Dan Walsh 1.15.2-1 @@ -2107,7 +2112,7 @@ Resolves: #200110 * Tue Jun 15 2004 Elliot Lee - rebuilt -* Sat Jun 13 2004 Dan Walsh 1.13.3-2 +* Sun Jun 13 2004 Dan Walsh 1.13.3-2 - Fix selinux_config to break once it finds SELINUXTYPE. * Fri May 28 2004 Dan Walsh 1.13.2-1 @@ -2119,7 +2124,7 @@ Resolves: #200110 * Mon May 17 2004 Dan Walsh 1.12-2 - add man patch -* Thu May 14 2004 Dan Walsh 1.12-1 +* Fri May 14 2004 Dan Walsh 1.12-1 - Update with latest from NSA * Wed May 5 2004 Dan Walsh 1.11.4-1 @@ -2211,7 +2216,7 @@ Resolves: #200110 * Mon Oct 27 2003 Dan Walsh 1.3-2 - Fix x86_64 build -* Wed Oct 21 2003 Dan Walsh 1.3-1 +* Wed Oct 22 2003 Dan Walsh 1.3-1 - Latest tarball from NSA. * Tue Oct 21 2003 Dan Walsh 1.2-9 @@ -2235,12 +2240,12 @@ Resolves: #200110 * Fri Sep 12 2003 Dan Walsh 1.2-3 - Update with latest from NSA. -* Fri Aug 28 2003 Dan Walsh 1.2-2 +* Thu Aug 28 2003 Dan Walsh 1.2-2 - Fix to build on x86_64 * Thu Aug 21 2003 Dan Walsh 1.2-1 - update for version 1.2 -* Wed May 27 2003 Dan Walsh 1.0-1 +* Tue May 27 2003 Dan Walsh 1.0-1 - Initial version