Return EPERM if login program can not reach default label for user

- Attempt to return container info from audit2why
Dan Walsh 2012-11-16 16:49:57 -05:00
parent 8c2b32a881
commit edd5aaafc0
2 changed files with 78 additions and 29 deletions


@ -126,7 +126,7 @@ index 9f16f77..4835f2f 100644
.SH FILES .SH FILES
/etc/selinux/config /etc/selinux/config
diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
index 02483a3..c804e84 100644 index 02483a3..647ea4c 100644
--- a/libselinux/src/audit2why.c --- a/libselinux/src/audit2why.c
+++ b/libselinux/src/audit2why.c +++ b/libselinux/src/audit2why.c
@@ -164,6 +164,9 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args) @@ -164,6 +164,9 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args)
@ -191,6 +191,32 @@ index 02483a3..c804e84 100644
if (!PyArg_ParseTuple(args,(char *)"|s:policy_init",&init_path)) if (!PyArg_ParseTuple(args,(char *)"|s:policy_init",&init_path))
return NULL; return NULL;
result = __policy_init(init_path); result = __policy_init(init_path);
@@ -306,6 +298,7 @@ static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) {
return result;
static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args) {
+ char *reason_buf = NULL;
security_context_t scon;
security_context_t tcon;
char *tclassstr;
@@ -376,7 +369,7 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
}
/* Reproduce the computation. */
- rc = sepol_compute_av_reason(ssid, tsid, tclass, av, &avd, &reason);
+ rc = sepol_compute_av_reason_buffer(ssid, tsid, tclass, av, &avd, &reason, &reason_buf);
if (rc < 0) {
RETURN(BADCOMPUTE)
}
@@ -417,6 +410,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
}
if (reason & SEPOL_COMPUTEAV_CONS) {
+ printf("%s\n", reason_buf);
+ free(reason_buf);
RETURN(CONSTRAINT);
}
diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index 802a07f..6ff83a7 100644 index 802a07f..6ff83a7 100644
--- a/libselinux/src/avc.c --- a/libselinux/src/avc.c
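Review bot: reason_buf is freed only inside the SEPOL_COMPUTEAV_CONS branch of analyze(); if sepol_compute_av_reason_buffer() allocates the buffer for other outcomes, or analyze() leaves through one of the earlier RETURN() paths after the call, that allocation leaks, so the free(reason_buf) belongs on every exit path after the call rather than in one branch. Printing the constraint text with printf("%s\n", reason_buf) from a Python extension also writes it to the process's stdout instead of handing it to the caller; returning it alongside the CONSTRAINT code (for example as part of the analyze() result) is what would let audit2why actually report it. Nothing in the visible spec hunks raises the libsepol build dependency, yet the new sepol_compute_av_reason_buffer() entry point has to exist in the libsepol this package is built against, so the BuildRequires should be checked.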
@ -213,6 +239,24 @@ index 825f295..d11c8dc 100644
S_(SEPGSQL_CONTEXTS, "/contexts/sepgsql_contexts") S_(SEPGSQL_CONTEXTS, "/contexts/sepgsql_contexts")
- S_(BOOLEAN_SUBS, "/booleans.subs") - S_(BOOLEAN_SUBS, "/booleans.subs")
+ S_(BOOLEAN_SUBS, "/booleans.subs_dist") + S_(BOOLEAN_SUBS, "/booleans.subs_dist")
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
index e02157c..e653ecc 100644
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@@ -489,7 +489,12 @@ int get_ordered_context_list(const char *user,
reachable[nordered] = NULL;
rc = nordered;
} else {
- rc = nreach;
+ if (security_getenforce()) {
+ errno = EPERM;
+ rc = -1;
+ } else {
+ rc = nreach;
+ }
}
out:
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 02b3cd2..301e4d6 100644 index 02b3cd2..301e4d6 100644
--- a/libselinux/src/label_file.c --- a/libselinux/src/label_file.c
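Review bot: the else branch in get_ordered_context_list() now fails closed with errno = EPERM only when security_getenforce() is non-zero; because security_getenforce() returns -1 on error, an unreadable selinuxfs is treated the same as enforcing mode, which is the safe direction but deserves a comment so it is not "fixed" later. In permissive mode the function still returns nreach for the no-reachable-context case, so callers see different return values for the same policy state depending on mode; that behaviour should be stated in the get_ordered_context_list man page. The BOOLEAN_SUBS rename from /booleans.subs to /booleans.subs_dist in the same patch is unrelated to either item in the commit message and the new changelog entry; it should be split out or at least listed there.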


@ -10,7 +10,7 @@
Summary: SELinux library and simple utilities Summary: SELinux library and simple utilities
Name: libselinux Name: libselinux
Version: 2.1.12 Version: 2.1.12
Release: 7%{?dist} Release: 8%{?dist}
License: Public Domain License: Public Domain
Group: System Environment/Libraries Group: System Environment/Libraries
Source: %{name}-%{version}.tgz Source: %{name}-%{version}.tgz
@ -241,6 +241,10 @@ rm -rf %{buildroot}
%{ruby_sitearch}/selinux.so %{ruby_sitearch}/selinux.so
%changelog %changelog
* Fri Nov 16 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-8
- Return EPERM if login program can not reach default label for user
- Attempt to return container info from audit2why
* Thu Nov 1 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-7 * Thu Nov 1 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-7
- Apply patch from eparis to fix leaked file descriptor in new labeling code - Apply patch from eparis to fix leaked file descriptor in new labeling code
@ -401,7 +405,7 @@ rm -rf %{buildroot}
* Cleanup Man pages * Cleanup Man pages
* merge freecon with getcon man page * merge freecon with getcon man page
* Mon Dec 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-5 * Mon Dec 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-5
- Add patch from Richard Haines - Add patch from Richard Haines
When selabel_lookup found an invalid context with validation enabled, it When selabel_lookup found an invalid context with validation enabled, it
always stated it was 'file_contexts' whether media, x, db or file. always stated it was 'file_contexts' whether media, x, db or file.
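Review bot: this and the following changelog hunks correct weekday/date mismatches in older entries (Dec 18 2011 was a Sunday, so the Mon entry becomes Dec 19), which silences rpmbuild's bogus-date warnings in %changelog but has nothing to do with either bullet in the commit message or the new 2.1.12-8 entry; mention the cleanup there so the release record explains the unrelated edits.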
@ -558,7 +562,7 @@ context
by Dan Walsh. by Dan Walsh.
* Update man pages for selinux_color_* functions by Richard Haines. * Update man pages for selinux_color_* functions by Richard Haines.
* Wed Apr 5 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.101-1 * Wed Apr 6 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.101-1
- Clean up patch to make handling of constructor cleanup more portable - Clean up patch to make handling of constructor cleanup more portable
* db_language object class support for selabel_lookup from KaiGai Kohei. * db_language object class support for selabel_lookup from KaiGai Kohei.
* Library destructors for thread local storage keys from Eamon Walsh. * Library destructors for thread local storage keys from Eamon Walsh.
@ -607,10 +611,10 @@ pthread_key_delete, and is ignored.
- Update to upstream - Update to upstream
* Thread local storage fixes from Eamon Walsh. * Thread local storage fixes from Eamon Walsh.
* Wed Dec 2 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-9 * Sat Dec 4 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-9
- Add /etc/tmpfiles.d support for /var/run/setrans - Add /etc/tmpfiles.d support for /var/run/setrans
* Sun Nov 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-8 * Wed Nov 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-8
- Ghost /var/run/setrans - Ghost /var/run/setrans
* Wed Sep 29 2010 jkeating - 2.0.96-7 * Wed Sep 29 2010 jkeating - 2.0.96-7
@ -643,7 +647,7 @@ pthread_key_delete, and is ignored.
* Wed Mar 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.94-1 * Wed Mar 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.94-1
* Set errno=EINVAL for invalid contexts from Dan Walsh. * Set errno=EINVAL for invalid contexts from Dan Walsh.
* Sun Mar 16 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.93-1 * Tue Mar 16 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.93-1
- Update to upstream - Update to upstream
* Show strerror for security_getenforce() by Colin Waters. * Show strerror for security_getenforce() by Colin Waters.
* Merged selabel database support by KaiGai Kohei. * Merged selabel database support by KaiGai Kohei.
@ -1172,23 +1176,23 @@ pthread_key_delete, and is ignored.
* Merged patch to drop support for old /etc/sysconfig/selinux and * Merged patch to drop support for old /etc/sysconfig/selinux and
/etc/security policy file layout from Steve Grubb. /etc/security policy file layout from Steve Grubb.
* Tue Mar 8 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.5-2 * Thu Mar 8 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.5-2
- Do not fail on permission denied in getsebool - Do not fail on permission denied in getsebool
* Tue Feb 27 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.5-1 * Tue Feb 27 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.5-1
- Upgrade to upstream - Upgrade to upstream
* Merged init_selinuxmnt() and is_selinux_enabled() improvements from Steve Grubb. * Merged init_selinuxmnt() and is_selinux_enabled() improvements from Steve Grubb.
* Fri Feb 21 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.4-1 * Wed Feb 21 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.4-1
- Upgrade to upstream - Upgrade to upstream
* Removed sending of setrans init message. * Removed sending of setrans init message.
* Merged matchpathcon memory leak fix from Steve Grubb. * Merged matchpathcon memory leak fix from Steve Grubb.
* Thu Feb 20 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.2-1 * Tue Feb 20 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.2-1
- Upgrade to upstream - Upgrade to upstream
* Merged more swig initializers from Dan Walsh. * Merged more swig initializers from Dan Walsh.
* Tue Feb 20 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-1 * Sun Feb 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-1
- Upgrade to upstream - Upgrade to upstream
* Merged patch from Todd Miller to convert int types over to C99 style. * Merged patch from Todd Miller to convert int types over to C99 style.
@ -1208,7 +1212,8 @@ pthread_key_delete, and is ignored.
* Wed Jan 17 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.6-1 * Wed Jan 17 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.6-1
- Upgrade to upstream - Upgrade to upstream
* Merged man page updates to make "apropos selinux" work from Dan Walsh. * Merged man page updates to make "apropos selinux" work from Dan Walsh.
* Wed Jan 15 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.5-1
* Wed Jan 17 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.5-1
- Upgrade to upstream - Upgrade to upstream
* Merged getdefaultcon utility from Dan Walsh. * Merged getdefaultcon utility from Dan Walsh.
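Review bot: the 1.33.5-1 entry now carries the same date (Wed Jan 17 2007) as the 1.33.6-1 entry directly above it; Jan 15 2007 was a Monday, so if only the weekday was wrong the smaller edit is "Mon Jan 15 2007", which also keeps the two releases on distinct dates. The hunk header also reports one more line in the new file (+1212,8) than in the old (-1208,7), and the rendered lines do not show what that extra line is; check that no stray line was introduced into the changelog.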
@ -1274,7 +1279,7 @@ Resolves: #200110
* Wed Sep 27 2006 Jeremy Katz <katzj@redhat.com> - 1.30.28-3 * Wed Sep 27 2006 Jeremy Katz <katzj@redhat.com> - 1.30.28-3
- really make -devel depend on libsepol-devel - really make -devel depend on libsepol-devel
* Wed Sep 25 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.28-2 * Wed Sep 27 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.28-2
- Add sgrubb patch for polmatch - Add sgrubb patch for polmatch
* Wed Sep 13 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.28-1 * Wed Sep 13 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.28-1
@ -1441,7 +1446,7 @@ Resolves: #200110
a regular file. a regular file.
* Merged python binding t_output_helper removal patch from Dan Walsh. * Merged python binding t_output_helper removal patch from Dan Walsh.
* Mon Apr 11 2006 Dan Walsh <dwalsh@redhat.com> 1.30.1-2 * Tue Apr 11 2006 Dan Walsh <dwalsh@redhat.com> 1.30.1-2
- Fix python bindings for matchpathcon - Fix python bindings for matchpathcon
- Fix booleans man page - Fix booleans man page
@ -1476,7 +1481,7 @@ Resolves: #200110
- Upgrade to latest from NSA - Upgrade to latest from NSA
* Added getseuser test program. * Added getseuser test program.
* Fri Jan 7 2006 Dan Walsh <dwalsh@redhat.com> 1.29.4-1 * Fri Jan 6 2006 Dan Walsh <dwalsh@redhat.com> 1.29.4-1
- Upgrade to latest from NSA - Upgrade to latest from NSA
* Added format attribute to myprintf in matchpathcon.c and * Added format attribute to myprintf in matchpathcon.c and
removed obsoleted rootlen variable in init_selinux_config(). removed obsoleted rootlen variable in init_selinux_config().
@ -1682,13 +1687,13 @@ Resolves: #200110
- Update to latest from NSA - Update to latest from NSA
- Add getseuserbyname - Add getseuserbyname
* Fri Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-6 * Fri Sep 16 2005 Dan Walsh <dwalsh@redhat.com> 1.26-6
- Fix patch call - Fix patch call
* Tue Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-5 * Tue Sep 13 2005 Dan Walsh <dwalsh@redhat.com> 1.26-5
- Fix strip_con call - Fix strip_con call
* Tue Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-3 * Tue Sep 13 2005 Dan Walsh <dwalsh@redhat.com> 1.26-3
- Go back to original libsetrans code - Go back to original libsetrans code
* Mon Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-2 * Mon Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-2
@ -1754,13 +1759,13 @@ Resolves: #200110
* Changed security_load_booleans to process booleans.local * Changed security_load_booleans to process booleans.local
even if booleans file doesn't exist. even if booleans file doesn't exist.
* Fri Apr 26 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-3 * Fri Apr 29 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-3
- Fix avcstat to clear totals - Fix avcstat to clear totals
* Fri Apr 26 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-2 * Fri Apr 29 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-2
- Add info to man page - Add info to man page
* Fri Apr 26 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-1 * Fri Apr 29 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-1
- Update from NSA - Update from NSA
* Merged set_selinuxmnt patch from Bill Nottingham (Red Hat). * Merged set_selinuxmnt patch from Bill Nottingham (Red Hat).
* Rewrote get_ordered_context_list and helpers, including * Rewrote get_ordered_context_list and helpers, including
@ -1875,7 +1880,7 @@ Resolves: #200110
* Mon Jan 24 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-3 * Mon Jan 24 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-3
- rpmexeccon should not fail in permissive mode. - rpmexeccon should not fail in permissive mode.
* Fri Jan 20 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-2 * Fri Jan 21 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-2
- fix printf in avcstat - fix printf in avcstat
* Thu Jan 20 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-1 * Thu Jan 20 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-1
@ -2039,7 +2044,7 @@ Resolves: #200110
- Update from NSA - Update from NSA
- Add optflags - Add optflags
* Fri Aug 26 2004 Dan Walsh <dwalsh@redhat.com> 1.17.3-1 * Fri Aug 27 2004 Dan Walsh <dwalsh@redhat.com> 1.17.3-1
- Update from NSA - Update from NSA
* Thu Aug 26 2004 Dan Walsh <dwalsh@redhat.com> 1.17.2-1 * Thu Aug 26 2004 Dan Walsh <dwalsh@redhat.com> 1.17.2-1
@ -2081,7 +2086,7 @@ Resolves: #200110
* Thu Aug 12 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-2 * Thu Aug 12 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-2
- Add man page for boolean functions and SELinux - Add man page for boolean functions and SELinux
* Sat Aug 8 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-1 * Sun Aug 8 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-1
- Latest from NSA - Latest from NSA
* Mon Jul 19 2004 Dan Walsh <dwalsh@redhat.com> 1.15.2-1 * Mon Jul 19 2004 Dan Walsh <dwalsh@redhat.com> 1.15.2-1
@ -2107,7 +2112,7 @@ Resolves: #200110
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com> * Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt - rebuilt
* Sat Jun 13 2004 Dan Walsh <dwalsh@redhat.com> 1.13.3-2 * Sun Jun 13 2004 Dan Walsh <dwalsh@redhat.com> 1.13.3-2
- Fix selinux_config to break once it finds SELINUXTYPE. - Fix selinux_config to break once it finds SELINUXTYPE.
* Fri May 28 2004 Dan Walsh <dwalsh@redhat.com> 1.13.2-1 * Fri May 28 2004 Dan Walsh <dwalsh@redhat.com> 1.13.2-1
@ -2119,7 +2124,7 @@ Resolves: #200110
* Mon May 17 2004 Dan Walsh <dwalsh@redhat.com> 1.12-2 * Mon May 17 2004 Dan Walsh <dwalsh@redhat.com> 1.12-2
- add man patch - add man patch
* Thu May 14 2004 Dan Walsh <dwalsh@redhat.com> 1.12-1 * Fri May 14 2004 Dan Walsh <dwalsh@redhat.com> 1.12-1
- Update with latest from NSA - Update with latest from NSA
* Wed May 5 2004 Dan Walsh <dwalsh@redhat.com> 1.11.4-1 * Wed May 5 2004 Dan Walsh <dwalsh@redhat.com> 1.11.4-1
@ -2211,7 +2216,7 @@ Resolves: #200110
* Mon Oct 27 2003 Dan Walsh <dwalsh@redhat.com> 1.3-2 * Mon Oct 27 2003 Dan Walsh <dwalsh@redhat.com> 1.3-2
- Fix x86_64 build - Fix x86_64 build
* Wed Oct 21 2003 Dan Walsh <dwalsh@redhat.com> 1.3-1 * Wed Oct 22 2003 Dan Walsh <dwalsh@redhat.com> 1.3-1
- Latest tarball from NSA. - Latest tarball from NSA.
* Tue Oct 21 2003 Dan Walsh <dwalsh@redhat.com> 1.2-9 * Tue Oct 21 2003 Dan Walsh <dwalsh@redhat.com> 1.2-9
@ -2235,12 +2240,12 @@ Resolves: #200110
* Fri Sep 12 2003 Dan Walsh <dwalsh@redhat.com> 1.2-3 * Fri Sep 12 2003 Dan Walsh <dwalsh@redhat.com> 1.2-3
- Update with latest from NSA. - Update with latest from NSA.
* Fri Aug 28 2003 Dan Walsh <dwalsh@redhat.com> 1.2-2 * Thu Aug 28 2003 Dan Walsh <dwalsh@redhat.com> 1.2-2
- Fix to build on x86_64 - Fix to build on x86_64
* Thu Aug 21 2003 Dan Walsh <dwalsh@redhat.com> 1.2-1 * Thu Aug 21 2003 Dan Walsh <dwalsh@redhat.com> 1.2-1
- update for version 1.2 - update for version 1.2
* Wed May 27 2003 Dan Walsh <dwalsh@redhat.com> 1.0-1 * Tue May 27 2003 Dan Walsh <dwalsh@redhat.com> 1.0-1
- Initial version - Initial version