Fix restorecon python binding to accept relative paths

.gitignore

@@ -182,3 +182,5 @@ libselinux-2.0.96.tgz
 /libselinux-2.0.97.tgz
 /libselinux-2.0.98.tgz
 /libselinux-2.0.99.tgz
+/libselinux-2.0.101.tgz
+/libselinux-2.0.102.tgz

libselinux-rhat.patch

@@ -1,25 +1,3 @@
-diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
-index 0725b57..f110dcf 100644
---- a/libselinux/include/selinux/selinux.h
-+++ b/libselinux/include/selinux/selinux.h
-@@ -482,6 +482,7 @@ extern const char *selinux_file_context_path(void);
- extern const char *selinux_file_context_homedir_path(void);
- extern const char *selinux_file_context_local_path(void);
- extern const char *selinux_file_context_subs_path(void);
-+extern const char *selinux_file_context_subs_dist_path(void);
- extern const char *selinux_homedir_context_path(void);
- extern const char *selinux_media_context_path(void);
- extern const char *selinux_virtual_domain_context_path(void);
-@@ -514,6 +515,9 @@ extern int selinux_check_securetty_context(const security_context_t tty_context)
-    which performs the initial mount of selinuxfs. */
- void set_selinuxmnt(char *mnt);
- 
-+/* clear selinuxmnt variable and free allocated memory */
-+void fini_selinuxmnt(void);
-+
- /* Execute a helper for rpm in an appropriate security context. */
- extern int rpm_execcon(unsigned int verified,
- 		       const char *filename,
 diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
 index bf665ab..ccd08ae 100644
 --- a/libselinux/src/Makefile
@@ -196,99 +174,8 @@ index b245364..7c47222 100644
  	va_start(ap, fmt);
  	rc = vfprintf(stderr, fmt, ap);
  	va_end(ap);
-diff --git a/libselinux/src/file_path_suffixes.h b/libselinux/src/file_path_suffixes.h
-index ccf43e1..0b00156 100644
---- a/libselinux/src/file_path_suffixes.h
-+++ b/libselinux/src/file_path_suffixes.h
-@@ -23,4 +23,5 @@ S_(BINPOLICY, "/policy/policy")
-     S_(VIRTUAL_DOMAIN, "/contexts/virtual_domain_context")
-     S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context")
-     S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs")
-+    S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist")
-     S_(SEPGSQL_CONTEXTS, "/contexts/sepgsql_contexts")
-diff --git a/libselinux/src/init.c b/libselinux/src/init.c
-index 1dd9838..a948920 100644
---- a/libselinux/src/init.c
-+++ b/libselinux/src/init.c
-@@ -96,12 +96,14 @@ static void init_selinuxmnt(void)
- 	return;
- }
- 
--static void fini_selinuxmnt(void)
-+void fini_selinuxmnt(void)
- {
- 	free(selinux_mnt);
- 	selinux_mnt = NULL;
- }
- 
-+hidden_def(fini_selinuxmnt)
-+
- void set_selinuxmnt(char *mnt)
- {
- 	selinux_mnt = strdup(mnt);
-diff --git a/libselinux/src/label.c b/libselinux/src/label.c
-index 2fd19c5..ba316df 100644
---- a/libselinux/src/label.c
-+++ b/libselinux/src/label.c
-@@ -56,12 +56,11 @@ static char *selabel_sub(struct selabel_sub *ptr, const char *src)
- 	return NULL;
- }
- 
--static struct selabel_sub *selabel_subs_init(void)
-+static struct selabel_sub *selabel_subs_init(const char *path,struct selabel_sub *list)
- {
- 	char buf[1024];
--	FILE *cfg = fopen(selinux_file_context_subs_path(), "r");
-+	FILE *cfg = fopen(path, "r");
- 	struct selabel_sub *sub;
--	struct selabel_sub *list = NULL;
- 
- 	if (cfg) {
- 		while (fgets_unlocked(buf, sizeof(buf) - 1, cfg)) {
-@@ -160,7 +159,10 @@ struct selabel_handle *selabel_open(unsigned int backend,
- 	memset(rec, 0, sizeof(*rec));
- 	rec->backend = backend;
- 	rec->validating = selabel_is_validate_set(opts, nopts);
--	rec->subs = selabel_subs_init();
-+
-+	rec->subs = NULL;
-+	rec->subs = selabel_subs_init(selinux_file_context_subs_dist_path(), rec->subs);
-+	rec->subs = selabel_subs_init(selinux_file_context_subs_path(), rec->subs);
- 
- 	if ((*initfuncs[backend])(rec, opts, nopts)) {
- 		free(rec);
-diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
-index 36ce029..83d2143 100644
---- a/libselinux/src/load_policy.c
-+++ b/libselinux/src/load_policy.c
-@@ -329,7 +329,7 @@ int selinux_init_load_policy(int *enforce)
- 	selinux_getenforcemode(&seconfig);
- 
- 	/* Check for an override of the mode via the kernel command line. */
--	rc = mount("none", "/proc", "proc", 0, 0);
-+	rc = mount("proc", "/proc", "proc", 0, 0);
- 	cfg = fopen("/proc/cmdline", "r");
- 	if (cfg) {
- 		char *tmp;
-@@ -369,7 +369,7 @@ int selinux_init_load_policy(int *enforce)
- 	 * Check for the existence of SELinux via selinuxfs, and 
- 	 * mount it if present for use in the calls below.  
- 	 */
--	if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) {
-+	if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) {
- 		if (errno == ENODEV) {
- 			/*
- 			 * SELinux was disabled in the kernel, either
-@@ -398,6 +398,7 @@ int selinux_init_load_policy(int *enforce)
- 		if (rc == 0) {
- 			/* Successfully disabled, so umount selinuxfs too. */
- 			umount(SELINUXMNT);
-+			fini_selinuxmnt();
- 		}
- 		/*
- 		 * If we failed to disable, SELinux will still be 
 diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
-index f3e45af..da5cab9 100644
+index 5fd8fe4..da5cab9 100644
 --- a/libselinux/src/matchpathcon.c
 +++ b/libselinux/src/matchpathcon.c
 @@ -2,6 +2,7 @@
@@ -299,15 +186,7 @@ index f3e45af..da5cab9 100644
  #include "selinux_internal.h"
  #include "label_internal.h"
  #include "callbacks.h"
-@@ -17,6 +18,7 @@ static __thread int con_array_used;
- 
- static pthread_once_t once = PTHREAD_ONCE_INIT;
- static pthread_key_t destructor_key;
-+static int destructor_key_initialized = 0;
- 
- static int add_array_elt(char *con)
- {
-@@ -60,7 +62,7 @@ static void
+@@ -61,7 +62,7 @@ static void
  {
  	va_list ap;
  	va_start(ap, fmt);
@@ -316,25 +195,8 @@ index f3e45af..da5cab9 100644
  	va_end(ap);
  }
  
-@@ -292,12 +294,14 @@ static void matchpathcon_thread_destructor(void __attribute__((unused)) *ptr)
- 
- void __attribute__((destructor)) matchpathcon_lib_destructor(void)
- {
--	__selinux_key_delete(destructor_key);
-+	if (destructor_key_initialized)
-+		__selinux_key_delete(destructor_key);
- }
- 
- static void matchpathcon_init_once(void)
- {
--	__selinux_key_create(&destructor_key, matchpathcon_thread_destructor);
-+	if (__selinux_key_create(&destructor_key, matchpathcon_thread_destructor) == 0)
-+		destructor_key_initialized = 1;
- }
- 
- int matchpathcon_init_prefix(const char *path, const char *subset)
 diff --git a/libselinux/src/selinux.py b/libselinux/src/selinux.py
-index fd63a4f..705012c 100644
+index fd63a4f..248048a 100644
 --- a/libselinux/src/selinux.py
 +++ b/libselinux/src/selinux.py
 @@ -1,5 +1,5 @@
@@ -344,7 +206,24 @@ index fd63a4f..705012c 100644
  #
  # Do not make changes to this file unless you know what you are doing--modify
  # the SWIG interface file instead.
-@@ -79,6 +79,14 @@ def restorecon(path, recursive=False):
+@@ -70,8 +70,14 @@ import shutil, os, stat
+ 
+ def restorecon(path, recursive=False):
+     """ Restore SELinux context on a given path """
+-    mode = os.lstat(path)[stat.ST_MODE]
+-    status, context = matchpathcon(path, mode)
++    try:
++        mode = os.lstat(path)[stat.ST_MODE]
++        status, context = matchpathcon(path, mode)
++    except OSError:
++        path = os.path.realpath(os.path.expanduser(path))
++        mode = os.lstat(path)[stat.ST_MODE]
++        status, context = matchpathcon(path, mode)
++
+     if status == 0:
+         lsetfilecon(path, context)
+         if recursive:
+@@ -79,6 +85,14 @@ def restorecon(path, recursive=False):
                               map(restorecon, [os.path.join(dirname, fname)
                                                for fname in fnames]), None)
  
@@ -359,7 +238,7 @@ index fd63a4f..705012c 100644
  def copytree(src, dest):
      """ An SELinux-friendly shutil.copytree method """
      shutil.copytree(src, dest)
-@@ -1588,6 +1596,7 @@ get_default_type = _selinux.get_default_type
+@@ -1588,6 +1602,7 @@ get_default_type = _selinux.get_default_type
  SELABEL_CTX_FILE = _selinux.SELABEL_CTX_FILE
  SELABEL_CTX_MEDIA = _selinux.SELABEL_CTX_MEDIA
  SELABEL_CTX_X = _selinux.SELABEL_CTX_X
@@ -367,7 +246,7 @@ index fd63a4f..705012c 100644
  SELABEL_OPT_UNUSED = _selinux.SELABEL_OPT_UNUSED
  SELABEL_OPT_VALIDATE = _selinux.SELABEL_OPT_VALIDATE
  SELABEL_OPT_BASEONLY = _selinux.SELABEL_OPT_BASEONLY
-@@ -1621,6 +1630,15 @@ SELABEL_X_EVENT = _selinux.SELABEL_X_EVENT
+@@ -1621,6 +1636,15 @@ SELABEL_X_EVENT = _selinux.SELABEL_X_EVENT
  SELABEL_X_SELN = _selinux.SELABEL_X_SELN
  SELABEL_X_POLYPROP = _selinux.SELABEL_X_POLYPROP
  SELABEL_X_POLYSELN = _selinux.SELABEL_X_POLYSELN
@@ -383,7 +262,7 @@ index fd63a4f..705012c 100644
  
  def is_selinux_enabled():
    return _selinux.is_selinux_enabled()
-@@ -2201,6 +2219,10 @@ def selinux_x_context_path():
+@@ -2201,6 +2225,10 @@ def selinux_x_context_path():
    return _selinux.selinux_x_context_path()
  selinux_x_context_path = _selinux.selinux_x_context_path
  
@@ -394,70 +273,29 @@ index fd63a4f..705012c 100644
  def selinux_contexts_path():
    return _selinux.selinux_contexts_path()
  selinux_contexts_path = _selinux.selinux_contexts_path
-diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
-index e040959..f4c33df 100644
---- a/libselinux/src/selinux_config.c
-+++ b/libselinux/src/selinux_config.c
-@@ -45,7 +45,8 @@
- #define VIRTUAL_IMAGE     22
- #define FILE_CONTEXT_SUBS 23
- #define SEPGSQL_CONTEXTS  24
--#define NEL               25
-+#define FILE_CONTEXT_SUBS_DIST 25
-+#define NEL               26
- 
- /* Part of one-time lazy init */
- static pthread_once_t once = PTHREAD_ONCE_INIT;
-@@ -423,6 +424,12 @@ const char * selinux_file_context_subs_path(void) {
- 
- hidden_def(selinux_file_context_subs_path)
- 
-+const char * selinux_file_context_subs_dist_path(void) {
-+	return get_path(FILE_CONTEXT_SUBS_DIST);
-+}
-+
-+hidden_def(selinux_file_context_subs_dist_path)
-+
- const char *selinux_sepgsql_context_path()
- {
- 	return get_path(SEPGSQL_CONTEXTS);
-diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
-index fdddfaf..806e87c 100644
---- a/libselinux/src/selinux_internal.h
-+++ b/libselinux/src/selinux_internal.h
-@@ -3,6 +3,7 @@
- #include "dso.h"
- 
- hidden_proto(selinux_mkload_policy)
-+    hidden_proto(fini_selinuxmnt)
-     hidden_proto(set_selinuxmnt)
-     hidden_proto(security_disable)
-     hidden_proto(security_policyvers)
-@@ -65,6 +66,7 @@ hidden_proto(selinux_mkload_policy)
-     hidden_proto(selinux_file_context_path)
-     hidden_proto(selinux_file_context_homedir_path)
-     hidden_proto(selinux_file_context_local_path)
-+    hidden_proto(selinux_file_context_subs_dist_path)
-     hidden_proto(selinux_file_context_subs_path)
-     hidden_proto(selinux_netfilter_context_path)
-     hidden_proto(selinux_homedir_context_path)
-@@ -114,10 +116,7 @@ extern int selinux_page_size hidden;
- 
- /* Pthread key macros */
- #define __selinux_key_create(KEY, DESTRUCTOR)			\
--	do {							\
--		if (pthread_key_create != NULL)			\
--			pthread_key_create(KEY, DESTRUCTOR);	\
--	} while (0)
-+	(pthread_key_create != NULL ? pthread_key_create(KEY, DESTRUCTOR) : -1)
- 
- #define __selinux_key_delete(KEY)				\
- 	do {							\
 diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
-index dea0e80..bb227e9 100644
+index dea0e80..12fba6d 100644
 --- a/libselinux/src/selinuxswig_python.i
 +++ b/libselinux/src/selinuxswig_python.i
-@@ -45,7 +45,7 @@ def install(src, dest):
+@@ -12,8 +12,15 @@ import shutil, os, stat
+ 
+ def restorecon(path, recursive=False):
+     """ Restore SELinux context on a given path """
+-    mode = os.lstat(path)[stat.ST_MODE]
+-    status, context = matchpathcon(path, mode)
++
++    try:
++        mode = os.lstat(path)[stat.ST_MODE]
++        status, context = matchpathcon(path, mode)
++    except OSError:
++        path = os.path.realpath(os.path.expanduser(path))
++        mode = os.lstat(path)[stat.ST_MODE]
++        status, context = matchpathcon(path, mode)
++
+     if status == 0:
+         lsetfilecon(path, context)
+         if recursive:
+@@ -45,7 +52,7 @@ def install(src, dest):
  	PyObject* list = PyList_New(*$2);
  	int i;
  	for (i = 0; i < *$2; i++) {
@@ -466,7 +304,7 @@ index dea0e80..bb227e9 100644
  	}
  	$result = SWIG_Python_AppendOutput($result, list);
  }
-@@ -74,7 +74,9 @@ def install(src, dest):
+@@ -74,7 +81,9 @@ def install(src, dest):
  			len++;
  		plist = PyList_New(len);
  		for (i = 0; i < len; i++) {
@@ -477,7 +315,7 @@ index dea0e80..bb227e9 100644
  		}
  	} else {
  		plist = PyList_New(0);
-@@ -91,7 +93,9 @@ def install(src, dest):
+@@ -91,7 +100,9 @@ def install(src, dest):
  	if (*$1) {
  		plist = PyList_New(result);
  		for (i = 0; i < result; i++) {
@@ -488,7 +326,7 @@ index dea0e80..bb227e9 100644
  		}
  	} else {
  		plist = PyList_New(0);
-@@ -144,16 +148,20 @@ def install(src, dest):
+@@ -144,16 +155,20 @@ def install(src, dest):
  	$1 = (char**) malloc(size + 1);
  
  	for(i = 0; i < size; i++) {
@@ -1537,36 +1375,3 @@ index e0884f6..b131d2e 100644
    SWIG_Python_SetConstant(d, "SELINUX_AVD_FLAGS_PERMISSIVE",SWIG_From_int((int)(0x0001)));
    SWIG_Python_SetConstant(d, "SELINUX_CB_LOG",SWIG_From_int((int)(0)));
    SWIG_Python_SetConstant(d, "SELINUX_CB_AUDIT",SWIG_From_int((int)(1)));
-diff --git a/libselinux/src/setrans_client.c b/libselinux/src/setrans_client.c
-index 4bdbe08..e074142 100644
---- a/libselinux/src/setrans_client.c
-+++ b/libselinux/src/setrans_client.c
-@@ -35,6 +35,7 @@ static __thread security_context_t prev_r2c_raw = NULL;
- 
- static pthread_once_t once = PTHREAD_ONCE_INIT;
- static pthread_key_t destructor_key;
-+static int destructor_key_initialized = 0;
- static __thread char destructor_initialized;
- 
- /*
-@@ -254,7 +255,8 @@ static void setrans_thread_destructor(void __attribute__((unused)) *unused)
- 
- void __attribute__((destructor)) setrans_lib_destructor(void)
- {
--	__selinux_key_delete(destructor_key);
-+	if (destructor_key_initialized)
-+		__selinux_key_delete(destructor_key);
- }
- 
- static inline void init_thread_destructor(void)
-@@ -267,7 +269,9 @@ static inline void init_thread_destructor(void)
- 
- static void init_context_translations(void)
- {
--	__selinux_key_create(&destructor_key, setrans_thread_destructor);
-+	if (__selinux_key_create(&destructor_key, setrans_thread_destructor) == 0)
-+		destructor_key_initialized = 1;
-+
- 	mls_enabled = is_selinux_mls_enabled();
- }
- 

libselinux.spec

@@ -1,13 +1,13 @@
 %global with_python3 1
 
 %define ruby_sitearch %(ruby -rrbconfig -e "puts Config::CONFIG['sitearchdir']")
-%define libsepolver 2.0.32-1
+%define libsepolver 2.0.42-1
 %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
 
 Summary: SELinux library and simple utilities
 Name: libselinux
-Version: 2.0.101
-Release: 1%{?dist}
+Version: 2.0.102
+Release: 2%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 Source: http://www.nsa.gov/research/selinux/%{name}-%{version}.tgz
@@ -236,6 +236,19 @@ exit 0
 %{ruby_sitearch}/selinux.so
 
 %changelog
+* Wed Apr 13 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.102-2
+- Fix restorecon python binding to accept relative paths
+
+* Tue Apr 12 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.102-1
+-Update to upstream
+	* Give correct names to mount points in load_policy by Dan Walsh.
+	* Make sure selinux state is reported correctly if selinux is disabled or
+	fails to load by Dan Walsh.
+	* Fix crash if selinux_key_create was never called by Dan Walsh.
+	* Add new file_context.subs_dist for distro specific filecon substitutions
+	by Dan Walsh.
+	* Update man pages for selinux_color_* functions by Richard Haines.
+
 * Wed Apr 5 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.101-1
 - Clean up patch to make handling of constructor  cleanup more portable
   * db_language object class support for selabel_lookup from KaiGai Kohei.

sources

@@ -1 +1 @@
-14d969b13c42e72c477cb3543b52c427  libselinux-2.0.101.tgz
+148de887b85cbe1e1da46af360a911f0  libselinux-2.0.102.tgz