Fix patch that Handles substitutions for /

libselinux-rhat.patch

@@ -128,6 +128,190 @@ index 0000000..8077658
 +++ b/libselinux/man/man3/selinux_set_policy_root.3
 @@ -0,0 +1 @@
 +.so man3/selinux_policy_root.3
+diff --git a/libselinux/man/man5/secolor.conf.5 b/libselinux/man/man5/secolor.conf.5
+deleted file mode 100644
+index b834577..0000000
+--- a/libselinux/man/man5/secolor.conf.5
++++ /dev/null
+@@ -1,178 +0,0 @@
+-.TH "secolor.conf" "5" "08 April 2011" "SELinux API documentation"
+-.SH "NAME"
+-secolor.conf \- The SELinux color configuration file
+-.
+-.SH "DESCRIPTION"
+-This optional file controls the color to be associated to the context components associated to the 
+-.I raw
+-context passed by 
+-.BR selinux_raw_context_to_color "(3),"
+-when context related information is to be displayed in color by an SELinux-aware application. 
+-.sp
+-.BR selinux_raw_context_to_color "(3)"
+-obtains this color information from the active policy 
+-.B secolor.conf
+-file as returned by 
+-.BR selinux_colors_path "(3)."
+-.
+-.SH "FILE FORMAT"
+-The file format is as follows:
+-.RS
+-.B color
+-.I color_name
+-.BI "= #"color_mask
+-.br
+-[...]
+-.sp
+-.I context_component string
+-.B =
+-.I fg_color_name bg_color_name
+-.br
+-[...]
+-.sp 
+-.RE
+-
+-Where:
+-.br
+-.B color
+-.RS
+-The color keyword. Each color entry is on a new line.
+-.RE
+-.I color_name
+-.RS
+-A single word name for the color (e.g. red).
+-.RE
+-.I color_mask
+-.RS
+-A color mask starting with a hash (#) that describes the hexadecimal RGB colors with black being #000000 and white being #ffffff.
+-.RE
+-.I context_component
+-.RS
+-The context component name that must be one of the following:
+-.br
+-.RS
+-user, role, type or range 
+-.RE
+-Each
+-.IR context_component " " string " ..."
+-entry is on a new line.
+-.RE
+-.I string
+-.RS
+-This is the 
+-.I context_component
+-string that will be matched with the 
+-.I raw
+-context component passed by
+-.BR selinux_raw_context_to_color "(3)."
+-.br
+-A wildcard '*' may be used to match any undefined string for the user, role and type 
+-.I context_component
+-entries only.
+-.RE
+-
+-.I fg_color_name
+-.RS
+-The color_name string that will be used as the foreground color.
+-A 
+-.I color_mask
+-may also be used.
+-.RE
+-.I bg_color_name
+-.RS
+-The color_name string that will be used as the background color.
+-A 
+-.I color_mask
+-may also be used.
+-.RE
+-.
+-.SH "EXAMPLES"
+-Example 1 entries are:
+-.RS
+-color black  = #000000
+-.br
+-color green  = #008000
+-.br
+-color yellow = #ffff00
+-.br
+-color blue   = #0000ff
+-.br
+-color white  = #ffffff
+-.br
+-color red    = #ff0000
+-.br
+-color orange = #ffa500
+-.br
+-color tan    = #D2B48C
+-.sp
+-user * = black white
+-.br
+-role * = white black
+-.br
+-type * = tan orange
+-.br
+-range s0\-s0:c0.c1023 = black green
+-.br
+-range s1\-s1:c0.c1023 = white green
+-.br
+-range s3\-s3:c0.c1023 = black tan
+-.br
+-range s5\-s5:c0.c1023 = white blue
+-.br
+-range s7\-s7:c0.c1023 = black red
+-.br
+-range s9\-s9:c0.c1023 = black orange
+-.br
+-range s15:c0.c1023   = black yellow
+-.RE
+-
+-.sp
+-Example 2 entries are:
+-.RS
+-color black  = #000000
+-.br
+-color green  = #008000
+-.br
+-color yellow = #ffff00
+-.br
+-color blue   = #0000ff
+-.br
+-color white  = #ffffff
+-.br
+-color red    = #ff0000
+-.br
+-color orange = #ffa500
+-.br
+-color tan    = #d2b48c
+-.sp
+-user unconfined_u = #ff0000 green
+-.br
+-role unconfined_r = red #ffffff
+-.br
+-type unconfined_t = red orange
+-.br
+-user user_u       = black green
+-.br
+-role user_r       = white black
+-.br
+-type user_t       = tan red
+-.br
+-user xguest_u     = black yellow
+-.br
+-role xguest_r     = black red
+-.br
+-type xguest_t     = black green
+-.br
+-user sysadm_u     = white black
+-.br
+-range s0:c0.c1023 = black white
+-.br
+-user *            = black white
+-.br
+-role *            = black white
+-.br
+-type *            = black white
+-.RE
+-.
+-.SH "SEE ALSO"
+-.BR selinux "(8), " selinux_raw_context_to_color "(3), " selinux_colors_path "(3)"
 diff --git a/libselinux/man/man8/matchpathcon.8 b/libselinux/man/man8/matchpathcon.8
 index 368991f..5d60789 100644
 --- a/libselinux/man/man8/matchpathcon.8
@@ -468,6 +652,30 @@ index b9e8002..355730a 100644
  }
  
  hidden_def(get_ordered_context_list)
+diff --git a/libselinux/src/label.c b/libselinux/src/label.c
+index 11f6e96..f5cb52a 100644
+--- a/libselinux/src/label.c
++++ b/libselinux/src/label.c
+@@ -43,12 +43,18 @@ static void selabel_subs_fini(struct selabel_sub *ptr)
+ static char *selabel_sub(struct selabel_sub *ptr, const char *src)
+ {
+ 	char *dst = NULL;
++	int len;
+ 
+ 	while (ptr) {
+ 		if (strncmp(src, ptr->src, ptr->slen) == 0 ) {
+ 			if (src[ptr->slen] == '/' || 
+ 			    src[ptr->slen] == 0) {
+-				if (asprintf(&dst, "%s%s", ptr->dst, &src[ptr->slen]) < 0)
++				if ((src[ptr->slen] == '/') && 
++				    (strcmp(ptr->dst, "/") == 0))
++					len = ptr->slen + 1;
++				else
++					len = ptr->slen;
++				if (asprintf(&dst, "%s%s", ptr->dst, &src[len]) < 0)
+ 					return NULL;
+ 				return dst;
+ 			}
 diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
 index 5f697f3..9b0d6b0 100644
 --- a/libselinux/src/label_file.c
@@ -511,19 +719,91 @@ index 2d7369e..2a00807 100644
  }
  
 diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
-index 6c5b45a..0a0dd3e 100644
+index 6c5b45a..f6b896e 100644
 --- a/libselinux/src/procattr.c
 +++ b/libselinux/src/procattr.c
-@@ -257,6 +257,7 @@ out:
+@@ -9,13 +9,15 @@
+ #include "selinux_internal.h"
+ #include "policy.h"
+ 
++#define UNSET (const security_context_t) -1
++
+ static __thread pid_t cpid;
+ static __thread pid_t tid;
+-static __thread security_context_t prev_current;
+-static __thread security_context_t prev_exec;
+-static __thread security_context_t prev_fscreate;
+-static __thread security_context_t prev_keycreate;
+-static __thread security_context_t prev_sockcreate;
++static __thread security_context_t prev_current = UNSET;
++static __thread security_context_t prev_exec = UNSET;
++static __thread security_context_t prev_fscreate = UNSET;
++static __thread security_context_t prev_keycreate = UNSET;
++static __thread security_context_t prev_sockcreate = UNSET;
+ 
+ static pthread_once_t once = PTHREAD_ONCE_INIT;
+ static pthread_key_t destructor_key;
+@@ -29,11 +31,16 @@ static pid_t gettid(void)
+ 
+ static void procattr_thread_destructor(void __attribute__((unused)) *unused)
+ {
+-	free(prev_current);
+-	free(prev_exec);
+-	free(prev_fscreate);
+-	free(prev_keycreate);
+-	free(prev_sockcreate);
++	if (prev_current != UNSET)
++		free(prev_current);
++	if (prev_exec != UNSET)
++		free(prev_exec);
++	if (prev_fscreate != UNSET)
++		free(prev_fscreate);
++	if (prev_keycreate != UNSET)
++		free(prev_keycreate);
++	if (prev_sockcreate != UNSET)
++		free(prev_sockcreate);
+ }
+ 
+ static void free_procattr(void)
+@@ -41,7 +48,7 @@ static void free_procattr(void)
+ 	procattr_thread_destructor(NULL);
+ 	tid = 0;
+ 	cpid = getpid();
+-	prev_current = prev_exec = prev_fscreate = prev_keycreate = prev_sockcreate = NULL;
++	prev_current = prev_exec = prev_fscreate = prev_keycreate = prev_sockcreate = UNSET;
+ }
+ 
+ void __attribute__((destructor)) procattr_destructor(void);
+@@ -131,7 +138,7 @@ static int getprocattrcon_raw(security_context_t * context,
+ 			return -1;
+ 	};
+ 
+-	if (prev_context) {
++	if (prev_context && prev_context != UNSET) {
+ 		*context = strdup(prev_context);
+ 		if (!(*context)) {
+ 			return -1;
+@@ -230,7 +237,8 @@ static int setprocattrcon_raw(security_context_t context,
+ 
+ 	if (!context && !*prev_context)
+ 		return 0;
+-	if (context && *prev_context && !strcmp(context, *prev_context))
++	if (context && *prev_context && *prev_context != UNSET 
++	    && !strcmp(context, *prev_context))
+ 		return 0;
+ 
+ 	fd = openattr(pid, attr, O_RDWR);
+@@ -257,6 +265,8 @@ out:
  		free(context);
  		return -1;
  	} else {
-+		free(*prev_context);
++		if (*prev_context != UNSET)
++			free(*prev_context);
  		*prev_context = context;
  		return 0;
  	}
 diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
-index 296f357..0040524 100644
+index 296f357..9aee32f 100644
 --- a/libselinux/src/selinux_config.c
 +++ b/libselinux/src/selinux_config.c
 @@ -8,6 +8,8 @@
@@ -556,7 +836,7 @@ index 296f357..0040524 100644
 +int selinux_set_policy_root(const char *path)
 +{
 +	int i;
-+	char *policy_type = strchr(selinux_policyroot, '/');
++	char *policy_type = strrchr(path, '/');
 +	if (!policy_type) {
 +		errno = EINVAL;
 +		return -1;
@@ -631,6 +911,21 @@ index 2c7c85c..4a4aebc 100644
      hidden_proto(selinux_binary_policy_path)
      hidden_proto(selinux_booleans_subs_path)
      hidden_proto(selinux_default_context_path)
+diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
+index 359bd02..0ab0bae 100644
+--- a/libselinux/src/selinuxswig_python.i
++++ b/libselinux/src/selinuxswig_python.i
+@@ -74,6 +74,10 @@ def install(src, dest):
+   $1 = &temp;
+ }
+ 
++%typemap(in, numinputs=0) void *(char *temp=NULL) {
++	$1 = temp;
++}
++
+ /* Makes security_compute_user() return a Python list of contexts */
+ %typemap(argout) (security_context_t **con) {
+ 	PyObject* plist;
 diff --git a/libselinux/src/setrans_internal.h b/libselinux/src/setrans_internal.h
 index a801ee8..b3bdca2 100644
 --- a/libselinux/src/setrans_internal.h

libselinux.spec

@@ -10,7 +10,7 @@
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 2.1.13
-Release: 9%{?dist}
+Release: 15%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 Source: %{name}-%{version}.tgz
@@ -241,6 +241,25 @@ rm -rf %{buildroot}
 %{ruby_sitearch}/selinux.so
 
 %changelog
+* Mon May 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-15
+- Fix patch that Handles substitutions for /
+
+* Wed Apr 17 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-14
+- Handle substitutions for /
+- semanage fcontext -a -e  / /opt/rh/devtoolset-2/root
+
+* Tue Apr 9 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-13
+- Add Eric Paris patch to fix procattr calls after a fork.
+
+* Tue Mar 26 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-12
+- Move secolor.conf.5 into mcstrans package and out of libselinux 
+
+* Wed Mar 20 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-11
+- Fix python bindings for selinux_check_access
+
+* Tue Mar 19 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-10
+- Fix reseting the policy root in matchpathcon
+
 * Wed Mar 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-9
 - Cleanup setfcontext_compile atomic patch
 - Add matchpathcon -P /etc/selinux/mls support by allowing users to set alternate root