@ -128,6 +128,190 @@ index 0000000..8077658
|
|
|
|
|
+++ b/libselinux/man/man3/selinux_set_policy_root.3
|
|
|
|
|
@@ -0,0 +1 @@
|
|
|
|
|
+.so man3/selinux_policy_root.3
|
|
|
|
|
diff --git a/libselinux/man/man5/secolor.conf.5 b/libselinux/man/man5/secolor.conf.5
|
|
|
|
|
deleted file mode 100644
|
|
|
|
|
index b834577..0000000
|
|
|
|
|
--- a/libselinux/man/man5/secolor.conf.5
|
|
|
|
|
+++ /dev/null
|
|
|
|
|
@@ -1,178 +0,0 @@
|
|
|
|
|
-.TH "secolor.conf" "5" "08 April 2011" "SELinux API documentation"
|
|
|
|
|
-.SH "NAME"
|
|
|
|
|
-secolor.conf \- The SELinux color configuration file
|
|
|
|
|
-.
|
|
|
|
|
-.SH "DESCRIPTION"
|
|
|
|
|
-This optional file controls the color to be associated to the context components associated to the
|
|
|
|
|
-.I raw
|
|
|
|
|
-context passed by
|
|
|
|
|
-.BR selinux_raw_context_to_color "(3),"
|
|
|
|
|
-when context related information is to be displayed in color by an SELinux-aware application.
|
|
|
|
|
-.sp
|
|
|
|
|
-.BR selinux_raw_context_to_color "(3)"
|
|
|
|
|
-obtains this color information from the active policy
|
|
|
|
|
-.B secolor.conf
|
|
|
|
|
-file as returned by
|
|
|
|
|
-.BR selinux_colors_path "(3)."
|
|
|
|
|
-.
|
|
|
|
|
-.SH "FILE FORMAT"
|
|
|
|
|
-The file format is as follows:
|
|
|
|
|
-.RS
|
|
|
|
|
-.B color
|
|
|
|
|
-.I color_name
|
|
|
|
|
-.BI "= #"color_mask
|
|
|
|
|
-.br
|
|
|
|
|
-[...]
|
|
|
|
|
-.sp
|
|
|
|
|
-.I context_component string
|
|
|
|
|
-.B =
|
|
|
|
|
-.I fg_color_name bg_color_name
|
|
|
|
|
-.br
|
|
|
|
|
-[...]
|
|
|
|
|
-.sp
|
|
|
|
|
-.RE
|
|
|
|
|
-
|
|
|
|
|
-Where:
|
|
|
|
|
-.br
|
|
|
|
|
-.B color
|
|
|
|
|
-.RS
|
|
|
|
|
-The color keyword. Each color entry is on a new line.
|
|
|
|
|
-.RE
|
|
|
|
|
-.I color_name
|
|
|
|
|
-.RS
|
|
|
|
|
-A single word name for the color (e.g. red).
|
|
|
|
|
-.RE
|
|
|
|
|
-.I color_mask
|
|
|
|
|
-.RS
|
|
|
|
|
-A color mask starting with a hash (#) that describes the hexadecimal RGB colors with black being #000000 and white being #ffffff.
|
|
|
|
|
-.RE
|
|
|
|
|
-.I context_component
|
|
|
|
|
-.RS
|
|
|
|
|
-The context component name that must be one of the following:
|
|
|
|
|
-.br
|
|
|
|
|
-.RS
|
|
|
|
|
-user, role, type or range
|
|
|
|
|
-.RE
|
|
|
|
|
-Each
|
|
|
|
|
-.IR context_component " " string " ..."
|
|
|
|
|
-entry is on a new line.
|
|
|
|
|
-.RE
|
|
|
|
|
-.I string
|
|
|
|
|
-.RS
|
|
|
|
|
-This is the
|
|
|
|
|
-.I context_component
|
|
|
|
|
-string that will be matched with the
|
|
|
|
|
-.I raw
|
|
|
|
|
-context component passed by
|
|
|
|
|
-.BR selinux_raw_context_to_color "(3)."
|
|
|
|
|
-.br
|
|
|
|
|
-A wildcard '*' may be used to match any undefined string for the user, role and type
|
|
|
|
|
-.I context_component
|
|
|
|
|
-entries only.
|
|
|
|
|
-.RE
|
|
|
|
|
-
|
|
|
|
|
-.I fg_color_name
|
|
|
|
|
-.RS
|
|
|
|
|
-The color_name string that will be used as the foreground color.
|
|
|
|
|
-A
|
|
|
|
|
-.I color_mask
|
|
|
|
|
-may also be used.
|
|
|
|
|
-.RE
|
|
|
|
|
-.I bg_color_name
|
|
|
|
|
-.RS
|
|
|
|
|
-The color_name string that will be used as the background color.
|
|
|
|
|
-A
|
|
|
|
|
-.I color_mask
|
|
|
|
|
-may also be used.
|
|
|
|
|
-.RE
|
|
|
|
|
-.
|
|
|
|
|
-.SH "EXAMPLES"
|
|
|
|
|
-Example 1 entries are:
|
|
|
|
|
-.RS
|
|
|
|
|
-color black = #000000
|
|
|
|
|
-.br
|
|
|
|
|
-color green = #008000
|
|
|
|
|
-.br
|
|
|
|
|
-color yellow = #ffff00
|
|
|
|
|
-.br
|
|
|
|
|
-color blue = #0000ff
|
|
|
|
|
-.br
|
|
|
|
|
-color white = #ffffff
|
|
|
|
|
-.br
|
|
|
|
|
-color red = #ff0000
|
|
|
|
|
-.br
|
|
|
|
|
-color orange = #ffa500
|
|
|
|
|
-.br
|
|
|
|
|
-color tan = #D2B48C
|
|
|
|
|
-.sp
|
|
|
|
|
-user * = black white
|
|
|
|
|
-.br
|
|
|
|
|
-role * = white black
|
|
|
|
|
-.br
|
|
|
|
|
-type * = tan orange
|
|
|
|
|
-.br
|
|
|
|
|
-range s0\-s0:c0.c1023 = black green
|
|
|
|
|
-.br
|
|
|
|
|
-range s1\-s1:c0.c1023 = white green
|
|
|
|
|
-.br
|
|
|
|
|
-range s3\-s3:c0.c1023 = black tan
|
|
|
|
|
-.br
|
|
|
|
|
-range s5\-s5:c0.c1023 = white blue
|
|
|
|
|
-.br
|
|
|
|
|
-range s7\-s7:c0.c1023 = black red
|
|
|
|
|
-.br
|
|
|
|
|
-range s9\-s9:c0.c1023 = black orange
|
|
|
|
|
-.br
|
|
|
|
|
-range s15:c0.c1023 = black yellow
|
|
|
|
|
-.RE
|
|
|
|
|
-
|
|
|
|
|
-.sp
|
|
|
|
|
-Example 2 entries are:
|
|
|
|
|
-.RS
|
|
|
|
|
-color black = #000000
|
|
|
|
|
-.br
|
|
|
|
|
-color green = #008000
|
|
|
|
|
-.br
|
|
|
|
|
-color yellow = #ffff00
|
|
|
|
|
-.br
|
|
|
|
|
-color blue = #0000ff
|
|
|
|
|
-.br
|
|
|
|
|
-color white = #ffffff
|
|
|
|
|
-.br
|
|
|
|
|
-color red = #ff0000
|
|
|
|
|
-.br
|
|
|
|
|
-color orange = #ffa500
|
|
|
|
|
-.br
|
|
|
|
|
-color tan = #d2b48c
|
|
|
|
|
-.sp
|
|
|
|
|
-user unconfined_u = #ff0000 green
|
|
|
|
|
-.br
|
|
|
|
|
-role unconfined_r = red #ffffff
|
|
|
|
|
-.br
|
|
|
|
|
-type unconfined_t = red orange
|
|
|
|
|
-.br
|
|
|
|
|
-user user_u = black green
|
|
|
|
|
-.br
|
|
|
|
|
-role user_r = white black
|
|
|
|
|
-.br
|
|
|
|
|
-type user_t = tan red
|
|
|
|
|
-.br
|
|
|
|
|
-user xguest_u = black yellow
|
|
|
|
|
-.br
|
|
|
|
|
-role xguest_r = black red
|
|
|
|
|
-.br
|
|
|
|
|
-type xguest_t = black green
|
|
|
|
|
-.br
|
|
|
|
|
-user sysadm_u = white black
|
|
|
|
|
-.br
|
|
|
|
|
-range s0:c0.c1023 = black white
|
|
|
|
|
-.br
|
|
|
|
|
-user * = black white
|
|
|
|
|
-.br
|
|
|
|
|
-role * = black white
|
|
|
|
|
-.br
|
|
|
|
|
-type * = black white
|
|
|
|
|
-.RE
|
|
|
|
|
-.
|
|
|
|
|
-.SH "SEE ALSO"
|
|
|
|
|
-.BR selinux "(8), " selinux_raw_context_to_color "(3), " selinux_colors_path "(3)"
|
|
|
|
|
diff --git a/libselinux/man/man8/matchpathcon.8 b/libselinux/man/man8/matchpathcon.8
|
|
|
|
|
index 368991f..5d60789 100644
|
|
|
|
|
--- a/libselinux/man/man8/matchpathcon.8
|
|
|
|
@ -468,6 +652,30 @@ index b9e8002..355730a 100644
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
hidden_def(get_ordered_context_list)
|
|
|
|
|
diff --git a/libselinux/src/label.c b/libselinux/src/label.c
|
|
|
|
|
index 11f6e96..f5cb52a 100644
|
|
|
|
|
--- a/libselinux/src/label.c
|
|
|
|
|
+++ b/libselinux/src/label.c
|
|
|
|
|
@@ -43,12 +43,18 @@ static void selabel_subs_fini(struct selabel_sub *ptr)
|
|
|
|
|
static char *selabel_sub(struct selabel_sub *ptr, const char *src)
|
|
|
|
|
{
|
|
|
|
|
char *dst = NULL;
|
|
|
|
|
+ int len;
|
|
|
|
|
|
|
|
|
|
while (ptr) {
|
|
|
|
|
if (strncmp(src, ptr->src, ptr->slen) == 0 ) {
|
|
|
|
|
if (src[ptr->slen] == '/' ||
|
|
|
|
|
src[ptr->slen] == 0) {
|
|
|
|
|
- if (asprintf(&dst, "%s%s", ptr->dst, &src[ptr->slen]) < 0)
|
|
|
|
|
+ if ((src[ptr->slen] == '/') &&
|
|
|
|
|
+ (strcmp(ptr->dst, "/") == 0))
|
|
|
|
|
+ len = ptr->slen + 1;
|
|
|
|
|
+ else
|
|
|
|
|
+ len = ptr->slen;
|
|
|
|
|
+ if (asprintf(&dst, "%s%s", ptr->dst, &src[len]) < 0)
|
|
|
|
|
return NULL;
|
|
|
|
|
return dst;
|
|
|
|
|
}
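Review bot: The doubled-slash fix keyed on `strcmp(ptr->dst, "/") == 0` only triggers when the replacement is exactly the root directory; a substitution whose destination ends in a slash (say `/foo/`) still produces `/foo//bar` from the asprintf that follows. If such entries are possible in the subs file, test the last character of the destination instead: `size_t dlen = strlen(ptr->dst);` / `if (src[ptr->slen] == '/' && dlen > 0 && ptr->dst[dlen - 1] == '/')` / `len = ptr->slen + 1;`. `len` is also declared as `int` at function scope although it only ever holds `ptr->slen` or `ptr->slen + 1`; declaring it at first use with the same type as `slen` (not visible in the hunk) avoids a sign/width conversion.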
|
|
|
|
|
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
|
|
|
|
|
index 5f697f3..9b0d6b0 100644
|
|
|
|
|
--- a/libselinux/src/label_file.c
|
|
|
|
@ -511,19 +719,91 @@ index 2d7369e..2a00807 100644
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
|
|
|
|
|
index 6c5b45a..0a0dd3e 100644
|
|
|
|
|
index 6c5b45a..f6b896e 100644
|
|
|
|
|
--- a/libselinux/src/procattr.c
|
|
|
|
|
+++ b/libselinux/src/procattr.c
|
|
|
|
|
@@ -257,6 +257,7 @@ out:
|
|
|
|
|
@@ -9,13 +9,15 @@
|
|
|
|
|
#include "selinux_internal.h"
|
|
|
|
|
#include "policy.h"
|
|
|
|
|
|
|
|
|
|
+#define UNSET (const security_context_t) -1
|
|
|
|
|
+
|
|
|
|
|
static __thread pid_t cpid;
|
|
|
|
|
static __thread pid_t tid;
|
|
|
|
|
-static __thread security_context_t prev_current;
|
|
|
|
|
-static __thread security_context_t prev_exec;
|
|
|
|
|
-static __thread security_context_t prev_fscreate;
|
|
|
|
|
-static __thread security_context_t prev_keycreate;
|
|
|
|
|
-static __thread security_context_t prev_sockcreate;
|
|
|
|
|
+static __thread security_context_t prev_current = UNSET;
|
|
|
|
|
+static __thread security_context_t prev_exec = UNSET;
|
|
|
|
|
+static __thread security_context_t prev_fscreate = UNSET;
|
|
|
|
|
+static __thread security_context_t prev_keycreate = UNSET;
|
|
|
|
|
+static __thread security_context_t prev_sockcreate = UNSET;
|
|
|
|
|
|
|
|
|
|
static pthread_once_t once = PTHREAD_ONCE_INIT;
|
|
|
|
|
static pthread_key_t destructor_key;
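Review bot: `UNSET` is introduced without a comment saying that it is a sentinel distinct from NULL, which matters because the rest of the patch gives the two values different meanings (UNSET: nothing cached for this thread yet; NULL: the attribute was last set to NULL, as the `*prev_context = context` store in setprocattrcon_raw suggests). A one-line comment above the define would save the next reader from re-deriving this: `/* Sentinel for "not yet cached"; NULL is a valid cached value meaning the attribute was cleared. */`. The `const` in `(const security_context_t) -1` qualifies the pointer itself rather than the pointee, so it has no effect; the conventional spelling is `#define UNSET ((security_context_t) -1)` with the whole expansion parenthesized.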
|
|
|
|
|
@@ -29,11 +31,16 @@ static pid_t gettid(void)
|
|
|
|
|
|
|
|
|
|
static void procattr_thread_destructor(void __attribute__((unused)) *unused)
|
|
|
|
|
{
|
|
|
|
|
- free(prev_current);
|
|
|
|
|
- free(prev_exec);
|
|
|
|
|
- free(prev_fscreate);
|
|
|
|
|
- free(prev_keycreate);
|
|
|
|
|
- free(prev_sockcreate);
|
|
|
|
|
+ if (prev_current != UNSET)
|
|
|
|
|
+ free(prev_current);
|
|
|
|
|
+ if (prev_exec != UNSET)
|
|
|
|
|
+ free(prev_exec);
|
|
|
|
|
+ if (prev_fscreate != UNSET)
|
|
|
|
|
+ free(prev_fscreate);
|
|
|
|
|
+ if (prev_keycreate != UNSET)
|
|
|
|
|
+ free(prev_keycreate);
|
|
|
|
|
+ if (prev_sockcreate != UNSET)
|
|
|
|
|
+ free(prev_sockcreate);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void free_procattr(void)
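Review bot: The five `if (prev_x != UNSET) free(prev_x);` pairs in procattr_thread_destructor repeat the same sentinel check, and the same shape appears once more in the hunk ending at `*prev_context = context;` in setprocattrcon_raw; a small static helper keeps the UNSET rule in one place so that a future cached attribute cannot forget it: `static void free_context(security_context_t c) { if (c != UNSET) free(c); }` followed by `free_context(prev_current);` and so on. After the frees the thread-locals still hold dangling pointers; that is presumably harmless on the pthread-key destructor path, and free_procattr resets them to UNSET on its own path, but a comment such as `/* Callers that keep using this thread must reset the prev_* pointers to UNSET. */` would make that split of responsibility explicit.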
|
|
|
|
|
@@ -41,7 +48,7 @@ static void free_procattr(void)
|
|
|
|
|
procattr_thread_destructor(NULL);
|
|
|
|
|
tid = 0;
|
|
|
|
|
cpid = getpid();
|
|
|
|
|
- prev_current = prev_exec = prev_fscreate = prev_keycreate = prev_sockcreate = NULL;
|
|
|
|
|
+ prev_current = prev_exec = prev_fscreate = prev_keycreate = prev_sockcreate = UNSET;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void __attribute__((destructor)) procattr_destructor(void);
|
|
|
|
|
@@ -131,7 +138,7 @@ static int getprocattrcon_raw(security_context_t * context,
|
|
|
|
|
return -1;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
- if (prev_context) {
|
|
|
|
|
+ if (prev_context && prev_context != UNSET) {
|
|
|
|
|
*context = strdup(prev_context);
|
|
|
|
|
if (!(*context)) {
|
|
|
|
|
return -1;
|
|
|
|
|
@@ -230,7 +237,8 @@ static int setprocattrcon_raw(security_context_t context,
|
|
|
|
|
|
|
|
|
|
if (!context && !*prev_context)
|
|
|
|
|
return 0;
|
|
|
|
|
- if (context && *prev_context && !strcmp(context, *prev_context))
|
|
|
|
|
+ if (context && *prev_context && *prev_context != UNSET
|
|
|
|
|
+ && !strcmp(context, *prev_context))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
fd = openattr(pid, attr, O_RDWR);
|
|
|
|
|
@@ -257,6 +265,8 @@ out:
|
|
|
|
|
free(context);
|
|
|
|
|
return -1;
|
|
|
|
|
} else {
|
|
|
|
|
+ free(*prev_context);
|
|
|
|
|
+ if (*prev_context != UNSET)
|
|
|
|
|
+ free(*prev_context);
|
|
|
|
|
*prev_context = context;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
|
|
|
|
|
index 296f357..0040524 100644
|
|
|
|
|
index 296f357..9aee32f 100644
|
|
|
|
|
--- a/libselinux/src/selinux_config.c
|
|
|
|
|
+++ b/libselinux/src/selinux_config.c
|
|
|
|
|
@@ -8,6 +8,8 @@
|
|
|
|
@ -556,7 +836,7 @@ index 296f357..0040524 100644
|
|
|
|
|
+int selinux_set_policy_root(const char *path)
|
|
|
|
|
+{
|
|
|
|
|
+ int i;
|
|
|
|
|
+ char *policy_type = strchr(selinux_policyroot, '/');
|
|
|
|
|
+ char *policy_type = strrchr(path, '/');
|
|
|
|
|
+ if (!policy_type) {
|
|
|
|
|
+ errno = EINVAL;
|
|
|
|
|
+ return -1;
|
|
|
|
@ -631,6 +911,21 @@ index 2c7c85c..4a4aebc 100644
|
|
|
|
|
hidden_proto(selinux_binary_policy_path)
|
|
|
|
|
hidden_proto(selinux_booleans_subs_path)
|
|
|
|
|
hidden_proto(selinux_default_context_path)
|
|
|
|
|
diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
|
|
|
|
|
index 359bd02..0ab0bae 100644
|
|
|
|
|
--- a/libselinux/src/selinuxswig_python.i
|
|
|
|
|
+++ b/libselinux/src/selinuxswig_python.i
|
|
|
|
|
@@ -74,6 +74,10 @@ def install(src, dest):
|
|
|
|
|
$1 = &temp;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
+%typemap(in, numinputs=0) void *(char *temp=NULL) {
|
|
|
|
|
+ $1 = temp;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
/* Makes security_compute_user() return a Python list of contexts */
|
|
|
|
|
%typemap(argout) (security_context_t **con) {
|
|
|
|
|
PyObject* plist;
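Review bot: The new `%typemap(in, numinputs=0) void *(char *temp=NULL)` matches every `void *` parameter of every wrapped function, not only the one this change targets, so any existing or future binding that takes a `void *` argument silently loses it from the Python signature and receives NULL. SWIG typemaps can be restricted to a type-and-name pair (`void *NAME`); anchoring it to the parameter name of the function that needs it keeps the default behaviour for everything else. A short comment in the style of the `security_compute_user()` one just below, naming the function concerned, would also help, e.g. `/* Drops the unused void * argument of <FUNCTION> from the Python signature */` with the real name filled in.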
|
|
|
|
|
diff --git a/libselinux/src/setrans_internal.h b/libselinux/src/setrans_internal.h
|
|
|
|
|
index a801ee8..b3bdca2 100644
|
|
|
|
|
--- a/libselinux/src/setrans_internal.h
|
|
|
|
|