232 lines
6.3 KiB
Diff
232 lines
6.3 KiB
Diff
diff --exclude-from=exclude -N -u -r nsalibselinux/ChangeLog libselinux-2.0.70/ChangeLog
|
|
--- nsalibselinux/ChangeLog 2008-08-01 06:48:06.000000000 -0400
|
|
+++ libselinux-2.0.70/ChangeLog 2008-08-01 06:51:25.000000000 -0400
|
|
@@ -1,6 +1,3 @@
|
|
-2.0.70 2008-07-30
|
|
- * Merge ruby bindings from Dan Walsh.
|
|
-
|
|
2.0.69 2008-07-29
|
|
* Handle duplicate file context regexes as a fatal error from Stephen Smalley.
|
|
This prevents adding them via semanage.
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/VERSION libselinux-2.0.70/VERSION
|
|
--- nsalibselinux/VERSION 2008-08-01 06:48:06.000000000 -0400
|
|
+++ libselinux-2.0.70/VERSION 2008-08-01 06:51:25.000000000 -0400
|
|
@@ -1 +1 @@
|
|
-2.0.70
|
|
+2.0.69
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxconlist.8 libselinux-2.0.70/man/man8/selinuxconlist.8
|
|
--- nsalibselinux/man/man8/selinuxconlist.8 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-2.0.70/man/man8/selinuxconlist.8 2008-08-01 06:51:25.000000000 -0400
|
|
@@ -0,0 +1,18 @@
|
|
+.TH "selinuxconlist" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
|
|
+.SH "NAME"
|
|
+selinuxconlist \- list all SELinux context reachable for user
|
|
+.SH "SYNOPSIS"
|
|
+.B selinuxconlist [-l level] user [context]
|
|
+
|
|
+.SH "DESCRIPTION"
|
|
+.B selinuxconlist
|
|
+reports the list of context reachable for user from the current context or specified context
|
|
+
|
|
+.B \-l level
|
|
+mcs/mls level
|
|
+
|
|
+.SH AUTHOR
|
|
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
|
+
|
|
+.SH "SEE ALSO"
|
|
+secon(8), selinuxdefcon(8)
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxdefcon.8 libselinux-2.0.70/man/man8/selinuxdefcon.8
|
|
--- nsalibselinux/man/man8/selinuxdefcon.8 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-2.0.70/man/man8/selinuxdefcon.8 2008-08-01 06:51:25.000000000 -0400
|
|
@@ -0,0 +1,19 @@
|
|
+.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
|
|
+.SH "NAME"
|
|
+selinuxdefcon \- list default SELinux context for user
|
|
+
|
|
+.SH "SYNOPSIS"
|
|
+.B selinuxdefcon [-l level] user [fromcon]
|
|
+
|
|
+.SH "DESCRIPTION"
|
|
+.B seconlist
|
|
+reports the default context for the specified user from current context or specified context
|
|
+
|
|
+.B \-l level
|
|
+mcs/mls level
|
|
+
|
|
+.SH AUTHOR
|
|
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
|
+
|
|
+.SH "SEE ALSO"
|
|
+secon(8), selinuxconlist(8)
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/src/callbacks.c libselinux-2.0.70/src/callbacks.c
|
|
--- nsalibselinux/src/callbacks.c 2008-06-12 23:25:14.000000000 -0400
|
|
+++ libselinux-2.0.70/src/callbacks.c 2008-08-01 06:51:25.000000000 -0400
|
|
@@ -16,6 +16,7 @@
|
|
{
|
|
int rc;
|
|
va_list ap;
|
|
+ if (is_selinux_enabled() == 0) return 0;
|
|
va_start(ap, fmt);
|
|
rc = vfprintf(stderr, fmt, ap);
|
|
va_end(ap);
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.70/src/matchpathcon.c
|
|
--- nsalibselinux/src/matchpathcon.c 2008-06-12 23:25:14.000000000 -0400
|
|
+++ libselinux-2.0.70/src/matchpathcon.c 2008-08-01 06:51:25.000000000 -0400
|
|
@@ -2,6 +2,7 @@
|
|
#include <string.h>
|
|
#include <errno.h>
|
|
#include <stdio.h>
|
|
+#include <syslog.h>
|
|
#include "selinux_internal.h"
|
|
#include "label_internal.h"
|
|
#include "callbacks.h"
|
|
@@ -57,7 +58,7 @@
|
|
{
|
|
va_list ap;
|
|
va_start(ap, fmt);
|
|
- vfprintf(stderr, fmt, ap);
|
|
+ vsyslog(LOG_ERR, fmt, ap);
|
|
va_end(ap);
|
|
}
|
|
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/src/seusers.c libselinux-2.0.70/src/seusers.c
|
|
--- nsalibselinux/src/seusers.c 2008-06-12 23:25:14.000000000 -0400
|
|
+++ libselinux-2.0.70/src/seusers.c 2008-08-01 06:53:03.000000000 -0400
|
|
@@ -89,6 +89,62 @@
|
|
|
|
int require_seusers hidden = 0;
|
|
|
|
+#include <pwd.h>
|
|
+#include <grp.h>
|
|
+
|
|
+static gid_t get_default_gid(const char *name) {
|
|
+ struct passwd pwstorage, *pwent = NULL;
|
|
+ gid_t gid = -1;
|
|
+ /* Allocate space for the getpwnam_r buffer */
|
|
+ long rbuflen = sysconf(_SC_GETPW_R_SIZE_MAX);
|
|
+ if (rbuflen <= 0) return -1;
|
|
+ char *rbuf = malloc(rbuflen);
|
|
+ if (rbuf == NULL) return -1;
|
|
+
|
|
+ int retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent);
|
|
+ if (retval == 0 || pwent != NULL) {
|
|
+ gid = pwent->pw_gid;
|
|
+ }
|
|
+ free(rbuf);
|
|
+ return gid;
|
|
+}
|
|
+
|
|
+static int check_group(const char *group, const char *name, const gid_t gid) {
|
|
+ int match = 0;
|
|
+ int i, ng = 0;
|
|
+ gid_t *groups = NULL;
|
|
+ struct group gbuf, *grent = NULL;
|
|
+
|
|
+ long rbuflen = sysconf(_SC_GETGR_R_SIZE_MAX);
|
|
+ if (rbuflen <= 0)
|
|
+ return 0;
|
|
+ char *rbuf = malloc(rbuflen);
|
|
+ if (rbuf == NULL)
|
|
+ return 0;
|
|
+
|
|
+ if (getgrnam_r(group, &gbuf, rbuf, rbuflen,
|
|
+ &grent) != 0)
|
|
+ goto done;
|
|
+
|
|
+ if (getgrouplist(name, gid, NULL, &ng) < 0) {
|
|
+ groups = (gid_t *) malloc(sizeof (gid_t) * ng);
|
|
+ if (!groups) goto done;
|
|
+ if (getgrouplist(name, gid, groups, &ng) < 0) goto done;
|
|
+ }
|
|
+
|
|
+ for (i = 0; i < ng; i++) {
|
|
+ if (grent->gr_gid == groups[i]) {
|
|
+ match = 1;
|
|
+ goto done;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ done:
|
|
+ free(groups);
|
|
+ free(rbuf);
|
|
+ return match;
|
|
+}
|
|
+
|
|
int getseuserbyname(const char *name, char **r_seuser, char **r_level)
|
|
{
|
|
FILE *cfg = NULL;
|
|
@@ -101,9 +157,14 @@
|
|
char *username = NULL;
|
|
char *seuser = NULL;
|
|
char *level = NULL;
|
|
+ char *groupseuser = NULL;
|
|
+ char *grouplevel = NULL;
|
|
char *defaultseuser = NULL;
|
|
char *defaultlevel = NULL;
|
|
|
|
+ gid_t gid = get_default_gid(name);
|
|
+ if ( gid == (gid_t) -1 ) goto nomatch;
|
|
+
|
|
cfg = fopen(selinux_usersconf_path(), "r");
|
|
if (!cfg)
|
|
goto nomatch;
|
|
@@ -124,31 +185,48 @@
|
|
if (!strcmp(username, name))
|
|
break;
|
|
|
|
- if (!defaultseuser && !strcmp(username, "__default__")) {
|
|
- free(username);
|
|
- defaultseuser = seuser;
|
|
- defaultlevel = level;
|
|
+ if (username[0] == '%' &&
|
|
+ !groupseuser &&
|
|
+ check_group(&username[1], name, gid)) {
|
|
+ groupseuser = seuser;
|
|
+ grouplevel = level;
|
|
} else {
|
|
- free(username);
|
|
- free(seuser);
|
|
- free(level);
|
|
+ if (!defaultseuser &&
|
|
+ !strcmp(username, "__default__")) {
|
|
+ defaultseuser = seuser;
|
|
+ defaultlevel = level;
|
|
+ } else {
|
|
+ free(seuser);
|
|
+ free(level);
|
|
+ }
|
|
}
|
|
+ free(username);
|
|
+ username = NULL;
|
|
seuser = NULL;
|
|
}
|
|
|
|
- if (buffer)
|
|
- free(buffer);
|
|
+ free(buffer);
|
|
fclose(cfg);
|
|
|
|
if (seuser) {
|
|
free(username);
|
|
free(defaultseuser);
|
|
free(defaultlevel);
|
|
+ free(groupseuser);
|
|
+ free(grouplevel);
|
|
*r_seuser = seuser;
|
|
*r_level = level;
|
|
return 0;
|
|
}
|
|
|
|
+ if (groupseuser) {
|
|
+ free(defaultseuser);
|
|
+ free(defaultlevel);
|
|
+ *r_seuser = groupseuser;
|
|
+ *r_level = grouplevel;
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
if (defaultseuser) {
|
|
*r_seuser = defaultseuser;
|
|
*r_level = defaultlevel;
|