2017-03-02 12:22:13 +00:00
|
|
|
diff --git libsemanage-2.6/src/Makefile libsemanage-2.6/src/Makefile
|
|
|
|
index 68aab72..ccaa29d 100644
|
|
|
|
--- libsemanage-2.6/src/Makefile
|
|
|
|
+++ libsemanage-2.6/src/Makefile
|
|
|
|
@@ -2,7 +2,7 @@
|
|
|
|
# runtimes (e.g. Python 2 vs Python 3) by optionally prefixing the build
|
|
|
|
# targets with "PYPREFIX":
|
|
|
|
PYTHON ?= python
|
|
|
|
-PYPREFIX ?= $(notdir $(PYTHON))
|
|
|
|
+PYPREFIX ?= $(shell $(PYTHON) -c 'import sys;print("python%d" % sys.version_info[0])')
|
|
|
|
RUBY ?= ruby
|
|
|
|
RUBYPREFIX ?= $(notdir $(RUBY))
|
|
|
|
PKG_CONFIG ?= pkg-config
|
2017-04-18 08:46:14 +00:00
|
|
|
diff --git libsemanage-2.6/src/direct_api.c libsemanage-2.6/src/direct_api.c
|
|
|
|
index e5c72cd..9c3149b 100644
|
|
|
|
--- libsemanage-2.6/src/direct_api.c
|
|
|
|
+++ libsemanage-2.6/src/direct_api.c
|
|
|
|
@@ -146,9 +146,6 @@ int semanage_direct_connect(semanage_handle_t * sh)
|
|
|
|
if (semanage_create_store(sh, 1))
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
- if (semanage_access_check(sh) < SEMANAGE_CAN_READ)
|
|
|
|
- goto err;
|
|
|
|
-
|
|
|
|
sh->u.direct.translock_file_fd = -1;
|
|
|
|
sh->u.direct.activelock_file_fd = -1;
|
|
|
|
|
|
|
|
@@ -345,10 +342,6 @@ static int semanage_direct_disconnect(semanage_handle_t * sh)
|
|
|
|
|
|
|
|
static int semanage_direct_begintrans(semanage_handle_t * sh)
|
|
|
|
{
|
|
|
|
-
|
|
|
|
- if (semanage_access_check(sh) != SEMANAGE_CAN_WRITE) {
|
|
|
|
- return -1;
|
|
|
|
- }
|
|
|
|
if (semanage_get_trans_lock(sh) < 0) {
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
@@ -617,13 +610,33 @@ static int semanage_direct_update_user_extra(semanage_handle_t * sh, cil_db_t *c
|
|
|
|
}
|
|
|
|
|
|
|
|
if (size > 0) {
|
|
|
|
+ /*
|
|
|
|
+ * Write the users_extra entries from CIL modules.
|
|
|
|
+ * This file is used as our baseline when we do not require
|
|
|
|
+ * re-linking.
|
|
|
|
+ */
|
|
|
|
+ ofilename = semanage_path(SEMANAGE_TMP,
|
|
|
|
+ SEMANAGE_USERS_EXTRA_LINKED);
|
|
|
|
+ if (ofilename == NULL) {
|
|
|
|
+ retval = -1;
|
|
|
|
+ goto cleanup;
|
|
|
|
+ }
|
|
|
|
+ retval = write_file(sh, ofilename, data, size);
|
|
|
|
+ if (retval < 0)
|
|
|
|
+ goto cleanup;
|
|
|
|
+
|
|
|
|
+ /*
|
|
|
|
+ * Write the users_extra file; users_extra.local
|
|
|
|
+ * will be merged into this file.
|
|
|
|
+ */
|
|
|
|
ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA);
|
|
|
|
if (ofilename == NULL) {
|
|
|
|
- return retval;
|
|
|
|
+ retval = -1;
|
|
|
|
+ goto cleanup;
|
|
|
|
}
|
|
|
|
retval = write_file(sh, ofilename, data, size);
|
|
|
|
if (retval < 0)
|
|
|
|
- return retval;
|
|
|
|
+ goto cleanup;
|
|
|
|
|
|
|
|
pusers_extra->dtable->drop_cache(pusers_extra->dbase);
|
|
|
|
|
|
|
|
@@ -652,11 +665,33 @@ static int semanage_direct_update_seuser(semanage_handle_t * sh, cil_db_t *cildb
|
|
|
|
}
|
|
|
|
|
|
|
|
if (size > 0) {
|
|
|
|
+ /*
|
|
|
|
+ * Write the seusers entries from CIL modules.
|
|
|
|
+ * This file is used as our baseline when we do not require
|
|
|
|
+ * re-linking.
|
|
|
|
+ */
|
|
|
|
+ ofilename = semanage_path(SEMANAGE_TMP,
|
|
|
|
+ SEMANAGE_SEUSERS_LINKED);
|
|
|
|
+ if (ofilename == NULL) {
|
|
|
|
+ retval = -1;
|
|
|
|
+ goto cleanup;
|
|
|
|
+ }
|
|
|
|
+ retval = write_file(sh, ofilename, data, size);
|
|
|
|
+ if (retval < 0)
|
|
|
|
+ goto cleanup;
|
|
|
|
+
|
|
|
|
+ /*
|
|
|
|
+ * Write the seusers file; seusers.local will be merged into
|
|
|
|
+ * this file.
|
|
|
|
+ */
|
|
|
|
ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
|
|
|
|
if (ofilename == NULL) {
|
|
|
|
- return -1;
|
|
|
|
+ retval = -1;
|
|
|
|
+ goto cleanup;
|
|
|
|
}
|
|
|
|
retval = write_file(sh, ofilename, data, size);
|
|
|
|
+ if (retval < 0)
|
|
|
|
+ goto cleanup;
|
|
|
|
|
|
|
|
pseusers->dtable->drop_cache(pseusers->dbase);
|
|
|
|
} else {
|
|
|
|
@@ -1095,21 +1130,18 @@ static int semanage_direct_commit(semanage_handle_t * sh)
|
|
|
|
size_t fc_buffer_len = 0;
|
|
|
|
const char *ofilename = NULL;
|
|
|
|
const char *path;
|
|
|
|
- int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0,
|
|
|
|
- missing_seusers = 0, missing_fc = 0, missing = 0;
|
|
|
|
+ int retval = -1, num_modinfos = 0, i;
|
|
|
|
sepol_policydb_t *out = NULL;
|
|
|
|
struct cil_db *cildb = NULL;
|
|
|
|
semanage_module_info_t *modinfos = NULL;
|
|
|
|
|
|
|
|
- /* Declare some variables */
|
|
|
|
- int modified = 0, fcontexts_modified, ports_modified,
|
|
|
|
- seusers_modified, users_extra_modified, dontaudit_modified,
|
|
|
|
- preserve_tunables_modified, bools_modified = 0,
|
|
|
|
+ int do_rebuild, do_write_kernel, do_install;
|
|
|
|
+ int fcontexts_modified, ports_modified, seusers_modified,
|
|
|
|
disable_dontaudit, preserve_tunables;
|
|
|
|
dbase_config_t *users = semanage_user_dbase_local(sh);
|
|
|
|
dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
|
|
|
|
dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
|
|
|
|
- dbase_config_t *users_extra = semanage_user_extra_dbase_local(sh);
|
|
|
|
+ dbase_config_t *pusers_extra = semanage_user_extra_dbase_policy(sh);
|
|
|
|
dbase_config_t *ports = semanage_port_dbase_local(sh);
|
|
|
|
dbase_config_t *pports = semanage_port_dbase_policy(sh);
|
|
|
|
dbase_config_t *bools = semanage_bool_dbase_local(sh);
|
|
|
|
@@ -1121,13 +1153,22 @@ static int semanage_direct_commit(semanage_handle_t * sh)
|
|
|
|
dbase_config_t *fcontexts = semanage_fcontext_dbase_local(sh);
|
|
|
|
dbase_config_t *pfcontexts = semanage_fcontext_dbase_policy(sh);
|
|
|
|
dbase_config_t *seusers = semanage_seuser_dbase_local(sh);
|
|
|
|
+ dbase_config_t *pseusers = semanage_seuser_dbase_policy(sh);
|
|
|
|
+
|
|
|
|
+ /* Modified flags that we need to use more than once. */
|
|
|
|
+ ports_modified = ports->dtable->is_modified(ports->dbase);
|
|
|
|
+ seusers_modified = seusers->dtable->is_modified(seusers->dbase);
|
|
|
|
+ fcontexts_modified = fcontexts->dtable->is_modified(fcontexts->dbase);
|
|
|
|
+
|
|
|
|
+ /* Rebuild if explicitly requested or any module changes occurred. */
|
|
|
|
+ do_rebuild = sh->do_rebuild | sh->modules_modified;
|
|
|
|
|
|
|
|
/* Create or remove the disable_dontaudit flag file. */
|
|
|
|
path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT);
|
|
|
|
if (access(path, F_OK) == 0)
|
|
|
|
- dontaudit_modified = !(sepol_get_disable_dontaudit(sh->sepolh) == 1);
|
|
|
|
+ do_rebuild |= !(sepol_get_disable_dontaudit(sh->sepolh) == 1);
|
|
|
|
else
|
|
|
|
- dontaudit_modified = (sepol_get_disable_dontaudit(sh->sepolh) == 1);
|
|
|
|
+ do_rebuild |= (sepol_get_disable_dontaudit(sh->sepolh) == 1);
|
|
|
|
if (sepol_get_disable_dontaudit(sh->sepolh) == 1) {
|
|
|
|
FILE *touch;
|
|
|
|
touch = fopen(path, "w");
|
|
|
|
@@ -1150,9 +1191,9 @@ static int semanage_direct_commit(semanage_handle_t * sh)
|
|
|
|
/* Create or remove the preserve_tunables flag file. */
|
|
|
|
path = semanage_path(SEMANAGE_TMP, SEMANAGE_PRESERVE_TUNABLES);
|
|
|
|
if (access(path, F_OK) == 0)
|
|
|
|
- preserve_tunables_modified = !(sepol_get_preserve_tunables(sh->sepolh) == 1);
|
|
|
|
+ do_rebuild |= !(sepol_get_preserve_tunables(sh->sepolh) == 1);
|
|
|
|
else
|
|
|
|
- preserve_tunables_modified = (sepol_get_preserve_tunables(sh->sepolh) == 1);
|
|
|
|
+ do_rebuild |= (sepol_get_preserve_tunables(sh->sepolh) == 1);
|
|
|
|
if (sepol_get_preserve_tunables(sh->sepolh) == 1) {
|
|
|
|
FILE *touch;
|
|
|
|
touch = fopen(path, "w");
|
|
|
|
@@ -1180,54 +1221,75 @@ static int semanage_direct_commit(semanage_handle_t * sh)
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
- /* Decide if anything was modified */
|
|
|
|
- fcontexts_modified = fcontexts->dtable->is_modified(fcontexts->dbase);
|
|
|
|
- seusers_modified = seusers->dtable->is_modified(seusers->dbase);
|
|
|
|
- users_extra_modified =
|
|
|
|
- users_extra->dtable->is_modified(users_extra->dbase);
|
|
|
|
- ports_modified = ports->dtable->is_modified(ports->dbase);
|
|
|
|
- bools_modified = bools->dtable->is_modified(bools->dbase);
|
|
|
|
-
|
|
|
|
- modified = sh->modules_modified;
|
|
|
|
- modified |= seusers_modified;
|
|
|
|
- modified |= users_extra_modified;
|
|
|
|
- modified |= ports_modified;
|
|
|
|
- modified |= users->dtable->is_modified(users_base->dbase);
|
|
|
|
- modified |= ifaces->dtable->is_modified(ifaces->dbase);
|
|
|
|
- modified |= nodes->dtable->is_modified(nodes->dbase);
|
|
|
|
- modified |= dontaudit_modified;
|
|
|
|
- modified |= preserve_tunables_modified;
|
|
|
|
-
|
|
|
|
- /* This is for systems that have already migrated with an older version
|
|
|
|
- * of semanage_migrate_store. The older version did not copy policy.kern so
|
|
|
|
- * the policy binary must be rebuilt here.
|
|
|
|
+ /*
|
|
|
|
+ * This is for systems that have already migrated with an older version
|
|
|
|
+ * of semanage_migrate_store. The older version did not copy
|
|
|
|
+ * policy.kern so the policy binary must be rebuilt here.
|
|
|
|
+ * This also ensures that any linked files that are required
|
|
|
|
+ * in order to skip re-linking are present; otherwise, we force
|
|
|
|
+ * a rebuild.
|
|
|
|
*/
|
|
|
|
- if (!sh->do_rebuild && !modified) {
|
|
|
|
+ if (!do_rebuild) {
|
|
|
|
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL);
|
|
|
|
-
|
|
|
|
if (access(path, F_OK) != 0) {
|
|
|
|
- missing_policy_kern = 1;
|
|
|
|
+ do_rebuild = 1;
|
|
|
|
+ goto rebuild;
|
|
|
|
}
|
|
|
|
|
|
|
|
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
|
|
|
|
-
|
|
|
|
if (access(path, F_OK) != 0) {
|
|
|
|
- missing_fc = 1;
|
|
|
|
+ do_rebuild = 1;
|
|
|
|
+ goto rebuild;
|
|
|
|
}
|
|
|
|
|
|
|
|
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
|
|
|
|
+ if (access(path, F_OK) != 0) {
|
|
|
|
+ do_rebuild = 1;
|
|
|
|
+ goto rebuild;
|
|
|
|
+ }
|
|
|
|
|
|
|
|
+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_LINKED);
|
|
|
|
if (access(path, F_OK) != 0) {
|
|
|
|
- missing_seusers = 1;
|
|
|
|
+ do_rebuild = 1;
|
|
|
|
+ goto rebuild;
|
|
|
|
}
|
|
|
|
- }
|
|
|
|
|
|
|
|
- missing |= missing_policy_kern;
|
|
|
|
- missing |= missing_fc;
|
|
|
|
- missing |= missing_seusers;
|
|
|
|
+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_SEUSERS_LINKED);
|
|
|
|
+ if (access(path, F_OK) != 0) {
|
|
|
|
+ do_rebuild = 1;
|
|
|
|
+ goto rebuild;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA_LINKED);
|
|
|
|
+ if (access(path, F_OK) != 0) {
|
|
|
|
+ do_rebuild = 1;
|
|
|
|
+ goto rebuild;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
|
|
|
|
- /* If there were policy changes, or explicitly requested, rebuild the policy */
|
|
|
|
- if (sh->do_rebuild || modified || missing) {
|
|
|
|
+rebuild:
|
|
|
|
+ /*
|
|
|
|
+ * Now that we know whether or not a rebuild is required,
|
|
|
|
+ * we can determine what else needs to be done.
|
|
|
|
+ * We need to write the kernel policy if we are rebuilding
|
|
|
|
+ * or if any other policy component that lives in the kernel
|
|
|
|
+ * policy has been modified.
|
|
|
|
+ * We need to install the policy files if any of the managed files
|
|
|
|
+ * that live under /etc/selinux (kernel policy, seusers, file contexts)
|
|
|
|
+ * will be modified.
|
|
|
|
+ */
|
|
|
|
+ do_write_kernel = do_rebuild | ports_modified |
|
|
|
|
+ bools->dtable->is_modified(bools->dbase) |
|
|
|
|
+ ifaces->dtable->is_modified(ifaces->dbase) |
|
|
|
|
+ nodes->dtable->is_modified(nodes->dbase) |
|
|
|
|
+ users->dtable->is_modified(users_base->dbase);
|
|
|
|
+ do_install = do_write_kernel | seusers_modified | fcontexts_modified;
|
|
|
|
+
|
|
|
|
+ /*
|
|
|
|
+ * If there were policy changes, or explicitly requested, or
|
|
|
|
+ * any required files are missing, rebuild the policy.
|
|
|
|
+ */
|
|
|
|
+ if (do_rebuild) {
|
|
|
|
/* =================== Module expansion =============== */
|
|
|
|
|
|
|
|
retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos);
|
|
|
|
@@ -1316,43 +1378,72 @@ static int semanage_direct_commit(semanage_handle_t * sh)
|
|
|
|
goto cleanup;
|
|
|
|
|
|
|
|
cil_db_destroy(&cildb);
|
|
|
|
-
|
|
|
|
+
|
|
|
|
+ /* Write the linked policy before merging local changes. */
|
|
|
|
+ retval = semanage_write_policydb(sh, out,
|
|
|
|
+ SEMANAGE_LINKED);
|
|
|
|
+ if (retval < 0)
|
|
|
|
+ goto cleanup;
|
|
|
|
} else {
|
|
|
|
- /* Load already linked policy */
|
|
|
|
+ /* Load the existing linked policy, w/o local changes */
|
|
|
|
retval = sepol_policydb_create(&out);
|
|
|
|
if (retval < 0)
|
|
|
|
goto cleanup;
|
|
|
|
|
|
|
|
- retval = semanage_read_policydb(sh, out);
|
|
|
|
+ retval = semanage_read_policydb(sh, out, SEMANAGE_LINKED);
|
|
|
|
if (retval < 0)
|
|
|
|
goto cleanup;
|
|
|
|
- }
|
|
|
|
|
|
|
|
- if (sh->do_rebuild || modified || bools_modified) {
|
|
|
|
- /* Attach to policy databases that work with a policydb. */
|
|
|
|
- dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase, out);
|
|
|
|
- dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out);
|
|
|
|
- dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out);
|
|
|
|
- dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out);
|
|
|
|
- dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out);
|
|
|
|
+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_SEUSERS_LINKED);
|
|
|
|
+ if (access(path, F_OK) == 0) {
|
|
|
|
+ retval = semanage_copy_file(path,
|
|
|
|
+ semanage_path(SEMANAGE_TMP,
|
|
|
|
+ SEMANAGE_STORE_SEUSERS),
|
|
|
|
+ sh->conf->file_mode);
|
|
|
|
+ if (retval < 0)
|
|
|
|
+ goto cleanup;
|
|
|
|
+ pseusers->dtable->drop_cache(pseusers->dbase);
|
|
|
|
+ } else {
|
|
|
|
+ pseusers->dtable->clear(sh, pseusers->dbase);
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA_LINKED);
|
|
|
|
+ if (access(path, F_OK) == 0) {
|
|
|
|
+ retval = semanage_copy_file(path,
|
|
|
|
+ semanage_path(SEMANAGE_TMP,
|
|
|
|
+ SEMANAGE_USERS_EXTRA),
|
|
|
|
+ sh->conf->file_mode);
|
|
|
|
+ if (retval < 0)
|
|
|
|
+ goto cleanup;
|
|
|
|
+ pusers_extra->dtable->drop_cache(pusers_extra->dbase);
|
|
|
|
+ } else {
|
|
|
|
+ pusers_extra->dtable->clear(sh, pusers_extra->dbase);
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
|
|
|
|
- /* ============= Apply changes, and verify =============== */
|
|
|
|
+ /* Attach our databases to the policydb we just created or loaded. */
|
|
|
|
+ dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase, out);
|
|
|
|
+ dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out);
|
|
|
|
+ dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out);
|
|
|
|
+ dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out);
|
|
|
|
+ dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out);
|
|
|
|
|
|
|
|
- retval = semanage_base_merge_components(sh);
|
|
|
|
- if (retval < 0)
|
|
|
|
- goto cleanup;
|
|
|
|
+ /* Merge local changes */
|
|
|
|
+ retval = semanage_base_merge_components(sh);
|
|
|
|
+ if (retval < 0)
|
|
|
|
+ goto cleanup;
|
|
|
|
|
|
|
|
- retval = semanage_write_policydb(sh, out);
|
|
|
|
+ if (do_write_kernel) {
|
|
|
|
+ /* Write new kernel policy. */
|
|
|
|
+ retval = semanage_write_policydb(sh, out,
|
|
|
|
+ SEMANAGE_STORE_KERNEL);
|
|
|
|
if (retval < 0)
|
|
|
|
goto cleanup;
|
|
|
|
|
|
|
|
+ /* Run the kernel policy verifier, if any. */
|
|
|
|
retval = semanage_verify_kernel(sh);
|
|
|
|
if (retval < 0)
|
|
|
|
goto cleanup;
|
|
|
|
- } else {
|
|
|
|
- retval = semanage_base_merge_components(sh);
|
|
|
|
- if (retval < 0)
|
|
|
|
- goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ======= Post-process: Validate non-policydb components ===== */
|
|
|
|
@@ -1361,21 +1452,21 @@ static int semanage_direct_commit(semanage_handle_t * sh)
|
|
|
|
* Note: those are still cached, even though they've been
|
|
|
|
* merged into the main file_contexts. We won't check the
|
|
|
|
* large file_contexts - checked at compile time */
|
|
|
|
- if (sh->do_rebuild || modified || fcontexts_modified) {
|
|
|
|
+ if (do_rebuild || fcontexts_modified) {
|
|
|
|
retval = semanage_fcontext_validate_local(sh, out);
|
|
|
|
if (retval < 0)
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Validate local seusers against policy */
|
|
|
|
- if (sh->do_rebuild || modified || seusers_modified) {
|
|
|
|
+ if (do_rebuild || seusers_modified) {
|
|
|
|
retval = semanage_seuser_validate_local(sh, out);
|
|
|
|
if (retval < 0)
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Validate local ports for overlap */
|
|
|
|
- if (sh->do_rebuild || modified || ports_modified) {
|
|
|
|
+ if (do_rebuild || ports_modified) {
|
|
|
|
retval = semanage_port_validate_local(sh);
|
|
|
|
if (retval < 0)
|
|
|
|
goto cleanup;
|
|
|
|
@@ -1396,33 +1487,27 @@ static int semanage_direct_commit(semanage_handle_t * sh)
|
|
|
|
}
|
|
|
|
|
|
|
|
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
|
|
|
|
- if (access(path, F_OK) == 0) {
|
|
|
|
- retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
|
|
|
|
- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
|
|
|
|
- sh->conf->file_mode);
|
|
|
|
- if (retval < 0) {
|
|
|
|
- goto cleanup;
|
|
|
|
- }
|
|
|
|
+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
|
|
|
|
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
|
|
|
|
+ sh->conf->file_mode);
|
|
|
|
+ if (retval < 0 && errno != ENOENT) {
|
|
|
|
+ goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
|
|
|
|
- if (access(path, F_OK) == 0) {
|
|
|
|
- retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
|
|
|
|
- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
|
|
|
|
- sh->conf->file_mode);
|
|
|
|
- if (retval < 0) {
|
|
|
|
- goto cleanup;
|
|
|
|
- }
|
|
|
|
+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
|
|
|
|
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
|
|
|
|
+ sh->conf->file_mode);
|
|
|
|
+ if (retval < 0 && errno != ENOENT) {
|
|
|
|
+ goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
|
|
|
|
- if (access(path, F_OK) == 0) {
|
|
|
|
- retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
|
|
|
|
- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
|
|
|
|
- sh->conf->file_mode);
|
|
|
|
- if (retval < 0) {
|
|
|
|
- goto cleanup;
|
|
|
|
- }
|
|
|
|
+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
|
|
|
|
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
|
|
|
|
+ sh->conf->file_mode);
|
|
|
|
+ if (retval < 0 && errno != ENOENT) {
|
|
|
|
+ goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* run genhomedircon if its enabled, this should be the last operation
|
|
|
|
@@ -1444,9 +1529,8 @@ static int semanage_direct_commit(semanage_handle_t * sh)
|
|
|
|
sepol_policydb_free(out);
|
|
|
|
out = NULL;
|
|
|
|
|
|
|
|
- if (sh->do_rebuild || modified || bools_modified || fcontexts_modified) {
|
|
|
|
+ if (do_install)
|
|
|
|
retval = semanage_install_sandbox(sh);
|
|
|
|
- }
|
|
|
|
|
|
|
|
cleanup:
|
|
|
|
for (i = 0; i < num_modinfos; i++) {
|
|
|
|
@@ -1458,14 +1542,12 @@ cleanup:
|
|
|
|
free(mod_filenames[i]);
|
|
|
|
}
|
|
|
|
|
|
|
|
- if (modified || bools_modified) {
|
|
|
|
- /* Detach from policydb, so it can be freed */
|
|
|
|
- dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase);
|
|
|
|
- dbase_policydb_detach((dbase_policydb_t *) pports->dbase);
|
|
|
|
- dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase);
|
|
|
|
- dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase);
|
|
|
|
- dbase_policydb_detach((dbase_policydb_t *) pbools->dbase);
|
|
|
|
- }
|
|
|
|
+ /* Detach from policydb, so it can be freed */
|
|
|
|
+ dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase);
|
|
|
|
+ dbase_policydb_detach((dbase_policydb_t *) pports->dbase);
|
|
|
|
+ dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase);
|
|
|
|
+ dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase);
|
|
|
|
+ dbase_policydb_detach((dbase_policydb_t *) pbools->dbase);
|
|
|
|
|
|
|
|
free(mod_filenames);
|
|
|
|
sepol_policydb_free(out);
|
|
|
|
@@ -1981,7 +2063,7 @@ int semanage_direct_mls_enabled(semanage_handle_t * sh)
|
|
|
|
if (retval < 0)
|
|
|
|
goto cleanup;
|
|
|
|
|
|
|
|
- retval = semanage_read_policydb(sh, p);
|
|
|
|
+ retval = semanage_read_policydb(sh, p, SEMANAGE_STORE_KERNEL);
|
|
|
|
if (retval < 0)
|
|
|
|
goto cleanup;
|
|
|
|
|
2017-02-15 12:21:15 +00:00
|
|
|
diff --git libsemanage-2.6/src/semanage_store.c libsemanage-2.6/src/semanage_store.c
|
2017-04-18 08:46:14 +00:00
|
|
|
index ca29257..4b87d67 100644
|
2017-02-15 12:21:15 +00:00
|
|
|
--- libsemanage-2.6/src/semanage_store.c
|
|
|
|
+++ libsemanage-2.6/src/semanage_store.c
|
2017-04-18 08:46:14 +00:00
|
|
|
@@ -95,7 +95,7 @@ static const char *semanage_store_paths[SEMANAGE_NUM_STORES] = {
|
|
|
|
static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
|
|
|
|
"",
|
|
|
|
"/modules",
|
|
|
|
- "/base.linked",
|
|
|
|
+ "/policy.linked",
|
|
|
|
"/homedir_template",
|
|
|
|
"/file_contexts.template",
|
|
|
|
"/commit_num",
|
|
|
|
@@ -104,8 +104,10 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
|
|
|
|
"/nodes.local",
|
|
|
|
"/booleans.local",
|
|
|
|
"/seusers.local",
|
|
|
|
+ "/seusers.linked",
|
|
|
|
"/users.local",
|
|
|
|
"/users_extra.local",
|
|
|
|
+ "/users_extra.linked",
|
|
|
|
"/users_extra",
|
|
|
|
"/disable_dontaudit",
|
|
|
|
"/preserve_tunables",
|
|
|
|
@@ -533,7 +535,6 @@ char *semanage_conf_path(void)
|
|
|
|
int semanage_create_store(semanage_handle_t * sh, int create)
|
|
|
|
{
|
|
|
|
struct stat sb;
|
|
|
|
- int mode_mask = R_OK | W_OK | X_OK;
|
|
|
|
const char *path = semanage_files[SEMANAGE_ROOT];
|
|
|
|
int fd;
|
|
|
|
|
|
|
|
@@ -552,9 +553,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
- if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
|
|
|
|
+ if (!S_ISDIR(sb.st_mode)) {
|
|
|
|
ERR(sh,
|
|
|
|
- "Could not access module store at %s, or it is not a directory.",
|
|
|
|
+ "Module store at %s is not a directory.",
|
|
|
|
path);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
@@ -575,9 +576,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
- if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
|
|
|
|
+ if (!S_ISDIR(sb.st_mode)) {
|
|
|
|
ERR(sh,
|
|
|
|
- "Could not access module store active subdirectory at %s, or it is not a directory.",
|
|
|
|
+ "Module store active subdirectory at %s is not a directory.",
|
|
|
|
path);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
@@ -598,9 +599,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
- if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
|
|
|
|
+ if (!S_ISDIR(sb.st_mode)) {
|
|
|
|
ERR(sh,
|
|
|
|
- "Could not access module store active modules subdirectory at %s, or it is not a directory.",
|
|
|
|
+ "Module store active modules subdirectory at %s is not a directory.",
|
|
|
|
path);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
@@ -619,8 +620,8 @@ int semanage_create_store(semanage_handle_t * sh, int create)
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
- if (!S_ISREG(sb.st_mode) || access(path, R_OK | W_OK) == -1) {
|
|
|
|
- ERR(sh, "Could not access lock file at %s.", path);
|
|
|
|
+ if (!S_ISREG(sb.st_mode)) {
|
|
|
|
+ ERR(sh, "Lock file at %s missing.", path);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
@@ -1158,7 +1159,7 @@ cleanup:
|
2017-02-15 12:21:15 +00:00
|
|
|
free(all_modinfos);
|
|
|
|
|
|
|
|
if (status != 0) {
|
|
|
|
- for (i = 0; i < j; j++) {
|
|
|
|
+ for (i = 0; i < j; i++) {
|
|
|
|
semanage_module_info_destroy(sh, &(*modinfo)[i]);
|
2016-10-04 06:30:58 +00:00
|
|
|
}
|
2017-02-15 12:21:15 +00:00
|
|
|
free(*modinfo);
|
2017-04-18 08:46:14 +00:00
|
|
|
@@ -2037,9 +2038,10 @@ int semanage_load_files(semanage_handle_t * sh, cil_db_t *cildb, char **filename
|
|
|
|
*/
|
|
|
|
|
|
|
|
/**
|
|
|
|
- * Read the policy from the sandbox (kernel)
|
|
|
|
+ * Read the policy from the sandbox (linked or kernel)
|
|
|
|
*/
|
|
|
|
-int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
|
|
|
|
+int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in,
|
|
|
|
+ enum semanage_sandbox_defs file)
|
|
|
|
{
|
|
|
|
|
|
|
|
int retval = STATUS_ERR;
|
|
|
|
@@ -2048,7 +2050,7 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
|
|
|
|
FILE *infile = NULL;
|
|
|
|
|
|
|
|
if ((kernel_filename =
|
|
|
|
- semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL)) == NULL) {
|
|
|
|
+ semanage_path(SEMANAGE_ACTIVE, file)) == NULL) {
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
if ((infile = fopen(kernel_filename, "r")) == NULL) {
|
|
|
|
@@ -2078,9 +2080,10 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
- * Writes the final policy to the sandbox (kernel)
|
|
|
|
+ * Writes the policy to the sandbox (linked or kernel)
|
|
|
|
*/
|
|
|
|
-int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
|
|
|
|
+int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out,
|
|
|
|
+ enum semanage_sandbox_defs file)
|
|
|
|
{
|
|
|
|
|
|
|
|
int retval = STATUS_ERR;
|
|
|
|
@@ -2089,7 +2092,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
|
|
|
|
FILE *outfile = NULL;
|
|
|
|
|
|
|
|
if ((kernel_filename =
|
|
|
|
- semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL)) == NULL) {
|
|
|
|
+ semanage_path(SEMANAGE_TMP, file)) == NULL) {
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
if ((outfile = fopen(kernel_filename, "wb")) == NULL) {
|
|
|
|
diff --git libsemanage-2.6/src/semanage_store.h libsemanage-2.6/src/semanage_store.h
|
|
|
|
index c5b33c8..0b96fbe 100644
|
|
|
|
--- libsemanage-2.6/src/semanage_store.h
|
|
|
|
+++ libsemanage-2.6/src/semanage_store.h
|
|
|
|
@@ -49,8 +49,10 @@ enum semanage_sandbox_defs {
|
|
|
|
SEMANAGE_NODES_LOCAL,
|
|
|
|
SEMANAGE_BOOLEANS_LOCAL,
|
|
|
|
SEMANAGE_SEUSERS_LOCAL,
|
|
|
|
+ SEMANAGE_SEUSERS_LINKED,
|
|
|
|
SEMANAGE_USERS_BASE_LOCAL,
|
|
|
|
SEMANAGE_USERS_EXTRA_LOCAL,
|
|
|
|
+ SEMANAGE_USERS_EXTRA_LINKED,
|
|
|
|
SEMANAGE_USERS_EXTRA,
|
|
|
|
SEMANAGE_DISABLE_DONTAUDIT,
|
|
|
|
SEMANAGE_PRESERVE_TUNABLES,
|
|
|
|
@@ -129,10 +131,12 @@ int semanage_load_files(semanage_handle_t * sh,
|
|
|
|
cil_db_t *cildb, char **filenames, int num_modules);
|
|
|
|
|
|
|
|
int semanage_read_policydb(semanage_handle_t * sh,
|
|
|
|
- sepol_policydb_t * policydb);
|
|
|
|
+ sepol_policydb_t * policydb,
|
|
|
|
+ enum semanage_sandbox_defs file);
|
|
|
|
|
|
|
|
int semanage_write_policydb(semanage_handle_t * sh,
|
|
|
|
- sepol_policydb_t * policydb);
|
|
|
|
+ sepol_policydb_t * policydb,
|
|
|
|
+ enum semanage_sandbox_defs file);
|
|
|
|
|
|
|
|
int semanage_install_sandbox(semanage_handle_t * sh);
|
|
|
|
|
2017-02-15 12:21:15 +00:00
|
|
|
diff --git libsemanage-2.6/src/seuser_record.c libsemanage-2.6/src/seuser_record.c
|
|
|
|
index 8823b1e..1ed4594 100644
|
|
|
|
--- libsemanage-2.6/src/seuser_record.c
|
|
|
|
+++ libsemanage-2.6/src/seuser_record.c
|
|
|
|
@@ -33,7 +33,7 @@ struct semanage_seuser {
|
2016-10-04 06:30:58 +00:00
|
|
|
|
2017-02-15 12:21:15 +00:00
|
|
|
struct semanage_seuser_key {
|
|
|
|
/* This user's name */
|
|
|
|
- const char *name;
|
|
|
|
+ char *name;
|
|
|
|
};
|
2016-05-06 14:16:42 +00:00
|
|
|
|
2017-02-15 12:21:15 +00:00
|
|
|
int semanage_seuser_key_create(semanage_handle_t * handle,
|
|
|
|
@@ -48,7 +48,12 @@ int semanage_seuser_key_create(semanage_handle_t * handle,
|
|
|
|
ERR(handle, "out of memory, could not create seuser key");
|
|
|
|
return STATUS_ERR;
|
2016-10-04 06:30:58 +00:00
|
|
|
}
|
2017-02-15 12:21:15 +00:00
|
|
|
- tmp_key->name = name;
|
|
|
|
+ tmp_key->name = strdup(name);
|
|
|
|
+ if (!tmp_key->name) {
|
|
|
|
+ ERR(handle, "out of memory, could not create seuser key");
|
|
|
|
+ free(tmp_key);
|
|
|
|
+ return STATUS_ERR;
|
2016-10-04 06:30:58 +00:00
|
|
|
+ }
|
|
|
|
|
2017-02-15 12:21:15 +00:00
|
|
|
*key_ptr = tmp_key;
|
|
|
|
return STATUS_SUCCESS;
|
|
|
|
@@ -75,7 +80,7 @@ hidden_def(semanage_seuser_key_extract)
|
2016-05-06 14:16:42 +00:00
|
|
|
|
2017-02-15 12:21:15 +00:00
|
|
|
void semanage_seuser_key_free(semanage_seuser_key_t * key)
|
2016-05-06 14:16:42 +00:00
|
|
|
{
|
2016-10-04 06:30:58 +00:00
|
|
|
-
|
2017-02-15 12:21:15 +00:00
|
|
|
+ free(key->name);
|
|
|
|
free(key);
|
|
|
|
}
|
2016-02-21 11:36:19 +00:00
|
|
|
|