- Fix genhomedircon code to only generate valid context

- Fixes autorelabel problem
Daniel J Walsh 2007-09-26 20:51:43 +00:00
parent 422f3b68fd
commit 09711868c7
2 changed files with 305 additions and 14 deletions


@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsalibsemanage/include/semanage/handle.h libsemanage-2.0.3/include/semanage/handle.h
diff --exclude-from=exclude -N -u -r nsalibsemanage/include/semanage/handle.h libsemanage-2.0.6/include/semanage/handle.h
--- nsalibsemanage/include/semanage/handle.h 2007-08-20 19:15:36.000000000 -0400
+++ libsemanage-2.0.3/include/semanage/handle.h 2007-08-11 06:41:11.000000000 -0400
+++ libsemanage-2.0.6/include/semanage/handle.h 2007-09-26 16:22:02.000000000 -0400
@@ -69,6 +69,10 @@
* 1 for yes, 0 for no (default) */
void semanage_set_create_store(semanage_handle_t * handle, int create_store);
@ -12,9 +12,9 @@ diff --exclude-from=exclude -N -u -r nsalibsemanage/include/semanage/handle.h li
/* Set whether or not to disable dontaudits upon commit */
void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
diff --exclude-from=exclude -N -u -r nsalibsemanage/Makefile libsemanage-2.0.3/Makefile
diff --exclude-from=exclude -N -u -r nsalibsemanage/Makefile libsemanage-2.0.6/Makefile
--- nsalibsemanage/Makefile 2007-07-16 14:20:39.000000000 -0400
+++ libsemanage-2.0.3/Makefile 2007-08-11 06:40:28.000000000 -0400
+++ libsemanage-2.0.6/Makefile 2007-09-26 16:22:02.000000000 -0400
@@ -1,6 +1,9 @@
all:
$(MAKE) -C src all
@ -25,9 +25,255 @@ diff --exclude-from=exclude -N -u -r nsalibsemanage/Makefile libsemanage-2.0.3/M
pywrap:
$(MAKE) -C src pywrap
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/handle.c libsemanage-2.0.3/src/handle.c
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c libsemanage-2.0.6/src/direct_api.c
--- nsalibsemanage/src/direct_api.c 2007-07-16 14:20:38.000000000 -0400
+++ libsemanage-2.0.6/src/direct_api.c 2007-09-26 16:22:31.000000000 -0400
@@ -700,7 +700,7 @@
goto cleanup;
if (sh->do_rebuild || modified) {
- retval = semanage_install_sandbox(sh);
+ retval = semanage_install_sandbox(sh, out);
}
cleanup:
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libsemanage-2.0.6/src/genhomedircon.c
--- nsalibsemanage/src/genhomedircon.c 2007-09-13 08:21:11.000000000 -0400
+++ libsemanage-2.0.6/src/genhomedircon.c 2007-09-26 16:39:40.000000000 -0400
@@ -1,5 +1,6 @@
-/* Author: Mark Goldman <mgoldman@tresys.com>
- * Paul Rosenfeld <prosenfeld@tresys.com>
+/* Author: Mark Goldman <mgoldman@tresys.com>
+ * Paul Rosenfeld <prosenfeld@tresys.com>
+ * Todd C. Miller <tmiller@tresys.com>
*
* Copyright (C) 2007 Tresys Technology, LLC
*
@@ -23,6 +24,8 @@
#include <semanage/seusers_policy.h>
#include <semanage/users_policy.h>
#include <semanage/user_record.h>
+#include <sepol/context.h>
+#include <sepol/context_record.h>
#include "semanage_store.h"
#include "seuser_internal.h"
#include "debug.h"
@@ -80,6 +83,7 @@
int usepasswd;
const char *homedir_template_path;
semanage_handle_t *h_semanage;
+ sepol_policydb_t *policydb;
} genhomedircon_settings_t;
typedef struct user_entry {
@@ -352,9 +356,48 @@
return retval;
}
-static int write_home_dir_context(FILE * out, semanage_list_t * tpl,
- const char *user, const char *seuser,
- const char *home, const char *role_prefix)
+static const char * extract_context(Ustr *line)
+{
+ const char whitespace[] = " \t\n";
+ size_t off, len;
+
+ /* check for trailing whitespace */
+ off = ustr_spn_chrs_rev(line, 0, whitespace, strlen(whitespace));
+
+ /* find the length of the last field in line */
+ len = ustr_cspn_chrs_rev(line, off, whitespace, strlen(whitespace));
+
+ if (len == 0)
+ return NULL;
+ return ustr_cstr(line) + ustr_len(line) - (len + off);
+}
+
+static int check_line(genhomedircon_settings_t * s, Ustr *line)
+{
+ sepol_context_t *ctx_record = NULL;
+ const char *ctx_str;
+ int result;
+
+ ctx_str = extract_context(line);
+ if (!ctx_str)
+ return STATUS_ERR;
+
+ result = sepol_context_from_string(s->h_semanage->sepolh,
+ ctx_str, &ctx_record);
+ if (result == STATUS_SUCCESS && ctx_record != NULL) {
+ sepol_msg_set_callback(s->h_semanage->sepolh, NULL, NULL);
+ result = sepol_context_check(s->h_semanage->sepolh,
+ s->policydb, ctx_record);
+ sepol_msg_set_callback(s->h_semanage->sepolh, semanage_msg_relay_handler, NULL);
+ sepol_context_free(ctx_record);
+ }
+ return result;
+}
+
+static int write_home_dir_context(genhomedircon_settings_t * s, FILE * out,
+ semanage_list_t * tpl, const char *user,
+ const char *seuser, const char *home,
+ const char *role_prefix)
{
replacement_pair_t repl[] = {
{.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
@@ -369,8 +412,12 @@
for (; tpl; tpl = tpl->next) {
line = replace_all(tpl->data, repl);
- if (!line || !ustr_io_putfileline(&line, out))
+ if (!line)
goto fail;
+ if (check_line(s, line) == STATUS_SUCCESS) {
+ if (!ustr_io_putfileline(&line, out))
+ goto fail;
+ }
ustr_sc_free(&line);
}
return STATUS_SUCCESS;
@@ -380,8 +427,8 @@
return STATUS_ERR;
}
-static int write_home_root_context(FILE * out, semanage_list_t * tpl,
- char *homedir)
+static int write_home_root_context(genhomedircon_settings_t * s, FILE * out,
+ semanage_list_t * tpl, char *homedir)
{
replacement_pair_t repl[] = {
{.search_for = TEMPLATE_HOME_ROOT,.replace_with = homedir},
@@ -391,8 +438,12 @@
for (; tpl; tpl = tpl->next) {
line = replace_all(tpl->data, repl);
- if (!line || !ustr_io_putfileline(&line, out))
+ if (!line)
goto fail;
+ if (check_line(s, line) == STATUS_SUCCESS) {
+ if (!ustr_io_putfileline(&line, out))
+ goto fail;
+ }
ustr_sc_free(&line);
}
return STATUS_SUCCESS;
@@ -402,7 +453,8 @@
return STATUS_ERR;
}
-static int write_user_context(FILE * out, semanage_list_t * tpl, char *user,
+static int write_user_context(genhomedircon_settings_t * s, FILE * out,
+ semanage_list_t * tpl, char *user,
char *seuser, char *role_prefix)
{
replacement_pair_t repl[] = {
@@ -415,8 +467,12 @@
for (; tpl; tpl = tpl->next) {
line = replace_all(tpl->data, repl);
- if (!line || !ustr_io_putfileline(&line, out))
+ if (!line)
goto fail;
+ if (check_line(s, line) == STATUS_SUCCESS) {
+ if (!ustr_io_putfileline(&line, out))
+ goto fail;
+ }
ustr_sc_free(&line);
}
return STATUS_SUCCESS;
@@ -602,7 +658,7 @@
return head;
}
-static int write_gen_home_dir_context(FILE * out, genhomedircon_settings_t * s,
+static int write_gen_home_dir_context(genhomedircon_settings_t * s, FILE * out,
semanage_list_t * user_context_tpl,
semanage_list_t * homedir_context_tpl)
{
@@ -615,13 +671,13 @@
}
for (; users; pop_user_entry(&users)) {
- if (write_home_dir_context(out, homedir_context_tpl,
+ if (write_home_dir_context(s, out, homedir_context_tpl,
users->name,
users->sename, users->home,
users->prefix)) {
return STATUS_ERR;
}
- if (write_user_context(out, user_context_tpl, users->name,
+ if (write_user_context(s, out, user_context_tpl, users->name,
users->sename, users->prefix)) {
return STATUS_ERR;
}
@@ -671,7 +727,7 @@
goto done;
}
- if (write_home_dir_context(out,
+ if (write_home_dir_context(s, out,
homedir_context_tpl, FALLBACK_USER,
FALLBACK_USER, ustr_cstr(temp),
FALLBACK_USER_PREFIX) !=
@@ -680,7 +736,7 @@
retval = STATUS_ERR;
goto done;
}
- if (write_home_root_context(out,
+ if (write_home_root_context(s, out,
homeroot_context_tpl,
h->data) != STATUS_SUCCESS) {
ustr_sc_free(&temp);
@@ -690,13 +746,13 @@
ustr_sc_free(&temp);
}
- if (write_user_context(out, user_context_tpl,
+ if (write_user_context(s, out, user_context_tpl,
".*", FALLBACK_USER,
FALLBACK_USER_PREFIX) != STATUS_SUCCESS) {
retval = STATUS_ERR;
goto done;
}
- if (write_gen_home_dir_context(out, s, user_context_tpl,
+ if (write_gen_home_dir_context(s, out, user_context_tpl,
homedir_context_tpl) != STATUS_SUCCESS) {
retval = STATUS_ERR;
}
@@ -711,7 +767,9 @@
return retval;
}
-int semanage_genhomedircon(semanage_handle_t * sh, int usepasswd)
+int semanage_genhomedircon(semanage_handle_t * sh,
+ sepol_policydb_t * policydb,
+ int usepasswd)
{
genhomedircon_settings_t s;
FILE *out = NULL;
@@ -725,6 +783,7 @@
s.usepasswd = usepasswd;
s.h_semanage = sh;
+ s.policydb = policydb;
if (!(out = fopen(s.fcfilepath, "w"))) {
/* couldn't open output file */
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.h libsemanage-2.0.6/src/genhomedircon.h
--- nsalibsemanage/src/genhomedircon.h 2007-08-23 16:52:25.000000000 -0400
+++ libsemanage-2.0.6/src/genhomedircon.h 2007-09-26 16:22:31.000000000 -0400
@@ -22,6 +22,7 @@
#include "utilities.h"
-int semanage_genhomedircon(semanage_handle_t * sh, int usepasswd);
+int semanage_genhomedircon(semanage_handle_t * sh,
+ sepol_policydb_t * policydb, int usepasswd);
#endif
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/handle.c libsemanage-2.0.6/src/handle.c
--- nsalibsemanage/src/handle.c 2007-08-20 19:15:37.000000000 -0400
+++ libsemanage-2.0.3/src/handle.c 2007-08-11 06:41:31.000000000 -0400
+++ libsemanage-2.0.6/src/handle.c 2007-09-26 16:22:02.000000000 -0400
@@ -68,6 +68,7 @@
/* By default do not create store */
sh->create_store = 0;
@ -52,9 +298,9 @@ diff --exclude-from=exclude -N -u -r nsalibsemanage/src/handle.c libsemanage-2.0
void semanage_set_create_store(semanage_handle_t * sh, int create_store)
{
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/handle.h libsemanage-2.0.3/src/handle.h
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/handle.h libsemanage-2.0.6/src/handle.h
--- nsalibsemanage/src/handle.h 2007-07-16 14:20:38.000000000 -0400
+++ libsemanage-2.0.3/src/handle.h 2007-08-11 06:40:28.000000000 -0400
+++ libsemanage-2.0.6/src/handle.h 2007-09-26 16:22:02.000000000 -0400
@@ -58,6 +58,7 @@
int is_connected;
int is_in_transaction;
@ -63,9 +309,9 @@ diff --exclude-from=exclude -N -u -r nsalibsemanage/src/handle.h libsemanage-2.0
int do_rebuild; /* whether to rebuild policy if there were no changes */
int modules_modified;
int create_store; /* whether to create the store if it does not exist
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/libsemanage.map libsemanage-2.0.3/src/libsemanage.map
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/libsemanage.map libsemanage-2.0.6/src/libsemanage.map
--- nsalibsemanage/src/libsemanage.map 2007-08-20 19:15:37.000000000 -0400
+++ libsemanage-2.0.3/src/libsemanage.map 2007-08-11 06:40:28.000000000 -0400
+++ libsemanage-2.0.6/src/libsemanage.map 2007-09-26 16:22:02.000000000 -0400
@@ -9,6 +9,7 @@
semanage_module_list_nth; semanage_module_get_name;
semanage_module_get_version; semanage_select_store;
@ -74,10 +320,10 @@ diff --exclude-from=exclude -N -u -r nsalibsemanage/src/libsemanage.map libseman
semanage_user_*; semanage_bool_*; semanage_seuser_*;
semanage_iface_*; semanage_port_*; semanage_context_*;
semanage_node_*;
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c libsemanage-2.0.3/src/semanage_store.c
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c libsemanage-2.0.6/src/semanage_store.c
--- nsalibsemanage/src/semanage_store.c 2007-08-23 16:52:25.000000000 -0400
+++ libsemanage-2.0.3/src/semanage_store.c 2007-08-11 06:40:28.000000000 -0400
@@ -1130,7 +1120,7 @@
+++ libsemanage-2.0.6/src/semanage_store.c 2007-09-26 16:22:31.000000000 -0400
@@ -1130,7 +1130,7 @@
skip_reload:
@ -86,3 +332,44 @@ diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c libsema
semanage_exec_prog(sh, sh->conf->setfiles, store_pol,
store_fc)) != 0) {
ERR(sh, "setfiles returned error code %d.", r);
@@ -1257,7 +1257,8 @@
* should be placed within a mutex lock to ensure that it runs
* atomically. Returns commit number on success, -1 on error.
*/
-int semanage_install_sandbox(semanage_handle_t * sh)
+int semanage_install_sandbox(semanage_handle_t * sh,
+ sepol_policydb_t * policydb)
{
int retval = -1, commit_num = -1;
@@ -1272,7 +1273,7 @@
}
if (!sh->conf->disable_genhomedircon) {
if ((retval =
- semanage_genhomedircon(sh, TRUE)) != 0) {
+ semanage_genhomedircon(sh, policydb, TRUE)) != 0) {
ERR(sh, "semanage_genhomedircon returned error code %d.",
retval);
goto cleanup;
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.h libsemanage-2.0.6/src/semanage_store.h
--- nsalibsemanage/src/semanage_store.h 2007-08-23 16:52:25.000000000 -0400
+++ libsemanage-2.0.6/src/semanage_store.h 2007-09-26 16:22:31.000000000 -0400
@@ -83,8 +83,6 @@
int semanage_get_modules_names(semanage_handle_t * sh,
char ***filenames, int *len);
-int semanage_install_sandbox(semanage_handle_t * sh);
-
/* lock file routines */
int semanage_get_trans_lock(semanage_handle_t * sh);
int semanage_get_active_lock(semanage_handle_t * sh);
@@ -102,7 +100,8 @@
int semanage_write_policydb(semanage_handle_t * sh,
sepol_policydb_t * policydb);
-int semanage_install_sandbox(semanage_handle_t * sh);
+int semanage_install_sandbox(semanage_handle_t * sh,
+ sepol_policydb_t * policydb);
int semanage_verify_modules(semanage_handle_t * sh,
char **module_filenames, int num_modules);


@ -3,7 +3,7 @@
Summary: SELinux binary policy manipulation library
Name: libsemanage
Version: 2.0.6
Release: 1%{?dist}
Release: 2%{?dist}
License: GPL
Group: System Environment/Libraries
Source: http://www.nsa.gov/selinux/archives/libsemanage-%{version}.tgz
@ -78,6 +78,10 @@ rm -rf ${RPM_BUILD_ROOT}
%{_mandir}/man3/*
%changelog
* Wed Sep 26 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.6-2
- Fix genhomedircon code to only generate valid context
- Fixes autorelabel problem
* Thu Sep 13 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.6-1
- Upgrade to latest from NSA
* Change to use getpw* function calls to the _r versions from Todd Miller.