diff --git a/libsemanage-fedora.patch b/libsemanage-fedora.patch
index e69de29..a2969bb 100644
--- a/libsemanage-fedora.patch
+++ b/libsemanage-fedora.patch
@@ -0,0 +1,158 @@
+diff --git libsemanage-2.8/src/semanage_store.c libsemanage-2.8/src/semanage_store.c
+index f1984c5..58dded6 100644
+--- libsemanage-2.8/src/semanage_store.c
++++ libsemanage-2.8/src/semanage_store.c
+@@ -541,14 +541,18 @@ int semanage_create_store(semanage_handle_t * sh, int create)
+ struct stat sb;
+ const char *path = semanage_files[SEMANAGE_ROOT];
+ int fd;
++ mode_t mask;
+ 
+ if (stat(path, &sb) == -1) {
+ if (errno == ENOENT && create) {
++ mask = umask(0077);
+ if (mkdir(path, S_IRWXU) == -1) {
++ umask(mask);
+ ERR(sh, "Could not create module store at %s.",
+ path);
+ return -2;
+ }
++ umask(mask);
+ } else {
+ if (create)
+ ERR(sh,
+@@ -567,12 +571,15 @@ int semanage_create_store(semanage_handle_t * sh, int create)
+ path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_TOPLEVEL);
+ if (stat(path, &sb) == -1) {
+ if (errno == ENOENT && create) {
++ mask = umask(0077);
+ if (mkdir(path, S_IRWXU) == -1) {
++ umask(mask);
+ ERR(sh,
+ "Could not create module store, active subdirectory at %s.",
+ path);
+ return -2;
+ }
++ umask(mask);
+ } else {
+ ERR(sh,
+ "Could not read from module store, active subdirectory at %s.",
+@@ -590,12 +597,15 @@ int semanage_create_store(semanage_handle_t * sh, int create)
+ path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_MODULES);
+ if (stat(path, &sb) == -1) {
+ if (errno == ENOENT && create) {
++ mask = umask(0077);
+ if (mkdir(path, S_IRWXU) == -1) {
++ umask(mask);
+ ERR(sh,
+ "Could not create module store, active modules subdirectory at %s.",
+ path);
+ return -2;
+ }
++ umask(mask);
+ } else {
+ ERR(sh,
+ "Could not read from module store, active modules subdirectory at %s.",
+@@ -613,11 +623,14 @@ int semanage_create_store(semanage_handle_t * sh, int create)
+ path = semanage_files[SEMANAGE_READ_LOCK];
+ if (stat(path, &sb) == -1) {
+ if (errno == ENOENT && create) {
++ mask = umask(0077);
+ if ((fd = creat(path, S_IRUSR | S_IWUSR)) == -1) {
++ umask(mask);
+ ERR(sh, "Could not create lock file at %s.",
+ path);
+ return -2;
+ }
++ umask(mask);
+ close(fd);
+ } else {
+ ERR(sh, "Could not read lock file at %s.", path);
+@@ -763,6 +776,7 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag)
+ struct stat sb;
+ struct dirent **names = NULL;
+ char path[PATH_MAX], path2[PATH_MAX];
++ mode_t mask;
+ 
+ if ((len = scandir(src, &names, semanage_filename_select, NULL)) == -1) {
+ fprintf(stderr, "Could not read the contents of %s: %s\n", src, strerror(errno));
+@@ -770,10 +784,13 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag)
+ }
+ 
+ if (stat(dst, &sb) != 0) {
++ mask = umask(0077);
+ if (mkdir(dst, S_IRWXU) != 0) {
++ umask(mask);
+ fprintf(stderr, "Could not create %s: %s\n", dst, strerror(errno));
+ goto cleanup;
+ }
++ umask(mask);
+ }
+ 
+ for (i = 0; i < len; i++) {
+@@ -785,14 +802,20 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag)
+ }
+ snprintf(path2, sizeof(path2), "%s/%s", dst, names[i]->d_name);
+ if (S_ISDIR(sb.st_mode)) {
++ mask = umask(0077);
+ if (mkdir(path2, 0700) == -1 ||
+ semanage_copy_dir_flags(path, path2, flag) == -1) {
++ umask(mask);
+ goto cleanup;
+ }
++ umask(mask);
+ } else if (S_ISREG(sb.st_mode) && flag == 1) {
++ mask = umask(0077);
+ if (semanage_copy_file(path, path2, sb.st_mode) < 0) {
++ umask(mask);
+ goto cleanup;
+ }
++ umask(mask);
+ }
+ }
+ retval = 0;
+@@ -872,16 +895,20 @@ int semanage_mkdir(semanage_handle_t *sh, const char *path)
+ {
+ int status = 0;
+ struct stat sb;
++ mode_t mask;
+ 
+ /* check if directory already exists */
+ if (stat(path, &sb) != 0) {
+ /* make the modules directory */
++ mask = umask(0077);
+ if (mkdir(path, S_IRWXU) != 0) {
++ umask(mask);
+ ERR(sh, "Cannot make directory at %s", path);
+ status = -1;
+ goto cleanup;
+ 
+ }
++ umask(mask);
+ }
+ else {
+ /* check that it really is a directory */
+@@ -906,6 +933,7 @@ int semanage_make_sandbox(semanage_handle_t * sh)
+ const char *sandbox = semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL);
+ struct stat buf;
+ int errsv;
++ mode_t mask;
+ 
+ if (stat(sandbox, &buf) == -1) {
+ if (errno != ENOENT) {
+@@ -922,12 +950,15 @@ int semanage_make_sandbox(semanage_handle_t * sh)
+ }
+ }
+ 
++ mask = umask(0077);
+ if (mkdir(sandbox, S_IRWXU) == -1 ||
+ semanage_copy_dir(semanage_path(SEMANAGE_ACTIVE, SEMANAGE_TOPLEVEL),
+ sandbox) == -1) {
++ umask(mask);
+ ERR(sh, "Could not copy files to sandbox %s.", sandbox);
+ goto cleanup;
+ }
++ umask(mask);
+ return 0;
+ 
+ cleanup:
diff --git a/libsemanage.spec b/libsemanage.spec
index 4f5fcbc..b8b24dd 100644
--- a/libsemanage.spec
+++ b/libsemanage.spec
@@ -4,13 +4,13 @@ Summary: SELinux binary policy manipulation library
 Name: libsemanage
 Version: 2.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: LGPLv2+
 Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/libsemanage-2.8.tar.gz
 # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
 # run:
 # $ VERSION=2.8 ./make-fedora-selinux-patch.sh libsemanage
-# HEAD https://github.com/fedora-selinux/selinux/commit/0e84c8fe6bb895d22f706be1c8f59119c6427f64
+# HEAD https://github.com/fedora-selinux/selinux/commit/db1433d3b785eadb4eecf5c82430d57c92855a35
 #
 Patch1: libsemanage-fedora.patch
 URL: https://github.com/SELinuxProject/selinux/wiki
 Source1: semanage.conf
@@ -179,6 +179,9 @@ sed -i '1s%\(#! */usr/bin/python\)\([^3].*\|\)$%\13\2%' %{buildroot}%{_libexecdi
 %{_libexecdir}/selinux/semanage_migrate_store
 
 %changelog
+* Tue Sep 4 2018 Petr Lautrbach - 2.8-4
+- Reset umask before creating directories (#1186422)
+
 * Fri Jul 13 2018 Fedora Release Engineering - 2.8-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
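Review bot: The `umask(0077)` / `umask(mask)` pairs wrapped around every mkdir(), creat() and semanage_copy_file() call in semanage_create_store, semanage_copy_dir_flags, semanage_mkdir and semanage_make_sandbox mutate process-wide state from inside a shared library: umask is not per-thread, so a multithreaded caller that creates files concurrently may observe either the library's 0077 mask or its own, and any early exit between the two calls that is not covered by a restore would leave the caller's mask changed for the rest of the process. The identical save/set/create/restore sequence is repeated at roughly ten sites, which makes it easy for a future error path to miss the restore; a single static helper such as `static int semanage_mkdir_0700(const char *p) { mode_t m = umask(0077); int rc = mkdir(p, S_IRWXU); umask(m); return rc; }` would keep the pairing in one place (the enclosing function bodies all continue outside these hunks). The intent also deserves a comment, since with a mode of 0700 a umask can only remove bits, so forcing 0077 presumably guards against a caller's more restrictive umask leaving the store directories unreadable — something like `/* force exactly 0700 regardless of the caller's umask, which could otherwise only tighten S_IRWXU */`. For the `semanage_copy_file(path, path2, sb.st_mode)` site the forced mask additionally strips any group/other bits from the copied file's mode, which should be confirmed as intended rather than a side effect.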