Add support for preserving tunables

libsemanage-rhat.patch

@@ -1,5 +1,22 @@
+diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
+index e303713..c746930 100644
+--- a/libsemanage/include/semanage/handle.h
++++ b/libsemanage/include/semanage/handle.h
+@@ -129,6 +129,12 @@ int semanage_mls_enabled(semanage_handle_t *sh);
+ /* Change to alternate selinux root path */
+ int semanage_set_root(const char *path);
+ 
++/* Get whether or not needless unused branch of tunables would be preserved */
++int semanage_get_preserve_tunables(semanage_handle_t * handle);
++
++/* Set whether or not to preserve the needless unused branch of tunables */
++void semanage_set_preserve_tunables(semanage_handle_t * handle, int preserve_tunables);
++
+ /* META NOTES
+  *
+  * For all functions a non-negative number indicates success. For some
 diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
-index aac1974..3dfa279 100644
+index aac1974..8fcfb88 100644
 --- a/libsemanage/src/direct_api.c
 +++ b/libsemanage/src/direct_api.c
 @@ -353,17 +353,11 @@ static int parse_module_headers(semanage_handle_t * sh, char *module_data,
@@ -21,7 +38,57 @@ index aac1974..3dfa279 100644
  	return 0;
  }
  
-@@ -1307,29 +1301,12 @@ static int semanage_direct_enable(semanage_handle_t * sh, char *module_name)
+@@ -695,7 +689,8 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ 
+ 	/* Declare some variables */
+ 	int modified = 0, fcontexts_modified, ports_modified,
+-	    seusers_modified, users_extra_modified, dontaudit_modified;
++	    seusers_modified, users_extra_modified, dontaudit_modified,
++	    preserve_tunables_modified;
+ 	dbase_config_t *users = semanage_user_dbase_local(sh);
+ 	dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
+ 	dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
+@@ -737,6 +732,31 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ 		}
+ 	}
+ 
++	/* Create or remove the preserve_tunables flag file. */
++	path = semanage_path(SEMANAGE_TMP, SEMANAGE_PRESERVE_TUNABLES);
++	if (access(path, F_OK) == 0)
++		preserve_tunables_modified = !(sepol_get_preserve_tunables(sh->sepolh) == 1);
++	else
++		preserve_tunables_modified = (sepol_get_preserve_tunables(sh->sepolh) == 1);
++	if (sepol_get_preserve_tunables(sh->sepolh) == 1) {
++		FILE *touch;
++		touch = fopen(path, "w");
++		if (touch != NULL) {
++			if (fclose(touch) != 0) {
++				ERR(sh, "Error attempting to create preserve_tunable flag.");
++				goto cleanup;
++			}
++		} else {
++			ERR(sh, "Error attempting to create preserve_tunable flag.");
++			goto cleanup;
++		}
++	} else {
++		if (remove(path) == -1 && errno != ENOENT) {
++			ERR(sh, "Error removing the preserve_tunables flag.");
++			goto cleanup;
++		}
++	}
++
+ 	/* Before we do anything else, flush the join to its component parts.
+ 	 * This *does not* flush to disk automatically */
+ 	if (users->dtable->is_modified(users->dbase)) {
+@@ -759,6 +779,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ 	modified |= ifaces->dtable->is_modified(ifaces->dbase);
+ 	modified |= nodes->dtable->is_modified(nodes->dbase);
+ 	modified |= dontaudit_modified;
++	modified |= preserve_tunables_modified;
+ 
+ 	/* If there were policy changes, or explicitly requested, rebuild the policy */
+ 	if (sh->do_rebuild || modified) {
+@@ -1307,29 +1328,12 @@ static int semanage_direct_enable(semanage_handle_t * sh, char *module_name)
  		base++;
  		if (memcmp(module_name, base, name_len) == 0) {
  
@@ -53,7 +120,7 @@ index aac1974..3dfa279 100644
  			goto cleanup;
  		}
  	}
-@@ -1363,28 +1340,14 @@ static int semanage_direct_disable(semanage_handle_t * sh, char *module_name)
+@@ -1363,28 +1367,14 @@ static int semanage_direct_disable(semanage_handle_t * sh, char *module_name)
  			goto cleanup;
  		}
  		base++;
@@ -87,7 +154,7 @@ index aac1974..3dfa279 100644
  		}
  	}
  	ERR(sh, "Module %s was not found.", module_name);
-@@ -1418,6 +1381,7 @@ static int semanage_direct_remove(semanage_handle_t * sh, char *module_name)
+@@ -1418,6 +1408,7 @@ static int semanage_direct_remove(semanage_handle_t * sh, char *module_name)
  		}
  		base++;
  		if (memcmp(module_name, base, name_len) == 0) {
@@ -117,8 +184,43 @@ index 847d87e..2870fa8 100644
  		if (push_user_entry(&head, name, seuname,
  				    prefix, pwent->pw_dir, level) != STATUS_SUCCESS) {
  			*errors = STATUS_ERR;
+diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
+index 647f0ee..7adc1cc 100644
+--- a/libsemanage/src/handle.c
++++ b/libsemanage/src/handle.c
+@@ -261,6 +261,19 @@ void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudi
+ 	return;
+ }
+ 
++int semanage_get_preserve_tunables(semanage_handle_t * sh)
++{
++	assert(sh != NULL);
++	return sepol_get_preserve_tunables(sh->sepolh);
++}
++
++void semanage_set_preserve_tunables(semanage_handle_t * sh,
++				    int preserve_tunables)
++{
++	assert(sh != NULL);
++	sepol_set_preserve_tunables(sh->sepolh, preserve_tunables);
++}
++
+ void semanage_set_check_contexts(semanage_handle_t * sh, int do_check_contexts)
+ {
+ 
+diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
+index 3222e3d..2827abe 100644
+--- a/libsemanage/src/libsemanage.map
++++ b/libsemanage/src/libsemanage.map
+@@ -22,5 +22,6 @@ LIBSEMANAGE_1.0 {
+ 	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
+ 	  semanage_mls_enabled;
+ 	  semanage_set_check_contexts;
++	  semanage_get_preserve_tunables; semanage_set_preserve_tunables;
+   local: *;
+ };
 diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
-index 8d6ff1c..37b0c7a 100644
+index 8d6ff1c..e322992 100644
 --- a/libsemanage/src/semanage_store.c
 +++ b/libsemanage/src/semanage_store.c
 @@ -57,7 +57,7 @@ typedef struct dbase_policydb dbase_t;
@@ -130,7 +232,15 @@ index 8d6ff1c..37b0c7a 100644
  
  #define SEMANAGE_CONF_FILE "semanage.conf"
  /* relative path names to enum semanage_paths to special files and
-@@ -425,6 +425,13 @@ int semanage_store_access_check(void)
+@@ -117,6 +117,7 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
+ 	"/netfilter_contexts",
+ 	"/file_contexts.homedirs",
+ 	"/disable_dontaudit",
++	"/preserve_tunables",
+ };
+ 
+ /* A node used in a linked list of file contexts; used for sorting.
+@@ -425,6 +426,13 @@ int semanage_store_access_check(void)
  
  /********************* other I/O functions *********************/
  
@@ -144,7 +254,7 @@ index 8d6ff1c..37b0c7a 100644
  /* Callback used by scandir() to select files. */
  static int semanage_filename_select(const struct dirent *d)
  {
-@@ -435,11 +442,41 @@ static int semanage_filename_select(const struct dirent *d)
+@@ -435,11 +443,41 @@ static int semanage_filename_select(const struct dirent *d)
  	return 1;
  }
  
@@ -188,7 +298,7 @@ index 8d6ff1c..37b0c7a 100644
  static int semanage_modulename_select(const struct dirent *d)
  {
  	if (d->d_name[0] == '.'
-@@ -447,7 +484,7 @@ static int semanage_modulename_select(const struct dirent *d)
+@@ -447,7 +485,7 @@ static int semanage_modulename_select(const struct dirent *d)
  		|| (d->d_name[1] == '.' && d->d_name[2] == '\0')))
  		return 0;
  
@@ -197,7 +307,7 @@ index 8d6ff1c..37b0c7a 100644
  }
  
  /* Copies a file from src to dst.  If dst already exists then
-@@ -684,7 +721,7 @@ int semanage_get_modules_names(semanage_handle_t * sh, char ***filenames,
+@@ -684,7 +722,7 @@ int semanage_get_modules_names(semanage_handle_t * sh, char ***filenames,
  			       int *len)
  {
  	return semanage_get_modules_names_filter(sh, filenames,
@@ -206,7 +316,7 @@ index 8d6ff1c..37b0c7a 100644
  }
  
  /* Scans the modules directory for the current semanage handler.  This
-@@ -697,8 +734,25 @@ int semanage_get_modules_names(semanage_handle_t * sh, char ***filenames,
+@@ -697,8 +735,25 @@ int semanage_get_modules_names(semanage_handle_t * sh, char ***filenames,
  int semanage_get_active_modules_names(semanage_handle_t * sh, char ***filenames,
  			       int *len)
  {
@@ -235,10 +345,18 @@ index 8d6ff1c..37b0c7a 100644
  
  /******************* routines that run external programs *******************/
 diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
-index a0b2dd8..e980cdc 100644
+index a0b2dd8..b451308 100644
 --- a/libsemanage/src/semanage_store.h
 +++ b/libsemanage/src/semanage_store.h
-@@ -85,6 +85,8 @@ int semanage_get_modules_names(semanage_handle_t * sh,
+@@ -59,6 +59,7 @@ enum semanage_sandbox_defs {
+ 	SEMANAGE_NC,
+ 	SEMANAGE_FC_HOMEDIRS,
+ 	SEMANAGE_DISABLE_DONTAUDIT,
++	SEMANAGE_PRESERVE_TUNABLES,
+ 	SEMANAGE_STORE_NUM_PATHS
+ };
+ 
+@@ -85,6 +86,8 @@ int semanage_get_modules_names(semanage_handle_t * sh,
  			       char ***filenames, int *len);
  
  int semanage_module_enabled(const char *file);
@@ -247,7 +365,7 @@ index a0b2dd8..e980cdc 100644
  /* lock file routines */
  int semanage_get_trans_lock(semanage_handle_t * sh);
  int semanage_get_active_lock(semanage_handle_t * sh);
-@@ -129,6 +131,4 @@ int semanage_nc_sort(semanage_handle_t * sh,
+@@ -129,6 +132,4 @@ int semanage_nc_sort(semanage_handle_t * sh,
  		     size_t buf_len,
  		     char **sorted_buf, size_t * sorted_buf_len);
  

libsemanage.spec

@@ -10,7 +10,7 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsemanage
 Version: 2.1.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 Source: libsemanage-%{version}.tgz
@@ -179,6 +179,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif # if with_python3
 
 %changelog
+* Wed Sep 14 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.3-2
+- Add support for preserving tunables
+
 * Tue Aug 30 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.3-1
 -Update to upstream
 	* python wrapper makefile changes