6561fe9a7f
- free genhomedircon fallback user - Rebuild with libsepol-2.7-3 and libselinux-2.7-6
300 lines
10 KiB
Diff
300 lines
10 KiB
Diff
diff --git libsemanage-2.7/include/semanage/fcontexts_policy.h libsemanage-2.7/include/semanage/fcontexts_policy.h
|
|
index a50db2b..199a1e1 100644
|
|
--- libsemanage-2.7/include/semanage/fcontexts_policy.h
|
|
+++ libsemanage-2.7/include/semanage/fcontexts_policy.h
|
|
@@ -26,4 +26,8 @@ extern int semanage_fcontext_list(semanage_handle_t * handle,
|
|
semanage_fcontext_t *** records,
|
|
unsigned int *count);
|
|
|
|
+extern int semanage_fcontext_list_homedirs(semanage_handle_t * handle,
|
|
+ semanage_fcontext_t *** records,
|
|
+ unsigned int *count);
|
|
+
|
|
#endif
|
|
diff --git libsemanage-2.7/src/direct_api.c libsemanage-2.7/src/direct_api.c
|
|
index 65842df..31fcada 100644
|
|
--- libsemanage-2.7/src/direct_api.c
|
|
+++ libsemanage-2.7/src/direct_api.c
|
|
@@ -148,9 +148,6 @@ int semanage_direct_connect(semanage_handle_t * sh)
|
|
if (semanage_create_store(sh, 1))
|
|
goto err;
|
|
|
|
- if (semanage_access_check(sh) < SEMANAGE_CAN_READ)
|
|
- goto err;
|
|
-
|
|
sh->u.direct.translock_file_fd = -1;
|
|
sh->u.direct.activelock_file_fd = -1;
|
|
|
|
@@ -210,6 +207,12 @@ int semanage_direct_connect(semanage_handle_t * sh)
|
|
semanage_fcontext_dbase_local(sh)) < 0)
|
|
goto err;
|
|
|
|
+ if (fcontext_file_dbase_init(sh,
|
|
+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC_HOMEDIRS),
|
|
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS),
|
|
+ semanage_fcontext_dbase_homedirs(sh)) < 0)
|
|
+ goto err;
|
|
+
|
|
if (seuser_file_dbase_init(sh,
|
|
semanage_path(SEMANAGE_ACTIVE,
|
|
SEMANAGE_SEUSERS_LOCAL),
|
|
@@ -349,6 +352,7 @@ static int semanage_direct_disconnect(semanage_handle_t * sh)
|
|
iface_file_dbase_release(semanage_iface_dbase_local(sh));
|
|
bool_file_dbase_release(semanage_bool_dbase_local(sh));
|
|
fcontext_file_dbase_release(semanage_fcontext_dbase_local(sh));
|
|
+ fcontext_file_dbase_release(semanage_fcontext_dbase_homedirs(sh));
|
|
seuser_file_dbase_release(semanage_seuser_dbase_local(sh));
|
|
node_file_dbase_release(semanage_node_dbase_local(sh));
|
|
|
|
@@ -373,10 +377,6 @@ static int semanage_direct_disconnect(semanage_handle_t * sh)
|
|
|
|
static int semanage_direct_begintrans(semanage_handle_t * sh)
|
|
{
|
|
-
|
|
- if (semanage_access_check(sh) != SEMANAGE_CAN_WRITE) {
|
|
- return -1;
|
|
- }
|
|
if (semanage_get_trans_lock(sh) < 0) {
|
|
return -1;
|
|
}
|
|
@@ -1545,43 +1545,46 @@ rebuild:
|
|
}
|
|
|
|
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
|
|
- if (access(path, F_OK) == 0) {
|
|
- retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
|
|
- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
|
|
- sh->conf->file_mode);
|
|
- if (retval < 0) {
|
|
- goto cleanup;
|
|
- }
|
|
+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
|
|
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
|
|
+ sh->conf->file_mode);
|
|
+ if (retval < 0 && errno != ENOENT) {
|
|
+ goto cleanup;
|
|
}
|
|
|
|
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
|
|
- if (access(path, F_OK) == 0) {
|
|
- retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
|
|
- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
|
|
- sh->conf->file_mode);
|
|
- if (retval < 0) {
|
|
- goto cleanup;
|
|
- }
|
|
+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
|
|
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
|
|
+ sh->conf->file_mode);
|
|
+ if (retval < 0 && errno != ENOENT) {
|
|
+ goto cleanup;
|
|
}
|
|
|
|
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
|
|
- if (access(path, F_OK) == 0) {
|
|
- retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
|
|
- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
|
|
- sh->conf->file_mode);
|
|
- if (retval < 0) {
|
|
- goto cleanup;
|
|
- }
|
|
+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
|
|
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
|
|
+ sh->conf->file_mode);
|
|
+ if (retval < 0 && errno != ENOENT) {
|
|
+ goto cleanup;
|
|
}
|
|
|
|
/* run genhomedircon if its enabled, this should be the last operation
|
|
* which requires the out policydb */
|
|
if (!sh->conf->disable_genhomedircon) {
|
|
- if (out && (retval =
|
|
- semanage_genhomedircon(sh, out, sh->conf->usepasswd, sh->conf->ignoredirs)) != 0) {
|
|
- ERR(sh, "semanage_genhomedircon returned error code %d.",
|
|
- retval);
|
|
- goto cleanup;
|
|
+ if (out){
|
|
+ if ((retval = semanage_genhomedircon(sh, out, sh->conf->usepasswd,
|
|
+ sh->conf->ignoredirs)) != 0) {
|
|
+ ERR(sh, "semanage_genhomedircon returned error code %d.", retval);
|
|
+ goto cleanup;
|
|
+ }
|
|
+ /* file_contexts.homedirs was created in SEMANAGE_TMP store */
|
|
+ retval = semanage_copy_file(
|
|
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS),
|
|
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS),
|
|
+ sh->conf->file_mode);
|
|
+ if (retval < 0) {
|
|
+ goto cleanup;
|
|
+ }
|
|
}
|
|
} else {
|
|
WARN(sh, "WARNING: genhomedircon is disabled. \
|
|
diff --git libsemanage-2.7/src/fcontexts_policy.c libsemanage-2.7/src/fcontexts_policy.c
|
|
index 0b063b1..98490ab 100644
|
|
--- libsemanage-2.7/src/fcontexts_policy.c
|
|
+++ libsemanage-2.7/src/fcontexts_policy.c
|
|
@@ -51,3 +51,11 @@ int semanage_fcontext_list(semanage_handle_t * handle,
|
|
dbase_config_t *dconfig = semanage_fcontext_dbase_policy(handle);
|
|
return dbase_list(handle, dconfig, records, count);
|
|
}
|
|
+
|
|
+int semanage_fcontext_list_homedirs(semanage_handle_t * handle,
|
|
+ semanage_fcontext_t *** records, unsigned int *count)
|
|
+{
|
|
+
|
|
+ dbase_config_t *dconfig = semanage_fcontext_dbase_homedirs(handle);
|
|
+ return dbase_list(handle, dconfig, records, count);
|
|
+}
|
|
diff --git libsemanage-2.7/src/genhomedircon.c libsemanage-2.7/src/genhomedircon.c
|
|
index b9a74b7..d09d82f 100644
|
|
--- libsemanage-2.7/src/genhomedircon.c
|
|
+++ libsemanage-2.7/src/genhomedircon.c
|
|
@@ -1345,8 +1345,8 @@ int semanage_genhomedircon(semanage_handle_t * sh,
|
|
|
|
s.homedir_template_path =
|
|
semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL);
|
|
- s.fcfilepath = semanage_final_path(SEMANAGE_FINAL_TMP,
|
|
- SEMANAGE_FC_HOMEDIRS);
|
|
+ s.fcfilepath =
|
|
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS);
|
|
|
|
s.fallback = calloc(1, sizeof(genhomedircon_user_entry_t));
|
|
if (s.fallback == NULL) {
|
|
@@ -1385,7 +1385,9 @@ done:
|
|
if (out != NULL)
|
|
fclose(out);
|
|
|
|
- pop_user_entry(&(s.fallback));
|
|
+ while (s.fallback)
|
|
+ pop_user_entry(&(s.fallback));
|
|
+
|
|
ignore_free();
|
|
|
|
return retval;
|
|
diff --git libsemanage-2.7/src/handle.h libsemanage-2.7/src/handle.h
|
|
index 889871d..1780ac8 100644
|
|
--- libsemanage-2.7/src/handle.h
|
|
+++ libsemanage-2.7/src/handle.h
|
|
@@ -79,7 +79,7 @@ struct semanage_handle {
|
|
struct semanage_policy_table *funcs;
|
|
|
|
/* Object databases */
|
|
-#define DBASE_COUNT 23
|
|
+#define DBASE_COUNT 24
|
|
|
|
/* Local modifications */
|
|
#define DBASE_LOCAL_USERS_BASE 0
|
|
@@ -102,13 +102,14 @@ struct semanage_handle {
|
|
#define DBASE_POLICY_INTERFACES 15
|
|
#define DBASE_POLICY_BOOLEANS 16
|
|
#define DBASE_POLICY_FCONTEXTS 17
|
|
-#define DBASE_POLICY_SEUSERS 18
|
|
-#define DBASE_POLICY_NODES 19
|
|
-#define DBASE_POLICY_IBPKEYS 20
|
|
-#define DBASE_POLICY_IBENDPORTS 21
|
|
+#define DBASE_POLICY_FCONTEXTS_H 18
|
|
+#define DBASE_POLICY_SEUSERS 19
|
|
+#define DBASE_POLICY_NODES 20
|
|
+#define DBASE_POLICY_IBPKEYS 21
|
|
+#define DBASE_POLICY_IBENDPORTS 22
|
|
|
|
/* Active kernel policy */
|
|
-#define DBASE_ACTIVE_BOOLEANS 22
|
|
+#define DBASE_ACTIVE_BOOLEANS 23
|
|
dbase_config_t dbase[DBASE_COUNT];
|
|
};
|
|
|
|
@@ -235,6 +236,12 @@ static inline
|
|
return &handle->dbase[DBASE_POLICY_FCONTEXTS];
|
|
}
|
|
|
|
+static inline
|
|
+ dbase_config_t * semanage_fcontext_dbase_homedirs(semanage_handle_t * handle)
|
|
+{
|
|
+ return &handle->dbase[DBASE_POLICY_FCONTEXTS_H];
|
|
+}
|
|
+
|
|
static inline
|
|
dbase_config_t * semanage_seuser_dbase_policy(semanage_handle_t * handle)
|
|
{
|
|
diff --git libsemanage-2.7/src/semanage_store.c libsemanage-2.7/src/semanage_store.c
|
|
index 6158d08..320fa7b 100644
|
|
--- libsemanage-2.7/src/semanage_store.c
|
|
+++ libsemanage-2.7/src/semanage_store.c
|
|
@@ -116,6 +116,7 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
|
|
"/modules/disabled",
|
|
"/policy.kern",
|
|
"/file_contexts.local",
|
|
+ "/file_contexts.homedirs",
|
|
"/file_contexts",
|
|
"/seusers"
|
|
};
|
|
@@ -537,7 +538,6 @@ char *semanage_conf_path(void)
|
|
int semanage_create_store(semanage_handle_t * sh, int create)
|
|
{
|
|
struct stat sb;
|
|
- int mode_mask = R_OK | W_OK | X_OK;
|
|
const char *path = semanage_files[SEMANAGE_ROOT];
|
|
int fd;
|
|
|
|
@@ -556,9 +556,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
|
|
return -1;
|
|
}
|
|
} else {
|
|
- if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
|
|
+ if (!S_ISDIR(sb.st_mode)) {
|
|
ERR(sh,
|
|
- "Could not access module store at %s, or it is not a directory.",
|
|
+ "Module store at %s is not a directory.",
|
|
path);
|
|
return -1;
|
|
}
|
|
@@ -579,9 +579,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
|
|
return -1;
|
|
}
|
|
} else {
|
|
- if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
|
|
+ if (!S_ISDIR(sb.st_mode)) {
|
|
ERR(sh,
|
|
- "Could not access module store active subdirectory at %s, or it is not a directory.",
|
|
+ "Module store active subdirectory at %s is not a directory.",
|
|
path);
|
|
return -1;
|
|
}
|
|
@@ -602,9 +602,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
|
|
return -1;
|
|
}
|
|
} else {
|
|
- if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
|
|
+ if (!S_ISDIR(sb.st_mode)) {
|
|
ERR(sh,
|
|
- "Could not access module store active modules subdirectory at %s, or it is not a directory.",
|
|
+ "Module store active modules subdirectory at %s is not a directory.",
|
|
path);
|
|
return -1;
|
|
}
|
|
@@ -623,8 +623,8 @@ int semanage_create_store(semanage_handle_t * sh, int create)
|
|
return -1;
|
|
}
|
|
} else {
|
|
- if (!S_ISREG(sb.st_mode) || access(path, R_OK | W_OK) == -1) {
|
|
- ERR(sh, "Could not access lock file at %s.", path);
|
|
+ if (!S_ISREG(sb.st_mode)) {
|
|
+ ERR(sh, "Lock file at %s missing.", path);
|
|
return -1;
|
|
}
|
|
}
|
|
diff --git libsemanage-2.7/src/semanage_store.h libsemanage-2.7/src/semanage_store.h
|
|
index fcaa505..34bf852 100644
|
|
--- libsemanage-2.7/src/semanage_store.h
|
|
+++ libsemanage-2.7/src/semanage_store.h
|
|
@@ -61,6 +61,7 @@ enum semanage_sandbox_defs {
|
|
SEMANAGE_MODULES_DISABLED,
|
|
SEMANAGE_STORE_KERNEL,
|
|
SEMANAGE_STORE_FC_LOCAL,
|
|
+ SEMANAGE_STORE_FC_HOMEDIRS,
|
|
SEMANAGE_STORE_FC,
|
|
SEMANAGE_STORE_SEUSERS,
|
|
SEMANAGE_STORE_NUM_PATHS
|