libsemanage/libsemanage-fedora.patch
Petr Lautrbach 6561fe9a7f libsemanage-2.7-5.fc28
- free genhomedircon fallback user
- Rebuild with libsepol-2.7-3 and libselinux-2.7-6
2017-11-22 15:24:39 +01:00

300 lines
10 KiB
Diff

diff --git libsemanage-2.7/include/semanage/fcontexts_policy.h libsemanage-2.7/include/semanage/fcontexts_policy.h
index a50db2b..199a1e1 100644
--- libsemanage-2.7/include/semanage/fcontexts_policy.h
+++ libsemanage-2.7/include/semanage/fcontexts_policy.h
@@ -26,4 +26,8 @@ extern int semanage_fcontext_list(semanage_handle_t * handle,
semanage_fcontext_t *** records,
unsigned int *count);
+extern int semanage_fcontext_list_homedirs(semanage_handle_t * handle,
+ semanage_fcontext_t *** records,
+ unsigned int *count);
+
#endif
diff --git libsemanage-2.7/src/direct_api.c libsemanage-2.7/src/direct_api.c
index 65842df..31fcada 100644
--- libsemanage-2.7/src/direct_api.c
+++ libsemanage-2.7/src/direct_api.c
@@ -148,9 +148,6 @@ int semanage_direct_connect(semanage_handle_t * sh)
if (semanage_create_store(sh, 1))
goto err;
- if (semanage_access_check(sh) < SEMANAGE_CAN_READ)
- goto err;
-
sh->u.direct.translock_file_fd = -1;
sh->u.direct.activelock_file_fd = -1;
@@ -210,6 +207,12 @@ int semanage_direct_connect(semanage_handle_t * sh)
semanage_fcontext_dbase_local(sh)) < 0)
goto err;
+ if (fcontext_file_dbase_init(sh,
+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC_HOMEDIRS),
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS),
+ semanage_fcontext_dbase_homedirs(sh)) < 0)
+ goto err;
+
if (seuser_file_dbase_init(sh,
semanage_path(SEMANAGE_ACTIVE,
SEMANAGE_SEUSERS_LOCAL),
@@ -349,6 +352,7 @@ static int semanage_direct_disconnect(semanage_handle_t * sh)
iface_file_dbase_release(semanage_iface_dbase_local(sh));
bool_file_dbase_release(semanage_bool_dbase_local(sh));
fcontext_file_dbase_release(semanage_fcontext_dbase_local(sh));
+ fcontext_file_dbase_release(semanage_fcontext_dbase_homedirs(sh));
seuser_file_dbase_release(semanage_seuser_dbase_local(sh));
node_file_dbase_release(semanage_node_dbase_local(sh));
@@ -373,10 +377,6 @@ static int semanage_direct_disconnect(semanage_handle_t * sh)
static int semanage_direct_begintrans(semanage_handle_t * sh)
{
-
- if (semanage_access_check(sh) != SEMANAGE_CAN_WRITE) {
- return -1;
- }
if (semanage_get_trans_lock(sh) < 0) {
return -1;
}
@@ -1545,43 +1545,46 @@ rebuild:
}
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
- if (access(path, F_OK) == 0) {
- retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
- sh->conf->file_mode);
- if (retval < 0) {
- goto cleanup;
- }
+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
+ sh->conf->file_mode);
+ if (retval < 0 && errno != ENOENT) {
+ goto cleanup;
}
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
- if (access(path, F_OK) == 0) {
- retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
- sh->conf->file_mode);
- if (retval < 0) {
- goto cleanup;
- }
+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
+ sh->conf->file_mode);
+ if (retval < 0 && errno != ENOENT) {
+ goto cleanup;
}
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
- if (access(path, F_OK) == 0) {
- retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
- sh->conf->file_mode);
- if (retval < 0) {
- goto cleanup;
- }
+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
+ sh->conf->file_mode);
+ if (retval < 0 && errno != ENOENT) {
+ goto cleanup;
}
/* run genhomedircon if its enabled, this should be the last operation
* which requires the out policydb */
if (!sh->conf->disable_genhomedircon) {
- if (out && (retval =
- semanage_genhomedircon(sh, out, sh->conf->usepasswd, sh->conf->ignoredirs)) != 0) {
- ERR(sh, "semanage_genhomedircon returned error code %d.",
- retval);
- goto cleanup;
+ if (out){
+ if ((retval = semanage_genhomedircon(sh, out, sh->conf->usepasswd,
+ sh->conf->ignoredirs)) != 0) {
+ ERR(sh, "semanage_genhomedircon returned error code %d.", retval);
+ goto cleanup;
+ }
+ /* file_contexts.homedirs was created in SEMANAGE_TMP store */
+ retval = semanage_copy_file(
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS),
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS),
+ sh->conf->file_mode);
+ if (retval < 0) {
+ goto cleanup;
+ }
}
} else {
WARN(sh, "WARNING: genhomedircon is disabled. \
diff --git libsemanage-2.7/src/fcontexts_policy.c libsemanage-2.7/src/fcontexts_policy.c
index 0b063b1..98490ab 100644
--- libsemanage-2.7/src/fcontexts_policy.c
+++ libsemanage-2.7/src/fcontexts_policy.c
@@ -51,3 +51,11 @@ int semanage_fcontext_list(semanage_handle_t * handle,
dbase_config_t *dconfig = semanage_fcontext_dbase_policy(handle);
return dbase_list(handle, dconfig, records, count);
}
+
+int semanage_fcontext_list_homedirs(semanage_handle_t * handle,
+ semanage_fcontext_t *** records, unsigned int *count)
+{
+
+ dbase_config_t *dconfig = semanage_fcontext_dbase_homedirs(handle);
+ return dbase_list(handle, dconfig, records, count);
+}
diff --git libsemanage-2.7/src/genhomedircon.c libsemanage-2.7/src/genhomedircon.c
index b9a74b7..d09d82f 100644
--- libsemanage-2.7/src/genhomedircon.c
+++ libsemanage-2.7/src/genhomedircon.c
@@ -1345,8 +1345,8 @@ int semanage_genhomedircon(semanage_handle_t * sh,
s.homedir_template_path =
semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL);
- s.fcfilepath = semanage_final_path(SEMANAGE_FINAL_TMP,
- SEMANAGE_FC_HOMEDIRS);
+ s.fcfilepath =
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS);
s.fallback = calloc(1, sizeof(genhomedircon_user_entry_t));
if (s.fallback == NULL) {
@@ -1385,7 +1385,9 @@ done:
if (out != NULL)
fclose(out);
- pop_user_entry(&(s.fallback));
+ while (s.fallback)
+ pop_user_entry(&(s.fallback));
+
ignore_free();
return retval;
diff --git libsemanage-2.7/src/handle.h libsemanage-2.7/src/handle.h
index 889871d..1780ac8 100644
--- libsemanage-2.7/src/handle.h
+++ libsemanage-2.7/src/handle.h
@@ -79,7 +79,7 @@ struct semanage_handle {
struct semanage_policy_table *funcs;
/* Object databases */
-#define DBASE_COUNT 23
+#define DBASE_COUNT 24
/* Local modifications */
#define DBASE_LOCAL_USERS_BASE 0
@@ -102,13 +102,14 @@ struct semanage_handle {
#define DBASE_POLICY_INTERFACES 15
#define DBASE_POLICY_BOOLEANS 16
#define DBASE_POLICY_FCONTEXTS 17
-#define DBASE_POLICY_SEUSERS 18
-#define DBASE_POLICY_NODES 19
-#define DBASE_POLICY_IBPKEYS 20
-#define DBASE_POLICY_IBENDPORTS 21
+#define DBASE_POLICY_FCONTEXTS_H 18
+#define DBASE_POLICY_SEUSERS 19
+#define DBASE_POLICY_NODES 20
+#define DBASE_POLICY_IBPKEYS 21
+#define DBASE_POLICY_IBENDPORTS 22
/* Active kernel policy */
-#define DBASE_ACTIVE_BOOLEANS 22
+#define DBASE_ACTIVE_BOOLEANS 23
dbase_config_t dbase[DBASE_COUNT];
};
@@ -235,6 +236,12 @@ static inline
return &handle->dbase[DBASE_POLICY_FCONTEXTS];
}
+static inline
+ dbase_config_t * semanage_fcontext_dbase_homedirs(semanage_handle_t * handle)
+{
+ return &handle->dbase[DBASE_POLICY_FCONTEXTS_H];
+}
+
static inline
dbase_config_t * semanage_seuser_dbase_policy(semanage_handle_t * handle)
{
diff --git libsemanage-2.7/src/semanage_store.c libsemanage-2.7/src/semanage_store.c
index 6158d08..320fa7b 100644
--- libsemanage-2.7/src/semanage_store.c
+++ libsemanage-2.7/src/semanage_store.c
@@ -116,6 +116,7 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
"/modules/disabled",
"/policy.kern",
"/file_contexts.local",
+ "/file_contexts.homedirs",
"/file_contexts",
"/seusers"
};
@@ -537,7 +538,6 @@ char *semanage_conf_path(void)
int semanage_create_store(semanage_handle_t * sh, int create)
{
struct stat sb;
- int mode_mask = R_OK | W_OK | X_OK;
const char *path = semanage_files[SEMANAGE_ROOT];
int fd;
@@ -556,9 +556,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
return -1;
}
} else {
- if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
+ if (!S_ISDIR(sb.st_mode)) {
ERR(sh,
- "Could not access module store at %s, or it is not a directory.",
+ "Module store at %s is not a directory.",
path);
return -1;
}
@@ -579,9 +579,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
return -1;
}
} else {
- if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
+ if (!S_ISDIR(sb.st_mode)) {
ERR(sh,
- "Could not access module store active subdirectory at %s, or it is not a directory.",
+ "Module store active subdirectory at %s is not a directory.",
path);
return -1;
}
@@ -602,9 +602,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
return -1;
}
} else {
- if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
+ if (!S_ISDIR(sb.st_mode)) {
ERR(sh,
- "Could not access module store active modules subdirectory at %s, or it is not a directory.",
+ "Module store active modules subdirectory at %s is not a directory.",
path);
return -1;
}
@@ -623,8 +623,8 @@ int semanage_create_store(semanage_handle_t * sh, int create)
return -1;
}
} else {
- if (!S_ISREG(sb.st_mode) || access(path, R_OK | W_OK) == -1) {
- ERR(sh, "Could not access lock file at %s.", path);
+ if (!S_ISREG(sb.st_mode)) {
+ ERR(sh, "Lock file at %s missing.", path);
return -1;
}
}
diff --git libsemanage-2.7/src/semanage_store.h libsemanage-2.7/src/semanage_store.h
index fcaa505..34bf852 100644
--- libsemanage-2.7/src/semanage_store.h
+++ libsemanage-2.7/src/semanage_store.h
@@ -61,6 +61,7 @@ enum semanage_sandbox_defs {
SEMANAGE_MODULES_DISABLED,
SEMANAGE_STORE_KERNEL,
SEMANAGE_STORE_FC_LOCAL,
+ SEMANAGE_STORE_FC_HOMEDIRS,
SEMANAGE_STORE_FC,
SEMANAGE_STORE_SEUSERS,
SEMANAGE_STORE_NUM_PATHS