diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 74ad37e..555a3b8 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1,6 +1,6 @@
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.79/audit2allow/audit2allow
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.80/audit2allow/audit2allow
 --- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500
-+++ policycoreutils-2.0.79/audit2allow/audit2allow 2010-03-01 15:27:27.000000000 -0500
++++ policycoreutils-2.0.80/audit2allow/audit2allow 2010-03-08 13:26:05.000000000 -0500
 @@ -28,6 +28,7 @@
 import sepolgen.defaults as defaults
 import sepolgen.module as module
@@ -153,9 +153,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 + audit2why.init()
 app = AuditToPolicy()
 app.main()
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.79/audit2allow/audit2allow.1
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.80/audit2allow/audit2allow.1
 --- nsapolicycoreutils/audit2allow/audit2allow.1 2009-02-18 16:44:47.000000000 -0500
-+++ policycoreutils-2.0.79/audit2allow/audit2allow.1 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/audit2allow/audit2allow.1 2010-03-08 13:26:05.000000000 -0500
 @@ -25,10 +25,10 @@
 .TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA
 .SH NAME
@@ -179,18 +179,18 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 .B "\-h" | "\-\-help"
 Print a short usage message
 .TP
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.79/Makefile
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.80/Makefile
 --- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.79/Makefile 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/Makefile 2010-03-08 13:26:05.000000000 -0500
 @@ -1,4 +1,4 @@
 -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
 +SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
 INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.79/newrole/newrole.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.80/newrole/newrole.c
 --- nsapolicycoreutils/newrole/newrole.c 2010-02-16 12:33:05.000000000 -0500
-+++ policycoreutils-2.0.79/newrole/newrole.c 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/newrole/newrole.c 2010-03-08 13:26:05.000000000 -0500
 @@ -1334,6 +1334,9 @@
 if (send_audit_message(1, old_context, new_context, ttyn))
@@ -201,9 +201,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 #ifdef NAMESPACE_PRIV
 if (transition_to_caller_uid())
 goto err_close_pam_session;
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.79/restorecond/Makefile
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.80/restorecond/Makefile
 --- nsapolicycoreutils/restorecond/Makefile 2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.79/restorecond/Makefile 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/restorecond/Makefile 2010-03-08 13:26:05.000000000 -0500
 @@ -1,17 +1,28 @@
 # Installation directories.
 PREFIX ?= ${DESTDIR}/usr
@@ -250,16 +250,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 relabel:
 install /sbin/restorecon $(SBINDIR)/restorecond
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.79/restorecond/org.selinux.Restorecond.service
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.80/restorecond/org.selinux.Restorecond.service
 --- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/restorecond/org.selinux.Restorecond.service 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/restorecond/org.selinux.Restorecond.service 2010-03-08 13:26:05.000000000 -0500
@@ -0,0 +1,3 @@
 +[D-BUS Service]
 +Name=org.selinux.Restorecond
 +Exec=/usr/sbin/restorecond -u
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.79/restorecond/restorecond.8
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.80/restorecond/restorecond.8
 --- nsapolicycoreutils/restorecond/restorecond.8 2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.79/restorecond/restorecond.8 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/restorecond/restorecond.8 2010-03-08 13:26:05.000000000 -0500
 @@ -3,7 +3,7 @@
 restorecond \- daemon that watches for file creation and then sets the default SELinux file context
@@ -294,9 +294,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 .SH "SEE ALSO"
 .BR restorecon (8),
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.79/restorecond/restorecond.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.80/restorecond/restorecond.c
 --- nsapolicycoreutils/restorecond/restorecond.c 2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.79/restorecond/restorecond.c 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/restorecond/restorecond.c 2010-03-08 13:26:05.000000000 -0500
 @@ -30,9 +30,11 @@
 * and makes sure that there security context matches the systems defaults
 *
@@ -803,9 +803,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 }
 +
 +
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.79/restorecond/restorecond.conf
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.80/restorecond/restorecond.conf
 --- nsapolicycoreutils/restorecond/restorecond.conf 2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.79/restorecond/restorecond.conf 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/restorecond/restorecond.conf 2010-03-08 13:26:05.000000000 -0500
 @@ -4,8 +4,5 @@
 /etc/mtab
 /var/run/utmp
@@ -816,9 +816,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 /root/.ssh/*
 -
 -
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.79/restorecond/restorecond.desktop
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.80/restorecond/restorecond.desktop
 --- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/restorecond/restorecond.desktop 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/restorecond/restorecond.desktop 2010-03-08 13:26:05.000000000 -0500
 @@ -0,0 +1,7 @@
 +[Desktop Entry]
 +Name=File Context maintainer
@@ -827,9 +827,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +Encoding=UTF-8
 +Type=Application
 +StartupNotify=false
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.79/restorecond/restorecond.h
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.80/restorecond/restorecond.h
 --- nsapolicycoreutils/restorecond/restorecond.h 2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.79/restorecond/restorecond.h 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/restorecond/restorecond.h 2010-03-08 13:26:05.000000000 -0500
 @@ -24,7 +24,22 @@
 #ifndef RESTORED_CONFIG_H
 #define RESTORED_CONFIG_H
@@ -855,9 +855,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +extern int watch_list_isempty();
 #endif
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.79/restorecond/restorecond.init
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.80/restorecond/restorecond.init
 --- nsapolicycoreutils/restorecond/restorecond.init 2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.79/restorecond/restorecond.init 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/restorecond/restorecond.init 2010-03-08 13:26:05.000000000 -0500
 @@ -75,16 +75,15 @@
 status restorecond
 RETVAL=$?
@@ -877,15 +877,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 exit $RETVAL
 -
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.79/restorecond/restorecond_user.conf
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.80/restorecond/restorecond_user.conf
 --- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/restorecond/restorecond_user.conf 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/restorecond/restorecond_user.conf 2010-03-08 13:26:05.000000000 -0500
 @@ -0,0 +1,2 @@
 +~/*
 +~/public_html/*
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.79/restorecond/user.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.80/restorecond/user.c
 --- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/restorecond/user.c 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/restorecond/user.c 2010-03-08 13:26:05.000000000 -0500
 @@ -0,0 +1,239 @@
 +/*
 + * restorecond
@@ -1126,9 +1126,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 + return 0;
 +}
 +
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.79/restorecond/watch.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.80/restorecond/watch.c
 --- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/restorecond/watch.c 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/restorecond/watch.c 2010-03-08 13:26:05.000000000 -0500
 @@ -0,0 +1,260 @@
 +#define _GNU_SOURCE
 +#include
@@ -1390,17 +1390,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 + if (master_wd == -1)
 + exitApp("Error watching config file.");
 +}
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.79/sandbox/deliverables/basicwrapper
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.80/sandbox/deliverables/basicwrapper
 --- nsapolicycoreutils/sandbox/deliverables/basicwrapper 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/sandbox/deliverables/basicwrapper 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/sandbox/deliverables/basicwrapper 2010-03-08 13:26:05.000000000 -0500
@@ -0,0 +1,4 @@
 +import os, sys
 +SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']]
 +SANDBOX_ARGS.extend(sys.argv[1::])
 +os.execv('/usr/bin/sandbox',SANDBOX_ARGS)
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.79/sandbox/deliverables/README
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.80/sandbox/deliverables/README
 --- nsapolicycoreutils/sandbox/deliverables/README 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/sandbox/deliverables/README 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/sandbox/deliverables/README 2010-03-08 13:26:05.000000000 -0500
 @@ -0,0 +1,32 @@
 +Files:
 +run-in-sandbox.py:
@@ -1434,9 +1434,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +
 +Thanks for a great summer.
 +Chris Pardy
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.79/sandbox/deliverables/run-in-sandbox.py
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.80/sandbox/deliverables/run-in-sandbox.py
 --- nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/sandbox/deliverables/run-in-sandbox.py 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/sandbox/deliverables/run-in-sandbox.py 2010-03-08 13:26:05.000000000 -0500
 @@ -0,0 +1,49 @@
 +import os
 +import os.path
@@ -1487,9 +1487,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 + def get_background_items(self, window, file):
 + return
 +
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/sandbox policycoreutils-2.0.79/sandbox/deliverables/sandbox
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/sandbox policycoreutils-2.0.80/sandbox/deliverables/sandbox
 --- nsapolicycoreutils/sandbox/deliverables/sandbox 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/sandbox/deliverables/sandbox 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/sandbox/deliverables/sandbox 2010-03-08 13:26:05.000000000 -0500
 @@ -0,0 +1,216 @@
 +#!/usr/bin/python -E
 +import os, sys, getopt, socket, random, fcntl, shutil
@@ -1707,9 +1707,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +
 + sys.exit(rc)
 +
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.79/sandbox/Makefile
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.80/sandbox/Makefile
 --- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/sandbox/Makefile 2010-03-04 16:40:24.000000000 -0500
++++ policycoreutils-2.0.80/sandbox/Makefile 2010-03-08 13:26:05.000000000 -0500
 @@ -0,0 +1,41 @@
 +# Installation directories.
 +PREFIX ?= ${DESTDIR}/usr
@@ -1752,9 +1752,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 + ../../scripts/Lindent $(wildcard *.[ch])
 +
 +relabel:
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.79/sandbox/sandbox
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.80/sandbox/sandbox
 --- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/sandbox/sandbox 2010-03-04 16:39:22.000000000 -0500
++++ policycoreutils-2.0.80/sandbox/sandbox 2010-03-08 13:26:05.000000000 -0500
 @@ -0,0 +1,415 @@
 +#! /usr/bin/python -E
 +# Authors: Dan Walsh
@@ -2171,9 +2171,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 + rc = 0
 +
 + sys.exit(rc)
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.79/sandbox/sandbox.8
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.80/sandbox/sandbox.8
 --- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/sandbox/sandbox.8 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/sandbox/sandbox.8 2010-03-08 13:26:05.000000000 -0500
 @@ -0,0 +1,50 @@
 +.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
 +.SH NAME
@@ -2225,15 +2225,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +.TP
 +runcon(1)
 +.PP
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.config policycoreutils-2.0.79/sandbox/sandbox.config
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.config policycoreutils-2.0.80/sandbox/sandbox.config
 --- nsapolicycoreutils/sandbox/sandbox.config 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/sandbox/sandbox.config 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/sandbox/sandbox.config 2010-03-08 13:26:05.000000000 -0500
 @@ -0,0 +1,2 @@
 +# Space separate list of homedirs
 +HOMEDIRS="/home"
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.init policycoreutils-2.0.79/sandbox/sandbox.init
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.init policycoreutils-2.0.80/sandbox/sandbox.init
 --- nsapolicycoreutils/sandbox/sandbox.init 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/sandbox/sandbox.init 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/sandbox/sandbox.init 2010-03-11 17:02:13.000000000 -0500
 @@ -0,0 +1,67 @@
 +#!/bin/bash
 +## BEGIN INIT INFO
@@ -2270,12 +2270,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +
 + touch $LOCKFILE
 + mount --make-rshared /
-+ mount --bind /tmp /tmp
-+ mount --bind /var/tmp /var/tmp
++ mount --rbind /tmp /tmp
++ mount --rbind /var/tmp /var/tmp
 + mount --make-private /tmp
 + mount --make-private /var/tmp
 + for h in $HOMEDIRS; do
-+ mount --bind $h $h
++ mount --rbind $h $h
 + mount --make-private $h
 + done
 +
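Review bot: Switching the three bind mounts in the sandbox.init hunk to `--rbind` is not matched by the propagation change that follows them: `mount --make-private /tmp`, `mount --make-private /var/tmp` and `mount --make-private $h` mark only the top mount private, so any submount that `--rbind` now pulls in keeps the shared propagation set by `mount --make-rshared /` a few lines earlier. Changing those three lines to `mount --make-rprivate /tmp`, `mount --make-rprivate /var/tmp` and `mount --make-rprivate $h` makes the propagation setting recursive to match the recursive bind. Whether a still-shared submount under one of these trees actually lets a per-sandbox mount propagate back to the host namespace depends on how seunshare sets up its namespace, which is not in this hunk, so treat this as a consistency fix rather than a confirmed leak. The enclosing case branch of the init script starts and ends outside the hunk.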
@@ -2302,9 +2302,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 + exit 3
 + ;;
 +esac
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.79/sandbox/sandboxX.sh
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.80/sandbox/sandboxX.sh
 --- nsapolicycoreutils/sandbox/sandboxX.sh 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/sandbox/sandboxX.sh 2010-03-04 16:44:32.000000000 -0500
++++ policycoreutils-2.0.80/sandbox/sandboxX.sh 2010-03-08 13:26:05.000000000 -0500
 @@ -0,0 +1,15 @@
 +#!/bin/bash
 +context=`id -Z | secon -t -l -P`
@@ -2321,9 +2321,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 + break
 +done
 +exit 0
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.79/sandbox/seunshare.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.80/sandbox/seunshare.c
 --- nsapolicycoreutils/sandbox/seunshare.c 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/sandbox/seunshare.c 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/sandbox/seunshare.c 2010-03-08 13:26:05.000000000 -0500
 @@ -0,0 +1,265 @@
 +#include
 +#include
@@ -2590,9 +2590,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +
 + return status;
 +}
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/test_sandbox.py policycoreutils-2.0.79/sandbox/test_sandbox.py
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/test_sandbox.py policycoreutils-2.0.80/sandbox/test_sandbox.py
 --- nsapolicycoreutils/sandbox/test_sandbox.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/sandbox/test_sandbox.py 2010-03-04 16:22:56.000000000 -0500
++++ policycoreutils-2.0.80/sandbox/test_sandbox.py 2010-03-08 13:26:05.000000000 -0500
 @@ -0,0 +1,98 @@
 +import unittest, os, shutil
 +from tempfile import mkdtemp
@@ -2692,9 +2692,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 + unittest.main()
 + else:
 + print "SELinux must be in enforcing mode for this test"
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.79/scripts/fixfiles
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.80/scripts/fixfiles
 --- nsapolicycoreutils/scripts/fixfiles 2009-12-01 15:46:50.000000000 -0500
-+++ policycoreutils-2.0.79/scripts/fixfiles 2010-02-26 16:12:15.000000000 -0500
++++ policycoreutils-2.0.80/scripts/fixfiles 2010-03-08 13:26:05.000000000 -0500
 @@ -21,6 +21,17 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
@@ -2780,9 +2780,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 restore
 }
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/default_encoding.c policycoreutils-2.0.79/semanage/default_encoding/default_encoding.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/default_encoding.c policycoreutils-2.0.80/semanage/default_encoding/default_encoding.c
 --- nsapolicycoreutils/semanage/default_encoding/default_encoding.c 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/semanage/default_encoding/default_encoding.c 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/semanage/default_encoding/default_encoding.c 2010-03-08 13:26:05.000000000 -0500
 @@ -0,0 +1,59 @@
 +/*
 + * Authors:
@@ -2843,9 +2843,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 + PyUnicode_SetDefaultEncoding("utf-8");
 + m = Py_InitModule3("default_encoding_utf8", methods, "Forces the default encoding to utf-8");
 +}
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/Makefile policycoreutils-2.0.79/semanage/default_encoding/Makefile
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/Makefile policycoreutils-2.0.80/semanage/default_encoding/Makefile
 --- nsapolicycoreutils/semanage/default_encoding/Makefile 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/semanage/default_encoding/Makefile 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/semanage/default_encoding/Makefile 2010-03-08 13:26:05.000000000 -0500
 @@ -0,0 +1,8 @@
 +all:
 + LDFLAGS="" python setup.py build
@@ -2855,9 +2855,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +
 +clean:
 + rm -rf build *~
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/policycoreutils/__init__.py policycoreutils-2.0.79/semanage/default_encoding/policycoreutils/__init__.py
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/policycoreutils/__init__.py policycoreutils-2.0.80/semanage/default_encoding/policycoreutils/__init__.py
 --- nsapolicycoreutils/semanage/default_encoding/policycoreutils/__init__.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/semanage/default_encoding/policycoreutils/__init__.py 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/semanage/default_encoding/policycoreutils/__init__.py 2010-03-08 13:26:05.000000000 -0500
 @@ -0,0 +1,17 @@
 +#
 +# Copyright (C) 2006,2007,2008, 2009 Red Hat, Inc.
@@ -2876,9 +2876,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +# along with this program; if not, write to the Free Software
 +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 +#
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/setup.py policycoreutils-2.0.79/semanage/default_encoding/setup.py
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/setup.py policycoreutils-2.0.80/semanage/default_encoding/setup.py
 --- nsapolicycoreutils/semanage/default_encoding/setup.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.79/semanage/default_encoding/setup.py 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/semanage/default_encoding/setup.py 2010-03-08 13:26:05.000000000 -0500
@@ -0,0 +1,38 @@
 +# Authors:
 +# John Dennis
@@ -2918,9 +2918,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 + ext_modules = [default_encoding_utf8],
 + packages=["policycoreutils"],
 +)
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.79/semanage/semanage
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.80/semanage/semanage
 --- nsapolicycoreutils/semanage/semanage 2009-11-18 17:06:03.000000000 -0500
-+++ policycoreutils-2.0.79/semanage/semanage 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/semanage/semanage 2010-03-08 13:26:05.000000000 -0500
 @@ -20,6 +20,7 @@
 # 02111-1307 USA
 #
@@ -3266,9 +3266,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 errorExit(error.args[1])
 + except OSError, error:
 + errorExit(error.args[1])
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.79/semanage/semanage.8
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.80/semanage/semanage.8
 --- nsapolicycoreutils/semanage/semanage.8 2009-11-18 17:06:03.000000000 -0500
-+++ policycoreutils-2.0.79/semanage/semanage.8 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/semanage/semanage.8 2010-03-08 13:26:05.000000000 -0500
 @@ -1,27 +1,58 @@
 -.TH "semanage" "8" "2005111103" "" ""
 +.TH "semanage" "8" "20100223" "" ""
@@ -3429,9 +3429,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +and Russell Coker .
 +.br
 Examples by Thomas Bleher .
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.79/semanage/seobject.py
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.80/semanage/seobject.py
 --- nsapolicycoreutils/semanage/seobject.py 2009-11-20 10:51:25.000000000 -0500
-+++ policycoreutils-2.0.79/semanage/seobject.py 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/semanage/seobject.py 2010-03-08 13:26:05.000000000 -0500
 @@ -29,47 +29,12 @@
 import gettext
 gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
@@ -4087,9 +4087,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 def list(self, heading = True, locallist = False, use_file = False):
 on_off = (_("off"), _("on"))
 if use_file:
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.79/setfiles/restore.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.80/setfiles/restore.c
 --- nsapolicycoreutils/setfiles/restore.c 2009-11-03 09:21:40.000000000 -0500
-+++ policycoreutils-2.0.79/setfiles/restore.c 2010-02-26 16:15:51.000000000 -0500
++++ policycoreutils-2.0.80/setfiles/restore.c 2010-03-08 13:26:05.000000000 -0500
 @@ -1,4 +1,5 @@
 #include "restore.h"
 +#include
@@ -4244,9 +4244,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 + free(buf);
 +}
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.79/setfiles/restorecon.8
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.80/setfiles/restorecon.8
 --- nsapolicycoreutils/setfiles/restorecon.8 2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.79/setfiles/restorecon.8 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/setfiles/restorecon.8 2010-03-08 13:26:05.000000000 -0500
 @@ -4,10 +4,10 @@
 .SH "SYNOPSIS"
@@ -4270,9 +4270,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 .TP
 .B \-v
 show changes in file labels.
-diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.79/setfiles/restore.h
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.80/setfiles/restore.h
 --- nsapolicycoreutils/setfiles/restore.h 2009-11-03 09:21:40.000000000 -0500
-+++ policycoreutils-2.0.79/setfiles/restore.h 2010-02-26 14:14:26.000000000 -0500
++++ policycoreutils-2.0.80/setfiles/restore.h 2010-03-08 13:26:05.000000000 -0500
 @@ -27,6 +27,7 @@
 int hard_links;
 int verbose;
@@ -4292,9 +4292,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po +void exclude_non_seclabel_mounts(); #endif -diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.79/setfiles/setfiles.8 +diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.80/setfiles/setfiles.8 --- nsapolicycoreutils/setfiles/setfiles.8 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.79/setfiles/setfiles.8 2010-02-26 14:14:26.000000000 -0500 ++++ policycoreutils-2.0.80/setfiles/setfiles.8 2010-03-08 13:26:05.000000000 -0500 @@ -31,6 +31,9 @@ .TP .B \-n 
@@ -4305,145 +4305,1054 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po .TP .B \-q suppress non-error output. -diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.79/setfiles/setfiles.c +diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.80/setfiles/setfiles.c --- nsapolicycoreutils/setfiles/setfiles.c 2009-11-03 09:21:40.000000000 -0500 -+++ policycoreutils-2.0.79/setfiles/setfiles.c 2010-02-26 14:14:26.000000000 -0500 -@@ -5,7 +5,6 @@ - #include - #include - #include ++++ policycoreutils-2.0.80/setfiles/setfiles.c 2010-03-08 13:32:08.000000000 -0500 +@@ -1,149 +1,643 @@ + #include "restore.h" +-#include +-#include +-#include +-#include +-#include +-#include -#include - #define __USE_XOPEN_EXTENDED 1 /* nftw */ - #include - #ifdef USE_AUDIT -@@ -25,7 +24,6 @@ - static int warn_no_match = 0; - static int null_terminated = 0; - static int errors; --static int ignore_enoent; - static struct restore_opts r_opts; +-#define __USE_XOPEN_EXTENDED 1 /* nftw */ +-#include +-#ifdef USE_AUDIT +-#include ++#include - #define STAT_BLOCK_SIZE 1 -@@ -44,13 +42,13 @@ - { - if (iamrestorecon) { - fprintf(stderr, +-#ifndef AUDIT_FS_RELABEL +-#define AUDIT_FS_RELABEL 2309 +-#endif +-#endif +-static int mass_relabel; +-static int mass_relabel_errs; ++#define SKIP -2 ++#define ERR -1 ++#define MAX_EXCLUDES 1000 + ++/* ++ * The hash table of associations, hashed by inode number. ++ * Chaining is used for collisions, with elements ordered ++ * by inode number in each bucket. Each hash bucket has a dummy ++ * header. ++ */ ++#define HASH_BITS 16 ++#define HASH_BUCKETS (1 << HASH_BITS) ++#define HASH_MASK (HASH_BUCKETS-1) + +-/* cmdline opts*/ ++/* ++ * An association between an inode and a context. 
++ */ ++typedef struct file_spec { ++ ino_t ino; /* inode number */ ++ char *con; /* matched context */ ++ char *file; /* full pathname */ ++ struct file_spec *next; /* next association in hash bucket chain */ ++} file_spec_t; ++ ++struct edir { ++ char *directory; ++ size_t size; ++}; ++ ++ ++static file_spec_t *fl_head; ++static int filespec_add(ino_t ino, const security_context_t con, const char *file); ++static int only_changed_user(const char *a, const char *b); ++struct restore_opts *r_opts = NULL; ++static void filespec_destroy(void); ++static void filespec_eval(void); ++static int excludeCtr = 0; ++static struct edir excludeArray[MAX_EXCLUDES]; + +-static char *policyfile = NULL; +-static int warn_no_match = 0; +-static int null_terminated = 0; +-static int errors; +-static int ignore_enoent; +-static struct restore_opts r_opts; ++void remove_exclude(const char *directory) ++{ ++ int i = 0; ++ for (i = 0; i < excludeCtr; i++) { ++ if (strcmp(directory, excludeArray[i].directory) == 0) { ++ free(excludeArray[i].directory); ++ if (i != excludeCtr-1) ++ excludeArray[i] = excludeArray[excludeCtr-1]; ++ excludeCtr--; ++ return; ++ } ++ } ++ return; ++} + +-#define STAT_BLOCK_SIZE 1 ++void restore_init(struct restore_opts *opts) ++{ ++ r_opts = opts; ++ struct selinux_opt selinux_opts[] = { ++ { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate }, ++ { SELABEL_OPT_PATH, r_opts->selabel_opt_path } ++ }; ++ r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 2); ++ if (!r_opts->hnd) { ++ perror(r_opts->selabel_opt_path); ++ exit(1); ++ } ++} + ++void restore_finish() ++{ ++ int i; ++ for (i = 0; i < excludeCtr; i++) { ++ free(excludeArray[i].directory); ++ } ++} + ++static int match(const char *name, struct stat *sb, char **con) ++{ ++ if (!(r_opts->hard_links) && !S_ISDIR(sb->st_mode) && (sb->st_nlink > 1)) { ++ fprintf(stderr, "Warning! 
%s refers to a file with more than one hard link, not fixing hard links.\n", ++ name); ++ return -1; ++ } ++ ++ if (NULL != r_opts->rootpath) { ++ if (0 != strncmp(r_opts->rootpath, name, r_opts->rootpathlen)) { ++ fprintf(stderr, "%s: %s is not located in %s\n", ++ r_opts->progname, name, r_opts->rootpath); ++ return -1; ++ } ++ name += r_opts->rootpathlen; ++ } + +-#define SETFILES "setfiles" +-#define RESTORECON "restorecon" +-static int iamrestorecon; ++ if (r_opts->rootpath != NULL && name[0] == '\0') ++ /* this is actually the root dir of the alt root */ ++ return selabel_lookup_raw(r_opts->hnd, con, "/", sb->st_mode); ++ else ++ return selabel_lookup_raw(r_opts->hnd, con, name, sb->st_mode); ++} ++static int restore(FTSENT *ftsent) ++{ ++ char *my_file = strdupa(ftsent->fts_path); ++ int ret; ++ char *context, *newcon; ++ int user_only_changed = 0; ++ ++ if (match(my_file, ftsent->fts_statp, &newcon) < 0) ++ /* Check for no matching specification. */ ++ return (errno == ENOENT) ? 0 : -1; ++ ++ if (r_opts->progress) { ++ r_opts->count++; ++ if (r_opts->count % (80 * STAR_COUNT) == 0) { ++ fprintf(stdout, "\n"); ++ fflush(stdout); ++ } ++ if (r_opts->count % STAR_COUNT == 0) { ++ fprintf(stdout, "*"); ++ fflush(stdout); ++ } ++ } + +-/* Behavior flags determined based on setfiles vs. restorecon */ +-static int ctx_validate; /* Validate contexts */ +-static const char *altpath; /* Alternate path to file_contexts */ ++ /* ++ * Try to add an association between this inode and ++ * this specification. If there is already an association ++ * for this inode and it conflicts with this specification, ++ * then use the last matching specification. ++ */ ++ if (r_opts->add_assoc) { ++ ret = filespec_add(ftsent->fts_statp->st_ino, newcon, my_file); ++ if (ret < 0) ++ goto err; ++ ++ if (ret > 0) ++ /* There was already an association and it took precedence. 
*/ ++ goto out; ++ } ++ ++ if (r_opts->debug) { ++ printf("%s: %s matched by %s\n", r_opts->progname, my_file, newcon); ++ } ++ ++ /* Get the current context of the file. */ ++ ret = lgetfilecon_raw(ftsent->fts_accpath, &context); ++ if (ret < 0) { ++ if (errno == ENODATA) { ++ context = NULL; ++ } else { ++ fprintf(stderr, "%s get context on %s failed: '%s'\n", ++ r_opts->progname, my_file, strerror(errno)); ++ goto err; ++ } ++ user_only_changed = 0; ++ } else ++ user_only_changed = only_changed_user(context, newcon); ++ /* lgetfilecon returns number of characters and ret needs to be reset ++ * to 0. ++ */ ++ ret = 0; ++ ++ /* ++ * Do not relabel the file if the matching specification is ++ * <> or the file is already labeled according to the ++ * specification. ++ */ ++ if ((strcmp(newcon, "<>") == 0) || ++ (context && (strcmp(context, newcon) == 0))) { ++ freecon(context); ++ goto out; ++ } + +-void usage(const char *const name) +-{ +- if (iamrestorecon) { +- fprintf(stderr, - "usage: %s [-iFnrRv0] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n", -+ "usage: %s [-iFnprRv0] [-e excludedir ] [-o filename ] [-f filename | pathname... 
]\n", - name); - } else { - fprintf(stderr, - "usage: %s [-dnpqvW] [-o filename] [-r alt_root_path ] spec_file pathname...\n" - "usage: %s -c policyfile spec_file\n" +- name); +- } else { +- fprintf(stderr, +- "usage: %s [-dnpqvW] [-o filename] [-r alt_root_path ] spec_file pathname...\n" +- "usage: %s -c policyfile spec_file\n" - "usage: %s -s [-dnqvW] [-o filename ] spec_file\n", name, name, -+ "usage: %s -s [-dnpqvW] [-o filename ] spec_file\n", name, name, - name); +- name); ++ if (!r_opts->force && context && (is_context_customizable(context) > 0)) { ++ if (r_opts->verbose > 1) { ++ fprintf(stderr, ++ "%s: %s not reset customized by admin to %s\n", ++ r_opts->progname, my_file, context); ++ } ++ freecon(context); ++ goto out; } - exit(1); -@@ -138,69 +136,6 @@ - #endif +- exit(1); +-} + +-static int nerr = 0; ++ if (r_opts->verbose) { ++ /* If we're just doing "-v", trim out any relabels where ++ * the user has r_opts->changed but the role and type are the ++ * same. For "-vv", emit everything. */ ++ if (r_opts->verbose > 1 || !user_only_changed) { ++ printf("%s reset %s context %s->%s\n", ++ r_opts->progname, my_file, context ?: "", newcon); ++ } ++ } + +-void inc_err() ++ if (r_opts->logging && !user_only_changed) { ++ if (context) ++ syslog(LOG_INFO, "relabeling %s from %s to %s\n", ++ my_file, context, newcon); ++ else ++ syslog(LOG_INFO, "labeling %s to %s\n", ++ my_file, newcon); ++ } ++ ++ if (r_opts->outfile && !user_only_changed) ++ fprintf(r_opts->outfile, "%s\n", my_file); ++ ++ if (context) ++ freecon(context); ++ ++ /* ++ * Do not relabel the file if -n was used. ++ */ ++ if (!r_opts->change || user_only_changed) ++ goto out; ++ ++ /* ++ * Relabel the file to the specified context. 
++ */ ++ ret = lsetfilecon(ftsent->fts_accpath, newcon); ++ if (ret) { ++ fprintf(stderr, "%s set context %s->%s failed:'%s'\n", ++ r_opts->progname, my_file, newcon, strerror(errno)); ++ goto skip; ++ } ++ ret = 1; ++out: ++ freecon(newcon); ++ return ret; ++skip: ++ freecon(newcon); ++ return SKIP; ++err: ++ freecon(newcon); ++ return ERR; ++} ++/* ++ * Apply the last matching specification to a file. ++ * This function is called by fts on each file during ++ * the directory traversal. ++ */ ++static int apply_spec(FTSENT *ftsent) + { +- nerr++; +- if (nerr > 9 && !r_opts.debug) { +- fprintf(stderr, "Exiting after 10 errors.\n"); +- exit(1); ++ if (ftsent->fts_info == FTS_DNR) { ++ fprintf(stderr, "%s: unable to read directory %s\n", ++ r_opts->progname, ftsent->fts_path); ++ return SKIP; ++ } ++ ++ int rc = restore(ftsent); ++ if (rc == ERR) { ++ if (!r_opts->abort_on_error) ++ return SKIP; + } ++ return rc; } --/* -- Search /proc/mounts for all file systems that do not support extended -- attributes and add them to the exclude directory table. File systems -- that support security labels have the seclabel option. 
--*/ ++static int symlink_realpath(char *name, char *path) ++{ ++ char *p = NULL, *file_sep; ++ char *tmp_path = strdupa(name); ++ size_t len = 0; + ++ if (!tmp_path) { ++ fprintf(stderr, "strdupa on %s failed: %s\n", name, ++ strerror(errno)); ++ return -1; ++ } ++ file_sep = strrchr(tmp_path, '/'); ++ if (file_sep == tmp_path) { ++ file_sep++; ++ p = strcpy(path, ""); ++ } else if (file_sep) { ++ *file_sep = 0; ++ file_sep++; ++ p = realpath(tmp_path, path); ++ } else { ++ file_sep = tmp_path; ++ p = realpath("./", path); ++ } ++ if (p) ++ len = strlen(p); ++ if (!p || len + strlen(file_sep) + 2 > PATH_MAX) { ++ fprintf(stderr, "symlink_realpath(%s) failed %s\n", name, ++ strerror(errno)); ++ return -1; ++ } ++ p += len; ++ /* ensure trailing slash of directory name */ ++ if (len == 0 || *(p - 1) != '/') { ++ *p = '/'; ++ p++; ++ } ++ strcpy(p, file_sep); ++ return 0; ++} + +-void set_rootpath(const char *arg) ++static int process_one(char *name, int recurse_this_path) + { +- int len; ++ int rc = 0; ++ const char *namelist[2] = {name, NULL}; ++ dev_t dev_num = 0; ++ FTS *fts_handle = NULL; ++ FTSENT *ftsent = NULL; + +- r_opts.rootpath = strdup(arg); +- if (NULL == r_opts.rootpath) { +- fprintf(stderr, "%s: insufficient memory for r_opts.rootpath\n", +- r_opts.progname); +- exit(1); ++ if (r_opts == NULL){ ++ fprintf(stderr, ++ "Must call initialize first!"); ++ goto err; ++ } ++ ++ fts_handle = fts_open((char **)namelist, r_opts->fts_flags, NULL); ++ if (fts_handle == NULL) { ++ fprintf(stderr, ++ "%s: error while labeling %s: %s\n", ++ r_opts->progname, namelist[0], strerror(errno)); ++ goto err; ++ } ++ ++ ++ ftsent = fts_read(fts_handle); ++ if (ftsent != NULL) { ++ /* Keep the inode of the first one. */ ++ dev_num = ftsent->fts_statp->st_dev; ++ } ++ ++ do { ++ rc = 0; ++ /* Skip the post order nodes. 
*/ ++ if (ftsent->fts_info == FTS_DP) ++ continue; ++ /* If the XDEV flag is set and the device is different */ ++ if (ftsent->fts_statp->st_dev != dev_num && ++ FTS_XDEV == (r_opts->fts_flags & FTS_XDEV)) ++ continue; ++ if (excludeCtr > 0) { ++ if (exclude(ftsent->fts_path)) { ++ fts_set(fts_handle, ftsent, FTS_SKIP); ++ continue; ++ } ++ } ++ rc = apply_spec(ftsent); ++ if (rc == SKIP) ++ fts_set(fts_handle, ftsent, FTS_SKIP); ++ if (rc == ERR) ++ goto err; ++ if (!recurse_this_path) ++ break; ++ } while ((ftsent = fts_read(fts_handle)) != NULL); ++ ++out: ++ if (r_opts->add_assoc) { ++ if (!r_opts->quiet) ++ filespec_eval(); ++ filespec_destroy(); + } ++ if (fts_handle) ++ fts_close(fts_handle); ++ return rc; + +- /* trim trailing /, if present */ +- len = strlen(r_opts.rootpath); +- while (len && ('/' == r_opts.rootpath[len - 1])) +- r_opts.rootpath[--len] = 0; +- r_opts.rootpathlen = len; ++err: ++ rc = -1; ++ goto out; + } + +-int canoncon(char **contextp) ++int process_glob(char *name, int recurse) { ++ glob_t globbuf; ++ size_t i = 0; ++ int errors = 0; ++ memset(&globbuf, 0, sizeof(globbuf)); ++ globbuf.gl_offs = 0; ++ if (glob(name, ++ GLOB_TILDE | GLOB_PERIOD, ++ NULL, ++ &globbuf) >= 0) { ++ for (i = 0; i < globbuf.gl_pathc; i++) { ++ int len = strlen(globbuf.gl_pathv[i]) -2; ++ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len--], "/.") == 0) continue; ++ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0) continue; ++ errors |= process_one_realpath(globbuf.gl_pathv[i], recurse) < 0; ++ } ++ globfree(&globbuf); ++ } ++ else ++ errors |= process_one_realpath(name, recurse) < 0; ++ return errors; ++} ++ ++int process_one_realpath(char *name, int recurse) + { +- char *context = *contextp, *tmpcon; + int rc = 0; ++ char *p; ++ struct stat sb; + +- if (policyfile) { +- if (sepol_check_context(context) < 0) { +- fprintf(stderr, "invalid context %s\n", context); +- exit(1); +- } +- } else if (security_canonicalize_context_raw(context, &tmpcon) == 0) { 
+- free(context); +- *contextp = tmpcon; +- } else if (errno != ENOENT) { +- rc = -1; +- inc_err(); ++ if (r_opts == NULL){ ++ fprintf(stderr, ++ "Must call initialize first!"); ++ return -1; + } + +- return rc; ++ if (!r_opts->expand_realpath) { ++ return process_one(name, recurse); ++ } else { ++ rc = lstat(name, &sb); ++ if (rc < 0) { ++ if (r_opts->ignore_enoent && errno == ENOENT) return 0; ++ fprintf(stderr, "%s: lstat(%s) failed: %s\n", ++ r_opts->progname, name, strerror(errno)); ++ return -1; ++ } ++ ++ if (S_ISLNK(sb.st_mode)) { ++ char path[PATH_MAX + 1]; ++ ++ rc = symlink_realpath(name, path); ++ if (rc < 0) ++ return rc; ++ rc = process_one(path, 0); ++ if (rc < 0) ++ return rc; ++ ++ p = realpath(name, NULL); ++ if (p) { ++ rc = process_one(p, recurse); ++ free(p); ++ } ++ return rc; ++ } else { ++ p = realpath(name, NULL); ++ if (!p) { ++ fprintf(stderr, "realpath(%s) failed %s\n", name, ++ strerror(errno)); ++ return -1; ++ } ++ rc = process_one(p, recurse); ++ free(p); ++ return rc; ++ } ++ } + } + +-#ifndef USE_AUDIT +-static void maybe_audit_mass_relabel(void) ++int exclude(const char *file) + { +-#else +-static void maybe_audit_mass_relabel(void) ++ int i = 0; ++ for (i = 0; i < excludeCtr; i++) { ++ if (strncmp ++ (file, excludeArray[i].directory, ++ excludeArray[i].size) == 0) { ++ if (file[excludeArray[i].size] == 0 ++ || file[excludeArray[i].size] == '/') { ++ return 1; ++ } ++ } ++ } ++ return 0; ++} ++ ++int add_exclude(const char *directory) + { +- int audit_fd = -1; +- int rc = 0; ++ size_t len = 0; + +- if (!mass_relabel) /* only audit a forced full relabel */ ++ if (directory == NULL || directory[0] != '/') { ++ fprintf(stderr, "Full path required for exclude: %s.\n", ++ directory); ++ return 1; ++ } ++ if (excludeCtr == MAX_EXCLUDES) { ++ fprintf(stderr, "Maximum excludes %d exceeded.\n", ++ MAX_EXCLUDES); ++ return 1; ++ } ++ ++ len = strlen(directory); ++ while (len > 1 && directory[len - 1] == '/') { ++ len--; ++ } ++ 
excludeArray[excludeCtr].directory = strndup(directory, len); ++ ++ if (excludeArray[excludeCtr].directory == NULL) { ++ fprintf(stderr, "Out of memory.\n"); ++ return 1; ++ } ++ excludeArray[excludeCtr++].size = len; ++ ++ return 0; ++} ++ ++/* Compare two contexts to see if their differences are "significant", ++ * or whether the only difference is in the user. */ ++static int only_changed_user(const char *a, const char *b) ++{ ++ char *rest_a, *rest_b; /* Rest of the context after the user */ ++ if (r_opts->force) ++ return 0; ++ if (!a || !b) ++ return 0; ++ rest_a = strchr(a, ':'); ++ rest_b = strchr(b, ':'); ++ if (!rest_a || !rest_b) ++ return 0; ++ return (strcmp(rest_a, rest_b) == 0); ++} ++ ++/* ++ * Evaluate the association hash table distribution. ++ */ ++static void filespec_eval(void) ++{ ++ file_spec_t *fl; ++ int h, used, nel, len, longest; ++ ++ if (!fl_head) + return; + +- audit_fd = audit_open(); ++ used = 0; ++ longest = 0; ++ nel = 0; ++ for (h = 0; h < HASH_BUCKETS; h++) { ++ len = 0; ++ for (fl = fl_head[h].next; fl; fl = fl->next) { ++ len++; ++ } ++ if (len) ++ used++; ++ if (len > longest) ++ longest = len; ++ nel += len; ++ } ++ ++ if (r_opts->verbose > 1) ++ printf ++ ("%s: hash table stats: %d elements, %d/%d buckets used, longest chain length %d\n", ++ __FUNCTION__, nel, used, HASH_BUCKETS, longest); ++} ++ ++/* ++ * Destroy the association hash table. ++ */ ++static void filespec_destroy(void) ++{ ++ file_spec_t *fl, *tmp; ++ int h; ++ ++ if (!fl_head) ++ return; + +- if (audit_fd < 0) { +- fprintf(stderr, "Error connecting to audit system.\n"); +- exit(-1); ++ for (h = 0; h < HASH_BUCKETS; h++) { ++ fl = fl_head[h].next; ++ while (fl) { ++ tmp = fl; ++ fl = fl->next; ++ freecon(tmp->con); ++ free(tmp->file); ++ free(tmp); ++ } ++ fl_head[h].next = NULL; + } ++ free(fl_head); ++ fl_head = NULL; ++} ++/* ++ * Try to add an association between an inode and a context. 
++ * If there is a different context that matched the inode, ++ * then use the first context that matched. ++ */ ++static int filespec_add(ino_t ino, const security_context_t con, const char *file) ++{ ++ file_spec_t *prevfl, *fl; ++ int h, ret; ++ struct stat sb; + +- rc = audit_log_user_message(audit_fd, AUDIT_FS_RELABEL, +- "op=mass relabel", NULL, NULL, NULL, !mass_relabel_errs); +- if (rc <= 0) { +- fprintf(stderr, "Error sending audit message: %s.\n", +- strerror(errno)); +- /* exit(-1); -- don't exit atm. as fix for eff_cap isn't in most kernels */ ++ if (!fl_head) { ++ fl_head = malloc(sizeof(file_spec_t) * HASH_BUCKETS); ++ if (!fl_head) ++ goto oom; ++ memset(fl_head, 0, sizeof(file_spec_t) * HASH_BUCKETS); ++ } ++ ++ h = (ino + (ino >> HASH_BITS)) & HASH_MASK; ++ for (prevfl = &fl_head[h], fl = fl_head[h].next; fl; ++ prevfl = fl, fl = fl->next) { ++ if (ino == fl->ino) { ++ ret = lstat(fl->file, &sb); ++ if (ret < 0 || sb.st_ino != ino) { ++ freecon(fl->con); ++ free(fl->file); ++ fl->file = strdup(file); ++ if (!fl->file) ++ goto oom; ++ fl->con = strdup(con); ++ if (!fl->con) ++ goto oom; ++ return 1; ++ } ++ ++ if (strcmp(fl->con, con) == 0) ++ return 1; ++ ++ fprintf(stderr, ++ "%s: conflicting specifications for %s and %s, using %s.\n", ++ __FUNCTION__, file, fl->file, fl->con); ++ free(fl->file); ++ fl->file = strdup(file); ++ if (!fl->file) ++ goto oom; ++ return 1; ++ } ++ ++ if (ino > fl->ino) ++ break; + } +- audit_close(audit_fd); +-#endif ++ ++ fl = malloc(sizeof(file_spec_t)); ++ if (!fl) ++ goto oom; ++ fl->ino = ino; ++ fl->con = strdup(con); ++ if (!fl->con) ++ goto oom_freefl; ++ fl->file = strdup(file); ++ if (!fl->file) ++ goto oom_freefl; ++ fl->next = prevfl->next; ++ prevfl->next = fl; ++ return 0; ++ oom_freefl: ++ free(fl); ++ oom: ++ fprintf(stderr, ++ "%s: insufficient memory for file label entry for %s\n", ++ __FUNCTION__, file); ++ return -1; + } + ++#include + /* + Search /proc/mounts for all file systems that do not support 
extended + attributes and add them to the exclude directory table. File systems + that support security labels have the seclabel option. + */ -static void exclude_non_seclabel_mounts() ++void exclude_non_seclabel_mounts() + { + struct utsname uts; + FILE *fp; +@@ -201,306 +695,3 @@ + free(buf); + } + +-int main(int argc, char **argv) -{ -- struct utsname uts; -- FILE *fp; -- size_t len; -- ssize_t num; -- int index = 0, found = 0; -- char *mount_info[4]; -- char *buf = NULL, *item; +- struct stat sb; +- int opt, i = 0; +- char *input_filename = NULL; +- int use_input_file = 0; +- char *buf = NULL; +- size_t buf_len; +- int recurse; /* Recursive descent. */ +- char *base; +- +- memset(&r_opts, 0, sizeof(r_opts)); - -- /* Check to see if the kernel supports seclabel */ -- if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.30") < 0) -- return; -- if (is_selinux_enabled() <= 0) -- return; +- /* Initialize variables */ +- r_opts.progress = 0; +- r_opts.count = 0; +- r_opts.debug = 0; +- r_opts.change = 1; +- r_opts.verbose = 0; +- r_opts.logging = 0; +- r_opts.rootpath = NULL; +- r_opts.rootpathlen = 0; +- r_opts.outfile = NULL; +- r_opts.force = 0; +- r_opts.hard_links = 1; - -- fp = fopen("/proc/mounts", "r"); -- if (!fp) -- return; +- altpath = NULL; - -- while ((num = getline(&buf, &len, fp)) != -1) { -- found = 0; -- index = 0; -- item = strtok(buf, " "); -- while (item != NULL) { -- mount_info[index] = item; -- if (index == 3) -- break; -- index++; -- item = strtok(NULL, " "); -- } -- if (index < 3) { -- fprintf(stderr, -- "/proc/mounts record \"%s\" has incorrect format.\n", -- buf); -- continue; -- } +- r_opts.progname = strdup(argv[0]); +- if (!r_opts.progname) { +- fprintf(stderr, "%s: Out of memory!\n", argv[0]); +- exit(1); +- } +- base = basename(r_opts.progname); +- +- if (!strcmp(base, SETFILES)) { +- /* +- * setfiles: +- * Recursive descent, +- * Does not expand paths via realpath, +- * Aborts on errors during the file tree walk, +- * Try to track 
inode associations for conflict detection, +- * Does not follow mounts, +- * Validates all file contexts at init time. +- */ +- iamrestorecon = 0; +- recurse = 1; +- r_opts.expand_realpath = 0; +- r_opts.abort_on_error = 1; +- r_opts.add_assoc = 1; +- r_opts.fts_flags = FTS_PHYSICAL | FTS_XDEV; +- ctx_validate = 1; +- } else { +- /* +- * restorecon: +- * No recursive descent unless -r/-R, +- * Expands paths via realpath, +- * Do not abort on errors during the file tree walk, +- * Do not try to track inode associations for conflict detection, +- * Follows mounts, +- * Does lazy validation of contexts upon use. +- */ +- if (strcmp(base, RESTORECON) && !r_opts.quiet) +- printf("Executed with an unrecognized name (%s), defaulting to %s behavior.\n", base, RESTORECON); +- iamrestorecon = 1; +- recurse = 0; +- r_opts.expand_realpath = 1; +- r_opts.abort_on_error = 0; +- r_opts.add_assoc = 0; +- r_opts.fts_flags = FTS_PHYSICAL; +- ctx_validate = 0; - -- /* remove pre-existing entry */ -- remove_exclude(mount_info[1]); -- -- item = strtok(mount_info[3], ","); -- while (item != NULL) { -- if (strcmp(item, "seclabel") == 0) { -- found = 1; -- break; -- } -- item = strtok(NULL, ","); -- } -- -- /* exclude mount points without the seclabel option */ -- if (!found) -- add_exclude(mount_info[1]); +- /* restorecon only: silent exit if no SELinux. +- Allows unconditional execution by scripts. */ +- if (is_selinux_enabled() <= 0) +- exit(0); - } - -- free(buf); --} +- /* This must happen before getopt. */ +- exclude_non_seclabel_mounts(); - - int main(int argc, char **argv) - { - struct stat sb; -@@ -335,7 +270,7 @@ - r_opts.debug = 1; - break; - case 'i': +- /* Process any options. 
*/ +- while ((opt = getopt(argc, argv, "c:de:f:ilnpqrsvo:FRW0")) > 0) { +- switch (opt) { +- case 'c': +- { +- FILE *policystream; +- +- if (iamrestorecon) +- usage(argv[0]); +- +- policyfile = optarg; +- +- policystream = fopen(policyfile, "r"); +- if (!policystream) { +- fprintf(stderr, +- "Error opening %s: %s\n", +- policyfile, strerror(errno)); +- exit(1); +- } +- __fsetlocking(policystream, +- FSETLOCKING_BYCALLER); +- +- if (sepol_set_policydb_from_file(policystream) < +- 0) { +- fprintf(stderr, +- "Error reading policy %s: %s\n", +- policyfile, strerror(errno)); +- exit(1); +- } +- fclose(policystream); +- +- ctx_validate = 1; +- +- break; +- } +- case 'e': +- remove_exclude(optarg); +- if (lstat(optarg, &sb) < 0 && errno != EACCES) { +- fprintf(stderr, "Can't stat exclude path \"%s\", %s - ignoring.\n", +- optarg, strerror(errno)); +- break; +- } +- if (add_exclude(optarg)) +- exit(1); +- break; +- case 'f': +- use_input_file = 1; +- input_filename = optarg; +- break; +- case 'd': +- r_opts.debug = 1; +- break; +- case 'i': - ignore_enoent = 1; -+ r_opts.ignore_enoent = 1; - break; - case 'l': - r_opts.logging = 1; -@@ -371,7 +306,7 @@ - break; - } - if (optind + 1 >= argc) { +- break; +- case 'l': +- r_opts.logging = 1; +- break; +- case 'F': +- r_opts.force = 1; +- break; +- case 'n': +- r_opts.change = 0; +- break; +- case 'o': +- if (strcmp(optarg, "-") == 0) { +- r_opts.outfile = stdout; +- break; +- } +- +- r_opts.outfile = fopen(optarg, "w"); +- if (!r_opts.outfile) { +- fprintf(stderr, "Error opening %s: %s\n", +- optarg, strerror(errno)); +- +- usage(argv[0]); +- } +- __fsetlocking(r_opts.outfile, FSETLOCKING_BYCALLER); +- break; +- case 'q': +- r_opts.quiet = 1; +- break; +- case 'R': +- case 'r': +- if (iamrestorecon) { +- recurse = 1; +- break; +- } +- if (optind + 1 >= argc) { - fprintf(stderr, "usage: %s -r r_opts.rootpath\n", -+ fprintf(stderr, "usage: %s -r rootpath\n", - argv[0]); - exit(1); - } -@@ -475,7 +410,7 @@ - buf[len - 1] = 0; - 
if (!strcmp(buf, "/")) - mass_relabel = 1; +- argv[0]); +- exit(1); +- } +- if (NULL != r_opts.rootpath) { +- fprintf(stderr, +- "%s: only one -r can be specified\n", +- argv[0]); +- exit(1); +- } +- set_rootpath(argv[optind++]); +- break; +- case 's': +- use_input_file = 1; +- input_filename = "-"; +- r_opts.add_assoc = 0; +- break; +- case 'v': +- if (r_opts.progress) { +- fprintf(stderr, +- "Progress and Verbose mutually exclusive\n"); +- exit(1); +- } +- r_opts.verbose++; +- break; +- case 'p': +- if (r_opts.verbose) { +- fprintf(stderr, +- "Progress and Verbose mutually exclusive\n"); +- usage(argv[0]); +- } +- r_opts.progress = 1; +- break; +- case 'W': +- warn_no_match = 1; +- break; +- case '0': +- null_terminated = 1; +- break; +- case '?': +- usage(argv[0]); +- } +- } +- +- if (!iamrestorecon) { +- if (policyfile) { +- if (optind != (argc - 1)) +- usage(argv[0]); +- } else if (use_input_file) { +- if (optind != (argc - 1)) { +- /* Cannot mix with pathname arguments. */ +- usage(argv[0]); +- } +- } else { +- if (optind > (argc - 2)) +- usage(argv[0]); +- } +- +- /* Use our own invalid context checking function so that +- we can support either checking against the active policy or +- checking against a binary policy file. */ +- selinux_set_callback(SELINUX_CB_VALIDATE, +- (union selinux_callback)&canoncon); +- +- if (stat(argv[optind], &sb) < 0) { +- perror(argv[optind]); +- exit(1); +- } +- if (!S_ISREG(sb.st_mode)) { +- fprintf(stderr, "%s: spec file %s is not a regular file.\n", +- argv[0], argv[optind]); +- exit(1); +- } +- +- altpath = argv[optind]; +- optind++; +- } +- +- /* Load the file contexts configuration and check it. */ +- r_opts.selabel_opt_validate = (ctx_validate ? 
(char *)1 : NULL); +- r_opts.selabel_opt_path = altpath; +- +- if (nerr) +- exit(1); +- +- restore_init(&r_opts); +- if (use_input_file) { +- FILE *f = stdin; +- ssize_t len; +- int delim; +- if (strcmp(input_filename, "-") != 0) +- f = fopen(input_filename, "r"); +- if (f == NULL) { +- fprintf(stderr, "Unable to open %s: %s\n", input_filename, +- strerror(errno)); +- usage(argv[0]); +- } +- __fsetlocking(f, FSETLOCKING_BYCALLER); +- +- delim = (null_terminated != 0) ? '\0' : '\n'; +- while ((len = getdelim(&buf, &buf_len, delim, f)) > 0) { +- buf[len - 1] = 0; +- if (!strcmp(buf, "/")) +- mass_relabel = 1; - errors |= process_one_realpath(buf, recurse) < 0; -+ errors |= process_glob(buf, recurse) < 0; - } - if (strcmp(input_filename, "-") != 0) - fclose(f); -@@ -483,7 +418,8 @@ - for (i = optind; i < argc; i++) { - if (!strcmp(argv[i], "/")) - mass_relabel = 1; +- } +- if (strcmp(input_filename, "-") != 0) +- fclose(f); +- } else { +- for (i = optind; i < argc; i++) { +- if (!strcmp(argv[i], "/")) +- mass_relabel = 1; - errors |= process_one_realpath(argv[i], recurse) < 0; -+ -+ errors |= process_glob(argv[i], recurse) < 0; - } - } - +- } +- } +- +- if (mass_relabel) +- mass_relabel_errs = errors; +- maybe_audit_mass_relabel(); +- +- if (warn_no_match) +- selabel_stats(r_opts.hnd); +- +- selabel_close(r_opts.hnd); +- restore_finish(); +- +- if (r_opts.outfile) +- fclose(r_opts.outfile); +- +- if (r_opts.progress && r_opts.count >= STAR_COUNT) +- printf("\n"); +- exit(errors); +-} diff --git a/policycoreutils.spec b/policycoreutils.spec index bc38f35..ea6a504 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec 
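Review bot: The inner hunk `+@@ -201,306 +695,3 @@` removes `int main(int argc, char **argv)` from setfiles.c outright (306 lines down to 3) with nothing added in its place, and the first inner hunk `+@@ -1,149 +1,643 @@` replaces the file's includes, `usage()` and option globals with `struct restore_opts *r_opts = NULL;`, `restore_init`, `restore_finish`, `process_glob`, `process_one_realpath`, `exclude`/`add_exclude`/`remove_exclude` and the `filespec_*` hash table, which is the body of restore.c. This looks like the setfiles.c section of the patch was regenerated against the wrong file (its `+++` timestamp, 13:32:08, also differs from the 13:26:05 every other file carries): the patched tree would have no `main` and would define the same external symbols twice, since the earlier hunks give restore.c its own `exclude_non_seclabel_mounts` and restore.h the prototype `void exclude_non_seclabel_mounts();`. The setfiles.c changes the old version of the patch carried — the `-p` usage strings, `r_opts.ignore_enoent = 1;`, `usage: %s -r rootpath` and the two `process_glob(..., recurse)` calls — are the ones that should survive, so the setfiles.c section should be regenerated from the real 2.0.80 source rather than merged as is.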
@@ -1,13 +1,13 @@
 %define libauditver 1.4.2-1
-%define libsepolver 2.0.41-1
-%define libsemanagever 2.0.43-3
-%define libselinuxver 2.0.90-1
+%define libsepolver 2.0.41-3
+%define libsemanagever 2.0.43-4
+%define libselinuxver 2.0.90-3
 %define sepolgenver 1.0.19
 Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.0.80
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -305,6 +305,9 @@ fi
 exit 0
 %changelog
+* Thu Mar 11 2010 Dan Walsh 2.0.80-2
+- Use --rbind in sandbox init scripts
+
 * Mon Mar 8 2010 Dan Walsh 2.0.80-1
 - Update to upstream
 * Module enable/disable support from Dan Walsh.