diff --git a/glibc-rh1025126.patch b/glibc-rh1025126.patch deleted file mode 100644 index ac6b481..0000000 --- a/glibc-rh1025126.patch +++ /dev/null @@ -1,135 +0,0 @@ -diff --git a/nscd/selinux.c b/nscd/selinux.c -index 0866c44..ba55b04 100644 ---- a/nscd/selinux.c -+++ b/nscd/selinux.c -@@ -44,35 +44,31 @@ - /* Global variable to tell if the kernel has SELinux support. */ - int selinux_enabled; - --/* Define mappings of access vector permissions to request types. */ --static const access_vector_t perms[LASTREQ] = -+/* Define mappings of request type to AVC permission name. */ -+static const char *perms[LASTREQ] = - { -- [GETPWBYNAME] = NSCD__GETPWD, -- [GETPWBYUID] = NSCD__GETPWD, -- [GETGRBYNAME] = NSCD__GETGRP, -- [GETGRBYGID] = NSCD__GETGRP, -- [GETHOSTBYNAME] = NSCD__GETHOST, -- [GETHOSTBYNAMEv6] = NSCD__GETHOST, -- [GETHOSTBYADDR] = NSCD__GETHOST, -- [GETHOSTBYADDRv6] = NSCD__GETHOST, -- [GETSTAT] = NSCD__GETSTAT, -- [SHUTDOWN] = NSCD__ADMIN, -- [INVALIDATE] = NSCD__ADMIN, -- [GETFDPW] = NSCD__SHMEMPWD, -- [GETFDGR] = NSCD__SHMEMGRP, -- [GETFDHST] = NSCD__SHMEMHOST, -- [GETAI] = NSCD__GETHOST, -- [INITGROUPS] = NSCD__GETGRP, --#ifdef NSCD__GETSERV -- [GETSERVBYNAME] = NSCD__GETSERV, -- [GETSERVBYPORT] = NSCD__GETSERV, -- [GETFDSERV] = NSCD__SHMEMSERV, --#endif --#ifdef NSCD__GETNETGRP -- [GETNETGRENT] = NSCD__GETNETGRP, -- [INNETGR] = NSCD__GETNETGRP, -- [GETFDNETGR] = NSCD__SHMEMNETGRP, --#endif -+ [GETPWBYNAME] = "getpwd", -+ [GETPWBYUID] = "getpwd", -+ [GETGRBYNAME] = "getgrp", -+ [GETGRBYGID] = "getgrp", -+ [GETHOSTBYNAME] = "gethost", -+ [GETHOSTBYNAMEv6] = "gethost", -+ [GETHOSTBYADDR] = "gethost", -+ [GETHOSTBYADDRv6] = "gethost", -+ [SHUTDOWN] = "admin", -+ [GETSTAT] = "getstat", -+ [INVALIDATE] = "admin", -+ [GETFDPW] = "shmempwd", -+ [GETFDGR] = "shmemgrp", -+ [GETFDHST] = "shmemhost", -+ [GETAI] = "gethost", -+ [INITGROUPS] = "getgrp", -+ [GETSERVBYNAME] = "getserv", -+ [GETSERVBYPORT] = "getserv", -+ [GETFDSERV] = "shmemserv", -+ [GETNETGRENT] = "getnetgrp", -+ [INNETGR] = "getnetgrp", -+ [GETFDNETGR] = "shmemnetgrp", - }; - - /* Store an entry ref to speed AVC decisions. */ -@@ -344,7 +340,18 @@ nscd_avc_init (void) - - - /* Check the permission from the caller (via getpeercon) to nscd. -- Returns 0 if access is allowed, 1 if denied, and -1 on error. */ -+ Returns 0 if access is allowed, 1 if denied, and -1 on error. -+ -+ Implementation note: -+ The SELinux policy, enablement, and permission bits are all dynamic -+ and the caching done by glibc is not entirely correct. This nscd -+ support should be rewritten to use selinux_check_permission. -+ A rewrite is risky though and requires some refactoring fist. -+ Instead we use symbolic mappings instead of compile time -+ constants (which selinux upstream says are going away), and use -+ security_deny_unknown to determine what to do if selinux-policy -+ doesn't have a definition for the the permission or object class -+ we are looking up. */ - int - nscd_request_avc_has_perm (int fd, request_type req) - { -@@ -354,6 +361,33 @@ nscd_request_avc_has_perm (int fd, request_type req) - security_id_t ssid = NULL; - security_id_t tsid = NULL; - int rc = -1; -+ security_class_t sc_nscd = 0; -+ access_vector_t perm = 0; -+ int avc_deny_unknown = 0; -+ -+ /* Check if SELinux denys or allows unknown object classes -+ and permissions. It is 0 if they are allowed, 1 if they -+ are not allowed and -1 on error. */ -+ if ((avc_deny_unknown = security_deny_unknown ()) == -1) -+ dbg_log (_("Error querying policy for undefined object classes " -+ "or permissions.")); -+ -+ /* Get the security class for nscd. If this fails we will likely be -+ unable to do anything unless avc_deny_unknown is 0. */ -+ if ((sc_nscd = string_to_security_class ("nscd")) == 0 -+ && avc_deny_unknown == 1) -+ dbg_log (_("Error getting security class for nscd.")); -+ -+ /* Convert permission to AVC bits. */ -+ perm = string_to_av_perm (sc_nscd, perms[req]); -+ if (perm == 0 && avc_deny_unknown == 1) -+ dbg_log (_("Error translating permission name " -+ "\"%s\" to access vector bit."), perms[req]); -+ -+ /* If the nscd security class was not found or perms were not -+ found and AVC does not deny unknown values then allow it. */ -+ if ((sc_nscd == 0 || perm == 0) && avc_deny_unknown == 0) -+ return 0; - - if (getpeercon (fd, &scon) < 0) - { -@@ -372,15 +406,7 @@ nscd_request_avc_has_perm (int fd, request_type req) - goto out; - } - --#ifndef NSCD__GETSERV -- if (perms[req] == 0) -- { -- dbg_log (_("compile-time support for database policy missing")); -- goto out; -- } --#endif -- -- rc = avc_has_perm (ssid, tsid, SECCLASS_NSCD, perms[req], &aeref, NULL) < 0; -+ rc = avc_has_perm (ssid, tsid, sc_nscd, perm, &aeref, NULL) < 0; - - out: - if (scon) diff --git a/glibc.spec b/glibc.spec index 3495e68..581bc1a 100644 --- a/glibc.spec +++ b/glibc.spec @@ -1,6 +1,6 @@ -%define glibcsrcdir glibc-2.19-269-ga4c75cf +%define glibcsrcdir glibc-2.19-309-gc54e5cf %define glibcversion 2.19.90 -%define glibcrelease 10%{?dist} +%define glibcrelease 11%{?dist} # Pre-release tarballs are pulled in from git using a command that is # effectively: # @@ -219,9 +219,6 @@ Patch2026: %{name}-rh841787.patch # Upstream BZ 14185 Patch2027: %{name}-rh819430.patch -# Fix nscd to use permission names not constants. -Patch2028: %{name}-rh1025126.patch - Patch2031: %{name}-rh1070416.patch # Upstream 16724 @@ -549,7 +546,6 @@ package or when debugging this package. %patch0042 -p1 %patch0044 -p1 %patch0046 -p1 -%patch2028 -p1 %patch2031 -p1 %patch0047 -p1 %patch2032 -p1 @@ -1639,6 +1635,9 @@ rm -f *.filelist* %endif %changelog +* Fri Apr 18 2014 Siddhesh Poyarekar - 2.19.90-11 +- Sync with upstream master. + * Thu Apr 10 2014 Siddhesh Poyarekar - 2.19.90-10 - Sync with upstream master. diff --git a/sources b/sources index 4e5f97f..efa3a5a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -997b3a71cbe5ee90e7cfddd14a14da14 glibc-2.19-269-ga4c75cf.tar.gz +dfca55f88fea8739ccf86429cb3dd313 glibc-2.19-309-gc54e5cf.tar.gz