Change matchpatcon to use proper myprintf
Fix symlink_realpath to always include "/" Update to upstream * selinux_file_context_verify function returns wrong value. * move realpath helper to matchpathcon library * python wrapper makefile changes
This commit is contained in:
parent
4eca5fc79f
commit
495b754734
@ -1,235 +1,3 @@
|
|||||||
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
|
|
||||||
index f110dcf..d29b0c1 100644
|
|
||||||
--- a/libselinux/include/selinux/selinux.h
|
|
||||||
+++ b/libselinux/include/selinux/selinux.h
|
|
||||||
@@ -566,7 +566,7 @@ extern int selinux_file_context_cmp(const security_context_t a,
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Verify the context of the file 'path' against policy.
|
|
||||||
- * Return 0 if correct.
|
|
||||||
+ * Return 1 if match, 0 if not and -1 on error.
|
|
||||||
*/
|
|
||||||
extern int selinux_file_context_verify(const char *path, mode_t mode);
|
|
||||||
|
|
||||||
diff --git a/libselinux/man/man3/selinux_file_context_cmp.3 b/libselinux/man/man3/selinux_file_context_cmp.3
|
|
||||||
index 51e8c20..cd67188 100644
|
|
||||||
--- a/libselinux/man/man3/selinux_file_context_cmp.3
|
|
||||||
+++ b/libselinux/man/man3/selinux_file_context_cmp.3
|
|
||||||
@@ -1,25 +1,75 @@
|
|
||||||
-.TH "selinux_file_context_cmp" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation"
|
|
||||||
+.TH "selinux_file_context_cmp" "3" "08 March 2011" "SELinux API documentation"
|
|
||||||
+
|
|
||||||
.SH "NAME"
|
|
||||||
-selinux_file_context_cmp, selinux_file_context_verify \- comparison of two file contexts.
|
|
||||||
+selinux_file_context_cmp \- Compare two SELinux security contexts excluding the 'user' component.
|
|
||||||
|
|
||||||
.SH "SYNOPSIS"
|
|
||||||
.B #include <selinux/selinux.h>
|
|
||||||
.sp
|
|
||||||
-
|
|
||||||
-.BI "int selinux_file_context_cmp(const security_context_t " a ", const security_context_t " b ");"
|
|
||||||
-
|
|
||||||
-.BI "int selinux_file_context_verify(const char *" path ", mode_t " mode ");"
|
|
||||||
+.BI "int selinux_file_context_cmp(const security_context_t " a ", "
|
|
||||||
+.RS
|
|
||||||
+.BI "const security_context_t " b ");"
|
|
||||||
+.RE
|
|
||||||
|
|
||||||
.SH "DESCRIPTION"
|
|
||||||
.B selinux_file_context_cmp
|
|
||||||
-compares two file contexts to see if their differences are "significant", the function runs the strcmp function ignoring the user componant of the file context.
|
|
||||||
-.sp
|
|
||||||
-.B selinux_file_context_verify
|
|
||||||
-compares the file context on disk to the system default.
|
|
||||||
+compares two context strings excluding the user component with
|
|
||||||
+.B strcmp(3)
|
|
||||||
+as shown in the
|
|
||||||
+.B EXAMPLE
|
|
||||||
+section.
|
|
||||||
.sp
|
|
||||||
+This is useful as for most object contexts, the user component is not relevant.
|
|
||||||
|
|
||||||
.SH "RETURN VALUE"
|
|
||||||
-Returns zero on success or \-1 otherwise.
|
|
||||||
+The return values follow the
|
|
||||||
+.B strcmp(3)
|
|
||||||
+function, where:
|
|
||||||
+.RS
|
|
||||||
+0 if they are equal.
|
|
||||||
+.RE
|
|
||||||
+.RS
|
|
||||||
+1 if
|
|
||||||
+.I a
|
|
||||||
+is greater than
|
|
||||||
+.I b
|
|
||||||
+.RE
|
|
||||||
+.RS
|
|
||||||
+\-1 if
|
|
||||||
+.I a
|
|
||||||
+is less than
|
|
||||||
+.I b
|
|
||||||
+.RE
|
|
||||||
+
|
|
||||||
+.SH "ERRORS"
|
|
||||||
+None.
|
|
||||||
+
|
|
||||||
+.SH "NOTES"
|
|
||||||
+The contexts being compared do not specifically need to be file contexts.
|
|
||||||
+
|
|
||||||
+.SH "EXAMPLE"
|
|
||||||
+If context
|
|
||||||
+.I a
|
|
||||||
+is:
|
|
||||||
+.RS
|
|
||||||
+user_u:user_r:user_t:s0
|
|
||||||
+.RE
|
|
||||||
+.sp
|
|
||||||
+and context
|
|
||||||
+.I b
|
|
||||||
+is:
|
|
||||||
+.RS
|
|
||||||
+root:user_r:user_t:s0
|
|
||||||
+.RE
|
|
||||||
+.sp
|
|
||||||
+then the actual strings compared are:
|
|
||||||
+.RS
|
|
||||||
+:user_r:user_t:s0 and :user_r:user_t:s0
|
|
||||||
+.RE
|
|
||||||
+.sp
|
|
||||||
+Therefore they will match and
|
|
||||||
+.B selinux_file_context_cmp
|
|
||||||
+will return zero.
|
|
||||||
|
|
||||||
.SH "SEE ALSO"
|
|
||||||
-.BR selinux "(8), " selinux_lsetfilecon "(3), " matchpathcon "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
|
|
||||||
+.BR selinux "(8)"
|
|
||||||
diff --git a/libselinux/man/man3/selinux_file_context_verify.3 b/libselinux/man/man3/selinux_file_context_verify.3
|
|
||||||
index d777547..e22be70 100644
|
|
||||||
--- a/libselinux/man/man3/selinux_file_context_verify.3
|
|
||||||
+++ b/libselinux/man/man3/selinux_file_context_verify.3
|
|
||||||
@@ -1 +1,98 @@
|
|
||||||
-.so man3/selinux_file_context_cmp.3
|
|
||||||
+.TH "selinux_file_context_verify" "3" "08 March 2011" "SELinux API documentation"
|
|
||||||
+
|
|
||||||
+.SH "NAME"
|
|
||||||
+selinux_file_context_verify \- Compare the SELinux security context on disk to the default security context required by the policy file contexts file.
|
|
||||||
+
|
|
||||||
+.SH "SYNOPSIS"
|
|
||||||
+.B #include <selinux/selinux.h>
|
|
||||||
+.sp
|
|
||||||
+.BI "int selinux_file_context_verify(const char *" path ", mode_t " mode ");"
|
|
||||||
+
|
|
||||||
+.SH "DESCRIPTION"
|
|
||||||
+.B selinux_file_context_verify
|
|
||||||
+compares the context of the specified
|
|
||||||
+.I path
|
|
||||||
+that is held on disk (in the extended attribute), to the system default entry held in the file contexts series of files.
|
|
||||||
+.sp
|
|
||||||
+The
|
|
||||||
+.I mode
|
|
||||||
+may be zero.
|
|
||||||
+.sp
|
|
||||||
+Note that the two contexts are compared for "significant" differences (i.e. the user component of the contexts are ignored) as shown in the
|
|
||||||
+.B EXAMPLE
|
|
||||||
+section.
|
|
||||||
+
|
|
||||||
+.SH "RETURN VALUE"
|
|
||||||
+If the contexts significantly match, 1 (one) is returned.
|
|
||||||
+.sp
|
|
||||||
+If the contexts do not match 0 (zero) is returned and
|
|
||||||
+.I errno
|
|
||||||
+is set to either
|
|
||||||
+.B ENOENT
|
|
||||||
+or
|
|
||||||
+.B EINVAL
|
|
||||||
+for the reasons listed in the
|
|
||||||
+.B ERRORS
|
|
||||||
+section, or if
|
|
||||||
+.I errno
|
|
||||||
+= 0 then the contexts did not match.
|
|
||||||
+.sp
|
|
||||||
+On failure \-1 is returned and
|
|
||||||
+.I errno
|
|
||||||
+set appropriately.
|
|
||||||
+
|
|
||||||
+.SH "ERRORS"
|
|
||||||
+.TP
|
|
||||||
+.B ENOTSUP
|
|
||||||
+if extended attributes are not supported by the file system.
|
|
||||||
+.TP
|
|
||||||
+.B ENOENT
|
|
||||||
+if there is no entry in the file contexts series of files or
|
|
||||||
+.I path
|
|
||||||
+does not exist.
|
|
||||||
+.TP
|
|
||||||
+.B EINVAL
|
|
||||||
+if the entry in the file contexts series of files or
|
|
||||||
+.I path
|
|
||||||
+are invalid, or the returned context fails validation.
|
|
||||||
+.TP
|
|
||||||
+.B ENOMEM
|
|
||||||
+if attempt to allocate memory failed.
|
|
||||||
+
|
|
||||||
+.SH "FILES"
|
|
||||||
+The following configuration files (the file contexts series of files) supporting the active policy will be used (should they exist) to determine the
|
|
||||||
+.I path
|
|
||||||
+default context:
|
|
||||||
+.sp
|
|
||||||
+.RS
|
|
||||||
+contexts/files/file_contexts - This file must exist.
|
|
||||||
+.sp
|
|
||||||
+contexts/files/file_contexts.local - If exists has local customizations.
|
|
||||||
+.sp
|
|
||||||
+contexts/files/file_contexts.homedirs - If exists has users home directory customizations.
|
|
||||||
+.sp
|
|
||||||
+contexts/files/file_contexts.subs - If exists has substitutions that are then applied to the 'in memory' version of the file contexts files.
|
|
||||||
+.RE
|
|
||||||
+
|
|
||||||
+.SH "EXAMPLE"
|
|
||||||
+If the files context is:
|
|
||||||
+.RS
|
|
||||||
+unconfined_u:object_r:admin_home_t:s0
|
|
||||||
+.RE
|
|
||||||
+.sp
|
|
||||||
+and the default context defined in the file contexts file is:
|
|
||||||
+.RS
|
|
||||||
+system_u:object_r:admin_home_t:s0
|
|
||||||
+.RE
|
|
||||||
+.sp
|
|
||||||
+then the actual strings compared are:
|
|
||||||
+.RS
|
|
||||||
+:object_r:admin_home_t:s0 and :object_r:admin_home_t:s0
|
|
||||||
+.RE
|
|
||||||
+.sp
|
|
||||||
+Therefore they will match and
|
|
||||||
+.B selinux_file_context_verify
|
|
||||||
+will return 1.
|
|
||||||
+
|
|
||||||
+.SH "SEE ALSO"
|
|
||||||
+.BR selinux "(8)"
|
|
||||||
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
|
|
||||||
index 15f7c1a..7680008 100644
|
|
||||||
--- a/libselinux/src/Makefile
|
|
||||||
+++ b/libselinux/src/Makefile
|
|
||||||
@@ -10,7 +10,8 @@ LIBDIR ?= $(PREFIX)/lib
|
|
||||||
SHLIBDIR ?= $(PREFIX)/lib
|
|
||||||
INCLUDEDIR ?= $(PREFIX)/include
|
|
||||||
PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % sys.version_info[0:2])')
|
|
||||||
-PYINC ?= $(shell pkg-config --cflags `basename $(PYTHON)`)
|
|
||||||
+PYINC ?= $(shell pkg-config --cflags $(PYPREFIX))
|
|
||||||
+PYTHONLIBDIR ?= $(shell pkg-config --libs $(PYPREFIX))
|
|
||||||
PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
|
|
||||||
RUBYLIBVER ?= $(shell ruby -e 'print RUBY_VERSION.split(".")[0..1].join(".")')
|
|
||||||
RUBYPLATFORM ?= $(shell ruby -e 'print RUBY_PLATFORM')
|
|
||||||
@@ -78,7 +79,7 @@ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
|
|
||||||
$(CC) $(filter-out -Werror, $(CFLAGS)) -I$(RUBYINC) -fPIC -DSHARED -c -o $@ $<
|
|
||||||
|
|
||||||
$(SWIGSO): $(SWIGLOBJ)
|
|
||||||
- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@
|
|
||||||
+ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) $(PYTHONLIBDIR) -Wl,-soname,$@,-z,defs
|
|
||||||
|
|
||||||
$(SWIGRUBYSO): $(SWIGRUBYLOBJ)
|
|
||||||
$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@
|
|
||||||
diff --git a/libselinux/src/callbacks.c b/libselinux/src/callbacks.c
|
diff --git a/libselinux/src/callbacks.c b/libselinux/src/callbacks.c
|
||||||
index b245364..7c47222 100644
|
index b245364..7c47222 100644
|
||||||
--- a/libselinux/src/callbacks.c
|
--- a/libselinux/src/callbacks.c
|
||||||
@ -243,10 +11,10 @@ index b245364..7c47222 100644
|
|||||||
rc = vfprintf(stderr, fmt, ap);
|
rc = vfprintf(stderr, fmt, ap);
|
||||||
va_end(ap);
|
va_end(ap);
|
||||||
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
|
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
|
||||||
index 5fd8fe4..410dd9d 100644
|
index 9717b14..df83b30 100644
|
||||||
--- a/libselinux/src/matchpathcon.c
|
--- a/libselinux/src/matchpathcon.c
|
||||||
+++ b/libselinux/src/matchpathcon.c
|
+++ b/libselinux/src/matchpathcon.c
|
||||||
@@ -2,9 +2,11 @@
|
@@ -2,6 +2,7 @@
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
@ -254,11 +22,7 @@ index 5fd8fe4..410dd9d 100644
|
|||||||
#include "selinux_internal.h"
|
#include "selinux_internal.h"
|
||||||
#include "label_internal.h"
|
#include "label_internal.h"
|
||||||
#include "callbacks.h"
|
#include "callbacks.h"
|
||||||
+#include <limits.h>
|
@@ -62,7 +63,7 @@ static void
|
||||||
|
|
||||||
static __thread struct selabel_handle *hnd;
|
|
||||||
|
|
||||||
@@ -61,7 +63,7 @@ static void
|
|
||||||
{
|
{
|
||||||
va_list ap;
|
va_list ap;
|
||||||
va_start(ap, fmt);
|
va_start(ap, fmt);
|
||||||
@ -267,234 +31,53 @@ index 5fd8fe4..410dd9d 100644
|
|||||||
va_end(ap);
|
va_end(ap);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -337,14 +339,82 @@ void matchpathcon_fini(void)
|
@@ -353,7 +354,7 @@ static int symlink_realpath(const char *name, char *resolved_path)
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-int matchpathcon(const char *name, mode_t mode, security_context_t * con)
|
tmp_path = strdup(name);
|
||||||
+/*
|
if (!tmp_path) {
|
||||||
+ * We do not want to resolve a symlink to a real path if it is the final
|
|
||||||
+ * component of the name. Thus we split the pathname on the last "/" and
|
|
||||||
+ * determine a real path component of the first portion. We then have to
|
|
||||||
+ * copy the last part back on to get the final real path. Wheww.
|
|
||||||
+ */
|
|
||||||
+static int symlink_realpath(const char *name, char *resolved_path)
|
|
||||||
+{
|
|
||||||
+ char *last_component;
|
|
||||||
+ char *tmp_path, *p;
|
|
||||||
+ size_t len = 0;
|
|
||||||
+ int rc = 0;
|
|
||||||
+
|
|
||||||
+ tmp_path = strdup(name);
|
|
||||||
+ if (!tmp_path) {
|
|
||||||
+ fprintf(stderr, "symlink_realpath(%s) strdup() failed: %s\n",
|
|
||||||
+ name, strerror(errno));
|
|
||||||
+ rc = -1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ last_component = strrchr(tmp_path, '/');
|
|
||||||
+
|
|
||||||
+ if (last_component == tmp_path) {
|
|
||||||
+ last_component++;
|
|
||||||
+ p = strcpy(resolved_path, "/");
|
|
||||||
+ } else if (last_component) {
|
|
||||||
+ *last_component = '\0';
|
|
||||||
+ last_component++;
|
|
||||||
+ p = realpath(tmp_path, resolved_path);
|
|
||||||
+ } else {
|
|
||||||
+ last_component = tmp_path;
|
|
||||||
+ p = realpath("./", resolved_path);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!p) {
|
|
||||||
+ fprintf(stderr, "symlink_realpath(%s) realpath() failed: %s\n",
|
|
||||||
+ name, strerror(errno));
|
|
||||||
+ rc = -1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ len = strlen(p);
|
|
||||||
+ if (len + strlen(last_component) + 1 > PATH_MAX) {
|
|
||||||
+ fprintf(stderr, "symlink_realpath(%s) failed: Filename too long \n",
|
|
||||||
+ name);
|
|
||||||
+ rc = -1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ resolved_path += len;
|
|
||||||
+ strcpy(resolved_path, last_component);
|
|
||||||
+out:
|
|
||||||
+ free(tmp_path);
|
|
||||||
+ return rc;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int matchpathcon(const char *path, mode_t mode, security_context_t * con)
|
|
||||||
{
|
|
||||||
+ char stackpath[PATH_MAX + 1];
|
|
||||||
+ char *p = NULL;
|
|
||||||
if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0))
|
|
||||||
return -1;
|
|
||||||
|
|
||||||
+ if (S_ISLNK(mode)) {
|
|
||||||
+ if (!symlink_realpath(path, stackpath))
|
|
||||||
+ path = stackpath;
|
|
||||||
+ } else {
|
|
||||||
+ p = realpath(path, stackpath);
|
|
||||||
+ if (p)
|
|
||||||
+ path = p;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return notrans ?
|
|
||||||
- selabel_lookup_raw(hnd, con, name, mode) :
|
|
||||||
- selabel_lookup(hnd, con, name, mode);
|
|
||||||
+ selabel_lookup_raw(hnd, con, path, mode) :
|
|
||||||
+ selabel_lookup(hnd, con, path, mode);
|
|
||||||
}
|
|
||||||
|
|
||||||
int matchpathcon_index(const char *name, mode_t mode, security_context_t * con)
|
|
||||||
@@ -394,7 +464,7 @@ int selinux_file_context_verify(const char *path, mode_t mode)
|
|
||||||
rc = lgetfilecon_raw(path, &con);
|
|
||||||
if (rc == -1) {
|
|
||||||
if (errno != ENOTSUP)
|
|
||||||
- return 1;
|
|
||||||
+ return -1;
|
|
||||||
else
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
@@ -404,11 +474,18 @@ int selinux_file_context_verify(const char *path, mode_t mode)
|
|
||||||
|
|
||||||
if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) {
|
|
||||||
if (errno != ENOENT)
|
|
||||||
- rc = 1;
|
|
||||||
+ rc = -1;
|
|
||||||
else
|
|
||||||
rc = 0;
|
|
||||||
- } else
|
|
||||||
+ } else {
|
|
||||||
+ /*
|
|
||||||
+ * Need to set errno to 0 as it can be set to ENOENT if the
|
|
||||||
+ * file_contexts.subs file does not exist (see selabel_open in
|
|
||||||
+ * label.c), thus causing confusion if errno is checked on return.
|
|
||||||
+ */
|
|
||||||
+ errno = 0;
|
|
||||||
rc = (selinux_file_context_cmp(fcontext, con) == 0);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
freecon(con);
|
|
||||||
freecon(fcontext);
|
|
||||||
diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
|
|
||||||
index 3ecd52f..5f0a4c2 100644
|
|
||||||
--- a/libselinux/utils/matchpathcon.c
|
|
||||||
+++ b/libselinux/utils/matchpathcon.c
|
|
||||||
@@ -43,63 +43,6 @@ int printmatchpathcon(char *path, int header, int mode)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * We do not want to resolve a symlink to a real path if it is the final
|
|
||||||
- * component of the name. Thus we split the pathname on the last "/" and
|
|
||||||
- * determine a real path component of the first portion. We then have to
|
|
||||||
- * copy the last part back on to get the final real path. Wheww.
|
|
||||||
- */
|
|
||||||
-static int symlink_realpath(char *name, char *resolved_path)
|
|
||||||
-{
|
|
||||||
- char *last_component;
|
|
||||||
- char *tmp_path, *p;
|
|
||||||
- size_t len = 0;
|
|
||||||
- int rc = 0;
|
|
||||||
-
|
|
||||||
- tmp_path = strdup(name);
|
|
||||||
- if (!tmp_path) {
|
|
||||||
- fprintf(stderr, "symlink_realpath(%s) strdup() failed: %s\n",
|
- fprintf(stderr, "symlink_realpath(%s) strdup() failed: %s\n",
|
||||||
- name, strerror(errno));
|
+ myprintf("symlink_realpath(%s) strdup() failed: %s\n",
|
||||||
- rc = -1;
|
name, strerror(errno));
|
||||||
- goto out;
|
rc = -1;
|
||||||
- }
|
goto out;
|
||||||
-
|
@@ -374,21 +375,24 @@ static int symlink_realpath(const char *name, char *resolved_path)
|
||||||
- last_component = strrchr(tmp_path, '/');
|
}
|
||||||
-
|
|
||||||
- if (last_component == tmp_path) {
|
if (!p) {
|
||||||
- last_component++;
|
|
||||||
- p = strcpy(resolved_path, "/");
|
|
||||||
- } else if (last_component) {
|
|
||||||
- *last_component = '\0';
|
|
||||||
- last_component++;
|
|
||||||
- p = realpath(tmp_path, resolved_path);
|
|
||||||
- } else {
|
|
||||||
- last_component = tmp_path;
|
|
||||||
- p = realpath("./", resolved_path);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (!p) {
|
|
||||||
- fprintf(stderr, "symlink_realpath(%s) realpath() failed: %s\n",
|
- fprintf(stderr, "symlink_realpath(%s) realpath() failed: %s\n",
|
||||||
- name, strerror(errno));
|
+ myprintf("symlink_realpath(%s) realpath() failed: %s\n",
|
||||||
- rc = -1;
|
name, strerror(errno));
|
||||||
- goto out;
|
rc = -1;
|
||||||
- }
|
goto out;
|
||||||
-
|
}
|
||||||
- len = strlen(p);
|
|
||||||
|
len = strlen(p);
|
||||||
- if (len + strlen(last_component) + 1 > PATH_MAX) {
|
- if (len + strlen(last_component) + 1 > PATH_MAX) {
|
||||||
- fprintf(stderr, "symlink_realpath(%s) failed: Filename too long \n",
|
- fprintf(stderr, "symlink_realpath(%s) failed: Filename too long \n",
|
||||||
- name);
|
+ if (len + strlen(last_component) + 2 > PATH_MAX) {
|
||||||
- rc = -1;
|
+ myprintf("symlink_realpath(%s) failed: Filename too long \n",
|
||||||
- goto out;
|
name);
|
||||||
- }
|
+ errno=ENAMETOOLONG;
|
||||||
-
|
rc = -1;
|
||||||
- resolved_path += len;
|
goto out;
|
||||||
- strcpy(resolved_path, last_component);
|
}
|
||||||
-out:
|
|
||||||
- free(tmp_path);
|
resolved_path += len;
|
||||||
- return rc;
|
+ strcpy(resolved_path, "/");
|
||||||
-}
|
+ resolved_path += 1;
|
||||||
-
|
strcpy(resolved_path, last_component);
|
||||||
|
out:
|
||||||
|
free(tmp_path);
|
||||||
|
diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
|
||||||
|
index 2fa21bc..5f0a4c2 100644
|
||||||
|
--- a/libselinux/utils/matchpathcon.c
|
||||||
|
+++ b/libselinux/utils/matchpathcon.c
|
||||||
|
@@ -45,7 +45,7 @@ int printmatchpathcon(char *path, int header, int mode)
|
||||||
|
|
||||||
int main(int argc, char **argv)
|
int main(int argc, char **argv)
|
||||||
{
|
{
|
||||||
int i, init = 0;
|
- int i, init = 0, rc = 0;
|
||||||
@@ -166,8 +109,7 @@ int main(int argc, char **argv)
|
+ int i, init = 0;
|
||||||
for (i = optind; i < argc; i++) {
|
int header = 1, opt;
|
||||||
int rc, mode = 0;
|
int verify = 0;
|
||||||
struct stat buf;
|
int notrans = 0;
|
||||||
- char *p, *path = argv[i];
|
|
||||||
- char stackpath[PATH_MAX + 1];
|
|
||||||
+ char *path = argv[i];
|
|
||||||
int len = strlen(path);
|
|
||||||
if (len > 1 && path[len - 1 ] == '/')
|
|
||||||
path[len - 1 ] = '\0';
|
|
||||||
@@ -175,31 +117,23 @@ int main(int argc, char **argv)
|
|
||||||
if (lstat(path, &buf) == 0)
|
|
||||||
mode = buf.st_mode;
|
|
||||||
|
|
||||||
- if (S_ISLNK(mode)) {
|
|
||||||
- rc = symlink_realpath(path, stackpath);
|
|
||||||
- if (!rc)
|
|
||||||
- path = stackpath;
|
|
||||||
- } else {
|
|
||||||
- p = realpath(path, stackpath);
|
|
||||||
- if (p)
|
|
||||||
- path = p;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
if (verify) {
|
|
||||||
rc = selinux_file_context_verify(path, mode);
|
|
||||||
|
|
||||||
if (quiet) {
|
|
||||||
- if (rc)
|
|
||||||
+ if (rc == 1)
|
|
||||||
continue;
|
|
||||||
else
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (rc) {
|
|
||||||
+ if (rc == -1) {
|
|
||||||
+ printf("%s error: %s\n", path, strerror(errno));
|
|
||||||
+ exit(1);
|
|
||||||
+ } else if (rc == 1) {
|
|
||||||
printf("%s verified.\n", path);
|
|
||||||
} else {
|
|
||||||
security_context_t con;
|
|
||||||
- int rc;
|
|
||||||
error = 1;
|
|
||||||
if (notrans)
|
|
||||||
rc = lgetfilecon_raw(path, &con);
|
|
||||||
|
@ -6,8 +6,8 @@
|
|||||||
|
|
||||||
Summary: SELinux library and simple utilities
|
Summary: SELinux library and simple utilities
|
||||||
Name: libselinux
|
Name: libselinux
|
||||||
Version: 2.1.4
|
Version: 2.1.5
|
||||||
Release: 2%{?dist}
|
Release: 1%{?dist}
|
||||||
License: Public Domain
|
License: Public Domain
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
Source: %{name}-%{version}.tgz
|
Source: %{name}-%{version}.tgz
|
||||||
@ -233,6 +233,14 @@ exit 0
|
|||||||
%{ruby_sitearch}/selinux.so
|
%{ruby_sitearch}/selinux.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 30 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-1
|
||||||
|
- Change matchpatcon to use proper myprintf
|
||||||
|
- Fix symlink_realpath to always include "/"
|
||||||
|
- Update to upstream
|
||||||
|
* selinux_file_context_verify function returns wrong value.
|
||||||
|
* move realpath helper to matchpathcon library
|
||||||
|
* python wrapper makefile changes
|
||||||
|
|
||||||
* Mon Aug 22 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-2
|
* Mon Aug 22 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-2
|
||||||
- Move to new Makefile that can build with or without PYTHON being set
|
- Move to new Makefile that can build with or without PYTHON being set
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user