libselinux-2.5-12

- Fix -Wsign-compare warnings
- Drop unused stdio_ext.h header file
- Kill logging check for selinux_enabled()
- Drop usage of _D_ALLOC_NAMLEN
- Add openrc_contexts functions
- Fix redefinition of XATTR_NAME_SELINUX
- Correct error path to always try text
- Clean up process_file()
- Handle NULL pcre study data
- Fix in tree compilation of utils that depend on libsepol
This commit is contained in:
Petr Lautrbach 2016-10-04 08:23:03 +02:00
parent 1eb2b767ff
commit 5ad771ed68
2 changed files with 755 additions and 18 deletions

View File

@ -1,8 +1,18 @@
diff --git libselinux-2.5/ChangeLog libselinux-2.5/ChangeLog diff --git libselinux-2.5/ChangeLog libselinux-2.5/ChangeLog
index 24673dd..6588189 100644 index 24673dd..bc68bed 100644
--- libselinux-2.5/ChangeLog --- libselinux-2.5/ChangeLog
+++ libselinux-2.5/ChangeLog +++ libselinux-2.5/ChangeLog
@@ -1,3 +1,19 @@ @@ -1,3 +1,29 @@
+ * Fix -Wsign-compare warnings, from Nicolas Iooss.
+ * Drop unused stdio_ext.h header file, from William Roberts.
+ * Kill logging check for selinux_enabled(), from William Roberts.
+ * Drop usage of _D_ALLOC_NAMLEN, from William Roberts.
+ * Add openrc_contexts functions, from Jason Zaman.
+ * Fix redefinition of XATTR_NAME_SELINUX, from William Roberts.
+ * Correct error path to always try text, from William Roberts.
+ * Clean up process_file(), from William Roberts.
+ * Handle NULL pcre study data, from Stephen Smalley.
+ * Fix in tree compilation of utils that depend on libsepol, from Laurent Bigonville.
+ * Change the location of _selinux.so, from Petr Lautrbach. + * Change the location of _selinux.so, from Petr Lautrbach.
+ * Clarify is_selinux_mls_enabled() description, from David King. + * Clarify is_selinux_mls_enabled() description, from David King.
+ * Explain how to free policy type from selinux_getpolicytype(), from David King. + * Explain how to free policy type from selinux_getpolicytype(), from David King.
@ -494,12 +504,14 @@ index 0000000..fed6de8
+ selinux.Test() + selinux.Test()
+} +}
diff --git libselinux-2.5/include/selinux/selinux.h libselinux-2.5/include/selinux/selinux.h diff --git libselinux-2.5/include/selinux/selinux.h libselinux-2.5/include/selinux/selinux.h
index 2262086..3d8673f 100644 index 2262086..45dd6ca 100644
--- libselinux-2.5/include/selinux/selinux.h --- libselinux-2.5/include/selinux/selinux.h
+++ libselinux-2.5/include/selinux/selinux.h +++ libselinux-2.5/include/selinux/selinux.h
@@ -544,6 +544,7 @@ extern const char *selinux_lxc_contexts_path(void); @@ -543,7 +543,9 @@ extern const char *selinux_virtual_image_context_path(void);
extern const char *selinux_lxc_contexts_path(void);
extern const char *selinux_x_context_path(void); extern const char *selinux_x_context_path(void);
extern const char *selinux_sepgsql_context_path(void); extern const char *selinux_sepgsql_context_path(void);
+extern const char *selinux_openrc_contexts_path(void);
extern const char *selinux_openssh_contexts_path(void); extern const char *selinux_openssh_contexts_path(void);
+extern const char *selinux_snapperd_contexts_path(void); +extern const char *selinux_snapperd_contexts_path(void);
extern const char *selinux_systemd_contexts_path(void); extern const char *selinux_systemd_contexts_path(void);
@ -755,6 +767,36 @@ index 9669264..c775430 100644
*sid = NULL; *sid = NULL;
hvalue = sidtab_hash(ctx); hvalue = sidtab_hash(ctx);
diff --git libselinux-2.5/src/booleans.c libselinux-2.5/src/booleans.c
index 4b39a28..c438af1 100644
--- libselinux-2.5/src/booleans.c
+++ libselinux-2.5/src/booleans.c
@@ -63,12 +63,11 @@ int security_get_boolean_names(char ***names, int *len)
}
for (i = 0; i < *len; i++) {
- n[i] = (char *)malloc(_D_ALLOC_NAMLEN(namelist[i]));
+ n[i] = strdup(namelist[i]->d_name);
if (!n[i]) {
rc = -1;
goto bad_freen;
}
- strcpy(n[i], namelist[i]->d_name);
}
rc = 0;
*names = n;
diff --git libselinux-2.5/src/callbacks.c libselinux-2.5/src/callbacks.c
index cdf7b63..c3cf98b 100644
--- libselinux-2.5/src/callbacks.c
+++ libselinux-2.5/src/callbacks.c
@@ -16,7 +16,6 @@ default_selinux_log(int type __attribute__((unused)), const char *fmt, ...)
{
int rc;
va_list ap;
- if (is_selinux_enabled() == 0) return 0;
va_start(ap, fmt);
rc = vfprintf(stderr, fmt, ap);
va_end(ap);
diff --git libselinux-2.5/src/canonicalize_context.c libselinux-2.5/src/canonicalize_context.c diff --git libselinux-2.5/src/canonicalize_context.c libselinux-2.5/src/canonicalize_context.c
index 7cf3139..364a746 100644 index 7cf3139..364a746 100644
--- libselinux-2.5/src/canonicalize_context.c --- libselinux-2.5/src/canonicalize_context.c
@ -880,12 +922,14 @@ index b7cff7e..a58bf3f 100755
for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done
rm -f -- temp.aux -.o rm -f -- temp.aux -.o
diff --git libselinux-2.5/src/file_path_suffixes.h libselinux-2.5/src/file_path_suffixes.h diff --git libselinux-2.5/src/file_path_suffixes.h libselinux-2.5/src/file_path_suffixes.h
index d1f9b48..95b228b 100644 index d1f9b48..2d3ca49 100644
--- libselinux-2.5/src/file_path_suffixes.h --- libselinux-2.5/src/file_path_suffixes.h
+++ libselinux-2.5/src/file_path_suffixes.h +++ libselinux-2.5/src/file_path_suffixes.h
@@ -24,6 +24,7 @@ S_(BINPOLICY, "/policy/policy") @@ -23,7 +23,9 @@ S_(BINPOLICY, "/policy/policy")
S_(VIRTUAL_DOMAIN, "/contexts/virtual_domain_context")
S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context") S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context")
S_(LXC_CONTEXTS, "/contexts/lxc_contexts") S_(LXC_CONTEXTS, "/contexts/lxc_contexts")
+ S_(OPENRC_CONTEXTS, "/contexts/openrc_contexts")
S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts") S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts")
+ S_(SNAPPERD_CONTEXTS, "/contexts/snapperd_contexts") + S_(SNAPPERD_CONTEXTS, "/contexts/snapperd_contexts")
S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts") S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts")
@ -911,7 +955,7 @@ index 52707d0..0cbe12d 100644
char * ccontext = NULL; char * ccontext = NULL;
int err = errno; int err = errno;
diff --git libselinux-2.5/src/init.c libselinux-2.5/src/init.c diff --git libselinux-2.5/src/init.c libselinux-2.5/src/init.c
index 3db4de0..3c687a2 100644 index 3db4de0..ddf91f8 100644
--- libselinux-2.5/src/init.c --- libselinux-2.5/src/init.c
+++ libselinux-2.5/src/init.c +++ libselinux-2.5/src/init.c
@@ -11,7 +11,6 @@ @@ -11,7 +11,6 @@
@ -922,7 +966,15 @@ index 3db4de0..3c687a2 100644
#include "dso.h" #include "dso.h"
#include "policy.h" #include "policy.h"
@@ -57,20 +56,15 @@ static int verify_selinuxmnt(const char *mnt) @@ -20,7 +19,6 @@
char *selinux_mnt = NULL;
int selinux_page_size = 0;
-int obj_class_compat = 1;
int has_selinux_config = 0;
@@ -57,20 +55,15 @@ static int verify_selinuxmnt(const char *mnt)
int selinuxfs_exists(void) int selinuxfs_exists(void)
{ {
@ -946,7 +998,7 @@ index 3db4de0..3c687a2 100644
__fsetlocking(fp, FSETLOCKING_BYCALLER); __fsetlocking(fp, FSETLOCKING_BYCALLER);
num = getline(&buf, &len, fp); num = getline(&buf, &len, fp);
@@ -84,14 +78,6 @@ int selinuxfs_exists(void) @@ -84,14 +77,6 @@ int selinuxfs_exists(void)
free(buf); free(buf);
fclose(fp); fclose(fp);
@ -961,6 +1013,583 @@ index 3db4de0..3c687a2 100644
return exists; return exists;
} }
hidden_def(selinuxfs_exists) hidden_def(selinuxfs_exists)
diff --git libselinux-2.5/src/label_file.c libselinux-2.5/src/label_file.c
index 071d902..c243c67 100644
--- libselinux-2.5/src/label_file.c
+++ libselinux-2.5/src/label_file.c
@@ -10,7 +10,6 @@
#include <stdarg.h>
#include <string.h>
#include <stdio.h>
-#include <stdio_ext.h>
#include <ctype.h>
#include <errno.h>
#include <limits.h>
@@ -97,62 +96,42 @@ static int nodups_specs(struct saved_data *data, const char *path)
return rc;
}
-static int load_mmap(struct selabel_handle *rec, const char *path,
- struct stat *sb, bool isbinary,
- struct selabel_digest *digest)
+static int process_text_file(FILE *fp, const char *prefix,
+ struct selabel_handle *rec, const char *path)
+{
+ int rc;
+ size_t line_len;
+ unsigned int lineno = 0;
+ char *line_buf = NULL;
+
+ while (getline(&line_buf, &line_len, fp) > 0) {
+ rc = process_line(rec, path, prefix, line_buf, ++lineno);
+ if (rc)
+ goto out;
+ }
+ rc = 0;
+out:
+ free(line_buf);
+ return rc;
+}
+
+static int load_mmap(FILE *fp, size_t len, struct selabel_handle *rec,
+ const char *path)
{
struct saved_data *data = (struct saved_data *)rec->data;
- char mmap_path[PATH_MAX + 1];
- int mmapfd;
int rc;
- struct stat mmap_stat;
char *addr, *str_buf;
- size_t len;
int *stem_map;
struct mmap_area *mmap_area;
uint32_t i, magic, version;
uint32_t entry_len, stem_map_len, regex_array_len;
- if (isbinary) {
- len = strlen(path);
- if (len >= sizeof(mmap_path))
- return -1;
- strcpy(mmap_path, path);
- } else {
- rc = snprintf(mmap_path, sizeof(mmap_path), "%s.bin", path);
- if (rc >= (int)sizeof(mmap_path))
- return -1;
- }
-
- mmapfd = open(mmap_path, O_RDONLY | O_CLOEXEC);
- if (mmapfd < 0)
- return -1;
-
- rc = fstat(mmapfd, &mmap_stat);
- if (rc < 0) {
- close(mmapfd);
- return -1;
- }
-
- /* if mmap is old, ignore it */
- if (mmap_stat.st_mtime < sb->st_mtime) {
- close(mmapfd);
- return -1;
- }
-
- /* ok, read it in... */
- len = mmap_stat.st_size;
- len += (sysconf(_SC_PAGE_SIZE) - 1);
- len &= ~(sysconf(_SC_PAGE_SIZE) - 1);
-
mmap_area = malloc(sizeof(*mmap_area));
if (!mmap_area) {
- close(mmapfd);
return -1;
}
- addr = mmap(NULL, len, PROT_READ, MAP_PRIVATE, mmapfd, 0);
- close(mmapfd);
+ addr = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fileno(fp), 0);
if (addr == MAP_FAILED) {
free(mmap_area);
perror("mmap");
@@ -227,7 +206,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
rc = next_entry(&stem_len, mmap_area, sizeof(uint32_t));
if (rc < 0 || !stem_len) {
rc = -1;
- goto err;
+ goto out;
}
/* Check for stem_len wrap around. */
@@ -236,15 +215,15 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
/* Check if over-run before null check. */
rc = next_entry(NULL, mmap_area, (stem_len + 1));
if (rc < 0)
- goto err;
+ goto out;
if (buf[stem_len] != '\0') {
rc = -1;
- goto err;
+ goto out;
}
} else {
rc = -1;
- goto err;
+ goto out;
}
/* store the mapping between old and new */
@@ -253,7 +232,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
newid = store_stem(data, buf, stem_len);
if (newid < 0) {
rc = newid;
- goto err;
+ goto out;
}
data->stem_arr[newid].from_mmap = 1;
}
@@ -264,7 +243,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
rc = next_entry(&regex_array_len, mmap_area, sizeof(uint32_t));
if (rc < 0 || !regex_array_len) {
rc = -1;
- goto err;
+ goto out;
}
for (i = 0; i < regex_array_len; i++) {
@@ -274,7 +253,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
rc = grow_specs(data);
if (rc < 0)
- goto err;
+ goto out;
spec = &data->spec_arr[data->nspec];
spec->from_mmap = 1;
@@ -284,30 +263,31 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t));
if (rc < 0 || !entry_len) {
rc = -1;
- goto err;
+ goto out;
}
str_buf = malloc(entry_len);
if (!str_buf) {
rc = -1;
- goto err;
+ goto out;
}
rc = next_entry(str_buf, mmap_area, entry_len);
if (rc < 0)
- goto err;
+ goto out;
if (str_buf[entry_len - 1] != '\0') {
free(str_buf);
rc = -1;
- goto err;
+ goto out;
}
spec->lr.ctx_raw = str_buf;
if (strcmp(spec->lr.ctx_raw, "<<none>>") && rec->validating) {
if (selabel_validate(rec, &spec->lr) < 0) {
selinux_log(SELINUX_ERROR,
- "%s: context %s is invalid\n", mmap_path, spec->lr.ctx_raw);
- goto err;
+ "%s: context %s is invalid\n",
+ path, spec->lr.ctx_raw);
+ goto out;
}
}
@@ -315,17 +295,17 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t));
if (rc < 0 || !entry_len) {
rc = -1;
- goto err;
+ goto out;
}
spec->regex_str = (char *)mmap_area->next_addr;
rc = next_entry(NULL, mmap_area, entry_len);
if (rc < 0)
- goto err;
+ goto out;
if (spec->regex_str[entry_len - 1] != '\0') {
rc = -1;
- goto err;
+ goto out;
}
/* Process mode */
@@ -334,14 +314,14 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
else
rc = next_entry(&mode, mmap_area, sizeof(mode_t));
if (rc < 0)
- goto err;
+ goto out;
spec->mode = mode;
/* map the stem id from the mmap file to the data->stem_arr */
rc = next_entry(&stem_id, mmap_area, sizeof(int32_t));
if (rc < 0)
- goto err;
+ goto out;
if (stem_id < 0 || stem_id >= (int32_t)stem_map_len)
spec->stem_id = -1;
@@ -351,7 +331,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
/* retrieve the hasMetaChars bit */
rc = next_entry(&meta_chars, mmap_area, sizeof(uint32_t));
if (rc < 0)
- goto err;
+ goto out;
spec->hasMetaChars = meta_chars;
/* and prefix length for use by selabel_lookup_best_match */
@@ -359,7 +339,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
rc = next_entry(&prefix_len, mmap_area,
sizeof(uint32_t));
if (rc < 0)
- goto err;
+ goto out;
spec->prefix_len = prefix_len;
}
@@ -368,143 +348,207 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t));
if (rc < 0 || !entry_len) {
rc = -1;
- goto err;
+ goto out;
}
spec->regex = (pcre *)mmap_area->next_addr;
rc = next_entry(NULL, mmap_area, entry_len);
if (rc < 0)
- goto err;
+ goto out;
/* Check that regex lengths match. pcre_fullinfo()
* also validates its magic number. */
rc = pcre_fullinfo(spec->regex, NULL, PCRE_INFO_SIZE, &len);
if (rc < 0 || len != entry_len) {
rc = -1;
- goto err;
+ goto out;
}
rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t));
if (rc < 0 || !entry_len) {
rc = -1;
- goto err;
+ goto out;
}
- spec->lsd.study_data = (void *)mmap_area->next_addr;
- spec->lsd.flags |= PCRE_EXTRA_STUDY_DATA;
- rc = next_entry(NULL, mmap_area, entry_len);
- if (rc < 0)
- goto err;
- /* Check that study data lengths match. */
- rc = pcre_fullinfo(spec->regex, &spec->lsd,
- PCRE_INFO_STUDYSIZE, &len);
- if (rc < 0 || len != entry_len) {
- rc = -1;
- goto err;
+ if (entry_len) {
+ spec->lsd.study_data = (void *)mmap_area->next_addr;
+ spec->lsd.flags |= PCRE_EXTRA_STUDY_DATA;
+ rc = next_entry(NULL, mmap_area, entry_len);
+ if (rc < 0)
+ goto out;
+
+ /* Check that study data lengths match. */
+ rc = pcre_fullinfo(spec->regex, &spec->lsd,
+ PCRE_INFO_STUDYSIZE, &len);
+ if (rc < 0 || len != entry_len) {
+ rc = -1;
+ goto out;
+ }
}
data->nspec++;
}
- rc = digest_add_specfile(digest, NULL, addr, mmap_stat.st_size,
- mmap_path);
- if (rc)
- goto err;
-
-err:
+ rc = 0;
+out:
free(stem_map);
return rc;
}
-static int process_file(const char *path, const char *suffix,
- struct selabel_handle *rec,
- const char *prefix, struct selabel_digest *digest)
-{
- FILE *fp;
+struct file_details {
+ const char *suffix;
struct stat sb;
- unsigned int lineno;
- size_t line_len = 0;
- char *line_buf = NULL;
- int rc;
- char stack_path[PATH_MAX + 1];
- bool isbinary = false;
+};
+
+static char *rolling_append(char *current, const char *suffix, size_t max)
+{
+ size_t size;
+ size_t suffix_size;
+ size_t current_size;
+
+ if (!suffix)
+ return current;
+
+ current_size = strlen(current);
+ suffix_size = strlen(suffix);
+
+ size = current_size + suffix_size;
+ if (size < current_size || size < suffix_size)
+ return NULL;
+
+ /* ensure space for the '.' and the '\0' characters. */
+ if (size >= (SIZE_MAX - 2))
+ return NULL;
+
+ size += 2;
+
+ if (size > max)
+ return NULL;
+
+ /* Append any given suffix */
+ char *to = current + current_size;
+ *to++ = '.';
+ strcpy(to, suffix);
+
+ return current;
+}
+
+static bool fcontext_is_binary(FILE *fp)
+{
uint32_t magic;
- /* append the path suffix if we have one */
- if (suffix) {
- rc = snprintf(stack_path, sizeof(stack_path),
- "%s.%s", path, suffix);
- if (rc >= (int)sizeof(stack_path)) {
- errno = ENAMETOOLONG;
- return -1;
- }
- path = stack_path;
+ size_t len = fread(&magic, sizeof(magic), 1, fp);
+ rewind(fp);
+
+ return (len && (magic == SELINUX_MAGIC_COMPILED_FCONTEXT));
+}
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+
+static FILE *open_file(const char *path, const char *suffix,
+ char *save_path, size_t len, struct stat *sb, bool open_oldest)
+{
+ unsigned int i;
+ int rc;
+ char stack_path[len];
+ struct file_details *found = NULL;
+
+ /*
+ * Rolling append of suffix. Try to open with path.suffix then the
+ * next as path.suffix.suffix and so forth.
+ */
+ struct file_details fdetails[2] = {
+ { .suffix = suffix },
+ { .suffix = "bin" }
+ };
+
+ rc = snprintf(stack_path, sizeof(stack_path), "%s", path);
+ if (rc >= (int) sizeof(stack_path)) {
+ errno = ENAMETOOLONG;
+ return NULL;
}
- /* Open the specification file. */
- fp = fopen(path, "r");
- if (fp) {
- __fsetlocking(fp, FSETLOCKING_BYCALLER);
+ for (i = 0; i < ARRAY_SIZE(fdetails); i++) {
- if (fstat(fileno(fp), &sb) < 0)
- return -1;
- if (!S_ISREG(sb.st_mode)) {
- errno = EINVAL;
- return -1;
- }
+ /* This handles the case if suffix is null */
+ path = rolling_append(stack_path, fdetails[i].suffix,
+ sizeof(stack_path));
+ if (!path)
+ return NULL;
- magic = 0;
- if (fread(&magic, sizeof magic, 1, fp) != 1) {
- if (ferror(fp)) {
- errno = EINVAL;
- fclose(fp);
- return -1;
- }
- clearerr(fp);
- }
+ rc = stat(path, &fdetails[i].sb);
+ if (rc)
+ continue;
- if (magic == SELINUX_MAGIC_COMPILED_FCONTEXT) {
- /* file_contexts.bin format */
- fclose(fp);
- fp = NULL;
- isbinary = true;
- } else {
- rewind(fp);
+ /* first file thing found, just take it */
+ if (!found) {
+ strcpy(save_path, path);
+ found = &fdetails[i];
+ continue;
}
- } else {
+
/*
- * Text file does not exist, so clear the timestamp
- * so that we will always pass the timestamp comparison
- * with the bin file in load_mmap().
+ * Keep picking the newest file found. Where "newest"
+ * includes equality. This provides a precedence on
+ * secondary suffixes even when the timestamp is the
+ * same. Ie choose file_contexts.bin over file_contexts
+ * even if the time stamp is the same. Invert this logic
+ * on open_oldest set to true. The idea is that if the
+ * newest file failed to process, we can attempt to
+ * process the oldest. The logic here is subtle and depends
+ * on the array ordering in fdetails for the case when time
+ * stamps are the same.
*/
- sb.st_mtime = 0;
+ if (open_oldest ^
+ (fdetails[i].sb.st_mtime >= found->sb.st_mtime)) {
+ found = &fdetails[i];
+ strcpy(save_path, path);
+ }
}
- rc = load_mmap(rec, path, &sb, isbinary, digest);
- if (rc == 0)
- goto out;
+ if (!found) {
+ errno = ENOENT;
+ return NULL;
+ }
+
+ memcpy(sb, &found->sb, sizeof(*sb));
+ return fopen(save_path, "r");
+}
- if (!fp)
- return -1; /* no text or bin file */
+static int process_file(const char *path, const char *suffix,
+ struct selabel_handle *rec,
+ const char *prefix, struct selabel_digest *digest)
+{
+ int rc;
+ unsigned int i;
+ struct stat sb;
+ FILE *fp = NULL;
+ char found_path[PATH_MAX];
/*
- * Then do detailed validation of the input and fill the spec array
+ * On the first pass open the newest modified file. If it fails to
+ * process, then the second pass shall open the oldest file. If both
+ * passes fail, then it's a fatal error.
*/
- lineno = 0;
- rc = 0;
- while (getline(&line_buf, &line_len, fp) > 0) {
- rc = process_line(rec, path, prefix, line_buf, ++lineno);
- if (rc)
- goto out;
- }
+ for (i = 0; i < 2; i++) {
+ fp = open_file(path, suffix, found_path, sizeof(found_path),
+ &sb, i > 0);
+ if (fp == NULL)
+ return -1;
- rc = digest_add_specfile(digest, fp, NULL, sb.st_size, path);
+ rc = fcontext_is_binary(fp) ?
+ load_mmap(fp, sb.st_size, rec, found_path) :
+ process_text_file(fp, prefix, rec, found_path);
+ if (!rc)
+ rc = digest_add_specfile(digest, fp, NULL, sb.st_size,
+ found_path);
-out:
- free(line_buf);
- if (fp)
fclose(fp);
- return rc;
+
+ if (!rc)
+ return 0;
+ }
+ return -1;
}
static void closef(struct selabel_handle *rec);
diff --git libselinux-2.5/src/label_file.h libselinux-2.5/src/label_file.h
index 72fed1f..6d1e890 100644
--- libselinux-2.5/src/label_file.h
+++ libselinux-2.5/src/label_file.h
@@ -80,9 +80,12 @@ struct saved_data {
static inline pcre_extra *get_pcre_extra(struct spec *spec)
{
- if (spec->from_mmap)
- return &spec->lsd;
- else
+ if (spec->from_mmap) {
+ if (spec->lsd.study_data)
+ return &spec->lsd;
+ else
+ return NULL;
+ } else
return spec->sd;
}
diff --git libselinux-2.5/src/label_internal.h libselinux-2.5/src/label_internal.h
index aa48fff..0827ef6 100644
--- libselinux-2.5/src/label_internal.h
+++ libselinux-2.5/src/label_internal.h
@@ -124,7 +124,7 @@ selabel_validate(struct selabel_handle *rec,
*/
extern int myprintf_compat;
extern void __attribute__ ((format(printf, 1, 2)))
-(*myprintf) (const char *fmt, ...);
+(*myprintf) (const char *fmt, ...) hidden;
#define COMPAT_LOG(type, fmt...) if (myprintf_compat) \
myprintf(fmt); \
diff --git libselinux-2.5/src/load_policy.c libselinux-2.5/src/load_policy.c diff --git libselinux-2.5/src/load_policy.c libselinux-2.5/src/load_policy.c
index 21ee58b..4f39fc7 100644 index 21ee58b..4f39fc7 100644
--- libselinux-2.5/src/load_policy.c --- libselinux-2.5/src/load_policy.c
@ -1065,6 +1694,25 @@ index 5b495a0..a2f2c3e 100644
rc = lgetfilecon_raw(path, &con); rc = lgetfilecon_raw(path, &con);
if (rc == -1) { if (rc == -1) {
diff --git libselinux-2.5/src/policy.h libselinux-2.5/src/policy.h
index bf270b5..f6d7242 100644
--- libselinux-2.5/src/policy.h
+++ libselinux-2.5/src/policy.h
@@ -3,8 +3,13 @@
/* Private definitions used internally by libselinux. */
-/* xattr name for SELinux attributes. */
+/*
+ * xattr name for SELinux attributes.
+ * This may have been exported via Kernel uapi header.
+ */
+#ifndef XATTR_NAME_SELINUX
#define XATTR_NAME_SELINUX "security.selinux"
+#endif
/* Initial length guess for getting contexts. */
#define INITCONTEXTLEN 255
diff --git libselinux-2.5/src/procattr.c libselinux-2.5/src/procattr.c diff --git libselinux-2.5/src/procattr.c libselinux-2.5/src/procattr.c
index 527a0a5..eee4612 100644 index 527a0a5..eee4612 100644
--- libselinux-2.5/src/procattr.c --- libselinux-2.5/src/procattr.c
@ -1116,20 +1764,35 @@ index 527a0a5..eee4612 100644
all_selfattr_def(con, current) all_selfattr_def(con, current)
diff --git libselinux-2.5/src/selinux_config.c libselinux-2.5/src/selinux_config.c diff --git libselinux-2.5/src/selinux_config.c libselinux-2.5/src/selinux_config.c
index bec5f3b..c519a77 100644 index bec5f3b..88bcc85 100644
--- libselinux-2.5/src/selinux_config.c --- libselinux-2.5/src/selinux_config.c
+++ libselinux-2.5/src/selinux_config.c +++ libselinux-2.5/src/selinux_config.c
@@ -50,7 +50,8 @@ @@ -50,7 +50,9 @@
#define BOOLEAN_SUBS 27 #define BOOLEAN_SUBS 27
#define OPENSSH_CONTEXTS 28 #define OPENSSH_CONTEXTS 28
#define SYSTEMD_CONTEXTS 29 #define SYSTEMD_CONTEXTS 29
-#define NEL 30 -#define NEL 30
+#define SNAPPERD_CONTEXTS 30 +#define SNAPPERD_CONTEXTS 30
+#define NEL 31 +#define OPENRC_CONTEXTS 31
+#define NEL 32
/* Part of one-time lazy init */ /* Part of one-time lazy init */
static pthread_once_t once = PTHREAD_ONCE_INIT; static pthread_once_t once = PTHREAD_ONCE_INIT;
@@ -499,6 +500,13 @@ const char *selinux_openssh_contexts_path(void) @@ -492,6 +494,13 @@ const char *selinux_lxc_contexts_path(void)
hidden_def(selinux_lxc_contexts_path)
+const char *selinux_openrc_contexts_path(void)
+{
+ return get_path(OPENRC_CONTEXTS);
+}
+
+hidden_def(selinux_openrc_contexts_path)
+
const char *selinux_openssh_contexts_path(void)
{
return get_path(OPENSSH_CONTEXTS);
@@ -499,6 +508,13 @@ const char *selinux_openssh_contexts_path(void)
hidden_def(selinux_openssh_contexts_path) hidden_def(selinux_openssh_contexts_path)
@ -1144,12 +1807,14 @@ index bec5f3b..c519a77 100644
{ {
return get_path(SYSTEMD_CONTEXTS); return get_path(SYSTEMD_CONTEXTS);
diff --git libselinux-2.5/src/selinux_internal.h libselinux-2.5/src/selinux_internal.h diff --git libselinux-2.5/src/selinux_internal.h libselinux-2.5/src/selinux_internal.h
index 46566f6..9b9145c 100644 index 46566f6..3d5c9fb 100644
--- libselinux-2.5/src/selinux_internal.h --- libselinux-2.5/src/selinux_internal.h
+++ libselinux-2.5/src/selinux_internal.h +++ libselinux-2.5/src/selinux_internal.h
@@ -84,6 +84,7 @@ hidden_proto(selinux_mkload_policy) @@ -83,7 +83,9 @@ hidden_proto(selinux_mkload_policy)
hidden_proto(selinux_media_context_path)
hidden_proto(selinux_x_context_path) hidden_proto(selinux_x_context_path)
hidden_proto(selinux_sepgsql_context_path) hidden_proto(selinux_sepgsql_context_path)
+ hidden_proto(selinux_openrc_contexts_path)
hidden_proto(selinux_openssh_contexts_path) hidden_proto(selinux_openssh_contexts_path)
+ hidden_proto(selinux_snapperd_contexts_path) + hidden_proto(selinux_snapperd_contexts_path)
hidden_proto(selinux_systemd_contexts_path) hidden_proto(selinux_systemd_contexts_path)
@ -1191,3 +1856,63 @@ index 060eaab..ed3bf0b 100644
selinuxenabled selinuxenabled
selinuxexeccon selinuxexeccon
setenforce setenforce
diff --git libselinux-2.5/utils/Makefile libselinux-2.5/utils/Makefile
index cf7af52..8497cb4 100644
--- libselinux-2.5/utils/Makefile
+++ libselinux-2.5/utils/Makefile
@@ -3,6 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
LIBDIR ?= $(PREFIX)/lib
USRBINDIR ?= $(PREFIX)/sbin
SBINDIR ?= $(DESTDIR)/sbin
+INCLUDEDIR ?= $(PREFIX)/include
MAX_STACK_SIZE=8192
CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissing-include-dirs \
@@ -23,7 +24,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi
-fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \
-fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \
-Werror -Wno-aggregate-return -Wno-redundant-decls
-override CFLAGS += -I../include -D_GNU_SOURCE $(EMFLAGS)
+override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS)
LDLIBS += -L../src -lselinux -L$(LIBDIR)
TARGETS=$(patsubst %.c,%,$(wildcard *.c))
diff --git libselinux-2.5/utils/sefcontext_compile.c libselinux-2.5/utils/sefcontext_compile.c
index d2578b6..fd6fb78 100644
--- libselinux-2.5/utils/sefcontext_compile.c
+++ libselinux-2.5/utils/sefcontext_compile.c
@@ -228,10 +228,13 @@ static int write_binary_file(struct saved_data *data, int fd)
if (len != to_write)
goto err;
- /* determine the size of the pcre study info */
- rc = pcre_fullinfo(re, sd, PCRE_INFO_STUDYSIZE, &size);
- if (rc < 0)
- goto err;
+ if (sd) {
+ /* determine the size of the pcre study info */
+ rc = pcre_fullinfo(re, sd, PCRE_INFO_STUDYSIZE, &size);
+ if (rc < 0)
+ goto err;
+ } else
+ size = 0;
/* write the number of bytes in the pcre study data */
to_write = size;
@@ -239,10 +242,12 @@ static int write_binary_file(struct saved_data *data, int fd)
if (len != 1)
goto err;
- /* write the actual pcre study data as a char array */
- len = fwrite(sd->study_data, 1, to_write, bin_file);
- if (len != to_write)
- goto err;
+ if (sd) {
+ /* write the actual pcre study data as a char array */
+ len = fwrite(sd->study_data, 1, to_write, bin_file);
+ if (len != to_write)
+ goto err;
+ }
}
rc = 0;

View File

@ -3,13 +3,13 @@
%endif %endif
%define ruby_inc %(pkg-config --cflags ruby) %define ruby_inc %(pkg-config --cflags ruby)
%define libsepolver 2.5-9 %define libsepolver 2.5-10
%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
Summary: SELinux library and simple utilities Summary: SELinux library and simple utilities
Name: libselinux Name: libselinux
Version: 2.5 Version: 2.5
Release: 11%{?dist} Release: 12%{?dist}
License: Public Domain License: Public Domain
Group: System Environment/Libraries Group: System Environment/Libraries
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
@ -20,7 +20,7 @@ Url: https://github.com/SELinuxProject/selinux/wiki
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run: # run:
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh libselinux # $ VERSION=2.5 ./make-fedora-selinux-patch.sh libselinux
# HEAD https://github.com/fedora-selinux/selinux/commit/9eb71873eb6e6073228257abbeb42f61b2719336 # HEAD https://github.com/fedora-selinux/selinux/commit/caefad506ca46db441952ab64ebfc6202897516b
Patch1: libselinux-fedora.patch Patch1: libselinux-fedora.patch
BuildRequires: pkgconfig python python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel BuildRequires: pkgconfig python python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel
%if 0%{?with_python3} %if 0%{?with_python3}
@ -256,6 +256,18 @@ rm -rf %{buildroot}
%{ruby_vendorarchdir}/selinux.so %{ruby_vendorarchdir}/selinux.so
%changelog %changelog
* Mon Oct 03 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-12
- Fix -Wsign-compare warnings
- Drop unused stdio_ext.h header file
- Kill logging check for selinux_enabled()
- Drop usage of _D_ALLOC_NAMLEN
- Add openrc_contexts functions
- Fix redefinition of XATTR_NAME_SELINUX
- Correct error path to always try text
- Clean up process_file()
- Handle NULL pcre study data
- Fix in tree compilation of utils that depend on libsepol
* Mon Aug 01 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-11 * Mon Aug 01 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-11
- Rebuilt with libsepol-2.5-9 - Rebuilt with libsepol-2.5-9