From 5f9e3146a2bd4e0156d21f876fe257145a317f68 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Mon, 25 Nov 2013 15:24:16 -0500
Subject: [PATCH] Update to upstream * Remove -lpthread from pkg-config file; it is not required.
---
 .gitignore | 1 +
 libselinux-rhat.patch | 201 ++++++++++++++++++++++++++++++++++++++++++
 libselinux.spec | 6 +-
 sources | 2 +-
 4 files changed, 208 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index c3bf9bd..2e9cec3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -196,3 +196,4 @@ libselinux-2.0.96.tgz
 /libselinux-2.1.12.tgz
 /libselinux-2.1.13.tgz
 /libselinux-2.2.tgz
+/libselinux-2.2.1.tgz
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index 1789ec0..c43fe51 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -1,3 +1,204 @@
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index 02dd829..6dfdb46 100644
+--- a/libselinux/src/Makefile
++++ b/libselinux/src/Makefile
+@@ -114,7 +114,7 @@ $(LIBA): $(OBJS)
+ $(RANLIB) $@
+
+ $(LIBSO): $(LOBJS)
+- $(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
++ $(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -llzma -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
+ ln -sf $@ $(TARGET)
+
+ $(LIBPC): $(LIBPC).in ../VERSION
+diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
+index e419f1a..fdeca93 100644
+--- a/libselinux/src/load_policy.c
++++ b/libselinux/src/load_policy.c
+@@ -16,6 +16,82 @@
+ #include
+ #include "policy.h"
+ #include
++#include
++
++static char *lzmaread(int fd, size_t *rsize) {
++ int capacity = 64*1024;
++ char *buf = NULL;
++ int tmpsize = 8 * 1024;
++ unsigned char tmp[tmpsize];
++ unsigned char tmp_out[tmpsize];
++ size_t size = 0;
++ lzma_stream strm = LZMA_STREAM_INIT;
++ lzma_action action = LZMA_RUN;
++ lzma_ret ret;
++
++ FILE *stream = fdopen (fd, "r");
++ if (!stream) {
++ return NULL;
++ }
++ ret = lzma_stream_decoder(&strm, UINT64_MAX,
++ LZMA_CONCATENATED);
++
++ strm.avail_in = 0;
++ strm.next_out = tmp_out;
++ strm.avail_out = tmpsize;
++
++ buf = (char *) malloc (capacity);
++ if (!buf)
++ goto err;
++
++ while (1) {
++ if (strm.avail_in == 0) {
++ strm.next_in = tmp;
++ strm.avail_in = fread(tmp, 1, tmpsize, stream);
++
++ if (ferror(stream)) {
++ // POSIX says that fread() sets errno if
++ // an error occurred. ferror() doesn't
++ // touch errno.
++ goto err;
++ }
++ if (feof(stream)) action = LZMA_FINISH;
++ }
++
++ ret = lzma_code(&strm, action);
++
++ // Write and check write error before checking decoder error.
++ // This way as much data as possible gets written to output
++ // even if decoder detected an error.
++ if (strm.avail_out == 0 || ret != LZMA_OK) {
++ const size_t num = tmpsize - strm.avail_out;
++ if (num > capacity) {
++ buf = (char*) realloc (buf, size*2);
++ capacity = size;
++ }
++ memcpy (buf+size, tmp_out, num);
++ capacity -= num;
++ size += num;
++ strm.next_out = tmp_out;
++ strm.avail_out = tmpsize;
++ }
++ if (ret != LZMA_OK) {
++ if (ret == LZMA_STREAM_END) {
++ break;
++ } else {
++ goto err;
++ }
++ }
++ }
++ *rsize = size;
++
++ goto exit;
++err:
++ free(buf); buf = NULL;
++exit:
++ lzma_end(&strm);
++ return buf;
++}
+
+ int security_load_policy(void *data, size_t len)
+ {
+@@ -55,7 +131,7 @@ int selinux_mkload_policy(int preservebools)
+ struct stat sb;
+ struct utsname uts;
+ size_t size;
+- void *map, *data;
++ void *map = NULL, *data=NULL;
+ int fd, rc = -1, prot;
+ sepol_policydb_t *policydb;
+ sepol_policy_file_t *pf;
+@@ -181,24 +257,28 @@ checkbool:
+ goto dlclose;
+ }
+
+- if (fstat(fd, &sb) < 0) {
+- fprintf(stderr,
+- "SELinux: Could not stat policy file %s: %s\n",
+- path, strerror(errno));
+- goto close;
+- }
+-
+- prot = PROT_READ;
+- if (setlocaldefs || preservebools)
+- prot |= PROT_WRITE;
++ data = lzmaread(fd,&size);
+
+- size = sb.st_size;
+- data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0);
+- if (map == MAP_FAILED) {
+- fprintf(stderr,
+- "SELinux: Could not map policy file %s: %s\n",
++ if (!data) {
++ if (fstat(fd, &sb) < 0) {
++ fprintf(stderr,
++ "SELinux: Could not stat policy file %s: %s\n",
+ path, strerror(errno));
+- goto close;
++ goto close;
++ }
++
++ prot = PROT_READ;
++ if (setlocaldefs || preservebools)
++ prot |= PROT_WRITE;
++
++ size = sb.st_size;
++ data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0);
++ if (map == MAP_FAILED) {
++ fprintf(stderr,
++ "SELinux: Could not map policy file %s: %s\n",
++ path, strerror(errno));
++ goto close;
++ }
+ }
+
+ if (vers > kernvers && usesepol) {
+@@ -210,6 +290,8 @@ checkbool:
+ goto unmap;
+ }
+ policy_file_set_mem(pf, data, size);
++ if (!map)
++ free(data);
+ if (policydb_read(policydb, pf)) {
+ policy_file_free(pf);
+ policydb_free(policydb);
+@@ -223,7 +305,8 @@ checkbool:
+ path);
+ policy_file_free(pf);
+ policydb_free(policydb);
+- munmap(map, sb.st_size);
++ if (map)
++ munmap(map, sb.st_size);
+ close(fd);
+ vers--;
+ goto search;
+@@ -275,7 +358,7 @@ checkbool:
+ #endif
+ }
+
+-
++
+ rc = security_load_policy(data, size);
+
+ if (rc)
+@@ -286,7 +369,8 @@ checkbool:
+ unmap:
+ if (data != map)
+ free(data);
+- munmap(map, sb.st_size);
++ if (map)
++ munmap(map, sb.st_size);
+ close:
+ close(fd);
+ dlclose:
+@@ -410,7 +494,7 @@ int selinux_init_load_policy(int *enforce)
+ * already mounted and selinuxmnt set above.
+ */
+
+- if (seconfig == -1) {
++ if (*enforce == -1) {
+ /* Runtime disable of SELinux. */
+ rc = security_disable();
+ if (rc == 0) {
 diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
 index 2d7369e..2a00807 100644
 --- a/libselinux/src/matchpathcon.c
diff --git a/libselinux.spec b/libselinux.spec
index 40773ec..2403b2d 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -9,7 +9,7 @@ Summary: SELinux library and simple utilities
 Name: libselinux
-Version: 2.2
+Version: 2.2.1
 Release: 1%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
@@ -240,6 +240,10 @@ rm -rf %{buildroot} %{ruby_sitearch}/selinux.so %changelog
+* Mon Nov 25 2013 Dan Walsh - 2.2.1-1
+- Update to upstream
+ * Remove -lpthread from pkg-config file; it is not required.
+
 * Thu Oct 31 2013 Dan Walsh - 2.2-1
 - Update to upstream
 * Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
diff --git a/sources b/sources
index c3fa66e..0d56678 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-a970226626784d4ee760fd848cc5ca91 libselinux-2.2.tgz
+ada793adfb5683672f9cc8a99447939d libselinux-2.2.1.tgz
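Review bot: In the inner hunk at `@@ -210,6 +290,8 @@` of load_policy.c, the added `if (!map) free(data);` releases the buffer returned by lzmaread() right after `policy_file_set_mem(pf, data, size)` and before `policydb_read(policydb, pf)`, so unless policy_file_set_mem copies the data (not visible here) the policy is parsed from freed memory. `data` also keeps the stale pointer, and the existing `if (data != map) free(data);` under `unmap:` would free it a second time if an error path after policydb_read reaches that label; the rest of that branch lies outside the hunk. I would drop the two added lines and let the `unmap:` cleanup release the buffer, adding `if (data != map) free(data);` beside the guarded `munmap` on the retry path at `@@ -223,7 +305,8 @@` (assuming `data` is unchanged there) so the decompressed copy is not leaked before `goto search`. Separately, lzmaread() uses the results of `realloc` and `lzma_stream_decoder` unchecked: a failed `realloc` overwrites `buf` with NULL and the following `memcpy` writes through it.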