This commit is contained in:
Daniel J Walsh 2005-10-17 18:19:07 +00:00
parent d5c6e72c48
commit 61427961fc
4 changed files with 161 additions and 259 deletions

View File

@ -53,3 +53,4 @@ libselinux-1.27.4.tgz
libselinux-1.27.6.tgz
libselinux-1.27.7.tgz
libselinux-1.27.9.tgz
libselinux-1.27.10.tgz

View File

@ -1,264 +1,159 @@
diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.27.1/include/selinux/selinux.h
--- nsalibselinux/include/selinux/selinux.h 2005-09-01 11:17:40.000000000 -0400
+++ libselinux-1.27.1/include/selinux/selinux.h 2005-09-29 14:46:48.000000000 -0400
@@ -323,6 +323,7 @@
extern const char *selinux_booleans_path(void);
extern const char *selinux_customizable_types_path(void);
extern const char *selinux_users_path(void);
+extern const char *selinux_usersconf_path(void);
diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/get_context_list.h libselinux-1.27.10/include/selinux/get_context_list.h
--- nsalibselinux/include/selinux/get_context_list.h 2005-09-19 13:36:06.000000000 -0400
+++ libselinux-1.27.10/include/selinux/get_context_list.h 2005-10-17 13:48:00.000000000 -0400
@@ -54,6 +54,15 @@
security_context_t fromcon,
security_context_t *newcon);
/* Check a permission in the passwd class.
Return 0 if granted or -1 otherwise. */
@@ -354,6 +355,12 @@
extern int selinux_raw_to_trans_context(security_context_t raw,
security_context_t *transp);
+/* Same as get_default_context, but only return a context
+ that has the specified role and level. If no reachable context exists
+ for the user with that role, then return -1. */
+int get_default_context_with_rolelevel(const char* user,
+ const char *level,
+ const char *role,
+ security_context_t fromcon,
+ security_context_t *newcon);
+
/* Given a list of authorized security contexts for the user,
query the user to select one and set *newcon to refer to it.
Caller must free via freecon.
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/get_default_context_with_level.3 libselinux-1.27.10/man/man3/get_default_context_with_level.3
--- nsalibselinux/man/man3/get_default_context_with_level.3 1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.27.10/man/man3/get_default_context_with_level.3 2005-10-17 13:58:54.000000000 -0400
@@ -0,0 +1 @@
+.so man3/get_ordered_context_list.3
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/get_default_context_with_rolelevel.3 libselinux-1.27.10/man/man3/get_default_context_with_rolelevel.3
--- nsalibselinux/man/man3/get_default_context_with_rolelevel.3 1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.27.10/man/man3/get_default_context_with_rolelevel.3 2005-10-17 13:58:41.000000000 -0400
@@ -0,0 +1 @@
+.so man3/get_ordered_context_list.3
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/get_ordered_context_list.3 libselinux-1.27.10/man/man3/get_ordered_context_list.3
--- nsalibselinux/man/man3/get_ordered_context_list.3 2005-04-29 14:06:50.000000000 -0400
+++ libselinux-1.27.10/man/man3/get_ordered_context_list.3 2005-10-17 13:57:48.000000000 -0400
@@ -1,6 +1,6 @@
.TH "get_ordered_context_list" "3" "1 January 2004" "russell@coker.com.au" "SE Linux"
.SH "NAME"
-get_ordered_context_list, get_default_context, get_default_context_with_role, query_user_context, manual_user_enter_context, get_default_role \- determine context(s) for user sessions
+get_ordered_context_list, get_ordered_context_list_with_level, get_default_context, get_default_context_with_level, get_default_context_with_role, get_default_context_with_rolelevel, query_user_context, manual_user_enter_context, get_default_role \- determine context(s) for user sessions
+
+/* the following functions are used to retrieve the SELinux user and their
+ security level via the Linux usernames selinux */
+
+extern int getseuserbyname(const char *name, char **seuser, char **level);
+
#ifdef __cplusplus
}
#endif
diff --exclude-from=exclude -N -u -r nsalibselinux/man/Makefile libselinux-1.27.1/man/Makefile
--- nsalibselinux/man/Makefile 2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.27.1/man/Makefile 2005-09-28 14:32:16.000000000 -0400
@@ -8,3 +8,6 @@
install -m 644 man3/*.3 $(MAN3DIR)
install -m 644 man8/*.8 $(MAN8DIR)
+clean:
+ -rm -f *~ \#*
+ -rm -f man8/*~ man8/\#*
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/getseuserbyname.3 libselinux-1.27.1/man/man3/getseuserbyname.3
--- nsalibselinux/man/man3/getseuserbyname.3 1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.27.1/man/man3/getseuserbyname.3 2005-09-29 15:09:57.000000000 -0400
@@ -0,0 +1,21 @@
+.TH "getseuserbyname" "3" "29 September 2005" "dwalsh@redhat.com" "SE Linux API documentation"
+.SH "NAME"
+getseuserbyname \- get SELinux user and level via Linux username
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
@@ -9,10 +9,16 @@
.sp
.BI "int get_ordered_context_list(const char *" user ", security_context_t "fromcon ", security_context_t **" list );
.sp
+.BI "int get_ordered_context_list_with_level(const char *" user ", const char *" level ", security_context_t "fromcon ", security_context_t **" list );
+.sp
+.BI "int getseuserbyname(const char *" username ", char **" selinuxuser ", char **" level ");
+.SH "DESCRIPTION"
+.B getseuserbyname
+retrieves the SELinux Username and security level associated with username.
+
+.br
+
+The returned SELinux username and level should be free with free if non-NULL.
+.SH "RETURN VALUE"
+On success, 0 is returned indicating.
+On failure, \-1 is returned and errno is set appropriately.
+
+The errors documented for the stat(2) system call are also applicable
+here.
+
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-1.27.1/src/selinux_config.c
--- nsalibselinux/src/selinux_config.c 2005-03-17 14:56:21.000000000 -0500
+++ libselinux-1.27.1/src/selinux_config.c 2005-09-29 11:28:55.000000000 -0400
@@ -11,6 +11,7 @@
.BI "int get_default_context(const char *" user ", security_context_t "fromcon ", security_context_t *" newcon );
.sp
+.BI "int get_default_context_with_level(const char *" user ", const char *" level ", security_context_t "fromcon ", security_context_t *" newcon );
+.sp
.BI "int get_default_context_with_role(const char* " user ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon ");
.sp
+.BI "int get_default_context_with_rolelevel(const char* " user ", const char* " level ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon ");
+.sp
.BI "int query_user_context(security_context_t *" list ", security_context_t *" newcon );
.sp
.BI "int manual_user_enter_context(const char *" user ", security_context_t *" newcon );
@@ -27,7 +33,7 @@
.I user
that are reachable from the specified
.I fromcon
-context and then orders the resulting list based on the global
+context. The function then orders the resulting list based on the global
.B /etc/selinux/<SELINUXTYPE>/contexts/default_contexts
file and the per-user
.B /etc/selinux/<SELINUXTYPE>/contexts/users/<username>
@@ -39,13 +45,22 @@
.B freeconary
function.
#define SELINUXDIR "/etc/selinux/"
#define SELINUXCONFIG SELINUXDIR "config"
+#define SELINUXUSERS SELINUXDIR "seusers.conf"
#define SELINUXDEFAULT "targeted"
#define SELINUXTYPETAG "SELINUXTYPE="
#define SELINUXTAG "SELINUX="
@@ -252,5 +253,9 @@
const char *selinux_users_path() {
return get_path(USERS_DIR);
+.B get_ordered_context_list_with_level
+invokes the get_ordered_context_list function and applies the specified level.
+
.B get_default_context
is the same as get_ordered_context_list but only returns a single context
which has to be freed with freecon.
+.B get_default_context_with_level
+invokes the get_default_context function and applies the specified level.
+
.B get_default_context_with_role
is the same as get_default_context but only returns a context with the specified role, returning -1 if no such context is reachable for the user.
+.B get_default_context_with_rolelevel
+invokes the get_default_context_with_role function and applies the specified level.
+
.B query_user_context
takes a list of contexts, queries the user via stdin/stdout as to which context
they want, and returns a new context as selected by the user (which has to be
@@ -58,9 +73,8 @@
Get the default type (domain) for 'role' and set 'type' to refer to it, which has to be freed with free.
.SH "RETURN VALUE"
-get_ordered_context_list returns the number of contexts in the list upon
-success or -1 upon errors.
+get_ordered_context_list and get_ordered_context_list_with_level return the number of contexts in the list upon success or -1 upon errors.
The other functions return 0 for success or -1 for errors.
.SH "SEE ALSO"
-.BR freeconary "(3), " freecon "(3), " security_compute_av "(3)"
+.BR freeconary "(3), " freecon "(3), " security_compute_av "(3)", getseuserbyname"(3)"
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/get_ordered_context_list_with_level.3 libselinux-1.27.10/man/man3/get_ordered_context_list_with_level.3
--- nsalibselinux/man/man3/get_ordered_context_list_with_level.3 1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.27.10/man/man3/get_ordered_context_list_with_level.3 2005-10-17 13:59:03.000000000 -0400
@@ -0,0 +1 @@
+.so man3/get_ordered_context_list.3
diff --exclude-from=exclude -N -u -r nsalibselinux/src/get_context_list.c libselinux-1.27.10/src/get_context_list.c
--- nsalibselinux/src/get_context_list.c 2005-10-14 14:45:05.000000000 -0400
+++ libselinux-1.27.10/src/get_context_list.c 2005-10-17 13:45:55.000000000 -0400
@@ -48,6 +48,49 @@
return rc;
}
+const char *selinux_usersconf_path() {
+ return SELINUXUSERS;
+}
+
hidden_def(selinux_users_path)
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_internal.h libselinux-1.27.1/src/selinux_internal.h
--- nsalibselinux/src/selinux_internal.h 2005-08-25 16:18:01.000000000 -0400
+++ libselinux-1.27.1/src/selinux_internal.h 2005-09-29 14:49:43.000000000 -0400
@@ -49,6 +49,7 @@
hidden_proto(selinux_check_passwd_access)
hidden_proto(matchpathcon_init)
hidden_proto(selinux_users_path)
+hidden_proto(selinux_usersconf_path);
extern int context_translations hidden;
extern int hidden trans_to_raw_context(char *trans, char **rawp);
diff --exclude-from=exclude -N -u -r nsalibselinux/src/seusers.c libselinux-1.27.1/src/seusers.c
--- nsalibselinux/src/seusers.c 1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.27.1/src/seusers.c 2005-09-29 14:51:47.000000000 -0400
@@ -0,0 +1,138 @@
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#include "selinux_internal.h"
+
+/* Process line from seusers.conf.
+ Remove white space and set name do data before the "=" and sename to data
+ after it */
+static int process_seusers(const char *buffer, char **r_username, char **r_seuser, char **r_level) {
+ char *username=NULL;
+ char *seuser=NULL;
+ char *level=NULL;
+ char *ptr;
+ int rc=-1;
+ char *tok;
+ char *newbuf=strdup(buffer);
+ if (!newbuf) return -1;
+
+ tok=strtok_r(newbuf,":",&ptr);
+ if (!tok) goto err;
+ if ( tok[0]=='#' ) goto err;
+ username=strdup(tok);
+ if (!username) {
+ rc=-1;
+ goto err;
+ }
+
+ tok=strtok_r(NULL,":",&ptr);
+ if (!tok) goto err;
+ while (isspace(*tok)) tok++;
+ if(strlen(tok))
+ seuser=strdup(tok);
+ if (!seuser) {
+ free(username);
+ rc=-1;
+ goto err;
+ }
+
+ tok=strtok_r(NULL,":",&ptr);
+ if (!tok) goto err;
+ while (isspace(*tok)) tok++;
+ if(strlen(tok))
+ level=strdup(tok);
+ if (!level) {
+ free(username);
+ free(seuser);
+ rc=-1;
+ goto err;
+ }
+
+ tok=strtok_r(NULL,":",&ptr);
+ if (tok) {
+ int len;
+ while (isspace(*tok)) tok++;
+ len=strlen(tok);
+ if(len) {
+ char *ptr=realloc(level, strlen(level) + len + 2);
+ if (ptr==NULL) {
+ free(username);
+ free(seuser);
+ free(level);
+ rc=-1;
+ goto err;
+ }
+ level=ptr;
+ strcat(level,":");
+ strcat(level,tok);
+ }
+ }
+
+ *r_username=username;
+ *r_seuser=seuser;
+ *r_level=level;
+ rc=0;
+err:
+ free(newbuf);
+ return rc;
+}
+
+int getseuserbyname(const char *name, char **r_seuser, char **r_level) {
+ FILE *cfg=NULL;
+ size_t size=0;
+ char *buffer=NULL;
+
+ char *username=NULL;
+ char *seuser=NULL;
+ char *level=NULL;
+ char *defaultseuser=NULL;
+ char *defaultlevel=NULL;
+
+ cfg = fopen(selinux_usersconf_path(),"r");
+ if (!cfg) return -1;
+
+ while (getline(&buffer, &size, cfg) > 0) {
+ if(process_seusers(buffer, &username, &seuser, &level) == 0) {
+ if (strcmp(username, name)==0)
+ break;
+
+ if (strcmp(username,"default")==0) {
+ free(username);
+ if (defaultseuser)
+ free(defaultseuser);
+ if (defaultlevel)
+ free(defaultlevel);
+ defaultseuser=seuser;
+ defaultlevel=level;
+ }
+ else {
+ free(username);
+ free(seuser);
+ free(level);
+ }
+ seuser=NULL;
+ }
+ }
+ if (buffer) free(buffer);
+ fclose(cfg);
+ if (seuser) {
+ free(username);
+ free(defaultseuser);
+ free(defaultlevel);
+ *r_seuser=seuser;
+ *r_level=level;
+ return 0;
+ }
+ if (defaultseuser) {
+ *r_seuser=defaultseuser;
+ *r_level=defaultlevel;
+ return 0;
+ }
+
+ return -1;
+}
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/getseuser.c libselinux-1.27.1/utils/getseuser.c
--- nsalibselinux/utils/getseuser.c 1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.27.1/utils/getseuser.c 2005-09-29 14:46:06.000000000 -0400
@@ -0,0 +1,27 @@
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <getopt.h>
+#include <errno.h>
+#include <string.h>
+#include <selinux/selinux.h>
+
+void usage(const char *progname)
+int get_default_context_with_rolelevel(const char* user,
+ const char *role,
+ const char *level,
+ security_context_t fromcon,
+ security_context_t *newcon)
+{
+ fprintf(stderr, "usage: %s\n", progname);
+ exit(1);
+}
+int main(int argc, char **argv) {
+ char *seuser;
+ char *level;
+ if ( argc != 2 ) usage(argv[0]);
+ if (getseuserbyname(argv[1], &seuser, &level) == 0 ) {
+ printf("%s\n", argv[1]);
+ printf("%s\n", seuser);
+ printf("%s", level);
+ return 0;
+ } else {
+ printf("%s not found\n", argv[1]);
+ return -1;
+ }
+
+ int rc=0;
+ int freefrom = 0;
+ context_t con;
+ char *newfromcon;
+ if (!level)
+ return get_default_context_with_role(user, role, fromcon, newcon);
+
+ if (!fromcon) {
+ rc = getcon(&fromcon);
+ if (rc < 0)
+ return rc;
+ freefrom = 1;
+ }
+
+ rc = -1;
+ con=context_new(fromcon);
+ if (!con)
+ goto out;
+
+ if (context_range_set(con, level))
+ goto out;
+
+ newfromcon = context_str(con);
+ if (!newfromcon)
+ goto out;
+
+ rc = get_default_context_with_role(user, role, newfromcon, newcon);
+
+out:
+ context_free(con);
+ if (freefrom)
+ freecon(fromcon);
+ return rc;
+
+}
+
int get_default_context(const char* user,
security_context_t fromcon,
security_context_t *newcon)

View File

@ -1,11 +1,13 @@
%define libsepolver 1.9.17-1
Summary: SELinux library and simple utilities
Name: libselinux
Version: 1.27.9
Release: 2
Version: 1.27.10
Release: 1
License: Public domain (uncopyrighted)
Group: System Environment/Libraries
Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
Patch: libselinux-rhat.patch
Prereq: libsetrans
Requires: libsepol >= %{libsepolver}
@ -37,6 +39,7 @@ needed for developing SELinux applications.
%prep
%setup -q
%patch -p1 -b .rhat
%build
make CFLAGS="-g %{optflags}"
@ -89,6 +92,9 @@ exit 0
%{_mandir}/man8/*
%changelog
* Mon Oct 17 2005 Dan Walsh <dwalsh@redhat.com> 1.27.10-1
-
* Fri Oct 14 2005 Dan Walsh <dwalsh@redhat.com> 1.27.9-2
- Tell init to reexec itself in post script

View File

@ -1 +1 @@
ec7aa6371255e9ce58f84287184705cf libselinux-1.27.9.tgz
e88a9720a6eab17b1a6782caa8278673 libselinux-1.27.10.tgz