- Modify matchpathcon to also process file_contexts.local if it exists

2005-01-18 22:27:57 +00:00 · 2005-01-18 22:27:57 +00:00 · 958b6d4982
commit 958b6d4982
parent ae6f77c9ad
2 changed files with 339 additions and 6 deletions
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@ -1,6 +1,7 @@
+Binary files nsalibselinux/debugsources.list and libselinux-1.20.1/debugsources.list differ
 diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.20.1/include/selinux/selinux.h
 --- nsalibselinux/include/selinux/selinux.h	2004-12-03 14:40:05.000000000 -0500
-+++ libselinux-1.20.1/include/selinux/selinux.h	2005-01-10 17:30:01.615342019 -0500
+++ libselinux-1.20.1/include/selinux/selinux.h	2005-01-12 10:13:25.000000000 -0500
@@ -226,6 +226,7 @@
 extern const char *selinux_media_context_path(void);
 extern const char *selinux_contexts_path(void);
@ -22,7 +23,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h lib
 #endif
 diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/is_context_customizable.3 libselinux-1.20.1/man/man3/is_context_customizable.3
 --- nsalibselinux/man/man3/is_context_customizable.3	1969-12-31 19:00:00.000000000 -0500
-+++ libselinux-1.20.1/man/man3/is_context_customizable.3	2005-01-10 17:30:01.617341793 -0500
+++ libselinux-1.20.1/man/man3/is_context_customizable.3	2005-01-12 10:13:25.000000000 -0500
@@ -0,0 +1,22 @@
 +.TH "is_context_customizable" "3" "10 January 2005" "dwalsh@redhat.com" "SELinux API documentation"
 +.SH "NAME"
@ -46,9 +47,42 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/is_context_customiza
 +.SH "FILE"
 +/etc/selinux/SELINUXTYPE/context/customizable_types
 +
+diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_load_booleans.3 libselinux-1.20.1/man/man3/security_load_booleans.3
+--- nsalibselinux/man/man3/security_load_booleans.3	2004-11-30 15:59:02.000000000 -0500
+++ libselinux-1.20.1/man/man3/security_load_booleans.3	2005-01-18 17:24:31.326454550 -0500
+@@ -1,10 +1,8 @@
+ .TH "security_get_boolean_names" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation"
+ .SH "NAME"
+ security_load_booleans, security_set_boolean, security_commit_booleans, 
+-security_get_boolean_names, security_get_boolean_active, security_get_boolean_pending 
+-.sp
+-routines for manipulating SELinux boolean values
+-
+security_get_boolean_names, security_get_boolean_active,
+security_get_boolean_pending \- routines for manipulating SELinux boolean values
+ .SH "SYNOPSIS"
+ .B #include <selinux/selinux.h>
+ .sp
+diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_binary_policy_path.3 libselinux-1.20.1/man/man3/selinux_binary_policy_path.3
+--- nsalibselinux/man/man3/selinux_binary_policy_path.3	2004-11-30 15:59:02.000000000 -0500
+++ libselinux-1.20.1/man/man3/selinux_binary_policy_path.3	2005-01-18 17:24:31.344452529 -0500
+@@ -1,8 +1,10 @@
+ .TH "selinux_binary_policy_path" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation"
+ .SH "NAME"
+-selinux_policy_root, selinux_binary_policy_path, selinux_failsafe_context_path, selinux_removable_context_path, selinux_default_context_path, selinux_user_contexts_path, selinux_file_context_path, selinux_media_context_path, selinux_contexts_path, selinux_booleans_path
+-.sp
+-These functions return the paths to the active policy configuration
+selinux_policy_root, selinux_binary_policy_path,
+selinux_failsafe_context_path, selinux_removable_context_path,
+selinux_default_context_path, selinux_user_contexts_path,
+selinux_file_context_path, selinux_media_context_path,
+selinux_contexts_path, selinux_booleans_path \- These functions return the paths to the active policy configuration
+ directories and files.
+ 
+ .SH "SYNOPSIS"
 diff --exclude-from=exclude -N -u -r nsalibselinux/src/file_path_suffixes.h libselinux-1.20.1/src/file_path_suffixes.h
 --- nsalibselinux/src/file_path_suffixes.h	2004-10-20 16:31:36.000000000 -0400
-+++ libselinux-1.20.1/src/file_path_suffixes.h	2005-01-10 17:30:01.618341680 -0500
+++ libselinux-1.20.1/src/file_path_suffixes.h	2005-01-12 10:13:25.000000000 -0500
@@ -9,3 +9,4 @@
 S_(BOOLEANS, "/booleans")
 S_(MEDIA_CONTEXTS, "/contexts/files/media")
@ -56,7 +90,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/file_path_suffixes.h libs
 +S_(CUSTOMIZABLE_TYPES, "/contexts/customizable_types")
 diff --exclude-from=exclude -N -u -r nsalibselinux/src/is_customizable_type.c libselinux-1.20.1/src/is_customizable_type.c
 --- nsalibselinux/src/is_customizable_type.c	1969-12-31 19:00:00.000000000 -0500
-+++ libselinux-1.20.1/src/is_customizable_type.c	2005-01-10 17:47:59.567648626 -0500
+++ libselinux-1.20.1/src/is_customizable_type.c	2005-01-12 10:13:25.000000000 -0500
@@ -0,0 +1,68 @@
 +#include <unistd.h>
 +#include <errno.h>
@ -126,9 +160,305 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/is_customizable_type.c li
 +  }
 +  return 0;
 +}
+diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-1.20.1/src/matchpathcon.c
+--- nsalibselinux/src/matchpathcon.c	2004-12-29 11:51:23.000000000 -0500
+++ libselinux-1.20.1/src/matchpathcon.c	2005-01-12 10:13:25.000000000 -0500
+@@ -207,15 +207,135 @@
+ 	}
+ 	return;
+ }
+-
+static int process_line( const char *path, char *line_buf, int pass, int lineno) {
+	int items, len, regerr;
+	char *buf_p;
+	char *regex, *type, *context;
+	char *anchored_regex;
+	len = strlen(line_buf);
+	if (line_buf[len - 1] != '\n') {
+		myprintf("%s:  line %d is too long, would be truncated, skipping\n", path, lineno); 
+		return 0;
+	}
+	line_buf[len - 1] = 0;
+	buf_p = line_buf;
+	while (isspace(*buf_p))
+		buf_p++;
+	/* Skip comment lines and empty lines. */
+	if (*buf_p == '#' || *buf_p == 0)
+		return 0;
+	items =
+		sscanf(line_buf, "%as %as %as", &regex, &type,
+		       &context);
+	if (items < 2) {
+		myprintf("%s:  line %d is missing fields\n, skipping", path, lineno); 
+		return 0;
+	} else if (items == 2) {
+		/* The type field is optional. */
+		free(context);
+		context = type;
+		type = 0;
+	}
+	
+	if (pass == 1) {
+		/* On the second pass, compile and store the specification in spec. */
+		const char *reg_buf = regex;
+		char *cp;
+		spec_arr[nspec].stem_id = find_stem_from_spec(&reg_buf);
+		spec_arr[nspec].regex_str = regex;
+		
+		/* Anchor the regular expression. */
+		len = strlen(reg_buf);
+		cp = anchored_regex = malloc(len + 3);
+		if (!anchored_regex)
+			return -1;
+		/* Create ^...$ regexp.  */
+		*cp++ = '^';
+		cp = mempcpy(cp, reg_buf, len);
+		*cp++ = '$';
+		*cp = '\0';
+		
+		/* Compile the regular expression. */
+		regerr =
+			regcomp(&spec_arr[nspec].regex,
+				anchored_regex,
+				REG_EXTENDED | REG_NOSUB);
+		free(anchored_regex);
+		if (regerr < 0) {
+			myprintf("%s:  line %d has invalid regex %s\n", path, lineno, anchored_regex); 
+			return 0;
+		}
+		
+		/* Convert the type string to a mode format */
+		spec_arr[nspec].type_str = type;
+		spec_arr[nspec].mode = 0;
+		if (!type)
+			goto skip_type;
+		len = strlen(type);
+		if (type[0] != '-' || len != 2) {
+			myprintf("%s:  line %d has invalid file type %s\n", path, lineno, type); 
+			return 0;
+		}
+		switch (type[1]) {
+		case 'b':
+			spec_arr[nspec].mode = S_IFBLK;
+			break;
+		case 'c':
+			spec_arr[nspec].mode = S_IFCHR;
+			break;
+		case 'd':
+			spec_arr[nspec].mode = S_IFDIR;
+			break;
+		case 'p':
+			spec_arr[nspec].mode = S_IFIFO;
+			break;
+		case 'l':
+			spec_arr[nspec].mode = S_IFLNK;
+			break;
+		case 's':
+			spec_arr[nspec].mode = S_IFSOCK;
+			break;
+		case '-':
+			spec_arr[nspec].mode = S_IFREG;
+			break;
+		default:
+			myprintf("%s:  line %d has invalid file type %s\n", path, lineno, type); 
+			return 0;
+		}
+		
+	skip_type:
+		
+		spec_arr[nspec].context = context;
+		
+		if (strcmp(context, "<<none>>")) {
+			if (security_check_context(context) < 0 && errno != ENOENT) {
+				myprintf("%s:  line %d has invalid context %s\n", path, lineno, context); 
+				return 0;
+			}
+		}
+		
+		/* Determine if specification has 
+		 * any meta characters in the RE */
+		spec_hasMetaChars(&spec_arr[nspec]);
+	}
+	
+	nspec++;
+	if (pass == 0) {
+		free(regex);
+		if (type)
+			free(type);
+		free(context);
+	}
+	return 0;
+}
+ static int matchpathcon_init(void)
+ {
+ 	FILE *fp;
+ 	const char *path;
+-	char line_buf[BUFSIZ + 1], *buf_p;
+-	char *regex, *type, *context;
+-	char *anchored_regex;
+-	int items, len, lineno, pass, regerr, i, j;
+	FILE *localfp;
+	char local_path[PATH_MAX + 1];
+	char line_buf[BUFSIZ + 1];
+	int lineno, pass, i, j;
+ 	spec_t *spec_copy;
+ 
+ 	/* Open the specification file. */
+@@ -223,6 +343,9 @@
+ 	if ((fp = fopen(path, "r")) == NULL)
+ 		return -1;
+ 
+	snprintf(local_path, sizeof(local_path), "%s.local", path);
+	localfp = fopen(local_path, "r");
+
+ 	/* 
+ 	 * Perform two passes over the specification file.
+ 	 * The first pass counts the number of specifications and
+@@ -235,123 +358,15 @@
+ 		lineno = 0;
+ 		nspec = 0;
+ 		while (fgets_unlocked(line_buf, sizeof line_buf, fp)) {
+-			lineno++;
+-			len = strlen(line_buf);
+-			if (line_buf[len - 1] != '\n') {
+-				myprintf("%s:  line %d is too long, would be truncated, skipping\n", path, lineno); 
+-				continue;
+-			}
+-			line_buf[len - 1] = 0;
+-			buf_p = line_buf;
+-			while (isspace(*buf_p))
+-				buf_p++;
+-			/* Skip comment lines and empty lines. */
+-			if (*buf_p == '#' || *buf_p == 0)
+-				continue;
+-			items =
+-			    sscanf(line_buf, "%as %as %as", &regex, &type,
+-				   &context);
+-			if (items < 2) {
+-				myprintf("%s:  line %d is missing fields\n, skipping", path, lineno); 
+-				continue;
+-			} else if (items == 2) {
+-				/* The type field is optional. */
+-				free(context);
+-				context = type;
+-				type = 0;
+-			}
+-
+-			if (pass == 1) {
+-				/* On the second pass, compile and store the specification in spec. */
+-				const char *reg_buf = regex;
+-				char *cp;
+-				spec_arr[nspec].stem_id = find_stem_from_spec(&reg_buf);
+-				spec_arr[nspec].regex_str = regex;
+-
+-				/* Anchor the regular expression. */
+-				len = strlen(reg_buf);
+-				cp = anchored_regex = malloc(len + 3);
+-				if (!anchored_regex)
+			if (process_line(path, line_buf, pass, ++lineno) != 0)
+				return -1;
+		}
+		if (localfp) 
+			while (fgets_unlocked(line_buf, sizeof line_buf, localfp)) {
+				if (process_line(local_path, line_buf, pass, ++lineno) != 0)
+ 					return -1;
+-				/* Create ^...$ regexp.  */
+-				*cp++ = '^';
+-				cp = mempcpy(cp, reg_buf, len);
+-				*cp++ = '$';
+-				*cp = '\0';
+-
+-				/* Compile the regular expression. */
+-				regerr =
+-				    regcomp(&spec_arr[nspec].regex,
+-					    anchored_regex,
+-					    REG_EXTENDED | REG_NOSUB);
+-				free(anchored_regex);
+-				if (regerr < 0) {
+-					myprintf("%s:  line %d has invalid regex %s\n", path, lineno, anchored_regex); 
+-					continue;
+-				}
+-
+-				/* Convert the type string to a mode format */
+-				spec_arr[nspec].type_str = type;
+-				spec_arr[nspec].mode = 0;
+-				if (!type)
+-					goto skip_type;
+-				len = strlen(type);
+-				if (type[0] != '-' || len != 2) {
+-					myprintf("%s:  line %d has invalid file type %s\n", path, lineno, type); 
+-					continue;
+-				}
+-				switch (type[1]) {
+-				case 'b':
+-					spec_arr[nspec].mode = S_IFBLK;
+-					break;
+-				case 'c':
+-					spec_arr[nspec].mode = S_IFCHR;
+-					break;
+-				case 'd':
+-					spec_arr[nspec].mode = S_IFDIR;
+-					break;
+-				case 'p':
+-					spec_arr[nspec].mode = S_IFIFO;
+-					break;
+-				case 'l':
+-					spec_arr[nspec].mode = S_IFLNK;
+-					break;
+-				case 's':
+-					spec_arr[nspec].mode = S_IFSOCK;
+-					break;
+-				case '-':
+-					spec_arr[nspec].mode = S_IFREG;
+-					break;
+-				default:
+-					myprintf("%s:  line %d has invalid file type %s\n", path, lineno, type); 
+-					continue;
+-				}
+-
+-			      skip_type:
+-
+-				spec_arr[nspec].context = context;
+-
+-				if (strcmp(context, "<<none>>")) {
+-					if (security_check_context(context) < 0 && errno != ENOENT) {
+-						myprintf("%s:  line %d has invalid context %s\n", path, lineno, context); 
+-						continue;
+-					}
+-				}
+-
+-				/* Determine if specification has 
+-				 * any meta characters in the RE */
+-				spec_hasMetaChars(&spec_arr[nspec]);
+ 			}
+ 
+-			nspec++;
+-			if (pass == 0) {
+-				free(regex);
+-				if (type)
+-					free(type);
+-				free(context);
+-			}
+-		}
+-
+ 		if (pass == 0) {
+ 			if (nspec == 0)
+ 				return 0;
+@@ -360,9 +375,11 @@
+ 				return -1;
+ 			memset(spec_arr, '\0', sizeof(spec_t) * nspec);
+ 			rewind(fp);
+			if (localfp) rewind(localfp);
+ 		}
+ 	}
+ 	fclose(fp);
+	if (localfp) fclose(localfp);
+ 
+ 	/* Move exact pathname specifications to the end. */
+ 	spec_copy = malloc(sizeof(spec_t) * nspec);
 diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-1.20.1/src/selinux_config.c
 --- nsalibselinux/src/selinux_config.c	2004-10-20 16:31:36.000000000 -0400
-+++ libselinux-1.20.1/src/selinux_config.c	2005-01-10 17:30:01.838316846 -0500
+++ libselinux-1.20.1/src/selinux_config.c	2005-01-12 10:13:25.000000000 -0500
@@ -26,7 +26,8 @@
 #define BOOLEANS          7
 #define MEDIA_CONTEXTS    8
--- a/libselinux.spec
+++ b/libselinux.spec
@ -1,7 +1,7 @@
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 1.20.1
-Release: 2
+Release: 3
 License: Public domain (uncopyrighted)
 Group: System Environment/Libraries
 Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
@ -86,6 +86,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_mandir}/man8/*

 %changelog
+* Wed Jan 12 2005 Dan Walsh <dwalsh@redhat.com> 1.20.1-3
+- Modify matchpathcon to also process file_contexts.local if it exists
+
 * Wed Jan 12 2005 Dan Walsh <dwalsh@redhat.com> 1.20.1-2
 - Add is_customizable_types function call