- Update to latest from NSA

- Add getseuserbyname
This commit is contained in:
Daniel J Walsh 2005-09-29 02:12:47 +00:00
parent e8346fc44d
commit bebb529bd5
3 changed files with 236 additions and 217 deletions

View File

@ -1,229 +1,242 @@
diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.26/include/selinux/selinux.h diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.27.1/include/selinux/selinux.h
--- nsalibselinux/include/selinux/selinux.h 2005-09-01 11:17:40.000000000 -0400 --- nsalibselinux/include/selinux/selinux.h 2005-09-01 11:17:40.000000000 -0400
+++ libselinux-1.26/include/selinux/selinux.h 2005-09-16 14:16:26.000000000 -0400 +++ libselinux-1.27.1/include/selinux/selinux.h 2005-09-28 14:37:04.000000000 -0400
@@ -304,6 +304,12 @@ @@ -354,6 +354,25 @@
extern int selinux_getenforcemode(int *enforce); extern int selinux_raw_to_trans_context(security_context_t raw,
security_context_t *transp);
/*
+ selinux_getpolicytype reads the /etc/selinux/config file and determines
+ whether the policy tyep for this machine, type must be freed.
+ */
+extern void selinux_getpolicytype(char **type);
+ +
+/* +/* the following functions are used to retrieve the SELinux user and their
selinux_policy_root reads the /etc/selinux/config file and returns + security level via the Linux usernames selinux */
the directory path under which the compiled policy file and context +
configuration files exist. +#define SEUSERFILE "/etc/selinux/seusers.conf"
diff --exclude-from=exclude -N -u -r nsalibselinux/src/get_context_list.c libselinux-1.26/src/get_context_list.c +
--- nsalibselinux/src/get_context_list.c 2005-08-11 22:41:15.000000000 -0400 +/* Define data structures */
+++ libselinux-1.26/src/get_context_list.c 2005-09-16 16:22:03.000000000 -0400 +typedef struct seuser {
@@ -288,6 +288,40 @@ + char* username;
return strcmp(c1->con, c2->con); + char* seusername;
+ char* level;
+} seuser_t;
+
+/* read /etc/selinux/seusers.conf file an return selinux user info */
+
+extern void freeseuser(seuser_t *seuser);
+
+extern int getseuserbyname(const char *name, seuser_t **r_seuser);
+
#ifdef __cplusplus
} }
#endif
+int get_ordered_context_list_with_level (const char *user, diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/seuser.h libselinux-1.27.1/include/selinux/seuser.h
+ const char *level, --- nsalibselinux/include/selinux/seuser.h 1969-12-31 19:00:00.000000000 -0500
+ security_context_t fromcon, +++ libselinux-1.27.1/include/selinux/seuser.h 2005-09-28 14:32:11.000000000 -0400
+ security_context_t **list) @@ -0,0 +1,32 @@
+#ifndef _SEUSER_H_
+#define _SEUSER_H_
+
+#include <sys/types.h>
+#include <stdarg.h>
+
+#ifdef __cplusplus
+extern "C"
+{ +{
+ int rc; +#endif
+ int freefrom = 0;
+ context_t con;
+ +
+ if (!level) +#define SEUSERFILE "/etc/selinux/seusers.conf"
+ return get_ordered_context_list (user, fromcon, list);
+ +
+ if (!fromcon) { +/* Define data structures */
+ rc = getcon(&fromcon); +typedef struct seuser {
+ if (rc < 0) + char* username;
+ return rc; + char* seusername;
+ freefrom = 1; + char* sensitivity;
+ char* categories;
+} seuser_t;
+
+/* read /etc/selinux/seusers.conf file an return selinux user info */
+
+extern void free_seuser(seuser_t *seuser);
+
+extern int getseuserbyname(const char *name, seuser_t **r_seuser);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --exclude-from=exclude -N -u -r nsalibselinux/man/Makefile libselinux-1.27.1/man/Makefile
--- nsalibselinux/man/Makefile 2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.27.1/man/Makefile 2005-09-28 14:32:16.000000000 -0400
@@ -8,3 +8,6 @@
install -m 644 man3/*.3 $(MAN3DIR)
install -m 644 man8/*.8 $(MAN8DIR)
+clean:
+ -rm -f *~ \#*
+ -rm -f man8/*~ man8/\#*
diff --exclude-from=exclude -N -u -r nsalibselinux/src/seusers.c libselinux-1.27.1/src/seusers.c
--- nsalibselinux/src/seusers.c 1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.27.1/src/seusers.c 2005-09-28 14:48:28.000000000 -0400
@@ -0,0 +1,132 @@
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#include "selinux_internal.h"
+
+void freeseuser(seuser_t *seuser) {
+ if (!seuser) return;
+ if (seuser->username)
+ free(seuser->username);
+ if (seuser->seusername)
+ free(seuser->seusername);
+ if (seuser->level)
+ free(seuser->level);
+ free(seuser);
+ return;
+} +}
+ +
+ con=context_new(fromcon); +/* Process line from SEUSERSFILE.
+ if (con) { + Remove white space and set name do data before the "=" and sename to data
+ context_range_set(con, level); + after it */
+ rc = get_ordered_context_list (user, context_str(con), list); +static int process_seusers(const char *buffer, seuser_t **r_user) {
+ context_free(con); + seuser_t *user=NULL;
+ char *ptr;
+ int rc=-1;
+ char *tok;
+ char *newbuf=strdup(buffer);
+ if (!newbuf) return -1;
+
+ user=calloc(1, sizeof(seuser_t));
+ if (!user) return -1;
+
+ tok=strtok_r(newbuf,":",&ptr);
+ if (!tok) goto err;
+ if ( tok[0]=='#' ) goto err;
+ user->username=strdup(tok);
+ if (!user->username) {
+ freeseuser(user);
+ rc=-1;
+ goto err;
+ }
+
+ tok=strtok_r(NULL,":",&ptr);
+ if (!tok) goto err;
+ while (isspace(*tok)) tok++;
+ if(strlen(tok))
+ user->seusername=strdup(tok);
+ if (!user->seusername) {
+ freeseuser(user);
+ rc=-1;
+ goto err;
+ }
+
+ tok=strtok_r(NULL,":",&ptr);
+ if (!tok) goto err;
+ while (isspace(*tok)) tok++;
+ if(strlen(tok))
+ user->level=strdup(tok);
+ if (!user->level) {
+ freeseuser(user);
+ rc=-1;
+ goto err;
+ }
+
+ tok=strtok_r(NULL,":",&ptr);
+ if (tok) {
+ int len;
+ while (isspace(*tok)) tok++;
+ len=strlen(tok);
+ if(len) {
+ char *ptr=realloc(user->level, strlen(user->level) + len + 2);
+ if (ptr==NULL) {
+ freeseuser(user);
+ rc=-1;
+ goto err;
+ }
+ user->level=ptr;
+ strcat(user->level,":");
+ strcat(user->level,tok);
+ }
+ }
+
+ *r_user=user;
+ rc=0;
+err:
+ free(newbuf);
+ return rc;
+}
+
+int getseuserbyname(const char *name, seuser_t **r_seuser) {
+ FILE *cfg=NULL;
+ size_t size=0;
+ char *buffer=NULL;
+
+ static seuser_t *seuser=NULL;
+ static seuser_t *defaultseuser=NULL;
+
+ cfg = fopen(SEUSERFILE,"r");
+ if (!cfg) return -1;
+
+ while (getline(&buffer, &size, cfg) > 0) {
+ if(process_seusers(buffer, &seuser) == 0) {
+ if (strcasecmp(seuser->username, name)==0)
+ break;
+
+ if (strcasecmp(seuser->username,"default")==0) {
+ if (defaultseuser) freeseuser(defaultseuser);
+ defaultseuser=seuser;
+ } + }
+ else + else
+ rc=-1; + freeseuser(seuser);
+ + seuser=NULL;
+ if (freefrom)
+ freecon(fromcon);
+
+ return rc;
+}
+
int get_ordered_context_list (const char *user,
security_context_t fromcon,
security_context_t **list)
diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-1.26/src/matchpathcon.c
--- nsalibselinux/src/matchpathcon.c 2005-08-24 09:07:11.000000000 -0400
+++ libselinux-1.26/src/matchpathcon.c 2005-09-16 15:54:01.000000000 -0400
@@ -12,6 +12,7 @@
#include <regex.h>
#include <stdarg.h>
#include "policy.h"
+#include <selinux/context.h>
static void
#ifdef __GNUC__
@@ -25,6 +26,19 @@
va_end(ap);
}
+#define STRIP_LEVEL(CON) \
+ if (! mls_enabled) { \
+ security_context_t newcon; \
+ context_t con=context_new(CON); \
+ if (con) { \
+ context_range_set(con,NULL); \
+ newcon=strdup(context_str(con));\
+ context_free(con); \
+ freecon(CON); \
+ CON=newcon; \
+ } \
+ }
+
static void (*myprintf)(const char *fmt, ...) = &default_printf;
void set_matchpathcon_printf(void (*f)(const char *fmt, ...))
@@ -415,7 +429,7 @@
}
return;
}
-static int process_line( const char *path, char *line_buf, int pass, unsigned lineno) {
+static int process_line( const char *path, char *line_buf, int pass, unsigned lineno, int mls_enabled) {
int items, len, regerr;
char *buf_p;
char *regex, *type, *context;
@@ -438,6 +452,7 @@
} else if (items == 2) {
/* The type field is optional. */
free(context);
+ STRIP_LEVEL(type)
context = type;
type = 0;
}
@@ -510,7 +525,7 @@
}
skip_type:
-
+ STRIP_LEVEL(context)
spec_arr[nspec].context = context;
if (strcmp(context, "<<none>>")) {
@@ -557,6 +572,7 @@
unsigned int lineno, pass, i, j, maxnspec;
spec_t *spec_copy=NULL;
int status=-1;
+ int mls_enabled=is_selinux_mls_enabled();
/* Open the specification file. */
if (!path)
@@ -590,20 +606,20 @@
lineno = 0;
nspec = 0;
while (getline(&line_buf, &line_len, fp) > 0 && nspec < maxnspec) {
- if (process_line(path, line_buf, pass, ++lineno) != 0)
+ if (process_line(path, line_buf, pass, ++lineno, mls_enabled) != 0)
goto finish;
}
lineno = 0;
if (homedirfp)
while (getline(&line_buf, &line_len, homedirfp) > 0 && nspec < maxnspec) {
- if (process_line(homedir_path, line_buf, pass, ++lineno) != 0)
+ if (process_line(homedir_path, line_buf, pass, ++lineno, mls_enabled) != 0)
goto finish;
}
lineno = 0;
if (localfp)
while (getline(&line_buf, &line_len, localfp) > 0 && nspec < maxnspec) {
- if (process_line(local_path, line_buf, pass, ++lineno) != 0)
+ if (process_line(local_path, line_buf, pass, ++lineno, mls_enabled) != 0)
goto finish;
}
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-1.26/src/selinux_config.c
--- nsalibselinux/src/selinux_config.c 2005-03-17 14:56:21.000000000 -0500
+++ libselinux-1.26/src/selinux_config.c 2005-09-16 14:16:26.000000000 -0400
@@ -85,6 +85,29 @@
static int use_compat_file_path;
+void selinux_getpolicytype(char **rtype) {
+ char *type=SELINUXDEFAULT;
+ char buf[4097];
+ int i=0;
+ int len=sizeof(SELINUXTYPETAG)-1;
+ FILE *cfg = fopen(SELINUXCONFIG,"r");
+ if (cfg) {
+ while (fgets_unlocked(buf, 4096, cfg)) {
+ if (strncmp(buf,SELINUXTYPETAG,len)==0) {
+ type=buf+len;
+ break;
+ } + }
+ } + }
+ if (buffer) free(buffer);
+ fclose(cfg); + fclose(cfg);
+ if (seuser) {
+ freeseuser(defaultseuser);
+ *r_seuser=seuser;
+ return 0;
+ } + }
+ i=strlen(type)-1; + if (defaultseuser) {
+ while ((i>=0) && + *r_seuser=defaultseuser;
+ (isspace(type[i]) || iscntrl(type[i]))) { + return 0;
+ type[i]=0;
+ i--;
+ } + }
+ *rtype=strdup(type); +
+ return -1;
+}
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/getseuser.c libselinux-1.27.1/utils/getseuser.c
--- nsalibselinux/utils/getseuser.c 1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.27.1/utils/getseuser.c 2005-09-28 14:49:21.000000000 -0400
@@ -0,0 +1,27 @@
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <getopt.h>
+#include <errno.h>
+#include <string.h>
+#include <selinux/selinux.h>
+
+void usage(const char *progname)
+{
+ fprintf(stderr, "usage: %s\n", progname);
+ exit(1);
+}
+int main(int argc, char **argv) {
+ seuser_t *seuser;
+ if ( argc != 2 ) usage(argv[0]);
+ if (getseuserbyname(argv[1], &seuser) == 0 ) {
+ printf("%s\n", seuser->username);
+ printf("%s\n", seuser->seusername);
+ printf("%s", seuser->level);
+ freeseuser(seuser);
+ return 0;
+ } else {
+ printf("%s not found\n", argv[1]);
+ return -1;
+ } + }
int selinux_getenforcemode(int *enforce) {
int ret=-1;
FILE *cfg = fopen(SELINUXCONFIG,"r");
@@ -122,38 +145,24 @@
static void init_selinux_policyroot(void)
{
- char *type=SELINUXDEFAULT;
- int i=0, len=sizeof(SELINUXTYPETAG)-1, len2;
- char buf[4097];
- FILE *cfg;
+ char *type=NULL;
+ int i=0, len, len2;
if (selinux_policyroot) return;
if (access(SELINUXDIR, F_OK) != 0) {
selinux_policyroot = SECURITYDIR;
use_compat_file_path = 1;
return;
}
- cfg = fopen(SELINUXCONFIG,"r");
- if (cfg) {
- while (fgets_unlocked(buf, 4096, cfg)) {
- if (strncmp(buf,SELINUXTYPETAG,len)==0) {
- type=buf+len;
- break;
- }
- }
- fclose(cfg);
- }
- i=strlen(type)-1;
- while ((i>=0) &&
- (isspace(type[i]) || iscntrl(type[i]))) {
- type[i]=0;
- i--;
- }
+ selinux_getpolicytype(&type);
+ if (!type) return;
len=sizeof(SELINUXDIR) + strlen(type);
selinux_policyroot=malloc(len);
- if (!selinux_policyroot)
+ if (!selinux_policyroot) {
+ free(type);
return;
+} +}
snprintf(selinux_policyroot,len, "%s%s", SELINUXDIR, type);
-
+ free(type);
for (i = 0; i < NEL; i++) {
len2 = len + strlen(file_path_suffixes_data.str
+ file_path_suffixes_idx[i])+1;

View File

@ -1,16 +1,17 @@
Summary: SELinux library and simple utilities Summary: SELinux library and simple utilities
Name: libselinux Name: libselinux
Version: 1.27.1 Version: 1.27.1
Release: 1 Release: 2
License: Public domain (uncopyrighted) License: Public domain (uncopyrighted)
Group: System Environment/Libraries Group: System Environment/Libraries
Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
Patch: libselinux-rhat.patch
Prereq: libsetrans Prereq: libsetrans
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
%description %description
Security-enhanced Linux is a patch of the Linux® kernel and a number Security-enhanced Linux is a feature of the Linux® kernel and a number
of utilities with enhanced security functionality designed to add of utilities with enhanced security functionality designed to add
mandatory access controls to Linux. The Security-enhanced Linux mandatory access controls to Linux. The Security-enhanced Linux
kernel contains new architectural components originally developed to kernel contains new architectural components originally developed to
@ -35,6 +36,7 @@ needed for developing SELinux applications.
%prep %prep
%setup -q %setup -q
%patch -p1 -b .rhat
%build %build
make CFLAGS="-g %{optflags}" make CFLAGS="-g %{optflags}"
@ -84,6 +86,10 @@ rm -rf ${RPM_BUILD_ROOT}
%{_mandir}/man8/* %{_mandir}/man8/*
%changelog %changelog
* Wed Sep 28 2005 Dan Walsh <dwalsh@redhat.com> 1.27.1-2
- Update to latest from NSA
- Add getseuserbyname
* Fri Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-6 * Fri Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-6
- Fix patch call - Fix patch call

View File

@ -1 +1 @@
c6ec48d847c4b7d708e960e6dfb72603 libselinux-1.26.tgz 6962dcd8760dd741e49bb85c1a602e7f libselinux-1.27.1.tgz