Cleanup setfcontext_compile atomic patch

- Add matchpathcon -P /etc/selinux/mls support by allowing users to set alternate root - Make sure we set exit codes from selinux_label calls to ENOENT or SUCCESS
2013-03-08 12:23:30 -05:00 · 2013-03-08 12:23:30 -05:00 · cc9c7ddcf7
commit cc9c7ddcf7
parent 8047eef070
2 changed files with 265 additions and 43 deletions
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@ -1,5 +1,5 @@
 diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
-index a4079aa..80ba628 100644
+index a4079aa..0b122af 100644
 --- a/libselinux/include/selinux/selinux.h
 +++ b/libselinux/include/selinux/selinux.h
@@ -177,6 +177,7 @@ extern void selinux_set_callback(int type, union selinux_callback cb);
@ -10,8 +10,16 @@ index a4079aa..80ba628 100644
 /* Compute an access decision. */
 extern int security_compute_av(const security_context_t scon,
-@@ -498,6 +499,7 @@ extern const char *selinux_policy_root(void);
+@@ -496,8 +497,15 @@ extern int selinux_getpolicytype(char **policytype);
  */
 extern const char *selinux_policy_root(void);
 +/*
 +  selinux_set_policy_root sets an alternate policy root directory path under 
 +  which the compiled policy file and context configuration files exist.
 + */
 +extern int selinux_set_policy_root(const char *rootpath);
 +
 /* These functions return the paths to specific files under the 
    policy root directory. */
 +extern const char *selinux_current_policy_path(void);
@ -72,6 +80,77 @@ index 0000000..175a611
 +++ b/libselinux/man/man3/selinux_current_policy_path.3
@@ -0,0 +1 @@
 +.so man3/selinux_binary_policy_path.3
 diff --git a/libselinux/man/man3/selinux_policy_root.3 b/libselinux/man/man3/selinux_policy_root.3
 index a6ccf86..63dc901 100644
 --- a/libselinux/man/man3/selinux_policy_root.3
 +++ b/libselinux/man/man3/selinux_policy_root.3
@@ -1,21 +1,34 @@
 .TH "selinux_policy_root" "3" "25 May 2004" "dwalsh@redhat.com" "SELinux API documentation"
 .SH "NAME"
 selinux_policy_root \- return the path of the SELinux policy files for this machine
 +selinux_set_policy_root \- Set an alternate SELinux root path for the SELinux policy files for this machine.
 .
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .B const char *selinux_policy_root(void);
 .
 +.sp
 +.B int selinux_set_policy_root(const char *policypath);
 +.
 .SH "DESCRIPTION"
 .BR selinux_policy_root ()
 reads the contents of the
 .I /etc/selinux/config
 file to determine which policy files should be used for this machine.
 .
 +.BR selinux_set_policy_root ()
 +sets up all all policy paths based on the alternate root
 +
 +.I /etc/selinux/config
 +file to determine which policy files should be used for this machine.
 +.
 .SH "RETURN VALUE"
 -On success, returns a directory path containing the SELinux policy files.
 -On failure, NULL is returned.
 +On success, selinux_policy_root returns a directory path containing the SELinux policy files.
 +On failure, selinux_policy_root returns NULL.
 +
 +On success, selinux_set_policy_root returns 0 on success -1 on failure.
 +
 .
 .SH "SEE ALSO"
 .BR selinux "(8)"
 diff --git a/libselinux/man/man3/selinux_set_policy_root.3 b/libselinux/man/man3/selinux_set_policy_root.3
 new file mode 100644
 index 0000000..8077658
 --- /dev/null
 +++ b/libselinux/man/man3/selinux_set_policy_root.3
@@ -0,0 +1 @@
 +.so man3/selinux_policy_root.3
 diff --git a/libselinux/man/man8/matchpathcon.8 b/libselinux/man/man8/matchpathcon.8
 index 368991f..5d60789 100644
 --- a/libselinux/man/man8/matchpathcon.8
 +++ b/libselinux/man/man8/matchpathcon.8
@@ -13,6 +13,8 @@ matchpathcon \- get the default SELinux security context for the specified path
 .IR file_contexts_file ]
 .RB [ \-p
 .IR prefix ]
 +.RB [ \-P
 +.IR policy_root_path ]
 .I filepath...
 .
 .SH "DESCRIPTION"
@@ -46,6 +48,9 @@ Use alternate file_context file
 .BI \-p " prefix"
 Use prefix to speed translations
 .TP
 +.BI \-P " policy_root_path"
 +Use alternate policy root path
 +.TP
 .B \-V
 Verify file context on disk matches defaults
 .
 diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
 index a328866..50868e4 100644
 --- a/libselinux/man/man8/selinux.8
@ -389,6 +468,27 @@ index b9e8002..355730a 100644
 }
 hidden_def(get_ordered_context_list)
 diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
 index 5f697f3..9b0d6b0 100644
 --- a/libselinux/src/label_file.c
 +++ b/libselinux/src/label_file.c
@@ -649,6 +649,8 @@ static struct selabel_lookup_rec *lookup(struct selabel_handle *rec,
 				break;
 			} else if (rc == PCRE_ERROR_NOMATCH)
 				continue;
 +
 +			errno = ENOENT;
 			/* else it's an error */
 			goto finish;
 		}
@@ -660,6 +662,7 @@ static struct selabel_lookup_rec *lookup(struct selabel_handle *rec,
 		goto finish;
 	}
 +	errno = 0;
 	ret = &spec_arr[i].lr;
 finish:
 diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
 index 2d7369e..2a00807 100644
 --- a/libselinux/src/matchpathcon.c
@ -423,18 +523,71 @@ index 6c5b45a..0a0dd3e 100644
 		return 0;
 	}
 diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
-index 296f357..4913c55 100644
+index 296f357..0040524 100644
 --- a/libselinux/src/selinux_config.c
 +++ b/libselinux/src/selinux_config.c
-@@ -8,6 +8,7 @@
+@@ -8,6 +8,8 @@
 #include <limits.h>
 #include <unistd.h>
 #include <pthread.h>
 +#include <errno.h>
 +#include "policy.h"
 #include "selinux_internal.h"
 #include "get_default_type_internal.h"
-@@ -303,6 +304,29 @@ const char *selinux_binary_policy_path(void)
+@@ -138,6 +140,13 @@ int selinux_getpolicytype(char **type)
 hidden_def(selinux_getpolicytype)
 +static int setpolicytype(const char *type)
 +{
 +	free(selinux_policytype);
 +	selinux_policytype = strdup(type);
 +	return selinux_policytype ? 0 : -1;
 +}
 +
 static char *selinux_policyroot = NULL;
 static const char *selinux_rootpath = SELINUXDIR;
@@ -261,6 +270,37 @@ const char *selinux_policy_root(void)
 	return selinux_policyroot;
 }
 +int selinux_set_policy_root(const char *path)
 +{
 +	int i;
 +	char *policy_type = strchr(selinux_policyroot, '/');
 +	if (!policy_type) {
 +		errno = EINVAL;
 +		return -1;
 +	}
 +	policy_type++;
 +
 +	fini_selinuxmnt();
 +	fini_selinux_policyroot();
 +
 +	selinux_policyroot = strdup(path);
 +	if (! selinux_policyroot) 
 +		return -1;
 +
 +	if (setpolicytype(policy_type) != 0)
 +		return -1;
 +
 +	for (i = 0; i < NEL; i++)
 +		if (asprintf(&file_paths[i], "%s%s",
 +			     selinux_policyroot,
 +			     file_path_suffixes_data.str +
 +			     file_path_suffixes_idx[i])
 +		    == -1)
 +			return -1;
 +
 +	return 0;
 +}
 +
 const char *selinux_path(void)
 {
 	return selinux_rootpath;
@@ -303,6 +343,31 @@ const char *selinux_binary_policy_path(void)
 hidden_def(selinux_binary_policy_path)
@ -444,18 +597,20 @@ index 296f357..4913c55 100644
 +	int vers = 0;
 +	static char policy_path[PATH_MAX];
 +
-+	snprintf(policy_path, sizeof(policy_path), "%s/policy", selinux_mnt);
+	if (selinux_mnt) {
-+	if (access(policy_path, F_OK) != 0 ) {
+		snprintf(policy_path, sizeof(policy_path), "%s/policy", selinux_mnt);
-+		vers = security_policyvers();
+		if (access(policy_path, F_OK) == 0 ) {
-+		do {
+			return policy_path;
-+			/* Check prior versions to see if old policy is available */
+		}
 +			snprintf(policy_path, sizeof(policy_path), "%s.%d",
 +				 selinux_binary_policy_path(), vers);
 +		} while ((rc = access(policy_path, F_OK)) && --vers > 0);
 +
 +		if (rc) return NULL;
 +	}
-+
+	vers = security_policyvers();
 +	do {
 +		/* Check prior versions to see if old policy is available */
 +		snprintf(policy_path, sizeof(policy_path), "%s.%d",
 +			 selinux_binary_policy_path(), vers);
 +	} while ((rc = access(policy_path, F_OK)) && --vers > 0);
 +	
 +	if (rc) return NULL;
 +	return policy_path;
 +}
 +
@ -489,50 +644,112 @@ index a801ee8..b3bdca2 100644
 #define RAW_TO_TRANS_CONTEXT		2
 #define TRANS_TO_RAW_CONTEXT		3
 diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
 index dd5aaa3..9d3ff3a 100644
 --- a/libselinux/utils/matchpathcon.c
 +++ b/libselinux/utils/matchpathcon.c
@@ -12,11 +12,10 @@
 #include <limits.h>
 #include <stdlib.h>
 -
 static void usage(const char *progname)
 {
 	fprintf(stderr,
 -		"usage:  %s [-N] [-n] [-f file_contexts] [-p prefix] [-Vq] path...\n",
 +		"usage:  %s [-N] [-n] [-f file_contexts] [ -P policy_root_path ] [-p prefix] [-Vq] path...\n",
 		progname);
 	exit(1);
 }
@@ -78,7 +77,7 @@ int main(int argc, char **argv)
 	if (argc < 2)
 		usage(argv[0]);
 -	while ((opt = getopt(argc, argv, "m:Nnf:p:Vq")) > 0) {
 +	while ((opt = getopt(argc, argv, "m:Nnf:P:p:Vq")) > 0) {
 		switch (opt) {
 		case 'n':
 			header = 0;
@@ -113,6 +112,15 @@ int main(int argc, char **argv)
 				exit(1);
 			}
 			break;
 +		case 'P':
 +			if (selinux_set_policy_root(optarg) < 0 ) {
 +				fprintf(stderr,
 +					"Error setting policy root  %s:  %s\n",
 +					optarg,
 +					errno ? strerror(errno) : "invalid");
 +				exit(1);
 +			}
 +			break;
 		case 'p':
 			if (init) {
 				fprintf(stderr,
 diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c
-index 6f79dd6..eb88ea8 100644
+index 6f79dd6..e019a07 100644
 --- a/libselinux/utils/sefcontext_compile.c
 +++ b/libselinux/utils/sefcontext_compile.c
-@@ -6,6 +6,7 @@
+@@ -145,7 +145,7 @@ static int process_file(struct saved_data *data, const char *filename)
- #include <string.h>
+  *	u32  - data length of the pcre regex study daya
  *	char - a buffer holding the raw pcre regex study data
  */
 -static int write_binary_file(struct saved_data *data, char *filename)
 +static int write_binary_file(struct saved_data *data, int fd)
 {
 	struct spec *specs = data->spec_arr;
 	FILE *bin_file;
@@ -155,7 +155,7 @@ static int write_binary_file(struct saved_data *data, char *filename)
 	uint32_t i;
 	int rc;
- #include <linux/limits.h>
+-	bin_file = fopen(filename, "w");
-+#include <libgen.h>
+	bin_file = fdopen(fd, "w");
- 
+ 	if (!bin_file) {
- #include "../src/label_file.h"
+ 		perror("fopen output_file");
- 
+ 		exit(EXIT_FAILURE);
-@@ -321,7 +322,8 @@ int main(int argc, char *argv[])
+@@ -321,7 +321,9 @@ int main(int argc, char *argv[])
 	const char *path;
 	char stack_path[PATH_MAX + 1];
 	int rc;
 -
-+	char *tmp, *tmppath;
+	char *tmp= NULL;
 +	int fd;
 +	
 	if (argc != 2) {
 		fprintf(stderr, "usage: %s input_file\n", argv[0]);
 		exit(EXIT_FAILURE);
-@@ -342,10 +344,21 @@ int main(int argc, char *argv[])
+@@ -342,13 +344,29 @@ int main(int argc, char *argv[])
 	rc = snprintf(stack_path, sizeof(stack_path), "%s.bin", path);
 	if (rc < 0 || rc >= sizeof(stack_path))
 		return rc;
 -	rc = write_binary_file(&data, stack_path);
-	if (rc < 0)
+
 +	if (asprintf(&tmp, "%sXXXXXX", stack_path) < 0)
 +		return -1;
 +
 +	fd  = mkstemp(tmp);
 +	if (fd < 0) 
 +		goto err;
 +
 +	rc = write_binary_file(&data, fd);
 +
 	if (rc < 0)
 -		return rc;
 +		goto err;
 +	tmppath = strdup(stack_path);
 +	if (!tmppath) 
 +		return -1;
 +	tmp = tempnam(dirname(tmppath), ".bin");
 +	free(tmppath);
 +	if (!tmp) 
 +		return -1;
 +	rc = write_binary_file(&data, tmp);
 +	if (rc < 0) {
 +		free(tmp);
 +		return rc;
 +	}
 +	rename(tmp, stack_path);
 +	free(tmp);
 	rc = free_specs(&data);
 	if (rc < 0)
- 		return rc;
+-		return rc;
 +		goto err;
 -	return 0;
 +	rc = 0;
 +out:
 +	free(tmp);
 +	return rc;
 +err:
 +	rc = -1;
 +	goto out;
 }
--- a/libselinux.spec
+++ b/libselinux.spec
@ -10,7 +10,7 @@
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 2.1.13
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 Source: %{name}-%{version}.tgz
@ -241,6 +241,11 @@ rm -rf %{buildroot}
 %{ruby_sitearch}/selinux.so
 %changelog
 * Wed Mar 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-9
 - Cleanup setfcontext_compile atomic patch
 - Add matchpathcon -P /etc/selinux/mls support by allowing users to set alternate root
 - Make sure we set exit codes from selinux_label calls to ENOENT or SUCCESS
 * Wed Mar 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-8
 - Make setfcontext_compile atomic