From d6966f294ba8a1bedb01109bd75aa6aea8269b69 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 23 Jun 2009 19:40:42 +0000
Subject: [PATCH] - Update to upstream Fix improper use of thread local storage from Tomas Mraz . Label substitution support from Dan Walsh. Support for labeling virtual machine images from Dan Walsh.
---
libselinux-rhat.patch | 289 +++++-------------------------------------
1 file changed, 34 insertions(+), 255 deletions(-)
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index 0827572..2422d1c 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -1,19 +1,7 @@ -diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-2.0.80/include/selinux/selinux.h ---- nsalibselinux/include/selinux/selinux.h 2009-04-08 09:06:23.000000000 -0400 -+++ libselinux-2.0.80/include/selinux/selinux.h 2009-04-08 09:08:28.000000000 -0400 -@@ -481,8 +481,11 @@ - extern const char *selinux_file_context_path(void); - extern const char *selinux_file_context_homedir_path(void); - extern const char *selinux_file_context_local_path(void); -+extern const char *selinux_file_context_subs_path(void); - extern const char *selinux_homedir_context_path(void); - extern const char *selinux_media_context_path(void); -+extern const char *selinux_virtual_domain_context_path(void); -+extern const char *selinux_virtual_image_context_path(void); - extern const char *selinux_x_context_path(void); - extern const char *selinux_contexts_path(void); - extern const char *selinux_securetty_types_path(void); -@@ -544,6 +547,14 @@ +diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-2.0.81/include/selinux/selinux.h +--- nsalibselinux/include/selinux/selinux.h 2009-06-23 15:36:07.000000000 -0400 ++++ libselinux-2.0.81/include/selinux/selinux.h 2009-05-18 14:04:07.000000000 -0400 +@@ -547,6 +547,14 @@ Caller must free the returned strings via free. */ extern int getseuserbyname(const char *linuxuser, char **seuser, char **level); 
@@ -28,9 +16,9 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h lib /* Compare two file contexts, return 0 if equivalent. */ int selinux_file_context_cmp(const security_context_t a, const security_context_t b); -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxconlist.8 libselinux-2.0.80/man/man8/selinuxconlist.8 +diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxconlist.8 libselinux-2.0.81/man/man8/selinuxconlist.8 --- nsalibselinux/man/man8/selinuxconlist.8 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-2.0.80/man/man8/selinuxconlist.8 2009-04-08 09:08:28.000000000 -0400 ++++ libselinux-2.0.81/man/man8/selinuxconlist.8 2009-05-18 14:04:07.000000000 -0400 @@ -0,0 +1,18 @@ +.TH "selinuxconlist" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation" +.SH "NAME" @@ -50,9 +38,9 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxconlist.8 lib + +.SH "SEE ALSO" +secon(8), selinuxdefcon(8) -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxdefcon.8 libselinux-2.0.80/man/man8/selinuxdefcon.8 +diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxdefcon.8 libselinux-2.0.81/man/man8/selinuxdefcon.8 --- nsalibselinux/man/man8/selinuxdefcon.8 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-2.0.80/man/man8/selinuxdefcon.8 2009-04-08 09:08:28.000000000 -0400 ++++ libselinux-2.0.81/man/man8/selinuxdefcon.8 2009-05-18 14:04:07.000000000 -0400 @@ -0,0 +1,19 @@ +.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation" +.SH "NAME" 
@@ -73,9 +61,9 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxdefcon.8 libs + +.SH "SEE ALSO" +secon(8), selinuxconlist(8) -diff --exclude-from=exclude -N -u -r nsalibselinux/src/callbacks.c libselinux-2.0.80/src/callbacks.c +diff --exclude-from=exclude -N -u -r nsalibselinux/src/callbacks.c libselinux-2.0.81/src/callbacks.c --- nsalibselinux/src/callbacks.c 2009-04-08 09:06:23.000000000 -0400 -+++ libselinux-2.0.80/src/callbacks.c 2009-04-08 09:08:28.000000000 -0400 ++++ libselinux-2.0.81/src/callbacks.c 2009-05-18 14:04:07.000000000 -0400 @@ -16,6 +16,7 @@ { int rc; @@ -84,9 +72,9 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/callbacks.c libselinux-2. va_start(ap, fmt); rc = vfprintf(stderr, fmt, ap); va_end(ap); -diff --exclude-from=exclude -N -u -r nsalibselinux/src/exception.sh libselinux-2.0.80/src/exception.sh +diff --exclude-from=exclude -N -u -r nsalibselinux/src/exception.sh libselinux-2.0.81/src/exception.sh --- nsalibselinux/src/exception.sh 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-2.0.80/src/exception.sh 2009-04-08 09:08:28.000000000 -0400 ++++ libselinux-2.0.81/src/exception.sh 2009-05-18 14:04:07.000000000 -0400 @@ -0,0 +1,12 @@ +function except() { +echo " 
@@ -100,168 +88,15 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/exception.sh libselinux-2 +" +} +for i in `grep "extern *int" ../include/selinux/selinux.h | awk '{ print $3 }' | cut -d '(' -f 1`; do except $i ; done -diff --exclude-from=exclude -N -u -r nsalibselinux/src/file_path_suffixes.h libselinux-2.0.80/src/file_path_suffixes.h ---- nsalibselinux/src/file_path_suffixes.h 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.80/src/file_path_suffixes.h 2009-04-08 09:08:28.000000000 -0400 -@@ -20,3 +20,6 @@ - S_(FILE_CONTEXTS_LOCAL, "/contexts/files/file_contexts.local") - S_(X_CONTEXTS, "/contexts/x_contexts") - S_(COLORS, "/secolor.conf") -+ S_(VIRTUAL_DOMAIN, "/contexts/virtual_domain_context") -+ S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context") -+ S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs") -diff --exclude-from=exclude -N -u -r nsalibselinux/src/label.c libselinux-2.0.80/src/label.c ---- nsalibselinux/src/label.c 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.80/src/label.c 2009-04-08 09:08:28.000000000 -0400 -@@ -5,10 +5,12 @@ - */ +diff --exclude-from=exclude -N -u -r nsalibselinux/src/Makefile libselinux-2.0.81/src/Makefile +--- nsalibselinux/src/Makefile 2009-06-23 15:36:07.000000000 -0400 ++++ libselinux-2.0.81/src/Makefile 2009-05-18 14:04:07.000000000 -0400 +@@ -79,9 +79,12 @@ + $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. 
-lselinux -L$(LIBDIR) -Wl,-soname,$@ - #include -+#include - #include - #include - #include - #include -+#include - #include "callbacks.h" - #include "label_internal.h" - -@@ -23,6 +25,96 @@ - &selabel_x_init - }; - -+typedef struct selabel_sub { -+ char *src; -+ int slen; -+ char *dst; -+ struct selabel_sub *next; -+} SELABELSUB; -+ -+SELABELSUB *selabelsublist = NULL; -+ -+static void selabel_subs_fini(void) -+{ -+ SELABELSUB *ptr = selabelsublist; -+ SELABELSUB *next = NULL; -+ while (ptr) { -+ next = ptr->next; -+ free(ptr->src); -+ free(ptr->dst); -+ free(ptr); -+ ptr = next; -+ } -+ selabelsublist = NULL; -+} -+ -+static char *selabel_sub(const char *src) -+{ -+ char *dst = NULL; -+ SELABELSUB *ptr = selabelsublist; -+ while (ptr) { -+ if (strncmp(src, ptr->src, ptr->slen) == 0 ) { -+ if (src[ptr->slen] == '/' || -+ src[ptr->slen] == 0) { -+ asprintf(&dst, "%s%s", ptr->dst, &src[ptr->slen]); -+ return dst; -+ } -+ } -+ ptr = ptr->next; -+ } -+ return NULL; -+} -+ -+static int selabel_subs_init(void) -+{ -+ char buf[1024]; -+ FILE *cfg = fopen(selinux_file_context_subs_path(), "r"); -+ if (cfg) { -+ while (fgets_unlocked(buf, sizeof(buf) - 1, cfg)) { -+ char *ptr = NULL; -+ char *src = buf; -+ char *dst = NULL; -+ -+ while (*src && isspace(*src)) -+ src++; -+ if (src[0] == '#') continue; -+ ptr = src; -+ while (*ptr && ! isspace(*ptr)) -+ ptr++; -+ *ptr++ = 0; -+ if (! *src) continue; -+ -+ dst = ptr; -+ while (*dst && isspace(*dst)) -+ dst++; -+ ptr=dst; -+ while (*ptr && ! isspace(*ptr)) -+ ptr++; -+ *ptr=0; -+ if (! *dst) continue; -+ -+ SELABELSUB *sub = (SELABELSUB*) malloc(sizeof(SELABELSUB)); -+ if (! sub) return -1; -+ sub->src=strdup(src); -+ if (! sub->src) { -+ free(sub); -+ return -1; -+ } -+ sub->dst=strdup(dst); -+ if (! 
sub->dst) { -+ free(sub); -+ free(sub->src); -+ return -1; -+ } -+ sub->slen = strlen(src); -+ sub->next = selabelsublist; -+ selabelsublist = sub; -+ } -+ fclose(cfg); -+ } -+ return 0; -+} -+ - /* - * Validation functions - */ -@@ -67,6 +159,8 @@ - goto out; - } - -+ selabel_subs_init(); -+ - rec = (struct selabel_handle *)malloc(sizeof(*rec)); - if (!rec) - goto out; -@@ -88,7 +182,14 @@ - selabel_lookup_common(struct selabel_handle *rec, int translating, - const char *key, int type) - { -- struct selabel_lookup_rec *lr = rec->func_lookup(rec, key, type); -+ struct selabel_lookup_rec *lr; -+ char *ptr = selabel_sub(key); -+ if (ptr) { -+ lr = rec->func_lookup(rec, ptr, type); -+ free(ptr); -+ } else { -+ lr = rec->func_lookup(rec, key, type); -+ } - if (!lr) - return NULL; - -@@ -132,6 +233,8 @@ - { - rec->func_close(rec); - free(rec); -+ -+ selabel_subs_fini(); - } - - void selabel_stats(struct selabel_handle *rec) -diff --exclude-from=exclude -N -u -r nsalibselinux/src/Makefile libselinux-2.0.80/src/Makefile ---- nsalibselinux/src/Makefile 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.80/src/Makefile 2009-04-08 09:08:28.000000000 -0400 -@@ -82,6 +82,9 @@ - $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -ldl -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro + $(LIBSO): $(LOBJS) +- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -ldl -lpthread -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro ++ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -ldl -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro ln -sf $@ $(TARGET) +selinuxswig_exception.i: ../include/selinux/selinux.h 
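Review bot: The rebased Makefile hunk on the new side removes `-lpthread` from the `$(LIBSO)` link line but keeps `-Wl,-z,defs`, so the link now only succeeds if every pthread symbol the reworked thread-local-storage code references (the commit message's TLS fix presumably relies on `pthread_key_create`-style storage) is either provided by libc or declared weak, as libselinux's `#pragma weak pthread_*` declarations in selinux_internal.h appear intended to do; a strong undefined reference would become a hard link failure, and a weak one must be null-checked before it is called in a process that never loaded libpthread. Since this is a deliberate divergence from upstream's link line, the patch header or spec should record why, e.g. `# -lpthread dropped on purpose: libselinux resolves its pthread symbols as weak references`. The same hunk also drops the downstream `selabel_subs_init`/`selabel_sub` in favour of the upstream 2.0.81 copy; the dropped code freed `sub` before reading `sub->src` on the `strdup` failure path and left the `asprintf` result unchecked in `selabel_sub`, so it is worth confirming the upstream version does not carry those defects forward.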
@@ -290,9 +125,9 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/Makefile libselinux-2.0.8 distclean: clean rm -f $(GENERATED) $(SWIGFILES) -diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.80/src/matchpathcon.c +diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.81/src/matchpathcon.c --- nsalibselinux/src/matchpathcon.c 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.80/src/matchpathcon.c 2009-04-08 09:08:28.000000000 -0400 ++++ libselinux-2.0.81/src/matchpathcon.c 2009-05-18 14:04:07.000000000 -0400 @@ -2,6 +2,7 @@ #include #include 
@@ -310,65 +145,9 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux va_end(ap); } -diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-2.0.80/src/selinux_config.c ---- nsalibselinux/src/selinux_config.c 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.80/src/selinux_config.c 2009-04-08 09:08:28.000000000 -0400 -@@ -40,7 +40,10 @@ - #define SECURETTY_TYPES 18 - #define X_CONTEXTS 19 - #define COLORS 20 --#define NEL 21 -+#define VIRTUAL_DOMAIN 21 -+#define VIRTUAL_IMAGE 22 -+#define FILE_CONTEXT_SUBS 23 -+#define NEL 24 - - /* New layout is relative to SELINUXDIR/policytype. */ - static char *file_paths[NEL]; -@@ -391,3 +394,24 @@ - } - - hidden_def(selinux_x_context_path) -+ -+const char *selinux_virtual_domain_context_path() -+{ -+ return get_path(VIRTUAL_DOMAIN); -+} -+ -+hidden_def(selinux_virtual_domain_context_path) -+ -+const char *selinux_virtual_image_context_path() -+{ -+ return get_path(VIRTUAL_IMAGE); -+} -+ -+hidden_def(selinux_virtual_image_context_path) -+ -+const char * selinux_file_context_subs_path(void) { -+ return get_path(FILE_CONTEXT_SUBS); -+} -+ -+hidden_def(selinux_file_context_subs_path) -+ -diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_internal.h libselinux-2.0.80/src/selinux_internal.h ---- nsalibselinux/src/selinux_internal.h 2009-04-08 09:06:23.000000000 -0400 -+++ libselinux-2.0.80/src/selinux_internal.h 2009-04-08 09:08:28.000000000 -0400 -@@ -59,9 +59,12 @@ - hidden_proto(selinux_securetty_types_path) - hidden_proto(selinux_failsafe_context_path) - hidden_proto(selinux_removable_context_path) -+ hidden_proto(selinux_virtual_domain_context_path) -+ hidden_proto(selinux_virtual_image_context_path) - hidden_proto(selinux_file_context_path) - hidden_proto(selinux_file_context_homedir_path) - hidden_proto(selinux_file_context_local_path) -+ hidden_proto(selinux_file_context_subs_path) - hidden_proto(selinux_netfilter_context_path) - 
hidden_proto(selinux_homedir_context_path) - hidden_proto(selinux_user_contexts_path) -diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux.py libselinux-2.0.80/src/selinux.py +diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux.py libselinux-2.0.81/src/selinux.py --- nsalibselinux/src/selinux.py 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.80/src/selinux.py 2009-04-08 09:08:28.000000000 -0400 ++++ libselinux-2.0.81/src/selinux.py 2009-05-18 14:04:07.000000000 -0400 @@ -1,12 +1,26 @@ # This file was automatically generated by SWIG (http://www.swig.org). -# Version 1.3.35 @@ -2580,9 +2359,9 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux.py libselinux-2.0 +selinux_lsetfilecon_default = _selinux.selinux_lsetfilecon_default -diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig.i libselinux-2.0.80/src/selinuxswig.i +diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig.i libselinux-2.0.81/src/selinuxswig.i --- nsalibselinux/src/selinuxswig.i 2009-03-12 08:48:48.000000000 -0400 -+++ libselinux-2.0.80/src/selinuxswig.i 2009-04-08 09:08:28.000000000 -0400 ++++ libselinux-2.0.81/src/selinuxswig.i 2009-05-18 14:04:07.000000000 -0400 @@ -4,11 +4,14 @@ %module selinux @@ -2616,9 +2395,9 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig.i libselinux- +%include "../include/selinux/get_default_type.h" +%include "../include/selinux/label.h" +%include "../include/selinux/selinux.h" -diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_python.i libselinux-2.0.80/src/selinuxswig_python.i +diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_python.i libselinux-2.0.81/src/selinuxswig_python.i --- nsalibselinux/src/selinuxswig_python.i 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.80/src/selinuxswig_python.i 2009-04-08 09:08:28.000000000 -0400 ++++ libselinux-2.0.81/src/selinuxswig_python.i 2009-05-18 14:04:07.000000000 -0400 
@@ -21,6 +21,15 @@ map(restorecon, [os.path.join(dirname, fname) for fname in fnames]), None) @@ -2641,9 +2420,9 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_python.i libs +%include "selinuxswig_exception.i" %include "selinuxswig.i" -diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libselinux-2.0.80/src/selinuxswig_wrap.c +diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libselinux-2.0.81/src/selinuxswig_wrap.c --- nsalibselinux/src/selinuxswig_wrap.c 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.80/src/selinuxswig_wrap.c 2009-04-08 09:08:28.000000000 -0400 ++++ libselinux-2.0.81/src/selinuxswig_wrap.c 2009-05-18 14:04:07.000000000 -0400 @@ -1,6 +1,6 @@ /* ---------------------------------------------------------------------------- * This file was automatically generated by SWIG (http://www.swig.org). @@ -17029,9 +16808,9 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel +#endif } -diff --exclude-from=exclude -N -u -r nsalibselinux/src/seusers.c libselinux-2.0.80/src/seusers.c +diff --exclude-from=exclude -N -u -r nsalibselinux/src/seusers.c libselinux-2.0.81/src/seusers.c --- nsalibselinux/src/seusers.c 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.80/src/seusers.c 2009-04-08 09:08:28.000000000 -0400 ++++ libselinux-2.0.81/src/seusers.c 2009-05-18 14:04:07.000000000 -0400 @@ -243,3 +243,67 @@ *r_level = NULL; return 0; 
@@ -17100,9 +16879,9 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/seusers.c libselinux-2.0. + + return (ret ? getseuserbyname(username, r_seuser, r_level) : ret); +} -diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselinux-2.0.80/utils/matchpathcon.c +diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselinux-2.0.81/utils/matchpathcon.c --- nsalibselinux/utils/matchpathcon.c 2009-05-18 13:53:14.000000000 -0400 -+++ libselinux-2.0.80/utils/matchpathcon.c 2009-04-08 09:08:28.000000000 -0400 ++++ libselinux-2.0.81/utils/matchpathcon.c 2009-05-18 14:04:07.000000000 -0400 @@ -22,9 +22,13 @@ char *buf; int rc = matchpathcon(path, mode, &buf);