From e1c914df474eca94474e7d0e856e04b4715f200b Mon Sep 17 00:00:00 2001
From: rhatdan
Date: Thu, 25 Oct 2012 16:27:52 -0400
Subject: [PATCH] Add new function mode_to_security_class which takes mode instead of a string.
- Possibly will be used with coreutils.
---
 libselinux-rhat.patch | 169 +++++++++++++++++++++++++++++++++++++++---
 libselinux.spec | 25 ++++++-
 2 files changed, 182 insertions(+), 12 deletions(-)
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index a146711..227ac07 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -1,8 +1,17 @@
 diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
-index 6b9089d..85b0cfc 100644
+index 6b9089d..aba6e33 100644
 --- a/libselinux/include/selinux/selinux.h
 +++ b/libselinux/include/selinux/selinux.h
-@@ -496,7 +496,9 @@ extern const char *selinux_policy_root(void);
+@@ -360,6 +360,8 @@ extern int selinux_set_mapping(struct security_class_mapping *map);
+
+ /* Common helpers */
+
++/* Convert between mode and security class values */
++extern security_class_t mode_to_security_class(mode_t mode);
+ /* Convert between security class values and string names */
+ extern security_class_t string_to_security_class(const char *name);
+ extern const char *security_class_to_string(security_class_t cls);
+@@ -496,7 +498,9 @@ extern const char *selinux_policy_root(void);
  /* These functions return the paths to specific files under the policy root directory. */
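Review bot: The prototype `extern security_class_t mode_to_security_class(mode_t mode);` added under `/* Common helpers */` depends on mode_t, and the hunk adds no `#include <sys/types.h>` next to it; as far as I recall selinux.h already pulls that header in for its pid_t-taking functions, but that is outside this hunk, so please confirm rather than rely on every consumer including <sys/stat.h> first. The new comment/prototype pair also runs straight into the existing `/* Convert between security class values and string names */` comment with no blank line, so the two groups read as one. A blank line after the new prototype, and a header comment stating what the function returns for a mode that is not one of the recognised file types, would match the documentation style of the surrounding declarations.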
@@ -12,6 +21,45 @@ index 6b9089d..85b0cfc 100644
  extern const char *selinux_failsafe_context_path(void);
  extern const char *selinux_removable_context_path(void);
  extern const char *selinux_default_context_path(void);
+diff --git a/libselinux/man/man3/security_class_to_string.3 b/libselinux/man/man3/security_class_to_string.3
+index 140737e..e82e1d8 100644
+--- a/libselinux/man/man3/security_class_to_string.3
++++ b/libselinux/man/man3/security_class_to_string.3
+@@ -3,7 +3,7 @@
+ .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
+ .TH "security_class_to_string" "3" "30 Mar 2007" "" "SELinux API documentation"
+ .SH "NAME"
+-security_class_to_string, security_av_perm_to_string, string_to_security_class, string_to_av_perm, security_av_string \- convert
++security_class_to_string, security_av_perm_to_string, string_to_security_class, string_to_av_perm, security_av_string, mode_to_security_class \- convert
+ between SELinux class and permission values and string names.
+
+ print_access_vector \- display an access vector in human-readable form.
+@@ -21,6 +21,8 @@ print_access_vector \- display an access vector in human-readable form.
+ .sp
+ .BI "security_class_t string_to_security_class(const char *" name ");"
+ .sp
++.BI "security_class_t mode_to_security_class(mode_t " mode ");"
++.sp
+ .BI "access_vector_t string_to_av_perm(security_class_t " tclass ", const char *" name ");"
+ .sp
+ .BI "void print_access_vector(security_class_t " tclass ", access_vector_t " av ");"
+@@ -53,6 +55,11 @@ returns the class value corresponding to the string name
+ .IR name ,
+ or zero if no such class exists.
+
++.B mode_to_security_class
++returns the class value corresponding to the specified
++.IR mode ,
++or zero if no such class exists.
++
+ .B string_to_av_perm
+ returns the access vector bit corresponding to the string name
+ .I name
+@@ -88,3 +95,4 @@ Eamon Walsh
+ .BR selinux (8),
+ .BR getcon (3),
+ .BR getfilecon (3)
++.BR stat (3)
 diff --git a/libselinux/man/man3/selinux_binary_policy_path.3 b/libselinux/man/man3/selinux_binary_policy_path.3
 index 8ead1a4..c68ace5 100644
 --- a/libselinux/man/man3/selinux_binary_policy_path.3
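Review bot: The new `++.BR stat (3)` line is appended after `.BR getfilecon (3)`, which carries no trailing comma, so the rendered SEE ALSO list would print `getfilecon(3) stat(3)` with no separator; the inner diff needs a `-`/`+` pair turning that context line into `.BR getfilecon (3),`. The stat man page in the Linux man-pages project is in section 2, so `.BR stat (2)` is likely the intended reference. In the DESCRIPTION, `or zero if no such class exists` undersells the new function: the stringrep.c hunk elsewhere in this commit also returns zero with errno set to EINVAL when the mode is none of the seven file types it recognises, and the page should say so, since callers that want to distinguish "unknown class" from "unsupported mode" need that detail.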
@@ -36,11 +84,64 @@ index 8ead1a4..c68ace5 100644
  .sp
  selinux_default_type_path - context file mapping roles to default types.
  .sp
+diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
+index 9f16f77..4835f2f 100644
+--- a/libselinux/man/man8/selinux.8
++++ b/libselinux/man/man8/selinux.8
+@@ -69,14 +69,27 @@ Many domains that are protected by SELinux also include SELinux man pages explai
+ All files, directories, devices ... have a security context/label associated with them. These context are stored in the extended attributes of the file system.
+ Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non SELinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling.
+
+-The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-securitylevel, also has this capability. The restorcon/fixfiles commands are also available for relabeling files.
++The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-selinux, also has this capability. The restorcon/fixfiles commands are also available for relabeling files.
+
+ .SH AUTHOR
+ This manual page was written by Dan Walsh .
+
+ .SH "SEE ALSO"
+-booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restorecon(8), setfiles(8), ftpd_selinux(8), named_selinux(8), rsync_selinux(8), httpd_selinux(8), nfs_selinux(8), samba_selinux(8), kerberos_selinux(8), nis_selinux(8), ypbind_selinux(8)
++booleans(8), setsebool(8), selinuxenabled(8), restorecon(8), setfiles(8), semanage(8), sepolicy(8)
++.br
+
++Every confined service on the system has a man page in the following format:
++.br
++
++.B _selinux(8)
++
++For example, httpd has the
++.B httpd_selinux(8)
++man page.
++
++.B man -k selinux
++
++Will list all SELinux man pages.
+
+ .SH FILES
+ /etc/selinux/config
 diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
-index 02483a3..89953d7 100644
+index 02483a3..c804e84 100644
 --- a/libselinux/src/audit2why.c
 +++ b/libselinux/src/audit2why.c
-@@ -206,27 +206,12 @@ static int __policy_init(const char *init_path)
+@@ -164,6 +164,9 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args)
+
+ if (PyArg_ParseTuple(args,(char *)":finish")) {
+ int i = 0;
++ if (! avc)
++ Py_RETURN_NONE;
++
+ for (i = 0; i < boolcnt; i++) {
+ free(boollist[i]->name);
+ free(boollist[i]);
+@@ -177,7 +180,7 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args)
+ avc = NULL;
+ boollist = NULL;
+ boolcnt = 0;
+-
++
+ /* Boilerplate to return "None" */
+ Py_RETURN_NONE;
+ }
+@@ -206,27 +209,12 @@ static int __policy_init(const char *init_path)
  return 1;
  }
  } else {
@@ -72,6 +173,17 @@ index 02483a3..89953d7 100644
  PyErr_SetString( PyExc_ValueError, errormsg);
  return 1;
  }
+@@ -295,6 +283,10 @@ static int __policy_init(const char *init_path)
+ static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) {
+ int result;
+ char *init_path=NULL;
++ if (avc) {
++ PyErr_SetString( PyExc_RuntimeError, "init called multiple times");
++ return NULL;
++ }
+ if (!PyArg_ParseTuple(args,(char *)"|s:policy_init",&init_path))
+ return NULL;
+ result = __policy_init(init_path);
 diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
 index 802a07f..6ff83a7 100644
 --- a/libselinux/src/avc.c
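Review bot: The `++ if (! avc) Py_RETURN_NONE;` guard at the top of finish() returns before the loop that frees `boollist[i]->name` and `boollist[i]` and before `boollist = NULL; boolcnt = 0;`, so it assumes a NULL avc implies nothing else is allocated; whether `__policy_init` can fail after allocating boollist but before setting avc is not visible in this hunk, and if it can, those entries are never released and a later init() overwrites the pointer. Keying the guard on the state actually being freed, e.g. `if (!avc && !boollist) Py_RETURN_NONE;`, or resetting boollist/boolcnt inside the guard, would make the early return self-contained. The `! avc` spacing also differs from `!PyArg_ParseTuple` in the same function, and the `+-`/`++` pair in the `@@ -177,7 +180,7 @@` hunk appears to be a whitespace-only change that adds patch churn with no effect. finish() starts before this hunk and continues past it.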
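Review bot: The new `if (avc) { PyErr_SetString( PyExc_RuntimeError, "init called multiple times"); return NULL; }` in init() turns a repeated policy_init() call into a hard error, so any Python caller that re-ran init() to pick up a new policy (what the old code did on a second call is outside this hunk) now has to call finish() first, and nothing in the patch states that contract. A comment above the check such as `/* policy state is global; finish() must run before init() can be called again */` and a matching line in the module's method docstring would make it discoverable. Placing the check ahead of PyArg_ParseTuple also means a bad argument is reported as "init called multiple times" when the module is already initialised, which is probably acceptable but worth a conscious choice. init() continues past the end of this hunk.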
@@ -625,6 +737,38 @@ index cfea186..8b1eba6 100644
  char **r_seuser, char **r_level) { int ret = -1;
  int len = 0;
+diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c
+index 176ac34..082778e 100644
+--- a/libselinux/src/stringrep.c
++++ b/libselinux/src/stringrep.c
+@@ -436,6 +436,27 @@ security_class_t string_to_security_class(const char *s)
+ return map_class(node->value);
+ }
+
++security_class_t mode_to_security_class(mode_t m) {
++
++ if (S_ISREG(m))
++ return string_to_security_class("file");
++ if (S_ISDIR(m))
++ return string_to_security_class("dir");
++ if (S_ISCHR(m))
++ return string_to_security_class("chr_file");
++ if (S_ISBLK(m))
++ return string_to_security_class("blk_file");
++ if (S_ISFIFO(m))
++ return string_to_security_class("fifo_file");
++ if (S_ISLNK(m))
++ return string_to_security_class("lnk_file");
++ if (S_ISSOCK(m))
++ return string_to_security_class("sock_file");
++
++ errno=EINVAL;
++ return 0;
++}
++
+ access_vector_t string_to_av_perm(security_class_t tclass, const char *s)
+ {
+ struct discover_class_node *node;
 diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
 index 8b9294d..060eaab 100644
 --- a/libselinux/utils/.gitignore
@@ -651,10 +795,10 @@ index 5f3e047..f469924 100644
  UNUSED_TARGETS+=compute_av compute_create compute_member compute_relabel
 diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c
 new file mode 100644
-index 0000000..f8a5fea
+index 0000000..15cc836
 --- /dev/null
 +++ b/libselinux/utils/sefcontext_compile.c
-@@ -0,0 +1,345 @@
+@@ -0,0 +1,350 @@
 +#include
 +#include
 +#include
@@ -676,8 +820,10 @@ index 0000000..f8a5fea
 + FILE *context_file;
 +
 + context_file = fopen(filename, "r");
-+ if (!context_file)
++ if (!context_file) {
++ fprintf(stderr, "Error opening %s: %s\n", filename, strerror(errno));
 + return -1;
++ }
 +
 + line_num = 0;
 + while ((len = getline(&line_buf, &line_len, context_file)) != -1) {
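Review bot: `mode_to_security_class()` sets `errno=EINVAL` only on the fall-through for a mode it does not recognise, while the seven S_IS* branches return whatever `string_to_security_class()` returns, which by the man page in this same commit is also zero when the class is absent from the loaded policy; a caller therefore gets zero in both cases and can only tell them apart if string_to_security_class sets errno itself, which is outside this hunk. Either document that distinction in the header comment or set errno explicitly on the class-not-found path as well, so the zero return has one documented meaning. Style-wise the definition puts `{` on the signature line and follows it with an empty line, whereas `access_vector_t string_to_av_perm(...)` directly below puts `{` on its own line, and the parameter is `m` here but `mode` in the selinux.h declaration; `security_class_t mode_to_security_class(mode_t mode)` with `{` on the next line would match the file.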
@@ -715,8 +861,10 @@ index 0000000..f8a5fea
 + }
 +
 + rc = grow_specs(data);
-+ if (rc)
++ if (rc) {
++ fprintf(stderr, "grow_specs failed: %s\n", strerror(errno));
 + return rc;
++ }
 +
 + spec = &data->spec_arr[data->nspec];
 +
@@ -738,9 +886,10 @@ index 0000000..f8a5fea
 +
 + regex_len = strlen(regex);
 + cp = anchored_regex = malloc(regex_len + 3);
-+ if (!cp)
++ if (!cp) {
++ fprintf(stderr, "Malloc Failed: %s\n", strerror(errno));
 + return -1;
-+
++ }
 + *cp++ = '^';
 + memcpy(cp, regex, regex_len);
 + cp += regex_len;
diff --git a/libselinux.spec b/libselinux.spec
index 270fb7e..9ece3f0 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -4,16 +4,18 @@
 %define ruby_inc %(pkg-config --cflags ruby-1.9)
 %define ruby_sitearch %(ruby -rrbconfig -e "puts RbConfig::CONFIG['vendorarchdir']")
-%define libsepolver 2.1.8-1
+%define libsepolver 2.1.7-4
 %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 2.1.12
-Release: 1%{?dist}
+Release: 6%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 Source: %{name}-%{version}.tgz
+Source1: selinuxconlist.8
+Source2: selinuxdefcon.8
 Url: http://oss.tresys.com/git/selinux.git
 Patch1: libselinux-rhat.patch
 BuildRequires: pkgconfig python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel
@@ -174,6 +176,9 @@ rm -f %{buildroot}%{_sbindir}/getseuser
 rm -f %{buildroot}%{_sbindir}/selinux_check_securetty_context
 mv %{buildroot}%{_sbindir}/getdefaultcon %{buildroot}%{_sbindir}/selinuxdefcon
 mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist
+install -d %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE1} %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/
 %clean
 rm -rf %{buildroot}
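Review bot: `fprintf(stderr, "grow_specs failed: %s\n", strerror(errno));` reports errno after a non-zero return from grow_specs(), but grow_specs() is not in this hunk and nothing here shows that it sets errno on every failure path; if it returns an error for a reason other than a failed allocation, or an intervening call clears errno, the message names an unrelated or stale error. Either let grow_specs() print its own diagnostic where errno is still meaningful, or drop the strerror() here: `fprintf(stderr, "grow_specs failed\n");`. The enclosing function starts and ends outside this hunk.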
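Review bot: The new message `"Malloc Failed: %s\n"` is capitalised differently from the other diagnostics this commit adds to the same file (`"Error opening %s: %s\n"`, `"grow_specs failed: %s\n"`); `"malloc failed: %s\n"` would keep them uniform, and including the regex being processed would make the failure easier to locate than a bare allocation error. The hunk also drops the blank line that separated the error return from `*cp++ = '^';`, a cosmetic change unrelated to the error reporting it adds. The enclosing function begins before this hunk.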
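Review bot: `-%define libsepolver 2.1.8-1` / `+%define libsepolver 2.1.7-4` lowers the libsepol-static build floor while Release moves from 1 to 6, and none of the changelog entries added in this commit explains the downgrade (the 2.1.12-2 entry only says "Rebuild with fixed libsepol"). If the lower bound is intentional, a changelog line naming the libsepol version now required would stop the next packager from restoring 2.1.8-1.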
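Review bot: The three `install` lines copy selinuxconlist.8 and selinuxdefcon.8 into `%{buildroot}%{_mandir}/man8/`, but the `%files` section is outside this hunk, so it is not visible whether a `%{_mandir}/man8/*` glob or explicit entries pick them up; if neither does, rpmbuild fails on unpackaged files. `install -p -m 644` would additionally preserve the source timestamps, which is the usual packaging practice for installed documentation.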
@@ -236,6 +241,22 @@ rm -rf %{buildroot}
 %{ruby_sitearch}/selinux.so
 %changelog
+* Fri Oct 19 2012 Dan Walsh - 2.1.12-6
+- Add new function mode_to_security_class which takes mode instead of a string.
+- Possibly will be used with coreutils.
+
+* Mon Oct 15 2012 Dan Walsh - 2.1.12-5
+- Add back selinuxconlist and selinuxdefcon man pages
+
+* Mon Oct 15 2012 Dan Walsh - 2.1.12-4
+- Fix segfault from calling audit2why.finish() multiple times
+
+* Fri Oct 12 2012 Dan Walsh - 2.1.12-3
+- Fix up selinux man page to reference service man pages
+
+* Wed Sep 19 2012 Dan Walsh - 2.1.12-2
+- Rebuild with fixed libsepol
+
 * Thu Sep 13 2012 Dan Walsh - 2.1.12-1
 - Update to upstream
 * Add support for lxc_contexts_path