Add new function mode_to_security_class which takes mode instead of a string.

- Possibly will be used with coreutils.
2012-10-25 16:27:52 -04:00 · 2012-10-25 16:27:52 -04:00 · e1c914df47
commit e1c914df47
parent 166aec5994
2 changed files with 182 additions and 12 deletions
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@ -1,8 +1,17 @@
 diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
-index 6b9089d..85b0cfc 100644
+index 6b9089d..aba6e33 100644
 --- a/libselinux/include/selinux/selinux.h
 +++ b/libselinux/include/selinux/selinux.h
-@@ -496,7 +496,9 @@ extern const char *selinux_policy_root(void);
+@@ -360,6 +360,8 @@ extern int selinux_set_mapping(struct security_class_mapping *map);
 /* Common helpers */
 +/* Convert between mode and security class values */
 +extern security_class_t mode_to_security_class(mode_t mode);
 /* Convert between security class values and string names */
 extern security_class_t string_to_security_class(const char *name);
 extern const char *security_class_to_string(security_class_t cls);
@@ -496,7 +498,9 @@ extern const char *selinux_policy_root(void);
 /* These functions return the paths to specific files under the 
    policy root directory. */
@ -12,6 +21,45 @@ index 6b9089d..85b0cfc 100644
 extern const char *selinux_failsafe_context_path(void);
 extern const char *selinux_removable_context_path(void);
 extern const char *selinux_default_context_path(void);
 diff --git a/libselinux/man/man3/security_class_to_string.3 b/libselinux/man/man3/security_class_to_string.3
 index 140737e..e82e1d8 100644
 --- a/libselinux/man/man3/security_class_to_string.3
 +++ b/libselinux/man/man3/security_class_to_string.3
@@ -3,7 +3,7 @@
 .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
 .TH "security_class_to_string" "3" "30 Mar 2007" "" "SELinux API documentation"
 .SH "NAME"
 -security_class_to_string, security_av_perm_to_string, string_to_security_class, string_to_av_perm, security_av_string \- convert
 +security_class_to_string, security_av_perm_to_string, string_to_security_class, string_to_av_perm, security_av_string, mode_to_security_class \- convert
 between SELinux class and permission values and string names.
 print_access_vector \- display an access vector in human-readable form. 
@@ -21,6 +21,8 @@ print_access_vector \- display an access vector in human-readable form.
 .sp
 .BI "security_class_t string_to_security_class(const char *" name ");"
 .sp
 +.BI "security_class_t mode_to_security_class(mode_t " mode ");"
 +.sp
 .BI "access_vector_t string_to_av_perm(security_class_t " tclass ", const char *" name ");"
 .sp
 .BI "void print_access_vector(security_class_t " tclass ", access_vector_t " av ");"
@@ -53,6 +55,11 @@ returns the class value corresponding to the string name
 .IR name ,
 or zero if no such class exists.
 +.B mode_to_security_class
 +returns the class value corresponding to the specified 
 +.IR mode ,
 +or zero if no such class exists.
 +
 .B string_to_av_perm
 returns the access vector bit corresponding to the string name
 .I name
@@ -88,3 +95,4 @@ Eamon Walsh <ewalsh@tycho.nsa.gov>
 .BR selinux (8),
 .BR getcon (3),
 .BR getfilecon (3)
 +.BR stat (3)
 diff --git a/libselinux/man/man3/selinux_binary_policy_path.3 b/libselinux/man/man3/selinux_binary_policy_path.3
 index 8ead1a4..c68ace5 100644
 --- a/libselinux/man/man3/selinux_binary_policy_path.3
@ -36,11 +84,64 @@ index 8ead1a4..c68ace5 100644
 .sp
 selinux_default_type_path - context file mapping roles to default types.
 .sp
 diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
 index 9f16f77..4835f2f 100644
 --- a/libselinux/man/man8/selinux.8
 +++ b/libselinux/man/man8/selinux.8
@@ -69,14 +69,27 @@ Many domains that are protected by SELinux also include SELinux man pages explai
 All files, directories, devices ... have a security context/label associated with them.  These context are stored in the extended attributes of the file system.
 Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non SELinux kernel.  If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling.  
 -The best way to relabel the file system is to create the flag file /.autorelabel and reboot.  system-config-securitylevel, also has this capability.  The restorcon/fixfiles commands are also available for relabeling files. 
 +The best way to relabel the file system is to create the flag file /.autorelabel and reboot.  system-config-selinux, also has this capability.  The restorcon/fixfiles commands are also available for relabeling files. 
 .SH AUTHOR	
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
 .SH "SEE ALSO"
 -booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restorecon(8), setfiles(8), ftpd_selinux(8), named_selinux(8), rsync_selinux(8), httpd_selinux(8), nfs_selinux(8), samba_selinux(8), kerberos_selinux(8), nis_selinux(8), ypbind_selinux(8)
 +booleans(8), setsebool(8), selinuxenabled(8), restorecon(8), setfiles(8), semanage(8), sepolicy(8)
 +.br
 +Every confined service on the system has a man page in the following format:
 +.br
 +
 +.B <servicename>_selinux(8)
 +
 +For example, httpd has the 
 +.B httpd_selinux(8) 
 +man page.
 +
 +.B man -k selinux 
 +
 +Will list all SELinux man pages.
 .SH FILES
 /etc/selinux/config
 diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
-index 02483a3..89953d7 100644
+index 02483a3..c804e84 100644
 --- a/libselinux/src/audit2why.c
 +++ b/libselinux/src/audit2why.c
-@@ -206,27 +206,12 @@ static int __policy_init(const char *init_path)
+@@ -164,6 +164,9 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args)
 	if (PyArg_ParseTuple(args,(char *)":finish")) {
 		int i = 0;
 +		if (! avc)
 +			Py_RETURN_NONE;
 +
 		for (i = 0; i < boolcnt; i++) {
 			free(boollist[i]->name);
 			free(boollist[i]);
@@ -177,7 +180,7 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args)
 		avc = NULL;
 		boollist = NULL;
 		boolcnt = 0;
 -	  
 +
 		/* Boilerplate to return "None" */
 		Py_RETURN_NONE;
 	}
@@ -206,27 +209,12 @@ static int __policy_init(const char *init_path)
 			return 1;
 		}
 	} else {
@ -72,6 +173,17 @@ index 02483a3..89953d7 100644
 			PyErr_SetString( PyExc_ValueError, errormsg);
 			return 1;
 		}
@@ -295,6 +283,10 @@ static int __policy_init(const char *init_path)
 static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) {
   int result;
   char *init_path=NULL;
 +  if (avc) {
 +	  PyErr_SetString( PyExc_RuntimeError, "init called multiple times");
 +	  return NULL;
 +  }
   if (!PyArg_ParseTuple(args,(char *)"|s:policy_init",&init_path))
     return NULL;
   result = __policy_init(init_path);
 diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
 index 802a07f..6ff83a7 100644
 --- a/libselinux/src/avc.c
@ -625,6 +737,38 @@ index cfea186..8b1eba6 100644
 	      char **r_seuser, char **r_level) {
 	int ret = -1;
 	int len = 0;
 diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c
 index 176ac34..082778e 100644
 --- a/libselinux/src/stringrep.c
 +++ b/libselinux/src/stringrep.c
@@ -436,6 +436,27 @@ security_class_t string_to_security_class(const char *s)
 	return map_class(node->value);
 }
 +security_class_t mode_to_security_class(mode_t m) {
 +
 +	if (S_ISREG(m))
 +		return string_to_security_class("file");
 +	if (S_ISDIR(m))
 +		return string_to_security_class("dir");
 +	if (S_ISCHR(m))
 +		return string_to_security_class("chr_file");
 +	if (S_ISBLK(m))
 +		return string_to_security_class("blk_file");
 +	if (S_ISFIFO(m))
 +		return string_to_security_class("fifo_file");
 +	if (S_ISLNK(m))
 +		return string_to_security_class("lnk_file");
 +	if (S_ISSOCK(m))
 +		return string_to_security_class("sock_file");
 +
 +	errno=EINVAL;
 +	return 0;
 +}
 +
 access_vector_t string_to_av_perm(security_class_t tclass, const char *s)
 {
 	struct discover_class_node *node;
 diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
 index 8b9294d..060eaab 100644
 --- a/libselinux/utils/.gitignore
@ -651,10 +795,10 @@ index 5f3e047..f469924 100644
 	UNUSED_TARGETS+=compute_av compute_create compute_member compute_relabel
 diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c
 new file mode 100644
-index 0000000..f8a5fea
+index 0000000..15cc836
 --- /dev/null
 +++ b/libselinux/utils/sefcontext_compile.c
-@@ -0,0 +1,345 @@
+@@ -0,0 +1,350 @@
 +#include <ctype.h>
 +#include <errno.h>
 +#include <pcre.h>
@ -676,8 +820,10 @@ index 0000000..f8a5fea
 +	FILE *context_file;
 +
 +	context_file = fopen(filename, "r");
-+	if (!context_file)
+	if (!context_file) {
 +		fprintf(stderr, "Error opening %s: %s\n", filename, strerror(errno));
 +		return -1;
 +	}
 +
 +	line_num = 0;
 +	while ((len = getline(&line_buf, &line_len, context_file)) != -1) {
@ -715,8 +861,10 @@ index 0000000..f8a5fea
 +		}
 +
 +		rc = grow_specs(data);
-+		if (rc)
+		if (rc) {
 +			fprintf(stderr, "grow_specs failed: %s\n", strerror(errno));
 +			return rc;
 +		}
 +
 +		spec = &data->spec_arr[data->nspec];
 +
@ -738,9 +886,10 @@ index 0000000..f8a5fea
 +
 +		regex_len = strlen(regex);
 +		cp = anchored_regex = malloc(regex_len + 3);
-+		if (!cp)
+		if (!cp) {
 +			fprintf(stderr, "Malloc Failed: %s\n", strerror(errno));
 +			return -1;
-+
+		}
 +		*cp++ = '^';
 +		memcpy(cp, regex, regex_len);
 +		cp += regex_len;
--- a/libselinux.spec
+++ b/libselinux.spec
@ -4,16 +4,18 @@
 %define ruby_inc %(pkg-config --cflags ruby-1.9)
 %define ruby_sitearch %(ruby -rrbconfig -e "puts RbConfig::CONFIG['vendorarchdir']")
-%define libsepolver 2.1.8-1
+%define libsepolver 2.1.7-4
 %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 2.1.12
-Release: 1%{?dist}
+Release: 6%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 Source: %{name}-%{version}.tgz
 Source1: selinuxconlist.8
 Source2: selinuxdefcon.8
 Url: http://oss.tresys.com/git/selinux.git
 Patch1: libselinux-rhat.patch
 BuildRequires: pkgconfig python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel
@ -174,6 +176,9 @@ rm -f %{buildroot}%{_sbindir}/getseuser
 rm -f %{buildroot}%{_sbindir}/selinux_check_securetty_context
 mv %{buildroot}%{_sbindir}/getdefaultcon %{buildroot}%{_sbindir}/selinuxdefcon
 mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist
 install -d %{buildroot}%{_mandir}/man8/
 install -m 644 %{SOURCE1} %{buildroot}%{_mandir}/man8/
 install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/
 %clean
 rm -rf %{buildroot}
@ -236,6 +241,22 @@ rm -rf %{buildroot}
 %{ruby_sitearch}/selinux.so
 %changelog
 * Fri Oct 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-6
 - Add new function mode_to_security_class which takes mode instead of a string.
 - Possibly will be used with coreutils.
 * Mon Oct 15 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-5
 - Add back selinuxconlist and selinuxdefcon man pages
 * Mon Oct 15 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-4
 - Fix segfault from calling audit2why.finish() multiple times
 * Fri Oct 12 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-3
 - Fix up selinux man page to reference service man pages
 * Wed Sep 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-2
 - Rebuild with fixed libsepol
 * Thu Sep 13 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-1
 - Update to upstream 
 	* Add support for lxc_contexts_path