- Add securetty handling Resolves: #200110
This commit is contained in:
parent
273c47d43c
commit
e6bab37d57
@ -1,64 +1,223 @@
|
|||||||
Binary files nsalibselinux/utils/matchpathcon and libselinux-1.33.2/utils/matchpathcon differ
|
diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.33.3/include/selinux/selinux.h
|
||||||
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselinux-1.33.2/utils/matchpathcon.c
|
--- nsalibselinux/include/selinux/selinux.h 2006-11-16 17:15:18.000000000 -0500
|
||||||
--- nsalibselinux/utils/matchpathcon.c 2006-11-16 17:15:17.000000000 -0500
|
+++ libselinux-1.33.3/include/selinux/selinux.h 2007-01-05 11:57:44.000000000 -0500
|
||||||
+++ libselinux-1.33.2/utils/matchpathcon.c 2006-12-06 14:11:29.000000000 -0500
|
@@ -406,6 +406,7 @@
|
||||||
@@ -4,20 +4,23 @@
|
extern const char *selinux_homedir_context_path(void);
|
||||||
#include <getopt.h>
|
extern const char *selinux_media_context_path(void);
|
||||||
#include <errno.h>
|
extern const char *selinux_contexts_path(void);
|
||||||
#include <string.h>
|
+ extern const char *selinux_securetty_context_path(void);
|
||||||
|
extern const char *selinux_booleans_path(void);
|
||||||
|
extern const char *selinux_customizable_types_path(void);
|
||||||
|
extern const char *selinux_users_path(void);
|
||||||
|
@@ -413,12 +414,14 @@
|
||||||
|
extern const char *selinux_translations_path(void);
|
||||||
|
extern const char *selinux_netfilter_context_path(void);
|
||||||
|
extern const char *selinux_path(void);
|
||||||
|
-
|
||||||
|
/* Check a permission in the passwd class.
|
||||||
|
Return 0 if granted or -1 otherwise. */
|
||||||
|
extern int selinux_check_passwd_access(access_vector_t requested);
|
||||||
|
extern int checkPasswdAccess(access_vector_t requested);
|
||||||
|
|
||||||
|
+/* Check if the tty_context is defined as a securetty
|
||||||
|
+ Return 1 if secure, 0 if not, or -1 if otherwise. */
|
||||||
|
+ extern int selinux_check_securetty_context(security_context_t tty_context);
|
||||||
|
/* Set the path to the selinuxfs mount point explicitly.
|
||||||
|
Normally, this is determined automatically during libselinux
|
||||||
|
initialization, but this is not always possible, e.g. for /sbin/init
|
||||||
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_binary_policy_path.3 libselinux-1.33.3/man/man3/selinux_binary_policy_path.3
|
||||||
|
--- nsalibselinux/man/man3/selinux_binary_policy_path.3 2006-11-16 17:15:30.000000000 -0500
|
||||||
|
+++ libselinux-1.33.3/man/man3/selinux_binary_policy_path.3 2007-01-05 11:57:44.000000000 -0500
|
||||||
|
@@ -27,6 +27,8 @@
|
||||||
|
.br
|
||||||
|
extern const char *selinux_media_context_path(void);
|
||||||
|
.br
|
||||||
|
+extern const char *selinux_securetty_context_path(void);
|
||||||
|
+.br
|
||||||
|
extern const char *selinux_contexts_path(void);
|
||||||
|
.br
|
||||||
|
extern const char *selinux_booleans_path(void);
|
||||||
|
@@ -56,6 +58,8 @@
|
||||||
|
.sp
|
||||||
|
selinux_contexts_path() - directory containing all of the context configuration files
|
||||||
|
.sp
|
||||||
|
+selinux_securetty_context_path() - defines terminal contexts for securetty
|
||||||
|
+.sp
|
||||||
|
selinux_booleans_path() - initial policy boolean settings
|
||||||
|
|
||||||
|
.SH AUTHOR
|
||||||
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_check_securetty_context.3 libselinux-1.33.3/man/man3/selinux_check_securetty_context.3
|
||||||
|
--- nsalibselinux/man/man3/selinux_check_securetty_context.3 1969-12-31 19:00:00.000000000 -0500
|
||||||
|
+++ libselinux-1.33.3/man/man3/selinux_check_securetty_context.3 2007-01-05 11:57:44.000000000 -0500
|
||||||
|
@@ -0,0 +1,13 @@
|
||||||
|
+.TH "selinux_check_securetty_context" "3" "1 January 2007" "dwalsh@redhat.com" "SE Linux API documentation"
|
||||||
|
+.SH "NAME"
|
||||||
|
+selinux_check_securetty_context \- check whether a tty security context is defined as a securetty context
|
||||||
|
+.SH "SYNOPSIS"
|
||||||
|
+.B #include <selinux/selinux.h>
|
||||||
|
+.sp
|
||||||
|
+.BI "int selinux_check_securetty_context(security_context_t "tty_context );
|
||||||
|
+
|
||||||
|
+.SH "DESCRIPTION"
|
||||||
|
+.B selinux_check_securetty_context
|
||||||
|
+returns 1 if tty_context is a securetty context
|
||||||
|
+returns 0 if tty_context is a not a securetty context
|
||||||
|
+returns -1 on error.
|
||||||
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_securetty_context_path.3 libselinux-1.33.3/man/man3/selinux_securetty_context_path.3
|
||||||
|
--- nsalibselinux/man/man3/selinux_securetty_context_path.3 1969-12-31 19:00:00.000000000 -0500
|
||||||
|
+++ libselinux-1.33.3/man/man3/selinux_securetty_context_path.3 2007-01-05 11:57:44.000000000 -0500
|
||||||
|
@@ -0,0 +1 @@
|
||||||
|
+.so man3/selinux_binary_policy_path.3
|
||||||
|
diff --exclude-from=exclude -N -u -r nsalibselinux/src/file_path_suffixes.h libselinux-1.33.3/src/file_path_suffixes.h
|
||||||
|
--- nsalibselinux/src/file_path_suffixes.h 2006-11-16 17:15:25.000000000 -0500
|
||||||
|
+++ libselinux-1.33.3/src/file_path_suffixes.h 2007-01-05 11:57:44.000000000 -0500
|
||||||
|
@@ -7,6 +7,7 @@
|
||||||
|
S_(USER_CONTEXTS, "/contexts/users/")
|
||||||
|
S_(FAILSAFE_CONTEXT, "/contexts/failsafe_context")
|
||||||
|
S_(DEFAULT_TYPE, "/contexts/default_type")
|
||||||
|
+ S_(SECURETTY_CONTEXTS, "/contexts/securetty_contexts")
|
||||||
|
S_(BOOLEANS, "/booleans")
|
||||||
|
S_(MEDIA_CONTEXTS, "/contexts/files/media")
|
||||||
|
S_(REMOVABLE_CONTEXT, "/contexts/removable_context")
|
||||||
|
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_check_securetty_context.c libselinux-1.33.3/src/selinux_check_securetty_context.c
|
||||||
|
--- nsalibselinux/src/selinux_check_securetty_context.c 1969-12-31 19:00:00.000000000 -0500
|
||||||
|
+++ libselinux-1.33.3/src/selinux_check_securetty_context.c 2007-01-05 11:57:44.000000000 -0500
|
||||||
|
@@ -0,0 +1,49 @@
|
||||||
|
+#include <unistd.h>
|
||||||
|
+#include <stdlib.h>
|
||||||
|
+#include <string.h>
|
||||||
|
+#include <stdio.h>
|
||||||
|
+#include <ctype.h>
|
||||||
|
+#include "selinux_internal.h"
|
||||||
|
+#include "context_internal.h"
|
||||||
|
+
|
||||||
|
+int selinux_check_securetty_context(security_context_t tty_context)
|
||||||
|
+{
|
||||||
|
+ char buf[250];
|
||||||
|
+ char *ptr = "", *end;
|
||||||
|
+ size_t len;
|
||||||
|
+ int found = -1;
|
||||||
|
+ FILE *fp;
|
||||||
|
+ fp = fopen(selinux_securetty_context_path(), "r");
|
||||||
|
+ if (fp) {
|
||||||
|
+ context_t con =context_new(tty_context);
|
||||||
|
+ if (con) {
|
||||||
|
+ char *type=context_type_get(con);
|
||||||
|
+ found = 0;
|
||||||
|
+ len = strlen(type);
|
||||||
|
+ while (!feof_unlocked(fp)) {
|
||||||
|
+ if (!fgets_unlocked(buf, sizeof buf, fp))
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ if (buf[strlen(buf) - 1])
|
||||||
|
+ buf[strlen(buf) - 1] = 0;
|
||||||
|
+
|
||||||
|
+ ptr = buf;
|
||||||
|
+ while (*ptr && isspace(*ptr))
|
||||||
|
+ ptr++;
|
||||||
|
+ if (!(*ptr))
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
+ if (!strncmp(type, ptr, len)) {
|
||||||
|
+ found = 1;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ context_free(con);
|
||||||
|
+ }
|
||||||
|
+ fclose(fp);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return found;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+hidden_def(selinux_check_securetty_context)
|
||||||
|
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-1.33.3/src/selinux_config.c
|
||||||
|
--- nsalibselinux/src/selinux_config.c 2006-11-16 17:15:25.000000000 -0500
|
||||||
|
+++ libselinux-1.33.3/src/selinux_config.c 2007-01-05 11:57:44.000000000 -0500
|
||||||
|
@@ -38,7 +38,8 @@
|
||||||
|
#define NETFILTER_CONTEXTS 15
|
||||||
|
#define FILE_CONTEXTS_HOMEDIR 16
|
||||||
|
#define FILE_CONTEXTS_LOCAL 17
|
||||||
|
-#define NEL 18
|
||||||
|
+#define SECURETTY_CONTEXTS 18
|
||||||
|
+#define NEL 19
|
||||||
|
|
||||||
|
/* New layout is relative to SELINUXDIR/policytype. */
|
||||||
|
static char *file_paths[NEL];
|
||||||
|
@@ -299,6 +300,12 @@
|
||||||
|
|
||||||
|
hidden_def(selinux_default_context_path)
|
||||||
|
|
||||||
|
+const char *selinux_securetty_context_path()
|
||||||
|
+{
|
||||||
|
+ return get_path(SECURETTY_CONTEXTS);
|
||||||
|
+}
|
||||||
|
+hidden_def(selinux_securetty_context_path)
|
||||||
|
+
|
||||||
|
const char *selinux_failsafe_context_path()
|
||||||
|
{
|
||||||
|
return get_path(FAILSAFE_CONTEXT);
|
||||||
|
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_internal.h libselinux-1.33.3/src/selinux_internal.h
|
||||||
|
--- nsalibselinux/src/selinux_internal.h 2006-11-16 17:15:25.000000000 -0500
|
||||||
|
+++ libselinux-1.33.3/src/selinux_internal.h 2007-01-05 11:57:44.000000000 -0500
|
||||||
|
@@ -53,6 +53,7 @@
|
||||||
|
hidden_proto(security_setenforce)
|
||||||
|
hidden_proto(selinux_binary_policy_path)
|
||||||
|
hidden_proto(selinux_default_context_path)
|
||||||
|
+ hidden_proto(selinux_securetty_context_path)
|
||||||
|
hidden_proto(selinux_failsafe_context_path)
|
||||||
|
hidden_proto(selinux_removable_context_path)
|
||||||
|
hidden_proto(selinux_file_context_path)
|
||||||
|
@@ -66,6 +67,7 @@
|
||||||
|
hidden_proto(selinux_media_context_path)
|
||||||
|
hidden_proto(selinux_path)
|
||||||
|
hidden_proto(selinux_check_passwd_access)
|
||||||
|
+ hidden_proto(selinux_check_securetty_context)
|
||||||
|
hidden_proto(matchpathcon_init_prefix)
|
||||||
|
hidden_proto(selinux_users_path)
|
||||||
|
hidden_proto(selinux_usersconf_path);
|
||||||
|
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/selinux_check_securetty_context.c libselinux-1.33.3/utils/selinux_check_securetty_context.c
|
||||||
|
--- nsalibselinux/utils/selinux_check_securetty_context.c 1969-12-31 19:00:00.000000000 -0500
|
||||||
|
+++ libselinux-1.33.3/utils/selinux_check_securetty_context.c 2007-01-05 11:57:44.000000000 -0500
|
||||||
|
@@ -0,0 +1,40 @@
|
||||||
|
+#include <unistd.h>
|
||||||
|
+#include <stdio.h>
|
||||||
|
+#include <stdlib.h>
|
||||||
|
+#include <getopt.h>
|
||||||
|
+#include <errno.h>
|
||||||
|
+#include <string.h>
|
||||||
+#include <sys/types.h>
|
+#include <sys/types.h>
|
||||||
+#include <sys/stat.h>
|
+#include <sys/stat.h>
|
||||||
+#include <sys/errno.h>
|
+#include <sys/errno.h>
|
||||||
#include <selinux/selinux.h>
|
+#include <selinux/selinux.h>
|
||||||
|
|
||||||
void usage(const char *progname)
|
|
||||||
{
|
|
||||||
fprintf(stderr,
|
|
||||||
- "usage: %s [-n] [-f file_contexts] [-p prefix] path...\n",
|
|
||||||
+ "usage: %s [-N] [-n] [-f file_contexts] [-p prefix] [-V] path...\n",
|
|
||||||
progname);
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
-int printmatchpathcon(char *path, int header)
|
|
||||||
+int printmatchpathcon(char *path, int header, int mode)
|
|
||||||
{
|
|
||||||
char *buf;
|
|
||||||
- int rc = matchpathcon(path, 0, &buf);
|
|
||||||
+ int rc = matchpathcon(path, mode, &buf);
|
|
||||||
if (rc < 0) {
|
|
||||||
fprintf(stderr, "matchpathcon(%s) failed: %s\n", path,
|
|
||||||
strerror(errno));
|
|
||||||
@@ -92,6 +95,11 @@
|
|
||||||
}
|
|
||||||
}
|
|
||||||
for (i = optind; i < argc; i++) {
|
|
||||||
+ int mode=0;
|
|
||||||
+ struct stat buf;
|
|
||||||
+ if (lstat(argv[i], &buf) == 0)
|
|
||||||
+ mode = buf.st_mode;
|
|
||||||
+
|
+
|
||||||
if (verify) {
|
+void usage(const char *progname)
|
||||||
if (selinux_file_context_verify(argv[i], 0)) {
|
+{
|
||||||
printf("%s verified.\n", argv[i]);
|
+ fprintf(stderr,
|
||||||
@@ -106,17 +114,17 @@
|
+ "usage: %s tty_context...\n",
|
||||||
if (rc >= 0) {
|
+ progname);
|
||||||
printf("%s has context %s, should be ",
|
+ exit(1);
|
||||||
argv[i], con);
|
+}
|
||||||
- error += printmatchpathcon(argv[i], 0);
|
+
|
||||||
+ error += printmatchpathcon(argv[i], 0, mode);
|
+int main(int argc, char **argv)
|
||||||
freecon(con);
|
+{
|
||||||
} else {
|
+ int i;
|
||||||
printf
|
+ if (argc < 2)
|
||||||
("actual context unknown: %s, should be ",
|
+ usage(argv[0]);
|
||||||
strerror(errno));
|
+
|
||||||
- error += printmatchpathcon(argv[i], 0);
|
+ for (i = 1; i < argc; i++) {
|
||||||
+ error += printmatchpathcon(argv[i], 0,mode);
|
+ switch (selinux_check_securetty_context(argv[i])) {
|
||||||
}
|
+ case 1:
|
||||||
}
|
+ printf("%s securetty.\n", argv[i]);
|
||||||
} else {
|
+ break;
|
||||||
- error += printmatchpathcon(argv[i], header);
|
+ case 0:
|
||||||
+ error += printmatchpathcon(argv[i], header, mode);
|
+ printf("%s not securetty.\n", argv[i]);
|
||||||
}
|
+ break;
|
||||||
}
|
+ case -1:
|
||||||
matchpathcon_fini();
|
+ perror("Failed on check if securetty");
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
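Review bot: In selinux_check_securetty_context() the match `if (!strncmp(type, ptr, len))` compares only the first strlen(type) bytes of the file line, so any listed entry whose name merely starts with the tty type (a longer type sharing the same stem) makes the function return 1 — a fail-open result for what callers use as an access check. Require the token to end there: `if (!strncmp(type, ptr, len) && (ptr[len] == '\0' || isspace((unsigned char)ptr[len]))) {`. The preceding `if (buf[strlen(buf) - 1]) buf[strlen(buf) - 1] = 0;` is true for every non-empty line, so it silently drops the last character of a final line without a trailing newline (or of a line longer than the 250-byte buffer) and that entry then never matches; test for the newline instead, `if (buf[strlen(buf) - 1] == '\n')`. The `isspace(*ptr)` call should be passed `(unsigned char)*ptr` to avoid undefined behavior on negative char values, and if context_type_get() can return NULL for a malformed context (not visible in this hunk), the unconditional `strlen(type)` needs a guard that leaves found at -1.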
@ -2,10 +2,11 @@
|
|||||||
Summary: SELinux library and simple utilities
|
Summary: SELinux library and simple utilities
|
||||||
Name: libselinux
|
Name: libselinux
|
||||||
Version: 1.33.3
|
Version: 1.33.3
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: Public domain (uncopyrighted)
|
License: Public domain (uncopyrighted)
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
|
Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
|
||||||
|
Patch: libselinux-rhat.patch
|
||||||
|
|
||||||
BuildRequires: libsepol-devel >= %{libsepolver} swig
|
BuildRequires: libsepol-devel >= %{libsepolver} swig
|
||||||
Requires: libsepol >= %{libsepolver} setransd
|
Requires: libsepol >= %{libsepolver} setransd
|
||||||
@ -48,6 +49,7 @@ needed for developing SELinux applications.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
%patch -p1 -b .rhat
|
||||||
|
|
||||||
%build
|
%build
|
||||||
make clean
|
make clean
|
||||||
@ -78,6 +80,7 @@ rm -f %{buildroot}%{_sbindir}/setfilecon
|
|||||||
rm -f %{buildroot}%{_sbindir}/selinuxconfig
|
rm -f %{buildroot}%{_sbindir}/selinuxconfig
|
||||||
rm -f %{buildroot}%{_sbindir}/selinuxdisable
|
rm -f %{buildroot}%{_sbindir}/selinuxdisable
|
||||||
rm -f %{buildroot}%{_sbindir}/getseuser
|
rm -f %{buildroot}%{_sbindir}/getseuser
|
||||||
|
rm -f %{buildroot}%{_sbindir}/selinux_check_securetty_context
|
||||||
|
|
||||||
%clean
|
%clean
|
||||||
rm -rf %{buildroot}
|
rm -rf %{buildroot}
|
||||||
@ -117,6 +120,10 @@ exit 0
|
|||||||
%{_libdir}/python*/site-packages/selinux.py*
|
%{_libdir}/python*/site-packages/selinux.py*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jan 5 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.3-2
|
||||||
|
- Add securetty handling
|
||||||
|
Resolves: #200110
|
||||||
|
|
||||||
* Thu Jan 4 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.3-1
|
* Thu Jan 4 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.3-1
|
||||||
- Upgrade to upstream
|
- Upgrade to upstream
|
||||||
* Merged patch for matchpathcon utility to use file mode information
|
* Merged patch for matchpathcon utility to use file mode information
|
||||||
|