libselinux-2.4-4
- Flush the class/perm string mapping cache on policy reload (#1264051) - Fix restorecon when path has no context
parent
8db7ce6b64
commit
fd198b3dc4
@ -755,6 +755,67 @@ index 7cf3139..364a746 100644
|
||||
if (!selinux_mnt) {
|
||||
errno = ENOENT;
|
||||
return -1;
|
||||
diff --git libselinux-2.4/src/checkAccess.c libselinux-2.4/src/checkAccess.c
|
||||
index ee85ebc..8de5747 100644
|
||||
--- libselinux-2.4/src/checkAccess.c
|
||||
+++ libselinux-2.4/src/checkAccess.c
|
||||
@@ -8,10 +8,28 @@
|
||||
#include "avc_internal.h"
|
||||
|
||||
static pthread_once_t once = PTHREAD_ONCE_INIT;
|
||||
+static int selinux_enabled;
|
||||
+
|
||||
+static int avc_reset_callback(uint32_t event __attribute__((unused)),
|
||||
+ security_id_t ssid __attribute__((unused)),
|
||||
+ security_id_t tsid __attribute__((unused)),
|
||||
+ security_class_t tclass __attribute__((unused)),
|
||||
+ access_vector_t perms __attribute__((unused)),
|
||||
+ access_vector_t *out_retained __attribute__((unused)))
|
||||
+{
|
||||
+ flush_class_cache();
|
||||
+ return 0;
|
||||
+}
|
||||
|
||||
static void avc_init_once(void)
|
||||
{
|
||||
- avc_open(NULL, 0);
|
||||
+ selinux_enabled = is_selinux_enabled();
|
||||
+ if (selinux_enabled == 1) {
|
||||
+ if (avc_open(NULL, 0))
|
||||
+ return;
|
||||
+ avc_add_callback(avc_reset_callback, AVC_CALLBACK_RESET,
|
||||
+ 0, 0, 0, 0);
|
||||
+ }
|
||||
}
|
||||
|
||||
int selinux_check_access(const char *scon, const char *tcon, const char *class, const char *perm, void *aux) {
|
||||
@@ -21,18 +39,20 @@ int selinux_check_access(const char *scon, const char *tcon, const char *class,
|
||||
security_class_t sclass;
|
||||
access_vector_t av;
|
||||
|
||||
- if (is_selinux_enabled() == 0)
|
||||
- return 0;
|
||||
-
|
||||
__selinux_once(once, avc_init_once);
|
||||
|
||||
+ if (selinux_enabled != 1)
|
||||
+ return 0;
|
||||
+
|
||||
rc = avc_context_to_sid(scon, &scon_id);
|
||||
if (rc < 0)
|
||||
return rc;
|
||||
|
||||
- rc = avc_context_to_sid(tcon, &tcon_id);
|
||||
- if (rc < 0)
|
||||
- return rc;
|
||||
+ rc = avc_context_to_sid(tcon, &tcon_id);
|
||||
+ if (rc < 0)
|
||||
+ return rc;
|
||||
+
|
||||
+ (void) avc_netlink_check_nb();
|
||||
|
||||
sclass = string_to_security_class(class);
|
||||
if (sclass == 0) {
|
||||
diff --git libselinux-2.4/src/check_context.c libselinux-2.4/src/check_context.c
|
||||
index 52063fa..234749c 100644
|
||||
--- libselinux-2.4/src/check_context.c
|
||||
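Review bot: In avc_init_once a failed avc_open() is discarded by the bare `return` while selinux_enabled stays 1, so every later selinux_check_access() call passes the new `selinux_enabled != 1` guard and reaches avc_context_to_sid() against an AVC that was never opened; whether that path fails cleanly cannot be seen from this hunk, so I would record the failure (a `static int avc_init_failed;` set just before the return) and have selinux_check_access() return -1 with errno preserved when it is set, so the check fails closed instead of relying on downstream behaviour. The guard also changes what happens when is_selinux_enabled() reports an error: the old `== 0` test only short-circuited for "disabled", whereas `!= 1` now treats a -1 result (which is_selinux_enabled(3) has documented for errors) as "allow"; if that is intended it deserves a comment, otherwise compare against 0 as before. avc_reset_callback carries no comment; I would add `/* AVC_CALLBACK_RESET fires on policy (re)load: the cached class/perm string mapping may be stale, so drop it and let the next lookup rebuild it. */`. selinux_check_access continues outside the hunk.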
@ -1272,7 +1333,7 @@ index 30e9dc7..bec5f3b 100644
|
||||
{
|
||||
return get_path(SYSTEMD_CONTEXTS);
|
||||
diff --git libselinux-2.4/src/selinux_internal.h libselinux-2.4/src/selinux_internal.h
|
||||
index afb2170..9b1ca4d 100644
|
||||
index afb2170..16b5cdb 100644
|
||||
--- libselinux-2.4/src/selinux_internal.h
|
||||
+++ libselinux-2.4/src/selinux_internal.h
|
||||
@@ -82,6 +82,7 @@ hidden_proto(selinux_mkload_policy)
|
||||
@ -1283,7 +1344,16 @@ index afb2170..9b1ca4d 100644
|
||||
hidden_proto(selinux_sepgsql_context_path)
|
||||
hidden_proto(selinux_systemd_contexts_path)
|
||||
hidden_proto(selinux_path)
|
||||
@@ -137,3 +138,8 @@ extern int selinux_page_size hidden;
|
||||
@@ -101,6 +102,8 @@ hidden_proto(security_get_initial_context);
|
||||
hidden_proto(security_get_initial_context_raw);
|
||||
hidden_proto(selinux_reset_config);
|
||||
|
||||
+hidden void flush_class_cache(void);
|
||||
+
|
||||
extern int load_setlocaldefs hidden;
|
||||
extern int require_seusers hidden;
|
||||
extern int selinux_page_size hidden;
|
||||
@@ -137,3 +140,8 @@ extern int selinux_page_size hidden;
|
||||
if (pthread_setspecific != NULL) \
|
||||
pthread_setspecific(KEY, VALUE); \
|
||||
} while (0)
|
||||
@ -1293,10 +1363,30 @@ index afb2170..9b1ca4d 100644
|
||||
+
|
||||
+extern int has_selinux_config hidden;
|
||||
diff --git libselinux-2.4/src/selinuxswig_python.i libselinux-2.4/src/selinuxswig_python.i
|
||||
index ae72246..c9a2341 100644
|
||||
index ae72246..8cea18d 100644
|
||||
--- libselinux-2.4/src/selinuxswig_python.i
|
||||
+++ libselinux-2.4/src/selinuxswig_python.i
|
||||
@@ -31,9 +31,9 @@ def restorecon(path, recursive=False):
|
||||
@@ -8,7 +8,7 @@
|
||||
|
||||
%pythoncode %{
|
||||
|
||||
-import shutil, os, stat
|
||||
+import shutil, os, errno, stat
|
||||
|
||||
DISABLED = -1
|
||||
PERMISSIVE = 0
|
||||
@@ -26,14 +26,19 @@ def restorecon(path, recursive=False):
|
||||
status, context = matchpathcon(path, mode)
|
||||
|
||||
if status == 0:
|
||||
- status, oldcontext = lgetfilecon(path)
|
||||
+ try:
|
||||
+ status, oldcontext = lgetfilecon(path)
|
||||
+ except OSError as e:
|
||||
+ if e.errno != errno.ENODATA:
|
||||
+ raise
|
||||
+ oldcontext = None
|
||||
if context != oldcontext:
|
||||
lsetfilecon(path, context)
|
||||
|
||||
if recursive:
|
||||
@ -1328,6 +1418,39 @@ index d05969c..3f0200e 100644
|
||||
if (rc < 0 && errno == ENOTSUP) {
|
||||
char * ccontext = NULL;
|
||||
int err = errno;
|
||||
diff --git libselinux-2.4/src/stringrep.c libselinux-2.4/src/stringrep.c
|
||||
index 9ae8248..2dbec2b 100644
|
||||
--- libselinux-2.4/src/stringrep.c
|
||||
+++ libselinux-2.4/src/stringrep.c
|
||||
@@ -158,6 +158,28 @@ err1:
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+hidden void flush_class_cache(void)
|
||||
+{
|
||||
+ struct discover_class_node *cur = discover_class_cache, *prev = NULL;
|
||||
+ size_t i;
|
||||
+
|
||||
+ while (cur != NULL) {
|
||||
+ free(cur->name);
|
||||
+
|
||||
+ for (i = 0; i < MAXVECTORS; i++)
|
||||
+ free(cur->perms[i]);
|
||||
+
|
||||
+ free(cur->perms);
|
||||
+
|
||||
+ prev = cur;
|
||||
+ cur = cur->next;
|
||||
+
|
||||
+ free(prev);
|
||||
+ }
|
||||
+
|
||||
+ discover_class_cache = NULL;
|
||||
+}
|
||||
+
|
||||
security_class_t string_to_security_class(const char *s)
|
||||
{
|
||||
struct discover_class_node *node;
|
||||
diff --git libselinux-2.4/utils/Makefile libselinux-2.4/utils/Makefile
|
||||
index f469924..5499538 100644
|
||||
--- libselinux-2.4/utils/Makefile
|
||||
|
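Review bot: flush_class_cache() walks and frees discover_class_cache with no lock visible in the hunk, and the checkAccess.c hunk registers it as the AVC reset callback, so it can run from one thread's selinux_check_access() while another thread is inside string_to_security_class() reading the same list; whether discover_class_cache is protected elsewhere in stringrep.c cannot be seen from here, but if it is not, a concurrent reader would be walking freed nodes. Either take the same lock the readers use (or add one) around both the free loop and the lookups, or state the contract in a header comment such as `/* Drops the cached class/perm string mapping; caller must ensure no concurrent string_to_security_class() lookup is in progress. */`. The loop also assumes every node's perms array has exactly MAXVECTORS heap entries and that name and perms were malloc'd, which presumably matches how the nodes are built but is not shown in the hunk. The matching `hidden void flush_class_cache(void);` declaration added to selinux_internal.h has no comment either; the same sentence fits there.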
@ -9,7 +9,7 @@
|
||||
Summary: SELinux library and simple utilities
|
||||
Name: libselinux
|
||||
Version: 2.4
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: Public Domain
|
||||
Group: System Environment/Libraries
|
||||
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||
@ -18,7 +18,7 @@ Source1: selinuxconlist.8
|
||||
Source2: selinuxdefcon.8
|
||||
Url: https://github.com/SELinuxProject/selinux/wiki
|
||||
# use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/
|
||||
# HEAD https://github.com/fedora-selinux/selinux/commit/36fd8bb4b36bb1ca3aa10e3226136459e6ed2498
|
||||
# HEAD https://github.com/fedora-selinux/selinux/commit/8c09d34e464e79a602fb9c9408554279aede3b6b
|
||||
Patch1: libselinux-rhat.patch
|
||||
BuildRequires: pkgconfig python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel
|
||||
%if 0%{?with_python3}
|
||||
@ -247,6 +247,10 @@ rm -rf %{buildroot}
|
||||
%{ruby_vendorarchdir}/selinux.so
|
||||
|
||||
%changelog
|
||||
* Wed Sep 30 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-4
|
||||
- Flush the class/perm string mapping cache on policy reload (#1264051)
|
||||
- Fix restorecon when path has no context
|
||||
|
||||
* Wed Sep 02 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-3
|
||||
- Simplify procattr cache (#1257157,#1232371)
|
||||
|
||||
|