rpms/libselinux
6
0
Fork 0
Code Issues Pull Requests Releases Activity

libselinux-2.4-4

Browse Source 
- Flush the class/perm string mapping cache on policy reload (#1264051)
- Fix restorecon when path has no context
This commit is contained in:
Petr Lautrbach 2015-09-30 17:09:02 +02:00
parent 8db7ce6b64
commit fd198b3dc4
2 changed files with 133 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

131
libselinux-rhat.patch
View File

@ -755,6 +755,67 @@ index 7cf3139..364a746 100644
if (!selinux_mnt) { if (!selinux_mnt) {
errno = ENOENT; errno = ENOENT;
return -1; return -1;
diff --git libselinux-2.4/src/checkAccess.c libselinux-2.4/src/checkAccess.c
index ee85ebc..8de5747 100644
--- libselinux-2.4/src/checkAccess.c
+++ libselinux-2.4/src/checkAccess.c
@@ -8,10 +8,28 @@
#include "avc_internal.h"
static pthread_once_t once = PTHREAD_ONCE_INIT;
+static int selinux_enabled;
+
+static int avc_reset_callback(uint32_t event __attribute__((unused)),
+ security_id_t ssid __attribute__((unused)),
+ security_id_t tsid __attribute__((unused)),
+ security_class_t tclass __attribute__((unused)),
+ access_vector_t perms __attribute__((unused)),
+ access_vector_t *out_retained __attribute__((unused)))
+{
+ flush_class_cache();
+ return 0;
+}
static void avc_init_once(void)
{
- avc_open(NULL, 0);
+ selinux_enabled = is_selinux_enabled();
+ if (selinux_enabled == 1) {
+ if (avc_open(NULL, 0))
+ return;
+ avc_add_callback(avc_reset_callback, AVC_CALLBACK_RESET,
+ 0, 0, 0, 0);
+ }
}
int selinux_check_access(const char *scon, const char *tcon, const char *class, const char *perm, void *aux) {
@@ -21,18 +39,20 @@ int selinux_check_access(const char *scon, const char *tcon, const char *class,
security_class_t sclass;
access_vector_t av;
- if (is_selinux_enabled() == 0)
- return 0;
-
__selinux_once(once, avc_init_once);
+ if (selinux_enabled != 1)
+ return 0;
+
rc = avc_context_to_sid(scon, &scon_id);
if (rc < 0)
return rc;
- rc = avc_context_to_sid(tcon, &tcon_id);
- if (rc < 0)
- return rc;
+ rc = avc_context_to_sid(tcon, &tcon_id);
+ if (rc < 0)
+ return rc;
+
+ (void) avc_netlink_check_nb();
sclass = string_to_security_class(class);
if (sclass == 0) {
diff --git libselinux-2.4/src/check_context.c libselinux-2.4/src/check_context.c diff --git libselinux-2.4/src/check_context.c libselinux-2.4/src/check_context.c
index 52063fa..234749c 100644 index 52063fa..234749c 100644
--- libselinux-2.4/src/check_context.c --- libselinux-2.4/src/check_context.c
@ -1272,7 +1333,7 @@ index 30e9dc7..bec5f3b 100644
{ {
return get_path(SYSTEMD_CONTEXTS); return get_path(SYSTEMD_CONTEXTS);
diff --git libselinux-2.4/src/selinux_internal.h libselinux-2.4/src/selinux_internal.h diff --git libselinux-2.4/src/selinux_internal.h libselinux-2.4/src/selinux_internal.h
index afb2170..9b1ca4d 100644 index afb2170..16b5cdb 100644
--- libselinux-2.4/src/selinux_internal.h --- libselinux-2.4/src/selinux_internal.h
+++ libselinux-2.4/src/selinux_internal.h +++ libselinux-2.4/src/selinux_internal.h
@@ -82,6 +82,7 @@ hidden_proto(selinux_mkload_policy) @@ -82,6 +82,7 @@ hidden_proto(selinux_mkload_policy)
@ -1283,7 +1344,16 @@ index afb2170..9b1ca4d 100644
hidden_proto(selinux_sepgsql_context_path) hidden_proto(selinux_sepgsql_context_path)
hidden_proto(selinux_systemd_contexts_path) hidden_proto(selinux_systemd_contexts_path)
hidden_proto(selinux_path) hidden_proto(selinux_path)
@@ -137,3 +138,8 @@ extern int selinux_page_size hidden; @@ -101,6 +102,8 @@ hidden_proto(security_get_initial_context);
hidden_proto(security_get_initial_context_raw);
hidden_proto(selinux_reset_config);
+hidden void flush_class_cache(void);
+
extern int load_setlocaldefs hidden;
extern int require_seusers hidden;
extern int selinux_page_size hidden;
@@ -137,3 +140,8 @@ extern int selinux_page_size hidden;
if (pthread_setspecific != NULL) \ if (pthread_setspecific != NULL) \
pthread_setspecific(KEY, VALUE); \ pthread_setspecific(KEY, VALUE); \
} while (0) } while (0)
@ -1293,10 +1363,30 @@ index afb2170..9b1ca4d 100644
+ +
+extern int has_selinux_config hidden; +extern int has_selinux_config hidden;
diff --git libselinux-2.4/src/selinuxswig_python.i libselinux-2.4/src/selinuxswig_python.i diff --git libselinux-2.4/src/selinuxswig_python.i libselinux-2.4/src/selinuxswig_python.i
index ae72246..c9a2341 100644 index ae72246..8cea18d 100644
--- libselinux-2.4/src/selinuxswig_python.i --- libselinux-2.4/src/selinuxswig_python.i
+++ libselinux-2.4/src/selinuxswig_python.i +++ libselinux-2.4/src/selinuxswig_python.i
@@ -31,9 +31,9 @@ def restorecon(path, recursive=False): @@ -8,7 +8,7 @@
%pythoncode %{
-import shutil, os, stat
+import shutil, os, errno, stat
DISABLED = -1
PERMISSIVE = 0
@@ -26,14 +26,19 @@ def restorecon(path, recursive=False):
status, context = matchpathcon(path, mode)
if status == 0:
- status, oldcontext = lgetfilecon(path)
+ try:
+ status, oldcontext = lgetfilecon(path)
+ except OSError as e:
+ if e.errno != errno.ENODATA:
+ raise
+ oldcontext = None
if context != oldcontext:
lsetfilecon(path, context) lsetfilecon(path, context)
if recursive: if recursive:
@ -1328,6 +1418,39 @@ index d05969c..3f0200e 100644
if (rc < 0 && errno == ENOTSUP) { if (rc < 0 && errno == ENOTSUP) {
char * ccontext = NULL; char * ccontext = NULL;
int err = errno; int err = errno;
diff --git libselinux-2.4/src/stringrep.c libselinux-2.4/src/stringrep.c
index 9ae8248..2dbec2b 100644
--- libselinux-2.4/src/stringrep.c
+++ libselinux-2.4/src/stringrep.c
@@ -158,6 +158,28 @@ err1:
return NULL;
}
+hidden void flush_class_cache(void)
+{
+ struct discover_class_node *cur = discover_class_cache, *prev = NULL;
+ size_t i;
+
+ while (cur != NULL) {
+ free(cur->name);
+
+ for (i = 0; i < MAXVECTORS; i++)
+ free(cur->perms[i]);
+
+ free(cur->perms);
+
+ prev = cur;
+ cur = cur->next;
+
+ free(prev);
+ }
+
+ discover_class_cache = NULL;
+}
+
security_class_t string_to_security_class(const char *s)
{
struct discover_class_node *node;
diff --git libselinux-2.4/utils/Makefile libselinux-2.4/utils/Makefile diff --git libselinux-2.4/utils/Makefile libselinux-2.4/utils/Makefile
index f469924..5499538 100644 index f469924..5499538 100644
--- libselinux-2.4/utils/Makefile --- libselinux-2.4/utils/Makefile

8
libselinux.spec
View File

@ -9,7 +9,7 @@
Summary: SELinux library and simple utilities Summary: SELinux library and simple utilities
Name: libselinux Name: libselinux
Version: 2.4 Version: 2.4
Release: 3%{?dist} Release: 4%{?dist}
License: Public Domain License: Public Domain
Group: System Environment/Libraries Group: System Environment/Libraries
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
@ -18,7 +18,7 @@ Source1: selinuxconlist.8
Source2: selinuxdefcon.8 Source2: selinuxdefcon.8
Url: https://github.com/SELinuxProject/selinux/wiki Url: https://github.com/SELinuxProject/selinux/wiki
# use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/ # use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/
# HEAD https://github.com/fedora-selinux/selinux/commit/36fd8bb4b36bb1ca3aa10e3226136459e6ed2498 # HEAD https://github.com/fedora-selinux/selinux/commit/8c09d34e464e79a602fb9c9408554279aede3b6b
Patch1: libselinux-rhat.patch Patch1: libselinux-rhat.patch
BuildRequires: pkgconfig python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel BuildRequires: pkgconfig python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel
%if 0%{?with_python3} %if 0%{?with_python3}
@ -247,6 +247,10 @@ rm -rf %{buildroot}
%{ruby_vendorarchdir}/selinux.so %{ruby_vendorarchdir}/selinux.so
%changelog %changelog
* Wed Sep 30 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-4
- Flush the class/perm string mapping cache on policy reload (#1264051)
- Fix restorecon when path has no context
* Wed Sep 02 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-3 * Wed Sep 02 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-3
- Simplify procattr cache (#1257157,#1232371) - Simplify procattr cache (#1257157,#1232371)