Commit Graph

504 Commits

Author SHA1 Message Date
Dan Walsh
0aa8cbe3ec Add ghost flag for /var/run/setrans 2014-01-14 17:28:48 -05:00
Dan Walsh
d6e8b72a30 Update to upstream
* Fix userspace AVC handling of per-domain permissive mode.
- Verify context is not null when passed into *setfilecon_raw
2014-01-06 10:20:47 -05:00
Dan Walsh
7e1165a3eb revert unexplained change to rhat.patch which broke SELinux disablement 2014-01-06 10:15:40 -05:00
Adam Williamson
9ba3cdd05f revert unexplained change to rhat.patch which broke SELinux disablement 2013-12-27 13:07:13 -08:00
Dan Walsh
e61de3d8f0 Verify context is not null when passed into lsetfilecon_raw 2013-12-23 09:53:25 -05:00
Dan Walsh
f4752d0882 Mv selinux.go to /usr/share/gocode/src/selinux 2013-12-18 14:40:49 -05:00
Dan Walsh
e79a10d304 Add golang support to selinux. 2013-12-17 11:21:42 -05:00
Dan Walsh
15fa31b994 Add golang support to libselinux 2013-12-17 11:07:44 -05:00
Dan Walsh
0662ba4d16 Remove togglesebool man page 2013-12-05 15:44:38 -05:00
Dan Walsh
d6f11ce40d Update to upstream
* Remove -lpthread from pkg-config file; it is not required.
- Add support for policy compressed with xv
2013-11-25 15:49:35 -05:00
Dan Walsh
5f9e3146a2 Update to upstream
* Remove -lpthread from pkg-config file; it is not required.
2013-11-25 15:24:16 -05:00
Dan Walsh
bb6f29def0 Update to upstream
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
	* Support overriding Makefile RANLIB from Sven Vermeulen.
	* Update pkgconfig definition from Sven Vermeulen.
	* Mount sysfs before trying to mount selinuxfs from Sven Vermeulen.
	* Fix man pages from Laurent Bigonville.
	* Support overriding PATH  and LIBBASE in Makefiles from Laurent Bigonville.
	* Fix LDFLAGS usage from Laurent Bigonville
	* Avoid shadowing stat in load_mmap from Joe MacDonald.
	* Support building on older PCRE libraries from Joe MacDonald.
	* Fix handling of temporary file in sefcontext_compile from Dan Walsh.
	* Fix procattr cache from Dan Walsh.
	* Define python constants for getenforce result from Dan Walsh.
	* Fix label substitution handling of / from Dan Walsh.
	* Add selinux_current_policy_path from Dan Walsh.
	* Change get_context_list to only return good matches from Dan Walsh.
	* Support udev-197 and higher from Sven Vermeulen and Dan Walsh.
	* Add support for local substitutions from Dan Walsh.
	* Change setfilecon to not return ENOSUP if context is already correct from Dan Walsh.
	* Python wrapper leak fixes from Dan Walsh.
	* Export SELINUX_TRANS_DIR definition in selinux.h from Dan Walsh.
	* Add selinux_systemd_contexts_path from Dan Walsh.
	* Add selinux_set_policy_root from Dan Walsh.
	* Add man page for sefcontext_compile from Dan Walsh.
2013-10-31 09:29:10 -04:00
Dan Walsh
82deec5e5b Add systemd_contexts support
- Do substitutions on a local sub followed by a dist sub
2013-10-04 10:16:56 -04:00
Dan Walsh
0695b75fac Eliminate requirement on pthread library, by applying patch for Jakub Jelinek
Resolves #1013801
2013-10-03 12:36:44 -04:00
Dan Walsh
763f66c192 Fix handling of libselinux getconlist with only one entry 2013-09-23 09:58:31 -04:00
Dennis Gilmore
aa9384564f - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild 2013-08-03 01:57:40 -05:00
Dan Walsh
876a4a8ad9 Add sefcontext_compile.8 man page
- Add Russell Coker  patch to fix man pages
- Add patches from Laurent Bigonville to fix Makefiles for debian.
- modify spec file to use %{_prefix}/lib
2013-06-28 06:10:55 -04:00
Dan Walsh
4720ddb09f Fix patch that Handles substitutions for / 2013-05-06 09:43:03 -04:00
Dan Walsh
def2153558 Handle substitutions for /
- semanage fcontext -a -e  / /opt/rh/devtoolset-2/root
2013-04-17 18:07:46 -04:00
Dan Walsh
1961617545 Add Eric Paris patch to fix procattr calls after a fork. 2013-04-09 16:53:50 -04:00
Dan Walsh
4ab41c347b Move secolor.conf.5 into mcstrans package and out of libselinux 2013-03-26 13:04:11 -04:00
Dan Walsh
70712b9211 Fix python bindings for selinux_check_access 2013-03-20 13:34:37 -04:00
Dan Walsh
58f9722469 Fix reseting the policy root in matchpathcon 2013-03-19 21:38:02 -04:00
Dan Walsh
cc9c7ddcf7 Cleanup setfcontext_compile atomic patch
- Add matchpathcon -P /etc/selinux/mls support by allowing users to set alternate root
- Make sure we set exit codes from selinux_label calls to ENOENT or SUCCESS
2013-03-08 12:23:30 -05:00
Dan Walsh
8047eef070 Make setfcontext_compile atomic 2013-03-06 13:51:35 -05:00
Dan Walsh
9df78f0c3b Fix memory leak in set*con calls. 2013-03-06 12:18:42 -05:00
Dan Walsh
afe87e85a1 Move matchpathcon to -utils package 2013-02-28 10:27:35 -05:00
Dan Walsh
e27f80642e Fix selinux man page to reflect what current selinux policy is. 2013-02-21 18:28:18 +01:00
Dan Walsh
0781a5c3ae Add new constant SETRANS_DIR which points to the directory where mstransd can find the socket and libvirt can write its translations files. 2013-02-15 15:13:59 -05:00
Dan Walsh
ade34f3e98 Bring back selinux_current_policy_path 2013-02-15 11:02:20 -05:00
Dan Walsh
5e85dc35bb Revert some changes which are causing the wrong policy version file to be created 2013-02-14 07:59:56 -05:00
Dan Walsh
c1553db668 Update to upstream
* audit2why: make sure path is nul terminated
        * utils: new file context regex compiler
        * label_file: use precompiled filecontext when possible
        * do not leak mmapfd
        * sefcontontext_compile: Add error handling to help debug problems in libsemanage.
        * man: make selinux.8 mention service man pages
        * audit2why: Fix segfault if finish() called twice
        * audit2why: do not leak on multiple init() calls
        * mode_to_security_class: interface to translate a mode_t in to a security class
        * audit2why: Cleanup audit2why analysys function
        * man: Fix program synopsis and function prototypes in man pages
        * man: Fix man pages formatting
        * man: Fix typo in man page
        * man: Add references and man page links to _raw function variants
        * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
        * man: context_new(3): fix the return value description
        * selinux_status_open: handle error from sysconf
        * selinux_status_open: do not leak statusfd on exec
        * Fix errors found by coverity
        * Change boooleans.subs to booleans.subs_dist.
        * optimize set*con functions
        * pkg-config do not specifc ruby version
        * unmap file contexts on selabel_close()
        * do not leak file contexts with mmap'd backend
        * sefcontext_compile: do not leak fd on error
        * matchmediacon: do not leak fd
        * src/label_android_property: do not leak fd on error
2013-02-07 12:33:50 -05:00
Dan Walsh
01e3787363 Update to latest patches from eparis/Upstream 2013-01-27 20:07:56 -05:00
Dan Walsh
976da17c28 Update to latest patches from eparis/Upstream 2013-01-25 09:35:30 -05:00
Dan Walsh
0a9b6f58d0 Try procatt speedup patch again 2013-01-23 14:26:18 -05:00
Dan Walsh
f297425de0 Roll back procattr speedups since it seems to be screwing up systemd labeling. 2013-01-23 06:39:46 -05:00
Dan Walsh
775a744b5d Fix tid handling for setfscreatecon, old patch still broken in libvirt 2013-01-22 17:23:19 -05:00
Dan Walsh
f0a059565a Fix tid handling for setfscreatecon, old patch still broken in libvirt 2013-01-18 10:01:45 -06:00
Dan Walsh
7a71cdb44d setfscreatecon after fork was broken by the Set*con patch.
- We needed to reset the thread variables after a fork.
2013-01-14 16:19:46 -05:00
Dan Walsh
a9a8a9f55f Fix setfscreatecon call to handle failure mode, which was breaking udev 2013-01-10 16:06:03 -05:00
Dan Walsh
0974ef2348 Ondrej Oprala patch to optimize set*con functions
-    Set*con now caches the security context and only re-sets it if it changes.
2013-01-09 10:18:51 -05:00
Dan Walsh
3fdab66ec0 Update to latest patches from eparis/Upstream
-    Fix errors found by coverity
-    set the sepol_compute_av_reason_buffer flag to 0.  This means calculate denials only?
-    audit2why: remove a useless policy vers variable
-    audit2why: use the new constraint information
2013-01-04 17:27:39 -05:00
Dan Walsh
e7604b157b Rebuild with latest libsepol 2012-11-19 15:17:16 -05:00
Dan Walsh
edd5aaafc0 Return EPERM if login program can not reach default label for user
- Attempt to return container info from audit2why
2012-11-16 16:49:57 -05:00
rhatdan
5a7e010f07 Apply patch from eparis to fix leaked file descriptor in new labeling code 2012-11-01 15:53:47 -04:00
rhatdan
e1c914df47 Add new function mode_to_security_class which takes mode instead of a string.
- Possibly will be used with coreutils.
2012-10-25 16:27:52 -04:00
rhatdan
166aec5994 Update to upstream
* Add support for lxc_contexts_path
	* utils: add service to getdefaultcon
	* libsemanage: do not set soname needlessly
	* libsemanage: remove PYTHONLIBDIR and ruby equivalent
	* boolean name equivalency
	* getsebool: support boolean name substitution
	* Add man page for new selinux_boolean_sub function.
	* expose selinux_boolean_sub
	* matchpathcon: add -m option to force file type check
	* utils: avcstat: clear sa_mask set
	* seusers: Check for strchr failure
	* booleans: initialize pointer to silence coveriety
	* stop messages when SELinux disabled
	* label_file: use PCRE instead of glibc regex functions
	* label_file: remove all typedefs
	* label_file: move definitions to include file
	* label_file: do string to mode_t conversion in a helper function
	* label_file: move error reporting back into caller
	* label_file: move stem/spec handling to header
	* label_file: drop useless ncomp field from label_file data
	* label_file: move spec_hasMetaChars to header
	* label_file: fix potential read past buffer in spec_hasMetaChars
	* label_file: move regex sorting to the header
	* label_file: add accessors for the pcre extra data
	* label_file: only run regex files one time
	* label_file: new process_file function
	* label_file: break up find_stem_from_spec
	* label_file: struct reorg
	* label_file: only run array once when sorting
	* Ensure that we only close the selinux netlink socket once.
	* improve the file_contexts.5 manual page
2012-09-14 06:21:17 -04:00
rhatdan
2b3728456a Update to upstream
* Add support for lxc_contexts_path
	* utils: add service to getdefaultcon
	* libsemanage: do not set soname needlessly
	* libsemanage: remove PYTHONLIBDIR and ruby equivalent
	* boolean name equivalency
	* getsebool: support boolean name substitution
	* Add man page for new selinux_boolean_sub function.
	* expose selinux_boolean_sub
	* matchpathcon: add -m option to force file type check
	* utils: avcstat: clear sa_mask set
	* seusers: Check for strchr failure
	* booleans: initialize pointer to silence coveriety
	* stop messages when SELinux disabled
	* label_file: use PCRE instead of glibc regex functions
	* label_file: remove all typedefs
	* label_file: move definitions to include file
	* label_file: do string to mode_t conversion in a helper function
	* label_file: move error reporting back into caller
	* label_file: move stem/spec handling to header
	* label_file: drop useless ncomp field from label_file data
	* label_file: move spec_hasMetaChars to header
	* label_file: fix potential read past buffer in spec_hasMetaChars
	* label_file: move regex sorting to the header
	* label_file: add accessors for the pcre extra data
	* label_file: only run regex files one time
	* label_file: new process_file function
	* label_file: break up find_stem_from_spec
	* label_file: struct reorg
	* label_file: only run array once when sorting
	* Ensure that we only close the selinux netlink socket once.
	* improve the file_contexts.5 manual page
2012-09-14 06:03:06 -04:00
rhatdan
9fac486ba3 Update to upstream
* Add support for lxc_contexts_path
	* utils: add service to getdefaultcon
	* libsemanage: do not set soname needlessly
	* libsemanage: remove PYTHONLIBDIR and ruby equivalent
	* boolean name equivalency
	* getsebool: support boolean name substitution
	* Add man page for new selinux_boolean_sub function.
	* expose selinux_boolean_sub
	* matchpathcon: add -m option to force file type check
	* utils: avcstat: clear sa_mask set
	* seusers: Check for strchr failure
	* booleans: initialize pointer to silence coveriety
	* stop messages when SELinux disabled
	* label_file: use PCRE instead of glibc regex functions
	* label_file: remove all typedefs
	* label_file: move definitions to include file
	* label_file: do string to mode_t conversion in a helper function
	* label_file: move error reporting back into caller
	* label_file: move stem/spec handling to header
	* label_file: drop useless ncomp field from label_file data
	* label_file: move spec_hasMetaChars to header
	* label_file: fix potential read past buffer in spec_hasMetaChars
	* label_file: move regex sorting to the header
	* label_file: add accessors for the pcre extra data
	* label_file: only run regex files one time
	* label_file: new process_file function
	* label_file: break up find_stem_from_spec
	* label_file: struct reorg
	* label_file: only run array once when sorting
	* Ensure that we only close the selinux netlink socket once.
	* improve the file_contexts.5 manual page
2012-09-14 06:02:36 -04:00
rhatdan
01a1f705b5 Update to upstream
* Add support for lxc_contexts_path
	* utils: add service to getdefaultcon
	* libsemanage: do not set soname needlessly
	* libsemanage: remove PYTHONLIBDIR and ruby equivalent
	* boolean name equivalency
	* getsebool: support boolean name substitution
	* Add man page for new selinux_boolean_sub function.
	* expose selinux_boolean_sub
	* matchpathcon: add -m option to force file type check
	* utils: avcstat: clear sa_mask set
	* seusers: Check for strchr failure
	* booleans: initialize pointer to silence coveriety
	* stop messages when SELinux disabled
	* label_file: use PCRE instead of glibc regex functions
	* label_file: remove all typedefs
	* label_file: move definitions to include file
	* label_file: do string to mode_t conversion in a helper function
	* label_file: move error reporting back into caller
	* label_file: move stem/spec handling to header
	* label_file: drop useless ncomp field from label_file data
	* label_file: move spec_hasMetaChars to header
	* label_file: fix potential read past buffer in spec_hasMetaChars
	* label_file: move regex sorting to the header
	* label_file: add accessors for the pcre extra data
	* label_file: only run regex files one time
	* label_file: new process_file function
	* label_file: break up find_stem_from_spec
	* label_file: struct reorg
	* label_file: only run array once when sorting
	* Ensure that we only close the selinux netlink socket once.
	* improve the file_contexts.5 manual page
2012-09-14 05:59:45 -04:00