Commit Graph

276 Commits

Author SHA1 Message Date
Dan Walsh
70712b9211 Fix python bindings for selinux_check_access 2013-03-20 13:34:37 -04:00
Dan Walsh
58f9722469 Fix reseting the policy root in matchpathcon 2013-03-19 21:38:02 -04:00
Dan Walsh
cc9c7ddcf7 Cleanup setfcontext_compile atomic patch
- Add matchpathcon -P /etc/selinux/mls support by allowing users to set alternate root
- Make sure we set exit codes from selinux_label calls to ENOENT or SUCCESS
2013-03-08 12:23:30 -05:00
Dan Walsh
8047eef070 Make setfcontext_compile atomic 2013-03-06 13:51:35 -05:00
Dan Walsh
9df78f0c3b Fix memory leak in set*con calls. 2013-03-06 12:18:42 -05:00
Dan Walsh
e27f80642e Fix selinux man page to reflect what current selinux policy is. 2013-02-21 18:28:18 +01:00
Dan Walsh
0781a5c3ae Add new constant SETRANS_DIR which points to the directory where mstransd can find the socket and libvirt can write its translations files. 2013-02-15 15:13:59 -05:00
Dan Walsh
ade34f3e98 Bring back selinux_current_policy_path 2013-02-15 11:02:20 -05:00
Dan Walsh
72cdfcb7ad Revert some changes which are causing the wrong policy version file to be created 2013-02-14 08:18:40 -05:00
Dan Walsh
5e85dc35bb Revert some changes which are causing the wrong policy version file to be created 2013-02-14 07:59:56 -05:00
Dan Walsh
c1553db668 Update to upstream
* audit2why: make sure path is nul terminated
        * utils: new file context regex compiler
        * label_file: use precompiled filecontext when possible
        * do not leak mmapfd
        * sefcontontext_compile: Add error handling to help debug problems in libsemanage.
        * man: make selinux.8 mention service man pages
        * audit2why: Fix segfault if finish() called twice
        * audit2why: do not leak on multiple init() calls
        * mode_to_security_class: interface to translate a mode_t in to a security class
        * audit2why: Cleanup audit2why analysys function
        * man: Fix program synopsis and function prototypes in man pages
        * man: Fix man pages formatting
        * man: Fix typo in man page
        * man: Add references and man page links to _raw function variants
        * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
        * man: context_new(3): fix the return value description
        * selinux_status_open: handle error from sysconf
        * selinux_status_open: do not leak statusfd on exec
        * Fix errors found by coverity
        * Change boooleans.subs to booleans.subs_dist.
        * optimize set*con functions
        * pkg-config do not specifc ruby version
        * unmap file contexts on selabel_close()
        * do not leak file contexts with mmap'd backend
        * sefcontext_compile: do not leak fd on error
        * matchmediacon: do not leak fd
        * src/label_android_property: do not leak fd on error
2013-02-07 12:33:50 -05:00
Dan Walsh
01e3787363 Update to latest patches from eparis/Upstream 2013-01-27 20:07:56 -05:00
Dan Walsh
976da17c28 Update to latest patches from eparis/Upstream 2013-01-25 09:35:30 -05:00
Dan Walsh
0a9b6f58d0 Try procatt speedup patch again 2013-01-23 14:26:18 -05:00
Dan Walsh
f297425de0 Roll back procattr speedups since it seems to be screwing up systemd labeling. 2013-01-23 06:39:46 -05:00
Dan Walsh
775a744b5d Fix tid handling for setfscreatecon, old patch still broken in libvirt 2013-01-22 17:23:19 -05:00
Dan Walsh
f0a059565a Fix tid handling for setfscreatecon, old patch still broken in libvirt 2013-01-18 10:01:45 -06:00
Dan Walsh
7a71cdb44d setfscreatecon after fork was broken by the Set*con patch.
- We needed to reset the thread variables after a fork.
2013-01-14 16:19:46 -05:00
Dan Walsh
a9a8a9f55f Fix setfscreatecon call to handle failure mode, which was breaking udev 2013-01-10 16:06:03 -05:00
Dan Walsh
0974ef2348 Ondrej Oprala patch to optimize set*con functions
-    Set*con now caches the security context and only re-sets it if it changes.
2013-01-09 10:18:51 -05:00
Dan Walsh
3fdab66ec0 Update to latest patches from eparis/Upstream
-    Fix errors found by coverity
-    set the sepol_compute_av_reason_buffer flag to 0.  This means calculate denials only?
-    audit2why: remove a useless policy vers variable
-    audit2why: use the new constraint information
2013-01-04 17:27:39 -05:00
Dan Walsh
e7604b157b Rebuild with latest libsepol 2012-11-19 15:17:16 -05:00
Dan Walsh
edd5aaafc0 Return EPERM if login program can not reach default label for user
- Attempt to return container info from audit2why
2012-11-16 16:49:57 -05:00
rhatdan
5a7e010f07 Apply patch from eparis to fix leaked file descriptor in new labeling code 2012-11-01 15:53:47 -04:00
rhatdan
e1c914df47 Add new function mode_to_security_class which takes mode instead of a string.
- Possibly will be used with coreutils.
2012-10-25 16:27:52 -04:00
rhatdan
01a1f705b5 Update to upstream
* Add support for lxc_contexts_path
	* utils: add service to getdefaultcon
	* libsemanage: do not set soname needlessly
	* libsemanage: remove PYTHONLIBDIR and ruby equivalent
	* boolean name equivalency
	* getsebool: support boolean name substitution
	* Add man page for new selinux_boolean_sub function.
	* expose selinux_boolean_sub
	* matchpathcon: add -m option to force file type check
	* utils: avcstat: clear sa_mask set
	* seusers: Check for strchr failure
	* booleans: initialize pointer to silence coveriety
	* stop messages when SELinux disabled
	* label_file: use PCRE instead of glibc regex functions
	* label_file: remove all typedefs
	* label_file: move definitions to include file
	* label_file: do string to mode_t conversion in a helper function
	* label_file: move error reporting back into caller
	* label_file: move stem/spec handling to header
	* label_file: drop useless ncomp field from label_file data
	* label_file: move spec_hasMetaChars to header
	* label_file: fix potential read past buffer in spec_hasMetaChars
	* label_file: move regex sorting to the header
	* label_file: add accessors for the pcre extra data
	* label_file: only run regex files one time
	* label_file: new process_file function
	* label_file: break up find_stem_from_spec
	* label_file: struct reorg
	* label_file: only run array once when sorting
	* Ensure that we only close the selinux netlink socket once.
	* improve the file_contexts.5 manual page
2012-09-14 05:59:45 -04:00
Dan Walsh
4eed7a5379 Ensure that we only close the selinux netlink socket once.
- Taken from our Android libselinux tree. From Stephen Smalley
2012-07-31 10:14:59 -04:00
Dan Walsh
852ea731d6 Revert Eric Paris Patch for selinux_binary_policy_path 2012-07-13 15:38:11 -04:00
Dan Walsh
cd092e1338 Update to upstream
* Fortify source now requires all code to be compiled with -O flag
	* asprintf return code must be checked
	* avc_netlink_recieve handle EINTR
	* audit2why: silence -Wmissing-prototypes warning
	* libsemanage: remove build warning when build swig c files
	* matchpathcon: bad handling of symlinks in /
	* seusers: remove unused lineno
	* seusers: getseuser: gracefully handle NULL service
	* New Android property labeling backend
	* label_android_property whitespace cleanups
	* additional makefile support for rubywrap
2012-07-04 07:31:12 -04:00
Dan Walsh
d9f6251b10 Fix booleans.subs name, change function name to selinux_boolean_sub,
add man page, minor fixes to the function
2012-06-11 13:31:23 -04:00
Dan Walsh
f9135bb77c Fix to compile with Fortify source
* Add -O compiler flag
      * Check return code from asprintf
- Fix handling of symbolic links in / by realpath_not_final
2012-05-25 07:20:38 -04:00
Dan Walsh
40eaa6c970 Add support for lxc contexts file 2012-04-19 16:34:27 -04:00
Dan Walsh
ce3cc634eb Update to upstream
* Fix dead links to www.nsa.gov/selinux
	* Remove jump over variable declaration
	* Fix old style function definitions
	* Fix const-correctness
	* Remove unused flush_class_cache method
	* Add prototype decl for destructor
	* Add more printf format annotations
	* Add printf format attribute annotation to die() method
	* Fix const-ness of parameters & make usage() methods static
	* Enable many more gcc warnings for libselinux/src/ builds
	* utils: Enable many more gcc warnings for libselinux/utils builds
	* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
	* Ensure there is a prototype for 'matchpathcon_lib_destructor'
	* Update Makefiles to handle /usrmove
	* utils: Stop separating out matchpathcon as something special
	* pkg-config to figure out where ruby include files are located
	* build with either ruby 1.9 or ruby 1.8
	* assert if avc_init() not called
	* take security_deny_unknown into account
	* security_compute_create_name(3)
	* Do not link against python library, this is considered
	* bad practice in debian
	* Hide unnecessarily-exported library destructors
2012-03-29 14:39:18 -04:00
Dan Walsh
76fb5c8e65 avc_netlink_recieve should continue to poll if it receinves an EINTR rather 2012-02-03 10:31:53 -05:00
Dan Walsh
86fcde8ff1 Rebuild with cleaned up upstream to work in /usr 2012-01-27 14:50:47 -05:00
Dan Walsh
f5849c1fad Add Dan Berrange code cleanup patches. 2012-01-23 13:39:03 -05:00
Dan Walsh
80c334bf8d Fix selabal_open man page to refer to proper selinux_opt structure 2012-01-23 11:28:11 -05:00
Dan Walsh
ad8477f7a1 Fix selabal_open man page to refer to proper selinux_opt structure 2012-01-04 11:03:19 -05:00
Dan Walsh
7959ef108b Update to upstream
* Fix setenforce man page to refer to selinux man page
	* Cleanup Man pages
	* merge freecon with getcon man page
2011-12-21 18:09:52 +00:00
Dan Walsh
0c717c5b8c Add patch from Richard Haines
When selabel_lookup found an invalid context with validation enabled, it
always stated it was 'file_contexts' whether media, x, db or file.
The fix is to store the spec file name in the selabel_lookup_rec on
selabel_open and use this as output for logs. Also a minor fix if key is
NULL to stop seg faults.
Fix setenforce manage page.
2011-12-19 14:48:33 -05:00
Dan Walsh
e9493af009 Fix setenforce man page, from Miroslav Grepl 2011-12-06 10:43:58 -05:00
Dan Walsh
de1ce20f11 Upgrade to upstream
* selinuxswig_python.i: don't make syscall if it won't change anything
	* Remove assert in security_get_boolean_names(3)
	* Mapped compute functions now obey deny_unknown flag
	* get_default_type now sets EINVAL if no entry.
	* return EINVAL if invalid role selected
	* Updated selabel_file(5) man page
	* Updated selabel_db(5) man page
	* Updated selabel_media(5) man page
	* Updated selabel_x(5) man page
	* Add man/man5 man pages
	* Add man/man5 man pages
	* Add man/man5 man pages
	* use -W and -Werror in utils
2011-12-06 08:55:52 -05:00
Dan Walsh
0921286973 Change python binding for restorecon to check if the context matches.
If it does do not reset
2011-11-29 09:47:57 -05:00
Dan Walsh
5cb2893d59 * Makefiles: syntax, convert all ${VAR} to $(VAR)
* load_policy: handle selinux=0 and /sys/fs/selinux not exist
	* regenerate .pc on VERSION change
	* label: cosmetic cleanups
	* simple interface for access checks
	* Don't reinitialize avc_init if it has been called previously
	* seusers: fix to handle large sets of groups
	* audit2why: close fd on enomem
	* rename and export symlink_realpath
	* label_file: style changes to make Eric happy.
2011-11-04 09:13:56 -04:00
Dan Walsh
8075466849 Apply libselinux patch to handle large groups in seusers. 2011-10-24 14:30:05 -04:00
Dan Walsh
9328ed5d59 Add selinux_check_access function. Needed for passwd, chfn, chsh 2011-10-20 16:50:40 -04:00
Dan Walsh
a8fa8756a9 Add selinux_check_access function. Needed for passwd, chfn, chsh 2011-10-20 15:44:39 -04:00
Dan Walsh
3f542ebbed Handle situation where selinux=0 passed to the kernel and both /selinux and 2011-09-22 09:38:06 -04:00
Dan Walsh
aa09b7d954 Update to upstream
* utils: matchpathcon: remove duplicate declaration
	* src: matchpathcon: use myprintf not fprintf
	* src: matchpathcon: make sure resolved path starts
	* put libselinux.so.1 in /lib not /usr/lib
	* tree: default make target to all not
2011-09-19 06:52:45 -04:00
Dan Walsh
5113c7563a Switch to use ":" as prefix separator rather then ";" 2011-09-14 22:01:30 -04:00