Binary files nsalibselinux/debugsources.list and libselinux-1.20.1/debugsources.list differ diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.20.1/include/selinux/selinux.h --- nsalibselinux/include/selinux/selinux.h 2004-12-03 14:40:05.000000000 -0500 +++ libselinux-1.20.1/include/selinux/selinux.h 2005-01-12 10:13:25.000000000 -0500 @@ -226,6 +226,7 @@ extern const char *selinux_media_context_path(void); extern const char *selinux_contexts_path(void); extern const char *selinux_booleans_path(void); +extern const char *selinux_customizable_types_path(void); /* Check a permission in the passwd class. Return 0 if granted or -1 otherwise. */ @@ -242,6 +243,10 @@ const char *filename, char *const argv[], char *const envp[]); +/* Returns whether a file context is customizable, and should not + be relabeled . */ +extern int is_context_customizable (security_context_t scontext); + #ifdef __cplusplus } #endif diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/is_context_customizable.3 libselinux-1.20.1/man/man3/is_context_customizable.3 --- nsalibselinux/man/man3/is_context_customizable.3 1969-12-31 19:00:00.000000000 -0500 +++ libselinux-1.20.1/man/man3/is_context_customizable.3 2005-01-12 10:13:25.000000000 -0500 
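Review bot: The comment on the new `is_context_customizable` declaration does not say that the function returns -1 on error in addition to 1/0, so a caller written as `if (is_context_customizable(ctx)) skip_relabel()` silently treats "customizable_types could not be read" as "customizable" and leaves every file's label alone, which is the fail-open direction for a relabel tool. Suggest replacing the two-line comment with: `/* Returns 1 if the type field of scontext is listed in customizable_types (restorecon/setfiles leave such files alone), 0 if it is not, and -1 on error (e.g. the list could not be read); callers must test for -1 explicitly rather than for non-zero. */` That also removes the stray space in "relabeled .". Whether the callers in this tree actually distinguish -1 from 1 is not visible from this hunk.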
@@ -0,0 +1,22 @@ +.TH "is_context_customizable" "3" "10 January 2005" "dwalsh@redhat.com" "SELinux API documentation" +.SH "NAME" +is_context_customizable \- check whether context type is customizable by the administrator. +.SH "SYNOPSIS" +.B #include +.sp +.B int is_context_customizable(security_context_t scon); + +.SH "DESCRIPTION" +.B is_context_customizable +.br +This function checks whether the type of scon is in the /etc/selinux/SELINUXTYPE/context/customizable_types file. A customizable type is a file context type that +administrators set on files, usually to allow certain domains to share the file content. restorecon and setfiles, by default, leave these context in place. + + +.SH "RETURN VALUE" +returns 1 if security context is customizable or 0 if it is not. +returns -1 on error + +.SH "FILE" +/etc/selinux/SELINUXTYPE/context/customizable_types + diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_load_booleans.3 libselinux-1.20.1/man/man3/security_load_booleans.3 --- nsalibselinux/man/man3/security_load_booleans.3 2004-11-30 15:59:02.000000000 -0500 +++ libselinux-1.20.1/man/man3/security_load_booleans.3 2005-01-18 17:24:31.326454550 -0500 
@@ -1,10 +1,8 @@ .TH "security_get_boolean_names" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation" .SH "NAME" security_load_booleans, security_set_boolean, security_commit_booleans, -security_get_boolean_names, security_get_boolean_active, security_get_boolean_pending -.sp -routines for manipulating SELinux boolean values - +security_get_boolean_names, security_get_boolean_active, +security_get_boolean_pending \- routines for manipulating SELinux boolean values .SH "SYNOPSIS" .B #include .sp diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_binary_policy_path.3 libselinux-1.20.1/man/man3/selinux_binary_policy_path.3 --- nsalibselinux/man/man3/selinux_binary_policy_path.3 2004-11-30 15:59:02.000000000 -0500 +++ libselinux-1.20.1/man/man3/selinux_binary_policy_path.3 2005-01-18 17:24:31.344452529 -0500 @@ -1,8 +1,10 @@ .TH "selinux_binary_policy_path" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation" .SH "NAME" -selinux_policy_root, selinux_binary_policy_path, selinux_failsafe_context_path, selinux_removable_context_path, selinux_default_context_path, selinux_user_contexts_path, selinux_file_context_path, selinux_media_context_path, selinux_contexts_path, selinux_booleans_path -.sp -These functions return the paths to the active policy configuration +selinux_policy_root, selinux_binary_policy_path, +selinux_failsafe_context_path, selinux_removable_context_path, +selinux_default_context_path, selinux_user_contexts_path, +selinux_file_context_path, selinux_media_context_path, +selinux_contexts_path, selinux_booleans_path \- These functions return the paths to the active policy configuration directories and files. .SH "SYNOPSIS" diff --exclude-from=exclude -N -u -r nsalibselinux/src/file_path_suffixes.h libselinux-1.20.1/src/file_path_suffixes.h --- nsalibselinux/src/file_path_suffixes.h 2004-10-20 16:31:36.000000000 -0400 +++ libselinux-1.20.1/src/file_path_suffixes.h 2005-01-12 10:13:25.000000000 -0500 
@@ -9,3 +9,4 @@
 S_(BOOLEANS, "/booleans")
 S_(MEDIA_CONTEXTS, "/contexts/files/media")
 S_(REMOVABLE_CONTEXT, "/contexts/removable_context")
+S_(CUSTOMIZABLE_TYPES, "/contexts/customizable_types")
diff --exclude-from=exclude -N -u -r nsalibselinux/src/is_customizable_type.c libselinux-1.20.1/src/is_customizable_type.c
--- nsalibselinux/src/is_customizable_type.c 1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.20.1/src/is_customizable_type.c 2005-01-12 10:13:25.000000000 -0500
@@ -0,0 +1,68 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+static int get_customizable_type_list (security_context_t **retlist)
+{
+ FILE *fp;
+ char buf[4097];
+ int ctr=0, i;
+ security_context_t *list=NULL;
+
+ fp = fopen(selinux_customizable_types_path(), "r");
+ if (!fp)
+ return -1;
+
+ while (fgets_unlocked(buf, 4096, fp)) {
+ ctr++;
+ }
+ rewind(fp);
+ if (ctr) {
+ list=(security_context_t *) calloc(sizeof(security_context_t *), ctr+1);
+ if (list) {
+ i=0;
+ while (fgets_unlocked(buf, 4096, fp)) {
+ buf[strlen(buf)-1]=0;
+ list[i++]=(security_context_t) strdup(buf);
+ if (i>ctr) {
+ /* Should never happen */
+ free(list);
+ list=NULL;
+ break;
+ }
+ }
+ }
+ }
+ fclose(fp);
+ if (!list)
+ return -1;
+ *retlist=list;
+ return 0;
+}
+
+static security_context_t *customizable_list=NULL;
+
+int is_context_customizable (security_context_t scontext) {
+ int i;
+ char *ptr;
+ if (! customizable_list) {
+ if (get_customizable_type_list(&customizable_list)!=0)
+ return -1;
+ }
+
+ ptr=strrchr(scontext, ':');
+ if (ptr) {
+ ptr++;
+ } else {
+ ptr=scontext;
+ }
+ for (i = 0; customizable_list[i]; i++) {
+ if (strcmp(customizable_list[i],ptr) == 0) return 1;
+ }
+ return 0;
+}
diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-1.20.1/src/matchpathcon.c
--- nsalibselinux/src/matchpathcon.c 2004-12-29 11:51:23.000000000 -0500
+++ libselinux-1.20.1/src/matchpathcon.c 2005-01-12 10:13:25.000000000 -0500
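Review bot: The suffix added here is `/contexts/customizable_types`, but the new man page in this same patch documents the file as `/etc/selinux/SELINUXTYPE/context/customizable_types` (singular `context`), so an administrator who follows the documentation creates the file in a directory the library never opens, and every `is_context_customizable` call then fails with -1 because `fopen` of the real path fails. One of the two has to change; since every other entry in this table lives under `/contexts/`, the man page FILE and DESCRIPTION sections should say `/etc/selinux/SELINUXTYPE/contexts/customizable_types`. It would also help to note next to the new `S_()` entry that its position is an index, e.g. `/* entry 10: must stay in step with CUSTOMIZABLE_TYPES in selinux_config.c */`, since nothing else ties the two files together.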
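Review bot: `is_context_customizable` compares the text after the *last* `:` of `scontext`, which is the type only while a context has exactly three fields; for a context carrying a trailing level field (`user:role:type:level`) the comparison is made against the level, no file is ever recognised as customizable, and restorecon/setfiles would relabel the administrator's files. The type is the third colon-separated field, so the lookup should extract that field by length instead of using `strrchr`, as below. Two smaller points in `get_customizable_type_list`: `buf[strlen(buf)-1]=0` chops the last character of a final line without a newline (and of any line the 4096-byte `fgets` splits), so guard it with `len = strlen(buf); if (len && buf[len-1] == '\n') buf[len-1] = 0;`, and an empty file leaves `list` NULL so the function — and every later `is_context_customizable` call — returns -1 rather than 0, which allocating the `ctr+1` array unconditionally fixes. `strdup` is also unchecked: a NULL entry terminates the list early and silently drops the types that follow it.
```c
/* … unchanged: get_customizable_type_list, customizable_list … */
int is_context_customizable (security_context_t scontext) {
	int i;
	const char *type, *end;
	size_t len;
	if (! customizable_list) {
		if (get_customizable_type_list(&customizable_list)!=0)
			return -1;
	}

	/* The type is the third field of user:role:type[:level]; fall back to
	   the whole string when the context does not have three fields. */
	type = strchr(scontext, ':');
	type = type ? strchr(type + 1, ':') : NULL;
	type = type ? type + 1 : scontext;
	end = strchr(type, ':');
	len = end ? (size_t)(end - type) : strlen(type);
	for (i = 0; customizable_list[i]; i++) {
		if (strlen(customizable_list[i]) == len &&
		    strncmp(customizable_list[i], type, len) == 0)
			return 1;
	}
	return 0;
}
```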
@@ -207,15 +207,135 @@ } return; } - +static int process_line( const char *path, char *line_buf, int pass, int lineno) { + int items, len, regerr; + char *buf_p; + char *regex, *type, *context; + char *anchored_regex; + len = strlen(line_buf); + if (line_buf[len - 1] != '\n') { + myprintf("%s: line %d is too long, would be truncated, skipping\n", path, lineno); + return 0; + } + line_buf[len - 1] = 0; + buf_p = line_buf; + while (isspace(*buf_p)) + buf_p++; + /* Skip comment lines and empty lines. */ + if (*buf_p == '#' || *buf_p == 0) + return 0; + items = + sscanf(line_buf, "%as %as %as", ®ex, &type, + &context); + if (items < 2) { + myprintf("%s: line %d is missing fields\n, skipping", path, lineno); + return 0; + } else if (items == 2) { + /* The type field is optional. */ + free(context); + context = type; + type = 0; + } + + if (pass == 1) { + /* On the second pass, compile and store the specification in spec. */ + const char *reg_buf = regex; + char *cp; + spec_arr[nspec].stem_id = find_stem_from_spec(®_buf); + spec_arr[nspec].regex_str = regex; + + /* Anchor the regular expression. */ + len = strlen(reg_buf); + cp = anchored_regex = malloc(len + 3); + if (!anchored_regex) + return -1; + /* Create ^...$ regexp. */ + *cp++ = '^'; + cp = mempcpy(cp, reg_buf, len); + *cp++ = '$'; + *cp = '\0'; + + /* Compile the regular expression. 
*/ + regerr = + regcomp(&spec_arr[nspec].regex, + anchored_regex, + REG_EXTENDED | REG_NOSUB); + free(anchored_regex); + if (regerr < 0) { + myprintf("%s: line %d has invalid regex %s\n", path, lineno, anchored_regex); + return 0; + } + + /* Convert the type string to a mode format */ + spec_arr[nspec].type_str = type; + spec_arr[nspec].mode = 0; + if (!type) + goto skip_type; + len = strlen(type); + if (type[0] != '-' || len != 2) { + myprintf("%s: line %d has invalid file type %s\n", path, lineno, type); + return 0; + } + switch (type[1]) { + case 'b': + spec_arr[nspec].mode = S_IFBLK; + break; + case 'c': + spec_arr[nspec].mode = S_IFCHR; + break; + case 'd': + spec_arr[nspec].mode = S_IFDIR; + break; + case 'p': + spec_arr[nspec].mode = S_IFIFO; + break; + case 'l': + spec_arr[nspec].mode = S_IFLNK; + break; + case 's': + spec_arr[nspec].mode = S_IFSOCK; + break; + case '-': + spec_arr[nspec].mode = S_IFREG; + break; + default: + myprintf("%s: line %d has invalid file type %s\n", path, lineno, type); + return 0; + } + + skip_type: + + spec_arr[nspec].context = context; + + if (strcmp(context, "<>")) { + if (security_check_context(context) < 0 && errno != ENOENT) { + myprintf("%s: line %d has invalid context %s\n", path, lineno, context); + return 0; + } + } + + /* Determine if specification has + * any meta characters in the RE */ + spec_hasMetaChars(&spec_arr[nspec]); + } + + nspec++; + if (pass == 0) { + free(regex); + if (type) + free(type); + free(context); + } + return 0; +} static int matchpathcon_init(void) { FILE *fp; const char *path; - char line_buf[BUFSIZ + 1], *buf_p; - char *regex, *type, *context; - char *anchored_regex; - int items, len, lineno, pass, regerr, i, j; + FILE *localfp; + char local_path[PATH_MAX + 1]; + char line_buf[BUFSIZ + 1]; + int lineno, pass, i, j; spec_t *spec_copy; /* Open the specification file. */ 
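Review bot: In `process_line` the regex error check `if (regerr < 0)` never fires, because `regcomp` reports failure with a positive error code, so a malformed regular expression in file_contexts — or in the administrator-edited `.local` file this patch starts reading — is kept in `spec_arr` as a failed compile and later handed to `regexec`; the diagnostic on that path also prints `anchored_regex` after `free(anchored_regex)`. Change the test to `if (regerr != 0) {`, print the message before the free (or print `regex`, which is still live), and only then `free(anchored_regex)`. This defect is carried over from the removed loop rather than introduced here, but moving the code into a helper is the right moment to fix it. The `items < 2` path still leaks the `regex` string that `%as` allocated when exactly one field was parsed; `free(regex)` before that `return 0` is enough. The hunk also contains the start of `matchpathcon_init`, whose body continues past it.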
@@ -223,6 +343,9 @@ if ((fp = fopen(path, "r")) == NULL) return -1; + snprintf(local_path, sizeof(local_path), "%s.local", path); + localfp = fopen(local_path, "r"); + /* * Perform two passes over the specification file. * The first pass counts the number of specifications and 
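Review bot: The `snprintf` that builds `local_path` does not check its return value, so a `path` longer than `PATH_MAX - 6` yields a silently truncated name and `fopen` then opens whatever that truncated string names rather than the intended `.local` file; check `if (n < 0 || (size_t)n >= sizeof local_path) localfp = NULL; else localfp = fopen(local_path, "r");`. Nothing in the code or comments says that `<file_contexts>.local` is consulted at all; a comment such as `/* Optional local overrides: <path>.local is read after the main file and its specifications are appended. */` would spare the next reader a trip through the two-pass loop. The enclosing `matchpathcon_init` starts and ends outside this hunk.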
@@ -235,123 +358,15 @@ lineno = 0; nspec = 0; while (fgets_unlocked(line_buf, sizeof line_buf, fp)) { - lineno++; - len = strlen(line_buf); - if (line_buf[len - 1] != '\n') { - myprintf("%s: line %d is too long, would be truncated, skipping\n", path, lineno); - continue; - } - line_buf[len - 1] = 0; - buf_p = line_buf; - while (isspace(*buf_p)) - buf_p++; - /* Skip comment lines and empty lines. */ - if (*buf_p == '#' || *buf_p == 0) - continue; - items = - sscanf(line_buf, "%as %as %as", ®ex, &type, - &context); - if (items < 2) { - myprintf("%s: line %d is missing fields\n, skipping", path, lineno); - continue; - } else if (items == 2) { - /* The type field is optional. */ - free(context); - context = type; - type = 0; - } - - if (pass == 1) { - /* On the second pass, compile and store the specification in spec. */ - const char *reg_buf = regex; - char *cp; - spec_arr[nspec].stem_id = find_stem_from_spec(®_buf); - spec_arr[nspec].regex_str = regex; - - /* Anchor the regular expression. */ - len = strlen(reg_buf); - cp = anchored_regex = malloc(len + 3); - if (!anchored_regex) + if (process_line(path, line_buf, pass, ++lineno) != 0) + return -1; + } + if (localfp) + while (fgets_unlocked(line_buf, sizeof line_buf, localfp)) { + if (process_line(local_path, line_buf, pass, ++lineno) != 0) return -1; - /* Create ^...$ regexp. */ - *cp++ = '^'; - cp = mempcpy(cp, reg_buf, len); - *cp++ = '$'; - *cp = '\0'; - - /* Compile the regular expression. 
*/ - regerr = - regcomp(&spec_arr[nspec].regex, - anchored_regex, - REG_EXTENDED | REG_NOSUB); - free(anchored_regex); - if (regerr < 0) { - myprintf("%s: line %d has invalid regex %s\n", path, lineno, anchored_regex); - continue; - } - - /* Convert the type string to a mode format */ - spec_arr[nspec].type_str = type; - spec_arr[nspec].mode = 0; - if (!type) - goto skip_type; - len = strlen(type); - if (type[0] != '-' || len != 2) { - myprintf("%s: line %d has invalid file type %s\n", path, lineno, type); - continue; - } - switch (type[1]) { - case 'b': - spec_arr[nspec].mode = S_IFBLK; - break; - case 'c': - spec_arr[nspec].mode = S_IFCHR; - break; - case 'd': - spec_arr[nspec].mode = S_IFDIR; - break; - case 'p': - spec_arr[nspec].mode = S_IFIFO; - break; - case 'l': - spec_arr[nspec].mode = S_IFLNK; - break; - case 's': - spec_arr[nspec].mode = S_IFSOCK; - break; - case '-': - spec_arr[nspec].mode = S_IFREG; - break; - default: - myprintf("%s: line %d has invalid file type %s\n", path, lineno, type); - continue; - } - - skip_type: - - spec_arr[nspec].context = context; - - if (strcmp(context, "<>")) { - if (security_check_context(context) < 0 && errno != ENOENT) { - myprintf("%s: line %d has invalid context %s\n", path, lineno, context); - continue; - } - } - - /* Determine if specification has - * any meta characters in the RE */ - spec_hasMetaChars(&spec_arr[nspec]); } - nspec++; - if (pass == 0) { - free(regex); - if (type) - free(type); - free(context); - } - } - if (pass == 0) { if (nspec == 0) return 0; 
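Review bot: `lineno` is not reset before the `localfp` loop, so every diagnostic for the `.local` file reports a line number offset by the length of the main file (`path.local: line 1450` for its first line); add `lineno = 0;` after the first `while` loop, before `if (localfp)`. The two new `return -1` exits inside the loops return with both `fp` and `localfp` still open, and the pre-existing `if (nspec == 0) return 0;` just below now leaks `localfp` as well; a single `goto out` to an exit that closes both streams would cover all three. `matchpathcon_init` continues past the end of this hunk.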
@@ -360,9 +375,11 @@ return -1; memset(spec_arr, '\0', sizeof(spec_t) * nspec); rewind(fp); + if (localfp) rewind(localfp); } } fclose(fp); + if (localfp) fclose(localfp); /* Move exact pathname specifications to the end. */ spec_copy = malloc(sizeof(spec_t) * nspec); diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-1.20.1/src/selinux_config.c --- nsalibselinux/src/selinux_config.c 2004-10-20 16:31:36.000000000 -0400 +++ libselinux-1.20.1/src/selinux_config.c 2005-01-12 10:13:25.000000000 -0500 @@ -26,7 +26,8 @@ #define BOOLEANS 7 #define MEDIA_CONTEXTS 8 #define REMOVABLE_CONTEXT 9 -#define NEL 10 +#define CUSTOMIZABLE_TYPES 10 +#define NEL 11 /* New layout is relative to SELINUXDIR/policytype. */ static char *file_paths[NEL]; @@ -211,6 +212,10 @@ return get_path(MEDIA_CONTEXTS); } +const char *selinux_customizable_types_path() { + return get_path(CUSTOMIZABLE_TYPES); +} + const char *selinux_contexts_path() { return get_path(CONTEXTS_DIR); }