From 410db78cc001770b7b8ebe5ce07e55438709ad25 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Tue, 7 Jun 2011 13:14:57 -0400
Subject: [PATCH] Change libsemanage mechanism for handling disabled modules. Now it will only create a flag for a module indicating the module is disabled. MODULE.pp.disabled, it will no longer rename the module. This way we can ship active modules in rpm.
---
libsemanage-rhat.patch | 224 ++++++++++++++++++++++++++++++++++++++++-
libsemanage.spec | 7 +-
2 files changed, 225 insertions(+), 6 deletions(-)
diff --git a/libsemanage-rhat.patch b/libsemanage-rhat.patch
index 4b9a32a..9d0bb5d 100644
--- a/libsemanage-rhat.patch
+++ b/libsemanage-rhat.patch
@@ -175,9 +175,18 @@ index 9b261b9..77c00b2 100644
free(arg);
} else if (*arg == '/') {
diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
-index bceb6a7..7416540 100644
+index bceb6a7..bfdcdbe 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
+@@ -2,7 +2,7 @@
+ * Christopher Ashworth
+ *
+ * Copyright (C) 2004-2006 Tresys Technology, LLC
+- * Copyright (C) 2005 Red Hat, Inc.
++ * Copyright (C) 2005-2011 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
@@ -95,7 +95,7 @@ int semanage_direct_is_managed(semanage_handle_t * sh)
{
char polpath[PATH_MAX];
@@ -196,7 +205,92 @@ index bceb6a7..7416540 100644
sh->conf->store_path);
if (semanage_check_init(polpath))
-@@ -1539,7 +1539,7 @@ int semanage_direct_access_check(semanage_handle_t * sh)
+@@ -353,17 +353,11 @@ static int parse_module_headers(semanage_handle_t * sh, char *module_data,
+ semanage_path(SEMANAGE_TMP, SEMANAGE_MODULES)) == NULL) {
+ return -1;
+ }
+- if (asprintf(filename, "%s/%s.pp%s", module_path, *module_name, DISABLESTR) == -1) {
++ if (asprintf(filename, "%s/%s.pp", module_path, *module_name) == -1) {
+ ERR(sh, "Out of memory!");
+ return -1;
+ }
+
+- if (access(*filename, F_OK) == -1) {
+- char *ptr = *filename;
+- int len = strlen(ptr) - strlen(DISABLESTR);
+- if (len > 0) ptr[len]='\0';
+- }
+-
+ return 0;
+ }
+
+@@ -1307,29 +1301,12 @@ static int semanage_direct_enable(semanage_handle_t * sh, char *module_name)
+ base++;
+ if (memcmp(module_name, base, name_len) == 0) {
+
+- if(strcmp(base + name_len + 3, DISABLESTR) != 0) {
+- ERR(sh, "Module %s is already enabled.", module_name);
++ if (semanage_enable_module(module_filenames[i]) < 0) {
++ ERR(sh, "Could not enable module %s.", module_name);
+ retval = -2;
+ goto cleanup;
+ }
+-
+- int len = strlen(module_filenames[i]) - strlen(DISABLESTR);
+- char *enabled_name = calloc(1, len+1);
+- if (!enabled_name) {
+- ERR(sh, "Could not allocate memory");
+- retval = -1;
+- goto cleanup;
+- }
+-
+- strncpy(enabled_name, module_filenames[i],len);
+-
+- if (rename(module_filenames[i], enabled_name) == -1) {
+- ERR(sh, "Could not enable module file %s.",
+- enabled_name);
+- retval = -2;
+- }
+ retval = 0;
+- free(enabled_name);
+ goto cleanup;
+ }
+ }
+@@ -1363,28 +1340,14 @@ static int semanage_direct_disable(semanage_handle_t * sh, char *module_name)
+ goto cleanup;
+ }
+ base++;
+- if (memcmp(module_name, base, name_len) == 0) {
+- if (strcmp(base + name_len + 3, DISABLESTR) == 0) {
+- ERR(sh, "Module %s is already disabled.", module_name);
++ if ((memcmp(module_name, base, name_len) == 0) &&
++ (strcmp(base + name_len, ".pp") == 0)) {
++ if (semanage_disable_module(module_filenames[i]) < 0) {
+ retval = -2;
+ goto cleanup;
+- } else if (strcmp(base + name_len, ".pp") == 0) {
+- char disabled_name[PATH_MAX];
+- if (snprintf(disabled_name, PATH_MAX, "%s%s",
+- module_filenames[i], DISABLESTR) == PATH_MAX) {
+- ERR(sh, "Could not disable module file %s.",
+- module_filenames[i]);
+- retval = -2;
+- goto cleanup;
+- }
+- if (rename(module_filenames[i], disabled_name) == -1) {
+- ERR(sh, "Could not disable module file %s.",
+- module_filenames[i]);
+- retval = -2;
+- }
+- retval = 0;
+- goto cleanup;
+ }
++ retval=0;
++ goto cleanup;
+ }
+ }
+ ERR(sh, "Module %s was not found.", module_name);
+@@ -1539,7 +1502,7 @@ int semanage_direct_access_check(semanage_handle_t * sh)
{
char polpath[PATH_MAX];
@@ -455,9 +549,18 @@ index 3cffef7..da0ad71 100644
return _semanage.semanage_module_install(*args)
semanage_module_install = _semanage.semanage_module_install
diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
-index 339bbd0..e970a8b 100644
+index 339bbd0..f5e3572 100644
--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
+@@ -57,7 +57,7 @@ typedef struct dbase_policydb dbase_t;
+
+ #include "debug.h"
+
+-const char *DISABLESTR=".disabled";
++static const char *DISABLESTR="disabled";
+
+ #define SEMANAGE_CONF_FILE "semanage.conf"
+ /* relative path names to enum semanage_paths to special files and
@@ -90,7 +90,7 @@ static const char *semanage_store_paths[SEMANAGE_NUM_STORES] = {
"/tmp"
};
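Review bot: The match in semanage_direct_enable is still a bare prefix test, `if (memcmp(module_name, base, name_len) == 0) {`, so `semodule -e foo` can act on `foobar.pp` when no `foo.pp` sorts before it, and because semanage_enable_module treats a missing flag file (ENOENT) as success the call then reports the wrong module as enabled. The disable branch in the same hunk was tightened to also require `strcmp(base + name_len, ".pp") == 0`; the enable test should mirror it: `if (memcmp(module_name, base, name_len) == 0 && strcmp(base + name_len, ".pp") == 0) {`. A smaller regression in semanage_direct_disable: when `semanage_disable_module(module_filenames[i]) < 0` it now sets `retval = -2` silently, whereas the removed rename path emitted an error, so a failed flag-file creation (EACCES, ENOSPC) leaves the user with only an exit code; add `ERR(sh, "Could not disable module %s.", module_name);` before the goto. Both functions begin and end outside the hunk.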
@@ -481,7 +584,62 @@ index 339bbd0..e970a8b 100644
SEMANAGE_CONF_FILE);
return 0;
-@@ -1071,14 +1071,14 @@ static int semanage_install_active(semanage_handle_t * sh)
+@@ -425,6 +425,13 @@ int semanage_store_access_check(semanage_handle_t * sh)
+
+ /********************* other I/O functions *********************/
+
++static int is_disabled_file(const char *file) {
++ char *ptr = strrchr(file, '.');
++ if (! ptr) return 0;
++ ptr++;
++ return (strcmp(ptr, DISABLESTR) == 0);
++}
++
+ /* Callback used by scandir() to select files. */
+ static int semanage_filename_select(const struct dirent *d)
+ {
+@@ -435,9 +442,38 @@ static int semanage_filename_select(const struct dirent *d)
+ return 1;
+ }
+
++int semanage_disable_module(const char *file) {
++ char path[PATH_MAX];
++ int in;
++ int n = snprintf(path, PATH_MAX, "%s.%s", file, DISABLESTR);
++ if (n < 0 || n >= PATH_MAX)
++ return -1;
++ if ((in = open(path, O_WRONLY | O_CREAT )) == -1) {
++ return -1;
++ }
++ close(in);
++ return 0;
++}
++
++int semanage_enable_module(const char *file) {
++ char path[PATH_MAX];
++ int n = snprintf(path, PATH_MAX, "%s.%s", file, DISABLESTR);
++ if (n < 0 || n >= PATH_MAX)
++ return 1;
++
++ if ((unlink(path) < 0) && (errno != ENOENT))
++ return -1;
++ return 0;
++}
++
+ int semanage_module_enabled(const char *file) {
+- int len = strlen(file) - strlen(DISABLESTR);
+- return (len < 0 || strcmp(&file[len], DISABLESTR) != 0);
++ char path[PATH_MAX];
++ if (is_disabled_file(file)) return 0;
++ int n = snprintf(path, PATH_MAX, "%s.%s", file, DISABLESTR);
++ if (n < 0 || n >= PATH_MAX)
++ return 1;
++
++ return (access(path, F_OK ) != 0);
+ }
+
+ static int semanage_modulename_select(const struct dirent *d)
+@@ -1071,14 +1107,14 @@ static int semanage_install_active(semanage_handle_t * sh)
const char *active_fc_hd = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_FC_HOMEDIRS);
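Review bot: `open(path, O_WRONLY | O_CREAT )` in semanage_disable_module omits the mode argument that O_CREAT requires, so the `MODULE.pp.disabled` flag file is created with whatever happens to be in the third-argument slot as its permission bits, and glibc's fortified open() exists to reject exactly this pattern. Make it `open(path, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)` (with `<sys/stat.h>` included if it is not already). In semanage_enable_module the truncation branch returns 1 while unlink failure returns -1 and the caller in direct_api.c checks `< 0`, so an over-long path is reported as a successful enable; return -1 there too so the three helpers uniformly use 0 / -1. semanage_module_enabled answers "enabled" on the same truncation, i.e. it fails open, and since semanage_link_sandbox loads whatever this function approves the `return 1;` there deserves at least a comment saying that is intended.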
@@ -504,7 +662,7 @@ index 339bbd0..e970a8b 100644
/* This is very unelegant, the right thing to do is export the path
* building code in libselinux so that you can get paths for a given
-@@ -1099,11 +1099,11 @@ static int semanage_install_active(semanage_handle_t * sh)
+@@ -1099,11 +1135,11 @@ static int semanage_install_active(semanage_handle_t * sh)
running_seusers += len;
running_nc += len;
@@ -518,6 +676,62 @@ index 339bbd0..e970a8b 100644
sh->conf->store_path);
snprintf(store_pol, PATH_MAX, "%s%s.%d", storepath,
+@@ -1632,18 +1668,21 @@ int semanage_link_sandbox(semanage_handle_t * sh,
+ num_modules = 0;
+ goto cleanup;
+ }
++ int disabled = 0;
+ for (i = 0; i < num_modules; i++) {
+- if (semanage_load_module(sh, module_filenames[i], mods + i) ==
+- -1) {
+- goto cleanup;
++ if (semanage_module_enabled(module_filenames[i])) {
++ if (semanage_load_module(sh, module_filenames[i], mods + (i - disabled)) == -1) {
++ goto cleanup;
++ }
++ } else {
++ disabled++;
+ }
+ }
+
+- if (sepol_link_packages(sh->sepolh, *base, mods, num_modules, 0) != 0) {
++ if (sepol_link_packages(sh->sepolh, *base, mods, num_modules - disabled, 0) != 0) {
+ ERR(sh, "Link packages failed");
+ goto cleanup;
+ }
+-
+ retval = 0;
+
+ cleanup:
+@@ -1651,7 +1690,7 @@ int semanage_link_sandbox(semanage_handle_t * sh,
+ free(module_filenames[i]);
+ }
+ free(module_filenames);
+- for (i = 0; mods != NULL && i < num_modules; i++) {
++ for (i = 0; mods != NULL && i < num_modules -disabled; i++) {
+ sepol_module_package_free(mods[i]);
+ }
+ free(mods);
+diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
+index 6abb2ee..8470191 100644
+--- a/libsemanage/src/semanage_store.h
++++ b/libsemanage/src/semanage_store.h
+@@ -85,6 +85,8 @@ int semanage_get_modules_names(semanage_handle_t * sh,
+ char ***filenames, int *len);
+
+ int semanage_module_enabled(const char *file);
++int semanage_enable_module(const char *file);
++int semanage_disable_module(const char *file);
+ /* lock file routines */
+ int semanage_get_trans_lock(semanage_handle_t * sh);
+ int semanage_get_active_lock(semanage_handle_t * sh);
+@@ -129,6 +131,4 @@ int semanage_nc_sort(semanage_handle_t * sh,
+ size_t buf_len,
+ char **sorted_buf, size_t * sorted_buf_len);
+
+-extern const char *DISABLESTR;
+-
+ #endif
diff --git a/libsemanage/src/semanageswig_python.i b/libsemanage/src/semanageswig_python.i
index 96c670c..c074f5f 100644
--- a/libsemanage/src/semanageswig_python.i
diff --git a/libsemanage.spec b/libsemanage.spec
index 183cbfd..d771331 100644
--- a/libsemanage.spec
+++ b/libsemanage.spec
@@ -10,7 +10,7 @@ Summary: SELinux binary policy manipulation library
Name: libsemanage
Version: 2.0.46
-Release: 4%{?dist}
+Release: 5%{?dist}
License: LGPLv2+
Group: System Environment/Libraries
Source: http://www.nsa.gov/selinux/archives/libsemanage-%{version}.tgz
@@ -208,6 +208,11 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
+* Tue Jun 7 2011 Dan Walsh - 2.0.46-5
+- Change libsemanage mechanism for handling disabled modules. Now it will only create a flag for a module
+indicating the module is disabled. MODULE.pp.disabled, it will no longer rename the module. This way we can
+ship active modules in rpm.
+
* Wed Jun 1 2011 Dan Walsh - 2.0.46-4
- Add semanage_set_selinux_path, to allow semodule to work on alternate selinux pools
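Review bot: `int disabled = 0;` is declared after the `goto cleanup` that sets `num_modules = 0`, so on that path (and on any earlier `goto cleanup` in the part of semanage_link_sandbox above the hunk) control jumps over the initializer and the cleanup loop's new bound `i < num_modules -disabled` reads an indeterminate value. The `mods != NULL &&` short-circuit only saves it when mods is still NULL at that point, which the hunk does not show; move the declaration up with the function's other locals, e.g. `int disabled = 0;` before the first goto, and drop the mid-function one. A comment where `disabled++` happens would also help: semanage_module_enabled returns 0 both for a `.pp` that has a flag and for a `.pp.disabled` flag file itself, so if semanage_get_modules_names returns the flag files they are skipped and counted too, which is what makes `num_modules - disabled` the right count for sepol_link_packages and for the free loop. semanage_link_sandbox starts and ends outside the hunk.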