Change libsemanage mechanism for handling disabled modules. Now it will only create a flag for a module

indicating the module is disabled. MODULE.pp.disabled, it will no longer rename the module. This way we can ship active modules in rpm.
2011-06-07 13:14:57 -04:00 · 2011-06-07 13:14:57 -04:00 · 410db78cc0
commit 410db78cc0
parent 0984542175
2 changed files with 225 additions and 6 deletions
--- a/libsemanage-rhat.patch
+++ b/libsemanage-rhat.patch
@ -175,9 +175,18 @@ index 9b261b9..77c00b2 100644
 		free(arg);
 	} else if (*arg == '/') {
 diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
-index bceb6a7..7416540 100644
+index bceb6a7..bfdcdbe 100644
 --- a/libsemanage/src/direct_api.c
 +++ b/libsemanage/src/direct_api.c
@@ -2,7 +2,7 @@
  *         Christopher Ashworth <cashworth@tresys.com>
  *
  * Copyright (C) 2004-2006 Tresys Technology, LLC
 - * Copyright (C) 2005 Red Hat, Inc.
 + * Copyright (C) 2005-2011 Red Hat, Inc.
  * 
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
@@ -95,7 +95,7 @@ int semanage_direct_is_managed(semanage_handle_t * sh)
 {
 	char polpath[PATH_MAX];
@ -196,7 +205,92 @@ index bceb6a7..7416540 100644
 		 sh->conf->store_path);
 	if (semanage_check_init(polpath))
-@@ -1539,7 +1539,7 @@ int semanage_direct_access_check(semanage_handle_t * sh)
+@@ -353,17 +353,11 @@ static int parse_module_headers(semanage_handle_t * sh, char *module_data,
 	     semanage_path(SEMANAGE_TMP, SEMANAGE_MODULES)) == NULL) {
 		return -1;
 	}
 -	if (asprintf(filename, "%s/%s.pp%s", module_path, *module_name, DISABLESTR) == -1) {
 +	if (asprintf(filename, "%s/%s.pp", module_path, *module_name) == -1) {
 		ERR(sh, "Out of memory!");
 		return -1;
 	}
 -	if (access(*filename, F_OK) == -1) {
 -		char *ptr = *filename;
 -		int len = strlen(ptr) - strlen(DISABLESTR);
 -		if (len > 0) ptr[len]='\0';
 -	}
 -
 	return 0;
 }
@@ -1307,29 +1301,12 @@ static int semanage_direct_enable(semanage_handle_t * sh, char *module_name)
 		base++;
 		if (memcmp(module_name, base, name_len) == 0) {
 -			if(strcmp(base + name_len + 3, DISABLESTR) != 0) {
 -				ERR(sh, "Module %s is already enabled.", module_name);
 +			if (semanage_enable_module(module_filenames[i]) < 0) {
 +				ERR(sh, "Could not enable module %s.", module_name);
 				retval = -2;
 				goto cleanup;
 			}
 -
 -			int len = strlen(module_filenames[i]) - strlen(DISABLESTR);
 -			char *enabled_name = calloc(1, len+1);
 -			if (!enabled_name) {
 -				ERR(sh, "Could not allocate memory");
 -				retval = -1;
 -				goto cleanup;
 -			}
 -
 -			strncpy(enabled_name, module_filenames[i],len);
 -
 -			if (rename(module_filenames[i], enabled_name) == -1) {
 -				ERR(sh, "Could not enable module file %s.",
 -				    enabled_name);
 -				retval = -2;
 -			}
 			retval = 0;
 -			free(enabled_name);
 			goto cleanup;
 		}
 	}
@@ -1363,28 +1340,14 @@ static int semanage_direct_disable(semanage_handle_t * sh, char *module_name)
 			goto cleanup;
 		}
 		base++;
 -		if (memcmp(module_name, base, name_len) == 0) {
 -			if (strcmp(base + name_len + 3, DISABLESTR) == 0) {
 -				ERR(sh, "Module %s is already disabled.", module_name);
 +		if ((memcmp(module_name, base, name_len) == 0) &&
 +		    (strcmp(base + name_len, ".pp") == 0)) {
 +			if (semanage_disable_module(module_filenames[i]) < 0) {
 				retval = -2;
 				goto cleanup;
 -			} else if (strcmp(base + name_len, ".pp") == 0) {
 -				char disabled_name[PATH_MAX];
 -				if (snprintf(disabled_name, PATH_MAX, "%s%s", 
 -							module_filenames[i], DISABLESTR) == PATH_MAX) {
 -					ERR(sh, "Could not disable module file %s.",
 -							module_filenames[i]);
 -					retval = -2;
 -					goto cleanup;
 -				}
 -				if (rename(module_filenames[i], disabled_name) == -1) {
 -					ERR(sh, "Could not disable module file %s.",
 -							module_filenames[i]);
 -					retval = -2;
 -				}
 -				retval = 0;
 -				goto cleanup;
 			}
 +			retval=0;
 +			goto cleanup;
 		}
 	}
 	ERR(sh, "Module %s was not found.", module_name);
@@ -1539,7 +1502,7 @@ int semanage_direct_access_check(semanage_handle_t * sh)
 {
 	char polpath[PATH_MAX];
@ -455,9 +549,18 @@ index 3cffef7..da0ad71 100644
   return _semanage.semanage_module_install(*args)
 semanage_module_install = _semanage.semanage_module_install
 diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
-index 339bbd0..e970a8b 100644
+index 339bbd0..f5e3572 100644
 --- a/libsemanage/src/semanage_store.c
 +++ b/libsemanage/src/semanage_store.c
@@ -57,7 +57,7 @@ typedef struct dbase_policydb dbase_t;
 #include "debug.h"
 -const char *DISABLESTR=".disabled";
 +static const char *DISABLESTR="disabled";
 #define SEMANAGE_CONF_FILE "semanage.conf"
 /* relative path names to enum semanage_paths to special files and
@@ -90,7 +90,7 @@ static const char *semanage_store_paths[SEMANAGE_NUM_STORES] = {
 	"/tmp"
 };
@ -481,7 +584,62 @@ index 339bbd0..e970a8b 100644
 		 SEMANAGE_CONF_FILE);
 	return 0;
-@@ -1071,14 +1071,14 @@ static int semanage_install_active(semanage_handle_t * sh)
+@@ -425,6 +425,13 @@ int semanage_store_access_check(semanage_handle_t * sh)
 /********************* other I/O functions *********************/
 +static int is_disabled_file(const char *file) {
 +	char *ptr = strrchr(file, '.');
 +	if (! ptr) return 0;
 +	ptr++;
 +	return (strcmp(ptr, DISABLESTR) == 0);
 +}
 +
 /* Callback used by scandir() to select files. */
 static int semanage_filename_select(const struct dirent *d)
 {
@@ -435,9 +442,38 @@ static int semanage_filename_select(const struct dirent *d)
 	return 1;
 }
 +int semanage_disable_module(const char *file) {
 +	char path[PATH_MAX];
 +	int in;
 +	int n = snprintf(path, PATH_MAX, "%s.%s", file, DISABLESTR);
 +	if (n < 0 || n >= PATH_MAX)
 +		return -1;
 +	if ((in = open(path, O_WRONLY | O_CREAT )) == -1) {
 +		return -1;
 +	}
 +	close(in);
 +	return 0;
 +}
 +
 +int semanage_enable_module(const char *file) {
 +	char path[PATH_MAX];
 +	int n = snprintf(path, PATH_MAX, "%s.%s", file, DISABLESTR);
 +	if (n < 0 || n >= PATH_MAX)
 +		return 1;
 +
 +	if ((unlink(path) < 0) && (errno != ENOENT))
 +		return -1;
 +	return 0;
 +}
 +
 int semanage_module_enabled(const char *file) {
 -	int len = strlen(file) - strlen(DISABLESTR);
 -	return (len < 0 || strcmp(&file[len], DISABLESTR) != 0);
 +	char path[PATH_MAX];
 +	if (is_disabled_file(file)) return 0;
 +	int n = snprintf(path, PATH_MAX, "%s.%s", file, DISABLESTR);
 +	if (n < 0 || n >= PATH_MAX)
 +		return 1;
 +
 +	return (access(path, F_OK ) != 0);
 }
 static int semanage_modulename_select(const struct dirent *d)
@@ -1071,14 +1107,14 @@ static int semanage_install_active(semanage_handle_t * sh)
 	const char *active_fc_hd =
 	    semanage_path(SEMANAGE_ACTIVE, SEMANAGE_FC_HOMEDIRS);
@ -504,7 +662,7 @@ index 339bbd0..e970a8b 100644
 	/* This is very unelegant, the right thing to do is export the path 
 	 * building code in libselinux so that you can get paths for a given 
-@@ -1099,11 +1099,11 @@ static int semanage_install_active(semanage_handle_t * sh)
+@@ -1099,11 +1135,11 @@ static int semanage_install_active(semanage_handle_t * sh)
 	running_seusers += len;
 	running_nc += len;
@ -518,6 +676,62 @@ index 339bbd0..e970a8b 100644
 		 sh->conf->store_path);
 	snprintf(store_pol, PATH_MAX, "%s%s.%d", storepath,
@@ -1632,18 +1668,21 @@ int semanage_link_sandbox(semanage_handle_t * sh,
 		num_modules = 0;
 		goto cleanup;
 	}
 +	int disabled = 0;
 	for (i = 0; i < num_modules; i++) {
 -		if (semanage_load_module(sh, module_filenames[i], mods + i) ==
 -		    -1) {
 -			goto cleanup;
 +		if (semanage_module_enabled(module_filenames[i])) {
 +			if (semanage_load_module(sh, module_filenames[i], mods + (i - disabled)) == -1) {
 +				goto cleanup;
 +			}
 +		} else {
 +			disabled++;
 		}
 	}
 -	if (sepol_link_packages(sh->sepolh, *base, mods, num_modules, 0) != 0) {
 +	if (sepol_link_packages(sh->sepolh, *base, mods, num_modules - disabled, 0) != 0) {
 		ERR(sh, "Link packages failed");
 		goto cleanup;
 	}
 -
 	retval = 0;
       cleanup:
@@ -1651,7 +1690,7 @@ int semanage_link_sandbox(semanage_handle_t * sh,
 		free(module_filenames[i]);
 	}
 	free(module_filenames);
 -	for (i = 0; mods != NULL && i < num_modules; i++) {
 +	for (i = 0; mods != NULL && i < num_modules -disabled; i++) {
 		sepol_module_package_free(mods[i]);
 	}
 	free(mods);
 diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
 index 6abb2ee..8470191 100644
 --- a/libsemanage/src/semanage_store.h
 +++ b/libsemanage/src/semanage_store.h
@@ -85,6 +85,8 @@ int semanage_get_modules_names(semanage_handle_t * sh,
 			       char ***filenames, int *len);
 int semanage_module_enabled(const char *file);
 +int semanage_enable_module(const char *file);
 +int semanage_disable_module(const char *file);
 /* lock file routines */
 int semanage_get_trans_lock(semanage_handle_t * sh);
 int semanage_get_active_lock(semanage_handle_t * sh);
@@ -129,6 +131,4 @@ int semanage_nc_sort(semanage_handle_t * sh,
 		     size_t buf_len,
 		     char **sorted_buf, size_t * sorted_buf_len);
 -extern const char *DISABLESTR;
 -
 #endif
 diff --git a/libsemanage/src/semanageswig_python.i b/libsemanage/src/semanageswig_python.i
 index 96c670c..c074f5f 100644
 --- a/libsemanage/src/semanageswig_python.i
--- a/libsemanage.spec
+++ b/libsemanage.spec
@ -10,7 +10,7 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsemanage
 Version: 2.0.46
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 Source: http://www.nsa.gov/selinux/archives/libsemanage-%{version}.tgz
@ -208,6 +208,11 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
 * Tue Jun 7 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.46-5
 - Change libsemanage mechanism for handling disabled modules. Now it will only create a flag for a module 
 indicating the module is disabled.  MODULE.pp.disabled, it will no longer rename the module.  This way we can
 ship active modules in rpm.
 * Wed Jun 1 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.46-4
 - Add semanage_set_selinux_path, to allow semodule to work on alternate selinux pools