From 4bccd198db5e17c7b5e8dfa15ad391c5dc8b4699 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Mon, 23 Sep 2013 14:30:33 -0400 Subject: [PATCH] Do not write error message to screen when looking for previous record for auditing. - Add mls_range from user record if the MLS range is not specified by the seuser add record. - Error out if seuser or mls range is not specified when adding user records --- libsemanage-rhat.patch | 73 ++++++++++++++++++++++++++++++++++++++++-- libsemanage.spec | 7 +++- 2 files changed, 77 insertions(+), 3 deletions(-) diff --git a/libsemanage-rhat.patch b/libsemanage-rhat.patch index 5fb78d9..ad45297 100644 --- a/libsemanage-rhat.patch +++ b/libsemanage-rhat.patch 
@@ -198,11 +198,66 @@ index 57ef49f..4b040c3 100644
  	free(storepath);
  	return retval;
  }
+diff --git a/libsemanage/src/seuser_record.c b/libsemanage/src/seuser_record.c
+index 8823b1e..d92633e 100644
+--- a/libsemanage/src/seuser_record.c
++++ b/libsemanage/src/seuser_record.c
+@@ -140,19 +140,50 @@ const char *semanage_seuser_get_sename(const semanage_seuser_t * seuser)
+ 
+ hidden_def(semanage_seuser_get_sename)
+ 
++#include 
++#include 
++#include 
+ int semanage_seuser_set_sename(semanage_handle_t * handle,
+ 			       semanage_seuser_t * seuser, const char *sename)
+ {
+ 
++	semanage_user_t *u = NULL;
++	const char *mls_range = semanage_seuser_get_mlsrange(seuser);
+ 	char *tmp_sename = strdup(sename);
++	int rc;
+ 	if (!tmp_sename) {
+ 		ERR(handle,
+ 		    "out of memory, could not set seuser (SELinux) name");
+ 		return STATUS_ERR;
+ 	}
++	/* Default MLS_range if not set to the "sename" user record mls range */
++	if (!mls_range && semanage_mls_enabled(handle)) {
++		semanage_user_key_t *key = NULL;
++
++		rc = semanage_user_key_create(handle, sename, &key);
++		if (rc < 0)
++			goto err;
++
++		rc = semanage_user_query(handle, key, &u);
++		semanage_user_key_free(key);
++		if (rc == STATUS_ERR)
++			goto err;
++		else if (rc == STATUS_NODATA) {
++			ERR(handle, "SELinux user %s does not exist", sename);
++			errno = EINVAL;
++			rc = STATUS_ERR;
++			goto err;
++		}
++		mls_range = semanage_user_get_mlsrange(u);
++		semanage_seuser_set_mlsrange(handle, seuser, mls_range);
++		semanage_user_free(u);
++	}
+ 	free(seuser->sename);
+ 	seuser->sename = tmp_sename;
+ 	return STATUS_SUCCESS;
++err:
++	free(tmp_sename);
++	return rc;
+ }
+ 
+ hidden_def(semanage_seuser_set_sename)
 diff --git a/libsemanage/src/seusers_local.c b/libsemanage/src/seusers_local.c
-index e7cf12c..ed0af21 100644
+index e7cf12c..d8020a9 100644
 --- a/libsemanage/src/seusers_local.c
 +++ b/libsemanage/src/seusers_local.c
-@@ -8,27 +8,117 @@ typedef struct semanage_seuser record_t;
+@@ -8,27 +8,131 @@ typedef struct semanage_seuser record_t;
  
  #include 
  #include 
@@ -294,10 +349,24 @@ index e7cf12c..ed0af21 100644
  {
 -
 +	int rc;
++	void *callback = (void *) handle->msg_callback;
  	dbase_config_t *dconfig = semanage_seuser_dbase_local(handle);
 -	return dbase_modify(handle, dconfig, key, data);
++	const char *sename = semanage_seuser_get_sename(data);
++	const char *mls_range = semanage_seuser_get_mlsrange(data);
 +	semanage_seuser_t *previous = NULL;
++	if (!sename) {
++		errno=EINVAL;
++		return -1;
++	}
++	if (!mls_range && semanage_mls_enabled(handle)) {
++		errno=EINVAL;
++		return -1;
++	}
++
++	handle->msg_callback = NULL;
 +	semanage_seuser_query(handle, key, &previous);
++	handle->msg_callback = callback;
 +	rc = dbase_modify(handle, dconfig, key, data);
 +	if (semanage_seuser_audit(handle, data, previous, AUDIT_ROLE_ASSIGN, rc == 0) < 0)
 +		rc = -1;
diff --git a/libsemanage.spec b/libsemanage.spec
index 97a5096..dd3a771 100644
--- a/libsemanage.spec
+++ b/libsemanage.spec
@@ -7,7 +7,7 @@
 Summary: SELinux binary policy manipulation library
 Name: libsemanage
 Version: 2.1.10
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 Source: libsemanage-%{version}.tgz
@@ -179,6 +179,11 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif # if with_python3
 
 %changelog
+* Thu Sep 19 2013 Dan Walsh - 2.1.10-10
+- Do not write error message to screen when looking for previous record for auditing.
+- Add mls_range from user record if the MLS range is not specified by the seuser add record.
+- Error out if seuser or mls range is not specified when adding user records
+
 * Mon Sep 9 2013 Dan Walsh - 2.1.10-9
 - Create symlink from policy.kern to active kernel.
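Review bot: The return value of `semanage_seuser_set_mlsrange(handle, seuser, mls_range)` is dropped in the new default-range branch of semanage_seuser_set_sename, so if that setter fails (it presumably has to copy the string, since `u` is freed on the very next line) the function still returns STATUS_SUCCESS with no range stored and the caller only fails later with a bare EINVAL instead of the real error. Check it before releasing the user record: `rc = semanage_seuser_set_mlsrange(handle, seuser, mls_range);` / `semanage_user_free(u);` / `if (rc < 0) goto err;`. The same branch passes `mls_range` straight from `semanage_user_get_mlsrange(u)` without a NULL check; if a user record can carry no range, the setter receives NULL, which should either be rejected there or stated at the `/* Default MLS_range ... */` comment. Since a plain setter now performs a policy lookup and can fail with "does not exist", the function's header comment should say that when MLS is enabled and no range has been set, `sename` must resolve to an existing SELinux user and the call may return STATUS_ERR with errno set to EINVAL.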
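Review bot: Nulling `handle->msg_callback` around `semanage_seuser_query(handle, key, &previous)` hides more than the expected not-found message: the query's return value is still discarded, so a genuine STATUS_ERR is now both unreported and ignored, and the audit record is written as though no previous record existed. Rather than reaching into the handle's private callback (which also assumes the ERR path tolerates a NULL callback, something this hunk does not show), gate the lookup on existence: `int exists = 0;` / `if (semanage_seuser_exists(handle, key, &exists) < 0) return -1;` / `if (exists && semanage_seuser_query(handle, key, &previous) < 0) return -1;`, and drop the `callback` variable and the two `msg_callback` assignments. The two new `errno=EINVAL; return -1;` early returns also emit no ERR() message, unlike the "SELinux user %s does not exist" path in the seuser_record.c hunk, so a caller gets -1 with nothing in the message log; an `ERR(handle, "seuser record has no SELinux user name")`-style line before each would keep the library's error reporting consistent. The signature of semanage_seuser_modify_local and the cleanup where `previous` is released lie outside this hunk, so the early returns should be checked against whatever that tail frees.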