rpms/libsemanage
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Cleanup handling of missing mls_range to fix problems with useradd -Z

Browse Source 
- Fix auditing of login record changes, roles were not working correctly.
Resolves: #952237
This commit is contained in:
Dan Walsh 2013-10-16 14:34:13 -04:00
parent 8dcd430104
commit ab84ace2a1
2 changed files with 36 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

88
libsemanage-rhat.patch
View File

@ -198,62 +198,11 @@ index 57ef49f..4b040c3 100644
free(storepath); free(storepath);
return retval; return retval;
} }
diff --git a/libsemanage/src/seuser_record.c b/libsemanage/src/seuser_record.c
index 8823b1e..cfcd039 100644
--- a/libsemanage/src/seuser_record.c
+++ b/libsemanage/src/seuser_record.c
@@ -140,19 +140,46 @@ const char *semanage_seuser_get_sename(const semanage_seuser_t * seuser)
hidden_def(semanage_seuser_get_sename)
+#include <semanage/user_record.h>
+#include <semanage/users_policy.h>
+#include <errno.h>
int semanage_seuser_set_sename(semanage_handle_t * handle,
semanage_seuser_t * seuser, const char *sename)
{
+ semanage_user_t *u = NULL;
+ const char *mls_range = semanage_seuser_get_mlsrange(seuser);
char *tmp_sename = strdup(sename);
+ int rc;
if (!tmp_sename) {
ERR(handle,
"out of memory, could not set seuser (SELinux) name");
return STATUS_ERR;
}
+ /* Default MLS_range if not set to the "sename" user record mls range */
+ if (!mls_range && semanage_mls_enabled(handle)) {
+ semanage_user_key_t *key = NULL;
+
+ rc = semanage_user_key_create(handle, sename, &key);
+ if (rc < 0)
+ goto err;
+
+ rc = semanage_user_query(handle, key, &u);
+ semanage_user_key_free(key);
+ if (rc == STATUS_ERR)
+ goto err;
+ else if (rc == STATUS_SUCCESS) {
+ mls_range = semanage_user_get_mlsrange(u);
+ semanage_seuser_set_mlsrange(handle, seuser, mls_range);
+ semanage_user_free(u);
+ }
+ }
free(seuser->sename);
seuser->sename = tmp_sename;
return STATUS_SUCCESS;
+err:
+ free(tmp_sename);
+ return rc;
}
hidden_def(semanage_seuser_set_sename)
diff --git a/libsemanage/src/seusers_local.c b/libsemanage/src/seusers_local.c diff --git a/libsemanage/src/seusers_local.c b/libsemanage/src/seusers_local.c
index e7cf12c..c9a9ab2 100644 index e7cf12c..f379211 100644
--- a/libsemanage/src/seusers_local.c --- a/libsemanage/src/seusers_local.c
+++ b/libsemanage/src/seusers_local.c +++ b/libsemanage/src/seusers_local.c
@@ -8,27 +8,156 @@ typedef struct semanage_seuser record_t; @@ -8,27 +8,177 @@ typedef struct semanage_seuser record_t;
#include <sepol/policydb.h> #include <sepol/policydb.h>
#include <sepol/context.h> #include <sepol/context.h>
@ -289,7 +238,7 @@ index e7cf12c..c9a9ab2 100644
+ strcpy(roles,roles_arr[0]); + strcpy(roles,roles_arr[0]);
+ for (i = 1; i<num_roles; i++) { + for (i = 1; i<num_roles; i++) {
+ strcat(roles,","); + strcat(roles,",");
+ strcat(roles,roles_arr[0]); + strcat(roles,roles_arr[i]);
+ } + }
+ } + }
+ } + }
@ -376,23 +325,44 @@ index e7cf12c..c9a9ab2 100644
+ const char *sename = semanage_seuser_get_sename(data); + const char *sename = semanage_seuser_get_sename(data);
+ const char *mls_range = semanage_seuser_get_mlsrange(data); + const char *mls_range = semanage_seuser_get_mlsrange(data);
+ semanage_seuser_t *previous = NULL; + semanage_seuser_t *previous = NULL;
+ semanage_seuser_t *new = NULL;
+
+ if (!sename) { + if (!sename) {
+ errno=EINVAL; + errno=EINVAL;
+ return -1; + return -1;
+ } + }
+ if (semanage_seuser_clone(handle, data, &new) < 0) {
+ goto err;
+ }
+
+ if (!mls_range && semanage_mls_enabled(handle)) { + if (!mls_range && semanage_mls_enabled(handle)) {
+ errno=EINVAL; + semanage_user_key_t *ukey = NULL;
+ return -1; + semanage_user_t *u = NULL;
+ rc = semanage_user_key_create(handle, sename, &ukey);
+ if (rc < 0)
+ goto err;
+
+ rc = semanage_user_query(handle, ukey, &u);
+ semanage_user_key_free(ukey);
+ if (rc >= 0 ) {
+ mls_range = semanage_user_get_mlsrange(u);
+ rc = semanage_seuser_set_mlsrange(handle, new, mls_range);
+ semanage_user_free(u);
+ }
+ if (rc < 0)
+ goto err;
+ } + }
+ +
+ handle->msg_callback = NULL; + handle->msg_callback = NULL;
+ semanage_seuser_query(handle, key, &previous); + (void) semanage_seuser_query(handle, key, &previous);
+ handle->msg_callback = callback; + handle->msg_callback = callback;
+ rc = dbase_modify(handle, dconfig, key, data); + rc = dbase_modify(handle, dconfig, key, new);
+ if (semanage_seuser_audit(handle, data, previous, AUDIT_ROLE_ASSIGN, rc == 0) < 0) + if (semanage_seuser_audit(handle, new, previous, AUDIT_ROLE_ASSIGN, rc == 0) < 0)
+ rc = -1; + rc = -1;
+err:
+ if (previous) + if (previous)
+ semanage_seuser_free(previous); + semanage_seuser_free(previous);
+ semanage_seuser_free(new);
+ return rc; + return rc;
} }

8
libsemanage.spec
View File

@ -7,7 +7,7 @@
Summary: SELinux binary policy manipulation library Summary: SELinux binary policy manipulation library
Name: libsemanage Name: libsemanage
Version: 2.1.10 Version: 2.1.10
Release: 13%{?dist} Release: 14%{?dist}
License: LGPLv2+ License: LGPLv2+
Group: System Environment/Libraries Group: System Environment/Libraries
Source: libsemanage-%{version}.tgz Source: libsemanage-%{version}.tgz
@ -179,8 +179,14 @@ rm -rf ${RPM_BUILD_ROOT}
%endif # if with_python3 %endif # if with_python3
%changelog %changelog
* Wed Oct 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-14
- Cleanup handling of missing mls_range to fix problems with useradd -Z
- Fix auditing of login record changes, roles were not working correctly.
Resolves: #952237
* Fri Oct 4 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-13 * Fri Oct 4 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-13
- Fix errors found by coverity - Fix errors found by coverity
Resolves: #952237
* Wed Sep 25 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-12 * Wed Sep 25 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-12
- Do not fail on missing SELinux User Record when adding login record - Do not fail on missing SELinux User Record when adding login record