From b7399a13578474eca7039c21547a7b392ed49be6 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Wed, 14 Sep 2011 22:29:13 -0400
Subject: [PATCH] Add support for preserving tunables

---
 libsemanage-rhat.patch | 144 +++++++++++++++++++++++++++++++++++++----
 libsemanage.spec       |   5 +-
 2 files changed, 135 insertions(+), 14 deletions(-)

diff --git a/libsemanage-rhat.patch b/libsemanage-rhat.patch
index 1e791c8..a7bfb6b 100644
--- a/libsemanage-rhat.patch
+++ b/libsemanage-rhat.patch
@@ -1,5 +1,22 @@
+diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
+index e303713..c746930 100644
+--- a/libsemanage/include/semanage/handle.h
++++ b/libsemanage/include/semanage/handle.h
+@@ -129,6 +129,12 @@ int semanage_mls_enabled(semanage_handle_t *sh);
+ /* Change to alternate selinux root path */
+ int semanage_set_root(const char *path);
+ 
++/* Get whether or not needless unused branch of tunables would be preserved */
++int semanage_get_preserve_tunables(semanage_handle_t * handle);
++
++/* Set whether or not to preserve the needless unused branch of tunables */
++void semanage_set_preserve_tunables(semanage_handle_t * handle, int preserve_tunables);
++
+ /* META NOTES
+  *
+  * For all functions a non-negative number indicates success. For some
 diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
-index aac1974..3dfa279 100644
+index aac1974..8fcfb88 100644
 --- a/libsemanage/src/direct_api.c
 +++ b/libsemanage/src/direct_api.c
 @@ -353,17 +353,11 @@ static int parse_module_headers(semanage_handle_t * sh, char *module_data,
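Review bot: The two prototypes added near the top of the hunk name their handle parameter `handle`, while the neighbouring declarations in this header (for example `int semanage_mls_enabled(semanage_handle_t *sh);` in the hunk header) use `sh`, and the getter's comment, "Get whether or not needless unused branch of tunables would be preserved", does not read as a sentence. Suggest renaming both parameters to `sh` and rewording the getter's comment to `/* Return the current preserve_tunables setting; 1 means the unused branches of tunables are preserved */`, with the setter's comment stating that it expects 0 or 1, since the commit path added in direct_api.c tests the value with `== 1`. Parameter names in prototypes are documentation only, so the rename has no ABI effect.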
@@ -21,7 +38,57 @@ index aac1974..3dfa279 100644
  	return 0;
  }
  
-@@ -1307,29 +1301,12 @@ static int semanage_direct_enable(semanage_handle_t * sh, char *module_name)
+@@ -695,7 +689,8 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ 
+ 	/* Declare some variables */
+ 	int modified = 0, fcontexts_modified, ports_modified,
+-	    seusers_modified, users_extra_modified, dontaudit_modified;
++	    seusers_modified, users_extra_modified, dontaudit_modified,
++	    preserve_tunables_modified;
+ 	dbase_config_t *users = semanage_user_dbase_local(sh);
+ 	dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
+ 	dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
+@@ -737,6 +732,31 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ 		}
+ 	}
+ 
++	/* Create or remove the preserve_tunables flag file. */
++	path = semanage_path(SEMANAGE_TMP, SEMANAGE_PRESERVE_TUNABLES);
++	if (access(path, F_OK) == 0)
++		preserve_tunables_modified = !(sepol_get_preserve_tunables(sh->sepolh) == 1);
++	else
++		preserve_tunables_modified = (sepol_get_preserve_tunables(sh->sepolh) == 1);
++	if (sepol_get_preserve_tunables(sh->sepolh) == 1) {
++		FILE *touch;
++		touch = fopen(path, "w");
++		if (touch != NULL) {
++			if (fclose(touch) != 0) {
++				ERR(sh, "Error attempting to create preserve_tunable flag.");
++				goto cleanup;
++			}
++		} else {
++			ERR(sh, "Error attempting to create preserve_tunable flag.");
++			goto cleanup;
++		}
++	} else {
++		if (remove(path) == -1 && errno != ENOENT) {
++			ERR(sh, "Error removing the preserve_tunables flag.");
++			goto cleanup;
++		}
++	}
++
+ 	/* Before we do anything else, flush the join to its component parts.
+ 	 * This *does not* flush to disk automatically */
+ 	if (users->dtable->is_modified(users->dbase)) {
+@@ -759,6 +779,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ 	modified |= ifaces->dtable->is_modified(ifaces->dbase);
+ 	modified |= nodes->dtable->is_modified(nodes->dbase);
+ 	modified |= dontaudit_modified;
++	modified |= preserve_tunables_modified;
+ 
+ 	/* If there were policy changes, or explicitly requested, rebuild the policy */
+ 	if (sh->do_rebuild || modified) {
+@@ -1307,29 +1328,12 @@ static int semanage_direct_enable(semanage_handle_t * sh, char *module_name)
  		base++;
  		if (memcmp(module_name, base, name_len) == 0) {
  
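Review bot: In the new flag-file block, `access(path, F_OK)` is used as a plain present/absent test, so when it fails for any reason other than ENOENT (EACCES on the sandbox directory, say) the flag is recorded as absent and `preserve_tunables_modified` is derived from the wrong state; the following `fopen`/`remove` will usually still report an ERR, so the practical effect is mostly on whether a rebuild is triggered. `sepol_get_preserve_tunables(sh->sepolh)` is also evaluated three times in the same block; evaluating it once, `int preserve = (sepol_get_preserve_tunables(sh->sepolh) == 1);`, and using `preserve` in the two assignments and the `if` keeps the modified/create decisions consistent. The two error strings on the create paths say `preserve_tunable flag` whereas the remove path says `preserve_tunables flag`; the create messages should read `"Error attempting to create preserve_tunables flag."` so the log text matches the store file name. The block appears to mirror the existing disable_dontaudit handling, which is not in this hunk, and semanage_direct_commit starts and ends outside the hunk, so the value returned on the new `goto cleanup` paths cannot be confirmed here and is worth checking.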
@@ -53,7 +120,7 @@ index aac1974..3dfa279 100644
  			goto cleanup;
  		}
  	}
-@@ -1363,28 +1340,14 @@ static int semanage_direct_disable(semanage_handle_t * sh, char *module_name)
+@@ -1363,28 +1367,14 @@ static int semanage_direct_disable(semanage_handle_t * sh, char *module_name)
  			goto cleanup;
  		}
  		base++;
@@ -87,7 +154,7 @@ index aac1974..3dfa279 100644
  		}
  	}
  	ERR(sh, "Module %s was not found.", module_name);
-@@ -1418,6 +1381,7 @@ static int semanage_direct_remove(semanage_handle_t * sh, char *module_name)
+@@ -1418,6 +1408,7 @@ static int semanage_direct_remove(semanage_handle_t * sh, char *module_name)
  		}
  		base++;
  		if (memcmp(module_name, base, name_len) == 0) {
@@ -117,8 +184,43 @@ index 847d87e..2870fa8 100644
  		if (push_user_entry(&head, name, seuname,
  				    prefix, pwent->pw_dir, level) != STATUS_SUCCESS) {
  			*errors = STATUS_ERR;
+diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
+index 647f0ee..7adc1cc 100644
+--- a/libsemanage/src/handle.c
++++ b/libsemanage/src/handle.c
+@@ -261,6 +261,19 @@ void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudi
+ 	return;
+ }
+ 
++int semanage_get_preserve_tunables(semanage_handle_t * sh)
++{
++	assert(sh != NULL);
++	return sepol_get_preserve_tunables(sh->sepolh);
++}
++
++void semanage_set_preserve_tunables(semanage_handle_t * sh,
++				    int preserve_tunables)
++{
++	assert(sh != NULL);
++	sepol_set_preserve_tunables(sh->sepolh, preserve_tunables);
++}
++
+ void semanage_set_check_contexts(semanage_handle_t * sh, int do_check_contexts)
+ {
+ 
+diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
+index 3222e3d..2827abe 100644
+--- a/libsemanage/src/libsemanage.map
++++ b/libsemanage/src/libsemanage.map
+@@ -22,5 +22,6 @@ LIBSEMANAGE_1.0 {
+ 	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
+ 	  semanage_mls_enabled;
+ 	  semanage_set_check_contexts;
++	  semanage_get_preserve_tunables; semanage_set_preserve_tunables;
+   local: *;
+ };
 diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
-index 8d6ff1c..37b0c7a 100644
+index 8d6ff1c..e322992 100644
 --- a/libsemanage/src/semanage_store.c
 +++ b/libsemanage/src/semanage_store.c
 @@ -57,7 +57,7 @@ typedef struct dbase_policydb dbase_t;
@@ -130,7 +232,15 @@ index 8d6ff1c..37b0c7a 100644
  
  #define SEMANAGE_CONF_FILE "semanage.conf"
  /* relative path names to enum semanage_paths to special files and
-@@ -425,6 +425,13 @@ int semanage_store_access_check(void)
+@@ -117,6 +117,7 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
+ 	"/netfilter_contexts",
+ 	"/file_contexts.homedirs",
+ 	"/disable_dontaudit",
++	"/preserve_tunables",
+ };
+ 
+ /* A node used in a linked list of file contexts; used for sorting.
+@@ -425,6 +426,13 @@ int semanage_store_access_check(void)
  
  /********************* other I/O functions *********************/
  
@@ -144,7 +254,7 @@ index 8d6ff1c..37b0c7a 100644
  /* Callback used by scandir() to select files. */
  static int semanage_filename_select(const struct dirent *d)
  {
-@@ -435,11 +442,41 @@ static int semanage_filename_select(const struct dirent *d)
+@@ -435,11 +443,41 @@ static int semanage_filename_select(const struct dirent *d)
  	return 1;
  }
  
@@ -188,7 +298,7 @@ index 8d6ff1c..37b0c7a 100644
  static int semanage_modulename_select(const struct dirent *d)
  {
  	if (d->d_name[0] == '.'
-@@ -447,7 +484,7 @@ static int semanage_modulename_select(const struct dirent *d)
+@@ -447,7 +485,7 @@ static int semanage_modulename_select(const struct dirent *d)
  		|| (d->d_name[1] == '.' && d->d_name[2] == '\0')))
  		return 0;
  
@@ -197,7 +307,7 @@ index 8d6ff1c..37b0c7a 100644
  }
  
  /* Copies a file from src to dst.  If dst already exists then
-@@ -684,7 +721,7 @@ int semanage_get_modules_names(semanage_handle_t * sh, char ***filenames,
+@@ -684,7 +722,7 @@ int semanage_get_modules_names(semanage_handle_t * sh, char ***filenames,
  			       int *len)
  {
  	return semanage_get_modules_names_filter(sh, filenames,
@@ -206,7 +316,7 @@ index 8d6ff1c..37b0c7a 100644
  }
  
  /* Scans the modules directory for the current semanage handler.  This
-@@ -697,8 +734,25 @@ int semanage_get_modules_names(semanage_handle_t * sh, char ***filenames,
+@@ -697,8 +735,25 @@ int semanage_get_modules_names(semanage_handle_t * sh, char ***filenames,
  int semanage_get_active_modules_names(semanage_handle_t * sh, char ***filenames,
  			       int *len)
  {
@@ -235,10 +345,18 @@ index 8d6ff1c..37b0c7a 100644
  
  /******************* routines that run external programs *******************/
 diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
-index a0b2dd8..e980cdc 100644
+index a0b2dd8..b451308 100644
 --- a/libsemanage/src/semanage_store.h
 +++ b/libsemanage/src/semanage_store.h
-@@ -85,6 +85,8 @@ int semanage_get_modules_names(semanage_handle_t * sh,
+@@ -59,6 +59,7 @@ enum semanage_sandbox_defs {
+ 	SEMANAGE_NC,
+ 	SEMANAGE_FC_HOMEDIRS,
+ 	SEMANAGE_DISABLE_DONTAUDIT,
++	SEMANAGE_PRESERVE_TUNABLES,
+ 	SEMANAGE_STORE_NUM_PATHS
+ };
+ 
+@@ -85,6 +86,8 @@ int semanage_get_modules_names(semanage_handle_t * sh,
  			       char ***filenames, int *len);
  
  int semanage_module_enabled(const char *file);
@@ -247,7 +365,7 @@ index a0b2dd8..e980cdc 100644
  /* lock file routines */
  int semanage_get_trans_lock(semanage_handle_t * sh);
  int semanage_get_active_lock(semanage_handle_t * sh);
-@@ -129,6 +131,4 @@ int semanage_nc_sort(semanage_handle_t * sh,
+@@ -129,6 +132,4 @@ int semanage_nc_sort(semanage_handle_t * sh,
  		     size_t buf_len,
  		     char **sorted_buf, size_t * sorted_buf_len);
  
diff --git a/libsemanage.spec b/libsemanage.spec
index 1be62b6..273afcc 100644
--- a/libsemanage.spec
+++ b/libsemanage.spec
@@ -10,7 +10,7 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsemanage
 Version: 2.1.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 Source: libsemanage-%{version}.tgz
@@ -179,6 +179,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif # if with_python3
 
 %changelog
+* Wed Sep 14 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.3-2
+- Add support for preserving tunables
+
 * Tue Aug 30 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.3-1
 -Update to upstream
 	* python wrapper makefile changes