diff --git libsemanage-2.6/src/Makefile libsemanage-2.6/src/Makefile index 68aab72..ccaa29d 100644 --- libsemanage-2.6/src/Makefile +++ libsemanage-2.6/src/Makefile @@ -2,7 +2,7 @@ # runtimes (e.g. Python 2 vs Python 3) by optionally prefixing the build # targets with "PYPREFIX": PYTHON ?= python -PYPREFIX ?= $(notdir $(PYTHON)) +PYPREFIX ?= $(shell $(PYTHON) -c 'import sys;print("python%d" % sys.version_info[0])') RUBY ?= ruby RUBYPREFIX ?= $(notdir $(RUBY)) PKG_CONFIG ?= pkg-config diff --git libsemanage-2.6/src/direct_api.c libsemanage-2.6/src/direct_api.c index e5c72cd..9c3149b 100644 --- libsemanage-2.6/src/direct_api.c +++ libsemanage-2.6/src/direct_api.c @@ -146,9 +146,6 @@ int semanage_direct_connect(semanage_handle_t * sh) if (semanage_create_store(sh, 1)) goto err; - if (semanage_access_check(sh) < SEMANAGE_CAN_READ) - goto err; - sh->u.direct.translock_file_fd = -1; sh->u.direct.activelock_file_fd = -1; @@ -345,10 +342,6 @@ static int semanage_direct_disconnect(semanage_handle_t * sh) static int semanage_direct_begintrans(semanage_handle_t * sh) { - - if (semanage_access_check(sh) != SEMANAGE_CAN_WRITE) { - return -1; - } if (semanage_get_trans_lock(sh) < 0) { return -1; } @@ -617,13 +610,33 @@ static int semanage_direct_update_user_extra(semanage_handle_t * sh, cil_db_t *c } if (size > 0) { + /* + * Write the users_extra entries from CIL modules. + * This file is used as our baseline when we do not require + * re-linking. + */ + ofilename = semanage_path(SEMANAGE_TMP, + SEMANAGE_USERS_EXTRA_LINKED); + if (ofilename == NULL) { + retval = -1; + goto cleanup; + } + retval = write_file(sh, ofilename, data, size); + if (retval < 0) + goto cleanup; + + /* + * Write the users_extra file; users_extra.local + * will be merged into this file. + */ ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA); if (ofilename == NULL) { - return retval; + retval = -1; + goto cleanup; } retval = write_file(sh, ofilename, data, size); if (retval < 0) - return retval; + goto cleanup; pusers_extra->dtable->drop_cache(pusers_extra->dbase); @@ -652,11 +665,33 @@ static int semanage_direct_update_seuser(semanage_handle_t * sh, cil_db_t *cildb } if (size > 0) { + /* + * Write the seusers entries from CIL modules. + * This file is used as our baseline when we do not require + * re-linking. + */ + ofilename = semanage_path(SEMANAGE_TMP, + SEMANAGE_SEUSERS_LINKED); + if (ofilename == NULL) { + retval = -1; + goto cleanup; + } + retval = write_file(sh, ofilename, data, size); + if (retval < 0) + goto cleanup; + + /* + * Write the seusers file; seusers.local will be merged into + * this file. + */ ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS); if (ofilename == NULL) { - return -1; + retval = -1; + goto cleanup; } retval = write_file(sh, ofilename, data, size); + if (retval < 0) + goto cleanup; pseusers->dtable->drop_cache(pseusers->dbase); } else { @@ -1095,21 +1130,18 @@ static int semanage_direct_commit(semanage_handle_t * sh) size_t fc_buffer_len = 0; const char *ofilename = NULL; const char *path; - int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0, - missing_seusers = 0, missing_fc = 0, missing = 0; + int retval = -1, num_modinfos = 0, i; sepol_policydb_t *out = NULL; struct cil_db *cildb = NULL; semanage_module_info_t *modinfos = NULL; - /* Declare some variables */ - int modified = 0, fcontexts_modified, ports_modified, - seusers_modified, users_extra_modified, dontaudit_modified, - preserve_tunables_modified, bools_modified = 0, + int do_rebuild, do_write_kernel, do_install; + int fcontexts_modified, ports_modified, seusers_modified, disable_dontaudit, preserve_tunables; dbase_config_t *users = semanage_user_dbase_local(sh); dbase_config_t *users_base = semanage_user_base_dbase_local(sh); dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh); - dbase_config_t *users_extra = semanage_user_extra_dbase_local(sh); + dbase_config_t *pusers_extra = semanage_user_extra_dbase_policy(sh); dbase_config_t *ports = semanage_port_dbase_local(sh); dbase_config_t *pports = semanage_port_dbase_policy(sh); dbase_config_t *bools = semanage_bool_dbase_local(sh); @@ -1121,13 +1153,22 @@ static int semanage_direct_commit(semanage_handle_t * sh) dbase_config_t *fcontexts = semanage_fcontext_dbase_local(sh); dbase_config_t *pfcontexts = semanage_fcontext_dbase_policy(sh); dbase_config_t *seusers = semanage_seuser_dbase_local(sh); + dbase_config_t *pseusers = semanage_seuser_dbase_policy(sh); + + /* Modified flags that we need to use more than once. */ + ports_modified = ports->dtable->is_modified(ports->dbase); + seusers_modified = seusers->dtable->is_modified(seusers->dbase); + fcontexts_modified = fcontexts->dtable->is_modified(fcontexts->dbase); + + /* Rebuild if explicitly requested or any module changes occurred. */ + do_rebuild = sh->do_rebuild | sh->modules_modified; /* Create or remove the disable_dontaudit flag file. */ path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT); if (access(path, F_OK) == 0) - dontaudit_modified = !(sepol_get_disable_dontaudit(sh->sepolh) == 1); + do_rebuild |= !(sepol_get_disable_dontaudit(sh->sepolh) == 1); else - dontaudit_modified = (sepol_get_disable_dontaudit(sh->sepolh) == 1); + do_rebuild |= (sepol_get_disable_dontaudit(sh->sepolh) == 1); if (sepol_get_disable_dontaudit(sh->sepolh) == 1) { FILE *touch; touch = fopen(path, "w"); @@ -1150,9 +1191,9 @@ static int semanage_direct_commit(semanage_handle_t * sh) /* Create or remove the preserve_tunables flag file. */ path = semanage_path(SEMANAGE_TMP, SEMANAGE_PRESERVE_TUNABLES); if (access(path, F_OK) == 0) - preserve_tunables_modified = !(sepol_get_preserve_tunables(sh->sepolh) == 1); + do_rebuild |= !(sepol_get_preserve_tunables(sh->sepolh) == 1); else - preserve_tunables_modified = (sepol_get_preserve_tunables(sh->sepolh) == 1); + do_rebuild |= (sepol_get_preserve_tunables(sh->sepolh) == 1); if (sepol_get_preserve_tunables(sh->sepolh) == 1) { FILE *touch; touch = fopen(path, "w"); @@ -1180,54 +1221,75 @@ static int semanage_direct_commit(semanage_handle_t * sh) goto cleanup; } - /* Decide if anything was modified */ - fcontexts_modified = fcontexts->dtable->is_modified(fcontexts->dbase); - seusers_modified = seusers->dtable->is_modified(seusers->dbase); - users_extra_modified = - users_extra->dtable->is_modified(users_extra->dbase); - ports_modified = ports->dtable->is_modified(ports->dbase); - bools_modified = bools->dtable->is_modified(bools->dbase); - - modified = sh->modules_modified; - modified |= seusers_modified; - modified |= users_extra_modified; - modified |= ports_modified; - modified |= users->dtable->is_modified(users_base->dbase); - modified |= ifaces->dtable->is_modified(ifaces->dbase); - modified |= nodes->dtable->is_modified(nodes->dbase); - modified |= dontaudit_modified; - modified |= preserve_tunables_modified; - - /* This is for systems that have already migrated with an older version - * of semanage_migrate_store. The older version did not copy policy.kern so - * the policy binary must be rebuilt here. + /* + * This is for systems that have already migrated with an older version + * of semanage_migrate_store. The older version did not copy + * policy.kern so the policy binary must be rebuilt here. + * This also ensures that any linked files that are required + * in order to skip re-linking are present; otherwise, we force + * a rebuild. */ - if (!sh->do_rebuild && !modified) { + if (!do_rebuild) { path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL); - if (access(path, F_OK) != 0) { - missing_policy_kern = 1; + do_rebuild = 1; + goto rebuild; } path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC); - if (access(path, F_OK) != 0) { - missing_fc = 1; + do_rebuild = 1; + goto rebuild; } path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS); + if (access(path, F_OK) != 0) { + do_rebuild = 1; + goto rebuild; + } + path = semanage_path(SEMANAGE_TMP, SEMANAGE_LINKED); if (access(path, F_OK) != 0) { - missing_seusers = 1; + do_rebuild = 1; + goto rebuild; } - } - missing |= missing_policy_kern; - missing |= missing_fc; - missing |= missing_seusers; + path = semanage_path(SEMANAGE_TMP, SEMANAGE_SEUSERS_LINKED); + if (access(path, F_OK) != 0) { + do_rebuild = 1; + goto rebuild; + } + + path = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA_LINKED); + if (access(path, F_OK) != 0) { + do_rebuild = 1; + goto rebuild; + } + } - /* If there were policy changes, or explicitly requested, rebuild the policy */ - if (sh->do_rebuild || modified || missing) { +rebuild: + /* + * Now that we know whether or not a rebuild is required, + * we can determine what else needs to be done. + * We need to write the kernel policy if we are rebuilding + * or if any other policy component that lives in the kernel + * policy has been modified. + * We need to install the policy files if any of the managed files + * that live under /etc/selinux (kernel policy, seusers, file contexts) + * will be modified. + */ + do_write_kernel = do_rebuild | ports_modified | + bools->dtable->is_modified(bools->dbase) | + ifaces->dtable->is_modified(ifaces->dbase) | + nodes->dtable->is_modified(nodes->dbase) | + users->dtable->is_modified(users_base->dbase); + do_install = do_write_kernel | seusers_modified | fcontexts_modified; + + /* + * If there were policy changes, or explicitly requested, or + * any required files are missing, rebuild the policy. + */ + if (do_rebuild) { /* =================== Module expansion =============== */ retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos); @@ -1316,43 +1378,72 @@ static int semanage_direct_commit(semanage_handle_t * sh) goto cleanup; cil_db_destroy(&cildb); - + + /* Write the linked policy before merging local changes. */ + retval = semanage_write_policydb(sh, out, + SEMANAGE_LINKED); + if (retval < 0) + goto cleanup; } else { - /* Load already linked policy */ + /* Load the existing linked policy, w/o local changes */ retval = sepol_policydb_create(&out); if (retval < 0) goto cleanup; - retval = semanage_read_policydb(sh, out); + retval = semanage_read_policydb(sh, out, SEMANAGE_LINKED); if (retval < 0) goto cleanup; - } - if (sh->do_rebuild || modified || bools_modified) { - /* Attach to policy databases that work with a policydb. */ - dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase, out); - dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out); - dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out); - dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out); - dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out); + path = semanage_path(SEMANAGE_TMP, SEMANAGE_SEUSERS_LINKED); + if (access(path, F_OK) == 0) { + retval = semanage_copy_file(path, + semanage_path(SEMANAGE_TMP, + SEMANAGE_STORE_SEUSERS), + sh->conf->file_mode); + if (retval < 0) + goto cleanup; + pseusers->dtable->drop_cache(pseusers->dbase); + } else { + pseusers->dtable->clear(sh, pseusers->dbase); + } + + path = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA_LINKED); + if (access(path, F_OK) == 0) { + retval = semanage_copy_file(path, + semanage_path(SEMANAGE_TMP, + SEMANAGE_USERS_EXTRA), + sh->conf->file_mode); + if (retval < 0) + goto cleanup; + pusers_extra->dtable->drop_cache(pusers_extra->dbase); + } else { + pusers_extra->dtable->clear(sh, pusers_extra->dbase); + } + } - /* ============= Apply changes, and verify =============== */ + /* Attach our databases to the policydb we just created or loaded. */ + dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase, out); + dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out); + dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out); + dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out); + dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out); - retval = semanage_base_merge_components(sh); - if (retval < 0) - goto cleanup; + /* Merge local changes */ + retval = semanage_base_merge_components(sh); + if (retval < 0) + goto cleanup; - retval = semanage_write_policydb(sh, out); + if (do_write_kernel) { + /* Write new kernel policy. */ + retval = semanage_write_policydb(sh, out, + SEMANAGE_STORE_KERNEL); if (retval < 0) goto cleanup; + /* Run the kernel policy verifier, if any. */ retval = semanage_verify_kernel(sh); if (retval < 0) goto cleanup; - } else { - retval = semanage_base_merge_components(sh); - if (retval < 0) - goto cleanup; } /* ======= Post-process: Validate non-policydb components ===== */ @@ -1361,21 +1452,21 @@ static int semanage_direct_commit(semanage_handle_t * sh) * Note: those are still cached, even though they've been * merged into the main file_contexts. We won't check the * large file_contexts - checked at compile time */ - if (sh->do_rebuild || modified || fcontexts_modified) { + if (do_rebuild || fcontexts_modified) { retval = semanage_fcontext_validate_local(sh, out); if (retval < 0) goto cleanup; } /* Validate local seusers against policy */ - if (sh->do_rebuild || modified || seusers_modified) { + if (do_rebuild || seusers_modified) { retval = semanage_seuser_validate_local(sh, out); if (retval < 0) goto cleanup; } /* Validate local ports for overlap */ - if (sh->do_rebuild || modified || ports_modified) { + if (do_rebuild || ports_modified) { retval = semanage_port_validate_local(sh); if (retval < 0) goto cleanup; @@ -1396,33 +1487,27 @@ static int semanage_direct_commit(semanage_handle_t * sh) } path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL); - if (access(path, F_OK) == 0) { - retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL), - semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL), - sh->conf->file_mode); - if (retval < 0) { - goto cleanup; - } + retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL), + semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL), + sh->conf->file_mode); + if (retval < 0 && errno != ENOENT) { + goto cleanup; } path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC); - if (access(path, F_OK) == 0) { - retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC), - semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC), - sh->conf->file_mode); - if (retval < 0) { - goto cleanup; - } + retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC), + semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC), + sh->conf->file_mode); + if (retval < 0 && errno != ENOENT) { + goto cleanup; } path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS); - if (access(path, F_OK) == 0) { - retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS), - semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS), - sh->conf->file_mode); - if (retval < 0) { - goto cleanup; - } + retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS), + semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS), + sh->conf->file_mode); + if (retval < 0 && errno != ENOENT) { + goto cleanup; } /* run genhomedircon if its enabled, this should be the last operation @@ -1444,9 +1529,8 @@ static int semanage_direct_commit(semanage_handle_t * sh) sepol_policydb_free(out); out = NULL; - if (sh->do_rebuild || modified || bools_modified || fcontexts_modified) { + if (do_install) retval = semanage_install_sandbox(sh); - } cleanup: for (i = 0; i < num_modinfos; i++) { @@ -1458,14 +1542,12 @@ cleanup: free(mod_filenames[i]); } - if (modified || bools_modified) { - /* Detach from policydb, so it can be freed */ - dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase); - dbase_policydb_detach((dbase_policydb_t *) pports->dbase); - dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase); - dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase); - dbase_policydb_detach((dbase_policydb_t *) pbools->dbase); - } + /* Detach from policydb, so it can be freed */ + dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase); + dbase_policydb_detach((dbase_policydb_t *) pports->dbase); + dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase); + dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase); + dbase_policydb_detach((dbase_policydb_t *) pbools->dbase); free(mod_filenames); sepol_policydb_free(out); @@ -1981,7 +2063,7 @@ int semanage_direct_mls_enabled(semanage_handle_t * sh) if (retval < 0) goto cleanup; - retval = semanage_read_policydb(sh, p); + retval = semanage_read_policydb(sh, p, SEMANAGE_STORE_KERNEL); if (retval < 0) goto cleanup; diff --git libsemanage-2.6/src/semanage_store.c libsemanage-2.6/src/semanage_store.c index ca29257..4b87d67 100644 --- libsemanage-2.6/src/semanage_store.c +++ libsemanage-2.6/src/semanage_store.c @@ -95,7 +95,7 @@ static const char *semanage_store_paths[SEMANAGE_NUM_STORES] = { static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = { "", "/modules", - "/base.linked", + "/policy.linked", "/homedir_template", "/file_contexts.template", "/commit_num", @@ -104,8 +104,10 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = { "/nodes.local", "/booleans.local", "/seusers.local", + "/seusers.linked", "/users.local", "/users_extra.local", + "/users_extra.linked", "/users_extra", "/disable_dontaudit", "/preserve_tunables", @@ -533,7 +535,6 @@ char *semanage_conf_path(void) int semanage_create_store(semanage_handle_t * sh, int create) { struct stat sb; - int mode_mask = R_OK | W_OK | X_OK; const char *path = semanage_files[SEMANAGE_ROOT]; int fd; @@ -552,9 +553,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) return -1; } } else { - if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) { + if (!S_ISDIR(sb.st_mode)) { ERR(sh, - "Could not access module store at %s, or it is not a directory.", + "Module store at %s is not a directory.", path); return -1; } @@ -575,9 +576,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) return -1; } } else { - if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) { + if (!S_ISDIR(sb.st_mode)) { ERR(sh, - "Could not access module store active subdirectory at %s, or it is not a directory.", + "Module store active subdirectory at %s is not a directory.", path); return -1; } @@ -598,9 +599,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) return -1; } } else { - if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) { + if (!S_ISDIR(sb.st_mode)) { ERR(sh, - "Could not access module store active modules subdirectory at %s, or it is not a directory.", + "Module store active modules subdirectory at %s is not a directory.", path); return -1; } @@ -619,8 +620,8 @@ int semanage_create_store(semanage_handle_t * sh, int create) return -1; } } else { - if (!S_ISREG(sb.st_mode) || access(path, R_OK | W_OK) == -1) { - ERR(sh, "Could not access lock file at %s.", path); + if (!S_ISREG(sb.st_mode)) { + ERR(sh, "Lock file at %s missing.", path); return -1; } } @@ -1158,7 +1159,7 @@ cleanup: free(all_modinfos); if (status != 0) { - for (i = 0; i < j; j++) { + for (i = 0; i < j; i++) { semanage_module_info_destroy(sh, &(*modinfo)[i]); } free(*modinfo); @@ -2037,9 +2038,10 @@ int semanage_load_files(semanage_handle_t * sh, cil_db_t *cildb, char **filename */ /** - * Read the policy from the sandbox (kernel) + * Read the policy from the sandbox (linked or kernel) */ -int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in) +int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in, + enum semanage_sandbox_defs file) { int retval = STATUS_ERR; @@ -2048,7 +2050,7 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in) FILE *infile = NULL; if ((kernel_filename = - semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL)) == NULL) { + semanage_path(SEMANAGE_ACTIVE, file)) == NULL) { goto cleanup; } if ((infile = fopen(kernel_filename, "r")) == NULL) { @@ -2078,9 +2080,10 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in) return retval; } /** - * Writes the final policy to the sandbox (kernel) + * Writes the policy to the sandbox (linked or kernel) */ -int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out) +int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out, + enum semanage_sandbox_defs file) { int retval = STATUS_ERR; @@ -2089,7 +2092,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out) FILE *outfile = NULL; if ((kernel_filename = - semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL)) == NULL) { + semanage_path(SEMANAGE_TMP, file)) == NULL) { goto cleanup; } if ((outfile = fopen(kernel_filename, "wb")) == NULL) { diff --git libsemanage-2.6/src/semanage_store.h libsemanage-2.6/src/semanage_store.h index c5b33c8..0b96fbe 100644 --- libsemanage-2.6/src/semanage_store.h +++ libsemanage-2.6/src/semanage_store.h @@ -49,8 +49,10 @@ enum semanage_sandbox_defs { SEMANAGE_NODES_LOCAL, SEMANAGE_BOOLEANS_LOCAL, SEMANAGE_SEUSERS_LOCAL, + SEMANAGE_SEUSERS_LINKED, SEMANAGE_USERS_BASE_LOCAL, SEMANAGE_USERS_EXTRA_LOCAL, + SEMANAGE_USERS_EXTRA_LINKED, SEMANAGE_USERS_EXTRA, SEMANAGE_DISABLE_DONTAUDIT, SEMANAGE_PRESERVE_TUNABLES, @@ -129,10 +131,12 @@ int semanage_load_files(semanage_handle_t * sh, cil_db_t *cildb, char **filenames, int num_modules); int semanage_read_policydb(semanage_handle_t * sh, - sepol_policydb_t * policydb); + sepol_policydb_t * policydb, + enum semanage_sandbox_defs file); int semanage_write_policydb(semanage_handle_t * sh, - sepol_policydb_t * policydb); + sepol_policydb_t * policydb, + enum semanage_sandbox_defs file); int semanage_install_sandbox(semanage_handle_t * sh); diff --git libsemanage-2.6/src/seuser_record.c libsemanage-2.6/src/seuser_record.c index 8823b1e..1ed4594 100644 --- libsemanage-2.6/src/seuser_record.c +++ libsemanage-2.6/src/seuser_record.c @@ -33,7 +33,7 @@ struct semanage_seuser { struct semanage_seuser_key { /* This user's name */ - const char *name; + char *name; }; int semanage_seuser_key_create(semanage_handle_t * handle, @@ -48,7 +48,12 @@ int semanage_seuser_key_create(semanage_handle_t * handle, ERR(handle, "out of memory, could not create seuser key"); return STATUS_ERR; } - tmp_key->name = name; + tmp_key->name = strdup(name); + if (!tmp_key->name) { + ERR(handle, "out of memory, could not create seuser key"); + free(tmp_key); + return STATUS_ERR; + } *key_ptr = tmp_key; return STATUS_SUCCESS; @@ -75,7 +80,7 @@ hidden_def(semanage_seuser_key_extract) void semanage_seuser_key_free(semanage_seuser_key_t * key) { - + free(key->name); free(key); }