diff --git libsemanage-2.7/include/Makefile libsemanage-2.7/include/Makefile index b660660..6e44a28 100644 --- libsemanage-2.7/include/Makefile +++ libsemanage-2.7/include/Makefile @@ -1,12 +1,12 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr +PREFIX ?= /usr INCDIR ?= $(PREFIX)/include/semanage all: install: all - test -d $(INCDIR) || install -m 755 -d $(INCDIR) - install -m 644 $(wildcard semanage/*.h) $(INCDIR) + test -d $(DESTDIR)$(INCDIR) || install -m 755 -d $(DESTDIR)$(INCDIR) + install -m 644 $(wildcard semanage/*.h) $(DESTDIR)$(INCDIR) indent: ../../scripts/Lindent $(wildcard semanage/*.h) diff --git libsemanage-2.7/include/semanage/fcontexts_policy.h libsemanage-2.7/include/semanage/fcontexts_policy.h index a50db2b..199a1e1 100644 --- libsemanage-2.7/include/semanage/fcontexts_policy.h +++ libsemanage-2.7/include/semanage/fcontexts_policy.h @@ -26,4 +26,8 @@ extern int semanage_fcontext_list(semanage_handle_t * handle, semanage_fcontext_t *** records, unsigned int *count); +extern int semanage_fcontext_list_homedirs(semanage_handle_t * handle, + semanage_fcontext_t *** records, + unsigned int *count); + #endif diff --git libsemanage-2.7/man/Makefile libsemanage-2.7/man/Makefile index 852043d..8667c9b 100644 --- libsemanage-2.7/man/Makefile +++ libsemanage-2.7/man/Makefile @@ -1,12 +1,13 @@ # Installation directories. -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 -MAN5DIR ?= $(DESTDIR)/usr/share/man/man5 +PREFIX ?= /usr +MAN3DIR ?= $(PREFIX)/share/man/man3 +MAN5DIR ?= $(PREFIX)/share/man/man5 all: install: all - mkdir -p $(MAN3DIR) - mkdir -p $(MAN5DIR) - install -m 644 man3/*.3 $(MAN3DIR) - install -m 644 man5/*.5 $(MAN5DIR) + mkdir -p $(DESTDIR)$(MAN3DIR) + mkdir -p $(DESTDIR)$(MAN5DIR) + install -m 644 man3/*.3 $(DESTDIR)$(MAN3DIR) + install -m 644 man5/*.5 $(DESTDIR)$(MAN5DIR) diff --git libsemanage-2.7/src/Makefile libsemanage-2.7/src/Makefile index fdb178f..e98d876 100644 --- libsemanage-2.7/src/Makefile +++ libsemanage-2.7/src/Makefile @@ -8,21 +8,18 @@ RUBYPREFIX ?= $(notdir $(RUBY)) PKG_CONFIG ?= pkg-config # Installation directories. -PREFIX ?= $(DESTDIR)/usr +PREFIX ?= /usr LIBDIR ?= $(PREFIX)/lib -SHLIBDIR ?= $(DESTDIR)/lib INCLUDEDIR ?= $(PREFIX)/include PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX)) -PYSITEDIR ?= $(DESTDIR)$(shell $(PYTHON) -c 'import site; print(site.getsitepackages()[0])') +PYSITEDIR ?= $(shell $(PYTHON) -c 'import site; print(site.getsitepackages()[0])') PYCEXT ?= $(shell $(PYTHON) -c 'import imp;print([s for s,m,t in imp.get_suffixes() if t == imp.C_EXTENSION][0])') RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]') RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]') -RUBYINSTALL ?= $(DESTDIR)$(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]') +RUBYINSTALL ?= $(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]') -LIBBASE=$(shell basename $(LIBDIR)) - -DEFAULT_SEMANAGE_CONF_LOCATION=$(DESTDIR)/etc/selinux/semanage.conf +DEFAULT_SEMANAGE_CONF_LOCATION=/etc/selinux/semanage.conf ifeq ($(DEBUG),1) export CFLAGS = -g3 -O0 -gdwarf-2 -fno-strict-aliasing -Wall -Wshadow -Werror @@ -95,7 +92,7 @@ $(LIBSO): $(LOBJS) ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION - sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ + sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ semanageswig_python_exception.i: ../include/semanage/semanage.h bash -e exception.sh > $@ || (rm -f $@ ; false) @@ -136,26 +133,26 @@ swigify: $(SWIGIF) $(SWIG) $< install: all - test -d $(LIBDIR) || install -m 755 -d $(LIBDIR) - install -m 644 $(LIBA) $(LIBDIR) - install -m 755 $(LIBSO) $(LIBDIR) - test -d $(LIBDIR)/pkgconfig || install -m 755 -d $(LIBDIR)/pkgconfig - install -m 644 $(LIBPC) $(LIBDIR)/pkgconfig - test -f $(DEFAULT_SEMANAGE_CONF_LOCATION) || install -m 644 -D semanage.conf $(DEFAULT_SEMANAGE_CONF_LOCATION) - cd $(LIBDIR) && ln -sf $(LIBSO) $(TARGET) + test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR) + install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR) + install -m 755 $(LIBSO) $(DESTDIR)$(LIBDIR) + test -d $(DESTDIR)$(LIBDIR)/pkgconfig || install -m 755 -d $(DESTDIR)$(LIBDIR)/pkgconfig + install -m 644 $(LIBPC) $(DESTDIR)$(LIBDIR)/pkgconfig + test -f $(DESTDIR)$(DEFAULT_SEMANAGE_CONF_LOCATION) || install -m 644 -D semanage.conf $(DESTDIR)$(DEFAULT_SEMANAGE_CONF_LOCATION) + cd $(DESTDIR)$(LIBDIR) && ln -sf $(LIBSO) $(TARGET) install-pywrap: pywrap - test -d $(PYSITEDIR) || install -m 755 -d $(PYSITEDIR) - install -m 755 $(SWIGSO) $(PYSITEDIR)/_semanage$(PYCEXT) - install -m 644 semanage.py $(PYSITEDIR) + test -d $(DESTDIR)$(PYSITEDIR) || install -m 755 -d $(DESTDIR)$(PYSITEDIR) + install -m 755 $(SWIGSO) $(DESTDIR)$(PYSITEDIR)/_semanage$(PYCEXT) + install -m 644 semanage.py $(DESTDIR)$(PYSITEDIR) install-rubywrap: rubywrap - test -d $(RUBYINSTALL) || install -m 755 -d $(RUBYINSTALL) - install -m 755 $(SWIGRUBYSO) $(RUBYINSTALL)/semanage.so + test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL) + install -m 755 $(SWIGRUBYSO) $(DESTDIR)$(RUBYINSTALL)/semanage.so relabel: - /sbin/restorecon $(LIBDIR)/$(LIBSO) + /sbin/restorecon $(DESTDIR)$(LIBDIR)/$(LIBSO) clean: -rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGSO) $(SWIGRUBYSO) $(TARGET) conf-parse.c conf-parse.h conf-scan.c *.o *.lo *~ diff --git libsemanage-2.7/src/database_file.c libsemanage-2.7/src/database_file.c index a21b3ee..a51269e 100644 --- libsemanage-2.7/src/database_file.c +++ libsemanage-2.7/src/database_file.c @@ -119,13 +119,16 @@ static int dbase_file_flush(semanage_handle_t * handle, dbase_file_t * dbase) cache_entry_t *ptr; const char *fname = NULL; FILE *str = NULL; + mode_t mask; if (!dbase_llist_is_modified(&dbase->llist)) return STATUS_SUCCESS; fname = dbase->path[handle->is_in_transaction]; + mask = umask(0077); str = fopen(fname, "w"); + umask(mask); if (!str) { ERR(handle, "could not open %s for writing: %s", fname, strerror(errno)); diff --git libsemanage-2.7/src/database_llist.c libsemanage-2.7/src/database_llist.c index 8ce2e2c..c8f4ff0 100644 --- libsemanage-2.7/src/database_llist.c +++ libsemanage-2.7/src/database_llist.c @@ -263,7 +263,7 @@ int dbase_llist_iterate(semanage_handle_t * handle, if (rc < 0) goto err; - else if (rc > 1) + else if (rc > 0) break; } diff --git libsemanage-2.7/src/direct_api.c libsemanage-2.7/src/direct_api.c index 65842df..92d7517 100644 --- libsemanage-2.7/src/direct_api.c +++ libsemanage-2.7/src/direct_api.c @@ -148,9 +148,6 @@ int semanage_direct_connect(semanage_handle_t * sh) if (semanage_create_store(sh, 1)) goto err; - if (semanage_access_check(sh) < SEMANAGE_CAN_READ) - goto err; - sh->u.direct.translock_file_fd = -1; sh->u.direct.activelock_file_fd = -1; @@ -210,6 +207,12 @@ int semanage_direct_connect(semanage_handle_t * sh) semanage_fcontext_dbase_local(sh)) < 0) goto err; + if (fcontext_file_dbase_init(sh, + semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC_HOMEDIRS), + semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS), + semanage_fcontext_dbase_homedirs(sh)) < 0) + goto err; + if (seuser_file_dbase_init(sh, semanage_path(SEMANAGE_ACTIVE, SEMANAGE_SEUSERS_LOCAL), @@ -317,25 +320,43 @@ static void semanage_direct_destroy(semanage_handle_t * sh /* do nothing */ } -static int semanage_direct_disconnect(semanage_handle_t * sh) +static int semanage_remove_tmps(semanage_handle_t *sh) { - /* destroy transaction */ - if (sh->is_in_transaction) { - /* destroy sandbox */ - if (semanage_remove_directory - (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) { + if (sh->commit_err) + return 0; + + /* destroy sandbox if it exists */ + if (semanage_remove_directory + (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) { + if (errno != ENOENT) { ERR(sh, "Could not cleanly remove sandbox %s.", semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)); return -1; } - if (semanage_remove_directory - (semanage_final_path(SEMANAGE_FINAL_TMP, - SEMANAGE_FINAL_TOPLEVEL)) < 0) { + } + + /* destroy tmp policy if it exists */ + if (semanage_remove_directory + (semanage_final_path(SEMANAGE_FINAL_TMP, + SEMANAGE_FINAL_TOPLEVEL)) < 0) { + if (errno != ENOENT) { ERR(sh, "Could not cleanly remove tmp %s.", semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FINAL_TOPLEVEL)); return -1; } + } + + return 0; +} + +static int semanage_direct_disconnect(semanage_handle_t *sh) +{ + int retval = 0; + + /* destroy transaction and remove tmp files if no commit error */ + if (sh->is_in_transaction) { + retval = semanage_remove_tmps(sh); semanage_release_trans_lock(sh); } @@ -349,6 +370,7 @@ static int semanage_direct_disconnect(semanage_handle_t * sh) iface_file_dbase_release(semanage_iface_dbase_local(sh)); bool_file_dbase_release(semanage_bool_dbase_local(sh)); fcontext_file_dbase_release(semanage_fcontext_dbase_local(sh)); + fcontext_file_dbase_release(semanage_fcontext_dbase_homedirs(sh)); seuser_file_dbase_release(semanage_seuser_dbase_local(sh)); node_file_dbase_release(semanage_node_dbase_local(sh)); @@ -368,15 +390,11 @@ static int semanage_direct_disconnect(semanage_handle_t * sh) /* Release object databases: active kernel policy */ bool_activedb_dbase_release(semanage_bool_dbase_active(sh)); - return 0; + return retval; } static int semanage_direct_begintrans(semanage_handle_t * sh) { - - if (semanage_access_check(sh) != SEMANAGE_CAN_WRITE) { - return -1; - } if (semanage_get_trans_lock(sh) < 0) { return -1; } @@ -1153,6 +1171,14 @@ cleanup: return status; } +/* Copies a file from src to dst. If dst already exists then + * overwrite it. If source doesn't exist then return success. + * Returns 0 on success, -1 on error. */ +static int copy_file_if_exists(const char *src, const char *dst, mode_t mode){ + int rc = semanage_copy_file(src, dst, mode); + return (rc < 0 && errno != ENOENT) ? rc : 0; +} + /********************* direct API functions ********************/ /* Commits all changes in sandbox to the actual kernel policy. @@ -1169,6 +1195,7 @@ static int semanage_direct_commit(semanage_handle_t * sh) sepol_policydb_t *out = NULL; struct cil_db *cildb = NULL; semanage_module_info_t *modinfos = NULL; + mode_t mask = umask(0077); int do_rebuild, do_write_kernel, do_install; int fcontexts_modified, ports_modified, seusers_modified, @@ -1544,44 +1571,44 @@ rebuild: goto cleanup; } - path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL); - if (access(path, F_OK) == 0) { - retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL), - semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL), - sh->conf->file_mode); - if (retval < 0) { - goto cleanup; - } + retval = copy_file_if_exists(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL), + semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL), + sh->conf->file_mode); + if (retval < 0) { + goto cleanup; } - path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC); - if (access(path, F_OK) == 0) { - retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC), - semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC), - sh->conf->file_mode); - if (retval < 0) { - goto cleanup; - } + retval = copy_file_if_exists(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC), + semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC), + sh->conf->file_mode); + if (retval < 0) { + goto cleanup; } - path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS); - if (access(path, F_OK) == 0) { - retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS), - semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS), - sh->conf->file_mode); - if (retval < 0) { - goto cleanup; - } + retval = copy_file_if_exists(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS), + semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS), + sh->conf->file_mode); + if (retval < 0) { + goto cleanup; } /* run genhomedircon if its enabled, this should be the last operation * which requires the out policydb */ if (!sh->conf->disable_genhomedircon) { - if (out && (retval = - semanage_genhomedircon(sh, out, sh->conf->usepasswd, sh->conf->ignoredirs)) != 0) { - ERR(sh, "semanage_genhomedircon returned error code %d.", - retval); - goto cleanup; + if (out){ + if ((retval = semanage_genhomedircon(sh, out, sh->conf->usepasswd, + sh->conf->ignoredirs)) != 0) { + ERR(sh, "semanage_genhomedircon returned error code %d.", retval); + goto cleanup; + } + /* file_contexts.homedirs was created in SEMANAGE_TMP store */ + retval = semanage_copy_file( + semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS), + semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS), + sh->conf->file_mode); + if (retval < 0) { + goto cleanup; + } } } else { WARN(sh, "WARNING: genhomedircon is disabled. \ @@ -1618,17 +1645,21 @@ cleanup: free(mod_filenames); sepol_policydb_free(out); cil_db_destroy(&cildb); - semanage_release_trans_lock(sh); free(fc_buffer); - /* regardless if the commit was successful or not, remove the - sandbox if it is still there */ - semanage_remove_directory(semanage_path - (SEMANAGE_TMP, SEMANAGE_TOPLEVEL)); - semanage_remove_directory(semanage_final_path - (SEMANAGE_FINAL_TMP, - SEMANAGE_FINAL_TOPLEVEL)); + /* Set commit_err so other functions can detect any errors. Note that + * retval > 0 will be the commit number. + */ + if (retval < 0) + sh->commit_err = retval; + + if (semanage_remove_tmps(sh) != 0) + retval = -1; + + semanage_release_trans_lock(sh); + umask(mask); + return retval; } @@ -2000,6 +2031,7 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh, const char *path = NULL; FILE *fp = NULL; semanage_module_info_t *modinfo = NULL; + mode_t mask; /* check transaction */ if (!sh->is_in_transaction) { @@ -2060,7 +2092,9 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh, switch (enabled) { case 0: /* disable the module */ + mask = umask(0077); fp = fopen(fn, "w"); + umask(mask); if (fp == NULL) { ERR(sh, @@ -2706,6 +2740,7 @@ static int semanage_direct_install_info(semanage_handle_t *sh, int type; char path[PATH_MAX]; + mode_t mask = umask(0077); semanage_module_info_t *higher_info = NULL; semanage_module_key_t higher_key; @@ -2754,7 +2789,7 @@ static int semanage_direct_install_info(semanage_handle_t *sh, if (higher_info->enabled == 0 && modinfo->enabled == -1) { errno = 0; WARN(sh, - "%s module will be disabled after install due to default enabled status.", + "%s module will be disabled after install as there is a disabled instance of this module present in the system.", modinfo->name); } } @@ -2817,6 +2852,7 @@ cleanup: semanage_module_key_destroy(sh, &higher_key); semanage_module_info_destroy(sh, higher_info); free(higher_info); + umask(mask); return status; } diff --git libsemanage-2.7/src/fcontexts_policy.c libsemanage-2.7/src/fcontexts_policy.c index 0b063b1..98490ab 100644 --- libsemanage-2.7/src/fcontexts_policy.c +++ libsemanage-2.7/src/fcontexts_policy.c @@ -51,3 +51,11 @@ int semanage_fcontext_list(semanage_handle_t * handle, dbase_config_t *dconfig = semanage_fcontext_dbase_policy(handle); return dbase_list(handle, dconfig, records, count); } + +int semanage_fcontext_list_homedirs(semanage_handle_t * handle, + semanage_fcontext_t *** records, unsigned int *count) +{ + + dbase_config_t *dconfig = semanage_fcontext_dbase_homedirs(handle); + return dbase_list(handle, dconfig, records, count); +} diff --git libsemanage-2.7/src/genhomedircon.c libsemanage-2.7/src/genhomedircon.c index b9a74b7..d09d82f 100644 --- libsemanage-2.7/src/genhomedircon.c +++ libsemanage-2.7/src/genhomedircon.c @@ -1345,8 +1345,8 @@ int semanage_genhomedircon(semanage_handle_t * sh, s.homedir_template_path = semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL); - s.fcfilepath = semanage_final_path(SEMANAGE_FINAL_TMP, - SEMANAGE_FC_HOMEDIRS); + s.fcfilepath = + semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS); s.fallback = calloc(1, sizeof(genhomedircon_user_entry_t)); if (s.fallback == NULL) { @@ -1385,7 +1385,9 @@ done: if (out != NULL) fclose(out); - pop_user_entry(&(s.fallback)); + while (s.fallback) + pop_user_entry(&(s.fallback)); + ignore_free(); return retval; diff --git libsemanage-2.7/src/handle.c libsemanage-2.7/src/handle.c index 4ce1df0..a6567bd 100644 --- libsemanage-2.7/src/handle.c +++ libsemanage-2.7/src/handle.c @@ -86,6 +86,8 @@ semanage_handle_t *semanage_handle_create(void) * If any changes are made, this flag is ignored */ sh->do_rebuild = 0; + sh->commit_err = 0; + /* By default always reload policy after commit if SELinux is enabled. */ sh->do_reload = (is_selinux_enabled() > 0); diff --git libsemanage-2.7/src/handle.h libsemanage-2.7/src/handle.h index 889871d..a91907b 100644 --- libsemanage-2.7/src/handle.h +++ libsemanage-2.7/src/handle.h @@ -62,6 +62,10 @@ struct semanage_handle { int is_in_transaction; int do_reload; /* whether to reload policy after commit */ int do_rebuild; /* whether to rebuild policy if there were no changes */ + int commit_err; /* set by semanage_direct_commit() if there are + * any errors when building or committing the + * sandbox to kernel policy at /etc/selinux + */ int modules_modified; int create_store; /* whether to create the store if it does not exist * this will only have an effect on direct connections */ @@ -79,7 +83,7 @@ struct semanage_handle { struct semanage_policy_table *funcs; /* Object databases */ -#define DBASE_COUNT 23 +#define DBASE_COUNT 24 /* Local modifications */ #define DBASE_LOCAL_USERS_BASE 0 @@ -102,13 +106,14 @@ struct semanage_handle { #define DBASE_POLICY_INTERFACES 15 #define DBASE_POLICY_BOOLEANS 16 #define DBASE_POLICY_FCONTEXTS 17 -#define DBASE_POLICY_SEUSERS 18 -#define DBASE_POLICY_NODES 19 -#define DBASE_POLICY_IBPKEYS 20 -#define DBASE_POLICY_IBENDPORTS 21 +#define DBASE_POLICY_FCONTEXTS_H 18 +#define DBASE_POLICY_SEUSERS 19 +#define DBASE_POLICY_NODES 20 +#define DBASE_POLICY_IBPKEYS 21 +#define DBASE_POLICY_IBENDPORTS 22 /* Active kernel policy */ -#define DBASE_ACTIVE_BOOLEANS 22 +#define DBASE_ACTIVE_BOOLEANS 23 dbase_config_t dbase[DBASE_COUNT]; }; @@ -235,6 +240,12 @@ static inline return &handle->dbase[DBASE_POLICY_FCONTEXTS]; } +static inline + dbase_config_t * semanage_fcontext_dbase_homedirs(semanage_handle_t * handle) +{ + return &handle->dbase[DBASE_POLICY_FCONTEXTS_H]; +} + static inline dbase_config_t * semanage_seuser_dbase_policy(semanage_handle_t * handle) { diff --git libsemanage-2.7/src/libsemanage.pc.in libsemanage-2.7/src/libsemanage.pc.in index d3eaa06..43681dd 100644 --- libsemanage-2.7/src/libsemanage.pc.in +++ libsemanage-2.7/src/libsemanage.pc.in @@ -1,6 +1,6 @@ prefix=@prefix@ exec_prefix=${prefix} -libdir=${exec_prefix}/@libdir@ +libdir=@libdir@ includedir=@includedir@ Name: libsemanage diff --git libsemanage-2.7/src/semanage_store.c libsemanage-2.7/src/semanage_store.c index 6158d08..4bd1d65 100644 --- libsemanage-2.7/src/semanage_store.c +++ libsemanage-2.7/src/semanage_store.c @@ -116,6 +116,7 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = { "/modules/disabled", "/policy.kern", "/file_contexts.local", + "/file_contexts.homedirs", "/file_contexts", "/seusers" }; @@ -537,7 +538,6 @@ char *semanage_conf_path(void) int semanage_create_store(semanage_handle_t * sh, int create) { struct stat sb; - int mode_mask = R_OK | W_OK | X_OK; const char *path = semanage_files[SEMANAGE_ROOT]; int fd; @@ -556,9 +556,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) return -1; } } else { - if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) { + if (!S_ISDIR(sb.st_mode)) { ERR(sh, - "Could not access module store at %s, or it is not a directory.", + "Module store at %s is not a directory.", path); return -1; } @@ -579,9 +579,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) return -1; } } else { - if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) { + if (!S_ISDIR(sb.st_mode)) { ERR(sh, - "Could not access module store active subdirectory at %s, or it is not a directory.", + "Module store active subdirectory at %s is not a directory.", path); return -1; } @@ -602,9 +602,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) return -1; } } else { - if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) { + if (!S_ISDIR(sb.st_mode)) { ERR(sh, - "Could not access module store active modules subdirectory at %s, or it is not a directory.", + "Module store active modules subdirectory at %s is not a directory.", path); return -1; } @@ -623,8 +623,8 @@ int semanage_create_store(semanage_handle_t * sh, int create) return -1; } } else { - if (!S_ISREG(sb.st_mode) || access(path, R_OK | W_OK) == -1) { - ERR(sh, "Could not access lock file at %s.", path); + if (!S_ISREG(sb.st_mode)) { + ERR(sh, "Object at %s is not a lock file.", path); return -1; } } @@ -1739,9 +1739,9 @@ static int semanage_commit_sandbox(semanage_handle_t * sh) if (!sh->conf->save_previous) { int errsv = errno; - retval = semanage_remove_directory(backup); - if (retval < 0) { + if (semanage_remove_directory(backup) != 0) { ERR(sh, "Could not delete previous directory %s.", backup); + retval = -1; goto cleanup; } errno = errsv; @@ -2098,6 +2098,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out, const char *kernel_filename = NULL; struct sepol_policy_file *pf = NULL; FILE *outfile = NULL; + mode_t mask = umask(0077); if ((kernel_filename = semanage_path(SEMANAGE_TMP, file)) == NULL) { @@ -2126,6 +2127,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out, if (outfile != NULL) { fclose(outfile); } + umask(mask); sepol_policy_file_free(pf); return retval; } diff --git libsemanage-2.7/src/semanage_store.h libsemanage-2.7/src/semanage_store.h index fcaa505..34bf852 100644 --- libsemanage-2.7/src/semanage_store.h +++ libsemanage-2.7/src/semanage_store.h @@ -61,6 +61,7 @@ enum semanage_sandbox_defs { SEMANAGE_MODULES_DISABLED, SEMANAGE_STORE_KERNEL, SEMANAGE_STORE_FC_LOCAL, + SEMANAGE_STORE_FC_HOMEDIRS, SEMANAGE_STORE_FC, SEMANAGE_STORE_SEUSERS, SEMANAGE_STORE_NUM_PATHS diff --git libsemanage-2.7/src/seusers_local.c libsemanage-2.7/src/seusers_local.c index 42c3a8b..413ebdd 100644 --- libsemanage-2.7/src/seusers_local.c +++ libsemanage-2.7/src/seusers_local.c @@ -35,12 +35,16 @@ static char *semanage_user_roles(semanage_handle_t * handle, const char *sename) for (i = 0; i