rpms/libsemanage
5
0
Fork 0
Code Issues Pull Requests Releases Activity
2ce185aded
libsemanage/libsemanage-fedora.patch
Petr Lautrbach 2ce185aded libsemanage-2.7-12 
- build: Replace PYSITEDIR with PYTHONLIBDIR
- direct_api.c: Fix iterating over array (#1557468)
2018-03-21 16:37:35 +01:00

1042 lines
33 KiB
Diff
Raw Blame History

diff --git libsemanage-2.7/include/Makefile libsemanage-2.7/include/Makefile
index b660660..6e44a28 100644
--- libsemanage-2.7/include/Makefile
+++ libsemanage-2.7/include/Makefile
@@ -1,12 +1,12 @@
# Installation directories.
-PREFIX ?= $(DESTDIR)/usr
+PREFIX ?= /usr
INCDIR ?= $(PREFIX)/include/semanage
all:
install: all
- test -d $(INCDIR) || install -m 755 -d $(INCDIR)
- install -m 644 $(wildcard semanage/*.h) $(INCDIR)
+ test -d $(DESTDIR)$(INCDIR) || install -m 755 -d $(DESTDIR)$(INCDIR)
+ install -m 644 $(wildcard semanage/*.h) $(DESTDIR)$(INCDIR)
indent:
../../scripts/Lindent $(wildcard semanage/*.h)
diff --git libsemanage-2.7/include/semanage/fcontexts_policy.h libsemanage-2.7/include/semanage/fcontexts_policy.h
index a50db2b..199a1e1 100644
--- libsemanage-2.7/include/semanage/fcontexts_policy.h
+++ libsemanage-2.7/include/semanage/fcontexts_policy.h
@@ -26,4 +26,8 @@ extern int semanage_fcontext_list(semanage_handle_t * handle,
semanage_fcontext_t *** records,
unsigned int *count);
+extern int semanage_fcontext_list_homedirs(semanage_handle_t * handle,
+ semanage_fcontext_t *** records,
+ unsigned int *count);
+
#endif
diff --git libsemanage-2.7/man/Makefile libsemanage-2.7/man/Makefile
index 852043d..8667c9b 100644
--- libsemanage-2.7/man/Makefile
+++ libsemanage-2.7/man/Makefile
@@ -1,12 +1,13 @@
# Installation directories.
-MAN3DIR ?= $(DESTDIR)/usr/share/man/man3
-MAN5DIR ?= $(DESTDIR)/usr/share/man/man5
+PREFIX ?= /usr
+MAN3DIR ?= $(PREFIX)/share/man/man3
+MAN5DIR ?= $(PREFIX)/share/man/man5
all:
install: all
- mkdir -p $(MAN3DIR)
- mkdir -p $(MAN5DIR)
- install -m 644 man3/*.3 $(MAN3DIR)
- install -m 644 man5/*.5 $(MAN5DIR)
+ mkdir -p $(DESTDIR)$(MAN3DIR)
+ mkdir -p $(DESTDIR)$(MAN5DIR)
+ install -m 644 man3/*.3 $(DESTDIR)$(MAN3DIR)
+ install -m 644 man5/*.5 $(DESTDIR)$(MAN5DIR)
diff --git libsemanage-2.7/src/Makefile libsemanage-2.7/src/Makefile
index fdb178f..dea751e 100644
--- libsemanage-2.7/src/Makefile
+++ libsemanage-2.7/src/Makefile
@@ -8,21 +8,18 @@ RUBYPREFIX ?= $(notdir $(RUBY))
PKG_CONFIG ?= pkg-config
# Installation directories.
-PREFIX ?= $(DESTDIR)/usr
+PREFIX ?= /usr
LIBDIR ?= $(PREFIX)/lib
-SHLIBDIR ?= $(DESTDIR)/lib
INCLUDEDIR ?= $(PREFIX)/include
PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX))
-PYSITEDIR ?= $(DESTDIR)$(shell $(PYTHON) -c 'import site; print(site.getsitepackages()[0])')
+PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(plat_specific=1, prefix='$(PREFIX)'))")
PYCEXT ?= $(shell $(PYTHON) -c 'import imp;print([s for s,m,t in imp.get_suffixes() if t == imp.C_EXTENSION][0])')
RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]')
RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]')
-RUBYINSTALL ?= $(DESTDIR)$(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]')
+RUBYINSTALL ?= $(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]')
-LIBBASE=$(shell basename $(LIBDIR))
-
-DEFAULT_SEMANAGE_CONF_LOCATION=$(DESTDIR)/etc/selinux/semanage.conf
+DEFAULT_SEMANAGE_CONF_LOCATION=/etc/selinux/semanage.conf
ifeq ($(DEBUG),1)
export CFLAGS = -g3 -O0 -gdwarf-2 -fno-strict-aliasing -Wall -Wshadow -Werror
@@ -95,7 +92,7 @@ $(LIBSO): $(LOBJS)
ln -sf $@ $(TARGET)
$(LIBPC): $(LIBPC).in ../VERSION
- sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
+ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
semanageswig_python_exception.i: ../include/semanage/semanage.h
bash -e exception.sh > $@ || (rm -f $@ ; false)
@@ -136,26 +133,26 @@ swigify: $(SWIGIF)
$(SWIG) $<
install: all
- test -d $(LIBDIR) || install -m 755 -d $(LIBDIR)
- install -m 644 $(LIBA) $(LIBDIR)
- install -m 755 $(LIBSO) $(LIBDIR)
- test -d $(LIBDIR)/pkgconfig || install -m 755 -d $(LIBDIR)/pkgconfig
- install -m 644 $(LIBPC) $(LIBDIR)/pkgconfig
- test -f $(DEFAULT_SEMANAGE_CONF_LOCATION) || install -m 644 -D semanage.conf $(DEFAULT_SEMANAGE_CONF_LOCATION)
- cd $(LIBDIR) && ln -sf $(LIBSO) $(TARGET)
+ test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
+ install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
+ install -m 755 $(LIBSO) $(DESTDIR)$(LIBDIR)
+ test -d $(DESTDIR)$(LIBDIR)/pkgconfig || install -m 755 -d $(DESTDIR)$(LIBDIR)/pkgconfig
+ install -m 644 $(LIBPC) $(DESTDIR)$(LIBDIR)/pkgconfig
+ test -f $(DESTDIR)$(DEFAULT_SEMANAGE_CONF_LOCATION) || install -m 644 -D semanage.conf $(DESTDIR)$(DEFAULT_SEMANAGE_CONF_LOCATION)
+ cd $(DESTDIR)$(LIBDIR) && ln -sf $(LIBSO) $(TARGET)
install-pywrap: pywrap
- test -d $(PYSITEDIR) || install -m 755 -d $(PYSITEDIR)
- install -m 755 $(SWIGSO) $(PYSITEDIR)/_semanage$(PYCEXT)
- install -m 644 semanage.py $(PYSITEDIR)
+ test -d $(DESTDIR)$(PYTHONLIBDIR) || install -m 755 -d $(DESTDIR)$(PYTHONLIBDIR)
+ install -m 755 $(SWIGSO) $(DESTDIR)$(PYTHONLIBDIR)/_semanage$(PYCEXT)
+ install -m 644 semanage.py $(DESTDIR)$(PYTHONLIBDIR)
install-rubywrap: rubywrap
- test -d $(RUBYINSTALL) || install -m 755 -d $(RUBYINSTALL)
- install -m 755 $(SWIGRUBYSO) $(RUBYINSTALL)/semanage.so
+ test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL)
+ install -m 755 $(SWIGRUBYSO) $(DESTDIR)$(RUBYINSTALL)/semanage.so
relabel:
- /sbin/restorecon $(LIBDIR)/$(LIBSO)
+ /sbin/restorecon $(DESTDIR)$(LIBDIR)/$(LIBSO)
clean:
-rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGSO) $(SWIGRUBYSO) $(TARGET) conf-parse.c conf-parse.h conf-scan.c *.o *.lo *~
diff --git libsemanage-2.7/src/database_file.c libsemanage-2.7/src/database_file.c
index a21b3ee..a51269e 100644
--- libsemanage-2.7/src/database_file.c
+++ libsemanage-2.7/src/database_file.c
@@ -119,13 +119,16 @@ static int dbase_file_flush(semanage_handle_t * handle, dbase_file_t * dbase)
cache_entry_t *ptr;
const char *fname = NULL;
FILE *str = NULL;
+ mode_t mask;
if (!dbase_llist_is_modified(&dbase->llist))
return STATUS_SUCCESS;
fname = dbase->path[handle->is_in_transaction];
+ mask = umask(0077);
str = fopen(fname, "w");
+ umask(mask);
if (!str) {
ERR(handle, "could not open %s for writing: %s",
fname, strerror(errno));
diff --git libsemanage-2.7/src/database_llist.c libsemanage-2.7/src/database_llist.c
index 8ce2e2c..c8f4ff0 100644
--- libsemanage-2.7/src/database_llist.c
+++ libsemanage-2.7/src/database_llist.c
@@ -263,7 +263,7 @@ int dbase_llist_iterate(semanage_handle_t * handle,
if (rc < 0)
goto err;
- else if (rc > 1)
+ else if (rc > 0)
break;
}
diff --git libsemanage-2.7/src/direct_api.c libsemanage-2.7/src/direct_api.c
index 65842df..e7ec952 100644
--- libsemanage-2.7/src/direct_api.c
+++ libsemanage-2.7/src/direct_api.c
@@ -60,6 +60,7 @@
#define PIPE_READ 0
#define PIPE_WRITE 1
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
static void semanage_direct_destroy(semanage_handle_t * sh);
static int semanage_direct_disconnect(semanage_handle_t * sh);
@@ -140,6 +141,7 @@ int semanage_direct_is_managed(semanage_handle_t * sh)
int semanage_direct_connect(semanage_handle_t * sh)
{
const char *path;
+ struct stat sb;
if (semanage_check_init(sh, sh->conf->store_root_path))
goto err;
@@ -148,9 +150,6 @@ int semanage_direct_connect(semanage_handle_t * sh)
if (semanage_create_store(sh, 1))
goto err;
- if (semanage_access_check(sh) < SEMANAGE_CAN_READ)
- goto err;
-
sh->u.direct.translock_file_fd = -1;
sh->u.direct.activelock_file_fd = -1;
@@ -210,6 +209,12 @@ int semanage_direct_connect(semanage_handle_t * sh)
semanage_fcontext_dbase_local(sh)) < 0)
goto err;
+ if (fcontext_file_dbase_init(sh,
+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC_HOMEDIRS),
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS),
+ semanage_fcontext_dbase_homedirs(sh)) < 0)
+ goto err;
+
if (seuser_file_dbase_init(sh,
semanage_path(SEMANAGE_ACTIVE,
SEMANAGE_SEUSERS_LOCAL),
@@ -299,10 +304,16 @@ int semanage_direct_connect(semanage_handle_t * sh)
/* set the disable dontaudit value */
path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_DISABLE_DONTAUDIT);
- if (access(path, F_OK) == 0)
+
+ if (stat(path, &sb) == 0)
sepol_set_disable_dontaudit(sh->sepolh, 1);
- else
+ else if (errno == ENOENT) {
+ /* The file does not exist */
sepol_set_disable_dontaudit(sh->sepolh, 0);
+ } else {
+ ERR(sh, "Unable to access %s: %s\n", path, strerror(errno));
+ goto err;
+ }
return STATUS_SUCCESS;
@@ -317,25 +328,43 @@ static void semanage_direct_destroy(semanage_handle_t * sh
/* do nothing */
}
-static int semanage_direct_disconnect(semanage_handle_t * sh)
+static int semanage_remove_tmps(semanage_handle_t *sh)
{
- /* destroy transaction */
- if (sh->is_in_transaction) {
- /* destroy sandbox */
- if (semanage_remove_directory
- (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) {
+ if (sh->commit_err)
+ return 0;
+
+ /* destroy sandbox if it exists */
+ if (semanage_remove_directory
+ (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) {
+ if (errno != ENOENT) {
ERR(sh, "Could not cleanly remove sandbox %s.",
semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL));
return -1;
}
- if (semanage_remove_directory
- (semanage_final_path(SEMANAGE_FINAL_TMP,
- SEMANAGE_FINAL_TOPLEVEL)) < 0) {
+ }
+
+ /* destroy tmp policy if it exists */
+ if (semanage_remove_directory
+ (semanage_final_path(SEMANAGE_FINAL_TMP,
+ SEMANAGE_FINAL_TOPLEVEL)) < 0) {
+ if (errno != ENOENT) {
ERR(sh, "Could not cleanly remove tmp %s.",
semanage_final_path(SEMANAGE_FINAL_TMP,
SEMANAGE_FINAL_TOPLEVEL));
return -1;
}
+ }
+
+ return 0;
+}
+
+static int semanage_direct_disconnect(semanage_handle_t *sh)
+{
+ int retval = 0;
+
+ /* destroy transaction and remove tmp files if no commit error */
+ if (sh->is_in_transaction) {
+ retval = semanage_remove_tmps(sh);
semanage_release_trans_lock(sh);
}
@@ -349,6 +378,7 @@ static int semanage_direct_disconnect(semanage_handle_t * sh)
iface_file_dbase_release(semanage_iface_dbase_local(sh));
bool_file_dbase_release(semanage_bool_dbase_local(sh));
fcontext_file_dbase_release(semanage_fcontext_dbase_local(sh));
+ fcontext_file_dbase_release(semanage_fcontext_dbase_homedirs(sh));
seuser_file_dbase_release(semanage_seuser_dbase_local(sh));
node_file_dbase_release(semanage_node_dbase_local(sh));
@@ -368,15 +398,11 @@ static int semanage_direct_disconnect(semanage_handle_t * sh)
/* Release object databases: active kernel policy */
bool_activedb_dbase_release(semanage_bool_dbase_active(sh));
- return 0;
+ return retval;
}
static int semanage_direct_begintrans(semanage_handle_t * sh)
{
-
- if (semanage_access_check(sh) != SEMANAGE_CAN_WRITE) {
- return -1;
- }
if (semanage_get_trans_lock(sh) < 0) {
return -1;
}
@@ -1121,6 +1147,7 @@ static int semanage_compile_hll_modules(semanage_handle_t *sh,
int status = 0;
int i;
char cil_path[PATH_MAX];
+ struct stat sb;
assert(sh);
assert(modinfos);
@@ -1137,9 +1164,13 @@ static int semanage_compile_hll_modules(semanage_handle_t *sh,
}
if (semanage_get_ignore_module_cache(sh) == 0 &&
- access(cil_path, F_OK) == 0) {
+ (status = stat(cil_path, &sb)) == 0) {
continue;
}
+ if (status != 0 && errno != ENOENT) {
+ ERR(sh, "Unable to access %s: %s\n", cil_path, strerror(errno));
+ goto cleanup; //an error in the "stat" call
+ }
status = semanage_compile_module(sh, &modinfos[i]);
if (status < 0) {
@@ -1153,6 +1184,14 @@ cleanup:
return status;
}
+/* Copies a file from src to dst. If dst already exists then
+ * overwrite it. If source doesn't exist then return success.
+ * Returns 0 on success, -1 on error. */
+static int copy_file_if_exists(const char *src, const char *dst, mode_t mode){
+ int rc = semanage_copy_file(src, dst, mode);
+ return (rc < 0 && errno != ENOENT) ? rc : 0;
+}
+
/********************* direct API functions ********************/
/* Commits all changes in sandbox to the actual kernel policy.
@@ -1169,6 +1208,8 @@ static int semanage_direct_commit(semanage_handle_t * sh)
sepol_policydb_t *out = NULL;
struct cil_db *cildb = NULL;
semanage_module_info_t *modinfos = NULL;
+ mode_t mask = umask(0077);
+ struct stat sb;
int do_rebuild, do_write_kernel, do_install;
int fcontexts_modified, ports_modified, seusers_modified,
@@ -1207,10 +1248,16 @@ static int semanage_direct_commit(semanage_handle_t * sh)
/* Create or remove the disable_dontaudit flag file. */
path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT);
- if (access(path, F_OK) == 0)
+ if (stat(path, &sb) == 0)
do_rebuild |= !(sepol_get_disable_dontaudit(sh->sepolh) == 1);
- else
+ else if (errno == ENOENT) {
+ /* The file does not exist */
do_rebuild |= (sepol_get_disable_dontaudit(sh->sepolh) == 1);
+ } else {
+ ERR(sh, "Unable to access %s: %s\n", path, strerror(errno));
+ retval = -1;
+ goto cleanup;
+ }
if (sepol_get_disable_dontaudit(sh->sepolh) == 1) {
FILE *touch;
touch = fopen(path, "w");
@@ -1232,10 +1279,17 @@ static int semanage_direct_commit(semanage_handle_t * sh)
/* Create or remove the preserve_tunables flag file. */
path = semanage_path(SEMANAGE_TMP, SEMANAGE_PRESERVE_TUNABLES);
- if (access(path, F_OK) == 0)
+ if (stat(path, &sb) == 0)
do_rebuild |= !(sepol_get_preserve_tunables(sh->sepolh) == 1);
- else
+ else if (errno == ENOENT) {
+ /* The file does not exist */
do_rebuild |= (sepol_get_preserve_tunables(sh->sepolh) == 1);
+ } else {
+ ERR(sh, "Unable to access %s: %s\n", path, strerror(errno));
+ retval = -1;
+ goto cleanup;
+ }
+
if (sepol_get_preserve_tunables(sh->sepolh) == 1) {
FILE *touch;
touch = fopen(path, "w");
@@ -1272,40 +1326,25 @@ static int semanage_direct_commit(semanage_handle_t * sh)
* a rebuild.
*/
if (!do_rebuild) {
- path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL);
- if (access(path, F_OK) != 0) {
- do_rebuild = 1;
- goto rebuild;
- }
-
- path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
- if (access(path, F_OK) != 0) {
- do_rebuild = 1;
- goto rebuild;
- }
-
- path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
- if (access(path, F_OK) != 0) {
- do_rebuild = 1;
- goto rebuild;
- }
-
- path = semanage_path(SEMANAGE_TMP, SEMANAGE_LINKED);
- if (access(path, F_OK) != 0) {
- do_rebuild = 1;
- goto rebuild;
- }
-
- path = semanage_path(SEMANAGE_TMP, SEMANAGE_SEUSERS_LINKED);
- if (access(path, F_OK) != 0) {
- do_rebuild = 1;
- goto rebuild;
- }
+ int files[] = {SEMANAGE_STORE_KERNEL,
+ SEMANAGE_STORE_FC,
+ SEMANAGE_STORE_SEUSERS,
+ SEMANAGE_LINKED,
+ SEMANAGE_SEUSERS_LINKED,
+ SEMANAGE_USERS_EXTRA_LINKED};
+
+ for (i = 0; i < (int) ARRAY_SIZE(files); i++) {
+ path = semanage_path(SEMANAGE_TMP, files[i]);
+ if (stat(path, &sb) != 0) {
+ if (errno != ENOENT) {
+ ERR(sh, "Unable to access %s: %s\n", path, strerror(errno));
+ retval = -1;
+ goto cleanup;
+ }
- path = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA_LINKED);
- if (access(path, F_OK) != 0) {
- do_rebuild = 1;
- goto rebuild;
+ do_rebuild = 1;
+ goto rebuild;
+ }
}
}
@@ -1438,7 +1477,7 @@ rebuild:
goto cleanup;
path = semanage_path(SEMANAGE_TMP, SEMANAGE_SEUSERS_LINKED);
- if (access(path, F_OK) == 0) {
+ if (stat(path, &sb) == 0) {
retval = semanage_copy_file(path,
semanage_path(SEMANAGE_TMP,
SEMANAGE_STORE_SEUSERS),
@@ -1446,12 +1485,17 @@ rebuild:
if (retval < 0)
goto cleanup;
pseusers->dtable->drop_cache(pseusers->dbase);
- } else {
+ } else if (errno == ENOENT) {
+ /* The file does not exist */
pseusers->dtable->clear(sh, pseusers->dbase);
+ } else {
+ ERR(sh, "Unable to access %s: %s\n", path, strerror(errno));
+ retval = -1;
+ goto cleanup;
}
path = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA_LINKED);
- if (access(path, F_OK) == 0) {
+ if (stat(path, &sb) == 0) {
retval = semanage_copy_file(path,
semanage_path(SEMANAGE_TMP,
SEMANAGE_USERS_EXTRA),
@@ -1459,8 +1503,13 @@ rebuild:
if (retval < 0)
goto cleanup;
pusers_extra->dtable->drop_cache(pusers_extra->dbase);
- } else {
+ } else if (errno == ENOENT) {
+ /* The file does not exist */
pusers_extra->dtable->clear(sh, pusers_extra->dbase);
+ } else {
+ ERR(sh, "Unable to access %s: %s\n", path, strerror(errno));
+ retval = -1;
+ goto cleanup;
}
}
@@ -1544,44 +1593,44 @@ rebuild:
goto cleanup;
}
- path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
- if (access(path, F_OK) == 0) {
- retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
- sh->conf->file_mode);
- if (retval < 0) {
- goto cleanup;
- }
+ retval = copy_file_if_exists(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
+ sh->conf->file_mode);
+ if (retval < 0) {
+ goto cleanup;
}
- path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
- if (access(path, F_OK) == 0) {
- retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
- sh->conf->file_mode);
- if (retval < 0) {
- goto cleanup;
- }
+ retval = copy_file_if_exists(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
+ sh->conf->file_mode);
+ if (retval < 0) {
+ goto cleanup;
}
- path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
- if (access(path, F_OK) == 0) {
- retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
- sh->conf->file_mode);
- if (retval < 0) {
- goto cleanup;
- }
+ retval = copy_file_if_exists(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
+ sh->conf->file_mode);
+ if (retval < 0) {
+ goto cleanup;
}
/* run genhomedircon if its enabled, this should be the last operation
* which requires the out policydb */
if (!sh->conf->disable_genhomedircon) {
- if (out && (retval =
- semanage_genhomedircon(sh, out, sh->conf->usepasswd, sh->conf->ignoredirs)) != 0) {
- ERR(sh, "semanage_genhomedircon returned error code %d.",
- retval);
- goto cleanup;
+ if (out){
+ if ((retval = semanage_genhomedircon(sh, out, sh->conf->usepasswd,
+ sh->conf->ignoredirs)) != 0) {
+ ERR(sh, "semanage_genhomedircon returned error code %d.", retval);
+ goto cleanup;
+ }
+ /* file_contexts.homedirs was created in SEMANAGE_TMP store */
+ retval = semanage_copy_file(
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS),
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS),
+ sh->conf->file_mode);
+ if (retval < 0) {
+ goto cleanup;
+ }
}
} else {
WARN(sh, "WARNING: genhomedircon is disabled. \
@@ -1618,17 +1667,21 @@ cleanup:
free(mod_filenames);
sepol_policydb_free(out);
cil_db_destroy(&cildb);
- semanage_release_trans_lock(sh);
free(fc_buffer);
- /* regardless if the commit was successful or not, remove the
- sandbox if it is still there */
- semanage_remove_directory(semanage_path
- (SEMANAGE_TMP, SEMANAGE_TOPLEVEL));
- semanage_remove_directory(semanage_final_path
- (SEMANAGE_FINAL_TMP,
- SEMANAGE_FINAL_TOPLEVEL));
+ /* Set commit_err so other functions can detect any errors. Note that
+ * retval > 0 will be the commit number.
+ */
+ if (retval < 0)
+ sh->commit_err = retval;
+
+ if (semanage_remove_tmps(sh) != 0)
+ retval = -1;
+
+ semanage_release_trans_lock(sh);
+ umask(mask);
+
return retval;
}
@@ -1786,6 +1839,7 @@ static int semanage_direct_extract(semanage_handle_t * sh,
ssize_t _data_len;
char *_data;
int compressed;
+ struct stat sb;
/* get path of module */
rc = semanage_module_get_path(
@@ -1798,8 +1852,8 @@ static int semanage_direct_extract(semanage_handle_t * sh,
goto cleanup;
}
- if (access(module_path, F_OK) != 0) {
- ERR(sh, "Module does not exist: %s", module_path);
+ if (stat(module_path, &sb) != 0) {
+ ERR(sh, "Unable to access %s: %s\n", module_path, strerror(errno));
rc = -1;
goto cleanup;
}
@@ -1828,7 +1882,13 @@ static int semanage_direct_extract(semanage_handle_t * sh,
goto cleanup;
}
- if (extract_cil == 1 && strcmp(_modinfo->lang_ext, "cil") && access(input_file, F_OK) != 0) {
+ if (extract_cil == 1 && strcmp(_modinfo->lang_ext, "cil") && stat(input_file, &sb) != 0) {
+ if (errno != ENOENT) {
+ ERR(sh, "Unable to access %s: %s\n", input_file, strerror(errno));
+ rc = -1;
+ goto cleanup;
+ }
+
rc = semanage_compile_module(sh, _modinfo);
if (rc < 0) {
goto cleanup;
@@ -1973,6 +2033,12 @@ static int semanage_direct_get_enabled(semanage_handle_t *sh,
}
if (stat(path, &sb) < 0) {
+ if (errno != ENOENT) {
+ ERR(sh, "Unable to access %s: %s\n", path, strerror(errno));
+ status = -1;
+ goto cleanup;
+ }
+
*enabled = 1;
}
else {
@@ -2000,6 +2066,7 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh,
const char *path = NULL;
FILE *fp = NULL;
semanage_module_info_t *modinfo = NULL;
+ mode_t mask;
/* check transaction */
if (!sh->is_in_transaction) {
@@ -2060,7 +2127,9 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh,
switch (enabled) {
case 0: /* disable the module */
+ mask = umask(0077);
fp = fopen(fn, "w");
+ umask(mask);
if (fp == NULL) {
ERR(sh,
@@ -2296,6 +2365,12 @@ static int semanage_direct_get_module_info(semanage_handle_t *sh,
/* set enabled/disabled status */
if (stat(fn, &sb) < 0) {
+ if (errno != ENOENT) {
+ ERR(sh, "Unable to access %s: %s\n", fn, strerror(errno));
+ status = -1;
+ goto cleanup;
+ }
+
ret = semanage_module_info_set_enabled(sh, *modinfo, 1);
if (ret != 0) {
status = -1;
@@ -2704,8 +2779,10 @@ static int semanage_direct_install_info(semanage_handle_t *sh,
int status = 0;
int ret = 0;
int type;
+ struct stat sb;
char path[PATH_MAX];
+ mode_t mask = umask(0077);
semanage_module_info_t *higher_info = NULL;
semanage_module_key_t higher_key;
@@ -2754,7 +2831,7 @@ static int semanage_direct_install_info(semanage_handle_t *sh,
if (higher_info->enabled == 0 && modinfo->enabled == -1) {
errno = 0;
WARN(sh,
- "%s module will be disabled after install due to default enabled status.",
+ "%s module will be disabled after install as there is a disabled instance of this module present in the system.",
modinfo->name);
}
}
@@ -2803,7 +2880,7 @@ static int semanage_direct_install_info(semanage_handle_t *sh,
goto cleanup;
}
- if (access(path, F_OK) == 0) {
+ if (stat(path, &sb) == 0) {
ret = unlink(path);
if (ret != 0) {
ERR(sh, "Error while removing cached CIL file %s: %s", path, strerror(errno));
@@ -2817,6 +2894,7 @@ cleanup:
semanage_module_key_destroy(sh, &higher_key);
semanage_module_info_destroy(sh, higher_info);
free(higher_info);
+ umask(mask);
return status;
}
diff --git libsemanage-2.7/src/fcontexts_policy.c libsemanage-2.7/src/fcontexts_policy.c
index 0b063b1..98490ab 100644
--- libsemanage-2.7/src/fcontexts_policy.c
+++ libsemanage-2.7/src/fcontexts_policy.c
@@ -51,3 +51,11 @@ int semanage_fcontext_list(semanage_handle_t * handle,
dbase_config_t *dconfig = semanage_fcontext_dbase_policy(handle);
return dbase_list(handle, dconfig, records, count);
}
+
+int semanage_fcontext_list_homedirs(semanage_handle_t * handle,
+ semanage_fcontext_t *** records, unsigned int *count)
+{
+
+ dbase_config_t *dconfig = semanage_fcontext_dbase_homedirs(handle);
+ return dbase_list(handle, dconfig, records, count);
+}
diff --git libsemanage-2.7/src/genhomedircon.c libsemanage-2.7/src/genhomedircon.c
index b9a74b7..d09d82f 100644
--- libsemanage-2.7/src/genhomedircon.c
+++ libsemanage-2.7/src/genhomedircon.c
@@ -1345,8 +1345,8 @@ int semanage_genhomedircon(semanage_handle_t * sh,
s.homedir_template_path =
semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL);
- s.fcfilepath = semanage_final_path(SEMANAGE_FINAL_TMP,
- SEMANAGE_FC_HOMEDIRS);
+ s.fcfilepath =
+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS);
s.fallback = calloc(1, sizeof(genhomedircon_user_entry_t));
if (s.fallback == NULL) {
@@ -1385,7 +1385,9 @@ done:
if (out != NULL)
fclose(out);
- pop_user_entry(&(s.fallback));
+ while (s.fallback)
+ pop_user_entry(&(s.fallback));
+
ignore_free();
return retval;
diff --git libsemanage-2.7/src/handle.c libsemanage-2.7/src/handle.c
index 4ce1df0..a6567bd 100644
--- libsemanage-2.7/src/handle.c
+++ libsemanage-2.7/src/handle.c
@@ -86,6 +86,8 @@ semanage_handle_t *semanage_handle_create(void)
* If any changes are made, this flag is ignored */
sh->do_rebuild = 0;
+ sh->commit_err = 0;
+
/* By default always reload policy after commit if SELinux is enabled. */
sh->do_reload = (is_selinux_enabled() > 0);
diff --git libsemanage-2.7/src/handle.h libsemanage-2.7/src/handle.h
index 889871d..a91907b 100644
--- libsemanage-2.7/src/handle.h
+++ libsemanage-2.7/src/handle.h
@@ -62,6 +62,10 @@ struct semanage_handle {
int is_in_transaction;
int do_reload; /* whether to reload policy after commit */
int do_rebuild; /* whether to rebuild policy if there were no changes */
+ int commit_err; /* set by semanage_direct_commit() if there are
+ * any errors when building or committing the
+ * sandbox to kernel policy at /etc/selinux
+ */
int modules_modified;
int create_store; /* whether to create the store if it does not exist
* this will only have an effect on direct connections */
@@ -79,7 +83,7 @@ struct semanage_handle {
struct semanage_policy_table *funcs;
/* Object databases */
-#define DBASE_COUNT 23
+#define DBASE_COUNT 24
/* Local modifications */
#define DBASE_LOCAL_USERS_BASE 0
@@ -102,13 +106,14 @@ struct semanage_handle {
#define DBASE_POLICY_INTERFACES 15
#define DBASE_POLICY_BOOLEANS 16
#define DBASE_POLICY_FCONTEXTS 17
-#define DBASE_POLICY_SEUSERS 18
-#define DBASE_POLICY_NODES 19
-#define DBASE_POLICY_IBPKEYS 20
-#define DBASE_POLICY_IBENDPORTS 21
+#define DBASE_POLICY_FCONTEXTS_H 18
+#define DBASE_POLICY_SEUSERS 19
+#define DBASE_POLICY_NODES 20
+#define DBASE_POLICY_IBPKEYS 21
+#define DBASE_POLICY_IBENDPORTS 22
/* Active kernel policy */
-#define DBASE_ACTIVE_BOOLEANS 22
+#define DBASE_ACTIVE_BOOLEANS 23
dbase_config_t dbase[DBASE_COUNT];
};
@@ -235,6 +240,12 @@ static inline
return &handle->dbase[DBASE_POLICY_FCONTEXTS];
}
+static inline
+ dbase_config_t * semanage_fcontext_dbase_homedirs(semanage_handle_t * handle)
+{
+ return &handle->dbase[DBASE_POLICY_FCONTEXTS_H];
+}
+
static inline
dbase_config_t * semanage_seuser_dbase_policy(semanage_handle_t * handle)
{
diff --git libsemanage-2.7/src/libsemanage.pc.in libsemanage-2.7/src/libsemanage.pc.in
index d3eaa06..43681dd 100644
--- libsemanage-2.7/src/libsemanage.pc.in
+++ libsemanage-2.7/src/libsemanage.pc.in
@@ -1,6 +1,6 @@
prefix=@prefix@
exec_prefix=${prefix}
-libdir=${exec_prefix}/@libdir@
+libdir=@libdir@
includedir=@includedir@
Name: libsemanage
diff --git libsemanage-2.7/src/semanage_store.c libsemanage-2.7/src/semanage_store.c
index 6158d08..14ad99c 100644
--- libsemanage-2.7/src/semanage_store.c
+++ libsemanage-2.7/src/semanage_store.c
@@ -116,6 +116,7 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
"/modules/disabled",
"/policy.kern",
"/file_contexts.local",
+ "/file_contexts.homedirs",
"/file_contexts",
"/seusers"
};
@@ -513,6 +514,7 @@ char *semanage_conf_path(void)
{
char *semanage_conf = NULL;
int len;
+ struct stat sb;
len = strlen(semanage_root()) + strlen(selinux_path()) + strlen(SEMANAGE_CONF_FILE);
semanage_conf = calloc(len + 1, sizeof(char));
@@ -521,7 +523,7 @@ char *semanage_conf_path(void)
snprintf(semanage_conf, len + 1, "%s%s%s", semanage_root(), selinux_path(),
SEMANAGE_CONF_FILE);
- if (access(semanage_conf, R_OK) != 0) {
+ if (stat(semanage_conf, &sb) != 0 && errno == ENOENT) {
snprintf(semanage_conf, len + 1, "%s%s", selinux_path(), SEMANAGE_CONF_FILE);
}
@@ -537,7 +539,6 @@ char *semanage_conf_path(void)
int semanage_create_store(semanage_handle_t * sh, int create)
{
struct stat sb;
- int mode_mask = R_OK | W_OK | X_OK;
const char *path = semanage_files[SEMANAGE_ROOT];
int fd;
@@ -556,9 +557,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
return -1;
}
} else {
- if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
+ if (!S_ISDIR(sb.st_mode)) {
ERR(sh,
- "Could not access module store at %s, or it is not a directory.",
+ "Module store at %s is not a directory.",
path);
return -1;
}
@@ -579,9 +580,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
return -1;
}
} else {
- if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
+ if (!S_ISDIR(sb.st_mode)) {
ERR(sh,
- "Could not access module store active subdirectory at %s, or it is not a directory.",
+ "Module store active subdirectory at %s is not a directory.",
path);
return -1;
}
@@ -602,9 +603,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
return -1;
}
} else {
- if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
+ if (!S_ISDIR(sb.st_mode)) {
ERR(sh,
- "Could not access module store active modules subdirectory at %s, or it is not a directory.",
+ "Module store active modules subdirectory at %s is not a directory.",
path);
return -1;
}
@@ -623,8 +624,8 @@ int semanage_create_store(semanage_handle_t * sh, int create)
return -1;
}
} else {
- if (!S_ISREG(sb.st_mode) || access(path, R_OK | W_OK) == -1) {
- ERR(sh, "Could not access lock file at %s.", path);
+ if (!S_ISREG(sb.st_mode)) {
+ ERR(sh, "Object at %s is not a lock file.", path);
return -1;
}
}
@@ -1508,8 +1509,14 @@ int semanage_split_fc(semanage_handle_t * sh)
static int sefcontext_compile(semanage_handle_t * sh, const char *path) {
int r;
+ struct stat sb;
+
+ if (stat(path, &sb) < 0) {
+ if (errno != ENOENT) {
+ ERR(sh, "Unable to access %s: %s\n", path, strerror(errno));
+ return -1;
+ }
- if (access(path, F_OK) != 0) {
return 0;
}
@@ -1739,9 +1746,9 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
if (!sh->conf->save_previous) {
int errsv = errno;
- retval = semanage_remove_directory(backup);
- if (retval < 0) {
+ if (semanage_remove_directory(backup) != 0) {
ERR(sh, "Could not delete previous directory %s.", backup);
+ retval = -1;
goto cleanup;
}
errno = errsv;
@@ -2098,6 +2105,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out,
const char *kernel_filename = NULL;
struct sepol_policy_file *pf = NULL;
FILE *outfile = NULL;
+ mode_t mask = umask(0077);
if ((kernel_filename =
semanage_path(SEMANAGE_TMP, file)) == NULL) {
@@ -2126,6 +2134,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out,
if (outfile != NULL) {
fclose(outfile);
}
+ umask(mask);
sepol_policy_file_free(pf);
return retval;
}
diff --git libsemanage-2.7/src/semanage_store.h libsemanage-2.7/src/semanage_store.h
index fcaa505..34bf852 100644
--- libsemanage-2.7/src/semanage_store.h
+++ libsemanage-2.7/src/semanage_store.h
@@ -61,6 +61,7 @@ enum semanage_sandbox_defs {
SEMANAGE_MODULES_DISABLED,
SEMANAGE_STORE_KERNEL,
SEMANAGE_STORE_FC_LOCAL,
+ SEMANAGE_STORE_FC_HOMEDIRS,
SEMANAGE_STORE_FC,
SEMANAGE_STORE_SEUSERS,
SEMANAGE_STORE_NUM_PATHS
diff --git libsemanage-2.7/src/seusers_local.c libsemanage-2.7/src/seusers_local.c
index 42c3a8b..413ebdd 100644
--- libsemanage-2.7/src/seusers_local.c
+++ libsemanage-2.7/src/seusers_local.c
@@ -35,12 +35,16 @@ static char *semanage_user_roles(semanage_handle_t * handle, const char *sename)
for (i = 0; i<num_roles; i++) {
size += (strlen(roles_arr[i]) + 1);
}
- roles = malloc(size);
- if (roles) {
- strcpy(roles,roles_arr[0]);
- for (i = 1; i<num_roles; i++) {
- strcat(roles,",");
- strcat(roles,roles_arr[i]);
+ if (num_roles == 0) {
+ roles = strdup("");
+ } else {
+ roles = malloc(size);
+ if (roles) {
+ strcpy(roles,roles_arr[0]);
+ for (i = 1; i<num_roles; i++) {
+ strcat(roles,",");
+ strcat(roles,roles_arr[i]);
+ }
}
}
}
diff --git libsemanage-2.7/tests/Makefile libsemanage-2.7/tests/Makefile
index 2ef8d30..324766a 100644
--- libsemanage-2.7/tests/Makefile
+++ libsemanage-2.7/tests/Makefile
@@ -1,6 +1,3 @@
-PREFIX ?= $(DESTDIR)/usr
-LIBDIR ?= $(PREFIX)/lib
-
# Add your test source files here:
SOURCES = $(sort $(wildcard *.c))
diff --git libsemanage-2.7/utils/Makefile libsemanage-2.7/utils/Makefile
index 725f0ee..5b8fbb6 100644
--- libsemanage-2.7/utils/Makefile
+++ libsemanage-2.7/utils/Makefile
@@ -1,13 +1,13 @@
# Installation directories.
-PREFIX ?= $(DESTDIR)/usr
+PREFIX ?= /usr
LIBEXECDIR ?= $(PREFIX)/libexec
SELINUXEXECDIR ?= $(LIBEXECDIR)/selinux/
all:
install: all
- -mkdir -p $(SELINUXEXECDIR)
- install -m 755 semanage_migrate_store $(SELINUXEXECDIR)
+ -mkdir -p $(DESTDIR)$(SELINUXEXECDIR)
+ install -m 755 semanage_migrate_store $(DESTDIR)$(SELINUXEXECDIR)
clean:
Reference in New Issue View Git Blame Copy Permalink