From 1fd4fb2b1ed73323d29fcce2bce6406f6a20fcc3 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Fri, 6 Dec 2019 10:31:38 +0100
Subject: [PATCH] SELinux userspace 3.0 release

---
 .gitignore | 1 +
 ...OURCE_LEAK-and-USE_AFTER_FREE-coveri.patch | 129 ++++++++
 ...mcstrans-Fix-USER_AFTER_FREE-problem.patch | 28 ++
 ...ns-Do-not-accept-incomplete-contexts.patch | 59 ++++
 mcstrans-0.3.2-writepid.patch | 51 ---
 mcstrans-0.3.3-inotify.patch | 294 ------------------
 mcstrans-0.3.3-man.patch | 197 ------------
 mcstrans.spec | 11 +-
 sources | 2 +-
 9 files changed, 225 insertions(+), 547 deletions(-)
 create mode 100644 0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
 create mode 100644 0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch
 create mode 100644 0003-mcstrans-Do-not-accept-incomplete-contexts.patch
 delete mode 100644 mcstrans-0.3.2-writepid.patch
 delete mode 100644 mcstrans-0.3.3-inotify.patch
 delete mode 100644 mcstrans-0.3.3-man.patch

diff --git a/.gitignore b/.gitignore
index 2e2fa7c..e47bc2c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,3 +28,4 @@ mcstrans-0.3.1.tgz
 /mcstrans-2.9-rc2.tar.gz
 /mcstrans-2.9.tar.gz
 /mcstrans-3.0-rc1.tar.gz
+/mcstrans-3.0.tar.gz
diff --git a/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch b/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
new file mode 100644
index 0000000..f05287f
--- /dev/null
+++ b/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
@@ -0,0 +1,129 @@ +From a9eae01e435c2d6f13f3672a50f545bab03e9992 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Wed, 28 Nov 2018 18:28:05 +0100 +Subject: [PATCH] mcstrans: Fir RESOURCE_LEAK and USE_AFTER_FREE coverity scan + defects + +--- + mcstrans/src/mcstrans.c | 21 +++++++++++++++++++-- + mcstrans/src/mcstransd.c | 4 +++- + 2 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c +index 96bdbdff7d8b..0d9d0f3e25b7 100644 +--- a/mcstrans/src/mcstrans.c ++++ b/mcstrans/src/mcstrans.c +@@ -633,16 +633,23 @@ add_cache(domain_t *domain, char *raw, char *trans) { + + map->raw = strdup(raw); + if (!map->raw) { ++ free(map); + goto err; + } + map->trans = strdup(trans); + if (!map->trans) { ++ free(map->raw); ++ free(map); + goto err; + } + + log_debug(" add_cache (%s,%s)\n", raw, trans); +- if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0) ++ if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0) { ++ free(map->trans); ++ free(map->raw); ++ free(map); + goto err; ++ } + + if (add_to_hashtable(domain->trans_to_raw, map->trans, map) < 0) + goto err; +@@ -1519,6 +1526,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) { + trans = compute_trans_from_raw(range, domain); + if (trans) + if (add_cache(domain, range, trans) < 0) { ++ free(trans); + free(range); + return -1; + } +@@ -1530,6 +1538,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) { + ltrans = compute_trans_from_raw(lrange, domain); + if (ltrans) { + if (add_cache(domain, lrange, ltrans) < 0) { ++ free(ltrans); + free(range); + return -1; + } +@@ -1548,6 +1557,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) { + utrans = compute_trans_from_raw(urange, domain); + if (utrans) { + if (add_cache(domain, urange, utrans) < 0) { ++ free(utrans); + free(ltrans); + free(range); + return -1; +@@ -1647,14 +1657,19 @@ untrans_context(const security_context_t 
incon, security_context_t *rcon) { + canonical = compute_trans_from_raw(raw, domain); + if (canonical && strcmp(canonical, range)) + if (add_cache(domain, raw, canonical) < 0) { ++ free(canonical); + free(range); ++ free(raw); + return -1; + } + } +- if (canonical) ++ if (canonical) { + free(canonical); ++ free(raw); ++ } + if (add_cache(domain, raw, range) < 0) { + free(range); ++ free(raw); + return -1; + } + } else { +@@ -1672,6 +1687,7 @@ untrans_context(const security_context_t incon, security_context_t *rcon) { + canonical = compute_trans_from_raw(lraw, domain); + if (canonical) + if (add_cache(domain, lraw, canonical) < 0) { ++ free(canonical); + free(lraw); + free(range); + return -1; +@@ -1703,6 +1719,7 @@ untrans_context(const security_context_t incon, security_context_t *rcon) { + canonical = compute_trans_from_raw(uraw, domain); + if (canonical) + if (add_cache(domain, uraw, canonical) < 0) { ++ free(canonical); + free(uraw); + free(lraw); + free(range); +diff --git a/mcstrans/src/mcstransd.c b/mcstrans/src/mcstransd.c +index 858994932e4f..a1ec81acb3c8 100644 +--- a/mcstrans/src/mcstransd.c ++++ b/mcstrans/src/mcstransd.c +@@ -335,6 +335,7 @@ process_events(struct pollfd **ufds, int *nfds) + /* Setup pollfd for deletion later. */ + (*ufds)[ii].fd = -1; + close(connfd); ++ connfd = -1; + /* So we don't get bothered later */ + revents = revents & ~(POLLHUP); + } +@@ -348,10 +349,11 @@ process_events(struct pollfd **ufds, int *nfds) + /* Set the pollfd up for deletion later. */ + (*ufds)[ii].fd = -1; + close(connfd); ++ connfd = -1; + + revents = revents & ~(POLLHUP); + } +- if (revents) { ++ if (revents && connfd != -1) { + syslog(LOG_ERR, "Unknown/error events (%x) encountered" + " for fd (%d)\n", revents, connfd); + +-- +2.23.0 + diff --git a/0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch b/0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch new file mode 100644 index 0000000..66098ad --- /dev/null +++ b/0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch 
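Review bot: The new cleanup in add_cache() stops at the first add_to_hashtable() call: if the second insert, into domain->trans_to_raw, fails, the code still takes the bare `goto err` while `map` is already linked into domain->raw_to_trans, so the cache is left with a raw-to-trans entry that has no reverse mapping and can no longer be released (the patched file shows no remove-from-table helper, and the `err` label itself is outside the hunk). If `err` ever frees `map`, the frees added in this hunk would turn into double frees, so the ownership hand-off deserves a comment at the second insert: `/* map is already owned by raw_to_trans here; do not free it on failure */`. The mcstransd.c part is sound: resetting `connfd = -1` after close() and guarding the syslog with `connfd != -1` keeps the "Unknown/error events" message from reporting a descriptor that was just closed. Note that in untrans_context() the `free(raw)` added inside `if (canonical)` precedes a call that still passes `raw` to add_cache(); the package's 0002 patch backs that line out.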
@@ -0,0 +1,28 @@ +From d09b54cfffaa3923c22bb3ff7818cb4a19325905 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Thu, 9 May 2019 16:44:43 +0200 +Subject: [PATCH] mcstrans: Fix USER_AFTER_FREE problem + +--- + mcstrans/src/mcstrans.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c +index 0d9d0f3e25b7..29cadb78b62c 100644 +--- a/mcstrans/src/mcstrans.c ++++ b/mcstrans/src/mcstrans.c +@@ -1663,10 +1663,8 @@ untrans_context(const security_context_t incon, security_context_t *rcon) { + return -1; + } + } +- if (canonical) { ++ if (canonical) + free(canonical); +- free(raw); +- } + if (add_cache(domain, raw, range) < 0) { + free(range); + free(raw); +-- +2.23.0 + diff --git a/0003-mcstrans-Do-not-accept-incomplete-contexts.patch b/0003-mcstrans-Do-not-accept-incomplete-contexts.patch new file mode 100644 index 0000000..1146adf --- /dev/null +++ b/0003-mcstrans-Do-not-accept-incomplete-contexts.patch 
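Review bot: The fix is right — `raw` is still handed to `add_cache(domain, raw, range)` on the line after the removed `free(raw)` — but the hunk leaves no trace of why that pointer must outlive the `if (canonical)` block, which is exactly how 0001 introduced the use-after-free; a comment on the surviving `if (canonical)` line would pin the ownership: `/* only canonical is ours to release here; raw is still used by add_cache() below */`. Because the spec applies 0001 and 0002 in sequence, the tree after 0001 alone contains this use-after-free on a code path that is presumably reachable from the daemon's socket request handler, so squashing 0002 into 0001 would avoid shipping a vulnerable intermediate revision to anyone bisecting or cherry-picking the series. untrans_context()'s body begins and ends outside the hunk, so what finally releases `raw` on the success path cannot be confirmed from here.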
@@ -0,0 +1,59 @@ +From 0173a950563b23080fd40433f55efcb1d6b77923 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Mon, 15 Apr 2019 15:22:51 +0200 +Subject: [PATCH] mcstrans: Do not accept incomplete contexts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: +$ python3 +> import selinux +> selinux.selinux_raw_context_to_color("xyz_u:xyz_r:xyz_t:") + +Traceback (most recent call last): + File "", line 2, in +OSError: [Errno 0] Error + +:: [ 10:25:45 ] :: [ BEGIN ] :: Running 'service mcstransd status' +Redirecting to /bin/systemctl status mcstransd.service +● mcstrans.service - Translates SELinux MCS/MLS labels to human readable form + Loaded: loaded (/usr/lib/systemd/system/mcstrans.service; disabled; vendor preset: disabled) + Active: failed (Result: core-dump) since Fri 2019-04-12 10:25:44 EDT; 1s ago + Process: 16681 ExecStart=/sbin/mcstransd -f (code=dumped, signal=SEGV) + Main PID: 16681 (code=dumped, signal=SEGV) + +systemd[1]: mcstrans.service: Main process exited, code=dumped, status=11/SEGV +systemd[1]: mcstrans.service: Failed with result 'core-dump'. 
+ +Signed-off-by: Petr Lautrbach +--- + mcstrans/src/mcscolor.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/mcstrans/src/mcscolor.c b/mcstrans/src/mcscolor.c +index 4ee0db507ef2..3a3a6de9a02b 100644 +--- a/mcstrans/src/mcscolor.c ++++ b/mcstrans/src/mcscolor.c +@@ -272,10 +272,14 @@ static const unsigned precedence[N_COLOR][N_COLOR - 1] = { + static const secolor_t default_color = { 0x000000, 0xffffff }; + + static int parse_components(context_t con, char **components) { +- components[COLOR_USER] = (char *)context_user_get(con); +- components[COLOR_ROLE] = (char *)context_role_get(con); +- components[COLOR_TYPE] = (char *)context_type_get(con); +- components[COLOR_RANGE] = (char *)context_range_get(con); ++ if ((components[COLOR_USER] = (char *)context_user_get(con)) == NULL) ++ return -1; ++ if ((components[COLOR_ROLE] = (char *)context_role_get(con)) == NULL) ++ return -1; ++ if ((components[COLOR_TYPE] = (char *)context_type_get(con)) == NULL) ++ return -1; ++ if ((components[COLOR_RANGE] = (char *)context_range_get(con)) == NULL) ++ return -1; + + return 0; + } +-- +2.23.0 + diff --git a/mcstrans-0.3.2-writepid.patch b/mcstrans-0.3.2-writepid.patch deleted file mode 100644 index 927782a..0000000 --- a/mcstrans-0.3.2-writepid.patch +++ /dev/null 
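Review bot: parse_components() now reports a missing component with -1, but the caller that indexes `components[]` afterwards is outside the hunk, so whether it honours the new return value rather than reading the partially filled array cannot be confirmed here; the reproducer in the description shows the crash being triggered by an unprivileged local client through selinux_raw_context_to_color(), i.e. a local denial of service of the daemon, so the failure has to propagate to an error reply instead of a default colour. A second consequence worth stating explicitly: a context with no range component, if any caller can present one, is now rejected outright rather than coloured by user/role/type alone, which may be intended but is a behaviour change beyond the crash fix. Consider a header comment on the function: `/* Reject contexts missing user, role, type or range: the caller dereferences every entry of components[] */`.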
@@ -1,51 +0,0 @@ -diff -up mcstrans-0.3.2/src/mcstransd.c.writepid mcstrans-0.3.2/src/mcstransd.c ---- mcstrans-0.3.2/src/mcstransd.c.writepid 2011-01-05 10:32:25.000000000 -0500 -+++ mcstrans-0.3.2/src/mcstransd.c 2012-02-01 16:14:02.085806490 -0500 -@@ -4,6 +4,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -556,6 +557,30 @@ void dropprivs(void) - cap_free(new_caps); - } - -+static const char *pidfile = "/var/run/mcstransd.pid"; -+ -+static int write_pid_file(void) -+{ -+ int pidfd, len; -+ char val[16]; -+ -+ len = snprintf(val, sizeof(val), "%u\n", getpid()); -+ if (len < 0) { -+ syslog(LOG_ERR, "Pid error (%s)", strerror(errno)); -+ pidfile = 0; -+ return 1; -+ } -+ pidfd = open(pidfile, O_CREAT | O_TRUNC | O_NOFOLLOW | O_WRONLY, 0644); -+ if (pidfd < 0) { -+ syslog(LOG_ERR, "Unable to set pidfile (%s)", strerror(errno)); -+ pidfile = 0; -+ return 1; -+ } -+ (void)write(pidfd, val, (unsigned int)len); -+ close(pidfd); -+ return 0; -+} -+ - int - main(int UNUSED(argc), char *argv[]) - { -@@ -582,6 +607,8 @@ main(int UNUSED(argc), char *argv[]) - } - #endif - -+ write_pid_file(); -+ - syslog(LOG_NOTICE, "%s initialized", argv[0]); - process_connections(); - diff --git a/mcstrans-0.3.3-inotify.patch b/mcstrans-0.3.3-inotify.patch deleted file mode 100644 index cf9122c..0000000 --- a/mcstrans-0.3.3-inotify.patch +++ /dev/null 
@@ -1,294 +0,0 @@ -diff -up mcstrans-0.3.3/src/mcstrans.c.inotify mcstrans-0.3.3/src/mcstrans.c ---- mcstrans-0.3.3/src/mcstrans.c.inotify 2011-12-06 08:45:02.000000000 -0500 -+++ mcstrans-0.3.3/src/mcstrans.c 2013-02-08 08:48:08.343787003 -0500 -@@ -1,6 +1,8 @@ - - /* Copyright (c) 2008-2009 Nall Design Works -- Copyright 2006 Trusted Computer Solutions, Inc. */ -+ Copyright 2006 Trusted Computer Solutions, Inc. -+ Copyright 2013 Red Hat, Inc. -+*/ - - /* - Exported Interface -@@ -12,6 +14,7 @@ - - */ - -+#include - #include - #include - #include -@@ -30,7 +33,7 @@ - #include - #include - #include -- -+#include - - #include "mls_level.h" - #include "mcstrans.h" -@@ -166,6 +169,30 @@ err: - } - - static int -+remove_from_hashtable(context_map_node_t **table, char *key) { -+ unsigned int bucket = hash(key) % N_BUCKETS; -+ context_map_node_t **n; -+ context_map_node_t **p = NULL; -+ context_map_node_t *next = NULL; -+ for (n = &table[bucket]; *n; n = &(*n)->next) { -+ if (!strcmp((*n)->key, key)) -+ break; -+ p = n; -+ } -+ if (! 
*n) -+ return -1; -+ -+ next = (*n)->next; -+ free(*n); -+ if (p) -+ (*p)->next = next; -+ else -+ table[bucket] = next; -+ -+ return 0; -+} -+ -+static int - numdigits(unsigned int n) - { - int count = 1; -@@ -665,6 +692,26 @@ find_in_table(context_map_node_t **table - return NULL; - } - -+static void -+remove_cache(domain_t *domain, char *raw) { -+ context_map_t *map=find_in_table(domain->raw_to_trans, raw); -+ if (!map) { -+ log_error("Failed to remove_cache (%s) does not exist\n", raw); -+ return; -+ } -+ log_debug(" remove_cache (%s,%s)\n", raw, map->trans); -+ if (remove_from_hashtable(domain->trans_to_raw, map->trans) < 0) { -+ log_error(" Failed to remove %s from trans_to_raw\n", map->trans); -+ } -+ -+ if (remove_from_hashtable(domain->raw_to_trans, raw) < 0) { -+ log_error(" Failed to remove %s from raw_to_trans\n", raw); -+ } -+ free(map->raw); -+ free(map->trans); -+ free(map); -+} -+ - char * - trim(char *str, const char *whitespace) { - char *p = str + strlen(str); -@@ -1760,3 +1809,113 @@ finish_context_translations(void) { - } - } - -+#define INOTIFY_WATCHDIR "/run/setrans" -+ -+/* size of the event structure, not counting name */ -+#define EVENT_SIZE (sizeof (struct inotify_event)) -+/* reasonable guess as to size of 1024 events */ -+#define BUF_LEN (1024 * (EVENT_SIZE + 16)) -+static domain_t *inotify_domain; -+ -+int add_inotify_cache(char *raw) { -+ char trans[BUF_LEN+1]; -+ char path[PATH_MAX]; -+ FILE *f; -+ size_t len; -+ domain_t *domain = domains; -+ for (;domain; domain = domain->next) { -+ context_map_t *map=find_in_table(domain->raw_to_trans, raw); -+ if (map) { -+ log_error("Failed to add translation %s to cache (%s,%s) already exists\n", raw, raw, map->trans); -+ return -1; -+ } -+ } -+ memset(trans,0, sizeof(trans)); -+ memset(path,0, sizeof(path)); -+ len = snprintf(path, sizeof(path), "%s/%s", INOTIFY_WATCHDIR, raw); -+ if (len >= sizeof(path)) { -+ log_error("Failed to open %s/%s, too large for buffer\n", INOTIFY_WATCHDIR, raw); -+ 
} -+ f = fopen(path, "r"); -+ if(! f) { -+ log_error("Failed to open %s %s\n", path, strerror(errno)); -+ return -1; -+ } -+ fread(trans, 1, BUF_LEN, f); -+ fclose(f); -+ return add_cache(inotify_domain, raw, trans); -+} -+ -+int process_inotify(int inotifyfd) { -+ int i = 0; -+ char buf[BUF_LEN+1]; -+ int len; -+ memset(buf,0, BUF_LEN); -+ len = read(inotifyfd, buf, BUF_LEN); -+ if (len < 0) { -+ return -1; -+ } else if (!len) -+ /* BUF_LEN too small? */ -+ return -1; -+ while (i < len) { -+ struct inotify_event *event; -+ event = (struct inotify_event *)&buf[i]; -+ if (event->mask & IN_DELETE) { -+ if (event->len && event->name[0] != '.') { -+ remove_cache(inotify_domain, event->name); -+ } -+ } -+ if (event->mask & IN_CREATE) { -+ if (event->len && event->name[0] != '.') { -+ (void) add_inotify_cache(event->name); -+ } -+ } -+ -+ i += EVENT_SIZE + event->len; -+ } -+ return 0; -+} -+ -+/* Watch INOTIFY_WATCHDIR for file creaton and deletion, then attempt to -+ add/remove the contents of these files to the cache. The name of the -+ file is the raw MLS/MCS label, while the contents are the Translation name. -+*/ -+int init_inotify(void) { -+ DIR *dir; -+ struct dirent *entry; -+ int fd = inotify_init1(IN_CLOEXEC); -+ if (fd < 0) { -+ syslog(LOG_ERR, "socket() failed: %m"); -+ return -1; -+ } -+ -+ if (inotify_add_watch(fd, INOTIFY_WATCHDIR, IN_CREATE | IN_DELETE) < 0) -+ { -+ syslog(LOG_ERR, "inotify_add_watch( %s ) failed: %m", INOTIFY_WATCHDIR); -+ goto err; -+ } -+ inotify_domain = create_domain("inotify"); -+ if (!inotify_domain) { -+ syslog(LOG_ERR, "create_domain(inotify) failed: %m"); -+ goto err; -+ } -+ -+ /* read all existing files in the INOTIFY_WATCHDIR and add them to the -+ cache. 
-+ */ -+ if ((dir = opendir(INOTIFY_WATCHDIR)) == NULL) { -+ syslog(LOG_ERR, "opendirs(%s) failed: %m", INOTIFY_WATCHDIR); -+ goto err; -+ } -+ while ((entry = readdir(dir)) != NULL) { -+ if (entry->d_name[0] != '.') -+ (void) add_inotify_cache(entry->d_name); -+ } -+ closedir(dir); -+ -+ return fd; -+ -+err: -+ close(fd); -+ return -1; -+} -diff -up mcstrans-0.3.3/src/mcstransd.c.inotify mcstrans-0.3.3/src/mcstransd.c ---- mcstrans-0.3.3/src/mcstransd.c.inotify 2013-02-08 08:37:32.772422371 -0500 -+++ mcstrans-0.3.3/src/mcstransd.c 2013-02-08 08:37:32.784422421 -0500 -@@ -60,6 +60,7 @@ extern int raw_color(const security_cont - #define SETRANSD_PROGNAME "mcstransd" - - static int sockfd = -1; /* socket we are listening on */ -+static int inotifyfd = -1; /* inotify socket we are listening on */ - - static volatile int restart_daemon = 0; - static void cleanup_exit(int ret) __attribute__ ((noreturn)); -@@ -354,19 +355,23 @@ process_events(struct pollfd **ufds, int - return -1; - } - } else { -- ret = service_request(connfd); -- if (ret) { -- if (ret < 0) { -- syslog(LOG_ERR, -- "Servicing of request " -- "failed for fd (%d)\n", -- connfd); -+ if (connfd == inotifyfd) { -+ process_inotify(inotifyfd); -+ } else { -+ ret = service_request(connfd); -+ if (ret) { -+ if (ret < 0) { -+ syslog(LOG_ERR, -+ "Servicing of request " -+ "failed for fd (%d)\n", -+ connfd); -+ } -+ /* Setup pollfd for deletion later. */ -+ (*ufds)[ii].fd = -1; -+ close(connfd); -+ /* So we don't get bothered later */ -+ revents = revents & ~(POLLHUP); - } -- /* Setup pollfd for deletion later. 
*/ -- (*ufds)[ii].fd = -1; -- close(connfd); -- /* So we don't get bothered later */ -- revents = revents & ~(POLLHUP); - } - } - revents = revents & ~(POLLIN | POLLPRI); -@@ -406,9 +411,9 @@ static void - process_connections(void) - { - int ret = 0; -- int nfds = 1; -+ int nfds = 2; - -- struct pollfd *ufds = (struct pollfd *)malloc(sizeof(struct pollfd)); -+ struct pollfd *ufds = (struct pollfd *)malloc(sizeof(struct pollfd)*nfds); - if (!ufds) { - syslog(LOG_ERR, "Failed to allocate a pollfd"); - cleanup_exit(1); -@@ -417,6 +422,10 @@ process_connections(void) - ufds[0].events = POLLIN|POLLPRI; - ufds[0].revents = 0; - -+ ufds[1].fd = inotifyfd; -+ ufds[1].events = POLLIN|POLLPRI; -+ ufds[1].revents = 0; -+ - while (1) { - if (restart_daemon) { - syslog(LOG_NOTICE, "Reload Translations"); -@@ -516,6 +525,11 @@ initialize(void) - cleanup_exit(1); - } - -+ inotifyfd = init_inotify(); -+ if (inotifyfd < 0) { -+ cleanup_exit(1); -+ } -+ - memset(&addr, 0, sizeof(addr)); - addr.sun_family = AF_UNIX; - strncpy(addr.sun_path, SETRANS_UNIX_SOCKET, sizeof(addr.sun_path) - 1); -diff -up mcstrans-0.3.3/src/mcstrans.h.inotify mcstrans-0.3.3/src/mcstrans.h ---- mcstrans-0.3.3/src/mcstrans.h.inotify 2011-12-06 08:45:02.000000000 -0500 -+++ mcstrans-0.3.3/src/mcstrans.h 2013-02-08 08:37:32.784422421 -0500 -@@ -6,4 +6,5 @@ extern int init_translations(void); - extern void finish_context_translations(void); - extern int trans_context(const security_context_t, security_context_t *); - extern int untrans_context(const security_context_t, security_context_t *); -- -+extern int init_inotify(void); -+extern int process_inotify(int inotifyfd); diff --git a/mcstrans-0.3.3-man.patch b/mcstrans-0.3.3-man.patch deleted file mode 100644 index 70c1631..0000000 --- a/mcstrans-0.3.3-man.patch +++ /dev/null 
@@ -1,197 +0,0 @@ -diff -up mcstrans-0.3.3/man/man8/mcstransd.8.man mcstrans-0.3.3/man/man8/mcstransd.8 ---- mcstrans-0.3.3/man/man8/mcstransd.8.man 2011-12-06 08:45:02.000000000 -0500 -+++ mcstrans-0.3.3/man/man8/mcstransd.8 2013-03-26 12:54:30.653747835 -0400 -@@ -11,7 +11,8 @@ This manual page describes the - .BR mcstransd - program. - .P --This daemon reads /etc/selinux/{SELINUXTYPE}/setrans.conf configuration file, and communicates with libselinux via a socket in /var/run/setrans. -+This daemon reads /etc/selinux/{SELINUXTYPE}/setrans.conf and /etc/selinux/{SELINUXTYPE}/secolors.conf configuration files, and communicates with libselinux via a socket in /var/run/setrans. -+It also watches for files created in /var/run/setrans and uses the contents of these files to generate translations to the names. For example writing a file /var/run/setrans/mydomain with content of s0:c1,c2 will cause mcstrans to translate s0:c1,c2 to mydomain. - - .SH "AUTHOR" - This man page was written by Dan Walsh . -diff -up mcstrans-0.3.3/man/man8/secolor.conf.8.man mcstrans-0.3.3/man/man8/secolor.conf.8 ---- mcstrans-0.3.3/man/man8/secolor.conf.8.man 2013-03-26 12:51:30.505001415 -0400 -+++ mcstrans-0.3.3/man/man8/secolor.conf.8 2013-03-26 12:51:30.504001411 -0400 -@@ -0,0 +1,180 @@ -+.TH "secolor.conf" "8" "08 April 2011" "SELinux API documentation" -+.SH "NAME" -+secolor.conf \- The SELinux color configuration file -+. -+.SH "DESCRIPTION" -+The -+.I /etc/selinux/{SELINUXTYPE}/secolor.conf -+configuation file controls the color to be associated to the context components associated to the -+.I raw -+context passed by -+.BR selinux_raw_context_to_color "(3)," -+when context related information is to be displayed in color by an SELinux-aware application. -+.sp -+.BR selinux_raw_context_to_color "(3)" -+obtains this color information from the active policy -+.B secolor.conf -+file as returned by -+.BR selinux_colors_path "(3)." -+. 
-+.SH "FILE FORMAT" -+The file format is as follows: -+.RS -+.B color -+.I color_name -+.BI "= #"color_mask -+.br -+[...] -+.sp -+.I context_component string -+.B = -+.I fg_color_name bg_color_name -+.br -+[...] -+.sp -+.RE -+ -+Where: -+.br -+.B color -+.RS -+The color keyword. Each color entry is on a new line. -+.RE -+.I color_name -+.RS -+A single word name for the color (e.g. red). -+.RE -+.I color_mask -+.RS -+A color mask starting with a hash (#) that describes the hexadecimal RGB colors with black being #000000 and white being #ffffff. -+.RE -+.I context_component -+.RS -+The context component name that must be one of the following: -+.br -+.RS -+user, role, type or range -+.RE -+Each -+.IR context_component " " string " ..." -+entry is on a new line. -+.RE -+.I string -+.RS -+This is the -+.I context_component -+string that will be matched with the -+.I raw -+context component passed by -+.BR selinux_raw_context_to_color "(3)." -+.br -+A wildcard '*' may be used to match any undefined string for the user, role and type -+.I context_component -+entries only. -+.RE -+ -+.I fg_color_name -+.RS -+The color_name string that will be used as the foreground color. -+A -+.I color_mask -+may also be used. -+.RE -+.I bg_color_name -+.RS -+The color_name string that will be used as the background color. -+A -+.I color_mask -+may also be used. -+.RE -+. 
-+.SH "EXAMPLES" -+Example 1 entries are: -+.RS -+color black = #000000 -+.br -+color green = #008000 -+.br -+color yellow = #ffff00 -+.br -+color blue = #0000ff -+.br -+color white = #ffffff -+.br -+color red = #ff0000 -+.br -+color orange = #ffa500 -+.br -+color tan = #D2B48C -+.sp -+user * = black white -+.br -+role * = white black -+.br -+type * = tan orange -+.br -+range s0\-s0:c0.c1023 = black green -+.br -+range s1\-s1:c0.c1023 = white green -+.br -+range s3\-s3:c0.c1023 = black tan -+.br -+range s5\-s5:c0.c1023 = white blue -+.br -+range s7\-s7:c0.c1023 = black red -+.br -+range s9\-s9:c0.c1023 = black orange -+.br -+range s15:c0.c1023 = black yellow -+.RE -+ -+.sp -+Example 2 entries are: -+.RS -+color black = #000000 -+.br -+color green = #008000 -+.br -+color yellow = #ffff00 -+.br -+color blue = #0000ff -+.br -+color white = #ffffff -+.br -+color red = #ff0000 -+.br -+color orange = #ffa500 -+.br -+color tan = #d2b48c -+.sp -+user unconfined_u = #ff0000 green -+.br -+role unconfined_r = red #ffffff -+.br -+type unconfined_t = red orange -+.br -+user user_u = black green -+.br -+role user_r = white black -+.br -+type user_t = tan red -+.br -+user xguest_u = black yellow -+.br -+role xguest_r = black red -+.br -+type xguest_t = black green -+.br -+user sysadm_u = white black -+.br -+range s0:c0.c1023 = black white -+.br -+user * = black white -+.br -+role * = black white -+.br -+type * = black white -+.RE -+. -+.SH "SEE ALSO" -+.BR mcstransd "(8), " selinux_raw_context_to_color "(3), " selinux_colors_path "(3)" diff --git a/mcstrans.spec b/mcstrans.spec index 84526ac..8969730 100644 --- a/mcstrans.spec +++ b/mcstrans.spec 
@@ -1,12 +1,12 @@ Summary: SELinux Translation Daemon Name: mcstrans Version: 3.0 -Release: 0.rc1.1%{?dist} +Release: 1%{?dist} License: GPL+ Url: https://github.com/SELinuxProject/selinux/wiki -Source: https://github.com/SELinuxProject/selinux/releases/download/20191031/mcstrans-3.0-rc1.tar.gz +Source: https://github.com/SELinuxProject/selinux/releases/download/20191204/mcstrans-3.0.tar.gz Source2: secolor.conf.8 -# fedora-selinux/selinux: git format-patch -N mcstrans-3.0-rc1 -- mcstrans +# fedora-selinux/selinux: git format-patch -N mcstrans-3.0 -- mcstrans # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done # Patch list start Patch0001: 0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch @@ -37,7 +37,7 @@ mcstrans provides an translation daemon to translate SELinux categories from internal representations to user defined representation. %prep -%autosetup -p 2 -n mcstrans-%{version}-rc1 +%autosetup -p 2 -n mcstrans-%{version} %build %set_build_flags @@ -93,6 +93,9 @@ install -m644 %{SOURCE2} %{buildroot}%{_mandir}/man8/ %{_usr}/share/mcstrans/util/* %changelog +* Fri Dec 6 2019 Petr Lautrbach - 3.0-1 +- SELinux userspace 3.0 release + * Mon Nov 11 2019 Petr Lautrbach - 3.0-0.rc1.1 - SELinux userspace 3.0-rc1 release candidate diff --git a/sources b/sources index c13f5a3..cbbdf54 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (mcstrans-3.0-rc1.tar.gz) = b5d5bb88488bed6ee2b09be4cc7439cdec24a644ec08c70748fc520bccc2ca22e9f944ab06e952dadd1010f7f7cec1f4e77c54a357bb1cfe5376bf2e20ff2139 +SHA512 (mcstrans-3.0.tar.gz) = 02d9754daf1f85941cc8eea934931b6963d1a2133f6f313a2c7fc6a485687add434d587eeac96bfaf2b490c8e1cea34514a7689f880ebb49ca59ebf9b8956eba