SELinux userspace 3.0 release
parent
bd1e6b9762
commit
1fd4fb2b1e
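--- a/.gitignore
+++ b/.gitignore
@@ -28,3 +28,4 @@ mcstrans-0.3.1.tgz
 /mcstrans-2.9-rc2.tar.gz
 /mcstrans-2.9.tar.gz
 /mcstrans-3.0-rc1.tar.gz
+/mcstrans-3.0.tar.gz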
129
0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
Normal file
129
0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
Normal file
@ -0,0 +1,129 @@
|
|||||||
|
From a9eae01e435c2d6f13f3672a50f545bab03e9992 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Lautrbach <plautrba@redhat.com>
|
||||||
|
Date: Wed, 28 Nov 2018 18:28:05 +0100
|
||||||
|
Subject: [PATCH] mcstrans: Fir RESOURCE_LEAK and USE_AFTER_FREE coverity scan
|
||||||
|
defects
|
||||||
|
|
||||||
|
---
|
||||||
|
mcstrans/src/mcstrans.c | 21 +++++++++++++++++++--
|
||||||
|
mcstrans/src/mcstransd.c | 4 +++-
|
||||||
|
2 files changed, 22 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
|
||||||
|
index 96bdbdff7d8b..0d9d0f3e25b7 100644
|
||||||
|
--- a/mcstrans/src/mcstrans.c
|
||||||
|
+++ b/mcstrans/src/mcstrans.c
|
||||||
|
@@ -633,16 +633,23 @@ add_cache(domain_t *domain, char *raw, char *trans) {
|
||||||
|
|
||||||
|
map->raw = strdup(raw);
|
||||||
|
if (!map->raw) {
|
||||||
|
+ free(map);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
map->trans = strdup(trans);
|
||||||
|
if (!map->trans) {
|
||||||
|
+ free(map->raw);
|
||||||
|
+ free(map);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
log_debug(" add_cache (%s,%s)\n", raw, trans);
|
||||||
|
- if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0)
|
||||||
|
+ if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0) {
|
||||||
|
+ free(map->trans);
|
||||||
|
+ free(map->raw);
|
||||||
|
+ free(map);
|
||||||
|
goto err;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (add_to_hashtable(domain->trans_to_raw, map->trans, map) < 0)
|
||||||
|
goto err;
|
||||||
|
@@ -1519,6 +1526,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
|
||||||
|
trans = compute_trans_from_raw(range, domain);
|
||||||
|
if (trans)
|
||||||
|
if (add_cache(domain, range, trans) < 0) {
|
||||||
|
+ free(trans);
|
||||||
|
free(range);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
@@ -1530,6 +1538,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
|
||||||
|
ltrans = compute_trans_from_raw(lrange, domain);
|
||||||
|
if (ltrans) {
|
||||||
|
if (add_cache(domain, lrange, ltrans) < 0) {
|
||||||
|
+ free(ltrans);
|
||||||
|
free(range);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
@@ -1548,6 +1557,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
|
||||||
|
utrans = compute_trans_from_raw(urange, domain);
|
||||||
|
if (utrans) {
|
||||||
|
if (add_cache(domain, urange, utrans) < 0) {
|
||||||
|
+ free(utrans);
|
||||||
|
free(ltrans);
|
||||||
|
free(range);
|
||||||
|
return -1;
|
||||||
|
@@ -1647,14 +1657,19 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
|
||||||
|
canonical = compute_trans_from_raw(raw, domain);
|
||||||
|
if (canonical && strcmp(canonical, range))
|
||||||
|
if (add_cache(domain, raw, canonical) < 0) {
|
||||||
|
+ free(canonical);
|
||||||
|
free(range);
|
||||||
|
+ free(raw);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- if (canonical)
|
||||||
|
+ if (canonical) {
|
||||||
|
free(canonical);
|
||||||
|
+ free(raw);
|
||||||
|
+ }
|
||||||
|
if (add_cache(domain, raw, range) < 0) {
|
||||||
|
free(range);
|
||||||
|
+ free(raw);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
@@ -1672,6 +1687,7 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
|
||||||
|
canonical = compute_trans_from_raw(lraw, domain);
|
||||||
|
if (canonical)
|
||||||
|
if (add_cache(domain, lraw, canonical) < 0) {
|
||||||
|
+ free(canonical);
|
||||||
|
free(lraw);
|
||||||
|
free(range);
|
||||||
|
return -1;
|
||||||
|
@@ -1703,6 +1719,7 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
|
||||||
|
canonical = compute_trans_from_raw(uraw, domain);
|
||||||
|
if (canonical)
|
||||||
|
if (add_cache(domain, uraw, canonical) < 0) {
|
||||||
|
+ free(canonical);
|
||||||
|
free(uraw);
|
||||||
|
free(lraw);
|
||||||
|
free(range);
|
||||||
|
diff --git a/mcstrans/src/mcstransd.c b/mcstrans/src/mcstransd.c
|
||||||
|
index 858994932e4f..a1ec81acb3c8 100644
|
||||||
|
--- a/mcstrans/src/mcstransd.c
|
||||||
|
+++ b/mcstrans/src/mcstransd.c
|
||||||
|
@@ -335,6 +335,7 @@ process_events(struct pollfd **ufds, int *nfds)
|
||||||
|
/* Setup pollfd for deletion later. */
|
||||||
|
(*ufds)[ii].fd = -1;
|
||||||
|
close(connfd);
|
||||||
|
+ connfd = -1;
|
||||||
|
/* So we don't get bothered later */
|
||||||
|
revents = revents & ~(POLLHUP);
|
||||||
|
}
|
||||||
|
@@ -348,10 +349,11 @@ process_events(struct pollfd **ufds, int *nfds)
|
||||||
|
/* Set the pollfd up for deletion later. */
|
||||||
|
(*ufds)[ii].fd = -1;
|
||||||
|
close(connfd);
|
||||||
|
+ connfd = -1;
|
||||||
|
|
||||||
|
revents = revents & ~(POLLHUP);
|
||||||
|
}
|
||||||
|
- if (revents) {
|
||||||
|
+ if (revents && connfd != -1) {
|
||||||
|
syslog(LOG_ERR, "Unknown/error events (%x) encountered"
|
||||||
|
" for fd (%d)\n", revents, connfd);
|
||||||
|
|
||||||
|
--
|
||||||
|
2.23.0
|
||||||
|
|
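Review bot: The cleanup added to add_cache stops one failure short: when the second add_to_hashtable (into domain->trans_to_raw) fails, map has already been linked into domain->raw_to_trans, so the bare `goto err;` left on that path leaves a half-registered node, and freeing it the way the other paths now do would leave a dangling pointer in raw_to_trans. The node has to be unlinked from raw_to_trans before its three buffers are released; no remove helper is visible in this patch, so at minimum a comment such as `/* map is already in raw_to_trans: unlink it before freeing, or the table dangles */` should mark the asymmetry, and the err: label that decides what happens next is outside the hunk. Separately, the `free(raw);` added inside `if (canonical) {` in untrans_context is immediately followed by `add_cache(domain, raw, range)`, a use-after-free; the 0002 patch added by this same commit reverts exactly that, so the two could be squashed the next time the series is regenerated with git format-patch.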
28
0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch
Normal file
28
0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
From d09b54cfffaa3923c22bb3ff7818cb4a19325905 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Lautrbach <plautrba@redhat.com>
|
||||||
|
Date: Thu, 9 May 2019 16:44:43 +0200
|
||||||
|
Subject: [PATCH] mcstrans: Fix USER_AFTER_FREE problem
|
||||||
|
|
||||||
|
---
|
||||||
|
mcstrans/src/mcstrans.c | 4 +---
|
||||||
|
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
|
||||||
|
index 0d9d0f3e25b7..29cadb78b62c 100644
|
||||||
|
--- a/mcstrans/src/mcstrans.c
|
||||||
|
+++ b/mcstrans/src/mcstrans.c
|
||||||
|
@@ -1663,10 +1663,8 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- if (canonical) {
|
||||||
|
+ if (canonical)
|
||||||
|
free(canonical);
|
||||||
|
- free(raw);
|
||||||
|
- }
|
||||||
|
if (add_cache(domain, raw, range) < 0) {
|
||||||
|
free(range);
|
||||||
|
free(raw);
|
||||||
|
--
|
||||||
|
2.23.0
|
||||||
|
|
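Review bot: After this revert, raw is released inside the hunk only on the add_cache failure path (`free(range); free(raw);`), and whether the success path that follows frees it is outside the hunk; since add_cache strdup()s both its arguments in the 0001 patch of this same commit, it does not take ownership, so if the success path does not free raw the leak that 0001 set out to close is back in the canonical case. The revert itself is the right call: `raw` is handed to `add_cache(domain, raw, range)` on the line right after the block that freed it. untrans_context starts and ends outside the hunk.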
59
0003-mcstrans-Do-not-accept-incomplete-contexts.patch
Normal file
59
0003-mcstrans-Do-not-accept-incomplete-contexts.patch
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
From 0173a950563b23080fd40433f55efcb1d6b77923 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Lautrbach <plautrba@redhat.com>
|
||||||
|
Date: Mon, 15 Apr 2019 15:22:51 +0200
|
||||||
|
Subject: [PATCH] mcstrans: Do not accept incomplete contexts
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Fixes:
|
||||||
|
$ python3
|
||||||
|
> import selinux
|
||||||
|
> selinux.selinux_raw_context_to_color("xyz_u:xyz_r:xyz_t:")
|
||||||
|
|
||||||
|
Traceback (most recent call last):
|
||||||
|
File "<stdin>", line 2, in <module>
|
||||||
|
OSError: [Errno 0] Error
|
||||||
|
|
||||||
|
:: [ 10:25:45 ] :: [ BEGIN ] :: Running 'service mcstransd status'
|
||||||
|
Redirecting to /bin/systemctl status mcstransd.service
|
||||||
|
● mcstrans.service - Translates SELinux MCS/MLS labels to human readable form
|
||||||
|
Loaded: loaded (/usr/lib/systemd/system/mcstrans.service; disabled; vendor preset: disabled)
|
||||||
|
Active: failed (Result: core-dump) since Fri 2019-04-12 10:25:44 EDT; 1s ago
|
||||||
|
Process: 16681 ExecStart=/sbin/mcstransd -f (code=dumped, signal=SEGV)
|
||||||
|
Main PID: 16681 (code=dumped, signal=SEGV)
|
||||||
|
|
||||||
|
systemd[1]: mcstrans.service: Main process exited, code=dumped, status=11/SEGV
|
||||||
|
systemd[1]: mcstrans.service: Failed with result 'core-dump'.
|
||||||
|
|
||||||
|
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
|
||||||
|
---
|
||||||
|
mcstrans/src/mcscolor.c | 12 ++++++++----
|
||||||
|
1 file changed, 8 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/mcstrans/src/mcscolor.c b/mcstrans/src/mcscolor.c
|
||||||
|
index 4ee0db507ef2..3a3a6de9a02b 100644
|
||||||
|
--- a/mcstrans/src/mcscolor.c
|
||||||
|
+++ b/mcstrans/src/mcscolor.c
|
||||||
|
@@ -272,10 +272,14 @@ static const unsigned precedence[N_COLOR][N_COLOR - 1] = {
|
||||||
|
static const secolor_t default_color = { 0x000000, 0xffffff };
|
||||||
|
|
||||||
|
static int parse_components(context_t con, char **components) {
|
||||||
|
- components[COLOR_USER] = (char *)context_user_get(con);
|
||||||
|
- components[COLOR_ROLE] = (char *)context_role_get(con);
|
||||||
|
- components[COLOR_TYPE] = (char *)context_type_get(con);
|
||||||
|
- components[COLOR_RANGE] = (char *)context_range_get(con);
|
||||||
|
+ if ((components[COLOR_USER] = (char *)context_user_get(con)) == NULL)
|
||||||
|
+ return -1;
|
||||||
|
+ if ((components[COLOR_ROLE] = (char *)context_role_get(con)) == NULL)
|
||||||
|
+ return -1;
|
||||||
|
+ if ((components[COLOR_TYPE] = (char *)context_type_get(con)) == NULL)
|
||||||
|
+ return -1;
|
||||||
|
+ if ((components[COLOR_RANGE] = (char *)context_range_get(con)) == NULL)
|
||||||
|
+ return -1;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.23.0
|
||||||
|
|
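Review bot: parse_components now has a failure return but nothing documents it, and the callers that previously could not see a failure are outside the hunk; a header comment such as `/* Fill components[] from con. Returns -1 if the user, role, type or range component is missing (e.g. "u:r:t:" has no range), 0 otherwise; callers must check before indexing components[]. */` would make the new contract visible where the crash used to originate. A minor style point: the `(char *)` casts suggest the context_*_get() accessors return `const char *`, and dropping that const is only safe as long as nothing writes through components[]; declaring the parameter `const char **components` would let the compiler enforce it, though that changes the signature seen by callers outside the hunk.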
@ -1,51 +0,0 @@
|
|||||||
diff -up mcstrans-0.3.2/src/mcstransd.c.writepid mcstrans-0.3.2/src/mcstransd.c
|
|
||||||
--- mcstrans-0.3.2/src/mcstransd.c.writepid 2011-01-05 10:32:25.000000000 -0500
|
|
||||||
+++ mcstrans-0.3.2/src/mcstransd.c 2012-02-01 16:14:02.085806490 -0500
|
|
||||||
@@ -4,6 +4,7 @@
|
|
||||||
#include <sys/socket.h>
|
|
||||||
#include <sys/poll.h>
|
|
||||||
#include <sys/stat.h>
|
|
||||||
+#include <fcntl.h>
|
|
||||||
#include <sys/un.h>
|
|
||||||
#include <errno.h>
|
|
||||||
#include <stdint.h>
|
|
||||||
@@ -556,6 +557,30 @@ void dropprivs(void)
|
|
||||||
cap_free(new_caps);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static const char *pidfile = "/var/run/mcstransd.pid";
|
|
||||||
+
|
|
||||||
+static int write_pid_file(void)
|
|
||||||
+{
|
|
||||||
+ int pidfd, len;
|
|
||||||
+ char val[16];
|
|
||||||
+
|
|
||||||
+ len = snprintf(val, sizeof(val), "%u\n", getpid());
|
|
||||||
+ if (len < 0) {
|
|
||||||
+ syslog(LOG_ERR, "Pid error (%s)", strerror(errno));
|
|
||||||
+ pidfile = 0;
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+ pidfd = open(pidfile, O_CREAT | O_TRUNC | O_NOFOLLOW | O_WRONLY, 0644);
|
|
||||||
+ if (pidfd < 0) {
|
|
||||||
+ syslog(LOG_ERR, "Unable to set pidfile (%s)", strerror(errno));
|
|
||||||
+ pidfile = 0;
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+ (void)write(pidfd, val, (unsigned int)len);
|
|
||||||
+ close(pidfd);
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int
|
|
||||||
main(int UNUSED(argc), char *argv[])
|
|
||||||
{
|
|
||||||
@@ -582,6 +607,8 @@ main(int UNUSED(argc), char *argv[])
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+ write_pid_file();
|
|
||||||
+
|
|
||||||
syslog(LOG_NOTICE, "%s initialized", argv[0]);
|
|
||||||
process_connections();
|
|
||||||
|
|
@ -1,294 +0,0 @@
|
|||||||
diff -up mcstrans-0.3.3/src/mcstrans.c.inotify mcstrans-0.3.3/src/mcstrans.c
|
|
||||||
--- mcstrans-0.3.3/src/mcstrans.c.inotify 2011-12-06 08:45:02.000000000 -0500
|
|
||||||
+++ mcstrans-0.3.3/src/mcstrans.c 2013-02-08 08:48:08.343787003 -0500
|
|
||||||
@@ -1,6 +1,8 @@
|
|
||||||
|
|
||||||
/* Copyright (c) 2008-2009 Nall Design Works
|
|
||||||
- Copyright 2006 Trusted Computer Solutions, Inc. */
|
|
||||||
+ Copyright 2006 Trusted Computer Solutions, Inc.
|
|
||||||
+ Copyright 2013 Red Hat, Inc.
|
|
||||||
+*/
|
|
||||||
|
|
||||||
/*
|
|
||||||
Exported Interface
|
|
||||||
@@ -12,6 +14,7 @@
|
|
||||||
|
|
||||||
*/
|
|
||||||
|
|
||||||
+#include <dirent.h>
|
|
||||||
#include <math.h>
|
|
||||||
#include <glob.h>
|
|
||||||
#include <values.h>
|
|
||||||
@@ -30,7 +33,7 @@
|
|
||||||
#include <ctype.h>
|
|
||||||
#include <time.h>
|
|
||||||
#include <sys/time.h>
|
|
||||||
-
|
|
||||||
+#include <sys/inotify.h>
|
|
||||||
|
|
||||||
#include "mls_level.h"
|
|
||||||
#include "mcstrans.h"
|
|
||||||
@@ -166,6 +169,30 @@ err:
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
+remove_from_hashtable(context_map_node_t **table, char *key) {
|
|
||||||
+ unsigned int bucket = hash(key) % N_BUCKETS;
|
|
||||||
+ context_map_node_t **n;
|
|
||||||
+ context_map_node_t **p = NULL;
|
|
||||||
+ context_map_node_t *next = NULL;
|
|
||||||
+ for (n = &table[bucket]; *n; n = &(*n)->next) {
|
|
||||||
+ if (!strcmp((*n)->key, key))
|
|
||||||
+ break;
|
|
||||||
+ p = n;
|
|
||||||
+ }
|
|
||||||
+ if (! *n)
|
|
||||||
+ return -1;
|
|
||||||
+
|
|
||||||
+ next = (*n)->next;
|
|
||||||
+ free(*n);
|
|
||||||
+ if (p)
|
|
||||||
+ (*p)->next = next;
|
|
||||||
+ else
|
|
||||||
+ table[bucket] = next;
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
numdigits(unsigned int n)
|
|
||||||
{
|
|
||||||
int count = 1;
|
|
||||||
@@ -665,6 +692,26 @@ find_in_table(context_map_node_t **table
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void
|
|
||||||
+remove_cache(domain_t *domain, char *raw) {
|
|
||||||
+ context_map_t *map=find_in_table(domain->raw_to_trans, raw);
|
|
||||||
+ if (!map) {
|
|
||||||
+ log_error("Failed to remove_cache (%s) does not exist\n", raw);
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+ log_debug(" remove_cache (%s,%s)\n", raw, map->trans);
|
|
||||||
+ if (remove_from_hashtable(domain->trans_to_raw, map->trans) < 0) {
|
|
||||||
+ log_error(" Failed to remove %s from trans_to_raw\n", map->trans);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (remove_from_hashtable(domain->raw_to_trans, raw) < 0) {
|
|
||||||
+ log_error(" Failed to remove %s from raw_to_trans\n", raw);
|
|
||||||
+ }
|
|
||||||
+ free(map->raw);
|
|
||||||
+ free(map->trans);
|
|
||||||
+ free(map);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
char *
|
|
||||||
trim(char *str, const char *whitespace) {
|
|
||||||
char *p = str + strlen(str);
|
|
||||||
@@ -1760,3 +1809,113 @@ finish_context_translations(void) {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+#define INOTIFY_WATCHDIR "/run/setrans"
|
|
||||||
+
|
|
||||||
+/* size of the event structure, not counting name */
|
|
||||||
+#define EVENT_SIZE (sizeof (struct inotify_event))
|
|
||||||
+/* reasonable guess as to size of 1024 events */
|
|
||||||
+#define BUF_LEN (1024 * (EVENT_SIZE + 16))
|
|
||||||
+static domain_t *inotify_domain;
|
|
||||||
+
|
|
||||||
+int add_inotify_cache(char *raw) {
|
|
||||||
+ char trans[BUF_LEN+1];
|
|
||||||
+ char path[PATH_MAX];
|
|
||||||
+ FILE *f;
|
|
||||||
+ size_t len;
|
|
||||||
+ domain_t *domain = domains;
|
|
||||||
+ for (;domain; domain = domain->next) {
|
|
||||||
+ context_map_t *map=find_in_table(domain->raw_to_trans, raw);
|
|
||||||
+ if (map) {
|
|
||||||
+ log_error("Failed to add translation %s to cache (%s,%s) already exists\n", raw, raw, map->trans);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ memset(trans,0, sizeof(trans));
|
|
||||||
+ memset(path,0, sizeof(path));
|
|
||||||
+ len = snprintf(path, sizeof(path), "%s/%s", INOTIFY_WATCHDIR, raw);
|
|
||||||
+ if (len >= sizeof(path)) {
|
|
||||||
+ log_error("Failed to open %s/%s, too large for buffer\n", INOTIFY_WATCHDIR, raw);
|
|
||||||
+ }
|
|
||||||
+ f = fopen(path, "r");
|
|
||||||
+ if(! f) {
|
|
||||||
+ log_error("Failed to open %s %s\n", path, strerror(errno));
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ fread(trans, 1, BUF_LEN, f);
|
|
||||||
+ fclose(f);
|
|
||||||
+ return add_cache(inotify_domain, raw, trans);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int process_inotify(int inotifyfd) {
|
|
||||||
+ int i = 0;
|
|
||||||
+ char buf[BUF_LEN+1];
|
|
||||||
+ int len;
|
|
||||||
+ memset(buf,0, BUF_LEN);
|
|
||||||
+ len = read(inotifyfd, buf, BUF_LEN);
|
|
||||||
+ if (len < 0) {
|
|
||||||
+ return -1;
|
|
||||||
+ } else if (!len)
|
|
||||||
+ /* BUF_LEN too small? */
|
|
||||||
+ return -1;
|
|
||||||
+ while (i < len) {
|
|
||||||
+ struct inotify_event *event;
|
|
||||||
+ event = (struct inotify_event *)&buf[i];
|
|
||||||
+ if (event->mask & IN_DELETE) {
|
|
||||||
+ if (event->len && event->name[0] != '.') {
|
|
||||||
+ remove_cache(inotify_domain, event->name);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ if (event->mask & IN_CREATE) {
|
|
||||||
+ if (event->len && event->name[0] != '.') {
|
|
||||||
+ (void) add_inotify_cache(event->name);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ i += EVENT_SIZE + event->len;
|
|
||||||
+ }
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* Watch INOTIFY_WATCHDIR for file creaton and deletion, then attempt to
|
|
||||||
+ add/remove the contents of these files to the cache. The name of the
|
|
||||||
+ file is the raw MLS/MCS label, while the contents are the Translation name.
|
|
||||||
+*/
|
|
||||||
+int init_inotify(void) {
|
|
||||||
+ DIR *dir;
|
|
||||||
+ struct dirent *entry;
|
|
||||||
+ int fd = inotify_init1(IN_CLOEXEC);
|
|
||||||
+ if (fd < 0) {
|
|
||||||
+ syslog(LOG_ERR, "socket() failed: %m");
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (inotify_add_watch(fd, INOTIFY_WATCHDIR, IN_CREATE | IN_DELETE) < 0)
|
|
||||||
+ {
|
|
||||||
+ syslog(LOG_ERR, "inotify_add_watch( %s ) failed: %m", INOTIFY_WATCHDIR);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ inotify_domain = create_domain("inotify");
|
|
||||||
+ if (!inotify_domain) {
|
|
||||||
+ syslog(LOG_ERR, "create_domain(inotify) failed: %m");
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* read all existing files in the INOTIFY_WATCHDIR and add them to the
|
|
||||||
+ cache.
|
|
||||||
+ */
|
|
||||||
+ if ((dir = opendir(INOTIFY_WATCHDIR)) == NULL) {
|
|
||||||
+ syslog(LOG_ERR, "opendirs(%s) failed: %m", INOTIFY_WATCHDIR);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ while ((entry = readdir(dir)) != NULL) {
|
|
||||||
+ if (entry->d_name[0] != '.')
|
|
||||||
+ (void) add_inotify_cache(entry->d_name);
|
|
||||||
+ }
|
|
||||||
+ closedir(dir);
|
|
||||||
+
|
|
||||||
+ return fd;
|
|
||||||
+
|
|
||||||
+err:
|
|
||||||
+ close(fd);
|
|
||||||
+ return -1;
|
|
||||||
+}
|
|
||||||
diff -up mcstrans-0.3.3/src/mcstransd.c.inotify mcstrans-0.3.3/src/mcstransd.c
|
|
||||||
--- mcstrans-0.3.3/src/mcstransd.c.inotify 2013-02-08 08:37:32.772422371 -0500
|
|
||||||
+++ mcstrans-0.3.3/src/mcstransd.c 2013-02-08 08:37:32.784422421 -0500
|
|
||||||
@@ -60,6 +60,7 @@ extern int raw_color(const security_cont
|
|
||||||
#define SETRANSD_PROGNAME "mcstransd"
|
|
||||||
|
|
||||||
static int sockfd = -1; /* socket we are listening on */
|
|
||||||
+static int inotifyfd = -1; /* inotify socket we are listening on */
|
|
||||||
|
|
||||||
static volatile int restart_daemon = 0;
|
|
||||||
static void cleanup_exit(int ret) __attribute__ ((noreturn));
|
|
||||||
@@ -354,19 +355,23 @@ process_events(struct pollfd **ufds, int
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
- ret = service_request(connfd);
|
|
||||||
- if (ret) {
|
|
||||||
- if (ret < 0) {
|
|
||||||
- syslog(LOG_ERR,
|
|
||||||
- "Servicing of request "
|
|
||||||
- "failed for fd (%d)\n",
|
|
||||||
- connfd);
|
|
||||||
+ if (connfd == inotifyfd) {
|
|
||||||
+ process_inotify(inotifyfd);
|
|
||||||
+ } else {
|
|
||||||
+ ret = service_request(connfd);
|
|
||||||
+ if (ret) {
|
|
||||||
+ if (ret < 0) {
|
|
||||||
+ syslog(LOG_ERR,
|
|
||||||
+ "Servicing of request "
|
|
||||||
+ "failed for fd (%d)\n",
|
|
||||||
+ connfd);
|
|
||||||
+ }
|
|
||||||
+ /* Setup pollfd for deletion later. */
|
|
||||||
+ (*ufds)[ii].fd = -1;
|
|
||||||
+ close(connfd);
|
|
||||||
+ /* So we don't get bothered later */
|
|
||||||
+ revents = revents & ~(POLLHUP);
|
|
||||||
}
|
|
||||||
- /* Setup pollfd for deletion later. */
|
|
||||||
- (*ufds)[ii].fd = -1;
|
|
||||||
- close(connfd);
|
|
||||||
- /* So we don't get bothered later */
|
|
||||||
- revents = revents & ~(POLLHUP);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
revents = revents & ~(POLLIN | POLLPRI);
|
|
||||||
@@ -406,9 +411,9 @@ static void
|
|
||||||
process_connections(void)
|
|
||||||
{
|
|
||||||
int ret = 0;
|
|
||||||
- int nfds = 1;
|
|
||||||
+ int nfds = 2;
|
|
||||||
|
|
||||||
- struct pollfd *ufds = (struct pollfd *)malloc(sizeof(struct pollfd));
|
|
||||||
+ struct pollfd *ufds = (struct pollfd *)malloc(sizeof(struct pollfd)*nfds);
|
|
||||||
if (!ufds) {
|
|
||||||
syslog(LOG_ERR, "Failed to allocate a pollfd");
|
|
||||||
cleanup_exit(1);
|
|
||||||
@@ -417,6 +422,10 @@ process_connections(void)
|
|
||||||
ufds[0].events = POLLIN|POLLPRI;
|
|
||||||
ufds[0].revents = 0;
|
|
||||||
|
|
||||||
+ ufds[1].fd = inotifyfd;
|
|
||||||
+ ufds[1].events = POLLIN|POLLPRI;
|
|
||||||
+ ufds[1].revents = 0;
|
|
||||||
+
|
|
||||||
while (1) {
|
|
||||||
if (restart_daemon) {
|
|
||||||
syslog(LOG_NOTICE, "Reload Translations");
|
|
||||||
@@ -516,6 +525,11 @@ initialize(void)
|
|
||||||
cleanup_exit(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ inotifyfd = init_inotify();
|
|
||||||
+ if (inotifyfd < 0) {
|
|
||||||
+ cleanup_exit(1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
memset(&addr, 0, sizeof(addr));
|
|
||||||
addr.sun_family = AF_UNIX;
|
|
||||||
strncpy(addr.sun_path, SETRANS_UNIX_SOCKET, sizeof(addr.sun_path) - 1);
|
|
||||||
diff -up mcstrans-0.3.3/src/mcstrans.h.inotify mcstrans-0.3.3/src/mcstrans.h
|
|
||||||
--- mcstrans-0.3.3/src/mcstrans.h.inotify 2011-12-06 08:45:02.000000000 -0500
|
|
||||||
+++ mcstrans-0.3.3/src/mcstrans.h 2013-02-08 08:37:32.784422421 -0500
|
|
||||||
@@ -6,4 +6,5 @@ extern int init_translations(void);
|
|
||||||
extern void finish_context_translations(void);
|
|
||||||
extern int trans_context(const security_context_t, security_context_t *);
|
|
||||||
extern int untrans_context(const security_context_t, security_context_t *);
|
|
||||||
-
|
|
||||||
+extern int init_inotify(void);
|
|
||||||
+extern int process_inotify(int inotifyfd);
|
|
@ -1,197 +0,0 @@
|
|||||||
diff -up mcstrans-0.3.3/man/man8/mcstransd.8.man mcstrans-0.3.3/man/man8/mcstransd.8
|
|
||||||
--- mcstrans-0.3.3/man/man8/mcstransd.8.man 2011-12-06 08:45:02.000000000 -0500
|
|
||||||
+++ mcstrans-0.3.3/man/man8/mcstransd.8 2013-03-26 12:54:30.653747835 -0400
|
|
||||||
@@ -11,7 +11,8 @@ This manual page describes the
|
|
||||||
.BR mcstransd
|
|
||||||
program.
|
|
||||||
.P
|
|
||||||
-This daemon reads /etc/selinux/{SELINUXTYPE}/setrans.conf configuration file, and communicates with libselinux via a socket in /var/run/setrans.
|
|
||||||
+This daemon reads /etc/selinux/{SELINUXTYPE}/setrans.conf and /etc/selinux/{SELINUXTYPE}/secolors.conf configuration files, and communicates with libselinux via a socket in /var/run/setrans.
|
|
||||||
+It also watches for files created in /var/run/setrans and uses the contents of these files to generate translations to the names. For example writing a file /var/run/setrans/mydomain with content of s0:c1,c2 will cause mcstrans to translate s0:c1,c2 to mydomain.
|
|
||||||
|
|
||||||
.SH "AUTHOR"
|
|
||||||
This man page was written by Dan Walsh <dwalsh@redhat.com>.
|
|
||||||
diff -up mcstrans-0.3.3/man/man8/secolor.conf.8.man mcstrans-0.3.3/man/man8/secolor.conf.8
|
|
||||||
--- mcstrans-0.3.3/man/man8/secolor.conf.8.man 2013-03-26 12:51:30.505001415 -0400
|
|
||||||
+++ mcstrans-0.3.3/man/man8/secolor.conf.8 2013-03-26 12:51:30.504001411 -0400
|
|
||||||
@@ -0,0 +1,180 @@
|
|
||||||
+.TH "secolor.conf" "8" "08 April 2011" "SELinux API documentation"
|
|
||||||
+.SH "NAME"
|
|
||||||
+secolor.conf \- The SELinux color configuration file
|
|
||||||
+.
|
|
||||||
+.SH "DESCRIPTION"
|
|
||||||
+The
|
|
||||||
+.I /etc/selinux/{SELINUXTYPE}/secolor.conf
|
|
||||||
+configuation file controls the color to be associated to the context components associated to the
|
|
||||||
+.I raw
|
|
||||||
+context passed by
|
|
||||||
+.BR selinux_raw_context_to_color "(3),"
|
|
||||||
+when context related information is to be displayed in color by an SELinux-aware application.
|
|
||||||
+.sp
|
|
||||||
+.BR selinux_raw_context_to_color "(3)"
|
|
||||||
+obtains this color information from the active policy
|
|
||||||
+.B secolor.conf
|
|
||||||
+file as returned by
|
|
||||||
+.BR selinux_colors_path "(3)."
|
|
||||||
+.
|
|
||||||
+.SH "FILE FORMAT"
|
|
||||||
+The file format is as follows:
|
|
||||||
+.RS
|
|
||||||
+.B color
|
|
||||||
+.I color_name
|
|
||||||
+.BI "= #"color_mask
|
|
||||||
+.br
|
|
||||||
+[...]
|
|
||||||
+.sp
|
|
||||||
+.I context_component string
|
|
||||||
+.B =
|
|
||||||
+.I fg_color_name bg_color_name
|
|
||||||
+.br
|
|
||||||
+[...]
|
|
||||||
+.sp
|
|
||||||
+.RE
|
|
||||||
+
|
|
||||||
+Where:
|
|
||||||
+.br
|
|
||||||
+.B color
|
|
||||||
+.RS
|
|
||||||
+The color keyword. Each color entry is on a new line.
|
|
||||||
+.RE
|
|
||||||
+.I color_name
|
|
||||||
+.RS
|
|
||||||
+A single word name for the color (e.g. red).
|
|
||||||
+.RE
|
|
||||||
+.I color_mask
|
|
||||||
+.RS
|
|
||||||
+A color mask starting with a hash (#) that describes the hexadecimal RGB colors with black being #000000 and white being #ffffff.
|
|
||||||
+.RE
|
|
||||||
+.I context_component
|
|
||||||
+.RS
|
|
||||||
+The context component name that must be one of the following:
|
|
||||||
+.br
|
|
||||||
+.RS
|
|
||||||
+user, role, type or range
|
|
||||||
+.RE
|
|
||||||
+Each
|
|
||||||
+.IR context_component " " string " ..."
|
|
||||||
+entry is on a new line.
|
|
||||||
+.RE
|
|
||||||
+.I string
|
|
||||||
+.RS
|
|
||||||
+This is the
|
|
||||||
+.I context_component
|
|
||||||
+string that will be matched with the
|
|
||||||
+.I raw
|
|
||||||
+context component passed by
|
|
||||||
+.BR selinux_raw_context_to_color "(3)."
|
|
||||||
+.br
|
|
||||||
+A wildcard '*' may be used to match any undefined string for the user, role and type
|
|
||||||
+.I context_component
|
|
||||||
+entries only.
|
|
||||||
+.RE
|
|
||||||
+
|
|
||||||
+.I fg_color_name
|
|
||||||
+.RS
|
|
||||||
+The color_name string that will be used as the foreground color.
|
|
||||||
+A
|
|
||||||
+.I color_mask
|
|
||||||
+may also be used.
|
|
||||||
+.RE
|
|
||||||
+.I bg_color_name
|
|
||||||
+.RS
|
|
||||||
+The color_name string that will be used as the background color.
|
|
||||||
+A
|
|
||||||
+.I color_mask
|
|
||||||
+may also be used.
|
|
||||||
+.RE
|
|
||||||
+.
|
|
||||||
+.SH "EXAMPLES"
|
|
||||||
+Example 1 entries are:
|
|
||||||
+.RS
|
|
||||||
+color black = #000000
|
|
||||||
+.br
|
|
||||||
+color green = #008000
|
|
||||||
+.br
|
|
||||||
+color yellow = #ffff00
|
|
||||||
+.br
|
|
||||||
+color blue = #0000ff
|
|
||||||
+.br
|
|
||||||
+color white = #ffffff
|
|
||||||
+.br
|
|
||||||
+color red = #ff0000
|
|
||||||
+.br
|
|
||||||
+color orange = #ffa500
|
|
||||||
+.br
|
|
||||||
+color tan = #D2B48C
|
|
||||||
+.sp
|
|
||||||
+user * = black white
|
|
||||||
+.br
|
|
||||||
+role * = white black
|
|
||||||
+.br
|
|
||||||
+type * = tan orange
|
|
||||||
+.br
|
|
||||||
+range s0\-s0:c0.c1023 = black green
|
|
||||||
+.br
|
|
||||||
+range s1\-s1:c0.c1023 = white green
|
|
||||||
+.br
|
|
||||||
+range s3\-s3:c0.c1023 = black tan
|
|
||||||
+.br
|
|
||||||
+range s5\-s5:c0.c1023 = white blue
|
|
||||||
+.br
|
|
||||||
+range s7\-s7:c0.c1023 = black red
|
|
||||||
+.br
|
|
||||||
+range s9\-s9:c0.c1023 = black orange
|
|
||||||
+.br
|
|
||||||
+range s15:c0.c1023 = black yellow
|
|
||||||
+.RE
|
|
||||||
+
|
|
||||||
+.sp
|
|
||||||
+Example 2 entries are:
|
|
||||||
+.RS
|
|
||||||
+color black = #000000
|
|
||||||
+.br
|
|
||||||
+color green = #008000
|
|
||||||
+.br
|
|
||||||
+color yellow = #ffff00
|
|
||||||
+.br
|
|
||||||
+color blue = #0000ff
|
|
||||||
+.br
|
|
||||||
+color white = #ffffff
|
|
||||||
+.br
|
|
||||||
+color red = #ff0000
|
|
||||||
+.br
|
|
||||||
+color orange = #ffa500
|
|
||||||
+.br
|
|
||||||
+color tan = #d2b48c
|
|
||||||
+.sp
|
|
||||||
+user unconfined_u = #ff0000 green
|
|
||||||
+.br
|
|
||||||
+role unconfined_r = red #ffffff
|
|
||||||
+.br
|
|
||||||
+type unconfined_t = red orange
|
|
||||||
+.br
|
|
||||||
+user user_u = black green
|
|
||||||
+.br
|
|
||||||
+role user_r = white black
|
|
||||||
+.br
|
|
||||||
+type user_t = tan red
|
|
||||||
+.br
|
|
||||||
+user xguest_u = black yellow
|
|
||||||
+.br
|
|
||||||
+role xguest_r = black red
|
|
||||||
+.br
|
|
||||||
+type xguest_t = black green
|
|
||||||
+.br
|
|
||||||
+user sysadm_u = white black
|
|
||||||
+.br
|
|
||||||
+range s0:c0.c1023 = black white
|
|
||||||
+.br
|
|
||||||
+user * = black white
|
|
||||||
+.br
|
|
||||||
+role * = black white
|
|
||||||
+.br
|
|
||||||
+type * = black white
|
|
||||||
+.RE
|
|
||||||
+.
|
|
||||||
+.SH "SEE ALSO"
|
|
||||||
+.BR mcstransd "(8), " selinux_raw_context_to_color "(3), " selinux_colors_path "(3)"
|
|
@ -1,12 +1,12 @@
|
|||||||
Summary: SELinux Translation Daemon
|
Summary: SELinux Translation Daemon
|
||||||
Name: mcstrans
|
Name: mcstrans
|
||||||
Version: 3.0
|
Version: 3.0
|
||||||
Release: 0.rc1.1%{?dist}
|
Release: 1%{?dist}
|
||||||
License: GPL+
|
License: GPL+
|
||||||
Url: https://github.com/SELinuxProject/selinux/wiki
|
Url: https://github.com/SELinuxProject/selinux/wiki
|
||||||
Source: https://github.com/SELinuxProject/selinux/releases/download/20191031/mcstrans-3.0-rc1.tar.gz
|
Source: https://github.com/SELinuxProject/selinux/releases/download/20191204/mcstrans-3.0.tar.gz
|
||||||
Source2: secolor.conf.8
|
Source2: secolor.conf.8
|
||||||
# fedora-selinux/selinux: git format-patch -N mcstrans-3.0-rc1 -- mcstrans
|
# fedora-selinux/selinux: git format-patch -N mcstrans-3.0 -- mcstrans
|
||||||
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
|
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
|
||||||
# Patch list start
|
# Patch list start
|
||||||
Patch0001: 0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
|
Patch0001: 0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
|
||||||
@ -37,7 +37,7 @@ mcstrans provides an translation daemon to translate SELinux categories
|
|||||||
from internal representations to user defined representation.
|
from internal representations to user defined representation.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -p 2 -n mcstrans-%{version}-rc1
|
%autosetup -p 2 -n mcstrans-%{version}
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%set_build_flags
|
%set_build_flags
|
||||||
@ -93,6 +93,9 @@ install -m644 %{SOURCE2} %{buildroot}%{_mandir}/man8/
|
|||||||
%{_usr}/share/mcstrans/util/*
|
%{_usr}/share/mcstrans/util/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Dec 6 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-1
|
||||||
|
- SELinux userspace 3.0 release
|
||||||
|
|
||||||
* Mon Nov 11 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-0.rc1.1
|
* Mon Nov 11 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-0.rc1.1
|
||||||
- SELinux userspace 3.0-rc1 release candidate
|
- SELinux userspace 3.0-rc1 release candidate
|
||||||
|
|
||||||
|
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (mcstrans-3.0-rc1.tar.gz) = b5d5bb88488bed6ee2b09be4cc7439cdec24a644ec08c70748fc520bccc2ca22e9f944ab06e952dadd1010f7f7cec1f4e77c54a357bb1cfe5376bf2e20ff2139
|
SHA512 (mcstrans-3.0.tar.gz) = 02d9754daf1f85941cc8eea934931b6963d1a2133f6f313a2c7fc6a485687add434d587eeac96bfaf2b490c8e1cea34514a7689f880ebb49ca59ebf9b8956eba
|
||||||
|