import mcstrans-2.8-2.el8

This commit is contained in:
CentOS Sources 2019-05-07 07:00:29 -04:00 committed by Andrew Lukoshko
commit e76e77f16e
5 changed files with 694 additions and 0 deletions

1
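--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/mcstrans-2.8.tar.gz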

1
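--- a/.mcstrans.metadata
+++ b/.mcstrans.metadata
@@ -0,0 +1 @@
+a52d02609e81fbfcc6de54457cc5f9c6da727c48 SOURCES/mcstrans-2.8.tar.gz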


@ -0,0 +1,238 @@
diff --git mcstrans-2.8/src/mcstrans.c mcstrans-2.8/src/mcstrans.c
index 00fb808..0d9d0f3 100644
--- mcstrans-2.8/src/mcstrans.c
+++ mcstrans-2.8/src/mcstrans.c
@@ -633,16 +633,23 @@ add_cache(domain_t *domain, char *raw, char *trans) {
map->raw = strdup(raw);
if (!map->raw) {
+ free(map);
goto err;
}
map->trans = strdup(trans);
if (!map->trans) {
+ free(map->raw);
+ free(map);
goto err;
}
log_debug(" add_cache (%s,%s)\n", raw, trans);
- if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0)
+ if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0) {
+ free(map->trans);
+ free(map->raw);
+ free(map);
goto err;
+ }
if (add_to_hashtable(domain->trans_to_raw, map->trans, map) < 0)
goto err;
@@ -708,6 +715,7 @@ append(affix_t **affixes, const char *val) {
err:
log_error("allocation error %s", strerror(errno));
+ free(affix);
return -1;
}
@@ -1517,8 +1525,11 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
} else {
trans = compute_trans_from_raw(range, domain);
if (trans)
- if (add_cache(domain, range, trans) < 0)
+ if (add_cache(domain, range, trans) < 0) {
+ free(trans);
+ free(range);
return -1;
+ }
}
if (lrange && urange) {
@@ -1526,12 +1537,16 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
if (! ltrans) {
ltrans = compute_trans_from_raw(lrange, domain);
if (ltrans) {
- if (add_cache(domain, lrange, ltrans) < 0)
+ if (add_cache(domain, lrange, ltrans) < 0) {
+ free(ltrans);
+ free(range);
return -1;
+ }
} else {
ltrans = strdup(lrange);
if (! ltrans) {
log_error("strdup failed %s", strerror(errno));
+ free(range);
return -1;
}
}
@@ -1541,25 +1556,37 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
if (! utrans) {
utrans = compute_trans_from_raw(urange, domain);
if (utrans) {
- if (add_cache(domain, urange, utrans) < 0)
+ if (add_cache(domain, urange, utrans) < 0) {
+ free(utrans);
+ free(ltrans);
+ free(range);
return -1;
+ }
} else {
utrans = strdup(urange);
if (! utrans) {
log_error("strdup failed %s", strerror(errno));
- return -1;
- }
- }
+ free(ltrans);
+ free(range);
+ return -1;
+ }
+ }
}
if (strcmp(ltrans, utrans) == 0) {
if (asprintf(&trans, "%s", ltrans) < 0) {
log_error("asprintf failed %s", strerror(errno));
+ free(utrans);
+ free(ltrans);
+ free(range);
return -1;
}
} else {
if (asprintf(&trans, "%s-%s", ltrans, utrans) < 0) {
log_error("asprintf failed %s", strerror(errno));
+ free(utrans);
+ free(ltrans);
+ free(range);
return -1;
}
}
@@ -1629,13 +1656,22 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
if (!canonical) {
canonical = compute_trans_from_raw(raw, domain);
if (canonical && strcmp(canonical, range))
- if (add_cache(domain, raw, canonical) < 0)
+ if (add_cache(domain, raw, canonical) < 0) {
+ free(canonical);
+ free(range);
+ free(raw);
return -1;
+ }
}
- if (canonical)
+ if (canonical) {
free(canonical);
- if (add_cache(domain, raw, range) < 0)
+ free(raw);
+ }
+ if (add_cache(domain, raw, range) < 0) {
+ free(range);
+ free(raw);
return -1;
+ }
} else {
log_debug("untrans_context unable to compute raw context %s\n", range);
}
@@ -1650,17 +1686,25 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
if (!canonical) {
canonical = compute_trans_from_raw(lraw, domain);
if (canonical)
- if (add_cache(domain, lraw, canonical) < 0)
+ if (add_cache(domain, lraw, canonical) < 0) {
+ free(canonical);
+ free(lraw);
+ free(range);
return -1;
+ }
}
if (canonical)
free(canonical);
- if (add_cache(domain, lraw, lrange) < 0)
+ if (add_cache(domain, lraw, lrange) < 0) {
+ free(lraw);
+ free(range);
return -1;
+ }
} else {
lraw = strdup(lrange);
if (! lraw) {
log_error("strdup failed %s", strerror(errno));
+ free(range);
return -1;
}
}
@@ -1674,17 +1718,28 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
if (!canonical) {
canonical = compute_trans_from_raw(uraw, domain);
if (canonical)
- if (add_cache(domain, uraw, canonical) < 0)
+ if (add_cache(domain, uraw, canonical) < 0) {
+ free(canonical);
+ free(uraw);
+ free(lraw);
+ free(range);
return -1;
}
+ }
if (canonical)
free(canonical);
- if (add_cache(domain, uraw, urange) < 0)
+ if (add_cache(domain, uraw, urange) < 0) {
+ free(uraw);
+ free(lraw);
+ free(range);
return -1;
+ }
} else {
uraw = strdup(urange);
if (! uraw) {
log_error("strdup failed %s", strerror(errno));
+ free(lraw);
+ free(range);
return -1;
}
}
@@ -1694,11 +1749,17 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
if (strcmp(lraw, uraw) == 0) {
if (asprintf(&raw, "%s", lraw) < 0) {
log_error("asprintf failed %s", strerror(errno));
+ free(uraw);
+ free(lraw);
+ free(range);
return -1;
}
} else {
if (asprintf(&raw, "%s-%s", lraw, uraw) < 0) {
log_error("asprintf failed %s", strerror(errno));
+ free(uraw);
+ free(lraw);
+ free(range);
return -1;
}
}
diff --git mcstrans-2.8/src/mcstransd.c mcstrans-2.8/src/mcstransd.c
index d7fc5de..a5a63d7 100644
--- mcstrans-2.8/src/mcstransd.c
+++ mcstrans-2.8/src/mcstransd.c
@@ -345,6 +345,7 @@ process_events(struct pollfd **ufds, int *nfds)
/* Setup pollfd for deletion later. */
(*ufds)[ii].fd = -1;
close(connfd);
+ connfd = -1;
/* So we don't get bothered later */
revents = revents & ~(POLLHUP);
}
@@ -358,10 +359,11 @@ process_events(struct pollfd **ufds, int *nfds)
/* Set the pollfd up for deletion later. */
(*ufds)[ii].fd = -1;
close(connfd);
+ connfd = -1;
revents = revents & ~(POLLHUP);
}
- if (revents) {
+ if (revents && connfd != -1) {
syslog(LOG_ERR, "Unknown/error events (%x) encountered"
" for fd (%d)\n", revents, connfd);

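Review bot: In the untrans_context hunk, the new `if (canonical) { free(canonical); free(raw); }` block frees `raw`, yet the very next statement passes it to `add_cache(domain, raw, range)` and that call's failure branch frees `raw` a second time — a use-after-free followed by a double free on the ordinary path where a canonical translation exists. The parallel lraw/uraw branches lower in the same file keep only `free(canonical)` at that point, so the fix is to delete the added `free(raw);` inside the canonical block and leave `raw` to the existing failure path and the caller. A second, hedged point: the `free(ltrans)`/`free(utrans)` added to trans_context's asprintf failure paths are only safe if the cache lookups that initialise them (outside the hunk) return caller-owned copies rather than the cached `map->trans` pointers owned by the hashtable; worth confirming against the lookup helper before shipping. trans_context, untrans_context and process_events all start and end outside the visible hunks.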
180
SOURCES/secolor.conf.8 Normal file

@ -0,0 +1,180 @@
.TH "secolor.conf" "8" "08 April 2011" "SELinux API documentation"
.SH "NAME"
secolor.conf \- The SELinux color configuration file
.
.SH "DESCRIPTION"
The
.I /etc/selinux/{SELINUXTYPE}/secolor.conf
configuation file controls the color to be associated to the context components associated to the
.I raw
context passed by
.BR selinux_raw_context_to_color "(3),"
when context related information is to be displayed in color by an SELinux-aware application.
.sp
.BR selinux_raw_context_to_color "(3)"
obtains this color information from the active policy
.B secolor.conf
file as returned by
.BR selinux_colors_path "(3)."
.
.SH "FILE FORMAT"
The file format is as follows:
.RS
.B color
.I color_name
.BI "= #"color_mask
.br
[...]
.sp
.I context_component string
.B =
.I fg_color_name bg_color_name
.br
[...]
.sp
.RE
Where:
.br
.B color
.RS
The color keyword. Each color entry is on a new line.
.RE
.I color_name
.RS
A single word name for the color (e.g. red).
.RE
.I color_mask
.RS
A color mask starting with a hash (#) that describes the hexadecimal RGB colors with black being #000000 and white being #ffffff.
.RE
.I context_component
.RS
The context component name that must be one of the following:
.br
.RS
user, role, type or range
.RE
Each
.IR context_component " " string " ..."
entry is on a new line.
.RE
.I string
.RS
This is the
.I context_component
string that will be matched with the
.I raw
context component passed by
.BR selinux_raw_context_to_color "(3)."
.br
A wildcard '*' may be used to match any undefined string for the user, role and type
.I context_component
entries only.
.RE
.I fg_color_name
.RS
The color_name string that will be used as the foreground color.
A
.I color_mask
may also be used.
.RE
.I bg_color_name
.RS
The color_name string that will be used as the background color.
A
.I color_mask
may also be used.
.RE
.
.SH "EXAMPLES"
Example 1 entries are:
.RS
color black = #000000
.br
color green = #008000
.br
color yellow = #ffff00
.br
color blue = #0000ff
.br
color white = #ffffff
.br
color red = #ff0000
.br
color orange = #ffa500
.br
color tan = #D2B48C
.sp
user * = black white
.br
role * = white black
.br
type * = tan orange
.br
range s0\-s0:c0.c1023 = black green
.br
range s1\-s1:c0.c1023 = white green
.br
range s3\-s3:c0.c1023 = black tan
.br
range s5\-s5:c0.c1023 = white blue
.br
range s7\-s7:c0.c1023 = black red
.br
range s9\-s9:c0.c1023 = black orange
.br
range s15:c0.c1023 = black yellow
.RE
.sp
Example 2 entries are:
.RS
color black = #000000
.br
color green = #008000
.br
color yellow = #ffff00
.br
color blue = #0000ff
.br
color white = #ffffff
.br
color red = #ff0000
.br
color orange = #ffa500
.br
color tan = #d2b48c
.sp
user unconfined_u = #ff0000 green
.br
role unconfined_r = red #ffffff
.br
type unconfined_t = red orange
.br
user user_u = black green
.br
role user_r = white black
.br
type user_t = tan red
.br
user xguest_u = black yellow
.br
role xguest_r = black red
.br
type xguest_t = black green
.br
user sysadm_u = white black
.br
range s0:c0.c1023 = black white
.br
user * = black white
.br
role * = black white
.br
type * = black white
.RE
.
.SH "SEE ALSO"
.BR mcstransd "(8), " selinux_raw_context_to_color "(3), " selinux_colors_path "(3)"

274
SPECS/mcstrans.spec Normal file

@ -0,0 +1,274 @@
Summary: SELinux Translation Daemon
Name: mcstrans
Version: 2.8
Release: 2%{?dist}
License: GPL+
Url: https://github.com/SELinuxProject/selinux/wiki
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/mcstrans-2.8.tar.gz
Source2: secolor.conf.8
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run:
# $ VERSION=2.8 ./make-fedora-selinux-patch.sh mcstrans
# HEAD 2b4b29f00e5f0746ff10e09686a23c6e96a11d5f
Patch1: mcstrans-fedora.patch
BuildRequires: gcc
BuildRequires: libselinux-devel >= %{version}
BuildRequires: libcap-devel pcre-devel libsepol-devel libsepol-static
BuildRequires: systemd
Requires: pcre
%{?systemd_requires}
Provides: setransd
Provides: libsetrans
Obsoletes: libsetrans
%description
Security-enhanced Linux is a feature of the Linux® kernel and a number
of utilities with enhanced security functionality designed to add
mandatory access controls to Linux. The Security-enhanced Linux
kernel contains new architectural components originally developed to
improve the security of the Flask operating system. These
architectural components provide general support for the enforcement
of many kinds of mandatory access control policies, including those
based on the concepts of Type Enforcement®, Role-based Access
Control, and Multi-level Security.
mcstrans provides an translation daemon to translate SELinux categories
from internal representations to user defined representation.
%prep
%autosetup -p 1 -n mcstrans-%{version}
%build
make clean
make LIBDIR="%{_libdir}" LDFLAGS="%{?__global_ldflags}" CFLAGS="%{__global_cflags}" %{?_smp_mflags}
%install
rm -rf %{buildroot}
mkdir -p %{buildroot}/%{_lib}
mkdir -p %{buildroot}/%{_libdir}
mkdir -p %{buildroot}%{_usr}/share/mcstrans
mkdir -p %{buildroot}%{_sysconfdir}/selinux/mls/setrans.d
make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_lib}" SBINDIR="%{_sbindir}" install
rm -f %{buildroot}%{_libdir}/*.a
cp -r share/* %{buildroot}%{_usr}/share/mcstrans/
# Systemd
mkdir -p %{buildroot}%{_unitdir}
ln -s %{_unitdir}/mcstrans.service %{buildroot}/%{_unitdir}/mcstransd.service
rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/mcstrans
install -m644 %{SOURCE2} %{buildroot}%{_mandir}/man8/
%clean
rm -rf %{buildroot}
%post
%systemd_post mcstransd.service
%preun
%systemd_preun mcstransd.service
%postun
%systemd_postun mcstransd.service
%files
%defattr(-,root,root,0755)
%{_mandir}/man8/mcs.8.gz
%{_mandir}/man8/mcstransd.8.gz
%{_mandir}/man8/setrans.conf.8.gz
%{_mandir}/man8/secolor.conf.8.gz
/usr/sbin/mcstransd
%{_unitdir}/mcstrans.service
%{_unitdir}/mcstransd.service
%dir %{_sysconfdir}/selinux/mls/setrans.d
%dir %{_usr}/share/mcstrans
%defattr(0644,root,root,0755)
%dir %{_usr}/share/mcstrans/util
%dir %{_usr}/share/mcstrans/examples
%{_usr}/share/mcstrans/examples/*
%defattr(0755,root,root,0755)
%{_usr}/share/mcstrans/util/*
%changelog
* Sun Dec 16 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-2
- Fix RESOURCE_LEAK and USE_AFTER_FREE coverity scan defects
* Tue Oct 2 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-1
- Update to mcstrans-2.8
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.4-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.4-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.4-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.4-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.3.4-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.3.4-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.3.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Wed Mar 19 2014 Karsten Hopp |karsten@redhat.com> - 0.3.4-4
- fix changelog order so that it builds with a recent rpm
* Wed Oct 16 2013 Dan Walsh <dwalsh@redhat.com> - 0.3.4-3
- Make mcstrans PIE and fully relro
- Resolves: #983268
* Tue Oct 15 2013 Dan Walsh <dwalsh@redhat.com> - 0.3.4-2
- Add RELRO support for long running services
* Thu Sep 12 2013 Dan Walsh <dwalsh@redhat.com> - 0.3.4-1
- Update to latest version/applying patches
- Move binary to /usr/sbin rather then /sbin
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.3.3-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Tue Mar 26 2013 Dan Walsh <dwalsh@redhat.com> - 0.3.3-7
- Add secolor.conf.5 man page
- Make mcstransd watch for content being written to /run/setrans for files names containing translations.
-- This will allow apps like libvirt to write content nameing randomly selected MCS labels
- Fix memory leak in mcstransd
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.3.3-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.3.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Fri Feb 10 2012 Petr Pisar <ppisar@redhat.com> - 0.3.3-4
- Rebuild against PCRE 8.30
* Thu Feb 2 2012 Dan Walsh <dwalsh@redhat.com> - 0.3.3-3
- Fix the systemd service file
* Wed Feb 1 2012 Dan Walsh <dwalsh@redhat.com> - 0.3.3-2
- Update to upstream
- Write pid file
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.3.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.3.2-1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Wed Jan 5 2011 Ted X Toth <txtoth@gmail.com> - 0.3.2-0
- Add constraints
- Add setrans.conf man page
- Fix mixed raw and translated range bug
- Moved todo comments to TODO file
* Fri Oct 16 2009 Dan Walsh <dwalsh@redhat.com> 0.3.1-4
- Add mcstransd man page
* Thu Sep 17 2009 Miroslav Grepl <mgrepl@redhat.com> 0.3.1-3
- Fix init script
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Thu Feb 5 2009 Joe Nall <joe@nall.com> 0.3.1-1
- Rewrite translations to allow individual word/category mapping
- Eamon Walsh's color mapping changes
* Wed May 28 2008 Tom "spot" Callaway <tcallawa@redhat.com> 0.2.11-2
- fix license tag
* Wed May 7 2008 Dan Walsh <dwalsh@redhat.com> 0.2.11-1
- More fixes from Jim Meyering
* Tue May 6 2008 Dan Walsh <dwalsh@redhat.com> 0.2.10-1
- More error checking on failed strdup
* Tue May 6 2008 Dan Walsh <dwalsh@redhat.com> 0.2.9-1
- Start mcstrans before netlabel
* Mon Apr 14 2008 Dan Walsh <dwalsh@redhat.com> 0.2.8-1
- Fix error handling
* Tue Feb 12 2008 Dan Walsh <dwalsh@redhat.com> 0.2.7-2
- Rebuild for gcc 4.3
* Tue Oct 30 2007 Steve Conklin <sconklin@redhat.com> - 0.2.7-1
- Folded current patches into tarball
* Thu Oct 25 2007 Steve Conklin <sconklin@redhat.com> - 0.2.6-3
- Fixed a compile problem with max_categories
* Thu Oct 25 2007 Steve Conklin <sconklin@redhat.com> - 0.2.6-2
- Fixed some init script errors
* Thu Sep 13 2007 Dan Walsh <dwalsh@redhat.com> 0.2.6-1
- Check for max_categories and error out
* Thu Mar 1 2007 Dan Walsh <dwalsh@redhat.com> 0.2.5-1
- Fix case where s0=""
* Mon Feb 26 2007 Dan Walsh <dwalsh@redhat.com> 0.2.4-1
- Translate range if fully specified correctly
* Mon Feb 12 2007 Dan Walsh <dwalsh@redhat.com> 0.2.3-1
- Additional fix to handle ssh root/sysadm_r/s0:c1,c2
Resolves: #224637
* Mon Feb 5 2007 Dan Walsh <dwalsh@redhat.com> 0.2.1-1
- Rewrite to handle MLS properly
Resolves: #225355
* Mon Jan 29 2007 Dan Walsh <dwalsh@redhat.com> 0.1.10-2
- Cleanup memory when complete
* Mon Dec 4 2006 Dan Walsh <dwalsh@redhat.com> 0.1.10-1
- Fix Memory Leak
Resolves: #218173
* Thu Sep 21 2006 Dan Walsh <dwalsh@redhat.com> 0.1.9-1
- Add -pie
- Fix compiler warnings
- Fix Memory Leak
Resolves: #218173
* Wed Sep 13 2006 Peter Jones <pjones@redhat.com> - 0.1.8-3
- Fix subsys locking in init script
* Wed Aug 23 2006 Dan Walsh <dwalsh@redhat.com> 0.1.8-1
- Only allow one version to run
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - sh: line 0: fg: no job control
- rebuild
* Mon Jun 19 2006 Dan Walsh <dwalsh@redhat.com> 0.1.7-1
- Apply sgrubb patch to only call getpeercon on translations
* Tue Jun 6 2006 Dan Walsh <dwalsh@redhat.com> 0.1.6-1
- Exit gracefully when selinux is not enabled
* Mon May 15 2006 Dan Walsh <dwalsh@redhat.com> 0.1.5-1
- Fix sighup handling
* Mon May 15 2006 Dan Walsh <dwalsh@redhat.com> 0.1.4-1
- Add patch from sgrubb
- Fix 64 bit size problems
- Increase the open file limit
- Make sure maximum size is not exceeded
* Fri May 12 2006 Dan Walsh <dwalsh@redhat.com> 0.1.3-1
- Move initscripts to /etc/rc.d/init.d
* Thu May 11 2006 Dan Walsh <dwalsh@redhat.com> 0.1.2-1
- Drop Privs
* Mon May 8 2006 Dan Walsh <dwalsh@redhat.com> 0.1.1-1
- Initial Version
- This daemon reuses the code from libsetrans
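Review bot: The `Source:` tarball at the top of the spec is pinned only by the SHA-1 digest in `.mcstrans.metadata`; the spec itself carries no detached signature or keyring, so `%prep` unpacks whatever the lookaside cache serves without an authenticity check. If upstream publishes `mcstrans-2.8.tar.gz.asc` next to the release (the SELinuxProject releases page appears to), add it as `Source1:`, the maintainer keyring as `Source3:`, and run `%{gpgverify} --keyring='%{SOURCE3}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` before `%autosetup`. A smaller consistency nit: `%files` lists `/usr/sbin/mcstransd` literally while the install line passes `SBINDIR="%{_sbindir}"`; use `%{_sbindir}/mcstransd` so the two cannot drift.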