From 3f2af1bab01198b10748c12760c67734e2f8c8c1 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 20 Aug 2009 19:05:30 +0000 Subject: [PATCH] * Thu Aug 20 2009 Dan Walsh 2.0.71-7 - Fix glob handling of /.. --- policycoreutils-rhat.patch | 1148 +----------------------------------- policycoreutils.spec | 5 +- 2 files changed, 18 insertions(+), 1135 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 955d63c..dea1d9d 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1,6 +1,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.71/audit2allow/audit2allow --- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500 -+++ policycoreutils-2.0.71/audit2allow/audit2allow 2009-08-19 16:30:32.000000000 -0400 ++++ policycoreutils-2.0.71/audit2allow/audit2allow 2009-08-20 12:53:16.000000000 -0400 @@ -42,6 +42,8 @@ from optparse import OptionParser @@ -40,1135 +40,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po f = sys.stdin diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.71/Makefile --- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.71/Makefile 2009-08-19 16:30:32.000000000 -0400 ++++ policycoreutils-2.0.71/Makefile 2009-08-20 12:53:16.000000000 -0400 @@ -1,4 +1,4 @@ -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po +SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.71/restorecond/Makefile ---- nsapolicycoreutils/restorecond/Makefile 2009-02-18 16:44:47.000000000 -0500 -+++ policycoreutils-2.0.71/restorecond/Makefile 2009-08-19 15:42:48.000000000 -0400 -@@ -2,16 +2,23 @@ - PREFIX ?= ${DESTDIR}/usr - SBINDIR ?= $(PREFIX)/sbin - MANDIR = $(PREFIX)/share/man -+AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart -+DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services -+ -+autostart_DATA = sealertauto.desktop - INITDIR = $(DESTDIR)/etc/rc.d/init.d - SELINUXDIR = $(DESTDIR)/etc/selinux - - CFLAGS ?= -g -Werror -Wall -W --override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 --LDLIBS += -lselinux -L$(PREFIX)/lib -+override CFLAGS += -I$(PREFIX)/include -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include -+ -+LDLIBS += -lselinux -ldbus-glib-1 -lglib-2.0 -L$(LIBDIR) - - all: restorecond - --restorecond: restorecond.o utmpwatcher.o stringslist.o -+restorecond.o utmpwatcher.o stringslist.o user.o watch.o: restorecond.h -+ -+restorecond: ../setfiles/restore.o restorecond.o utmpwatcher.o stringslist.o user.o watch.o - $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) - - install: all -@@ -22,7 +29,12 @@ - -mkdir -p $(INITDIR) - install -m 755 restorecond.init $(INITDIR)/restorecond - -mkdir -p $(SELINUXDIR) -- install -m 600 restorecond.conf $(SELINUXDIR)/restorecond.conf -+ install -m 644 restorecond.conf $(SELINUXDIR)/restorecond.conf -+ install -m 644 restorecond_user.conf $(SELINUXDIR)/restorecond_user.conf -+ -mkdir -p $(AUTOSTARTDIR) -+ install -m 644 restorecond.desktop $(AUTOSTARTDIR)/restorecond.desktop -+ -mkdir -p $(DBUSSERVICEDIR) -+ install -m 600 org.selinux.Restorecond.service $(DBUSSERVICEDIR)/org.selinux.Restorecond.service - - relabel: install - /sbin/restorecon $(SBINDIR)/restorecond -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.71/restorecond/org.selinux.Restorecond.service ---- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/restorecond/org.selinux.Restorecond.service 2009-08-19 12:25:41.000000000 -0400 -@@ -0,0 +1,3 @@ -+[D-BUS Service] -+Name=org.selinux.Restorecond -+Exec=/usr/sbin/restorecond -u -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.71/restorecond/restorecond.c ---- nsapolicycoreutils/restorecond/restorecond.c 2009-02-18 16:44:47.000000000 -0500 -+++ policycoreutils-2.0.71/restorecond/restorecond.c 2009-08-19 15:42:48.000000000 -0400 -@@ -48,294 +48,39 @@ - #include - #include - #include --#include -+#include "../setfiles/restore.h" - #include --#include - #include - #include -+#include -+#include -+#include -+#include - #include -- - #include "restorecond.h" --#include "stringslist.h" - #include "utmpwatcher.h" - --extern char *dirname(char *path); -+const char *homedir; - static int master_fd = -1; --static int master_wd = -1; --static int terminate = 0; -- --#include --#include -- --/* size of the event structure, not counting name */ --#define EVENT_SIZE (sizeof (struct inotify_event)) --/* reasonable guess as to size of 1024 events */ --#define BUF_LEN (1024 * (EVENT_SIZE + 16)) -- --static int debug_mode = 0; --static int verbose_mode = 0; -- --static void restore(const char *filename, int exact); -- --struct watchList { -- struct watchList *next; -- int wd; -- char *dir; -- struct stringsList *files; --}; --struct watchList *firstDir = NULL; -- --/* Compare two contexts to see if their differences are "significant", -- * or whether the only difference is in the user. */ --static int only_changed_user(const char *a, const char *b) --{ -- char *rest_a, *rest_b; /* Rest of the context after the user */ -- if (!a || !b) -- return 0; -- rest_a = strchr(a, ':'); -- rest_b = strchr(b, ':'); -- if (!rest_a || !rest_b) -- return 0; -- return (strcmp(rest_a, rest_b) == 0); --} -- --/* -- A file was in a direcroty has been created. This function checks to -- see if it is one that we are watching. --*/ -- --static int watch_list_find(int wd, const char *file) --{ -- struct watchList *ptr = NULL; -- ptr = firstDir; -- -- if (debug_mode) -- printf("%d: File=%s\n", wd, file); -- while (ptr != NULL) { -- if (ptr->wd == wd) { -- int exact=0; -- if (strings_list_find(ptr->files, file, &exact) == 0) { -- char *path = NULL; -- if (asprintf(&path, "%s/%s", ptr->dir, file) < -- 0) -- exitApp("Error allocating memory."); -- restore(path, exact); -- free(path); -- return 0; -- } -- if (debug_mode) -- strings_list_print(ptr->files); -- -- /* Not found in this directory */ -- return -1; -- } -- ptr = ptr->next; -- } -- /* Did not find a directory */ -- return -1; --} -- --static void watch_list_free(int fd) --{ -- struct watchList *ptr = NULL; -- struct watchList *prev = NULL; -- ptr = firstDir; -- -- while (ptr != NULL) { -- inotify_rm_watch(fd, ptr->wd); -- strings_list_free(ptr->files); -- free(ptr->dir); -- prev = ptr; -- ptr = ptr->next; -- free(prev); -- } -- firstDir = NULL; --} -- --/* -- Set the file context to the default file context for this system. -- Same as restorecon. --*/ --static void restore(const char *filename, int exact) --{ -- int retcontext = 0; -- security_context_t scontext = NULL; -- security_context_t prev_context = NULL; -- struct stat st; -- int fd = -1; -- if (debug_mode) -- printf("restore %s\n", filename); -- -- fd = open(filename, O_NOFOLLOW | O_RDONLY); -- if (fd < 0) { -- if (verbose_mode) -- syslog(LOG_ERR, "Unable to open file (%s) %s\n", -- filename, strerror(errno)); -- return; -- } -- -- if (fstat(fd, &st) != 0) { -- syslog(LOG_ERR, "Unable to stat file (%s) %s\n", filename, -- strerror(errno)); -- close(fd); -- return; -- } -- -- if (!(st.st_mode & S_IFDIR) && st.st_nlink > 1) { -- if (exact) { -- syslog(LOG_ERR, -- "Will not restore a file with more than one hard link (%s) %s\n", -- filename, strerror(errno)); -- } -- close(fd); -- return; -- } -- -- if (matchpathcon(filename, st.st_mode, &scontext) < 0) { -- if (errno == ENOENT) -- return; -- syslog(LOG_ERR, "matchpathcon(%s) failed %s\n", filename, -- strerror(errno)); -- return; -- } -- retcontext = fgetfilecon_raw(fd, &prev_context); -- -- if (retcontext >= 0 || errno == ENODATA) { -- if (retcontext < 0) -- prev_context = NULL; -- if (retcontext < 0 || (strcmp(prev_context, scontext) != 0)) { -- -- if (only_changed_user(scontext, prev_context) != 0) { -- free(scontext); -- free(prev_context); -- close(fd); -- return; -- } -- -- if (fsetfilecon(fd, scontext) < 0) { -- if (errno != EOPNOTSUPP) -- syslog(LOG_ERR, -- "set context %s->%s failed:'%s'\n", -- filename, scontext, strerror(errno)); -- if (retcontext >= 0) -- free(prev_context); -- free(scontext); -- close(fd); -- return; -- } -- syslog(LOG_WARNING, "Reset file context %s: %s->%s\n", -- filename, prev_context, scontext); -- } -- if (retcontext >= 0) -- free(prev_context); -- } else { -- if (errno != EOPNOTSUPP) -- syslog(LOG_ERR, "get context on %s failed: '%s'\n", -- filename, strerror(errno)); -- } -- free(scontext); -- close(fd); --} -- --static void process_config(int fd, FILE * cfg) --{ -- char *line_buf = NULL; -- size_t len = 0; -- -- while (getline(&line_buf, &len, cfg) > 0) { -- char *buffer = line_buf; -- while (isspace(*buffer)) -- buffer++; -- if (buffer[0] == '#') -- continue; -- int l = strlen(buffer) - 1; -- if (l <= 0) -- continue; -- buffer[l] = 0; -- if (buffer[0] == '~') -- utmpwatcher_add(fd, &buffer[1]); -- else { -- watch_list_add(fd, buffer); -- } -- } -- free(line_buf); --} -- --/* -- Read config file ignoring Comment lines -- Files specified one per line. Files with "~" will be expanded to the logged in users -- homedirs. --*/ - --static void read_config(int fd) --{ -- char *watch_file_path = "/etc/selinux/restorecond.conf"; -+static char *server_watch_file = "/etc/selinux/restorecond.conf"; -+static char *user_watch_file = "/etc/selinux/restorecond_user.conf"; -+static char *watch_file; -+static struct restore_opts r_opts; - -- FILE *cfg = NULL; -- if (debug_mode) -- printf("Read Config\n"); -- -- watch_list_free(fd); -- -- cfg = fopen(watch_file_path, "r"); -- if (!cfg) -- exitApp("Error reading config file."); -- process_config(fd, cfg); -- fclose(cfg); -- -- inotify_rm_watch(fd, master_wd); -- master_wd = -- inotify_add_watch(fd, watch_file_path, IN_MOVED_FROM | IN_MODIFY); -- if (master_wd == -1) -- exitApp("Error watching config file."); --} -+#include - --/* -- Inotify watch loop --*/ --static int watch(int fd) --{ -- char buf[BUF_LEN]; -- int len, i = 0; -- len = read(fd, buf, BUF_LEN); -- if (len < 0) { -- if (terminate == 0) { -- syslog(LOG_ERR, "Read error (%s)", strerror(errno)); -- return 0; -- } -- syslog(LOG_ERR, "terminated"); -- return -1; -- } else if (!len) -- /* BUF_LEN too small? */ -- return -1; -- while (i < len) { -- struct inotify_event *event; -- event = (struct inotify_event *)&buf[i]; -- if (debug_mode) -- printf("wd=%d mask=%u cookie=%u len=%u\n", -- event->wd, event->mask, -- event->cookie, event->len); -- if (event->wd == master_wd) -- read_config(fd); -- else { -- switch (utmpwatcher_handle(fd, event->wd)) { -- case -1: /* Message was not for utmpwatcher */ -- if (event->len) -- watch_list_find(event->wd, event->name); -- break; -- -- case 1: /* utmp has changed need to reload */ -- read_config(fd); -- break; -- -- default: /* No users logged in or out */ -- break; -- } -- } -+int debug_mode = 0; -+int verbose_mode = 0; -+int terminate = 0; -+int master_wd = -1; -+int run_as_user = 0; - -- i += EVENT_SIZE + event->len; -- } -- return 0; -+static void done(void) { -+ watch_list_free(master_fd); -+ close(master_fd); -+ utmpwatcher_free(); -+ matchpathcon_fini(); - } - - static const char *pidfile = "/var/run/restorecond.pid"; -@@ -374,7 +119,7 @@ - - static void usage(char *program) - { -- printf("%s [-d] [-v] \n", program); -+ printf("%s [-d] [-s] [-f restorecond_file ] [-v] \n", program); - exit(0); - } - -@@ -390,74 +135,35 @@ - to see if it is one that we are watching. - */ - --void watch_list_add(int fd, const char *path) --{ -- struct watchList *ptr = NULL; -- struct watchList *prev = NULL; -- char *x = strdup(path); -- if (!x) -- exitApp("Out of Memory"); -- char *dir = dirname(x); -- char *file = basename(path); -- ptr = firstDir; -- -- restore(path, 1); -- -- while (ptr != NULL) { -- if (strcmp(dir, ptr->dir) == 0) { -- strings_list_add(&ptr->files, file); -- free(x); -- return; -- } -- prev = ptr; -- ptr = ptr->next; -- } -- ptr = calloc(1, sizeof(struct watchList)); -- -- if (!ptr) -- exitApp("Out of Memory"); -- -- ptr->wd = inotify_add_watch(fd, dir, IN_CREATE | IN_MOVED_TO); -- if (ptr->wd == -1) { -- free(ptr); -- syslog(LOG_ERR, "Unable to watch (%s) %s\n", -- path, strerror(errno)); -- return; -- } -- -- ptr->dir = strdup(dir); -- if (!ptr->dir) -- exitApp("Out of Memory"); -- -- strings_list_add(&ptr->files, file); -- if (prev) -- prev->next = ptr; -- else -- firstDir = ptr; -- -- if (debug_mode) -- printf("%d: Dir=%s, File=%s\n", ptr->wd, ptr->dir, file); -- -- free(x); --} -- - int main(int argc, char **argv) - { - int opt; - struct sigaction sa; - --#ifndef DEBUG -- /* Make sure we are root */ -- if (getuid() != 0) { -- fprintf(stderr, "You must be root to run this program.\n"); -- return 1; -- } --#endif -- /* Make sure we are root */ -- if (is_selinux_enabled() != 1) { -- fprintf(stderr, "Daemon requires SELinux be enabled to run.\n"); -- return 1; -- } -+ memset(&r_opts, 0, sizeof(r_opts)); -+ -+ r_opts.progress = 0; -+ r_opts.count = 0; -+ r_opts.debug = 0; -+ r_opts.change = 1; -+ r_opts.verbose = 0; -+ r_opts.logging = 0; -+ r_opts.rootpath = NULL; -+ r_opts.expand_realpath = 0; -+ r_opts.rootpathlen = 0; -+ r_opts.outfile = NULL; -+ r_opts.force = 0; -+ r_opts.hard_links = 0; -+ r_opts.expand_realpath = 1; -+ r_opts.abort_on_error = 0; -+ r_opts.add_assoc = 0; -+ r_opts.fts_flags = FTS_PHYSICAL; -+ r_opts.selabel_opt_validate = NULL; -+ r_opts.selabel_opt_path = NULL; -+ -+ restore_init(&r_opts); -+ /* If we are not running SELinux then just exit */ -+ if (is_selinux_enabled() != 1) return 0; - - /* Register sighandlers */ - sa.sa_flags = 0; -@@ -467,15 +173,18 @@ - - set_matchpathcon_flags(MATCHPATHCON_NOTRANS); - -- master_fd = inotify_init(); -- if (master_fd < 0) -- exitApp("inotify_init"); -- -- while ((opt = getopt(argc, argv, "dv")) > 0) { -+ atexit( done ); -+ while ((opt = getopt(argc, argv, "uf:dv")) > 0) { - switch (opt) { - case 'd': - debug_mode = 1; - break; -+ case 'f': -+ watch_file = optarg; -+ break; -+ case 'u': -+ run_as_user = 1; -+ break; - case 'v': - verbose_mode = 1; - break; -@@ -483,22 +192,40 @@ - usage(argv[0]); - } - } -- read_config(master_fd); -+ -+ master_fd = inotify_init(); -+ if (master_fd < 0) -+ exitApp("inotify_init"); -+ -+ uid_t uid = getuid(); -+ struct passwd *pwd = getpwuid(uid); -+ homedir = pwd->pw_dir; -+ if (uid != 0) { -+ if (run_as_user) -+ return server(master_fd, user_watch_file); -+ if (start() != 0) -+ return server(master_fd, user_watch_file); -+ return 0; -+ } -+ -+ watch_file = server_watch_file; -+ read_config(master_fd, watch_file); - - if (!debug_mode) - daemon(0, 0); - - write_pid_file(); - -- while (watch(master_fd) == 0) { -+ while (watch(master_fd, watch_file) == 0) { - }; - - watch_list_free(master_fd); - close(master_fd); - matchpathcon_fini(); -- utmpwatcher_free(); - if (pidfile) - unlink(pidfile); - - return 0; - } -+ -+ -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.71/restorecond/restorecond.conf ---- nsapolicycoreutils/restorecond/restorecond.conf 2009-05-18 13:53:14.000000000 -0400 -+++ policycoreutils-2.0.71/restorecond/restorecond.conf 2009-08-19 15:42:48.000000000 -0400 -@@ -4,8 +4,5 @@ - /etc/mtab - /var/run/utmp - /var/log/wtmp --~/* --/root/.ssh -+/root/* - /root/.ssh/* -- -- -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.71/restorecond/restorecond.desktop ---- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/restorecond/restorecond.desktop 2009-08-19 12:25:41.000000000 -0400 -@@ -0,0 +1,7 @@ -+[Desktop Entry] -+Name=File Context maintainer -+Exec=/usr/sbin/restorecond -u -+Comment=Fix file context in owned by the user -+Encoding=UTF-8 -+Type=Application -+StartupNotify=false -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.71/restorecond/restorecond.h ---- nsapolicycoreutils/restorecond/restorecond.h 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.71/restorecond/restorecond.h 2009-08-19 15:42:48.000000000 -0400 -@@ -24,7 +24,22 @@ - #ifndef RESTORED_CONFIG_H - #define RESTORED_CONFIG_H - --void exitApp(const char *msg); --void watch_list_add(int inotify_fd, const char *path); -+extern int debug_mode; -+extern int verbose_mode; -+extern const char *homedir; -+extern int terminate; -+extern int master_wd; -+extern int run_as_user; -+ -+extern int start(void); -+extern int server(int, const char *watch_file); -+ -+extern void exitApp(const char *msg); -+extern void read_config(int fd, const char *watch_file); -+ -+extern int watch(int fd, const char *watch_file); -+extern void watch_list_add(int inotify_fd, const char *path); -+extern int watch_list_find(int wd, const char *file); -+extern void watch_list_free(int fd); - - #endif -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.71/restorecond/restorecond_user.conf ---- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/restorecond/restorecond_user.conf 2009-08-19 12:25:41.000000000 -0400 -@@ -0,0 +1,2 @@ -+~/* -+~/public_html/* -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.71/restorecond/user.c ---- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/restorecond/user.c 2009-08-19 12:25:41.000000000 -0400 -@@ -0,0 +1,220 @@ -+/* -+ * restorecond -+ * -+ * Copyright (C) 2006-2009 Red Hat -+ * see file 'COPYING' for use and warranty information -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License as -+ * published by the Free Software Foundation; either version 2 of -+ * the License, or (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+.* -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA -+ * 02111-1307 USA -+ * -+ * Authors: -+ * Dan Walsh -+ * -+*/ -+ -+#define _GNU_SOURCE -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "restorecond.h" -+#include "stringslist.h" -+#include -+#include -+#include -+#include -+ -+static DBusHandlerResult signal_filter (DBusConnection *connection, DBusMessage *message, void *user_data); -+ -+static const char *PATH="/org/selinux/Restorecond"; -+//static const char *BUSNAME="org.selinux.Restorecond"; -+static const char *INTERFACE="org.selinux.RestorecondIface"; -+static const char *RULE="type='signal',interface='org.selinux.RestorecondIface'"; -+ -+#include -+#include -+ -+/* size of the event structure, not counting name */ -+#define EVENT_SIZE (sizeof (struct inotify_event)) -+/* reasonable guess as to size of 1024 events */ -+#define BUF_LEN (1024 * (EVENT_SIZE + 16)) -+ -+static gboolean -+io_channel_callback -+ (GIOChannel *source, -+ GIOCondition condition, -+ gpointer data __attribute__((__unused__))) -+{ -+ -+ char buffer[BUF_LEN+1]; -+ gsize bytes_read; -+ unsigned int i = 0; -+ -+ if (condition & G_IO_IN) { -+ /* Data is available. */ -+ g_io_channel_read -+ (source, buffer, -+ sizeof (buffer), -+ &bytes_read); -+ -+ while (i < bytes_read) { -+ struct inotify_event *event; -+ event = (struct inotify_event *)&buffer[i]; -+ if (debug_mode) -+ printf("wd=%d mask=%u cookie=%u len=%u\n", -+ event->wd, event->mask, -+ event->cookie, event->len); -+ if (event->len) -+ watch_list_find(event->wd, event->name); -+ -+ i += EVENT_SIZE + event->len; -+ } -+ } -+ -+ /* An error happened while reading -+ the file. */ -+ -+ if (condition & G_IO_NVAL) -+ return FALSE; -+ -+ /* We have reached the end of the -+ file. */ -+ -+ if (condition & G_IO_HUP) { -+ g_io_channel_close (source); -+ return FALSE; -+ } -+ -+ /* Returning TRUE will make sure -+ the callback remains associated -+ to the channel. */ -+ -+ return TRUE; -+} -+ -+static DBusHandlerResult -+signal_filter (DBusConnection *connection __attribute__ ((__unused__)), DBusMessage *message, void *user_data) -+{ -+ /* User data is the event loop we are running in */ -+ GMainLoop *loop = user_data; -+ -+ /* A signal from the bus saying we are about to be disconnected */ -+ if (dbus_message_is_signal -+ (message, INTERFACE, "Stop")) { -+ -+ /* Tell the main loop to quit */ -+ g_main_loop_quit (loop); -+ /* We have handled this message, don't pass it on */ -+ return DBUS_HANDLER_RESULT_HANDLED; -+ } -+ /* A Ping signal on the com.burtonini.dbus.Signal interface */ -+ else if (dbus_message_is_signal (message, INTERFACE, "Start")) { -+ DBusError error; -+ dbus_error_init (&error); -+ g_print("Start received\n"); -+ return DBUS_HANDLER_RESULT_HANDLED; -+ } -+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; -+} -+ -+ -+int start() { -+ DBusConnection *bus; -+ DBusError error; -+ DBusMessage *message; -+ -+ /* Get a connection to the session bus */ -+ dbus_error_init (&error); -+ bus = dbus_bus_get (DBUS_BUS_SESSION, &error); -+ if (!bus) { -+ if (debug_mode) -+ g_warning ("Failed to connect to the D-BUS daemon: %s", error.message); -+ dbus_error_free (&error); -+ return 1; -+ } -+ -+ -+ /* Create a new signal "Start" on the interface, -+ * from the object */ -+ message = dbus_message_new_signal (PATH, -+ INTERFACE, "Start"); -+ /* Send the signal */ -+ dbus_connection_send (bus, message, NULL); -+ /* Free the signal now we have finished with it */ -+ dbus_message_unref (message); -+ return 0; -+} -+ -+int server(int master_fd, const char *watch_file) { -+ GMainLoop *loop; -+ DBusConnection *bus; -+ DBusError error; -+ -+ loop = g_main_loop_new (NULL, FALSE); -+ -+ dbus_error_init (&error); -+ bus = dbus_bus_get (DBUS_BUS_SESSION, &error); -+ if (bus) { -+ dbus_connection_setup_with_g_main (bus, NULL); -+ -+ /* listening to messages from all objects as no path is specified */ -+ dbus_bus_add_match (bus, RULE, &error); // see signals from the given interfacey -+ dbus_connection_add_filter (bus, signal_filter, loop, NULL); -+ } else { -+ // ! dbus, run as local service -+ char *ptr=NULL; -+ asprintf(&ptr, "%s/.restorecond", homedir); -+ int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW, S_IRUSR | S_IWUSR); -+ if (debug_mode) -+ g_warning ("Lock file: %s", ptr); -+ -+ free(ptr); -+ if (fd < 0) { -+ if (debug_mode) -+ perror("open"); -+ return 0; -+ } -+ if (flock(fd, LOCK_EX | LOCK_NB) < 0) { -+ if (debug_mode) -+ perror("flock"); -+ return 0; -+ } -+ } -+ -+ read_config(master_fd, watch_file); -+ -+ set_matchpathcon_flags(MATCHPATHCON_NOTRANS); -+ -+ GIOChannel *c = g_io_channel_unix_new(master_fd); -+ -+ g_io_add_watch_full( c, -+ G_PRIORITY_HIGH, -+ G_IO_IN|G_IO_ERR|G_IO_HUP, -+ io_channel_callback, NULL, NULL); -+ -+ g_main_loop_run (loop); -+ return 0; -+} -+ -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/walk.c policycoreutils-2.0.71/restorecond/walk.c ---- nsapolicycoreutils/restorecond/walk.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/restorecond/walk.c 2009-08-19 16:30:32.000000000 -0400 -@@ -0,0 +1,30 @@ -+#define _XOPEN_SOURCE 500 -+#include -+#include -+#include -+#include -+ -+int ctr=0; -+static int -+display_info(const char *fpath, const struct stat *sb, -+ int tflag, struct FTW *ftwbuf) -+{ -+ if (tflag == FTW_D) { -+ printf(" %-40s %d %s\n", -+ fpath, ftwbuf->base, fpath + ftwbuf->base); -+ ctr++; -+ } -+ return 0; /* To tell nftw() to continue */ -+} -+ -+int -+main(int argc, char *argv[]) -+{ -+ int flags = 0; -+ -+ flags = FTW_PHYS | FTW_MOUNT; -+ -+ nftw((argc < 2) ? "." : argv[1], display_info, 20, flags); -+ printf("Total Dirs %d\n",ctr); -+ exit(EXIT_SUCCESS); -+} -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.71/restorecond/watch.c ---- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/restorecond/watch.c 2009-08-19 13:27:16.000000000 -0400 -@@ -0,0 +1,253 @@ -+#define _GNU_SOURCE -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "../setfiles/restore.h" -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "restorecond.h" -+#include "stringslist.h" -+#include "utmpwatcher.h" -+ -+/* size of the event structure, not counting name */ -+#define EVENT_SIZE (sizeof (struct inotify_event)) -+/* reasonable guess as to size of 1024 events */ -+#define BUF_LEN (1024 * (EVENT_SIZE + 16)) -+ -+ -+struct watchList { -+ struct watchList *next; -+ int wd; -+ char *dir; -+ struct stringsList *files; -+}; -+struct watchList *firstDir = NULL; -+ -+ -+void watch_list_add(int fd, const char *path) -+{ -+ struct watchList *ptr = NULL; -+ size_t i = 0; -+ struct watchList *prev = NULL; -+ glob_t globbuf; -+ char *x = strdup(path); -+ if (!x) -+ exitApp("Out of Memory"); -+ char *file = basename(x); -+ char *dir = dirname(x); -+ ptr = firstDir; -+ -+ globbuf.gl_offs = 1; -+ if (glob(path, -+ GLOB_TILDE | GLOB_PERIOD, -+ NULL, -+ &globbuf) >= 0) { -+ for (i=0; i < globbuf.gl_pathc; i++) { -+ printf("%s\n", globbuf.gl_pathv[i]); -+ -+ if (process_one(globbuf.gl_pathv[i], 0) > 0) -+ process_one(globbuf.gl_pathv[i], 1); -+ } -+ globfree(&globbuf); -+ } -+ -+ while (ptr != NULL) { -+ if (strcmp(dir, ptr->dir) == 0) { -+ strings_list_add(&ptr->files, file); -+ free(x); -+ return; -+ } -+ prev = ptr; -+ ptr = ptr->next; -+ } -+ ptr = calloc(1, sizeof(struct watchList)); -+ -+ if (!ptr) -+ exitApp("Out of Memory"); -+ -+ ptr->wd = inotify_add_watch(fd, dir, IN_CREATE | IN_MOVED_TO); -+ if (ptr->wd == -1) { -+ free(ptr); -+ syslog(LOG_ERR, "Unable to watch (%s) %s\n", -+ path, strerror(errno)); -+ return; -+ } -+ -+ ptr->dir = strdup(dir); -+ if (!ptr->dir) -+ exitApp("Out of Memory"); -+ -+ strings_list_add(&ptr->files, file); -+ if (prev) -+ prev->next = ptr; -+ else -+ firstDir = ptr; -+ -+ if (debug_mode) -+ printf("%d: Dir=%s, File=%s\n", ptr->wd, ptr->dir, file); -+ -+ free(x); -+} -+ -+/* -+ A file was in a direcroty has been created. This function checks to -+ see if it is one that we are watching. -+*/ -+ -+int watch_list_find(int wd, const char *file) -+{ -+ struct watchList *ptr = NULL; -+ ptr = firstDir; -+ if (debug_mode) -+ printf("%d: File=%s\n", wd, file); -+ while (ptr != NULL) { -+ if (ptr->wd == wd) { -+ int exact=0; -+ if (strings_list_find(ptr->files, file, &exact) == 0) { -+ char *path = NULL; -+ if (asprintf(&path, "%s/%s", ptr->dir, file) < -+ 0) -+ exitApp("Error allocating memory."); -+ -+ process_one(path, 0); -+ free(path); -+ return 0; -+ } -+ if (debug_mode) -+ strings_list_print(ptr->files); -+ -+ /* Not found in this directory */ -+ return -1; -+ } -+ ptr = ptr->next; -+ } -+ /* Did not find a directory */ -+ return -1; -+} -+ -+void watch_list_free(int fd) -+{ -+ struct watchList *ptr = NULL; -+ struct watchList *prev = NULL; -+ ptr = firstDir; -+ -+ while (ptr != NULL) { -+ inotify_rm_watch(fd, ptr->wd); -+ strings_list_free(ptr->files); -+ free(ptr->dir); -+ prev = ptr; -+ ptr = ptr->next; -+ free(prev); -+ } -+ firstDir = NULL; -+} -+ -+/* -+ Inotify watch loop -+*/ -+int watch(int fd, const char *watch_file) -+{ -+ char buf[BUF_LEN]; -+ int len, i = 0; -+ len = read(fd, buf, BUF_LEN); -+ if (len < 0) { -+ if (terminate == 0) { -+ syslog(LOG_ERR, "Read error (%s)", strerror(errno)); -+ return 0; -+ } -+ syslog(LOG_ERR, "terminated"); -+ return -1; -+ } else if (!len) -+ /* BUF_LEN too small? */ -+ return -1; -+ while (i < len) { -+ struct inotify_event *event; -+ event = (struct inotify_event *)&buf[i]; -+ if (debug_mode) -+ printf("wd=%d mask=%u cookie=%u len=%u\n", -+ event->wd, event->mask, -+ event->cookie, event->len); -+ if (event->wd == master_wd) -+ read_config(fd, watch_file); -+ else { -+ if (event->len) -+ watch_list_find(event->wd, event->name); -+ } -+ -+ i += EVENT_SIZE + event->len; -+ } -+ return 0; -+} -+ -+static void process_config(int fd, FILE * cfg) -+{ -+ char *line_buf = NULL; -+ size_t len = 0; -+ -+ while (getline(&line_buf, &len, cfg) > 0) { -+ char *buffer = line_buf; -+ while (isspace(*buffer)) -+ buffer++; -+ if (buffer[0] == '#') -+ continue; -+ int l = strlen(buffer) - 1; -+ if (l <= 0) -+ continue; -+ buffer[l] = 0; -+ if (buffer[0] == '~') { -+ if (run_as_user) { -+ char *ptr=NULL; -+ asprintf(&ptr, "%s%s", homedir, &buffer[1]); -+ watch_list_add(fd, ptr); -+ free(ptr); -+ } else { -+ utmpwatcher_add(fd, &buffer[1]); -+ } -+ } else { -+ watch_list_add(fd, buffer); -+ } -+ } -+ free(line_buf); -+} -+ -+/* -+ Read config file ignoring Comment lines -+ Files specified one per line. Files with "~" will be expanded to the logged in users -+ homedirs. -+*/ -+ -+void read_config(int fd, const char *watch_file_path) -+{ -+ -+ FILE *cfg = NULL; -+ if (debug_mode) -+ printf("Read Config\n"); -+ -+ watch_list_free(fd); -+ -+ cfg = fopen(watch_file_path, "r"); -+ if (!cfg){ -+ perror(watch_file_path); -+ exitApp("Error reading config file"); -+ } -+ process_config(fd, cfg); -+ fclose(cfg); -+ -+ inotify_rm_watch(fd, master_wd); -+ master_wd = -+ inotify_add_watch(fd, watch_file_path, IN_MOVED_FROM | IN_MODIFY); -+ if (master_wd == -1) -+ exitApp("Error watching config file."); -+} -+ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.71/scripts/chcat --- nsapolicycoreutils/scripts/chcat 2009-06-23 15:36:07.000000000 -0400 -+++ policycoreutils-2.0.71/scripts/chcat 2009-08-19 16:30:32.000000000 -0400 ++++ policycoreutils-2.0.71/scripts/chcat 2009-08-20 12:53:16.000000000 -0400 @@ -435,6 +435,8 @@ continue except ValueError, e: @@ -1180,7 +61,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.71/scripts/Makefile --- nsapolicycoreutils/scripts/Makefile 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.71/scripts/Makefile 2009-08-19 16:30:32.000000000 -0400 ++++ policycoreutils-2.0.71/scripts/Makefile 2009-08-20 12:53:16.000000000 -0400 @@ -5,11 +5,12 @@ MANDIR ?= $(PREFIX)/share/man LOCALEDIR ?= /usr/share/locale @@ -1197,7 +78,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -mkdir -p $(MANDIR)/man8 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.71/scripts/sandbox --- nsapolicycoreutils/scripts/sandbox 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/scripts/sandbox 2009-08-19 16:30:32.000000000 -0400 ++++ policycoreutils-2.0.71/scripts/sandbox 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,139 @@ +#!/usr/bin/python -E +import os, sys, getopt, socket, random, fcntl @@ -1340,7 +221,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + sys.exit(rc) diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.71/scripts/sandbox.8 --- nsapolicycoreutils/scripts/sandbox.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/scripts/sandbox.8 2009-08-19 16:30:32.000000000 -0400 ++++ policycoreutils-2.0.71/scripts/sandbox.8 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,22 @@ +.TH SANDBOX "8" "May 2009" "chcat" "User Commands" +.SH NAME @@ -1366,7 +247,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +.PP diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.py policycoreutils-2.0.71/scripts/sandbox.py --- nsapolicycoreutils/scripts/sandbox.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/scripts/sandbox.py 2009-08-19 16:30:32.000000000 -0400 ++++ policycoreutils-2.0.71/scripts/sandbox.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,67 @@ +#!/usr/bin/python +import os, sys, getopt, socket, random, fcntl @@ -1437,7 +318,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +os.execvp(cmds[0], cmds) diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.71/semanage/semanage --- nsapolicycoreutils/semanage/semanage 2009-08-19 16:35:03.000000000 -0400 -+++ policycoreutils-2.0.71/semanage/semanage 2009-08-19 16:30:32.000000000 -0400 ++++ policycoreutils-2.0.71/semanage/semanage 2009-08-20 12:53:16.000000000 -0400 @@ -68,6 +68,7 @@ -h, --help Display this message -n, --noheading Do not print heading when listing OBJECTS @@ -1547,7 +428,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.71/semanage/seobject.py --- nsapolicycoreutils/semanage/seobject.py 2009-08-19 16:35:03.000000000 -0400 -+++ policycoreutils-2.0.71/semanage/seobject.py 2009-08-19 16:30:32.000000000 -0400 ++++ policycoreutils-2.0.71/semanage/seobject.py 2009-08-20 12:53:16.000000000 -0400 @@ -1,5 +1,5 @@ #! /usr/bin/python -E -# Copyright (C) 2005, 2006, 2007, 2008 Red Hat @@ -1676,7 +557,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po def __init__(self, store = ""): diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/Makefile policycoreutils-2.0.71/setfiles/Makefile --- nsapolicycoreutils/setfiles/Makefile 2009-07-07 15:32:32.000000000 -0400 -+++ policycoreutils-2.0.71/setfiles/Makefile 2009-08-19 15:42:48.000000000 -0400 ++++ policycoreutils-2.0.71/setfiles/Makefile 2009-08-20 12:53:16.000000000 -0400 @@ -5,7 +5,7 @@ LIBDIR ?= $(PREFIX)/lib AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null) @@ -1697,8 +578,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po ln -sf setfiles restorecon diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.71/setfiles/restore.c --- nsapolicycoreutils/setfiles/restore.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/setfiles/restore.c 2009-08-19 15:42:48.000000000 -0400 -@@ -0,0 +1,531 @@ ++++ policycoreutils-2.0.71/setfiles/restore.c 2009-08-20 13:11:02.000000000 -0400 +@@ -0,0 +1,530 @@ +#include "restore.h" + +#define SKIP -2 @@ -1807,7 +688,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + int ret; + char *context, *newcon; + int user_only_changed = 0; -+ + if (match(my_file, ftsent->fts_statp, &newcon) < 0) + /* Check for no matching specification. */ + return (errno == ENOENT) ? 0 : -1; @@ -2232,7 +1112,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.71/setfiles/restore.h --- nsapolicycoreutils/setfiles/restore.h 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/setfiles/restore.h 2009-08-19 15:42:48.000000000 -0400 ++++ policycoreutils-2.0.71/setfiles/restore.h 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,50 @@ +#ifndef RESTORE_H +#define RESTORE_H @@ -2286,7 +1166,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +#endif diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.71/setfiles/setfiles.c --- nsapolicycoreutils/setfiles/setfiles.c 2009-08-12 12:08:15.000000000 -0400 -+++ policycoreutils-2.0.71/setfiles/setfiles.c 2009-08-19 15:42:48.000000000 -0400 ++++ policycoreutils-2.0.71/setfiles/setfiles.c 2009-08-20 12:53:16.000000000 -0400 @@ -1,26 +1,12 @@ -#ifndef _GNU_SOURCE -#define _GNU_SOURCE diff --git a/policycoreutils.spec b/policycoreutils.spec index 705fa80..9921a7f 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -6,7 +6,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.71 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -265,6 +265,9 @@ else fi %changelog +* Thu Aug 20 2009 Dan Walsh 2.0.71-7 +- Fix glob handling of /.. + * Wed Aug 19 2009 Dan Walsh 2.0.71-6 - Redesign restorecond to use setfiles/restore functionality