* Sat Aug 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-10
- Fix realpath usage to only happen on argv input from user
This commit is contained in:
parent
f6cc437735
commit
4b8a9749e9
@ -105,7 +105,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+Exec=/usr/sbin/restorecond -u
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.71/restorecond/restorecond.c
|
||||
--- nsapolicycoreutils/restorecond/restorecond.c 2009-08-20 15:49:21.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/restorecond/restorecond.c 2009-08-20 15:30:44.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/restorecond/restorecond.c 2009-08-22 08:03:13.000000000 -0400
|
||||
@@ -48,294 +48,38 @@
|
||||
#include <signal.h>
|
||||
#include <string.h>
|
||||
@ -430,7 +430,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
exit(0);
|
||||
}
|
||||
|
||||
@@ -390,74 +134,35 @@
|
||||
@@ -390,74 +134,33 @@
|
||||
to see if it is one that we are watching.
|
||||
*/
|
||||
|
||||
@ -511,12 +511,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+ r_opts.verbose = 0;
|
||||
+ r_opts.logging = 0;
|
||||
+ r_opts.rootpath = NULL;
|
||||
+ r_opts.expand_realpath = 0;
|
||||
+ r_opts.rootpathlen = 0;
|
||||
+ r_opts.outfile = NULL;
|
||||
+ r_opts.force = 0;
|
||||
+ r_opts.hard_links = 0;
|
||||
+ r_opts.expand_realpath = 1;
|
||||
+ r_opts.abort_on_error = 0;
|
||||
+ r_opts.add_assoc = 0;
|
||||
+ r_opts.fts_flags = FTS_PHYSICAL;
|
||||
@ -529,7 +527,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
|
||||
/* Register sighandlers */
|
||||
sa.sa_flags = 0;
|
||||
@@ -467,38 +172,59 @@
|
||||
@@ -467,38 +170,59 @@
|
||||
|
||||
set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
|
||||
|
||||
@ -1685,8 +1683,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
ln -sf setfiles restorecon
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.71/setfiles/restore.c
|
||||
--- nsapolicycoreutils/setfiles/restore.c 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.71/setfiles/restore.c 2009-08-20 13:11:02.000000000 -0400
|
||||
@@ -0,0 +1,530 @@
|
||||
+++ policycoreutils-2.0.71/setfiles/restore.c 2009-08-22 07:59:20.000000000 -0400
|
||||
@@ -0,0 +1,519 @@
|
||||
+#include "restore.h"
|
||||
+
|
||||
+#define SKIP -2
|
||||
@ -1949,17 +1947,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+ dev_t dev_num = 0;
|
||||
+ FTS *fts_handle;
|
||||
+ FTSENT *ftsent;
|
||||
+
|
||||
+ if (r_opts->expand_realpath) {
|
||||
+ char *p;
|
||||
+ p = realpath(name, NULL);
|
||||
+ if (!p) {
|
||||
+ fprintf(stderr, "realpath(%s) failed %s\n", name,
|
||||
+ strerror(errno));
|
||||
+ return -1;
|
||||
+ }
|
||||
+ name = p;
|
||||
+ }
|
||||
+
|
||||
+ if (r_opts == NULL){
|
||||
+ fprintf(stderr,
|
||||
@ -2219,8 +2206,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.71/setfiles/restore.h
|
||||
--- nsapolicycoreutils/setfiles/restore.h 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.71/setfiles/restore.h 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,50 @@
|
||||
+++ policycoreutils-2.0.71/setfiles/restore.h 2009-08-22 08:02:45.000000000 -0400
|
||||
@@ -0,0 +1,49 @@
|
||||
+#ifndef RESTORE_H
|
||||
+#define RESTORE_H
|
||||
+#ifndef _GNU_SOURCE
|
||||
@ -2256,7 +2243,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+ FILE *outfile;
|
||||
+ int force;
|
||||
+ struct selabel_handle *hnd;
|
||||
+ int expand_realpath; /* Expand paths via realpath. */
|
||||
+ int abort_on_error; /* Abort the file tree walk upon an error. */
|
||||
+ int quiet;
|
||||
+ int fts_flags; /* Flags to fts, e.g. follow links, follow mounts */
|
||||
@ -2273,7 +2259,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+#endif
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.71/setfiles/setfiles.c
|
||||
--- nsapolicycoreutils/setfiles/setfiles.c 2009-08-12 12:08:15.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/setfiles/setfiles.c 2009-08-20 12:53:16.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/setfiles/setfiles.c 2009-08-22 08:06:25.000000000 -0400
|
||||
@@ -1,26 +1,12 @@
|
||||
-#ifndef _GNU_SOURCE
|
||||
-#define _GNU_SOURCE
|
||||
@ -2837,7 +2823,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
- goto err;
|
||||
- }
|
||||
-
|
||||
|
||||
-
|
||||
- ftsent = fts_read(fts_handle);
|
||||
- if (ftsent != NULL) {
|
||||
- /* Keep the inode of the first one. */
|
||||
@ -2881,7 +2867,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
- if (expand_realpath)
|
||||
- free(name);
|
||||
- return rc;
|
||||
-
|
||||
|
||||
-err:
|
||||
- if (!strcmp(name, "/"))
|
||||
- mass_relabel_errs = 1;
|
||||
@ -2891,7 +2877,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
|
||||
#ifndef USE_AUDIT
|
||||
static void maybe_audit_mass_relabel(void)
|
||||
@@ -729,21 +209,32 @@
|
||||
@@ -729,27 +209,37 @@
|
||||
int use_input_file = 0;
|
||||
char *buf = NULL;
|
||||
size_t buf_len;
|
||||
@ -2932,7 +2918,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
|
||||
if (!strcmp(base, SETFILES)) {
|
||||
/*
|
||||
@@ -757,10 +248,10 @@
|
||||
* setfiles:
|
||||
* Recursive descent,
|
||||
- * Does not expand paths via realpath,
|
||||
* Aborts on errors during the file tree walk,
|
||||
* Try to track inode associations for conflict detection,
|
||||
* Does not follow mounts,
|
||||
@@ -757,29 +247,26 @@
|
||||
*/
|
||||
iamrestorecon = 0;
|
||||
recurse = 1;
|
||||
@ -2940,14 +2932,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
- abort_on_error = 1;
|
||||
- add_assoc = 1;
|
||||
- fts_flags = FTS_PHYSICAL | FTS_XDEV;
|
||||
+ r_opts.expand_realpath = 0;
|
||||
+ r_opts.abort_on_error = 1;
|
||||
+ r_opts.add_assoc = 1;
|
||||
+ r_opts.fts_flags = FTS_PHYSICAL | FTS_XDEV;
|
||||
ctx_validate = 1;
|
||||
} else {
|
||||
/*
|
||||
@@ -772,14 +263,14 @@
|
||||
* restorecon:
|
||||
* No recursive descent unless -r/-R,
|
||||
- * Expands paths via realpath,
|
||||
* Do not abort on errors during the file tree walk,
|
||||
* Do not try to track inode associations for conflict detection,
|
||||
* Follows mounts,
|
||||
* Does lazy validation of contexts upon use.
|
||||
*/
|
||||
@ -2960,14 +2955,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
- abort_on_error = 0;
|
||||
- add_assoc = 0;
|
||||
- fts_flags = FTS_PHYSICAL;
|
||||
+ r_opts.expand_realpath = 1;
|
||||
+ r_opts.abort_on_error = 0;
|
||||
+ r_opts.add_assoc = 0;
|
||||
+ r_opts.fts_flags = FTS_PHYSICAL;
|
||||
ctx_validate = 0;
|
||||
|
||||
/* restorecon only: silent exit if no SELinux.
|
||||
@@ -828,11 +319,6 @@
|
||||
@@ -828,11 +315,6 @@
|
||||
}
|
||||
case 'e':
|
||||
remove_exclude(optarg);
|
||||
@ -2979,7 +2973,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
if (add_exclude(optarg))
|
||||
exit(1);
|
||||
break;
|
||||
@@ -841,37 +327,37 @@
|
||||
@@ -841,37 +323,37 @@
|
||||
input_filename = optarg;
|
||||
break;
|
||||
case 'd':
|
||||
@ -3026,7 +3020,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
break;
|
||||
case 'R':
|
||||
case 'r':
|
||||
@@ -880,11 +366,11 @@
|
||||
@@ -880,11 +362,11 @@
|
||||
break;
|
||||
}
|
||||
if (optind + 1 >= argc) {
|
||||
@ -3040,7 +3034,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
fprintf(stderr,
|
||||
"%s: only one -r can be specified\n",
|
||||
argv[0]);
|
||||
@@ -895,23 +381,23 @@
|
||||
@@ -895,23 +377,23 @@
|
||||
case 's':
|
||||
use_input_file = 1;
|
||||
input_filename = "-";
|
||||
@ -3069,7 +3063,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
break;
|
||||
case 'W':
|
||||
warn_no_match = 1;
|
||||
@@ -959,18 +445,13 @@
|
||||
@@ -959,18 +441,13 @@
|
||||
}
|
||||
|
||||
/* Load the file contexts configuration and check it. */
|
||||
@ -3091,14 +3085,22 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
if (use_input_file) {
|
||||
FILE *f = stdin;
|
||||
ssize_t len;
|
||||
@@ -987,31 +468,34 @@
|
||||
@@ -987,31 +464,49 @@
|
||||
delim = (null_terminated != 0) ? '\0' : '\n';
|
||||
while ((len = getdelim(&buf, &buf_len, delim, f)) > 0) {
|
||||
buf[len - 1] = 0;
|
||||
- errors |= process_one(buf);
|
||||
+ if (!strcmp(buf, "/"))
|
||||
+ mass_relabel = 1;
|
||||
+ errors |= process_one(buf, recurse) < 0;
|
||||
+
|
||||
+ char *filename = realpath(buf, NULL);
|
||||
+ if (!filename) {
|
||||
+ fprintf(stderr, "realpath(%s) failed %s\n", buf,
|
||||
+ strerror(errno));
|
||||
+ return -1;
|
||||
+ }
|
||||
+ errors |= process_one(filename, recurse) < 0;
|
||||
+ free(filename);
|
||||
}
|
||||
if (strcmp(input_filename, "-") != 0)
|
||||
fclose(f);
|
||||
@ -3107,7 +3109,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
- errors |= process_one(argv[i]);
|
||||
+ if (!strcmp(argv[i], "/"))
|
||||
+ mass_relabel = 1;
|
||||
+ errors |= process_one(argv[i], recurse) < 0;
|
||||
+ char *filename = realpath(argv[i], NULL);
|
||||
+ if (!filename) {
|
||||
+ fprintf(stderr, "realpath(%s) failed %s\n", argv[i],
|
||||
+ strerror(errno));
|
||||
+ return -1;
|
||||
+ }
|
||||
+ errors |= process_one(filename, recurse) < 0;
|
||||
+ free(filename);
|
||||
}
|
||||
}
|
||||
-
|
||||
@ -3118,15 +3127,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
|
||||
if (warn_no_match)
|
||||
- selabel_stats(hnd);
|
||||
-
|
||||
- selabel_close(hnd);
|
||||
+ selabel_stats(r_opts.hnd);
|
||||
|
||||
- if (outfile)
|
||||
- fclose(outfile);
|
||||
- selabel_close(hnd);
|
||||
+ selabel_close(r_opts.hnd);
|
||||
+ restore_finish();
|
||||
|
||||
- if (outfile)
|
||||
- fclose(outfile);
|
||||
-
|
||||
- for (i = 0; i < excludeCtr; i++) {
|
||||
- free(excludeArray[i].directory);
|
||||
- }
|
||||
|
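Review bot: In the setfiles.c hunks at -3091 and -3107, a realpath() failure now does `return -1;` straight out of main, which (if I read the new side correctly) turns one unresolvable entry into an abort of the whole run — the getdelim buffer and the input FILE are left open, the selabel_close()/restore_finish() teardown further down is skipped, and the exit status becomes 255 rather than the `errors` value the rest of main reports. That is a behaviour change for restorecon, whose mode comment in the same file says it does "not abort on errors during the file tree walk", and the previous in-process_one check only failed that single entry; `errors |= 1; continue;` in the stdin loop and the argv loop would keep that contract while still reporting the bad path. A smaller point: the `mass_relabel = 1` test compares the raw `buf`/`argv[i]` against "/" before canonicalisation, so a spelling such as "/." that realpath() resolves to "/" would relabel the whole tree without the mass-relabel audit record; comparing `filename` after realpath() closes that gap. main() starts and ends outside these hunks, so the surrounding cleanup labels are inferred from the removed lines only.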
@ -6,7 +6,7 @@
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.0.71
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||
@ -265,6 +265,9 @@ fi
|
||||
exit 0
|
||||
|
||||
%changelog
|
||||
* Sat Aug 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-10
|
||||
- Fix realpath usage to only happen on argv input from user
|
||||
|
||||
* Fri Aug 21 2009 Ville Skyttä <ville.skytta@iki.fi> - 2.0.71-9
|
||||
- Don't try to remove restorecond after last erase (done already in %%preun).
|
||||
- Ensure scriptlets exit with status 0.
|
||||
|