* Sat Aug 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-10

- Fix realpath usage to only happen on argv input from user
This commit is contained in:
Daniel J Walsh 2009-08-22 12:08:34 +00:00
parent f6cc437735
commit 4b8a9749e9
2 changed files with 54 additions and 42 deletions


@ -105,7 +105,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+Exec=/usr/sbin/restorecond -u +Exec=/usr/sbin/restorecond -u
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.71/restorecond/restorecond.c diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.71/restorecond/restorecond.c
--- nsapolicycoreutils/restorecond/restorecond.c 2009-08-20 15:49:21.000000000 -0400 --- nsapolicycoreutils/restorecond/restorecond.c 2009-08-20 15:49:21.000000000 -0400
+++ policycoreutils-2.0.71/restorecond/restorecond.c 2009-08-20 15:30:44.000000000 -0400 +++ policycoreutils-2.0.71/restorecond/restorecond.c 2009-08-22 08:03:13.000000000 -0400
@@ -48,294 +48,38 @@ @@ -48,294 +48,38 @@
#include <signal.h> #include <signal.h>
#include <string.h> #include <string.h>
@ -430,7 +430,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
exit(0); exit(0);
} }
@@ -390,74 +134,35 @@ @@ -390,74 +134,33 @@
to see if it is one that we are watching. to see if it is one that we are watching.
*/ */
@ -511,12 +511,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ r_opts.verbose = 0; + r_opts.verbose = 0;
+ r_opts.logging = 0; + r_opts.logging = 0;
+ r_opts.rootpath = NULL; + r_opts.rootpath = NULL;
+ r_opts.expand_realpath = 0;
+ r_opts.rootpathlen = 0; + r_opts.rootpathlen = 0;
+ r_opts.outfile = NULL; + r_opts.outfile = NULL;
+ r_opts.force = 0; + r_opts.force = 0;
+ r_opts.hard_links = 0; + r_opts.hard_links = 0;
+ r_opts.expand_realpath = 1;
+ r_opts.abort_on_error = 0; + r_opts.abort_on_error = 0;
+ r_opts.add_assoc = 0; + r_opts.add_assoc = 0;
+ r_opts.fts_flags = FTS_PHYSICAL; + r_opts.fts_flags = FTS_PHYSICAL;
@ -529,7 +527,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
/* Register sighandlers */ /* Register sighandlers */
sa.sa_flags = 0; sa.sa_flags = 0;
@@ -467,38 +172,59 @@ @@ -467,38 +170,59 @@
set_matchpathcon_flags(MATCHPATHCON_NOTRANS); set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
@ -1685,8 +1683,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
ln -sf setfiles restorecon ln -sf setfiles restorecon
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.71/setfiles/restore.c diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.71/setfiles/restore.c
--- nsapolicycoreutils/setfiles/restore.c 1969-12-31 19:00:00.000000000 -0500 --- nsapolicycoreutils/setfiles/restore.c 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.71/setfiles/restore.c 2009-08-20 13:11:02.000000000 -0400 +++ policycoreutils-2.0.71/setfiles/restore.c 2009-08-22 07:59:20.000000000 -0400
@@ -0,0 +1,530 @@ @@ -0,0 +1,519 @@
+#include "restore.h" +#include "restore.h"
+ +
+#define SKIP -2 +#define SKIP -2
@ -1949,17 +1947,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ dev_t dev_num = 0; + dev_t dev_num = 0;
+ FTS *fts_handle; + FTS *fts_handle;
+ FTSENT *ftsent; + FTSENT *ftsent;
+
+ if (r_opts->expand_realpath) {
+ char *p;
+ p = realpath(name, NULL);
+ if (!p) {
+ fprintf(stderr, "realpath(%s) failed %s\n", name,
+ strerror(errno));
+ return -1;
+ }
+ name = p;
+ }
+ +
+ if (r_opts == NULL){ + if (r_opts == NULL){
+ fprintf(stderr, + fprintf(stderr,
@ -2219,8 +2206,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ +
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.71/setfiles/restore.h diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.71/setfiles/restore.h
--- nsapolicycoreutils/setfiles/restore.h 1969-12-31 19:00:00.000000000 -0500 --- nsapolicycoreutils/setfiles/restore.h 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.71/setfiles/restore.h 2009-08-20 12:53:16.000000000 -0400 +++ policycoreutils-2.0.71/setfiles/restore.h 2009-08-22 08:02:45.000000000 -0400
@@ -0,0 +1,50 @@ @@ -0,0 +1,49 @@
+#ifndef RESTORE_H +#ifndef RESTORE_H
+#define RESTORE_H +#define RESTORE_H
+#ifndef _GNU_SOURCE +#ifndef _GNU_SOURCE
@ -2256,7 +2243,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ FILE *outfile; + FILE *outfile;
+ int force; + int force;
+ struct selabel_handle *hnd; + struct selabel_handle *hnd;
+ int expand_realpath; /* Expand paths via realpath. */
+ int abort_on_error; /* Abort the file tree walk upon an error. */ + int abort_on_error; /* Abort the file tree walk upon an error. */
+ int quiet; + int quiet;
+ int fts_flags; /* Flags to fts, e.g. follow links, follow mounts */ + int fts_flags; /* Flags to fts, e.g. follow links, follow mounts */
@ -2273,7 +2259,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+#endif +#endif
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.71/setfiles/setfiles.c diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.71/setfiles/setfiles.c
--- nsapolicycoreutils/setfiles/setfiles.c 2009-08-12 12:08:15.000000000 -0400 --- nsapolicycoreutils/setfiles/setfiles.c 2009-08-12 12:08:15.000000000 -0400
+++ policycoreutils-2.0.71/setfiles/setfiles.c 2009-08-20 12:53:16.000000000 -0400 +++ policycoreutils-2.0.71/setfiles/setfiles.c 2009-08-22 08:06:25.000000000 -0400
@@ -1,26 +1,12 @@ @@ -1,26 +1,12 @@
-#ifndef _GNU_SOURCE -#ifndef _GNU_SOURCE
-#define _GNU_SOURCE -#define _GNU_SOURCE
@ -2837,7 +2823,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
- goto err; - goto err;
- } - }
- -
-
- ftsent = fts_read(fts_handle); - ftsent = fts_read(fts_handle);
- if (ftsent != NULL) { - if (ftsent != NULL) {
- /* Keep the inode of the first one. */ - /* Keep the inode of the first one. */
@ -2881,7 +2867,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
- if (expand_realpath) - if (expand_realpath)
- free(name); - free(name);
- return rc; - return rc;
-
-err: -err:
- if (!strcmp(name, "/")) - if (!strcmp(name, "/"))
- mass_relabel_errs = 1; - mass_relabel_errs = 1;
@ -2891,7 +2877,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
#ifndef USE_AUDIT #ifndef USE_AUDIT
static void maybe_audit_mass_relabel(void) static void maybe_audit_mass_relabel(void)
@@ -729,21 +209,32 @@ @@ -729,27 +209,37 @@
int use_input_file = 0; int use_input_file = 0;
char *buf = NULL; char *buf = NULL;
size_t buf_len; size_t buf_len;
@ -2932,7 +2918,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
if (!strcmp(base, SETFILES)) { if (!strcmp(base, SETFILES)) {
/* /*
@@ -757,10 +248,10 @@ * setfiles:
* Recursive descent,
- * Does not expand paths via realpath,
* Aborts on errors during the file tree walk,
* Try to track inode associations for conflict detection,
* Does not follow mounts,
@@ -757,29 +247,26 @@
*/ */
iamrestorecon = 0; iamrestorecon = 0;
recurse = 1; recurse = 1;
@ -2940,14 +2932,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
- abort_on_error = 1; - abort_on_error = 1;
- add_assoc = 1; - add_assoc = 1;
- fts_flags = FTS_PHYSICAL | FTS_XDEV; - fts_flags = FTS_PHYSICAL | FTS_XDEV;
+ r_opts.expand_realpath = 0;
+ r_opts.abort_on_error = 1; + r_opts.abort_on_error = 1;
+ r_opts.add_assoc = 1; + r_opts.add_assoc = 1;
+ r_opts.fts_flags = FTS_PHYSICAL | FTS_XDEV; + r_opts.fts_flags = FTS_PHYSICAL | FTS_XDEV;
ctx_validate = 1; ctx_validate = 1;
} else { } else {
/* /*
@@ -772,14 +263,14 @@ * restorecon:
* No recursive descent unless -r/-R,
- * Expands paths via realpath,
* Do not abort on errors during the file tree walk,
* Do not try to track inode associations for conflict detection,
* Follows mounts, * Follows mounts,
* Does lazy validation of contexts upon use. * Does lazy validation of contexts upon use.
*/ */
@ -2960,14 +2955,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
- abort_on_error = 0; - abort_on_error = 0;
- add_assoc = 0; - add_assoc = 0;
- fts_flags = FTS_PHYSICAL; - fts_flags = FTS_PHYSICAL;
+ r_opts.expand_realpath = 1;
+ r_opts.abort_on_error = 0; + r_opts.abort_on_error = 0;
+ r_opts.add_assoc = 0; + r_opts.add_assoc = 0;
+ r_opts.fts_flags = FTS_PHYSICAL; + r_opts.fts_flags = FTS_PHYSICAL;
ctx_validate = 0; ctx_validate = 0;
/* restorecon only: silent exit if no SELinux. /* restorecon only: silent exit if no SELinux.
@@ -828,11 +319,6 @@ @@ -828,11 +315,6 @@
} }
case 'e': case 'e':
remove_exclude(optarg); remove_exclude(optarg);
@ -2979,7 +2973,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
if (add_exclude(optarg)) if (add_exclude(optarg))
exit(1); exit(1);
break; break;
@@ -841,37 +327,37 @@ @@ -841,37 +323,37 @@
input_filename = optarg; input_filename = optarg;
break; break;
case 'd': case 'd':
@ -3026,7 +3020,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
break; break;
case 'R': case 'R':
case 'r': case 'r':
@@ -880,11 +366,11 @@ @@ -880,11 +362,11 @@
break; break;
} }
if (optind + 1 >= argc) { if (optind + 1 >= argc) {
@ -3040,7 +3034,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
fprintf(stderr, fprintf(stderr,
"%s: only one -r can be specified\n", "%s: only one -r can be specified\n",
argv[0]); argv[0]);
@@ -895,23 +381,23 @@ @@ -895,23 +377,23 @@
case 's': case 's':
use_input_file = 1; use_input_file = 1;
input_filename = "-"; input_filename = "-";
@ -3069,7 +3063,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
break; break;
case 'W': case 'W':
warn_no_match = 1; warn_no_match = 1;
@@ -959,18 +445,13 @@ @@ -959,18 +441,13 @@
} }
/* Load the file contexts configuration and check it. */ /* Load the file contexts configuration and check it. */
@ -3091,14 +3085,22 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
if (use_input_file) { if (use_input_file) {
FILE *f = stdin; FILE *f = stdin;
ssize_t len; ssize_t len;
@@ -987,31 +468,34 @@ @@ -987,31 +464,49 @@
delim = (null_terminated != 0) ? '\0' : '\n'; delim = (null_terminated != 0) ? '\0' : '\n';
while ((len = getdelim(&buf, &buf_len, delim, f)) > 0) { while ((len = getdelim(&buf, &buf_len, delim, f)) > 0) {
buf[len - 1] = 0; buf[len - 1] = 0;
- errors |= process_one(buf); - errors |= process_one(buf);
+ if (!strcmp(buf, "/")) + if (!strcmp(buf, "/"))
+ mass_relabel = 1; + mass_relabel = 1;
+ errors |= process_one(buf, recurse) < 0; +
+ char *filename = realpath(buf, NULL);
+ if (!filename) {
+ fprintf(stderr, "realpath(%s) failed %s\n", buf,
+ strerror(errno));
+ return -1;
+ }
+ errors |= process_one(filename, recurse) < 0;
+ free(filename);
} }
if (strcmp(input_filename, "-") != 0) if (strcmp(input_filename, "-") != 0)
fclose(f); fclose(f);
@ -3107,7 +3109,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
- errors |= process_one(argv[i]); - errors |= process_one(argv[i]);
+ if (!strcmp(argv[i], "/")) + if (!strcmp(argv[i], "/"))
+ mass_relabel = 1; + mass_relabel = 1;
+ errors |= process_one(argv[i], recurse) < 0; + char *filename = realpath(argv[i], NULL);
+ if (!filename) {
+ fprintf(stderr, "realpath(%s) failed %s\n", argv[i],
+ strerror(errno));
+ return -1;
+ }
+ errors |= process_one(filename, recurse) < 0;
+ free(filename);
} }
} }
- -
@ -3118,15 +3127,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
if (warn_no_match) if (warn_no_match)
- selabel_stats(hnd); - selabel_stats(hnd);
-
- selabel_close(hnd);
+ selabel_stats(r_opts.hnd); + selabel_stats(r_opts.hnd);
- if (outfile) - selabel_close(hnd);
- fclose(outfile);
+ selabel_close(r_opts.hnd); + selabel_close(r_opts.hnd);
+ restore_finish(); + restore_finish();
- if (outfile)
- fclose(outfile);
-
- for (i = 0; i < excludeCtr; i++) { - for (i = 0; i < excludeCtr; i++) {
- free(excludeArray[i].directory); - free(excludeArray[i].directory);
- } - }
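Review bot: In both new setfiles.c loops (the `-f` input-file loop and the argv loop) a failed `realpath()` now does `return -1;` straight out of main, so one unresolvable entry aborts the whole run mid-batch, skips the `selabel_close(r_opts.hnd)`/`restore_finish()` cleanup further down, and exits with status 255 rather than the normal error status — before this change the failure came back from process_one and was folded into `errors`, so the remaining entries were still processed, which matches the restorecon default stated in the same hunk ("Do not abort on errors during the file tree walk"). Suggest replacing the early return in both places with `errors |= 1; continue;` so the existing error accounting and cleanup still apply. Separately, removing `expand_realpath` means setfiles arguments are now canonicalised too, although the deleted comment said setfiles "Does not expand paths via realpath"; if that is intended it should be stated in the commit message, since a symlink given as a setfiles root is now walked via its target. A smaller point is that `mass_relabel` is still tested against the raw input, so `/.` or `//` resolves to `/` without setting it; testing `filename` after realpath would close that gap. main's body begins and ends outside the visible hunks.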


@ -6,7 +6,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.0.71 Version: 2.0.71
Release: 9%{?dist} Release: 10%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -265,6 +265,9 @@ fi
exit 0 exit 0
%changelog %changelog
* Sat Aug 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-10
- Fix realpath usage to only happen on argv input from user
* Fri Aug 21 2009 Ville Skyttä <ville.skytta@iki.fi> - 2.0.71-9 * Fri Aug 21 2009 Ville Skyttä <ville.skytta@iki.fi> - 2.0.71-9
- Don't try to remove restorecond after last erase (done already in %%preun). - Don't try to remove restorecond after last erase (done already in %%preun).
- Ensure scriptlets exit with status 0. - Ensure scriptlets exit with status 0.