From 942b683f29eba458d3fc1cba3dad05980363c5e2 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 9 Nov 2009 21:12:58 +0000 Subject: [PATCH] * Tue Nov 2 2009 Dan Walsh 2.0.75-1 - Update to upstream * Factor out restoring logic from setfiles.c into restore.c --- .cvsignore | 1 + policycoreutils-rhat.patch | 1625 +++--------------------------------- policycoreutils.spec | 8 +- sources | 3 +- 4 files changed, 117 insertions(+), 1520 deletions(-) diff --git a/.cvsignore b/.cvsignore index 78fa5a0..1ae5f20 100644 --- a/.cvsignore +++ b/.cvsignore @@ -208,3 +208,4 @@ policycoreutils-2.0.71.tgz sepolgen-1.0.17.tgz policycoreutils-2.0.73.tgz policycoreutils-2.0.74.tgz +policycoreutils-2.0.75.tgz diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index eff746b..7834d42 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1,6 +1,6 @@ -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.74/audit2allow/audit2allow +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.75/audit2allow/audit2allow --- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500 -+++ policycoreutils-2.0.74/audit2allow/audit2allow 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/audit2allow/audit2allow 2009-11-03 09:44:56.000000000 -0500 @@ -42,6 +42,8 @@ from optparse import OptionParser @@ -38,9 +38,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po else: # This is the default if no input is specified f = sys.stdin -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/load_policy/Makefile policycoreutils-2.0.74/load_policy/Makefile +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/load_policy/Makefile policycoreutils-2.0.75/load_policy/Makefile --- nsapolicycoreutils/load_policy/Makefile 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.74/load_policy/Makefile 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/load_policy/Makefile 2009-11-03 09:44:56.000000000 -0500 @@ -1,6 +1,7 @@ # Installation directories. PREFIX ?= ${DESTDIR}/usr @@ -59,18 +59,18 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po clean: -rm -f $(TARGETS) *.o -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.74/Makefile +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.75/Makefile --- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.74/Makefile 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/Makefile 2009-11-03 09:44:56.000000000 -0500 @@ -1,4 +1,4 @@ -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po +SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.74/restorecond/Makefile +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.75/restorecond/Makefile --- nsapolicycoreutils/restorecond/Makefile 2009-08-20 15:49:21.000000000 -0400 -+++ policycoreutils-2.0.74/restorecond/Makefile 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/restorecond/Makefile 2009-11-03 09:44:56.000000000 -0500 @@ -1,17 +1,28 @@ # Installation directories. PREFIX ?= ${DESTDIR}/usr @@ -117,16 +117,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po relabel: install /sbin/restorecon $(SBINDIR)/restorecond -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.74/restorecond/org.selinux.Restorecond.service +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.75/restorecond/org.selinux.Restorecond.service --- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/restorecond/org.selinux.Restorecond.service 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/restorecond/org.selinux.Restorecond.service 2009-11-03 09:44:56.000000000 -0500 @@ -0,0 +1,3 @@ +[D-BUS Service] +Name=org.selinux.Restorecond +Exec=/usr/sbin/restorecond -u -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.74/restorecond/restorecond.8 +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.75/restorecond/restorecond.8 --- nsapolicycoreutils/restorecond/restorecond.8 2009-08-20 15:49:21.000000000 -0400 -+++ policycoreutils-2.0.74/restorecond/restorecond.8 2009-10-20 09:32:14.000000000 -0400 ++++ policycoreutils-2.0.75/restorecond/restorecond.8 2009-11-03 09:44:56.000000000 -0500 @@ -3,7 +3,7 @@ restorecond \- daemon that watches for file creation and then sets the default SELinux file context @@ -161,9 +161,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po .SH "SEE ALSO" .BR restorecon (8), -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.74/restorecond/restorecond.c +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.75/restorecond/restorecond.c --- nsapolicycoreutils/restorecond/restorecond.c 2009-08-20 15:49:21.000000000 -0400 -+++ policycoreutils-2.0.74/restorecond/restorecond.c 2009-10-20 09:29:06.000000000 -0400 ++++ policycoreutils-2.0.75/restorecond/restorecond.c 2009-11-03 09:47:48.000000000 -0500 @@ -30,9 +30,11 @@ * and makes sure that there security context matches the systems defaults * @@ -501,7 +501,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po exit(0); } -@@ -390,74 +136,33 @@ +@@ -390,74 +136,34 @@ to see if it is one that we are watching. */ @@ -588,6 +588,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + r_opts.hard_links = 0; + r_opts.abort_on_error = 0; + r_opts.add_assoc = 0; ++ r_opts.expand_realpath = 0; + r_opts.fts_flags = FTS_PHYSICAL; + r_opts.selabel_opt_validate = NULL; + r_opts.selabel_opt_path = NULL; @@ -598,7 +599,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po /* Register sighandlers */ sa.sa_flags = 0; -@@ -467,38 +172,59 @@ +@@ -467,38 +173,59 @@ set_matchpathcon_flags(MATCHPATHCON_NOTRANS); @@ -667,9 +668,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po } + + -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.74/restorecond/restorecond.conf +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.75/restorecond/restorecond.conf --- nsapolicycoreutils/restorecond/restorecond.conf 2009-08-20 15:49:21.000000000 -0400 -+++ policycoreutils-2.0.74/restorecond/restorecond.conf 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/restorecond/restorecond.conf 2009-11-03 09:44:56.000000000 -0500 @@ -4,8 +4,5 @@ /etc/mtab /var/run/utmp @@ -680,9 +681,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po /root/.ssh/* - - -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.74/restorecond/restorecond.desktop +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.75/restorecond/restorecond.desktop --- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/restorecond/restorecond.desktop 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/restorecond/restorecond.desktop 2009-11-03 09:44:56.000000000 -0500 @@ -0,0 +1,7 @@ +[Desktop Entry] +Name=File Context maintainer @@ -691,9 +692,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +Encoding=UTF-8 +Type=Application +StartupNotify=false -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.74/restorecond/restorecond.h +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.75/restorecond/restorecond.h --- nsapolicycoreutils/restorecond/restorecond.h 2009-08-20 15:49:21.000000000 -0400 -+++ policycoreutils-2.0.74/restorecond/restorecond.h 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/restorecond/restorecond.h 2009-11-03 09:44:56.000000000 -0500 @@ -24,7 +24,21 @@ #ifndef RESTORED_CONFIG_H #define RESTORED_CONFIG_H @@ -718,9 +719,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +extern void watch_list_free(int fd); #endif -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.74/restorecond/restorecond.init +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.75/restorecond/restorecond.init --- nsapolicycoreutils/restorecond/restorecond.init 2009-08-20 15:49:21.000000000 -0400 -+++ policycoreutils-2.0.74/restorecond/restorecond.init 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/restorecond/restorecond.init 2009-11-03 09:44:56.000000000 -0500 @@ -75,16 +75,15 @@ status restorecond RETVAL=$? @@ -740,15 +741,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po exit $RETVAL - -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.74/restorecond/restorecond_user.conf +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.75/restorecond/restorecond_user.conf --- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/restorecond/restorecond_user.conf 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/restorecond/restorecond_user.conf 2009-11-03 09:44:56.000000000 -0500 @@ -0,0 +1,2 @@ +~/* +~/public_html/* -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.74/restorecond/user.c +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.75/restorecond/user.c --- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/restorecond/user.c 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/restorecond/user.c 2009-11-03 09:44:56.000000000 -0500 @@ -0,0 +1,237 @@ +/* + * restorecond @@ -987,9 +988,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + return 0; +} + -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.74/restorecond/watch.c +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.75/restorecond/watch.c --- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/restorecond/watch.c 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/restorecond/watch.c 2009-11-03 09:46:05.000000000 -0500 @@ -0,0 +1,253 @@ +#define _GNU_SOURCE +#include @@ -1049,8 +1050,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + int len = strlen(globbuf.gl_pathv[i]) -2; + if (len > 0 && strcmp(&globbuf.gl_pathv[i][len--], "/.") == 0) continue; + if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0) continue; -+ if (process_one(globbuf.gl_pathv[i], 0) > 0) -+ process_one(globbuf.gl_pathv[i], 1); ++ if (process_one_realpath(globbuf.gl_pathv[i], 0) > 0) ++ process_one_realpath(globbuf.gl_pathv[i], 1); + } + globfree(&globbuf); + } @@ -1113,7 +1114,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + 0) + exitApp("Error allocating memory."); + -+ process_one(path, 0); ++ process_one_realpath(path, 0); + free(path); + return 0; + } @@ -1244,17 +1245,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + exitApp("Error watching config file."); +} + -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.74/sandbox/deliverables/basicwrapper +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.75/sandbox/deliverables/basicwrapper --- nsapolicycoreutils/sandbox/deliverables/basicwrapper 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/deliverables/basicwrapper 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/sandbox/deliverables/basicwrapper 2009-11-03 09:44:56.000000000 -0500 @@ -0,0 +1,4 @@ +import os, sys +SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']] +SANDBOX_ARGS.extend(sys.argv[1::]) +os.execv('/usr/bin/sandbox',SANDBOX_ARGS) -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.74/sandbox/deliverables/README +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.75/sandbox/deliverables/README --- nsapolicycoreutils/sandbox/deliverables/README 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/deliverables/README 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/sandbox/deliverables/README 2009-11-03 09:44:56.000000000 -0500 @@ -0,0 +1,32 @@ +Files: +run-in-sandbox.py: @@ -1288,9 +1289,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + +Thanks for a great summer. +Chris Pardy -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.74/sandbox/deliverables/run-in-sandbox.py +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.75/sandbox/deliverables/run-in-sandbox.py --- nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/deliverables/run-in-sandbox.py 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/sandbox/deliverables/run-in-sandbox.py 2009-11-03 09:44:56.000000000 -0500 @@ -0,0 +1,49 @@ +import os +import os.path @@ -1341,9 +1342,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + def get_background_items(self, window, file): + return + -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/sandbox policycoreutils-2.0.74/sandbox/deliverables/sandbox +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/sandbox policycoreutils-2.0.75/sandbox/deliverables/sandbox --- nsapolicycoreutils/sandbox/deliverables/sandbox 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/deliverables/sandbox 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/sandbox/deliverables/sandbox 2009-11-03 09:44:56.000000000 -0500 @@ -0,0 +1,216 @@ +#!/usr/bin/python -E +import os, sys, getopt, socket, random, fcntl, shutil @@ -1561,9 +1562,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + + sys.exit(rc) + -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.74/sandbox/Makefile +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.75/sandbox/Makefile --- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/Makefile 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/sandbox/Makefile 2009-11-03 09:44:56.000000000 -0500 @@ -0,0 +1,31 @@ +# Installation directories. +PREFIX ?= ${DESTDIR}/usr @@ -1596,9 +1597,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + ../../scripts/Lindent $(wildcard *.[ch]) + +relabel: -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.74/sandbox/sandbox +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.75/sandbox/sandbox --- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/sandbox 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/sandbox/sandbox 2009-11-04 22:17:55.000000000 -0500 @@ -0,0 +1,242 @@ +#!/usr/bin/python -E +import os, sys, getopt, socket, random, fcntl, shutil @@ -1786,10 +1787,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + warnings.simplefilter("ignore") + newhomedir = os.tempnam(".", ".sandbox%s") + os.mkdir(newhomedir) -+ selinux.setfilecon(newhomedir, filecon) + newtmpdir = os.tempnam("/tmp", ".sandbox") + os.mkdir(newtmpdir) -+ selinux.setfilecon(newtmpdir, filecon) ++ chcon = ("/usr/bin/chcon %s %s %s" % (filecon, newhomedir, newtmpdir)).split() ++ rc = os.spawnvp(os.P_WAIT, chcon[0], chcon) + warnings.resetwarnings() + paths = [] + for i in cmds: @@ -1842,9 +1843,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + + sys.exit(rc) + -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.74/sandbox/sandbox.8 +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.75/sandbox/sandbox.8 --- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/sandbox.8 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/sandbox/sandbox.8 2009-11-03 09:44:56.000000000 -0500 @@ -0,0 +1,26 @@ +.TH SANDBOX "8" "May 2009" "chcat" "User Commands" +.SH NAME @@ -1872,9 +1873,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +.TP +runcon(1) +.PP -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.74/sandbox/sandboxX.sh +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.75/sandbox/sandboxX.sh --- nsapolicycoreutils/sandbox/sandboxX.sh 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/sandboxX.sh 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/sandbox/sandboxX.sh 2009-11-03 09:44:56.000000000 -0500 @@ -0,0 +1,16 @@ +#!/bin/bash +export TITLE="Sandbox: `/usr/bin/tail -1 ~/.sandboxrc | /usr/bin/cut -b1-70`" @@ -1892,9 +1893,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +kill -HUP 0 +break +done -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.74/sandbox/seunshare.c +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.75/sandbox/seunshare.c --- nsapolicycoreutils/sandbox/seunshare.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/seunshare.c 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/sandbox/seunshare.c 2009-11-03 09:44:56.000000000 -0500 @@ -0,0 +1,265 @@ +#include +#include @@ -2161,9 +2162,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + + return status; +} -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.74/scripts/chcat +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.75/scripts/chcat --- nsapolicycoreutils/scripts/chcat 2009-06-23 15:36:07.000000000 -0400 -+++ policycoreutils-2.0.74/scripts/chcat 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/scripts/chcat 2009-11-03 09:44:56.000000000 -0500 @@ -435,6 +435,8 @@ continue except ValueError, e: @@ -2173,9 +2174,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po sys.exit(errors) -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.74/scripts/fixfiles +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.75/scripts/fixfiles --- nsapolicycoreutils/scripts/fixfiles 2009-08-05 15:10:56.000000000 -0400 -+++ policycoreutils-2.0.74/scripts/fixfiles 2009-10-22 08:49:41.000000000 -0400 ++++ policycoreutils-2.0.75/scripts/fixfiles 2009-11-03 09:44:56.000000000 -0500 @@ -27,7 +27,6 @@ FORCEFLAG="" DIRS="" @@ -2251,9 +2252,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po l) LOGFILE=$OPTARG ;; -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.74/scripts/fixfiles.8 +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.75/scripts/fixfiles.8 --- nsapolicycoreutils/scripts/fixfiles.8 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.74/scripts/fixfiles.8 2009-10-22 08:55:09.000000000 -0400 ++++ policycoreutils-2.0.75/scripts/fixfiles.8 2009-11-03 09:44:56.000000000 -0500 @@ -3,11 +3,18 @@ fixfiles \- fix file SELinux security contexts. @@ -2287,9 +2288,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po .B -F Force reset of context to match file_context for customizable files -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.74/scripts/Makefile +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.75/scripts/Makefile --- nsapolicycoreutils/scripts/Makefile 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.74/scripts/Makefile 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/scripts/Makefile 2009-11-03 09:44:56.000000000 -0500 @@ -5,7 +5,7 @@ MANDIR ?= $(PREFIX)/share/man LOCALEDIR ?= /usr/share/locale @@ -2299,9 +2300,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po install: all -mkdir -p $(BINDIR) -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.74/semanage/semanage +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.75/semanage/semanage --- nsapolicycoreutils/semanage/semanage 2009-09-08 09:03:10.000000000 -0400 -+++ policycoreutils-2.0.74/semanage/semanage 2009-10-30 16:31:40.000000000 -0400 ++++ policycoreutils-2.0.75/semanage/semanage 2009-11-03 09:44:56.000000000 -0500 @@ -39,19 +39,27 @@ __builtin__.__dict__['_'] = unicode @@ -2665,9 +2666,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po process_args(mkargv(l)) trans.finish() else: -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.74/semanage/seobject.py +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.75/semanage/seobject.py --- nsapolicycoreutils/semanage/seobject.py 2009-09-08 09:03:10.000000000 -0400 -+++ policycoreutils-2.0.74/semanage/seobject.py 2009-11-02 11:39:02.000000000 -0500 ++++ policycoreutils-2.0.75/semanage/seobject.py 2009-11-09 16:03:04.000000000 -0500 @@ -37,40 +37,6 @@ import syslog @@ -3067,17 +3068,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po if is_mls_enabled == 1: if serange == "": serange = "s0" -@@ -843,7 +880,8 @@ - if rc < 0: - raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port)) - if exists: -- raise ValueError(_("Port %s/%s already defined") % (proto, port)) -+ semanage_port_key_free(k) -+ return self.__modify(port, proto, serange, type) - - (rc, p) = semanage_port_create(self.sh) - if rc < 0: -@@ -890,6 +928,7 @@ +@@ -890,6 +927,7 @@ self.commit() def __modify(self, port, proto, serange, setype): @@ -3085,7 +3076,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po if serange == "" and setype == "": if is_mls_enabled == 1: raise ValueError(_("Requires setype or serange")) -@@ -1024,6 +1063,18 @@ +@@ -1024,6 +1062,18 @@ ddict[(ctype,proto_str)].append("%d-%d" % (low, high)) return ddict @@ -3104,7 +3095,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po def list(self, heading = 1, locallist = 0): if heading: print "%-30s %-8s %s\n" % (_("SELinux Port Type"), _("Proto"), _("Port Number")) -@@ -1040,7 +1091,8 @@ +@@ -1040,7 +1090,8 @@ class nodeRecords(semanageRecords): def __init__(self, store = ""): semanageRecords.__init__(self,store) @@ -3114,7 +3105,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po def __add(self, addr, mask, proto, serange, ctype): if addr == "": raise ValueError(_("Node Address is required")) -@@ -1048,14 +1100,11 @@ +@@ -1048,14 +1099,11 @@ if mask == "": raise ValueError(_("Node Netmask is required")) @@ -3132,7 +3123,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po if is_mls_enabled == 1: if serange == "": serange = "s0" -@@ -1073,7 +1122,8 @@ +@@ -1073,7 +1121,8 @@ (rc, exists) = semanage_node_exists(self.sh, k) if exists: @@ -3142,7 +3133,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po (rc, node) = semanage_node_create(self.sh) if rc < 0: -@@ -1120,7 +1170,7 @@ +@@ -1120,7 +1169,7 @@ def add(self, addr, mask, proto, serange, ctype): self.begin() @@ -3151,7 +3142,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po self.commit() def __modify(self, addr, mask, proto, serange, setype): -@@ -1129,13 +1179,10 @@ +@@ -1129,13 +1178,10 @@ if mask == "": raise ValueError(_("Node Netmask is required")) @@ -3169,7 +3160,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po if serange == "" and setype == "": raise ValueError(_("Requires setype or serange")) -@@ -1180,11 +1227,9 @@ +@@ -1180,11 +1226,9 @@ if mask == "": raise ValueError(_("Node Netmask is required")) @@ -3184,7 +3175,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po raise ValueError(_("Unknown or missing protocol")) (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) -@@ -1214,6 +1259,16 @@ +@@ -1214,6 +1258,16 @@ self.__delete(addr, mask, proto) self.commit() @@ -3201,7 +3192,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po def get_all(self, locallist = 0): ddict = {} if locallist : -@@ -1227,15 +1282,20 @@ +@@ -1227,15 +1281,20 @@ con = semanage_node_get_con(node) addr = semanage_node_get_addr(self.sh, node) mask = semanage_node_get_mask(self.sh, node) @@ -3227,7 +3218,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po def list(self, heading = 1, locallist = 0): if heading: print "%-18s %-18s %-5s %-5s\n" % ("IP Address", "Netmask", "Protocol", "Context") -@@ -1275,7 +1335,8 @@ +@@ -1275,7 +1334,8 @@ if rc < 0: raise ValueError(_("Could not check if interface %s is defined") % interface) if exists: @@ -3237,7 +3228,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po (rc, iface) = semanage_iface_create(self.sh) if rc < 0: -@@ -1389,6 +1450,16 @@ +@@ -1389,6 +1449,16 @@ self.__delete(interface) self.commit() @@ -3254,7 +3245,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po def get_all(self, locallist = 0): ddict = {} if locallist: -@@ -1404,6 +1475,15 @@ +@@ -1404,6 +1474,15 @@ return ddict @@ -3270,7 +3261,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po def list(self, heading = 1, locallist = 0): if heading: print "%-30s %s\n" % (_("SELinux Interface"), _("Context")) -@@ -1420,6 +1500,48 @@ +@@ -1420,6 +1499,48 @@ class fcontextRecords(semanageRecords): def __init__(self, store = ""): semanageRecords.__init__(self, store) @@ -3319,7 +3310,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po def createcon(self, target, seuser = "system_u"): (rc, con) = semanage_context_create(self.sh) -@@ -1470,7 +1592,8 @@ +@@ -1470,7 +1591,8 @@ raise ValueError(_("Could not check if file context for %s is defined") % target) if exists: @@ -3329,7 +3320,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po (rc, fcontext) = semanage_fcontext_create(self.sh) if rc < 0: -@@ -1586,9 +1709,16 @@ +@@ -1586,9 +1708,16 @@ raise ValueError(_("Could not delete the file context %s") % target) semanage_fcontext_key_free(k) @@ -3346,7 +3337,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po (rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) if rc < 0: raise ValueError(_("Could not create a key for %s") % target) -@@ -1643,12 +1773,22 @@ +@@ -1643,12 +1772,22 @@ return ddict @@ -3371,7 +3362,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po for k in keys: if fcon_dict[k]: if is_mls_enabled: -@@ -1794,6 +1934,16 @@ +@@ -1794,6 +1933,16 @@ else: return _("unknown") @@ -3388,9 +3379,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po def list(self, heading = True, locallist = False, use_file = False): on_off = (_("off"), _("on")) if use_file: -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.8 policycoreutils-2.0.74/semodule/semodule.8 +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.8 policycoreutils-2.0.75/semodule/semodule.8 --- nsapolicycoreutils/semodule/semodule.8 2009-09-17 08:59:43.000000000 -0400 -+++ policycoreutils-2.0.74/semodule/semodule.8 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/semodule/semodule.8 2009-11-03 09:44:56.000000000 -0500 @@ -35,6 +35,12 @@ .B \-b,\-\-base=MODULE_PKG install/replace base module package @@ -3404,9 +3395,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po .B \-r,\-\-remove=MODULE_NAME remove existing module .TP -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.c policycoreutils-2.0.74/semodule/semodule.c +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.c policycoreutils-2.0.75/semodule/semodule.c --- nsapolicycoreutils/semodule/semodule.c 2009-09-17 08:59:43.000000000 -0400 -+++ policycoreutils-2.0.74/semodule/semodule.c 2009-10-15 10:37:41.000000000 -0400 ++++ policycoreutils-2.0.75/semodule/semodule.c 2009-11-03 09:44:56.000000000 -0500 @@ -22,12 +22,12 @@ #include @@ -3524,544 +3515,25 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po semanage_module_info_datum_destroy (m); } -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/Makefile policycoreutils-2.0.74/setfiles/Makefile ---- nsapolicycoreutils/setfiles/Makefile 2009-07-07 15:32:32.000000000 -0400 -+++ policycoreutils-2.0.74/setfiles/Makefile 2009-10-15 10:37:41.000000000 -0400 -@@ -16,7 +16,7 @@ +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.75/setfiles/restore.c +--- nsapolicycoreutils/setfiles/restore.c 2009-11-03 09:21:40.000000000 -0500 ++++ policycoreutils-2.0.75/setfiles/restore.c 2009-11-03 09:44:56.000000000 -0500 +@@ -303,6 +303,12 @@ + FTS *fts_handle; + FTSENT *ftsent; - all: setfiles restorecon - --setfiles: setfiles.o -+setfiles: setfiles.o restore.o - - restorecon: setfiles - ln -sf setfiles restorecon -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.74/setfiles/restore.c ---- nsapolicycoreutils/setfiles/restore.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/setfiles/restore.c 2009-10-15 10:37:41.000000000 -0400 -@@ -0,0 +1,519 @@ -+#include "restore.h" -+ -+#define SKIP -2 -+#define ERR -1 -+#define MAX_EXCLUDES 1000 -+ -+/* -+ * The hash table of associations, hashed by inode number. -+ * Chaining is used for collisions, with elements ordered -+ * by inode number in each bucket. Each hash bucket has a dummy -+ * header. -+ */ -+#define HASH_BITS 16 -+#define HASH_BUCKETS (1 << HASH_BITS) -+#define HASH_MASK (HASH_BUCKETS-1) -+ -+/* -+ * An association between an inode and a context. -+ */ -+typedef struct file_spec { -+ ino_t ino; /* inode number */ -+ char *con; /* matched context */ -+ char *file; /* full pathname */ -+ struct file_spec *next; /* next association in hash bucket chain */ -+} file_spec_t; -+ -+struct edir { -+ char *directory; -+ size_t size; -+}; -+ -+ -+static file_spec_t *fl_head; -+static int exclude(const char *file); -+static int filespec_add(ino_t ino, const security_context_t con, const char *file); -+static int only_changed_user(const char *a, const char *b); -+struct restore_opts *r_opts = NULL; -+static void filespec_destroy(void); -+static void filespec_eval(void); -+static int excludeCtr = 0; -+static struct edir excludeArray[MAX_EXCLUDES]; -+ -+void remove_exclude(const char *directory) -+{ -+ int i = 0; -+ for (i = 0; i < excludeCtr; i++) { -+ if (strcmp(directory, excludeArray[i].directory) == 0) { -+ if (i != excludeCtr-1) -+ excludeArray[i] = excludeArray[excludeCtr-1]; -+ excludeCtr--; -+ return; -+ } -+ } -+ return; -+ -+} -+ -+void restore_init(struct restore_opts *opts) -+{ -+ r_opts = opts; -+ struct selinux_opt selinux_opts[] = { -+ { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate }, -+ { SELABEL_OPT_PATH, r_opts->selabel_opt_path } -+ }; -+ r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 2); -+ if (!r_opts->hnd) { -+ perror(r_opts->selabel_opt_path); -+ exit(1); -+ } -+} -+ -+void restore_finish() -+{ -+ int i; -+ for (i = 0; i < excludeCtr; i++) { -+ free(excludeArray[i].directory); -+ } -+} -+ -+static int match(const char *name, struct stat *sb, char **con) -+{ -+ if (!(r_opts->hard_links) && !S_ISDIR(sb->st_mode) && (sb->st_nlink > 1)) { -+ fprintf(stderr, "Warning! %s refers to a hard link, not fixing hard links.\n", -+ name); -+ return -1; -+ } -+ -+ if (NULL != r_opts->rootpath) { -+ if (0 != strncmp(r_opts->rootpath, name, r_opts->rootpathlen)) { -+ fprintf(stderr, "%s: %s is not located in %s\n", -+ r_opts->progname, name, r_opts->rootpath); -+ return -1; -+ } -+ name += r_opts->rootpathlen; -+ } -+ -+ if (r_opts->rootpath != NULL && name[0] == '\0') -+ /* this is actually the root dir of the alt root */ -+ return selabel_lookup_raw(r_opts->hnd, con, "/", sb->st_mode); -+ else -+ return selabel_lookup_raw(r_opts->hnd, con, name, sb->st_mode); -+} -+static int restore(FTSENT *ftsent) -+{ -+ char *my_file = strdupa(ftsent->fts_path); -+ int ret; -+ char *context, *newcon; -+ int user_only_changed = 0; -+ if (match(my_file, ftsent->fts_statp, &newcon) < 0) -+ /* Check for no matching specification. */ -+ return (errno == ENOENT) ? 0 : -1; -+ -+ if (r_opts->progress) { -+ r_opts->count++; -+ if (r_opts->count % (80 * STAR_COUNT) == 0) { -+ fprintf(stdout, "\n"); -+ fflush(stdout); -+ } -+ if (r_opts->count % STAR_COUNT == 0) { -+ fprintf(stdout, "*"); -+ fflush(stdout); -+ } -+ } -+ -+ /* -+ * Try to add an association between this inode and -+ * this specification. If there is already an association -+ * for this inode and it conflicts with this specification, -+ * then use the last matching specification. -+ */ -+ if (r_opts->add_assoc) { -+ ret = filespec_add(ftsent->fts_statp->st_ino, newcon, my_file); -+ if (ret < 0) -+ goto err; -+ -+ if (ret > 0) -+ /* There was already an association and it took precedence. */ -+ goto out; -+ } -+ -+ if (r_opts->debug) { -+ printf("%s: %s matched by %s\n", r_opts->progname, my_file, newcon); -+ } -+ -+ /* Get the current context of the file. */ -+ ret = lgetfilecon_raw(ftsent->fts_accpath, &context); -+ if (ret < 0) { -+ if (errno == ENODATA) { -+ context = NULL; -+ } else { -+ fprintf(stderr, "%s get context on %s failed: '%s'\n", -+ r_opts->progname, my_file, strerror(errno)); -+ goto err; -+ } -+ user_only_changed = 0; -+ } else -+ user_only_changed = only_changed_user(context, newcon); -+ /* lgetfilecon returns number of characters and ret needs to be reset -+ * to 0. -+ */ -+ ret = 0; -+ -+ /* -+ * Do not relabel the file if the matching specification is -+ * <> or the file is already labeled according to the -+ * specification. -+ */ -+ if ((strcmp(newcon, "<>") == 0) || -+ (context && (strcmp(context, newcon) == 0))) { -+ freecon(context); -+ goto out; -+ } -+ -+ if (!r_opts->force && context && (is_context_customizable(context) > 0)) { -+ if (r_opts->verbose > 1) { -+ fprintf(stderr, -+ "%s: %s not reset customized by admin to %s\n", -+ r_opts->progname, my_file, context); -+ } -+ freecon(context); -+ goto out; -+ } -+ -+ if (r_opts->verbose) { -+ /* If we're just doing "-v", trim out any relabels where -+ * the user has r_opts->changed but the role and type are the -+ * same. For "-vv", emit everything. */ -+ if (r_opts->verbose > 1 || !user_only_changed) { -+ printf("%s reset %s context %s->%s\n", -+ r_opts->progname, my_file, context ?: "", newcon); -+ } -+ } -+ -+ if (r_opts->logging && !user_only_changed) { -+ if (context) -+ syslog(LOG_INFO, "relabeling %s from %s to %s\n", -+ my_file, context, newcon); -+ else -+ syslog(LOG_INFO, "labeling %s to %s\n", -+ my_file, newcon); -+ } -+ -+ if (r_opts->outfile && !user_only_changed) -+ fprintf(r_opts->outfile, "%s\n", my_file); -+ -+ if (context) -+ freecon(context); -+ -+ /* -+ * Do not relabel the file if -n was used. -+ */ -+ if (!r_opts->change || user_only_changed) -+ goto out; -+ -+ /* -+ * Relabel the file to the specified context. -+ */ -+ ret = lsetfilecon(ftsent->fts_accpath, newcon); -+ if (ret) { -+ fprintf(stderr, "%s set context %s->%s failed:'%s'\n", -+ r_opts->progname, my_file, newcon, strerror(errno)); -+ goto skip; -+ } -+ ret = 1; -+out: -+ freecon(newcon); -+ return ret; -+skip: -+ freecon(newcon); -+ return SKIP; -+err: -+ freecon(newcon); -+ return ERR; -+} -+/* -+ * Apply the last matching specification to a file. -+ * This function is called by fts on each file during -+ * the directory traversal. -+ */ -+static int apply_spec(FTSENT *ftsent) -+{ -+ if (ftsent->fts_info == FTS_DNR) { -+ fprintf(stderr, "%s: unable to read directory %s\n", -+ r_opts->progname, ftsent->fts_path); -+ return SKIP; -+ } -+ -+ int rc = restore(ftsent); -+ if (rc == ERR) { -+ if (!r_opts->abort_on_error) -+ return SKIP; -+ } -+ return rc; -+} -+ -+int process_one(char *name, int recurse_this_path) -+{ -+ int rc = 0; -+ const char *namelist[2] = {name, NULL}; -+ dev_t dev_num = 0; -+ FTS *fts_handle; -+ FTSENT *ftsent; -+ + if (r_opts == NULL){ + fprintf(stderr, + "Must call initialize first!"); + goto err; + } + -+ fts_handle = fts_open((char **)namelist, r_opts->fts_flags, NULL); -+ if (fts_handle == NULL) { -+ fprintf(stderr, -+ "%s: error while labeling %s: %s\n", -+ r_opts->progname, namelist[0], strerror(errno)); -+ goto err; -+ } -+ -+ -+ ftsent = fts_read(fts_handle); -+ if (ftsent != NULL) { -+ /* Keep the inode of the first one. */ -+ dev_num = ftsent->fts_statp->st_dev; -+ } -+ -+ do { -+ rc = 0; -+ /* Skip the post order nodes. */ -+ if (ftsent->fts_info == FTS_DP) -+ continue; -+ /* If the XDEV flag is set and the device is different */ -+ if (ftsent->fts_statp->st_dev != dev_num && -+ FTS_XDEV == (r_opts->fts_flags & FTS_XDEV)) -+ continue; -+ if (excludeCtr > 0) { -+ if (exclude(ftsent->fts_path)) { -+ fts_set(fts_handle, ftsent, FTS_SKIP); -+ continue; -+ } -+ } -+ rc = apply_spec(ftsent); -+ if (rc == SKIP) -+ fts_set(fts_handle, ftsent, FTS_SKIP); -+ if (rc == ERR) -+ goto err; -+ if (!recurse_this_path) -+ break; -+ } while ((ftsent = fts_read(fts_handle)) != NULL); -+ -+ -+out: -+ if (r_opts->add_assoc) { -+ if (!r_opts->quiet) -+ filespec_eval(); -+ filespec_destroy(); -+ } -+ if (fts_handle) -+ fts_close(fts_handle); -+ return rc; -+ -+err: -+ rc = -1; -+ goto out; -+} -+ -+static int exclude(const char *file) -+{ -+ int i = 0; -+ for (i = 0; i < excludeCtr; i++) { -+ if (strncmp -+ (file, excludeArray[i].directory, -+ excludeArray[i].size) == 0) { -+ if (file[excludeArray[i].size] == 0 -+ || file[excludeArray[i].size] == '/') { -+ return 1; -+ } -+ } -+ } -+ return 0; -+} -+ -+int add_exclude(const char *directory) -+{ -+ size_t len = 0; -+ -+ if (directory == NULL || directory[0] != '/') { -+ fprintf(stderr, "Full path required for exclude: %s.\n", -+ directory); -+ return 1; -+ } -+ if (excludeCtr == MAX_EXCLUDES) { -+ fprintf(stderr, "Maximum excludes %d exceeded.\n", -+ MAX_EXCLUDES); -+ return 1; -+ } -+ -+ len = strlen(directory); -+ while (len > 1 && directory[len - 1] == '/') { -+ len--; -+ } -+ excludeArray[excludeCtr].directory = strndup(directory, len); -+ -+ if (excludeArray[excludeCtr].directory == NULL) { -+ fprintf(stderr, "Out of memory.\n"); -+ return 1; -+ } -+ excludeArray[excludeCtr++].size = len; -+ -+ return 0; -+} -+ -+/* Compare two contexts to see if their differences are "significant", -+ * or whether the only difference is in the user. */ -+static int only_changed_user(const char *a, const char *b) -+{ -+ char *rest_a, *rest_b; /* Rest of the context after the user */ -+ if (r_opts->force) -+ return 0; -+ if (!a || !b) -+ return 0; -+ rest_a = strchr(a, ':'); -+ rest_b = strchr(b, ':'); -+ if (!rest_a || !rest_b) -+ return 0; -+ return (strcmp(rest_a, rest_b) == 0); -+} -+ -+/* -+ * Evaluate the association hash table distribution. -+ */ -+static void filespec_eval(void) -+{ -+ file_spec_t *fl; -+ int h, used, nel, len, longest; -+ -+ if (!fl_head) -+ return; -+ -+ used = 0; -+ longest = 0; -+ nel = 0; -+ for (h = 0; h < HASH_BUCKETS; h++) { -+ len = 0; -+ for (fl = fl_head[h].next; fl; fl = fl->next) { -+ len++; -+ } -+ if (len) -+ used++; -+ if (len > longest) -+ longest = len; -+ nel += len; -+ } -+ -+ if (r_opts->verbose > 1) -+ printf -+ ("%s: hash table stats: %d elements, %d/%d buckets used, longest chain length %d\n", -+ __FUNCTION__, nel, used, HASH_BUCKETS, longest); -+} -+ -+/* -+ * Destroy the association hash table. -+ */ -+static void filespec_destroy(void) -+{ -+ file_spec_t *fl, *tmp; -+ int h; -+ -+ if (!fl_head) -+ return; -+ -+ for (h = 0; h < HASH_BUCKETS; h++) { -+ fl = fl_head[h].next; -+ while (fl) { -+ tmp = fl; -+ fl = fl->next; -+ freecon(tmp->con); -+ free(tmp->file); -+ free(tmp); -+ } -+ fl_head[h].next = NULL; -+ } -+ free(fl_head); -+ fl_head = NULL; -+} -+/* -+ * Try to add an association between an inode and a context. -+ * If there is a different context that matched the inode, -+ * then use the first context that matched. -+ */ -+static int filespec_add(ino_t ino, const security_context_t con, const char *file) -+{ -+ file_spec_t *prevfl, *fl; -+ int h, ret; -+ struct stat sb; -+ -+ if (!fl_head) { -+ fl_head = malloc(sizeof(file_spec_t) * HASH_BUCKETS); -+ if (!fl_head) -+ goto oom; -+ memset(fl_head, 0, sizeof(file_spec_t) * HASH_BUCKETS); -+ } -+ -+ h = (ino + (ino >> HASH_BITS)) & HASH_MASK; -+ for (prevfl = &fl_head[h], fl = fl_head[h].next; fl; -+ prevfl = fl, fl = fl->next) { -+ if (ino == fl->ino) { -+ ret = lstat(fl->file, &sb); -+ if (ret < 0 || sb.st_ino != ino) { -+ freecon(fl->con); -+ free(fl->file); -+ fl->file = strdup(file); -+ if (!fl->file) -+ goto oom; -+ fl->con = strdup(con); -+ if (!fl->con) -+ goto oom; -+ return 1; -+ } -+ -+ if (strcmp(fl->con, con) == 0) -+ return 1; -+ -+ fprintf(stderr, -+ "%s: conflicting specifications for %s and %s, using %s.\n", -+ __FUNCTION__, file, fl->file, fl->con); -+ free(fl->file); -+ fl->file = strdup(file); -+ if (!fl->file) -+ goto oom; -+ return 1; -+ } -+ -+ if (ino > fl->ino) -+ break; -+ } -+ -+ fl = malloc(sizeof(file_spec_t)); -+ if (!fl) -+ goto oom; -+ fl->ino = ino; -+ fl->con = strdup(con); -+ if (!fl->con) -+ goto oom_freefl; -+ fl->file = strdup(file); -+ if (!fl->file) -+ goto oom_freefl; -+ fl->next = prevfl->next; -+ prevfl->next = fl; -+ return 0; -+ oom_freefl: -+ free(fl); -+ oom: -+ fprintf(stderr, -+ "%s: insufficient memory for file label entry for %s\n", -+ __FUNCTION__, file); -+ return -1; -+} -+ -+ -+ -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.74/setfiles/restorecon.8 + fts_handle = fts_open((char **)namelist, r_opts->fts_flags, NULL); + if (fts_handle == NULL) { + fprintf(stderr, +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.75/setfiles/restorecon.8 --- nsapolicycoreutils/setfiles/restorecon.8 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.74/setfiles/restorecon.8 2009-10-22 08:41:15.000000000 -0400 ++++ policycoreutils-2.0.75/setfiles/restorecon.8 2009-11-03 09:44:56.000000000 -0500 @@ -4,10 +4,10 @@ .SH "SYNOPSIS" @@ -4085,62 +3557,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po .TP .B \-v show changes in file labels. -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.74/setfiles/restore.h ---- nsapolicycoreutils/setfiles/restore.h 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/setfiles/restore.h 2009-10-15 10:37:41.000000000 -0400 -@@ -0,0 +1,49 @@ -+#ifndef RESTORE_H -+#define RESTORE_H -+#ifndef _GNU_SOURCE -+#define _GNU_SOURCE -+#endif -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#define STAR_COUNT 1000 -+ -+/* Things that need to be init'd */ -+struct restore_opts { -+ int add_assoc; /* Track inode associations for conflict detection. */ -+ int progress; -+ unsigned long long count; -+ int debug; -+ int change; -+ int hard_links; -+ int verbose; -+ int logging; -+ char *rootpath; -+ int rootpathlen; -+ char *progname; -+ FILE *outfile; -+ int force; -+ struct selabel_handle *hnd; -+ int abort_on_error; /* Abort the file tree walk upon an error. */ -+ int quiet; -+ int fts_flags; /* Flags to fts, e.g. follow links, follow mounts */ -+ const char *selabel_opt_validate; -+ const char *selabel_opt_path; -+}; -+ -+void restore_init(struct restore_opts *opts); -+void restore_finish(); -+int add_exclude(const char *directory); -+void remove_exclude(const char *directory); -+int process_one(char *name, int recurse); -+ -+#endif -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.74/setfiles/setfiles.8 +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.75/setfiles/setfiles.8 --- nsapolicycoreutils/setfiles/setfiles.8 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.74/setfiles/setfiles.8 2009-10-22 08:37:16.000000000 -0400 ++++ policycoreutils-2.0.75/setfiles/setfiles.8 2009-11-03 09:44:56.000000000 -0500 @@ -31,6 +31,9 @@ .TP .B \-n @@ -4151,329 +3570,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po .TP .B \-q suppress non-error output. -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.74/setfiles/setfiles.c ---- nsapolicycoreutils/setfiles/setfiles.c 2009-09-17 08:59:43.000000000 -0400 -+++ policycoreutils-2.0.74/setfiles/setfiles.c 2009-10-22 08:42:29.000000000 -0400 -@@ -1,26 +1,12 @@ --#ifndef _GNU_SOURCE --#define _GNU_SOURCE --#endif -+#include "restore.h" - #include --#include - #include --#include - #include --#include --#include - #include - #include - #include - #include - #define __USE_XOPEN_EXTENDED 1 /* nftw */ --#define SKIP -2 --#define ERR -1 --#include --#include --#include --#include --#include --#include - #include - #ifdef USE_AUDIT - #include -@@ -32,40 +18,22 @@ - static int mass_relabel; - static int mass_relabel_errs; - --#define STAR_COUNT 1000 -- --static FILE *outfile = NULL; --static int force = 0; --#define STAT_BLOCK_SIZE 1 --static int progress = 0; --static unsigned long long count = 0; -- --#define MAX_EXCLUDES 1000 --static int excludeCtr = 0; --struct edir { -- char *directory; -- size_t size; --}; --static struct edir excludeArray[MAX_EXCLUDES]; - - /* - * Command-line options. - */ -+ - static char *policyfile = NULL; --static int debug = 0; --static int change = 1; --static int quiet = 0; --static int ignore_enoent; --static int verbose = 0; --static int logging = 0; - static int warn_no_match = 0; - static int null_terminated = 0; --static char *rootpath = NULL; --static int rootpathlen = 0; - static int recurse; /* Recursive descent. */ - static int errors; -+static int ignore_enoent; -+static struct restore_opts r_opts; -+ -+#define STAT_BLOCK_SIZE 1 -+ - --static char *progname; - - #define SETFILES "setfiles" - #define RESTORECON "restorecon" -@@ -73,257 +41,20 @@ - - /* Behavior flags determined based on setfiles vs. restorecon */ - static int expand_realpath; /* Expand paths via realpath. */ --static int abort_on_error; /* Abort the file tree walk upon an error. */ --static int add_assoc; /* Track inode associations for conflict detection. */ --static int fts_flags; /* Flags to fts, e.g. follow links, follow mounts */ - static int ctx_validate; /* Validate contexts */ - static const char *altpath; /* Alternate path to file_contexts */ - --/* Label interface handle */ --static struct selabel_handle *hnd; -- --/* -- * An association between an inode and a context. -- */ --typedef struct file_spec { -- ino_t ino; /* inode number */ -- char *con; /* matched context */ -- char *file; /* full pathname */ -- struct file_spec *next; /* next association in hash bucket chain */ --} file_spec_t; -- --/* -- * The hash table of associations, hashed by inode number. -- * Chaining is used for collisions, with elements ordered -- * by inode number in each bucket. Each hash bucket has a dummy -- * header. -- */ --#define HASH_BITS 16 --#define HASH_BUCKETS (1 << HASH_BITS) --#define HASH_MASK (HASH_BUCKETS-1) --static file_spec_t *fl_head; -- --/* -- * Try to add an association between an inode and a context. -- * If there is a different context that matched the inode, -- * then use the first context that matched. -- */ --int filespec_add(ino_t ino, const security_context_t con, const char *file) --{ -- file_spec_t *prevfl, *fl; -- int h, ret; -- struct stat sb; -- -- if (!fl_head) { -- fl_head = malloc(sizeof(file_spec_t) * HASH_BUCKETS); -- if (!fl_head) -- goto oom; -- memset(fl_head, 0, sizeof(file_spec_t) * HASH_BUCKETS); -- } -- -- h = (ino + (ino >> HASH_BITS)) & HASH_MASK; -- for (prevfl = &fl_head[h], fl = fl_head[h].next; fl; -- prevfl = fl, fl = fl->next) { -- if (ino == fl->ino) { -- ret = lstat(fl->file, &sb); -- if (ret < 0 || sb.st_ino != ino) { -- freecon(fl->con); -- free(fl->file); -- fl->file = strdup(file); -- if (!fl->file) -- goto oom; -- fl->con = strdup(con); -- if (!fl->con) -- goto oom; -- return 1; -- } -- -- if (strcmp(fl->con, con) == 0) -- return 1; -- -- fprintf(stderr, -- "%s: conflicting specifications for %s and %s, using %s.\n", -- __FUNCTION__, file, fl->file, fl->con); -- free(fl->file); -- fl->file = strdup(file); -- if (!fl->file) -- goto oom; -- return 1; -- } -- -- if (ino > fl->ino) -- break; -- } -- -- fl = malloc(sizeof(file_spec_t)); -- if (!fl) -- goto oom; -- fl->ino = ino; -- fl->con = strdup(con); -- if (!fl->con) -- goto oom_freefl; -- fl->file = strdup(file); -- if (!fl->file) -- goto oom_freefl; -- fl->next = prevfl->next; -- prevfl->next = fl; -- return 0; -- oom_freefl: -- free(fl); -- oom: -- fprintf(stderr, -- "%s: insufficient memory for file label entry for %s\n", -- __FUNCTION__, file); -- return -1; --} -- --/* -- * Evaluate the association hash table distribution. -- */ --void filespec_eval(void) --{ -- file_spec_t *fl; -- int h, used, nel, len, longest; -- -- if (!fl_head) -- return; -- -- used = 0; -- longest = 0; -- nel = 0; -- for (h = 0; h < HASH_BUCKETS; h++) { -- len = 0; -- for (fl = fl_head[h].next; fl; fl = fl->next) { -- len++; -- } -- if (len) -- used++; -- if (len > longest) -- longest = len; -- nel += len; -- } -- -- printf -- ("%s: hash table stats: %d elements, %d/%d buckets used, longest chain length %d\n", -- __FUNCTION__, nel, used, HASH_BUCKETS, longest); --} -- --/* -- * Destroy the association hash table. -- */ --void filespec_destroy(void) --{ -- file_spec_t *fl, *tmp; -- int h; -- -- if (!fl_head) -- return; -- -- for (h = 0; h < HASH_BUCKETS; h++) { -- fl = fl_head[h].next; -- while (fl) { -- tmp = fl; -- fl = fl->next; -- freecon(tmp->con); -- free(tmp->file); -- free(tmp); -- } -- fl_head[h].next = NULL; -- } -- free(fl_head); -- fl_head = NULL; --} -- --static int add_exclude(const char *directory) --{ -- size_t len = 0; -- -- if (directory == NULL || directory[0] != '/') { -- fprintf(stderr, "Full path required for exclude: %s.\n", -- directory); -- return 1; -- } -- if (excludeCtr == MAX_EXCLUDES) { -- fprintf(stderr, "Maximum excludes %d exceeded.\n", -- MAX_EXCLUDES); -- return 1; -- } -- -- len = strlen(directory); -- while (len > 1 && directory[len - 1] == '/') { -- len--; -- } -- excludeArray[excludeCtr].directory = strndup(directory, len); -- -- if (excludeArray[excludeCtr].directory == NULL) { -- fprintf(stderr, "Out of memory.\n"); -- return 1; -- } -- excludeArray[excludeCtr++].size = len; -- -- return 0; --} -- --static void remove_exclude(const char *directory) --{ -- int i = 0; -- for (i = 0; i < excludeCtr; i++) { -- if (strcmp(directory, excludeArray[i].directory) == 0) { -- free(excludeArray[i].directory); -- if (i != excludeCtr-1) -- excludeArray[i] = excludeArray[excludeCtr-1]; -- excludeCtr--; -- return; -- } -- } -- return; --} -- --static int exclude(const char *file) --{ -- int i = 0; -- for (i = 0; i < excludeCtr; i++) { -- if (strncmp -- (file, excludeArray[i].directory, -- excludeArray[i].size) == 0) { -- if (file[excludeArray[i].size] == 0 -- || file[excludeArray[i].size] == '/') { -- return 1; -- } -- } -- } -- return 0; --} -- --int match(const char *name, struct stat *sb, char **con) --{ -- if (NULL != rootpath) { -- if (0 != strncmp(rootpath, name, rootpathlen)) { -- fprintf(stderr, "%s: %s is not located in %s\n", -- progname, name, rootpath); -- return -1; -- } -- name += rootpathlen; -- } -- -- if (rootpath != NULL && name[0] == '\0') -- /* this is actually the root dir of the alt root */ -- return selabel_lookup_raw(hnd, con, "/", sb->st_mode); -- else -- return selabel_lookup_raw(hnd, con, name, sb->st_mode); --} -- - void usage(const char *const name) +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.75/setfiles/setfiles.c +--- nsapolicycoreutils/setfiles/setfiles.c 2009-11-03 09:21:40.000000000 -0500 ++++ policycoreutils-2.0.75/setfiles/setfiles.c 2009-11-03 09:48:38.000000000 -0500 +@@ -44,13 +44,13 @@ { if (iamrestorecon) { fprintf(stderr, @@ -4489,519 +3589,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po name); } exit(1); -@@ -334,194 +65,30 @@ - void inc_err() - { - nerr++; -- if (nerr > 9 && !debug) { -+ if (nerr > 9 && !r_opts.debug) { - fprintf(stderr, "Exiting after 10 errors.\n"); - exit(1); - } - } - --/* Compare two contexts to see if their differences are "significant", -- * or whether the only difference is in the user. */ --static int only_changed_user(const char *a, const char *b) --{ -- char *rest_a, *rest_b; /* Rest of the context after the user */ -- if (force) -- return 0; -- if (!a || !b) -- return 0; -- rest_a = strchr(a, ':'); -- rest_b = strchr(b, ':'); -- if (!rest_a || !rest_b) -- return 0; -- return (strcmp(rest_a, rest_b) == 0); --} -- --static int restore(FTSENT *ftsent) --{ -- char *my_file = strdupa(ftsent->fts_path); -- int ret; -- char *context, *newcon; -- int user_only_changed = 0; -- -- if (match(my_file, ftsent->fts_statp, &newcon) < 0) -- /* Check for no matching specification. */ -- return (errno == ENOENT) ? 0 : -1; -- -- if (progress) { -- count++; -- if (count % (80 * STAR_COUNT) == 0) { -- fprintf(stdout, "\n"); -- fflush(stdout); -- } -- if (count % STAR_COUNT == 0) { -- fprintf(stdout, "*"); -- fflush(stdout); -- } -- } -- -- /* -- * Try to add an association between this inode and -- * this specification. If there is already an association -- * for this inode and it conflicts with this specification, -- * then use the last matching specification. -- */ -- if (add_assoc) { -- ret = filespec_add(ftsent->fts_statp->st_ino, newcon, my_file); -- if (ret < 0) -- goto err; -- -- if (ret > 0) -- /* There was already an association and it took precedence. */ -- goto out; -- } -- -- if (debug) { -- printf("%s: %s matched by %s\n", progname, my_file, newcon); -- } -- -- /* Get the current context of the file. */ -- ret = lgetfilecon_raw(ftsent->fts_accpath, &context); -- if (ret < 0) { -- if (errno == ENODATA) { -- context = NULL; -- } else { -- fprintf(stderr, "%s get context on %s failed: '%s'\n", -- progname, my_file, strerror(errno)); -- goto err; -- } -- user_only_changed = 0; -- } else -- user_only_changed = only_changed_user(context, newcon); -- -- /* -- * Do not relabel the file if the matching specification is -- * <> or the file is already labeled according to the -- * specification. -- */ -- if ((strcmp(newcon, "<>") == 0) || -- (context && (strcmp(context, newcon) == 0))) { -- freecon(context); -- goto out; -- } -- -- if (!force && context && (is_context_customizable(context) > 0)) { -- if (verbose > 1) { -- fprintf(stderr, -- "%s: %s not reset customized by admin to %s\n", -- progname, my_file, context); -- } -- freecon(context); -- goto out; -- } -- -- if (verbose) { -- /* If we're just doing "-v", trim out any relabels where -- * the user has changed but the role and type are the -- * same. For "-vv", emit everything. */ -- if (verbose > 1 || !user_only_changed) { -- printf("%s reset %s context %s->%s\n", -- progname, my_file, context ?: "", newcon); -- } -- } -- -- if (logging && !user_only_changed) { -- if (context) -- syslog(LOG_INFO, "relabeling %s from %s to %s\n", -- my_file, context, newcon); -- else -- syslog(LOG_INFO, "labeling %s to %s\n", -- my_file, newcon); -- } -- -- if (outfile && !user_only_changed) -- fprintf(outfile, "%s\n", my_file); -- -- if (context) -- freecon(context); - -- /* -- * Do not relabel the file if -n was used. -- */ -- if (!change || user_only_changed) -- goto out; -- -- /* -- * Relabel the file to the specified context. -- */ -- ret = lsetfilecon(ftsent->fts_accpath, newcon); -- if (ret) { -- fprintf(stderr, "%s set context %s->%s failed:'%s'\n", -- progname, my_file, newcon, strerror(errno)); -- goto skip; -- } --out: -- freecon(newcon); -- return 0; --skip: -- freecon(newcon); -- return SKIP; --err: -- freecon(newcon); -- return ERR; --} -- --/* -- * Apply the last matching specification to a file. -- * This function is called by fts on each file during -- * the directory traversal. -- */ --static int apply_spec(FTSENT *ftsent) --{ -- if (ftsent->fts_info == FTS_DNR) { -- fprintf(stderr, "%s: unable to read directory %s\n", -- progname, ftsent->fts_path); -- return SKIP; -- } -- -- int rc = restore(ftsent); -- if (rc == ERR) { -- if (!abort_on_error) -- return SKIP; -- } -- return rc; --} - - void set_rootpath(const char *arg) - { - int len; - -- rootpath = strdup(arg); -- if (NULL == rootpath) { -- fprintf(stderr, "%s: insufficient memory for rootpath\n", -- progname); -+ r_opts.rootpath = strdup(arg); -+ if (NULL == r_opts.rootpath) { -+ fprintf(stderr, "%s: insufficient memory for r_opts.rootpath\n", -+ r_opts.progname); - exit(1); - } - - /* trim trailing /, if present */ -- len = strlen(rootpath); -- while (len && ('/' == rootpath[len - 1])) -- rootpath[--len] = 0; -- rootpathlen = len; -+ len = strlen(r_opts.rootpath); -+ while (len && ('/' == r_opts.rootpath[len - 1])) -+ r_opts.rootpath[--len] = 0; -+ r_opts.rootpathlen = len; - } - - int canoncon(char **contextp) -@@ -585,77 +152,6 @@ - return 0; - } - --static int process_one(char *name, int recurse_this_path) --{ -- int rc = 0; -- const char *namelist[2]; -- dev_t dev_num = 0; -- FTS *fts_handle; -- FTSENT *ftsent; -- -- if (!strcmp(name, "/")) -- mass_relabel = 1; -- -- namelist[0] = name; -- namelist[1] = NULL; -- fts_handle = fts_open((char **)namelist, fts_flags, NULL); -- if (fts_handle == NULL) { -- fprintf(stderr, -- "%s: error while labeling %s: %s\n", -- progname, namelist[0], strerror(errno)); -- goto err; -- } -- -- -- ftsent = fts_read(fts_handle); -- if (ftsent != NULL) { -- /* Keep the inode of the first one. */ -- dev_num = ftsent->fts_statp->st_dev; -- } -- -- do { -- /* Skip the post order nodes. */ -- if (ftsent->fts_info == FTS_DP) -- continue; -- /* If the XDEV flag is set and the device is different */ -- if (ftsent->fts_statp->st_dev != dev_num && -- FTS_XDEV == (fts_flags & FTS_XDEV)) -- continue; -- if (excludeCtr > 0) { -- if (exclude(ftsent->fts_path)) { -- fts_set(fts_handle, ftsent, FTS_SKIP); -- continue; -- } -- } -- int rc = apply_spec(ftsent); -- if (rc == SKIP) -- fts_set(fts_handle, ftsent, FTS_SKIP); -- if (rc == ERR) -- goto err; -- if (!recurse_this_path) -- break; -- } while ((ftsent = fts_read(fts_handle)) != NULL); -- -- if (!strcmp(name, "/")) -- mass_relabel_errs = 0; -- --out: -- if (add_assoc) { -- if (!quiet) -- filespec_eval(); -- filespec_destroy(); -- } -- if (fts_handle) -- fts_close(fts_handle); -- return rc; -- --err: -- if (!strcmp(name, "/")) -- mass_relabel_errs = 1; -- rc = -1; -- goto out; --} -- - static int process_one_realpath(char *name) - { - int rc = 0; -@@ -668,7 +164,7 @@ - rc = lstat(name, &sb); - if (rc < 0) { - fprintf(stderr, "%s: lstat(%s) failed: %s\n", -- progname, name, strerror(errno)); -+ r_opts.progname, name, strerror(errno)); - return -1; - } - -@@ -804,20 +300,30 @@ - char *buf = NULL; - size_t buf_len; - char *base; -- struct selinux_opt opts[] = { -- { SELABEL_OPT_VALIDATE, NULL }, -- { SELABEL_OPT_PATH, NULL } -- }; -+ -+ memset(&r_opts, 0, sizeof(r_opts)); -+ -+ /* Initialize variables */ -+ r_opts.progress = 0; -+ r_opts.count = 0; -+ r_opts.debug = 0; -+ r_opts.change = 1; -+ r_opts.verbose = 0; -+ r_opts.logging = 0; -+ r_opts.rootpath = NULL; -+ r_opts.rootpathlen = 0; -+ r_opts.outfile = NULL; -+ r_opts.force = 0; -+ r_opts.hard_links = 1; - -- memset(excludeArray, 0, sizeof(excludeArray)); - altpath = NULL; - -- progname = strdup(argv[0]); -- if (!progname) { -+ r_opts.progname = strdup(argv[0]); -+ if (!r_opts.progname) { - fprintf(stderr, "%s: Out of memory!\n", argv[0]); - exit(1); - } -- base = basename(progname); -+ base = basename(r_opts.progname); - - if (!strcmp(base, SETFILES)) { - /* -@@ -832,28 +338,28 @@ - iamrestorecon = 0; - recurse = 1; - expand_realpath = 0; -- abort_on_error = 1; -- add_assoc = 1; -- fts_flags = FTS_PHYSICAL | FTS_XDEV; -+ r_opts.abort_on_error = 1; -+ r_opts.add_assoc = 1; -+ r_opts.fts_flags = FTS_PHYSICAL | FTS_XDEV; - ctx_validate = 1; - } else { - /* - * restorecon: - * No recursive descent unless -r/-R, -- * Expands paths via realpath, - * Do not abort on errors during the file tree walk, -+ * Expands paths via realpath, - * Do not try to track inode associations for conflict detection, - * Follows mounts, - * Does lazy validation of contexts upon use. - */ -- if (strcmp(base, RESTORECON) && !quiet) -+ if (strcmp(base, RESTORECON) && !r_opts.quiet) - printf("Executed with an unrecognized name (%s), defaulting to %s behavior.\n", base, RESTORECON); - iamrestorecon = 1; - recurse = 0; - expand_realpath = 1; -- abort_on_error = 0; -- add_assoc = 0; -- fts_flags = FTS_PHYSICAL; -+ r_opts.abort_on_error = 0; -+ r_opts.add_assoc = 0; -+ r_opts.fts_flags = FTS_PHYSICAL; - ctx_validate = 0; - - /* restorecon only: silent exit if no SELinux. -@@ -915,37 +421,37 @@ - input_filename = optarg; - break; - case 'd': -- debug = 1; -+ r_opts.debug = 1; - break; - case 'i': - ignore_enoent = 1; - break; - case 'l': -- logging = 1; -+ r_opts.logging = 1; - break; - case 'F': -- force = 1; -+ r_opts.force = 1; - break; - case 'n': -- change = 0; -+ r_opts.change = 0; - break; - case 'o': - if (strcmp(optarg, "-") == 0) { -- outfile = stdout; -+ r_opts.outfile = stdout; +@@ -371,7 +371,7 @@ break; } - -- outfile = fopen(optarg, "w"); -- if (!outfile) { -+ r_opts.outfile = fopen(optarg, "w"); -+ if (!r_opts.outfile) { - fprintf(stderr, "Error opening %s: %s\n", - optarg, strerror(errno)); - - usage(argv[0]); - } -- __fsetlocking(outfile, FSETLOCKING_BYCALLER); -+ __fsetlocking(r_opts.outfile, FSETLOCKING_BYCALLER); - break; - case 'q': -- quiet = 1; -+ r_opts.quiet = 1; - break; - case 'R': - case 'r': -@@ -958,7 +464,7 @@ + if (optind + 1 >= argc) { +- fprintf(stderr, "usage: %s -r r_opts.rootpath\n", ++ fprintf(stderr, "usage: %s -r rootpath\n", argv[0]); exit(1); } -- if (NULL != rootpath) { -+ if (NULL != r_opts.rootpath) { - fprintf(stderr, - "%s: only one -r can be specified\n", - argv[0]); -@@ -969,23 +475,23 @@ - case 's': - use_input_file = 1; - input_filename = "-"; -- add_assoc = 0; -+ r_opts.add_assoc = 0; - break; - case 'v': -- if (progress) { -+ if (r_opts.progress) { - fprintf(stderr, - "Progress and Verbose mutually exclusive\n"); - exit(1); - } -- verbose++; -+ r_opts.verbose++; - break; - case 'p': -- if (verbose) { -+ if (r_opts.verbose) { - fprintf(stderr, - "Progress and Verbose mutually exclusive\n"); - usage(argv[0]); - } -- progress = 1; -+ r_opts.progress = 1; - break; - case 'W': - warn_no_match = 1; -@@ -1033,18 +539,13 @@ - } - - /* Load the file contexts configuration and check it. */ -- opts[0].value = (ctx_validate ? (char*)1 : NULL); -- opts[1].value = altpath; -- -- hnd = selabel_open(SELABEL_CTX_FILE, opts, 2); -- if (!hnd) { -- perror(altpath); -- exit(1); -- } -+ r_opts.selabel_opt_validate = (ctx_validate ? (char *)1 : NULL); -+ r_opts.selabel_opt_path = altpath; - - if (nerr) - exit(1); - -+ restore_init(&r_opts); - if (use_input_file) { - FILE *f = stdin; - ssize_t len; -@@ -1061,6 +562,9 @@ - delim = (null_terminated != 0) ? '\0' : '\n'; - while ((len = getdelim(&buf, &buf_len, delim, f)) > 0) { - buf[len - 1] = 0; -+ if (!strcmp(buf, "/")) -+ mass_relabel = 1; -+ - errors |= process_one_realpath(buf); - } - if (strcmp(input_filename, "-") != 0) -@@ -1070,22 +574,21 @@ - errors |= process_one_realpath(argv[i]); - } - } -- -+ -+ if (mass_relabel) -+ mass_relabel_errs = errors; - maybe_audit_mass_relabel(); - - if (warn_no_match) -- selabel_stats(hnd); -+ selabel_stats(r_opts.hnd); - -- selabel_close(hnd); -+ selabel_close(r_opts.hnd); -+ restore_finish(); - -- if (outfile) -- fclose(outfile); -- -- for (i = 0; i < excludeCtr; i++) { -- free(excludeArray[i].directory); -- } -+ if (r_opts.outfile) -+ fclose(r_opts.outfile); - -- if (progress && count >= STAR_COUNT) -+ if (r_opts.progress && r_opts.count >= STAR_COUNT) - printf("\n"); - exit(errors); - } diff --git a/policycoreutils.spec b/policycoreutils.spec index 7a7b169..90978d0 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -5,8 +5,8 @@ %define sepolgenver 1.0.17 Summary: SELinux policy core utilities Name: policycoreutils -Version: 2.0.74 -Release: 15%{?dist} +Version: 2.0.75 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -296,6 +296,10 @@ fi exit 0 %changelog +* Tue Nov 2 2009 Dan Walsh 2.0.75-1 +- Update to upstream + * Factor out restoring logic from setfiles.c into restore.c + * Fri Oct 30 2009 Dan Walsh 2.0.74-15 - Fix typo in seobject.py diff --git a/sources b/sources index 7600223..f09c2b4 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ 480cc64a050735fa1163a87dc89c4f49 sepolgen-1.0.17.tgz -60aa41df668a557892296ff02c7411aa policycoreutils-2.0.74.tgz -59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2 +3798f448cdc084e535507f0eee209fc7 policycoreutils-2.0.75.tgz