* Fri Mar 17 2006 Dan Walsh <dwalsh@redhat.com> 1.30-3
- Fixes for restorecond attack via symlinks - Fixes for fixfiles
This commit is contained in:
parent
2fc100201a
commit
b0a7b268a9
@ -77,8 +77,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/restorecond.
|
||||
+.BR restorecon (8),
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-1.30/restorecond/restorecond.c
|
||||
--- nsapolicycoreutils/restorecond/restorecond.c 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-1.30/restorecond/restorecond.c 2006-03-17 23:56:29.000000000 -0500
|
||||
@@ -0,0 +1,469 @@
|
||||
+++ policycoreutils-1.30/restorecond/restorecond.c 2006-03-20 15:57:28.000000000 -0500
|
||||
@@ -0,0 +1,436 @@
|
||||
+/*
|
||||
+ * restorecond
|
||||
+ *
|
||||
@ -240,44 +240,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/restorecond.
|
||||
+
|
||||
+ if (lstat(filename, &st)!=0) return;
|
||||
+
|
||||
+ if (S_ISLNK(st.st_mode)) {
|
||||
+ char *p = NULL, *file_sep;
|
||||
+ char *tmp_path = strdupa(filename);
|
||||
+ size_t len=0;
|
||||
+ if (!tmp_path) {
|
||||
+ exitApp("Out of Memory");
|
||||
+ }
|
||||
+ file_sep = strrchr(tmp_path, '/');
|
||||
+ if(file_sep)
|
||||
+ {
|
||||
+ *file_sep = 0;
|
||||
+ file_sep++;
|
||||
+ p = realpath(tmp_path, path);
|
||||
+ }
|
||||
+ else {
|
||||
+ file_sep = tmp_path;
|
||||
+ p = realpath("./", path);
|
||||
+ }
|
||||
+ if(p)
|
||||
+ len = strlen(p);
|
||||
+ if (!p || len + strlen(file_sep) + 2 > PATH_MAX) {
|
||||
+ syslog(LOG_ERR,"realpath(%s) failed %s\n", filename, strerror(errno));
|
||||
+ return;
|
||||
+ }
|
||||
+ p += len;
|
||||
+ *p = '/';
|
||||
+ p++;
|
||||
+ strcpy(p, file_sep);
|
||||
+ filename = path;
|
||||
+ } else {
|
||||
+ char *p;
|
||||
+ p = realpath(filename, path);
|
||||
+ if (!p) {
|
||||
+ syslog(LOG_ERR,"realpath(%s) failed %s\n", filename, strerror(errno));
|
||||
+ return;
|
||||
+ }
|
||||
+ filename = p;
|
||||
+ if (st.st_nlink > 1) {
|
||||
+ syslog(LOG_ERR,"Will not restore a file with more than one hard link (%s) %s\n", filename,strerror(errno));
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ if (matchpathcon(filename, st.st_mode, &scontext) < 0) {
|
||||
+ if (errno == ENOENT)
|
||||
+ return;
|
||||
@ -958,7 +925,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/utmpwatcher.
|
||||
+#endif
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.30/scripts/fixfiles
|
||||
--- nsapolicycoreutils/scripts/fixfiles 2006-01-04 13:07:46.000000000 -0500
|
||||
+++ policycoreutils-1.30/scripts/fixfiles 2006-03-17 23:29:02.000000000 -0500
|
||||
+++ policycoreutils-1.30/scripts/fixfiles 2006-03-20 15:50:23.000000000 -0500
|
||||
@@ -124,7 +124,15 @@
|
||||
exit $?
|
||||
fi
|
||||
@ -966,7 +933,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policyc
|
||||
- ${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $1 -v $DIRS 2>&1 >> $LOGFILE
|
||||
+ if [ -x /usr/bin/find ]; then
|
||||
+ for d in ${DIRS} ; do find $d \
|
||||
+ ! \( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) -prune -o -print; \
|
||||
+ ! \( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) -prune -o -print | \
|
||||
+ ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $1 -v -f - 2>&1 >> $LOGFILE
|
||||
+ done
|
||||
+ else
|
||||
@ -979,20 +946,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policyc
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.30/semanage/seobject.py
|
||||
--- nsapolicycoreutils/semanage/seobject.py 2006-03-10 09:48:05.000000000 -0500
|
||||
+++ policycoreutils-1.30/semanage/seobject.py 2006-03-17 23:29:02.000000000 -0500
|
||||
@@ -229,10 +229,9 @@
|
||||
if rc < 0:
|
||||
raise ValueError("Could not set name for %s" % name)
|
||||
|
||||
- if serange != "":
|
||||
- rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
|
||||
- if rc < 0:
|
||||
- raise ValueError("Could not set MLS range for %s" % name)
|
||||
+ rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
|
||||
+ if rc < 0:
|
||||
+ raise ValueError("Could not set MLS range for %s" % name)
|
||||
|
||||
rc = semanage_seuser_set_sename(self.sh, u, sename)
|
||||
if rc < 0:
|
||||
@@ -549,7 +548,7 @@
|
||||
raise ValueError("Could not list roles for user %s" % name)
|
||||
|
||||
|
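Review bot: The new hard-link guard in the restorecond.c hunk (@ -240,44 +240,11) logs `strerror(errno)` although no call has failed at that point, so the message carries whatever stale errno the preceding successful lstat() left behind; drop it: `syslog(LOG_ERR,"Will not restore a file with more than one hard link (%s)\n", filename);`. The guard is also only as strong as the window between this lstat() and whatever relabels the file later (outside the hunk) — a second link can be created in between — so if the restore can be done on an open descriptor (open with O_NOFOLLOW, fstat, fsetfilecon) that would close the race; I cannot see that code from here. Directories report st_nlink >= 2 on most filesystems, so if this path is ever reached for a directory the guard will silently refuse it; restricting it to `if (S_ISREG(st.st_mode) && st.st_nlink > 1) {` keeps the protection where it matters, since only regular files can be hard-linked. The enclosing function starts before and ends after this hunk.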
@ -5,7 +5,7 @@
|
||||
Summary: SELinux policy core utilities.
|
||||
Name: policycoreutils
|
||||
Version: 1.30
|
||||
Release: 2
|
||||
Release: 3
|
||||
License: GPL
|
||||
Group: System Environment/Base
|
||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||
|