[libselinux/f16] Avoid unnecessary shell invocation in %post.
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Sep 12 20:33:44 UTC 2011
commit 85306700027d14b9347deacdd14f112e2ccbcda5
Author: Dan Walsh <dwalsh at redhat.com>
Date: Mon Sep 12 16:33:28 2011 -0400
Avoid unnecessary shell invocation in %post.
libselinux-rhat.patch | 633 ++++++++++++++----------------------------------
libselinux.spec | 27 ++-
sources | 2 +-
3 files changed, 208 insertions(+), 454 deletions(-)
---
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index e103180..60675f0 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -1,235 +1,48 @@
-diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
-index f110dcf..d29b0c1 100644
---- a/libselinux/include/selinux/selinux.h
-+++ b/libselinux/include/selinux/selinux.h
-@@ -566,7 +566,7 @@ extern int selinux_file_context_cmp(const security_context_t a,
+diff --git a/libselinux/man/man3/matchpathcon.3 b/libselinux/man/man3/matchpathcon.3
+index cdbb252..0cc2268 100644
+--- a/libselinux/man/man3/matchpathcon.3
++++ b/libselinux/man/man3/matchpathcon.3
+@@ -8,7 +8,7 @@ matchpathcon, matchpathcon_index \- get the default SELinux security context for
- /*
- * Verify the context of the file 'path' against policy.
-- * Return 0 if correct.
-+ * Return 1 if match, 0 if not and -1 on error.
- */
- extern int selinux_file_context_verify(const char *path, mode_t mode);
+ .BI "int matchpathcon_init(const char *" path ");"
-diff --git a/libselinux/man/man3/selinux_file_context_cmp.3 b/libselinux/man/man3/selinux_file_context_cmp.3
-index 51e8c20..cd67188 100644
---- a/libselinux/man/man3/selinux_file_context_cmp.3
-+++ b/libselinux/man/man3/selinux_file_context_cmp.3
-@@ -1,25 +1,75 @@
--.TH "selinux_file_context_cmp" "3" "21 November 2009" "sds at tycho.nsa.gov" "SELinux API documentation"
-+.TH "selinux_file_context_cmp" "3" "08 March 2011" "SELinux API documentation"
-+
- .SH "NAME"
--selinux_file_context_cmp, selinux_file_context_verify \- comparison of two file contexts.
-+selinux_file_context_cmp \- Compare two SELinux security contexts excluding the 'user' component.
+-.BI "int matchpathcon_init_prefix(const char *" path ", const char *" subset ");"
++.BI "int matchpathcon_init_prefix(const char *" path ", const char *" prefix ");"
- .SH "SYNOPSIS"
- .B #include <selinux/selinux.h>
+ .BI "int matchpathcon_fini(void);"
.sp
+@@ -48,7 +48,7 @@ is the same as
+ but only loads entries with regular expressions that have stems prefixed
+ by
+ .I prefix.
-
--.BI "int selinux_file_context_cmp(const security_context_t " a ", const security_context_t " b ");"
--
--.BI "int selinux_file_context_verify(const char *" path ", mode_t " mode ");"
-+.BI "int selinux_file_context_cmp(const security_context_t " a ", "
-+.RS
-+.BI "const security_context_t " b ");"
-+.RE
-
- .SH "DESCRIPTION"
- .B selinux_file_context_cmp
--compares two file contexts to see if their differences are "significant", the function runs the strcmp function ignoring the user componant of the file context.
--.sp
--.B selinux_file_context_verify
--compares the file context on disk to the system default.
-+compares two context strings excluding the user component with
-+.B strcmp(3)
-+as shown in the
-+.B EXAMPLE
-+section.
++prefix can have multiple paths separated by ";", for example "/dev;/var/run;/tmp"
.sp
-+This is useful as for most object contexts, the user component is not relevant.
-
- .SH "RETURN VALUE"
--Returns zero on success or \-1 otherwise.
-+The return values follow the
-+.B strcmp(3)
-+function, where:
-+.RS
-+0 if they are equal.
-+.RE
-+.RS
-+1 if
-+.I a
-+is greater than
-+.I b
-+.RE
-+.RS
-+\-1 if
-+.I a
-+is less than
-+.I b
-+.RE
-+
-+.SH "ERRORS"
-+None.
-+
-+.SH "NOTES"
-+The contexts being compared do not specifically need to be file contexts.
-+
-+.SH "EXAMPLE"
-+If context
-+.I a
-+is:
-+.RS
-+user_u:user_r:user_t:s0
-+.RE
-+.sp
-+and context
-+.I b
-+is:
-+.RS
-+root:user_r:user_t:s0
-+.RE
-+.sp
-+then the actual strings compared are:
-+.RS
-+:user_r:user_t:s0 and :user_r:user_t:s0
-+.RE
-+.sp
-+Therefore they will match and
-+.B selinux_file_context_cmp
-+will return zero.
-
- .SH "SEE ALSO"
--.BR selinux "(8), " selinux_lsetfilecon "(3), " matchpathcon "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
-+.BR selinux "(8)"
-diff --git a/libselinux/man/man3/selinux_file_context_verify.3 b/libselinux/man/man3/selinux_file_context_verify.3
-index d777547..e22be70 100644
---- a/libselinux/man/man3/selinux_file_context_verify.3
-+++ b/libselinux/man/man3/selinux_file_context_verify.3
-@@ -1 +1,98 @@
--.so man3/selinux_file_context_cmp.3
-+.TH "selinux_file_context_verify" "3" "08 March 2011" "SELinux API documentation"
-+
-+.SH "NAME"
-+selinux_file_context_verify \- Compare the SELinux security context on disk to the default security context required by the policy file contexts file.
-+
-+.SH "SYNOPSIS"
-+.B #include <selinux/selinux.h>
-+.sp
-+.BI "int selinux_file_context_verify(const char *" path ", mode_t " mode ");"
-+
-+.SH "DESCRIPTION"
-+.B selinux_file_context_verify
-+compares the context of the specified
-+.I path
-+that is held on disk (in the extended attribute), to the system default entry held in the file contexts series of files.
-+.sp
-+The
-+.I mode
-+may be zero.
-+.sp
-+Note that the two contexts are compared for "significant" differences (i.e. the user component of the contexts are ignored) as shown in the
-+.B EXAMPLE
-+section.
-+
-+.SH "RETURN VALUE"
-+If the contexts significantly match, 1 (one) is returned.
-+.sp
-+If the contexts do not match 0 (zero) is returned and
-+.I errno
-+is set to either
-+.B ENOENT
-+or
-+.B EINVAL
-+for the reasons listed in the
-+.B ERRORS
-+section, or if
-+.I errno
-+= 0 then the contexts did not match.
-+.sp
-+On failure \-1 is returned and
-+.I errno
-+set appropriately.
-+
-+.SH "ERRORS"
-+.TP
-+.B ENOTSUP
-+if extended attributes are not supported by the file system.
-+.TP
-+.B ENOENT
-+if there is no entry in the file contexts series of files or
-+.I path
-+does not exist.
+ .B matchpathcon_fini
+ frees the memory allocated by a prior call to
+diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
+index 8674e37..23df23b 100644
+--- a/libselinux/man/man3/selabel_open.3
++++ b/libselinux/man/man3/selabel_open.3
+@@ -66,6 +66,13 @@ A non-null value for this option enables context validation. By default,
+ is used; a custom validation function can be provided via
+ .BR selinux_set_callback (3).
+ Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation.
+.TP
-+.B EINVAL
-+if the entry in the file contexts series of files or
-+.I path
-+are invalid, or the returned context fails validation.
++.B SELABEL_OPT_SUBSET
++A ";" separates string of path prefixes that tell the system to only loads entries with regular expressions that could match this strings. For example "/dev;/var/run;/tmp". This option can cause the system to use less memory and work faster, but you should only use paths that begin with a prefix.
+.TP
-+.B ENOMEM
-+if attempt to allocate memory failed.
-+
-+.SH "FILES"
-+The following configuration files (the file contexts series of files) supporting the active policy will be used (should they exist) to determine the
-+.I path
-+default context:
-+.sp
-+.RS
-+contexts/files/file_contexts - This file must exist.
-+.sp
-+contexts/files/file_contexts.local - If exists has local customizations.
-+.sp
-+contexts/files/file_contexts.homedirs - If exists has users home directory customizations.
-+.sp
-+contexts/files/file_contexts.subs - If exists has substitutions that are then applied to the 'in memory' version of the file contexts files.
-+.RE
-+
-+.SH "EXAMPLE"
-+If the files context is:
-+.RS
-+unconfined_u:object_r:admin_home_t:s0
-+.RE
-+.sp
-+and the default context defined in the file contexts file is:
-+.RS
-+system_u:object_r:admin_home_t:s0
-+.RE
-+.sp
-+then the actual strings compared are:
-+.RS
-+:object_r:admin_home_t:s0 and :object_r:admin_home_t:s0
-+.RE
++.B SELABEL_OPT_PATH
++A string representing an alternate path the the regular expressions.
+.sp
-+Therefore they will match and
-+.B selinux_file_context_verify
-+will return 1.
-+
-+.SH "SEE ALSO"
-+.BR selinux "(8)"
-diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
-index 15f7c1a..7680008 100644
---- a/libselinux/src/Makefile
-+++ b/libselinux/src/Makefile
-@@ -10,7 +10,8 @@ LIBDIR ?= $(PREFIX)/lib
- SHLIBDIR ?= $(PREFIX)/lib
- INCLUDEDIR ?= $(PREFIX)/include
- PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % sys.version_info[0:2])')
--PYINC ?= $(shell pkg-config --cflags `basename $(PYTHON)`)
-+PYINC ?= $(shell pkg-config --cflags $(PYPREFIX))
-+PYTHONLIBDIR ?= $(shell pkg-config --libs $(PYPREFIX))
- PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
- RUBYLIBVER ?= $(shell ruby -e 'print RUBY_VERSION.split(".")[0..1].join(".")')
- RUBYPLATFORM ?= $(shell ruby -e 'print RUBY_PLATFORM')
-@@ -78,7 +79,7 @@ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
- $(CC) $(filter-out -Werror, $(CFLAGS)) -I$(RUBYINC) -fPIC -DSHARED -c -o $@ $<
- $(SWIGSO): $(SWIGLOBJ)
-- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@
-+ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) $(PYTHONLIBDIR) -Wl,-soname,$@,-z,defs
+ .SH "BACKENDS"
- $(SWIGRUBYSO): $(SWIGRUBYLOBJ)
- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@
+@@ -99,4 +106,3 @@ Eamon Walsh <ewalsh at tycho.nsa.gov>
+ .BR selabel_stats (3),
+ .BR selinux_set_callback (3),
+ .BR selinux (8)
+-
diff --git a/libselinux/src/callbacks.c b/libselinux/src/callbacks.c
index b245364..7c47222 100644
--- a/libselinux/src/callbacks.c
@@ -242,11 +55,120 @@ index b245364..7c47222 100644
va_start(ap, fmt);
rc = vfprintf(stderr, fmt, ap);
va_end(ap);
+diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
+index 3b8346d..ead3b0b 100644
+--- a/libselinux/src/label_file.c
++++ b/libselinux/src/label_file.c
+@@ -27,6 +27,7 @@
+ * Internals, mostly moved over from matchpathcon.c
+ */
+
++#define MAX_PREFIX 100
+ /* A file security context specification. */
+ typedef struct spec {
+ struct selabel_lookup_rec lr; /* holds contexts for lookup result */
+@@ -279,7 +280,7 @@ static int compile_regex(struct saved_data *data, spec_t *spec, char **errbuf)
+
+
+ static int process_line(struct selabel_handle *rec,
+- const char *path, const char *prefix,
++ const char *path, const char **prefix_array,
+ char *line_buf, int pass, unsigned lineno)
+ {
+ int items, len;
+@@ -313,12 +314,24 @@ static int process_line(struct selabel_handle *rec,
+ }
+
+ len = get_stem_from_spec(regex);
+- if (len && prefix && strncmp(prefix, regex, len)) {
+- /* Stem of regex does not match requested prefix, discard. */
+- free(regex);
+- free(type);
+- free(context);
+- return 0;
++ if (len && prefix_array[0]) {
++ int i = 0;
++ int found = 0;
++ while (i < MAX_PREFIX && prefix_array[i]) {
++ if (strncmp(prefix_array[i], regex, len) == 0) {
++ found = 1;
++ break;
++ }
++ i++;
++ }
++
++ if (! found) {
++ /* Stem of regex does not match requested prefix, discard. */
++ free(regex);
++ free(type);
++ free(context);
++ return 0;
++ }
+ }
+
+ if (pass == 1) {
+@@ -400,7 +413,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+ {
+ struct saved_data *data = (struct saved_data *)rec->data;
+ const char *path = NULL;
+- const char *prefix = NULL;
++ const char *prefix_array[MAX_PREFIX] = {NULL,};
+ FILE *fp;
+ FILE *localfp = NULL;
+ FILE *homedirfp = NULL;
+@@ -421,8 +434,19 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+ path = opts[n].value;
+ break;
+ case SELABEL_OPT_SUBSET:
+- prefix = opts[n].value;
++ {
++ char *ptr;
++ i = 0;
++ if (opts[n].value) {
++ prefix_array[i] = strtok_r((char *)opts[n].value, ";", &ptr);
++ while ((prefix_array[i] != NULL) && i < MAX_PREFIX - 1) {
++ i++;
++ prefix_array[i] = strtok_r(NULL, ";", &ptr);
++ }
++ }
++
+ break;
++ }
+ case SELABEL_OPT_BASEONLY:
+ baseonly = !!opts[n].value;
+ break;
+@@ -481,7 +505,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+ data->ncomp = 0;
+ while (getline(&line_buf, &line_len, fp) > 0
+ && data->nspec < maxnspec) {
+- if (process_line(rec, path, prefix, line_buf,
++ if (process_line(rec, path, prefix_array, line_buf,
+ pass, ++lineno) != 0)
+ goto finish;
+ }
+@@ -495,7 +519,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+ while (getline(&line_buf, &line_len, homedirfp) > 0
+ && data->nspec < maxnspec) {
+ if (process_line
+- (rec, homedir_path, prefix,
++ (rec, homedir_path, prefix_array,
+ line_buf, pass, ++lineno) != 0)
+ goto finish;
+ }
+@@ -505,7 +529,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+ while (getline(&line_buf, &line_len, localfp) > 0
+ && data->nspec < maxnspec) {
+ if (process_line
+- (rec, local_path, prefix, line_buf,
++ (rec, local_path, prefix_array, line_buf,
+ pass, ++lineno) != 0)
+ goto finish;
+ }
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
-index 5fd8fe4..410dd9d 100644
+index 9717b14..df83b30 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
-@@ -2,9 +2,11 @@
+@@ -2,6 +2,7 @@
#include <string.h>
#include <errno.h>
#include <stdio.h>
@@ -254,11 +176,7 @@ index 5fd8fe4..410dd9d 100644
#include "selinux_internal.h"
#include "label_internal.h"
#include "callbacks.h"
-+#include <limits.h>
-
- static __thread struct selabel_handle *hnd;
-
-@@ -61,7 +63,7 @@ static void
+@@ -62,7 +63,7 @@ static void
{
va_list ap;
va_start(ap, fmt);
@@ -267,234 +185,53 @@ index 5fd8fe4..410dd9d 100644
va_end(ap);
}
-@@ -337,14 +339,82 @@ void matchpathcon_fini(void)
- }
- }
+@@ -353,7 +354,7 @@ static int symlink_realpath(const char *name, char *resolved_path)
--int matchpathcon(const char *name, mode_t mode, security_context_t * con)
-+/*
-+ * We do not want to resolve a symlink to a real path if it is the final
-+ * component of the name. Thus we split the pathname on the last "/" and
-+ * determine a real path component of the first portion. We then have to
-+ * copy the last part back on to get the final real path. Wheww.
-+ */
-+static int symlink_realpath(const char *name, char *resolved_path)
-+{
-+ char *last_component;
-+ char *tmp_path, *p;
-+ size_t len = 0;
-+ int rc = 0;
-+
-+ tmp_path = strdup(name);
-+ if (!tmp_path) {
-+ fprintf(stderr, "symlink_realpath(%s) strdup() failed: %s\n",
-+ name, strerror(errno));
-+ rc = -1;
-+ goto out;
-+ }
-+
-+ last_component = strrchr(tmp_path, '/');
-+
-+ if (last_component == tmp_path) {
-+ last_component++;
-+ p = strcpy(resolved_path, "/");
-+ } else if (last_component) {
-+ *last_component = '\0';
-+ last_component++;
-+ p = realpath(tmp_path, resolved_path);
-+ } else {
-+ last_component = tmp_path;
-+ p = realpath("./", resolved_path);
-+ }
-+
-+ if (!p) {
-+ fprintf(stderr, "symlink_realpath(%s) realpath() failed: %s\n",
-+ name, strerror(errno));
-+ rc = -1;
-+ goto out;
-+ }
-+
-+ len = strlen(p);
-+ if (len + strlen(last_component) + 1 > PATH_MAX) {
-+ fprintf(stderr, "symlink_realpath(%s) failed: Filename too long \n",
-+ name);
-+ rc = -1;
-+ goto out;
-+ }
-+
-+ resolved_path += len;
-+ strcpy(resolved_path, last_component);
-+out:
-+ free(tmp_path);
-+ return rc;
-+}
-+
-+int matchpathcon(const char *path, mode_t mode, security_context_t * con)
- {
-+ char stackpath[PATH_MAX + 1];
-+ char *p = NULL;
- if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0))
- return -1;
-
-+ if (S_ISLNK(mode)) {
-+ if (!symlink_realpath(path, stackpath))
-+ path = stackpath;
-+ } else {
-+ p = realpath(path, stackpath);
-+ if (p)
-+ path = p;
-+ }
-+
- return notrans ?
-- selabel_lookup_raw(hnd, con, name, mode) :
-- selabel_lookup(hnd, con, name, mode);
-+ selabel_lookup_raw(hnd, con, path, mode) :
-+ selabel_lookup(hnd, con, path, mode);
- }
+ tmp_path = strdup(name);
+ if (!tmp_path) {
+- fprintf(stderr, "symlink_realpath(%s) strdup() failed: %s\n",
++ myprintf("symlink_realpath(%s) strdup() failed: %s\n",
+ name, strerror(errno));
+ rc = -1;
+ goto out;
+@@ -374,21 +375,24 @@ static int symlink_realpath(const char *name, char *resolved_path)
+ }
- int matchpathcon_index(const char *name, mode_t mode, security_context_t * con)
-@@ -394,7 +464,7 @@ int selinux_file_context_verify(const char *path, mode_t mode)
- rc = lgetfilecon_raw(path, &con);
- if (rc == -1) {
- if (errno != ENOTSUP)
-- return 1;
-+ return -1;
- else
- return 0;
+ if (!p) {
+- fprintf(stderr, "symlink_realpath(%s) realpath() failed: %s\n",
++ myprintf("symlink_realpath(%s) realpath() failed: %s\n",
+ name, strerror(errno));
+ rc = -1;
+ goto out;
}
-@@ -404,11 +474,18 @@ int selinux_file_context_verify(const char *path, mode_t mode)
- if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) {
- if (errno != ENOENT)
-- rc = 1;
-+ rc = -1;
- else
- rc = 0;
-- } else
-+ } else {
-+ /*
-+ * Need to set errno to 0 as it can be set to ENOENT if the
-+ * file_contexts.subs file does not exist (see selabel_open in
-+ * label.c), thus causing confusion if errno is checked on return.
-+ */
-+ errno = 0;
- rc = (selinux_file_context_cmp(fcontext, con) == 0);
-+ }
+ len = strlen(p);
+- if (len + strlen(last_component) + 1 > PATH_MAX) {
+- fprintf(stderr, "symlink_realpath(%s) failed: Filename too long \n",
++ if (len + strlen(last_component) + 2 > PATH_MAX) {
++ myprintf("symlink_realpath(%s) failed: Filename too long \n",
+ name);
++ errno=ENAMETOOLONG;
+ rc = -1;
+ goto out;
+ }
- freecon(con);
- freecon(fcontext);
+ resolved_path += len;
++ strcpy(resolved_path, "/");
++ resolved_path += 1;
+ strcpy(resolved_path, last_component);
+ out:
+ free(tmp_path);
diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
-index 3ecd52f..5f0a4c2 100644
+index 2fa21bc..5f0a4c2 100644
--- a/libselinux/utils/matchpathcon.c
+++ b/libselinux/utils/matchpathcon.c
-@@ -43,63 +43,6 @@ int printmatchpathcon(char *path, int header, int mode)
- return 0;
- }
+@@ -45,7 +45,7 @@ int printmatchpathcon(char *path, int header, int mode)
--/*
-- * We do not want to resolve a symlink to a real path if it is the final
-- * component of the name. Thus we split the pathname on the last "/" and
-- * determine a real path component of the first portion. We then have to
-- * copy the last part back on to get the final real path. Wheww.
-- */
--static int symlink_realpath(char *name, char *resolved_path)
--{
-- char *last_component;
-- char *tmp_path, *p;
-- size_t len = 0;
-- int rc = 0;
--
-- tmp_path = strdup(name);
-- if (!tmp_path) {
-- fprintf(stderr, "symlink_realpath(%s) strdup() failed: %s\n",
-- name, strerror(errno));
-- rc = -1;
-- goto out;
-- }
--
-- last_component = strrchr(tmp_path, '/');
--
-- if (last_component == tmp_path) {
-- last_component++;
-- p = strcpy(resolved_path, "/");
-- } else if (last_component) {
-- *last_component = '\0';
-- last_component++;
-- p = realpath(tmp_path, resolved_path);
-- } else {
-- last_component = tmp_path;
-- p = realpath("./", resolved_path);
-- }
--
-- if (!p) {
-- fprintf(stderr, "symlink_realpath(%s) realpath() failed: %s\n",
-- name, strerror(errno));
-- rc = -1;
-- goto out;
-- }
--
-- len = strlen(p);
-- if (len + strlen(last_component) + 1 > PATH_MAX) {
-- fprintf(stderr, "symlink_realpath(%s) failed: Filename too long \n",
-- name);
-- rc = -1;
-- goto out;
-- }
--
-- resolved_path += len;
-- strcpy(resolved_path, last_component);
--out:
-- free(tmp_path);
-- return rc;
--}
--
int main(int argc, char **argv)
{
- int i, init = 0;
-@@ -166,8 +109,7 @@ int main(int argc, char **argv)
- for (i = optind; i < argc; i++) {
- int rc, mode = 0;
- struct stat buf;
-- char *p, *path = argv[i];
-- char stackpath[PATH_MAX + 1];
-+ char *path = argv[i];
- int len = strlen(path);
- if (len > 1 && path[len - 1 ] == '/')
- path[len - 1 ] = '\0';
-@@ -175,31 +117,23 @@ int main(int argc, char **argv)
- if (lstat(path, &buf) == 0)
- mode = buf.st_mode;
-
-- if (S_ISLNK(mode)) {
-- rc = symlink_realpath(path, stackpath);
-- if (!rc)
-- path = stackpath;
-- } else {
-- p = realpath(path, stackpath);
-- if (p)
-- path = p;
-- }
--
- if (verify) {
- rc = selinux_file_context_verify(path, mode);
-
- if (quiet) {
-- if (rc)
-+ if (rc == 1)
- continue;
- else
- exit(1);
- }
-
-- if (rc) {
-+ if (rc == -1) {
-+ printf("%s error: %s\n", path, strerror(errno));
-+ exit(1);
-+ } else if (rc == 1) {
- printf("%s verified.\n", path);
- } else {
- security_context_t con;
-- int rc;
- error = 1;
- if (notrans)
- rc = lgetfilecon_raw(path, &con);
+- int i, init = 0, rc = 0;
++ int i, init = 0;
+ int header = 1, opt;
+ int verify = 0;
+ int notrans = 0;
diff --git a/libselinux.spec b/libselinux.spec
index 958a277..6d3048b 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -6,8 +6,8 @@
Summary: SELinux library and simple utilities
Name: libselinux
-Version: 2.1.4
-Release: 2%{?dist}
+Version: 2.1.5
+Release: 4%{?dist}
License: Public Domain
Group: System Environment/Libraries
Source: %{name}-%{version}.tgz
@@ -173,9 +173,7 @@ mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist
%clean
rm -rf %{buildroot}
-%post
-/sbin/ldconfig
-exit 0
+%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
@@ -233,6 +231,25 @@ exit 0
%{ruby_sitearch}/selinux.so
%changelog
+* Thu Sep 8 2011 Ville Skyttä <ville.skytta at iki.fi> - 2.1.5-4
+- Avoid unnecessary shell invocation in %%post.
+
+* Tue Sep 6 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.5-3
+- Fix handling of subset labeling that is causing segfault in restorecon
+
+* Fri Sep 2 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.5-2
+- Change matchpathcon_init_prefix and selabel_open to allow multiple initial
+prefixes. Now you can specify a ";" separated list of prefixes and the
+labeling system will only load regular expressions that match these prefixes.
+
+* Tue Aug 30 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.5-1
+- Change matchpatcon to use proper myprintf
+- Fix symlink_realpath to always include "/"
+- Update to upstream
+ * selinux_file_context_verify function returns wrong value.
+ * move realpath helper to matchpathcon library
+ * python wrapper makefile changes
+
* Mon Aug 22 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.4-2
- Move to new Makefile that can build with or without PYTHON being set
diff --git a/sources b/sources
index 1197224..e2bc444 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-d908f2816d00111c222ccd081e7de80d libselinux-2.1.4.tgz
+e0da22061511b669c324bb2c96d2c668 libselinux-2.1.5.tgz
More information about the scm-commits
mailing list