[libselinux] Add new function mode_to_security_class which takes mode instead of a string.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 25 20:28:03 UTC 2012
commit e1c914df474eca94474e7d0e856e04b4715f200b
Author: rhatdan <dwalsh at redhat.com>
Date: Thu Oct 25 16:27:52 2012 -0400
Add new function mode_to_security_class which takes mode instead of a string.
- Possibly will be used with coreutils.
libselinux-rhat.patch | 169 ++++++++++++++++++++++++++++++++++++++++++++++---
libselinux.spec | 25 +++++++-
2 files changed, 182 insertions(+), 12 deletions(-)
---
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index a146711..227ac07 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -1,8 +1,17 @@
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
-index 6b9089d..85b0cfc 100644
+index 6b9089d..aba6e33 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
-@@ -496,7 +496,9 @@ extern const char *selinux_policy_root(void);
+@@ -360,6 +360,8 @@ extern int selinux_set_mapping(struct security_class_mapping *map);
+
+ /* Common helpers */
+
++/* Convert between mode and security class values */
++extern security_class_t mode_to_security_class(mode_t mode);
+ /* Convert between security class values and string names */
+ extern security_class_t string_to_security_class(const char *name);
+ extern const char *security_class_to_string(security_class_t cls);
+@@ -496,7 +498,9 @@ extern const char *selinux_policy_root(void);
/* These functions return the paths to specific files under the
policy root directory. */
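Review bot: the new prototype at `++extern security_class_t mode_to_security_class(mode_t mode);` introduces a dependency on `mode_t`, and nothing in this hunk adds `<sys/types.h>` to selinux.h; confirm the header already includes it, otherwise any consumer that includes selinux.h without sys/types.h first will fail to compile. A public symbol added to the exported header should also get a matching entry in the exported-symbol list if libselinux maintains one; the patch does not show that.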
@@ -12,6 +21,45 @@ index 6b9089d..85b0cfc 100644
extern const char *selinux_failsafe_context_path(void);
extern const char *selinux_removable_context_path(void);
extern const char *selinux_default_context_path(void);
+diff --git a/libselinux/man/man3/security_class_to_string.3 b/libselinux/man/man3/security_class_to_string.3
+index 140737e..e82e1d8 100644
+--- a/libselinux/man/man3/security_class_to_string.3
++++ b/libselinux/man/man3/security_class_to_string.3
+@@ -3,7 +3,7 @@
+ .\" Author: Eamon Walsh (ewalsh at tycho.nsa.gov) 2007
+ .TH "security_class_to_string" "3" "30 Mar 2007" "" "SELinux API documentation"
+ .SH "NAME"
+-security_class_to_string, security_av_perm_to_string, string_to_security_class, string_to_av_perm, security_av_string \- convert
++security_class_to_string, security_av_perm_to_string, string_to_security_class, string_to_av_perm, security_av_string, mode_to_security_class \- convert
+ between SELinux class and permission values and string names.
+
+ print_access_vector \- display an access vector in human-readable form.
+@@ -21,6 +21,8 @@ print_access_vector \- display an access vector in human-readable form.
+ .sp
+ .BI "security_class_t string_to_security_class(const char *" name ");"
+ .sp
++.BI "security_class_t mode_to_security_class(mode_t " mode ");"
++.sp
+ .BI "access_vector_t string_to_av_perm(security_class_t " tclass ", const char *" name ");"
+ .sp
+ .BI "void print_access_vector(security_class_t " tclass ", access_vector_t " av ");"
+@@ -53,6 +55,11 @@ returns the class value corresponding to the string name
+ .IR name ,
+ or zero if no such class exists.
+
++.B mode_to_security_class
++returns the class value corresponding to the specified
++.IR mode ,
++or zero if no such class exists.
++
+ .B string_to_av_perm
+ returns the access vector bit corresponding to the string name
+ .I name
+@@ -88,3 +95,4 @@ Eamon Walsh <ewalsh at tycho.nsa.gov>
+ .BR selinux (8),
+ .BR getcon (3),
+ .BR getfilecon (3)
++.BR stat (3)
diff --git a/libselinux/man/man3/selinux_binary_policy_path.3 b/libselinux/man/man3/selinux_binary_policy_path.3
index 8ead1a4..c68ace5 100644
--- a/libselinux/man/man3/selinux_binary_policy_path.3
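Review bot: in the SEE ALSO hunk, `++.BR stat (3)` is appended after `+ .BR getfilecon (3)` without adding a trailing comma to the previous entry, so the rendered list reads `getfilecon(3) stat(3)`; the preceding line needs to be changed to `.BR getfilecon (3),` as well. On Linux the stat system call is documented in section 2, so `.BR stat (2)` is the usual cross-reference. The new description for mode_to_security_class promises only "zero if no such class exists", but the implementation in this same patch sets errno to EINVAL for an unrecognised mode, which belongs in the man page text.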
@@ -36,11 +84,64 @@ index 8ead1a4..c68ace5 100644
.sp
selinux_default_type_path - context file mapping roles to default types.
.sp
+diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
+index 9f16f77..4835f2f 100644
+--- a/libselinux/man/man8/selinux.8
++++ b/libselinux/man/man8/selinux.8
+@@ -69,14 +69,27 @@ Many domains that are protected by SELinux also include SELinux man pages explai
+ All files, directories, devices ... have a security context/label associated with them. These context are stored in the extended attributes of the file system.
+ Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non SELinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling.
+
+-The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-securitylevel, also has this capability. The restorcon/fixfiles commands are also available for relabeling files.
++The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-selinux, also has this capability. The restorcon/fixfiles commands are also available for relabeling files.
+
+ .SH AUTHOR
+ This manual page was written by Dan Walsh <dwalsh at redhat.com>.
+
+ .SH "SEE ALSO"
+-booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restorecon(8), setfiles(8), ftpd_selinux(8), named_selinux(8), rsync_selinux(8), httpd_selinux(8), nfs_selinux(8), samba_selinux(8), kerberos_selinux(8), nis_selinux(8), ypbind_selinux(8)
++booleans(8), setsebool(8), selinuxenabled(8), restorecon(8), setfiles(8), semanage(8), sepolicy(8)
++.br
+
++Every confined service on the system has a man page in the following format:
++.br
++
++.B <servicename>_selinux(8)
++
++For example, httpd has the
++.B httpd_selinux(8)
++man page.
++
++.B man -k selinux
++
++Will list all SELinux man pages.
+
+ .SH FILES
+ /etc/selinux/config
diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
-index 02483a3..89953d7 100644
+index 02483a3..c804e84 100644
--- a/libselinux/src/audit2why.c
+++ b/libselinux/src/audit2why.c
-@@ -206,27 +206,12 @@ static int __policy_init(const char *init_path)
+@@ -164,6 +164,9 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args)
+
+ if (PyArg_ParseTuple(args,(char *)":finish")) {
+ int i = 0;
++ if (! avc)
++ Py_RETURN_NONE;
++
+ for (i = 0; i < boolcnt; i++) {
+ free(boollist[i]->name);
+ free(boollist[i]);
+@@ -177,7 +180,7 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args)
+ avc = NULL;
+ boollist = NULL;
+ boolcnt = 0;
+-
++
+ /* Boilerplate to return "None" */
+ Py_RETURN_NONE;
+ }
+@@ -206,27 +209,12 @@ static int __policy_init(const char *init_path)
return 1;
}
} else {
@@ -72,6 +173,17 @@ index 02483a3..89953d7 100644
PyErr_SetString( PyExc_ValueError, errormsg);
return 1;
}
+@@ -295,6 +283,10 @@ static int __policy_init(const char *init_path)
+ static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) {
+ int result;
+ char *init_path=NULL;
++ if (avc) {
++ PyErr_SetString( PyExc_RuntimeError, "init called multiple times");
++ return NULL;
++ }
+ if (!PyArg_ParseTuple(args,(char *)"|s:policy_init",&init_path))
+ return NULL;
+ result = __policy_init(init_path);
diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index 802a07f..6ff83a7 100644
--- a/libselinux/src/avc.c
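Review bot: the rewritten selinux.8 line `++The best way to relabel the file system ... The restorcon/fixfiles commands ...` still carries the "restorcon" typo from the line it replaces; since the line is being touched anyway, spell it restorecon. In audit2why.c, `init()` now raises RuntimeError when called a second time where it previously re-ran `__policy_init`; that is a visible behaviour change for Python callers and should be mentioned in the changelog alongside the finish() fix.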
@@ -625,6 +737,38 @@ index cfea186..8b1eba6 100644
char **r_seuser, char **r_level) {
int ret = -1;
int len = 0;
+diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c
+index 176ac34..082778e 100644
+--- a/libselinux/src/stringrep.c
++++ b/libselinux/src/stringrep.c
+@@ -436,6 +436,27 @@ security_class_t string_to_security_class(const char *s)
+ return map_class(node->value);
+ }
+
++security_class_t mode_to_security_class(mode_t m) {
++
++ if (S_ISREG(m))
++ return string_to_security_class("file");
++ if (S_ISDIR(m))
++ return string_to_security_class("dir");
++ if (S_ISCHR(m))
++ return string_to_security_class("chr_file");
++ if (S_ISBLK(m))
++ return string_to_security_class("blk_file");
++ if (S_ISFIFO(m))
++ return string_to_security_class("fifo_file");
++ if (S_ISLNK(m))
++ return string_to_security_class("lnk_file");
++ if (S_ISSOCK(m))
++ return string_to_security_class("sock_file");
++
++ errno=EINVAL;
++ return 0;
++}
++
+ access_vector_t string_to_av_perm(security_class_t tclass, const char *s)
+ {
+ struct discover_class_node *node;
diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
index 8b9294d..060eaab 100644
--- a/libselinux/utils/.gitignore
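Review bot: `S_ISREG` and the other S_IS* macros need `<sys/stat.h>` and `mode_t` needs `<sys/types.h>`, but the hunk adds no include to stringrep.c and the visible context shows none; verify the file compiles without relying on a transitive include. Style-wise, `security_class_t mode_to_security_class(mode_t m) {` puts the brace on the signature line and is followed by a blank line, while the neighbouring `string_to_av_perm` puts its brace on a separate line, and `errno=EINVAL` should be spaced like the rest of the file. Note also that `string_to_security_class` already returns 0 (with its own errno) when the loaded policy lacks a class, so a caller can only tell "unknown mode" from "class not in policy" by checking for EINVAL.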
@@ -651,10 +795,10 @@ index 5f3e047..f469924 100644
UNUSED_TARGETS+=compute_av compute_create compute_member compute_relabel
diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c
new file mode 100644
-index 0000000..f8a5fea
+index 0000000..15cc836
--- /dev/null
+++ b/libselinux/utils/sefcontext_compile.c
-@@ -0,0 +1,345 @@
+@@ -0,0 +1,350 @@
+#include <ctype.h>
+#include <errno.h>
+#include <pcre.h>
@@ -676,8 +820,10 @@ index 0000000..f8a5fea
+ FILE *context_file;
+
+ context_file = fopen(filename, "r");
-+ if (!context_file)
++ if (!context_file) {
++ fprintf(stderr, "Error opening %s: %s\n", filename, strerror(errno));
+ return -1;
++ }
+
+ line_num = 0;
+ while ((len = getline(&line_buf, &line_len, context_file)) != -1) {
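Review bot: the new `fprintf(stderr, "Error opening %s: %s\n", filename, strerror(errno));` requires `<string.h>` for strerror; the includes visible at the top of the file are ctype.h, errno.h and pcre.h, so check that string.h is among the elided ones. The function still returns -1 to its caller, so if the caller prints its own diagnostic the user now sees the failure reported twice.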
@@ -715,8 +861,10 @@ index 0000000..f8a5fea
+ }
+
+ rc = grow_specs(data);
-+ if (rc)
++ if (rc) {
++ fprintf(stderr, "grow_specs failed: %s\n", strerror(errno));
+ return rc;
++ }
+
+ spec = &data->spec_arr[data->nspec];
+
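Review bot: `grow_specs failed: %s` prints `strerror(errno)`, which is only meaningful if every failure path inside grow_specs sets errno (a realloc failure does, an internal limit or overflow check may not); otherwise the message shows a stale errno from an earlier call. Either have grow_specs guarantee errno on all error returns or print the return code instead.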
@@ -738,9 +886,10 @@ index 0000000..f8a5fea
+
+ regex_len = strlen(regex);
+ cp = anchored_regex = malloc(regex_len + 3);
-+ if (!cp)
++ if (!cp) {
++ fprintf(stderr, "Malloc Failed: %s\n", strerror(errno));
+ return -1;
-+
++ }
+ *cp++ = '^';
+ memcpy(cp, regex, regex_len);
+ cp += regex_len;
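Review bot: `Malloc Failed: %s` is capitalised differently from the other two diagnostics added in this patch (`Error opening`, `grow_specs failed`); pick one style. The hunk also moves the blank line so the block closes with `++ }`, which is fine, but the same open-brace/fprintf/return pattern now appears three times in this file and would read better as a small error-reporting helper.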
diff --git a/libselinux.spec b/libselinux.spec
index 270fb7e..9ece3f0 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -4,16 +4,18 @@
%define ruby_inc %(pkg-config --cflags ruby-1.9)
%define ruby_sitearch %(ruby -rrbconfig -e "puts RbConfig::CONFIG['vendorarchdir']")
-%define libsepolver 2.1.8-1
+%define libsepolver 2.1.7-4
%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
Summary: SELinux library and simple utilities
Name: libselinux
Version: 2.1.12
-Release: 1%{?dist}
+Release: 6%{?dist}
License: Public Domain
Group: System Environment/Libraries
Source: %{name}-%{version}.tgz
+Source1: selinuxconlist.8
+Source2: selinuxdefcon.8
Url: http://oss.tresys.com/git/selinux.git
Patch1: libselinux-rhat.patch
BuildRequires: pkgconfig python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel
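Review bot: `-%define libsepolver 2.1.8-1` / `+%define libsepolver 2.1.7-4` lowers the libsepol-static build requirement, yet no changelog entry explains the downgrade (the 2.1.12-2 entry only says "Rebuild with fixed libsepol"); if 2.1.7-4 is the fixed build, say so, otherwise this reads as an accidental revert. The new `Source1`/`Source2` man pages also have to be listed in %files; that section is not in this diff, so confirm it covers %{_mandir}/man8/ or the build will stop on unpackaged files.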
@@ -174,6 +176,9 @@ rm -f %{buildroot}%{_sbindir}/getseuser
rm -f %{buildroot}%{_sbindir}/selinux_check_securetty_context
mv %{buildroot}%{_sbindir}/getdefaultcon %{buildroot}%{_sbindir}/selinuxdefcon
mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist
+install -d %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE1} %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/
%clean
rm -rf %{buildroot}
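Review bot: the three `install` lines place selinuxconlist.8 and selinuxdefcon.8 into %{_mandir}/man8/, and the brp scripts will compress them during the build, so the %files entry must match the compressed name (a `%{_mandir}/man8/selinuxconlist.8*` pattern or a directory glob). `install -d` is harmless but redundant if `make install` already creates that directory.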
@@ -236,6 +241,22 @@ rm -rf %{buildroot}
%{ruby_sitearch}/selinux.so
%changelog
+* Fri Oct 19 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-6
+- Add new function mode_to_security_class which takes mode instead of a string.
+- Possibly will be used with coreutils.
+
+* Mon Oct 15 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-5
+- Add back selinuxconlist and selinuxdefcon man pages
+
+* Mon Oct 15 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-4
+- Fix segfault from calling audit2why.finish() multiple times
+
+* Fri Oct 12 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-3
+- Fix up selinux man page to reference service man pages
+
+* Wed Sep 19 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-2
+- Rebuild with fixed libsepol
+
* Thu Sep 13 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-1
- Update to upstream
* Add support for lxc_contexts_path
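Review bot: the 2.1.12-6 entry is dated Fri Oct 19 2012 while the commit itself is dated Oct 25 2012; not a build problem, but the %changelog should reflect when the release was made. The entry also omits the libsepolver change to 2.1.7-4 made in the same spec edit, which anyone reading the package history will want recorded.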