[libsemanage] Add support for ignoredirs param in /etc/selinux/semanage.conf

Daniel J Walsh dwalsh at fedoraproject.org
Thu Dec 15 15:32:48 UTC 2011


commit 32db1066268adb37bbbe1d03f79b623a05f82a9d
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Dec 15 10:32:47 2011 -0500

    Add support for ignoredirs param in /etc/selinux/semanage.conf

 libsemanage-rhat.patch |  228 ++++++++++++++++++++++++++++++++++++++++++++++-
 libsemanage.spec       |    5 +-
 semanage.conf          |    1 +
 3 files changed, 228 insertions(+), 6 deletions(-)
---
diff --git a/libsemanage-rhat.patch b/libsemanage-rhat.patch
index 9af62d8..a6a6be1 100644
--- a/libsemanage-rhat.patch
+++ b/libsemanage-rhat.patch
@@ -1,22 +1,240 @@
+diff --git a/libsemanage/man/man5/semanage.conf.5 b/libsemanage/man/man5/semanage.conf.5
+index c60bdc6..6a8b4e8 100644
+--- a/libsemanage/man/man5/semanage.conf.5
++++ b/libsemanage/man/man5/semanage.conf.5
+@@ -56,6 +56,11 @@ It controls whether the previously linked module is saved (with name "base.linke
+ It can be set to either "true" or "false" and by default it is set to "false" (the previous module is deleted).
+ 
+ .TP
++.B ignoredirs
++List, separated by ";",  of directories to ignore when setting up users homedirs. 
++Some distributions use this to stop labeling /root as a homedir. 
++
++.TP
+ .B usepasswd 
+ Whether or not to enable the use getpwent() to obtain a list of home directories to label. It can be set to either "true" or "false".
+ By default it is set to "true".
+diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y
+index 77c00b2..bbdac1d 100644
+--- a/libsemanage/src/conf-parse.y
++++ b/libsemanage/src/conf-parse.y
+@@ -58,7 +58,7 @@ static int parse_errors;
+ }
+ 
+ %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED
+-%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD
++%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
+ %token BZIP_BLOCKSIZE BZIP_SMALL
+ %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
+ %token PROG_PATH PROG_ARGS
+@@ -84,6 +84,7 @@ single_opt:     module_store
+         |       save_linked
+         |       disable_genhomedircon
+         |       usepasswd
++        |       ignoredirs
+         |       handle_unknown
+ 	|	bzip_blocksize
+ 	|	bzip_small
+@@ -166,6 +167,10 @@ usepasswd: USEPASSWD '=' ARG {
+ 	free($3);
+  }
+ 
++ignoredirs: IGNOREDIRS '=' ARG {
++	current_conf->ignoredirs = strdup($3);
++ }
++
+ handle_unknown: HANDLE_UNKNOWN '=' ARG {
+ 	if (strcasecmp($3, "deny") == 0) {
+ 		current_conf->handle_unknown = SEPOL_DENY_UNKNOWN;
+@@ -262,6 +267,7 @@ static int semanage_conf_init(semanage_conf_t * conf)
+ {
+ 	conf->store_type = SEMANAGE_CON_DIRECT;
+ 	conf->store_path = strdup(basename(semanage_policy_root()));
++	conf->ignoredirs = NULL;
+ 	conf->policyvers = sepol_policy_kern_vers_max();
+ 	conf->expand_check = 1;
+ 	conf->handle_unknown = -1;
+@@ -354,6 +360,7 @@ void semanage_conf_destroy(semanage_conf_t * conf)
+ {
+ 	if (conf != NULL) {
+ 		free(conf->store_path);
++		free(conf->ignoredirs);
+ 		semanage_conf_external_prog_destroy(conf->load_policy);
+ 		semanage_conf_external_prog_destroy(conf->setfiles);
+ 		semanage_conf_external_prog_destroy(conf->mod_prog);
+diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l
+index e57119d..7ef4154 100644
+--- a/libsemanage/src/conf-scan.l
++++ b/libsemanage/src/conf-scan.l
+@@ -47,6 +47,7 @@ save-previous     return SAVE_PREVIOUS;
+ save-linked       return SAVE_LINKED;
+ disable-genhomedircon return DISABLE_GENHOMEDIRCON;
+ usepasswd return USEPASSWD;
++ignoredirs        return IGNOREDIRS;
+ handle-unknown    return HANDLE_UNKNOWN;
+ bzip-blocksize	return BZIP_BLOCKSIZE;
+ bzip-small	return BZIP_SMALL;
+diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
+index 8fcfb88..4f919a6 100644
+--- a/libsemanage/src/direct_api.c
++++ b/libsemanage/src/direct_api.c
+@@ -992,7 +992,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ 	 * which requires the out policydb */
+ 	if (!sh->conf->disable_genhomedircon) {
+ 		if (out && (retval =
+-		     semanage_genhomedircon(sh, out, sh->conf->usepasswd)) != 0) {
++			semanage_genhomedircon(sh, out, sh->conf->usepasswd, sh->conf->ignoredirs)) != 0) {
+ 			ERR(sh, "semanage_genhomedircon returned error code %d.",
+ 			    retval);
+ 			goto cleanup;
 diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
-index 847d87e..2870fa8 100644
+index 847d87e..d2646ae 100644
 --- a/libsemanage/src/genhomedircon.c
 +++ b/libsemanage/src/genhomedircon.c
-@@ -314,6 +314,8 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s)
+@@ -113,6 +113,61 @@ typedef struct {
+ 	int matched;
+ } fc_match_handle_t;
+ 
++typedef struct IgnoreDir {
++	struct IgnoreDir *next;
++	char *dir;
++} ignoredir_t;
++
++ignoredir_t *ignore_head = NULL;
++
++static void ignore_free(void) {
++	ignoredir_t *next;
++
++	while (ignore_head) {
++		next = ignore_head->next;
++		free(ignore_head->dir);
++		free(ignore_head);
++		ignore_head = next;
++	}
++}
++
++static int ignore_setup(char *ignoredirs) {
++	char *tok;
++	ignoredir_t *ptr = NULL; 
++
++	tok = strtok(ignoredirs, ";");
++	while(tok) {
++		ptr = calloc(sizeof(ignoredir_t),1);
++		if (!ptr)
++			goto err;
++		ptr->dir = strdup(tok);
++		if (!ptr->dir)
++			goto err;
++
++		ptr->next = ignore_head;
++		ignore_head = ptr;
++
++		tok = strtok(NULL, ";");
++	}
++
++	return 0;
++err:
++	free(ptr);
++	ignore_free();
++	return -1;
++}
++
++static int ignore(const char *homedir) {
++	ignoredir_t *ptr = ignore_head;
++	while (ptr) {
++		if (strcmp(ptr->dir, homedir) == 0) {
++			return 1;
++		}
++		ptr = ptr->next;
++	}
++	return 0;
++}
++
+ static semanage_list_t *default_shell_list(void)
+ {
+ 	semanage_list_t *list = NULL;
+@@ -314,6 +369,8 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s)
  		}
  		if (strcmp(pwbuf->pw_dir, "/") == 0)
  			continue;
-+		if (strcmp(pwbuf->pw_dir, "/root") == 0)
++		if (ignore(pwbuf->pw_dir))
 +			continue;
  		if (semanage_str_count(pwbuf->pw_dir, '/') <= 1)
  			continue;
  		if (!(path = strdup(pwbuf->pw_dir))) {
-@@ -829,6 +831,8 @@ static genhomedircon_user_entry_t *get_users(genhomedircon_settings_t * s,
+@@ -660,9 +717,12 @@ static int set_fallback_user(genhomedircon_settings_t *s, const char *user,
+ {
+ 	char *fallback_user = strdup(user);
+ 	char *fallback_user_prefix = strdup(prefix);
+-	char *fallback_user_level = strdup(level);
++	char *fallback_user_level = NULL;
++	if (level) 
++		fallback_user_level = strdup(level);
+ 
+-	if (fallback_user == NULL || fallback_user_prefix == NULL || fallback_user_level == NULL) {
++	if (fallback_user == NULL || fallback_user_prefix == NULL ||
++	    (fallback_user_level == NULL && level != NULL)) {
+ 		free(fallback_user);
+ 		free(fallback_user_prefix);
+ 		free(fallback_user_level);
+@@ -829,6 +889,8 @@ static genhomedircon_user_entry_t *get_users(genhomedircon_settings_t * s,
  			 * /root */
  			continue;
  		}
-+		if (strcmp(pwent->pw_dir, "/root") == 0)
++		if (ignore(pwent->pw_dir))
 +			continue;
  		if (push_user_entry(&head, name, seuname,
  				    prefix, pwent->pw_dir, level) != STATUS_SUCCESS) {
  			*errors = STATUS_ERR;
+@@ -980,7 +1042,8 @@ done:
+ 
+ int semanage_genhomedircon(semanage_handle_t * sh,
+ 			   sepol_policydb_t * policydb,
+-			   int usepasswd)
++			   int usepasswd, 
++			   char *ignoredirs)
+ {
+ 	genhomedircon_settings_t s;
+ 	FILE *out = NULL;
+@@ -998,6 +1061,8 @@ int semanage_genhomedircon(semanage_handle_t * sh,
+ 	if (s.fallback_user == NULL || s.fallback_user_prefix == NULL || s.fallback_user_level == NULL)
+ 		return STATUS_ERR;
+ 
++	if (ignoredirs) ignore_setup(ignoredirs);
++
+ 	s.usepasswd = usepasswd;
+ 	s.h_semanage = sh;
+ 	s.policydb = policydb;
+@@ -1014,6 +1079,7 @@ int semanage_genhomedircon(semanage_handle_t * sh,
+ 
+ 	free(s.fallback_user);
+ 	free(s.fallback_user_prefix);
++	ignore_free();
+ 
+ 	return retval;
+ }
+diff --git a/libsemanage/src/genhomedircon.h b/libsemanage/src/genhomedircon.h
+index 443e345..3f9ef8f 100644
+--- a/libsemanage/src/genhomedircon.h
++++ b/libsemanage/src/genhomedircon.h
+@@ -23,6 +23,7 @@
+ #include "utilities.h"
+ 
+ int semanage_genhomedircon(semanage_handle_t * sh,
+-			   sepol_policydb_t * policydb, int usepasswd);
++			   sepol_policydb_t * policydb, int usepasswd,
++			   char *ignoredirs);
+ 
+ #endif
+diff --git a/libsemanage/src/semanage_conf.h b/libsemanage/src/semanage_conf.h
+index f58d9ac..95f8ec3 100644
+--- a/libsemanage/src/semanage_conf.h
++++ b/libsemanage/src/semanage_conf.h
+@@ -43,6 +43,7 @@ typedef struct semanage_conf {
+ 	mode_t file_mode;
+ 	int bzip_blocksize;
+ 	int bzip_small;
++	char *ignoredirs;	/* ";" separated of list for genhomedircon to ignore */
+ 	struct external_prog *load_policy;
+ 	struct external_prog *setfiles;
+ 	struct external_prog *mod_prog, *linked_prog, *kernel_prog;
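Review bot: `ignore_setup()` tokenises its argument in place with `strtok()`, and `semanage_genhomedircon()` is handed `sh->conf->ignoredirs` straight from direct_api.c, so the first commit overwrites every `;` in the handle's configuration string with NUL and any later commit on the same handle only ignores the first listed directory; the function should tokenise a private `strdup()` copy (with `strtok_r`, which also removes the static-state dependence) and free it afterwards, as in the fence below. The call site `if (ignoredirs) ignore_setup(ignoredirs);` discards the -1 returned on allocation failure, so an out-of-memory condition silently proceeds to label the directories the administrator asked to skip; `if (ignoredirs && ignore_setup(ignoredirs) != 0) return STATUS_ERR;` matches the error handling of the preceding fallback_user check (which likewise returns without freeing). `ignoredir_t *ignore_head = NULL;` lacks `static`, so the list head becomes an exported symbol of the shared library; it should be `static ignoredir_t *ignore_head = NULL;`, and being process-global state it is presumably unsafe for concurrent calls into semanage_genhomedircon. The relaxed check in `set_fallback_user()` now accepts a NULL `level`, yet the context line in the later hunk still treats `s.fallback_user_level == NULL` as an error, so the two changes appear inconsistent unless that caller is reached by another path. semanage_genhomedircon's body continues outside the hunk between the setup and the final `ignore_free()`, so whether every return path releases the list cannot be confirmed here.
```c
static int ignore_setup(const char *ignoredirs) {
	char *copy, *tok, *saveptr = NULL;
	ignoredir_t *ptr = NULL;

	/* Tokenise a private copy: strtok() would overwrite the ';'
	 * separators in the caller's conf string. */
	copy = strdup(ignoredirs);
	if (!copy)
		return -1;

	tok = strtok_r(copy, ";", &saveptr);
	while (tok) {
		ptr = calloc(1, sizeof *ptr);
		if (!ptr)
			goto err;
		ptr->dir = strdup(tok);
		if (!ptr->dir)
			goto err;

		ptr->next = ignore_head;
		ignore_head = ptr;

		tok = strtok_r(NULL, ";", &saveptr);
	}

	free(copy);
	return 0;
err:
	free(copy);
	free(ptr);
	ignore_free();
	return -1;
}
```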
diff --git a/libsemanage.spec b/libsemanage.spec
index c6d7f74..a9b5202 100644
--- a/libsemanage.spec
+++ b/libsemanage.spec
@@ -10,7 +10,7 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsemanage
 Version: 2.1.5
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 Source: libsemanage-%{version}.tgz
@@ -180,6 +180,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif # if with_python3
 
 %changelog
+* Thu Dec 15 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.5-2
+- Add support for ignoredirs param in /etc/selinux/semanage.conf
+
 * Fri Nov 4 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.5-1
 - Upgrade to upstream
 	* regenerate .pc on VERSION change
diff --git a/semanage.conf b/semanage.conf
index 882b8f0..bc9d4ac 100644
--- a/semanage.conf
+++ b/semanage.conf
@@ -48,3 +48,4 @@ expand-check=0
 usepasswd=False
 bzip-small=true
 bzip-blocksize=5
+ignoredirs=/root

