[libselinux] Add patch from Richard Haines When selabel_lookup found an invalid context with validation enabled,

Daniel J Walsh dwalsh at fedoraproject.org
Mon Dec 19 19:48:35 UTC 2011 

commit 0c717c5b8ce3d5542cffcb25d7a50515ff78daf6
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Mon Dec 19 14:48:33 2011 -0500

    Add patch from Richard Haines
    When selabel_lookup found an invalid context with validation enabled, it
    always stated it was 'file_contexts' whether media, x, db or file.
    The fix is to store the spec file name in the selabel_lookup_rec on
    selabel_open and use this as output for logs. Also a minor fix if key is
    NULL to stop seg faults.
    Fix setenforce manage page.

 libselinux-rhat.patch |  156 ++++++++++++++++++++++++++++++++++++++++++++++--
 libselinux.spec       |   11 +++-
 2 files changed, 159 insertions(+), 8 deletions(-)
---
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index 40ddfb7..5e11a60 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -96,21 +96,32 @@ index 8674e37..89bb4d3 100644
  .BR selinux (8)
 -
 diff --git a/libselinux/man/man8/setenforce.8 b/libselinux/man/man8/setenforce.8
-index 8a010d6..9a779db 100644
+index 8a010d6..639883e 100644
 --- a/libselinux/man/man8/setenforce.8
 +++ b/libselinux/man/man8/setenforce.8
-@@ -7,11 +7,6 @@ setenforce \- modify the mode SELinux is running in.
+@@ -6,18 +6,14 @@ setenforce \- modify the mode SELinux is running in.
+ 
  .SH "DESCRIPTION"
  Use Enforcing or 1 to put SELinux in enforcing mode.
++.br
  Use Permissive or 0 to put SELinux in permissive mode.
 -You need to modify 
 -.I /etc/grub.conf
 -or
 -.I /etc/selinux/config
 -to disable SELinux.
++
++If SELinux is disabled and you want to enable it, or SELinux is enabled and you want to disable it, please see 
++.B selinux(8).
  
  .SH AUTHOR	
  Dan Walsh, <dwalsh at redhat.com>
+ 
+ .SH "SEE ALSO"
+ selinux(8), getenforce(8), selinuxenabled(8)
+-
+-.SH FILES
+-/etc/grub.conf, /etc/selinux/config
 diff --git a/libselinux/src/callbacks.c b/libselinux/src/callbacks.c
 index b245364..7c47222 100644
 --- a/libselinux/src/callbacks.c
@@ -123,8 +134,72 @@ index b245364..7c47222 100644
  	va_start(ap, fmt);
  	rc = vfprintf(stderr, fmt, ap);
  	va_end(ap);
+diff --git a/libselinux/src/label.c b/libselinux/src/label.c
+index f1c9a25..a9e0853 100644
+--- a/libselinux/src/label.c
++++ b/libselinux/src/label.c
+@@ -184,6 +184,12 @@ selabel_lookup_common(struct selabel_handle *rec, int translating,
+ 		      const char *key, int type)
+ {
+ 	struct selabel_lookup_rec *lr;
++
++	if (key == NULL) {
++		errno = EINVAL;
++		return NULL;
++	}
++
+ 	char *ptr = selabel_sub(rec->subs, key);
+ 	if (ptr) {
+ 		lr = rec->func_lookup(rec, ptr, type); 
+@@ -194,7 +200,7 @@ selabel_lookup_common(struct selabel_handle *rec, int translating,
+ 	if (!lr)
+ 		return NULL;
+ 
+-	if (compat_validate(rec, lr, "file_contexts", 0))
++	if (compat_validate(rec, lr, rec->spec_file, 0))
+ 		return NULL;
+ 
+ 	if (translating && !lr->ctx_trans &&
+@@ -234,6 +240,7 @@ void selabel_close(struct selabel_handle *rec)
+ {
+ 	selabel_subs_fini(rec->subs);
+ 	rec->func_close(rec);
++	free(rec->spec_file);
+ 	free(rec);
+ }
+ 
+diff --git a/libselinux/src/label_db.c b/libselinux/src/label_db.c
+index 7afacf0..ab0696a 100644
+--- a/libselinux/src/label_db.c
++++ b/libselinux/src/label_db.c
+@@ -230,7 +230,7 @@ db_stats(struct selabel_handle *rec)
+  * selabel_open() handler
+  */
+ static catalog_t *
+-db_init(struct selinux_opt *opts, unsigned nopts)
++db_init(struct selinux_opt *opts, unsigned nopts, struct selabel_handle *rec)
+ {
+ 	catalog_t      *catalog;
+ 	FILE	       *filp;
+@@ -275,6 +275,7 @@ db_init(struct selinux_opt *opts, unsigned nopts)
+ 		free(catalog);
+ 		return NULL;
+ 	}
++	rec->spec_file = strdup(path);
+ 
+ 	/*
+ 	 * Parse for each lines
+@@ -332,7 +333,7 @@ int selabel_db_init(struct selabel_handle *rec,
+ 	rec->func_close = &db_close;
+ 	rec->func_lookup = &db_lookup;
+ 	rec->func_stats = &db_stats;
+-	rec->data = db_init(opts, nopts);
++	rec->data = db_init(opts, nopts, rec);
+ 
+ 	return !rec->data ? -1 : 0;
+ }
 diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
-index ac11b37..42889cf 100644
+index ac11b37..82a608c 100644
 --- a/libselinux/src/label_file.c
 +++ b/libselinux/src/label_file.c
 @@ -27,6 +27,7 @@
@@ -197,7 +272,15 @@ index ac11b37..42889cf 100644
  			break;
  		case SELABEL_OPT_BASEONLY:
  			baseonly = !!opts[n].value;
-@@ -480,7 +497,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+@@ -462,6 +479,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+ 		if (localfp != NULL)
+ 			__fsetlocking(localfp, FSETLOCKING_BYCALLER);
+ 	}
++	rec->spec_file = strdup(path);
+ 
+ 	/* 
+ 	 * Perform two passes over the specification file.
+@@ -480,7 +498,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
  		while (getline(&line_buf, &line_len, fp) > 0) {
  			if (data->nspec >= maxnspec)
  				break;
@@ -206,7 +289,7 @@ index ac11b37..42889cf 100644
  			if (status)
  				goto finish;
  		}
-@@ -496,7 +513,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+@@ -496,7 +514,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
  			while (getline(&line_buf, &line_len, homedirfp) > 0) {
  				if (data->nspec >= maxnspec)
  					break;
@@ -215,7 +298,7 @@ index ac11b37..42889cf 100644
  				if (status)
  					goto finish;
  			}
-@@ -506,7 +523,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+@@ -506,7 +524,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
  			while (getline(&line_buf, &line_len, localfp) > 0) {
  				if (data->nspec >= maxnspec)
  					break;
@@ -224,8 +307,49 @@ index ac11b37..42889cf 100644
  				if (status)
  					goto finish;
  			}
+diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
+index 02dbe73..79d5495 100644
+--- a/libselinux/src/label_internal.h
++++ b/libselinux/src/label_internal.h
+@@ -59,6 +59,12 @@ struct selabel_handle {
+ 	/* supports backend-specific state information */
+ 	void *data;
+ 
++	/*
++	 * The main spec file used. Note for file contexts the local and/or
++	 * homedirs could also have been used to resolve a context.
++	 */
++	char *spec_file;
++
+ 	/* substitution support */
+ 	struct selabel_sub *subs;
+ };
+diff --git a/libselinux/src/label_media.c b/libselinux/src/label_media.c
+index f8986e4..227785f 100644
+--- a/libselinux/src/label_media.c
++++ b/libselinux/src/label_media.c
+@@ -100,6 +100,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+ 		errno = EINVAL;
+ 		return -1;
+ 	}
++	rec->spec_file = strdup(path);
+ 
+ 	/* 
+ 	 * Perform two passes over the specification file.
+diff --git a/libselinux/src/label_x.c b/libselinux/src/label_x.c
+index a9bfaa5..896ef02 100644
+--- a/libselinux/src/label_x.c
++++ b/libselinux/src/label_x.c
+@@ -127,6 +127,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+ 		errno = EINVAL;
+ 		return -1;
+ 	}
++	rec->spec_file = strdup(path);
+ 
+ 	/* 
+ 	 * Perform two passes over the specification file.
 diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
-index c396add..489ef3a 100644
+index c396add..c625f55 100644
 --- a/libselinux/src/matchpathcon.c
 +++ b/libselinux/src/matchpathcon.c
 @@ -2,6 +2,7 @@
@@ -279,6 +403,24 @@ index c396add..489ef3a 100644
  hidden_def(matchpathcon_init_prefix)
  
  int matchpathcon_init(const char *path)
+@@ -531,9 +539,14 @@ int compat_validate(struct selabel_handle *rec,
+ 	else {
+ 		rc = selabel_validate(rec, contexts);
+ 		if (rc < 0) {
+-			COMPAT_LOG(SELINUX_WARNING,
+-				    "%s:  line %d has invalid context %s\n",
+-				    path, lineno, *ctx);
++			if (lineno) {
++				COMPAT_LOG(SELINUX_WARNING,
++					    "%s: line %d has invalid context %s\n",
++						path, lineno, *ctx);
++			} else {
++				COMPAT_LOG(SELINUX_WARNING,
++					    "%s: has invalid context %s\n", path, *ctx);
++			}
+ 		}
+ 	}
+ 
 diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
 index 710396a..9a3fc14 100644
 --- a/libselinux/src/selinux_internal.h
diff --git a/libselinux.spec b/libselinux.spec
index 06818d9..2233788 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -7,7 +7,7 @@
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 2.1.8
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 Source: %{name}-%{version}.tgz
@@ -231,6 +231,15 @@ rm -rf %{buildroot}
 %{ruby_sitearch}/selinux.so
 
 %changelog
+* Mon Dec 18 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.8-5
+- Add patch from Richard Haines
+      When selabel_lookup found an invalid context with validation enabled, it
+      always stated it was 'file_contexts' whether media, x, db or file.
+      The fix is to store the spec file name in the selabel_lookup_rec on
+      selabel_open and use this as output for logs. Also a minor fix if key is
+      NULL to stop seg faults.
+- Fix setenforce manage page.
+
 * Thu Dec 15 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.8-4
 - Rebuild with new libsepol

More information about the scm-commits mailing list