[libsemanage] Change libsemanage mechanism for handling disabled modules. Now it will only create a flag for a mod

Daniel J Walsh dwalsh at fedoraproject.org
Tue Jun 7 17:15:11 UTC 2011


commit 410db78cc001770b7b8ebe5ce07e55438709ad25
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Tue Jun 7 13:14:57 2011 -0400

    Change libsemanage mechanism for handling disabled modules. Now it will only create a flag for a module
    indicating the module is disabled.  MODULE.pp.disabled, it will no longer rename the module.  This way we can
    ship active modules in rpm.

 libsemanage-rhat.patch |  224 ++++++++++++++++++++++++++++++++++++++++++++++-
 libsemanage.spec       |    7 ++-
 2 files changed, 225 insertions(+), 6 deletions(-)
---
diff --git a/libsemanage-rhat.patch b/libsemanage-rhat.patch
index 4b9a32a..9d0bb5d 100644
--- a/libsemanage-rhat.patch
+++ b/libsemanage-rhat.patch
@@ -175,9 +175,18 @@ index 9b261b9..77c00b2 100644
  		free(arg);
  	} else if (*arg == '/') {
 diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
-index bceb6a7..7416540 100644
+index bceb6a7..bfdcdbe 100644
 --- a/libsemanage/src/direct_api.c
 +++ b/libsemanage/src/direct_api.c
+@@ -2,7 +2,7 @@
+  *         Christopher Ashworth <cashworth at tresys.com>
+  *
+  * Copyright (C) 2004-2006 Tresys Technology, LLC
+- * Copyright (C) 2005 Red Hat, Inc.
++ * Copyright (C) 2005-2011 Red Hat, Inc.
+  * 
+  *  This library is free software; you can redistribute it and/or
+  *  modify it under the terms of the GNU Lesser General Public
 @@ -95,7 +95,7 @@ int semanage_direct_is_managed(semanage_handle_t * sh)
  {
  	char polpath[PATH_MAX];
@@ -196,7 +205,92 @@ index bceb6a7..7416540 100644
  		 sh->conf->store_path);
  
  	if (semanage_check_init(polpath))
-@@ -1539,7 +1539,7 @@ int semanage_direct_access_check(semanage_handle_t * sh)
+@@ -353,17 +353,11 @@ static int parse_module_headers(semanage_handle_t * sh, char *module_data,
+ 	     semanage_path(SEMANAGE_TMP, SEMANAGE_MODULES)) == NULL) {
+ 		return -1;
+ 	}
+-	if (asprintf(filename, "%s/%s.pp%s", module_path, *module_name, DISABLESTR) == -1) {
++	if (asprintf(filename, "%s/%s.pp", module_path, *module_name) == -1) {
+ 		ERR(sh, "Out of memory!");
+ 		return -1;
+ 	}
+ 
+-	if (access(*filename, F_OK) == -1) {
+-		char *ptr = *filename;
+-		int len = strlen(ptr) - strlen(DISABLESTR);
+-		if (len > 0) ptr[len]='\0';
+-	}
+-
+ 	return 0;
+ }
+ 
+@@ -1307,29 +1301,12 @@ static int semanage_direct_enable(semanage_handle_t * sh, char *module_name)
+ 		base++;
+ 		if (memcmp(module_name, base, name_len) == 0) {
+ 
+-			if(strcmp(base + name_len + 3, DISABLESTR) != 0) {
+-				ERR(sh, "Module %s is already enabled.", module_name);
++			if (semanage_enable_module(module_filenames[i]) < 0) {
++				ERR(sh, "Could not enable module %s.", module_name);
+ 				retval = -2;
+ 				goto cleanup;
+ 			}
+-
+-			int len = strlen(module_filenames[i]) - strlen(DISABLESTR);
+-			char *enabled_name = calloc(1, len+1);
+-			if (!enabled_name) {
+-				ERR(sh, "Could not allocate memory");
+-				retval = -1;
+-				goto cleanup;
+-			}
+-
+-			strncpy(enabled_name, module_filenames[i],len);
+-
+-			if (rename(module_filenames[i], enabled_name) == -1) {
+-				ERR(sh, "Could not enable module file %s.",
+-				    enabled_name);
+-				retval = -2;
+-			}
+ 			retval = 0;
+-			free(enabled_name);
+ 			goto cleanup;
+ 		}
+ 	}
+@@ -1363,28 +1340,14 @@ static int semanage_direct_disable(semanage_handle_t * sh, char *module_name)
+ 			goto cleanup;
+ 		}
+ 		base++;
+-		if (memcmp(module_name, base, name_len) == 0) {
+-			if (strcmp(base + name_len + 3, DISABLESTR) == 0) {
+-				ERR(sh, "Module %s is already disabled.", module_name);
++		if ((memcmp(module_name, base, name_len) == 0) &&
++		    (strcmp(base + name_len, ".pp") == 0)) {
++			if (semanage_disable_module(module_filenames[i]) < 0) {
+ 				retval = -2;
+ 				goto cleanup;
+-			} else if (strcmp(base + name_len, ".pp") == 0) {
+-				char disabled_name[PATH_MAX];
+-				if (snprintf(disabled_name, PATH_MAX, "%s%s", 
+-							module_filenames[i], DISABLESTR) == PATH_MAX) {
+-					ERR(sh, "Could not disable module file %s.",
+-							module_filenames[i]);
+-					retval = -2;
+-					goto cleanup;
+-				}
+-				if (rename(module_filenames[i], disabled_name) == -1) {
+-					ERR(sh, "Could not disable module file %s.",
+-							module_filenames[i]);
+-					retval = -2;
+-				}
+-				retval = 0;
+-				goto cleanup;
+ 			}
++			retval=0;
++			goto cleanup;
+ 		}
+ 	}
+ 	ERR(sh, "Module %s was not found.", module_name);
+@@ -1539,7 +1502,7 @@ int semanage_direct_access_check(semanage_handle_t * sh)
  {
  	char polpath[PATH_MAX];
  
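Review bot: The enable branch in semanage_direct_enable now acts on a bare name-prefix match: `memcmp(module_name, base, name_len) == 0` is also true for `foobar.pp` when `module_name` is `foo` (and presumably for a listed `foo.pp.disabled` flag file), and the removed `DISABLESTR` comparison was the only thing that pinned the `.pp` position, so `semanage_enable_module()` runs on the first filename that merely starts with the requested module. The disable branch in the same hunk already adds the exact-suffix test; mirror it here: `if ((memcmp(module_name, base, name_len) == 0) && (strcmp(base + name_len, ".pp") == 0)) {`. Note also that `semanage_enable_module()` returns 1 rather than a negative value when the flag path is truncated (see the semanage_store.c hunk), so the `< 0` test here reports a truncated path as a successful enable; testing `!= 0` would catch it. Both semanage_direct_enable and semanage_direct_disable begin outside the hunk.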
@@ -455,9 +549,18 @@ index 3cffef7..da0ad71 100644
    return _semanage.semanage_module_install(*args)
  semanage_module_install = _semanage.semanage_module_install
 diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
-index 339bbd0..e970a8b 100644
+index 339bbd0..f5e3572 100644
 --- a/libsemanage/src/semanage_store.c
 +++ b/libsemanage/src/semanage_store.c
+@@ -57,7 +57,7 @@ typedef struct dbase_policydb dbase_t;
+ 
+ #include "debug.h"
+ 
+-const char *DISABLESTR=".disabled";
++static const char *DISABLESTR="disabled";
+ 
+ #define SEMANAGE_CONF_FILE "semanage.conf"
+ /* relative path names to enum semanage_paths to special files and
 @@ -90,7 +90,7 @@ static const char *semanage_store_paths[SEMANAGE_NUM_STORES] = {
  	"/tmp"
  };
@@ -481,7 +584,62 @@ index 339bbd0..e970a8b 100644
  		 SEMANAGE_CONF_FILE);
  
  	return 0;
-@@ -1071,14 +1071,14 @@ static int semanage_install_active(semanage_handle_t * sh)
+@@ -425,6 +425,13 @@ int semanage_store_access_check(semanage_handle_t * sh)
+ 
+ /********************* other I/O functions *********************/
+ 
++static int is_disabled_file(const char *file) {
++	char *ptr = strrchr(file, '.');
++	if (! ptr) return 0;
++	ptr++;
++	return (strcmp(ptr, DISABLESTR) == 0);
++}
++
+ /* Callback used by scandir() to select files. */
+ static int semanage_filename_select(const struct dirent *d)
+ {
+@@ -435,9 +442,38 @@ static int semanage_filename_select(const struct dirent *d)
+ 	return 1;
+ }
+ 
++int semanage_disable_module(const char *file) {
++	char path[PATH_MAX];
++	int in;
++	int n = snprintf(path, PATH_MAX, "%s.%s", file, DISABLESTR);
++	if (n < 0 || n >= PATH_MAX)
++		return -1;
++	if ((in = open(path, O_WRONLY | O_CREAT )) == -1) {
++		return -1;
++	}
++	close(in);
++	return 0;
++}
++
++int semanage_enable_module(const char *file) {
++	char path[PATH_MAX];
++	int n = snprintf(path, PATH_MAX, "%s.%s", file, DISABLESTR);
++	if (n < 0 || n >= PATH_MAX)
++		return 1;
++
++	if ((unlink(path) < 0) && (errno != ENOENT))
++		return -1;
++	return 0;
++}
++
+ int semanage_module_enabled(const char *file) {
+-	int len = strlen(file) - strlen(DISABLESTR);
+-	return (len < 0 || strcmp(&file[len], DISABLESTR) != 0);
++	char path[PATH_MAX];
++	if (is_disabled_file(file)) return 0;
++	int n = snprintf(path, PATH_MAX, "%s.%s", file, DISABLESTR);
++	if (n < 0 || n >= PATH_MAX)
++		return 1;
++
++	return (access(path, F_OK ) != 0);
+ }
+ 
+ static int semanage_modulename_select(const struct dirent *d)
+@@ -1071,14 +1107,14 @@ static int semanage_install_active(semanage_handle_t * sh)
  	const char *active_fc_hd =
  	    semanage_path(SEMANAGE_ACTIVE, SEMANAGE_FC_HOMEDIRS);
  
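Review bot: `open(path, O_WRONLY | O_CREAT)` in semanage_disable_module omits the mode argument that O_CREAT requires, so the new `MODULE.pp.disabled` flag file is created with whatever value happens to sit in the variadic slot as its permission bits — undefined behaviour, unpredictable modes on a file inside the policy store, and something a fortified glibc may reject at build time. Pass an explicit mode, e.g. `open(path, O_WRONLY | O_CREAT, 0644)`; the file is only a marker, so the immediate `close()` is otherwise fine. In semanage_enable_module the truncation branch `return 1;` breaks the -1 error convention used by its sibling and assumed by callers testing `< 0`, so a module path that does not fit in PATH_MAX is silently treated as enabled; it should `return -1;`. semanage_module_enabled likewise answers "enabled" on truncation, which may be the intended fail-open default but deserves a comment saying so.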
@@ -504,7 +662,7 @@ index 339bbd0..e970a8b 100644
  
  	/* This is very unelegant, the right thing to do is export the path 
  	 * building code in libselinux so that you can get paths for a given 
-@@ -1099,11 +1099,11 @@ static int semanage_install_active(semanage_handle_t * sh)
+@@ -1099,11 +1135,11 @@ static int semanage_install_active(semanage_handle_t * sh)
  	running_seusers += len;
  	running_nc += len;
  
@@ -518,6 +676,62 @@ index 339bbd0..e970a8b 100644
  		 sh->conf->store_path);
  
  	snprintf(store_pol, PATH_MAX, "%s%s.%d", storepath,
+@@ -1632,18 +1668,21 @@ int semanage_link_sandbox(semanage_handle_t * sh,
+ 		num_modules = 0;
+ 		goto cleanup;
+ 	}
++	int disabled = 0;
+ 	for (i = 0; i < num_modules; i++) {
+-		if (semanage_load_module(sh, module_filenames[i], mods + i) ==
+-		    -1) {
+-			goto cleanup;
++		if (semanage_module_enabled(module_filenames[i])) {
++			if (semanage_load_module(sh, module_filenames[i], mods + (i - disabled)) == -1) {
++				goto cleanup;
++			}
++		} else {
++			disabled++;
+ 		}
+ 	}
+ 
+-	if (sepol_link_packages(sh->sepolh, *base, mods, num_modules, 0) != 0) {
++	if (sepol_link_packages(sh->sepolh, *base, mods, num_modules - disabled, 0) != 0) {
+ 		ERR(sh, "Link packages failed");
+ 		goto cleanup;
+ 	}
+-
+ 	retval = 0;
+ 
+       cleanup:
+@@ -1651,7 +1690,7 @@ int semanage_link_sandbox(semanage_handle_t * sh,
+ 		free(module_filenames[i]);
+ 	}
+ 	free(module_filenames);
+-	for (i = 0; mods != NULL && i < num_modules; i++) {
++	for (i = 0; mods != NULL && i < num_modules -disabled; i++) {
+ 		sepol_module_package_free(mods[i]);
+ 	}
+ 	free(mods);
+diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
+index 6abb2ee..8470191 100644
+--- a/libsemanage/src/semanage_store.h
++++ b/libsemanage/src/semanage_store.h
+@@ -85,6 +85,8 @@ int semanage_get_modules_names(semanage_handle_t * sh,
+ 			       char ***filenames, int *len);
+ 
+ int semanage_module_enabled(const char *file);
++int semanage_enable_module(const char *file);
++int semanage_disable_module(const char *file);
+ /* lock file routines */
+ int semanage_get_trans_lock(semanage_handle_t * sh);
+ int semanage_get_active_lock(semanage_handle_t * sh);
+@@ -129,6 +131,4 @@ int semanage_nc_sort(semanage_handle_t * sh,
+ 		     size_t buf_len,
+ 		     char **sorted_buf, size_t * sorted_buf_len);
+ 
+-extern const char *DISABLESTR;
+-
+ #endif
 diff --git a/libsemanage/src/semanageswig_python.i b/libsemanage/src/semanageswig_python.i
 index 96c670c..c074f5f 100644
 --- a/libsemanage/src/semanageswig_python.i
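Review bot: `int disabled = 0;` is declared after the `goto cleanup` on the lines just above it, yet the cleanup loop `for (i = 0; mods != NULL && i < num_modules -disabled; i++)` reads it, so that jump — and presumably the earlier error exits in the part of semanage_link_sandbox outside this hunk — reaches cleanup with `disabled` uninitialised and an unpredictable loop bound. Move the declaration up with the function's other locals (`int disabled = 0;` at the top of semanage_link_sandbox) and drop the mid-body one. After a failed `semanage_load_module()` the cleanup also frees `num_modules - disabled` entries including slots never filled, which is only safe if `mods` is zero-allocated; the allocation is not visible here, so confirm it. semanage_link_sandbox begins outside the hunk.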
diff --git a/libsemanage.spec b/libsemanage.spec
index 183cbfd..d771331 100644
--- a/libsemanage.spec
+++ b/libsemanage.spec
@@ -10,7 +10,7 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsemanage
 Version: 2.0.46
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 Source: http://www.nsa.gov/selinux/archives/libsemanage-%{version}.tgz
@@ -208,6 +208,11 @@ rm -rf ${RPM_BUILD_ROOT}
 
 
 %changelog
+* Tue Jun 7 2011 Dan Walsh <dwalsh at redhat.com> - 2.0.46-5
+- Change libsemanage mechanism for handling disabled modules. Now it will only create a flag for a module 
+indicating the module is disabled.  MODULE.pp.disabled, it will no longer rename the module.  This way we can
+ship active modules in rpm.
+
 * Wed Jun 1 2011 Dan Walsh <dwalsh at redhat.com> - 2.0.46-4
 - Add semanage_set_selinux_path, to allow semodule to work on alternate selinux pools
 

