[policycoreutils/f15/master] Fix sepolgen-ifgen call
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Mar 23 13:52:53 UTC 2011
commit 4189d94570ac474da96a141c5dbf4a6b06099062
Author: Dan Walsh <dwalsh at redhat.com>
Date: Wed Mar 23 09:52:42 2011 -0400
Fix sepolgen-ifgen call
policycoreutils-rhat.patch | 103 ++++++++++++++++++++++++-------------------
policycoreutils.spec | 5 ++-
2 files changed, 61 insertions(+), 47 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 6e09801..3520885 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -192,7 +192,7 @@ index 6178cc8..b6f386d 100644
.PP
.SH AUTHOR
diff --git a/policycoreutils/audit2allow/sepolgen-ifgen b/policycoreutils/audit2allow/sepolgen-ifgen
-index 03f95a1..dda432e 100644
+index 03f95a1..466e8ea 100644
--- a/policycoreutils/audit2allow/sepolgen-ifgen
+++ b/policycoreutils/audit2allow/sepolgen-ifgen
@@ -1,4 +1,4 @@
@@ -220,7 +220,7 @@ index 03f95a1..dda432e 100644
def parse_options():
from optparse import OptionParser
-@@ -44,14 +49,55 @@ def parse_options():
+@@ -44,14 +49,56 @@ def parse_options():
help="filename to store output")
parser.add_option("-i", "--interfaces", dest="headers", default=defaults.headers(),
help="location of the interface header files")
@@ -236,6 +236,7 @@ index 03f95a1..dda432e 100644
return options
+def get_policy():
++ i = selinux.security_policyvers()
+ p = selinux.selinux_binary_policy_path() + "." + str(i)
+ while i > 0 and not os.path.exists(p):
+ i = i - 1
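Review bot: The added `i = selinux.security_policyvers()` in get_policy() is used without any check that the call succeeded. On a host where SELinux is disabled or selinuxfs is not mounted the call may fail (raising or returning a negative value, depending on the binding; worth confirming), and a negative `i` skips the `while i > 0` loop and leaves `p` pointing at a path that was never tested. A guard directly after the call, for example `if i < 0: raise ValueError("unable to determine the kernel policy version")`, would turn that into a clear error instead of a later failure on a missing file. The rest of get_policy() lies outside this hunk, so what happens when the loop counts down to 0 without finding a policy file could not be checked.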
@@ -276,7 +277,7 @@ index 03f95a1..dda432e 100644
def main():
options = parse_options()
-@@ -68,6 +114,14 @@ def main():
+@@ -68,6 +115,14 @@ def main():
else:
log = None
@@ -291,7 +292,7 @@ index 03f95a1..dda432e 100644
try:
headers = refparser.parse_headers(options.headers, output=log, debug=options.debug)
except ValueError, e:
-@@ -76,7 +130,7 @@ def main():
+@@ -76,7 +131,7 @@ def main():
return 1
if_set = interfaces.InterfaceSet(output=log)
@@ -2122,7 +2123,7 @@ index 0000000..e7b8991
+and
+.I Thomas Liu <tliu at fedoraproject.org>
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
-index ec692e7..629a2d3 100644
+index ec692e7..05a18b3 100644
--- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c
@@ -1,28 +1,35 @@
@@ -2253,10 +2254,14 @@ index ec692e7..629a2d3 100644
+ retval = -1; \
+ } while(0)
+
-+/**
+ /**
+- * This function makes sure the mounted directory is owned by the user executing
+- * seunshare.
+- * If so, it returns 0. If it can not figure this out or they are different, it returns -1.
+ * Spawn external command using system() with dropped privileges.
+ * TODO: avoid system() and use exec*() instead
-+ */
+ */
+-static int verify_mount(const char *mntdir, struct passwd *pwd) {
+static int spawn_command(const char *cmd, uid_t uid){
+ int child;
+ int status = -1;
@@ -2316,15 +2321,11 @@ index ec692e7..629a2d3 100644
+ (one)->st_uid == (two)->st_uid && (one)->st_gid == (two)->st_gid && \
+ (one)->st_mode == (two)->st_mode)
+
- /**
-- * This function makes sure the mounted directory is owned by the user executing
-- * seunshare.
-- * If so, it returns 0. If it can not figure this out or they are different, it returns -1.
++/**
+ * Sanity check specified directory. Store stat info for future comparison, or
+ * compare with previously saved info to detect replaced directories.
+ * Note: This function does not perform owner checks.
- */
--static int verify_mount(const char *mntdir, struct passwd *pwd) {
++ */
+static int verify_directory(const char *dir, struct stat *st_in, struct stat *st_out) {
struct stat sb;
- if (stat(mntdir, &sb) == -1) {
@@ -2361,7 +2362,7 @@ index ec692e7..629a2d3 100644
break;
}
}
-@@ -131,45 +236,509 @@ static int verify_shell(const char *shell_name)
+@@ -131,45 +236,519 @@ static int verify_shell(const char *shell_name)
return rc;
}
@@ -2630,64 +2631,74 @@ index ec692e7..629a2d3 100644
+ return rc;
+}
+
-+/*
-+ This function returns 0 on success and -1 on failure.
-+ The cmdbuf will contain the rsync command string to copy all files from
-+ src dir to tmp. cmdbuf can be NULL if no files need to be compied;
-+*/
++/*
++ If path is empy or ends with "/." or "/.. return -1 else return 0;
++ */
++static int bad_path(const char *path) {
++ const char *ptr;
++ ptr = path;
++ while (*ptr) ptr++;
++ if (ptr == path) return -1; // ptr null
++ ptr--;
++ if (ptr != path && *ptr == '.') {
++ ptr--;
++ if (*ptr == '/') return -1; // path ends in /.
++ if (*ptr == '.') {
++ if (ptr != path) {
++ ptr--;
++ if (*ptr == '/') return -1; // path ends in /..
++ }
++ }
++ }
++ return 0;
++}
++
+static int rsynccmd(const char * src, const char *dst, char **cmdbuf)
+{
+ char *buf = NULL;
+ char *newbuf = NULL;
+ glob_t fglob;
+ fglob.gl_offs = 0;
-+ int flags = GLOB_DOOFFS | GLOB_TILDE;
++ int flags = GLOB_PERIOD;
+ unsigned int i = 0;
+ int rc = -1;
+
+ /* match glob for all files in src dir */
+ if (asprintf(&buf, "%s/*", src) == -1) {
+ fprintf(stderr, "Out of memory\n");
- return -1;
++ return -1;
+ }
+
-+ if (glob(buf, flags, NULL, &fglob) < 0) {
++ if (glob(buf, flags, NULL, &fglob) != 0) {
+ free(buf); buf = NULL;
-+ return -1;
+ return -1;
+ }
+
+ free(buf); buf = NULL;
+
-+ /* append match glob for all hidden files in src dir exclude . and .. */
-+ if (asprintf(&buf, "%s/.[^.]*", src) == -1) {
-+ fprintf(stderr, "Out of memory\n");
-+ goto err;
-+ }
-+
-+ if (glob(buf, flags | GLOB_APPEND ,NULL, &fglob) < 0) {
-+ goto err;
-+ }
++ for ( i=0; i < fglob.gl_pathc; i++) {
++ const char *path = fglob.gl_pathv[i];
+
-+ free(buf); buf = NULL;
++ if (bad_path(path)) continue;
+
-+ for ( i=0; i < fglob.gl_pathc; i++) {
+ if (!buf) {
-+ if (asprintf(&newbuf, "%s", fglob.gl_pathv[i]) == -1) {
++ if (asprintf(&newbuf, "\'%s\'", path) == -1) {
+ fprintf(stderr, "Out of memory\n");
+ goto err;
+ }
+ } else {
-+ if (asprintf(&newbuf, "%s %s", buf, fglob.gl_pathv[i]) == -1) {
++ if (asprintf(&newbuf, "%s \'%s\'", buf, path) == -1) {
+ fprintf(stderr, "Out of memory\n");
+ goto err;
+ }
+ }
++
+ free(buf); buf = newbuf;
+ newbuf = NULL;
+ }
+
+ if (buf) {
-+ if (asprintf(&newbuf, "/usr/bin/rsync -trlHDq %s '%s/'", buf, dst) == -1) {
++ if (asprintf(&newbuf, "/usr/bin/rsync -trlHDq %s '%s'", buf, dst) == -1) {
+ fprintf(stderr, "Out of memory\n");
+ goto err;
+ }
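Review bot: In rsynccmd(), the new `asprintf(&newbuf, "\'%s\'", path)` and `"%s \'%s\'"` calls wrap each glob result in single quotes but never escape a `'` inside the name, so a file name containing one ends the quoted word early and the shell parses the remainder (the string is presumably what spawn_command() passes to system(), going by its doc comment earlier in this patch). That comment says privileges are dropped first, so the effect may be limited to a failed or wrong copy under the caller's own uid, but the command line should not depend on file names being benign. Either escape each `'` as `'\''` with a small helper as sketched below and quote `dst` the same way, or follow the existing TODO and build an argv for exec*() so that no shell sees the names. Separately, this hunk drops rsynccmd()'s header comment (return value, and that `*cmdbuf` may be NULL when nothing needs copying), and the new bad_path() comment says `// ptr null` where the string is empty rather than NULL; restoring the former and correcting the latter would help the next reader.

```c
/* Quote s for /bin/sh: wrap it in '...' and write each embedded ' as '\''.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
static char *shell_quote(const char *s)
{
	const char *p;
	char *out, *q;
	size_t len = 2;	/* opening and closing quote */

	for (p = s; *p; p++)
		len += (*p == '\'') ? 4 : 1;
	out = malloc(len + 1);
	if (!out)
		return NULL;
	q = out;
	*q++ = '\'';
	for (p = s; *p; p++) {
		if (*p == '\'') {
			memcpy(q, "'\\''", 4);
			q += 4;
		} else {
			*q++ = *p;
		}
	}
	*q++ = '\'';
	*q = '\0';
	return out;
}

/* … unchanged: bad_path(), glob() call and the bad_path(path) skip … */
		char *quoted = shell_quote(path);
		if (!quoted) {
			fprintf(stderr, "Out of memory\n");
			goto err;
		}
		/* quoted carries its own quotes, so the format strings lose theirs */
		if (asprintf(&newbuf, buf ? "%s %s" : "%s%s", buf ? buf : "", quoted) == -1) {
			free(quoted);
			fprintf(stderr, "Out of memory\n");
			goto err;
		}
		free(quoted);
/* … unchanged: buf/newbuf swap, final rsync asprintf (dst quoted via shell_quote too), cleanup … */
```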
@@ -2702,8 +2713,9 @@ index ec692e7..629a2d3 100644
+ free(buf); buf = NULL;
+ globfree(&fglob);
+ return rc;
-+}
-+
+ }
+
+-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
+/**
+ * Clean up runtime temporary directory. Returns 0 if no problem was detected,
+ * >0 if some error was detected, but errors here are treated as non-fatal and
@@ -2746,9 +2758,8 @@ index ec692e7..629a2d3 100644
+ setfsuid(pwd->pw_uid);
+
+ return 0;
- }
-
--#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
++}
++
+/**
+ * seunshare will create a tmpdir in /tmp, with root ownership. The parent
+ * process waits for it child to exit to attempt to remove the directory. If
@@ -2885,7 +2896,7 @@ index ec692e7..629a2d3 100644
{NULL, 0, 0, 0}
};
-@@ -180,6 +749,12 @@ int main(int argc, char **argv) {
+@@ -180,6 +759,12 @@ int main(int argc, char **argv) {
return -1;
}
@@ -2898,7 +2909,7 @@ index ec692e7..629a2d3 100644
struct passwd *pwd=getpwuid(uid);
if (!pwd) {
perror(_("getpwduid failed"));
-@@ -187,34 +762,30 @@ int main(int argc, char **argv) {
+@@ -187,34 +772,30 @@ int main(int argc, char **argv) {
}
if (verify_shell(pwd->pw_shell) < 0) {
@@ -2944,7 +2955,7 @@ index ec692e7..629a2d3 100644
break;
default:
fprintf(stderr, "%s\n", USAGE_STRING);
-@@ -223,76 +794,84 @@ int main(int argc, char **argv) {
+@@ -223,76 +804,84 @@ int main(int argc, char **argv) {
}
if (! homedir_s && ! tmpdir_s) {
@@ -3078,7 +3089,7 @@ index ec692e7..629a2d3 100644
if (display)
rc |= setenv("DISPLAY", display, 1);
rc |= setenv("HOME", pwd->pw_dir, 1);
-@@ -300,22 +879,41 @@ int main(int argc, char **argv) {
+@@ -300,22 +889,41 @@ int main(int argc, char **argv) {
rc |= setenv("USER", pwd->pw_name, 1);
rc |= setenv("LOGNAME", pwd->pw_name, 1);
rc |= setenv("PATH", DEFAULT_PATH, 1);
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 33be631..623e472 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.85
-Release: 24%{?dist}
+Release: 25%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -331,6 +331,9 @@ fi
exit 0
%changelog
+* Wed Mar 23 2011 Dan Walsh <dwalsh at redhat.com> 2.0.85-25
+- Fix sepolgen-ifgen call
+
* Fri Mar 18 2011 Dan Walsh <dwalsh at redhat.com> 2.0.85-24
- Fix rsync command to work if the directory is old.
- Fix all tests