[libselinux/f16] Change python binding for restorecon to check if the context matches. If it does do not reset
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Nov 29 14:52:43 UTC 2011
commit b02e0597419838ab1cc5ab50cb5ca8761184f9c7
Author: Dan Walsh <dwalsh at redhat.com>
Date: Tue Nov 29 09:52:39 2011 -0500
Change python binding for restorecon to check if the context matches.
If it does, do not reset it.
libselinux-rhat.patch | 128 +++++++++++++++++++++++++------------------------
libselinux.spec | 6 ++-
2 files changed, 70 insertions(+), 64 deletions(-)
---
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index b3fbef9..1c6d32c 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -1,8 +1,7 @@
-diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
-index d29b0c1..792e68e 100644
---- a/libselinux/include/selinux/selinux.h
-+++ b/libselinux/include/selinux/selinux.h
-@@ -500,6 +500,25 @@ extern const char *selinux_colors_path(void);
+diff -up libselinux-2.1.6/include/selinux/selinux.h.rhat libselinux-2.1.6/include/selinux/selinux.h
+--- libselinux-2.1.6/include/selinux/selinux.h.rhat 2011-09-19 06:33:13.000000000 -0400
++++ libselinux-2.1.6/include/selinux/selinux.h 2011-11-29 09:48:44.543942189 -0500
+@@ -500,6 +500,25 @@ extern const char *selinux_colors_path(v
extern const char *selinux_netfilter_context_path(void);
extern const char *selinux_path(void);
@@ -28,11 +27,10 @@ index d29b0c1..792e68e 100644
/* Check a permission in the passwd class.
Return 0 if granted or -1 otherwise. */
extern int selinux_check_passwd_access(access_vector_t requested);
-diff --git a/libselinux/man/man3/matchpathcon.3 b/libselinux/man/man3/matchpathcon.3
-index cdbb252..e2a4371 100644
---- a/libselinux/man/man3/matchpathcon.3
-+++ b/libselinux/man/man3/matchpathcon.3
-@@ -8,7 +8,7 @@ matchpathcon, matchpathcon_index \- get the default SELinux security context for
+diff -up libselinux-2.1.6/man/man3/matchpathcon.3.rhat libselinux-2.1.6/man/man3/matchpathcon.3
+--- libselinux-2.1.6/man/man3/matchpathcon.3.rhat 2011-09-19 06:33:13.000000000 -0400
++++ libselinux-2.1.6/man/man3/matchpathcon.3 2011-11-29 09:48:44.544942189 -0500
+@@ -8,7 +8,7 @@ matchpathcon, matchpathcon_index \- get
.BI "int matchpathcon_init(const char *" path ");"
@@ -50,11 +48,10 @@ index cdbb252..e2a4371 100644
.sp
.B matchpathcon_fini
frees the memory allocated by a prior call to
-diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
-index f2d9f30..1e36952 100644
---- a/libselinux/man/man3/security_compute_av.3
-+++ b/libselinux/man/man3/security_compute_av.3
-@@ -24,6 +24,8 @@ the SELinux policy database in the kernel.
+diff -up libselinux-2.1.6/man/man3/security_compute_av.3.rhat libselinux-2.1.6/man/man3/security_compute_av.3
+--- libselinux-2.1.6/man/man3/security_compute_av.3.rhat 2011-09-19 06:33:13.000000000 -0400
++++ libselinux-2.1.6/man/man3/security_compute_av.3 2011-11-29 09:48:44.545942189 -0500
+@@ -24,6 +24,8 @@ the SELinux policy database in the kerne
.BI "int security_get_initial_context(const char *" name ", security_context_t
"con );
.sp
@@ -73,11 +70,10 @@ index f2d9f30..1e36952 100644
.B selinux_check_passwd_access
is used to check for a permission in the
.I passwd
-diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
-index 8674e37..89bb4d3 100644
---- a/libselinux/man/man3/selabel_open.3
-+++ b/libselinux/man/man3/selabel_open.3
-@@ -66,6 +66,13 @@ A non-null value for this option enables context validation. By default,
+diff -up libselinux-2.1.6/man/man3/selabel_open.3.rhat libselinux-2.1.6/man/man3/selabel_open.3
+--- libselinux-2.1.6/man/man3/selabel_open.3.rhat 2011-09-19 06:33:13.000000000 -0400
++++ libselinux-2.1.6/man/man3/selabel_open.3 2011-11-29 09:48:44.546942189 -0500
+@@ -66,6 +66,13 @@ A non-null value for this option enables
is used; a custom validation function can be provided via
.BR selinux_set_callback (3).
Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation.
@@ -96,17 +92,14 @@ index 8674e37..89bb4d3 100644
.BR selinux_set_callback (3),
.BR selinux (8)
-
-diff --git a/libselinux/man/man3/selinux_check_access.3 b/libselinux/man/man3/selinux_check_access.3
-new file mode 100644
-index 0000000..a60bca4
---- /dev/null
-+++ b/libselinux/man/man3/selinux_check_access.3
+diff -up libselinux-2.1.6/man/man3/selinux_check_access.3.rhat libselinux-2.1.6/man/man3/selinux_check_access.3
+--- libselinux-2.1.6/man/man3/selinux_check_access.3.rhat 2011-11-29 09:48:44.546942189 -0500
++++ libselinux-2.1.6/man/man3/selinux_check_access.3 2011-11-29 09:48:44.546942189 -0500
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
-diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
-index 74591b4..e7ad31d 100644
---- a/libselinux/src/avc.c
-+++ b/libselinux/src/avc.c
+diff -up libselinux-2.1.6/src/avc.c.rhat libselinux-2.1.6/src/avc.c
+--- libselinux-2.1.6/src/avc.c.rhat 2011-09-19 06:33:13.000000000 -0400
++++ libselinux-2.1.6/src/avc.c 2011-11-29 09:48:44.548942190 -0500
@@ -165,6 +165,9 @@ int avc_init(const char *prefix,
struct avc_node *new;
int i, rc = 0;
@@ -117,11 +110,10 @@ index 74591b4..e7ad31d 100644
if (prefix)
strncpy(avc_prefix, prefix, AVC_PREFIX_SIZE - 1);
-diff --git a/libselinux/src/callbacks.c b/libselinux/src/callbacks.c
-index b245364..7c47222 100644
---- a/libselinux/src/callbacks.c
-+++ b/libselinux/src/callbacks.c
-@@ -16,6 +16,7 @@ default_selinux_log(int type __attribute__((unused)), const char *fmt, ...)
+diff -up libselinux-2.1.6/src/callbacks.c.rhat libselinux-2.1.6/src/callbacks.c
+--- libselinux-2.1.6/src/callbacks.c.rhat 2011-09-19 06:33:13.000000000 -0400
++++ libselinux-2.1.6/src/callbacks.c 2011-11-29 09:48:44.549942191 -0500
+@@ -16,6 +16,7 @@ default_selinux_log(int type __attribute
{
int rc;
va_list ap;
@@ -129,10 +121,9 @@ index b245364..7c47222 100644
va_start(ap, fmt);
rc = vfprintf(stderr, fmt, ap);
va_end(ap);
-diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
-index c1982c7..59c8abb 100644
---- a/libselinux/src/checkAccess.c
-+++ b/libselinux/src/checkAccess.c
+diff -up libselinux-2.1.6/src/checkAccess.c.rhat libselinux-2.1.6/src/checkAccess.c
+--- libselinux-2.1.6/src/checkAccess.c.rhat 2011-09-19 06:33:13.000000000 -0400
++++ libselinux-2.1.6/src/checkAccess.c 2011-11-29 09:48:44.550942192 -0500
@@ -4,8 +4,40 @@
#include <errno.h>
#include "selinux_internal.h"
@@ -174,10 +165,9 @@ index c1982c7..59c8abb 100644
int selinux_check_passwd_access(access_vector_t requested)
{
int status = -1;
-diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
-index 3b8346d..02f3f98 100644
---- a/libselinux/src/label_file.c
-+++ b/libselinux/src/label_file.c
+diff -up libselinux-2.1.6/src/label_file.c.rhat libselinux-2.1.6/src/label_file.c
+--- libselinux-2.1.6/src/label_file.c.rhat 2011-09-19 06:33:13.000000000 -0400
++++ libselinux-2.1.6/src/label_file.c 2011-11-29 09:48:44.551942192 -0500
@@ -27,6 +27,7 @@
* Internals, mostly moved over from matchpathcon.c
*/
@@ -186,7 +176,7 @@ index 3b8346d..02f3f98 100644
/* A file security context specification. */
typedef struct spec {
struct selabel_lookup_rec lr; /* holds contexts for lookup result */
-@@ -279,7 +280,7 @@ static int compile_regex(struct saved_data *data, spec_t *spec, char **errbuf)
+@@ -279,7 +280,7 @@ static int compile_regex(struct saved_da
static int process_line(struct selabel_handle *rec,
@@ -195,7 +185,7 @@ index 3b8346d..02f3f98 100644
char *line_buf, int pass, unsigned lineno)
{
int items, len;
-@@ -313,12 +314,24 @@ static int process_line(struct selabel_handle *rec,
+@@ -313,12 +314,24 @@ static int process_line(struct selabel_h
}
len = get_stem_from_spec(regex);
@@ -226,7 +216,7 @@ index 3b8346d..02f3f98 100644
}
if (pass == 1) {
-@@ -400,7 +413,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+@@ -400,7 +413,7 @@ static int init(struct selabel_handle *r
{
struct saved_data *data = (struct saved_data *)rec->data;
const char *path = NULL;
@@ -235,7 +225,7 @@ index 3b8346d..02f3f98 100644
FILE *fp;
FILE *localfp = NULL;
FILE *homedirfp = NULL;
-@@ -421,8 +434,19 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+@@ -421,8 +434,19 @@ static int init(struct selabel_handle *r
path = opts[n].value;
break;
case SELABEL_OPT_SUBSET:
@@ -256,7 +246,7 @@ index 3b8346d..02f3f98 100644
case SELABEL_OPT_BASEONLY:
baseonly = !!opts[n].value;
break;
-@@ -481,7 +505,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+@@ -481,7 +505,7 @@ static int init(struct selabel_handle *r
data->ncomp = 0;
while (getline(&line_buf, &line_len, fp) > 0
&& data->nspec < maxnspec) {
@@ -265,7 +255,7 @@ index 3b8346d..02f3f98 100644
pass, ++lineno) != 0)
goto finish;
}
-@@ -495,7 +519,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+@@ -495,7 +519,7 @@ static int init(struct selabel_handle *r
while (getline(&line_buf, &line_len, homedirfp) > 0
&& data->nspec < maxnspec) {
if (process_line
@@ -274,7 +264,7 @@ index 3b8346d..02f3f98 100644
line_buf, pass, ++lineno) != 0)
goto finish;
}
-@@ -505,7 +529,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
+@@ -505,7 +529,7 @@ static int init(struct selabel_handle *r
while (getline(&line_buf, &line_len, localfp) > 0
&& data->nspec < maxnspec) {
if (process_line
@@ -283,11 +273,10 @@ index 3b8346d..02f3f98 100644
pass, ++lineno) != 0)
goto finish;
}
-diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
-index 868660f..7fa6383 100644
---- a/libselinux/src/load_policy.c
-+++ b/libselinux/src/load_policy.c
-@@ -380,7 +380,7 @@ int selinux_init_load_policy(int *enforce)
+diff -up libselinux-2.1.6/src/load_policy.c.rhat libselinux-2.1.6/src/load_policy.c
+--- libselinux-2.1.6/src/load_policy.c.rhat 2011-09-19 06:33:13.000000000 -0400
++++ libselinux-2.1.6/src/load_policy.c 2011-11-29 09:48:44.552942192 -0500
+@@ -380,7 +380,7 @@ int selinux_init_load_policy(int *enforc
}
if (! mntpoint ) {
@@ -296,10 +285,9 @@ index 868660f..7fa6383 100644
/*
* SELinux was disabled in the kernel, either
* omitted entirely or disabled at boot via selinux=0.
-diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
-index 5914afa..df83b30 100644
---- a/libselinux/src/matchpathcon.c
-+++ b/libselinux/src/matchpathcon.c
+diff -up libselinux-2.1.6/src/matchpathcon.c.rhat libselinux-2.1.6/src/matchpathcon.c
+--- libselinux-2.1.6/src/matchpathcon.c.rhat 2011-09-19 06:33:13.000000000 -0400
++++ libselinux-2.1.6/src/matchpathcon.c 2011-11-29 09:48:44.553942192 -0500
@@ -2,6 +2,7 @@
#include <string.h>
#include <errno.h>
@@ -317,10 +305,24 @@ index 5914afa..df83b30 100644
va_end(ap);
}
-diff --git a/libselinux/src/seusers.c b/libselinux/src/seusers.c
-index fc75cb6..b653cad 100644
---- a/libselinux/src/seusers.c
-+++ b/libselinux/src/seusers.c
+diff -up libselinux-2.1.6/src/selinuxswig_python.i.rhat libselinux-2.1.6/src/selinuxswig_python.i
+--- libselinux-2.1.6/src/selinuxswig_python.i.rhat 2011-11-29 09:49:35.354958034 -0500
++++ libselinux-2.1.6/src/selinuxswig_python.i 2011-11-29 09:50:00.282963933 -0500
+@@ -22,7 +22,10 @@ def restorecon(path, recursive=False):
+ status, context = matchpathcon(path, mode)
+
+ if status == 0:
+- lsetfilecon(path, context)
++ status, oldcontext = lgetfilecon(path)
++ if context != oldcontext:
++ lsetfilecon(path, context)
++
+ if recursive:
+ os.path.walk(path, lambda arg, dirname, fnames:
+ map(restorecon, [os.path.join(dirname, fname)
+diff -up libselinux-2.1.6/src/seusers.c.rhat libselinux-2.1.6/src/seusers.c
+--- libselinux-2.1.6/src/seusers.c.rhat 2011-09-19 06:33:13.000000000 -0400
++++ libselinux-2.1.6/src/seusers.c 2011-11-29 09:48:44.554942192 -0500
@@ -5,6 +5,7 @@
#include <stdio.h>
#include <stdio_ext.h>
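Review bot: The status returned by `lgetfilecon` on the new `status, oldcontext = lgetfilecon(path)` line is stored but never examined, so when the read fails (unlabeled file, filesystem without xattr support, permission denied) `oldcontext` holds whatever the binding yields on error and that error-path value alone decides whether `lsetfilecon` runs; the assignment also overwrites the `matchpathcon` status from the line above. Make the fallback explicit so a failed read always relabels rather than relying on the error value comparing unequal: `if status != 0 or context != oldcontext:` followed by the existing `lsetfilecon(path, context)`. The return value of `lsetfilecon` is still discarded, as it was before this change, so a relabel that fails leaves the file mislabeled with no indication to the caller; checking it (or at least the combined status) would let the python `restorecon` report failure. The `restorecon` function starts and ends outside this hunk (the lstat/mode computation above and the recursive walk below are not visible here).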
@@ -329,7 +331,7 @@ index fc75cb6..b653cad 100644
#include <selinux/selinux.h>
#include <selinux/context.h>
#include "selinux_internal.h"
-@@ -118,13 +119,26 @@ static int check_group(const char *group, const char *name, const gid_t gid) {
+@@ -118,13 +119,26 @@ static int check_group(const char *group
long rbuflen = sysconf(_SC_GETGR_R_SIZE_MAX);
if (rbuflen <= 0)
return 0;
diff --git a/libselinux.spec b/libselinux.spec
index 964cc3f..b7c0e7f 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -7,7 +7,7 @@
Summary: SELinux library and simple utilities
Name: libselinux
Version: 2.1.6
-Release: 4%{?dist}
+Release: 5%{?dist}
License: Public Domain
Group: System Environment/Libraries
Source: %{name}-%{version}.tgz
@@ -231,6 +231,10 @@ rm -rf %{buildroot}
%{ruby_sitearch}/selinux.so
%changelog
+* Tue Nov 29 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.6-5
+- Change python binding for restorecon to check if the context matches.
+- If it does do not reset
+
* Mon Oct 24 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.6-4
- Apply libselinux patch to handle large groups in seusers.