[libselinux/f16] Apply libselinux patch to handle large groups in seusers.

Daniel J Walsh dwalsh at fedoraproject.org
Mon Oct 24 18:41:49 UTC 2011


commit fb2ea7dbfb2d198949a618a16603b5b6c239cd61
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Mon Oct 24 14:41:47 2011 -0400

    Apply libselinux patch to handle large groups in seusers.

 .gitignore            |    1 +
 libselinux-rhat.patch |  238 ++++++++++++++++++++++++++++++++++++-------------
 libselinux.spec       |   22 ++++-
 sources               |    2 +-
 4 files changed, 196 insertions(+), 67 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 936d759..52a6ebf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -187,3 +187,4 @@ libselinux-2.0.96.tgz
 /libselinux-2.1.0.tgz
 /libselinux-2.1.4.tgz
 /libselinux-2.1.5.tgz
+/libselinux-2.1.6.tgz
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index 77f745a..b3fbef9 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -1,3 +1,33 @@
+diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
+index d29b0c1..792e68e 100644
+--- a/libselinux/include/selinux/selinux.h
++++ b/libselinux/include/selinux/selinux.h
+@@ -500,6 +500,25 @@ extern const char *selinux_colors_path(void);
+ extern const char *selinux_netfilter_context_path(void);
+ extern const char *selinux_path(void);
+ 
++/**
++ * selinux_check_access - Check permissions and perform appropriate auditing.
++ * @scon: source security context
++ * @tcon: target security context
++ * @tclass: target security class string
++ * @perm: requested permissions string, interpreted based on @tclass
++ * @auditdata: auxiliary audit data
++ *
++ * Check the AVC to determine whether the @perm permissions are granted
++ * for the SID pair (@scon, @tcon), interpreting the permissions
++ * based on @tclass.
++ * Return %0 if all @perm permissions are granted, -%1 with 
++ * @errno set to %EACCES if any permissions are denied or to another 
++ * value upon other errors.
++ * If auditing or logging is configured the appropriate callbacks will be called
++ * and passed the auditdata field
++ */
++extern int selinux_check_access(const security_context_t scon, const security_context_t tcon, const char *tclass, const char *perm, void *auditdata);
++
+ /* Check a permission in the passwd class.
+    Return 0 if granted or -1 otherwise. */
+ extern int selinux_check_passwd_access(access_vector_t requested);
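Review bot: The new selinux_check_access() comment documents the -1/EACCES contract but not the case where no check happens at all: the implementation added by this same patch (checkAccess.c) returns 0 without consulting the AVC when is_selinux_enabled() reports 0, and returns -1 for a class or permission string it cannot map, so a caller that treats 0 as "granted" needs to know both. I would add to the kernel-doc block: ` * Returns 0 without checking when SELinux is disabled; an unrecognised @tclass or @perm string yields -1.` The phrase "SID pair (@scon, @tcon)" is also misleading, since the arguments are context strings that the function converts to SIDs itself, so `for the context pair (@scon, @tcon)` reads more accurately.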
 diff --git a/libselinux/man/man3/matchpathcon.3 b/libselinux/man/man3/matchpathcon.3
 index cdbb252..e2a4371 100644
 --- a/libselinux/man/man3/matchpathcon.3
@@ -20,6 +50,29 @@ index cdbb252..e2a4371 100644
  .sp
  .B matchpathcon_fini
  frees the memory allocated by a prior call to
+diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
+index f2d9f30..1e36952 100644
+--- a/libselinux/man/man3/security_compute_av.3
++++ b/libselinux/man/man3/security_compute_av.3
+@@ -24,6 +24,8 @@ the SELinux policy database in the kernel.
+ .BI "int security_get_initial_context(const char *" name ", security_context_t
+ "con );
+ .sp
++.BI "int selinux_check_access(const security_context_t " scon, " const security_context_t " tcon, " const char *" class, " const char *" perm, "void *" auditdata);
++.sp
+ .BI "int selinux_check_passwd_access(access_vector_t " requested );
+ .sp
+ .BI "int checkPasswdAccess(access_vector_t " requested );
+@@ -74,6 +76,9 @@ source context. It is mainly used by
+ is used to get the context of a kernel initial security identifier specified by 
+ .I name
+ 
++.B selinux_check_access
++is used to check if the source context has the access permission for the specified class on the target context.
++
+ .B selinux_check_passwd_access
+ is used to check for a permission in the
+ .I passwd
 diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
 index 8674e37..89bb4d3 100644
 --- a/libselinux/man/man3/selabel_open.3
@@ -43,6 +96,27 @@ index 8674e37..89bb4d3 100644
  .BR selinux_set_callback (3),
  .BR selinux (8)
 -
+diff --git a/libselinux/man/man3/selinux_check_access.3 b/libselinux/man/man3/selinux_check_access.3
+new file mode 100644
+index 0000000..a60bca4
+--- /dev/null
++++ b/libselinux/man/man3/selinux_check_access.3
+@@ -0,0 +1 @@
++.so man3/security_compute_av.3
+diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
+index 74591b4..e7ad31d 100644
+--- a/libselinux/src/avc.c
++++ b/libselinux/src/avc.c
+@@ -165,6 +165,9 @@ int avc_init(const char *prefix,
+ 	struct avc_node *new;
+ 	int i, rc = 0;
+ 
++	if (avc_running)
++		return 0;
++
+ 	if (prefix)
+ 		strncpy(avc_prefix, prefix, AVC_PREFIX_SIZE - 1);
+ 
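Review bot: The new `if (avc_running) return 0;` at the top of avc_init() makes a second initialisation report success while silently discarding that caller's prefix and callback arguments, which for a library entry point can hide a misconfigured log or lock callback; the remainder of avc_init() is outside this hunk, so I cannot see whether avc_running is ever cleared to make a later call meaningful. If the idempotent early return is intended (it looks like it exists so that selinux_check_access()'s internal avc_open(NULL, 0) never clobbers an application's own avc_open()), say so in a comment: `/* Already initialised: keep the first caller's prefix and callbacks; later arguments are ignored. */`. The unlocked read of avc_running here is also unsynchronised against a concurrent first initialiser, which presumably matches how the flag was already used before this change but is worth a mention next to the comment.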
 diff --git a/libselinux/src/callbacks.c b/libselinux/src/callbacks.c
 index b245364..7c47222 100644
 --- a/libselinux/src/callbacks.c
@@ -55,6 +129,51 @@ index b245364..7c47222 100644
  	va_start(ap, fmt);
  	rc = vfprintf(stderr, fmt, ap);
  	va_end(ap);
+diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
+index c1982c7..59c8abb 100644
+--- a/libselinux/src/checkAccess.c
++++ b/libselinux/src/checkAccess.c
+@@ -4,8 +4,40 @@
+ #include <errno.h>
+ #include "selinux_internal.h"
+ #include <selinux/flask.h>
++#include <selinux/avc.h>
+ #include <selinux/av_permissions.h>
+ 
++static pthread_once_t once = PTHREAD_ONCE_INIT;
++
++static void avc_init_once(void)
++{
++	avc_open(NULL, 0);
++}
++
++int selinux_check_access(const security_context_t scon, const security_context_t tcon, const char *class, const char *perm, void *aux) {
++	int status = -1;
++	int rc = -1;
++	security_id_t scon_id;
++	security_id_t tcon_id;
++	security_class_t sclass;
++	access_vector_t av;
++
++	if (is_selinux_enabled() == 0)
++		return 0;
++
++	__selinux_once(once, avc_init_once);
++
++	if ((rc = avc_context_to_sid(scon, &scon_id)) < 0)  return rc;
++
++	if ((rc = avc_context_to_sid(tcon, &tcon_id)) < 0)  return rc;
++
++	if ((sclass = string_to_security_class(class)) == 0) return status;
++
++	if ((av = string_to_av_perm(sclass, perm)) == 0) return status;
++
++	return avc_has_perm (scon_id, tcon_id, sclass, av, NULL, aux);
++}
++
+ int selinux_check_passwd_access(access_vector_t requested)
+ {
+ 	int status = -1;
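Review bot: avc_init_once() drops the return value of avc_open(NULL, 0), and because __selinux_once runs it exactly once a failed initialisation is never retried; selinux_check_access() then goes on to avc_context_to_sid()/avc_has_perm() against an AVC that was never opened and reports whatever those calls happen to return instead of the original error. Record the outcome (and its errno) in file-scope statics and fail the call when the one-time open failed. The two `return status;` paths for an unknown class or permission also return -1 without this function setting errno, while the header comment promises errno is set on every -1; unless string_to_security_class()/string_to_av_perm() guarantee that themselves (not visible here), set `errno = EINVAL;` before those returns. The rewritten lines follow.
```c
static pthread_once_t once = PTHREAD_ONCE_INIT;
static int avc_init_rc = 0;    /* result of the one-time avc_open() */
static int avc_init_errno = 0; /* errno from that attempt, for later callers */

static void avc_init_once(void)
{
	avc_init_rc = avc_open(NULL, 0);
	if (avc_init_rc < 0)
		avc_init_errno = errno;
}

/* … unchanged: selinux_check_access signature, locals, is_selinux_enabled() check … */
	__selinux_once(once, avc_init_once);
	if (avc_init_rc < 0) {
		errno = avc_init_errno;
		return -1;
	}
/* … unchanged: avc_context_to_sid() conversions … */
	if ((sclass = string_to_security_class(class)) == 0) {
		errno = EINVAL;
		return status;
	}
	if ((av = string_to_av_perm(sclass, perm)) == 0) {
		errno = EINVAL;
		return status;
	}
/* … unchanged: avc_has_perm() call … */
```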
 diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
 index 3b8346d..02f3f98 100644
 --- a/libselinux/src/label_file.c
@@ -164,8 +283,21 @@ index 3b8346d..02f3f98 100644
  				     pass, ++lineno) != 0)
  					goto finish;
  			}
+diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
+index 868660f..7fa6383 100644
+--- a/libselinux/src/load_policy.c
++++ b/libselinux/src/load_policy.c
+@@ -380,7 +380,7 @@ int selinux_init_load_policy(int *enforce)
+ 	}
+ 
+ 	if (! mntpoint ) {
+-		if (errno == ENODEV) {
++		if (errno == ENODEV || errno == ENOENT) {
+ 			/*
+ 			 * SELinux was disabled in the kernel, either
+ 			 * omitted entirely or disabled at boot via selinux=0.
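Review bot: Treating ENOENT like ENODEV widens the "SELinux was disabled in the kernel" path to cover a mount(2) failure caused by a missing target directory, so a SELinux-enabled kernel whose /selinux (or sysfs selinuxfs) mount point is absent from the root filesystem would apparently be handled as disabled rather than as an error; the body of that branch, and therefore what it actually does, lies past the end of this hunk, so I am hedging on the consequence. If the intent is the selinux=0 case the changelog describes, the comment above the branch should say why ENOENT is expected there and acknowledge the ambiguity, e.g. `* ENOENT means the mount point itself is missing; a missing directory on an enabled kernel is indistinguishable here.` The enclosing function selinux_init_load_policy() begins before this hunk.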
 diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
-index 9717b14..df83b30 100644
+index 5914afa..df83b30 100644
 --- a/libselinux/src/matchpathcon.c
 +++ b/libselinux/src/matchpathcon.c
 @@ -2,6 +2,7 @@
@@ -185,66 +317,48 @@ index 9717b14..df83b30 100644
  	va_end(ap);
  }
  
-@@ -353,7 +354,7 @@ static int symlink_realpath(const char *name, char *resolved_path)
- 
- 	tmp_path = strdup(name);
- 	if (!tmp_path) {
--		fprintf(stderr, "symlink_realpath(%s) strdup() failed: %s\n",
-+		myprintf("symlink_realpath(%s) strdup() failed: %s\n",
- 			name, strerror(errno));
- 		rc = -1;
- 		goto out;
-@@ -374,21 +375,24 @@ static int symlink_realpath(const char *name, char *resolved_path)
- 	}
- 
- 	if (!p) {
--		fprintf(stderr, "symlink_realpath(%s) realpath() failed: %s\n",
-+		myprintf("symlink_realpath(%s) realpath() failed: %s\n",
- 			name, strerror(errno));
- 		rc = -1;
- 		goto out;
- 	}
- 
- 	len = strlen(p);
--	if (len + strlen(last_component) + 1 > PATH_MAX) {
--		fprintf(stderr, "symlink_realpath(%s) failed: Filename too long \n",
-+	if (len + strlen(last_component) + 2 > PATH_MAX) {
-+		myprintf("symlink_realpath(%s) failed: Filename too long \n",
- 			name);
-+		errno=ENAMETOOLONG;
- 		rc = -1;
- 		goto out;
- 	}
+diff --git a/libselinux/src/seusers.c b/libselinux/src/seusers.c
+index fc75cb6..b653cad 100644
+--- a/libselinux/src/seusers.c
++++ b/libselinux/src/seusers.c
+@@ -5,6 +5,7 @@
+ #include <stdio.h>
+ #include <stdio_ext.h>
+ #include <ctype.h>
++#include <errno.h>
+ #include <selinux/selinux.h>
+ #include <selinux/context.h>
+ #include "selinux_internal.h"
+@@ -118,13 +119,26 @@ static int check_group(const char *group, const char *name, const gid_t gid) {
+ 	long rbuflen = sysconf(_SC_GETGR_R_SIZE_MAX);
+ 	if (rbuflen <= 0)
+ 		return 0;
+-	char *rbuf = malloc(rbuflen);
+-	if (rbuf == NULL)
+-		return 0;
++	char *rbuf;
  
- 	resolved_path += len;
-+	strcpy(resolved_path, "/");
-+	resolved_path += 1;
- 	strcpy(resolved_path, last_component);
- out:
- 	free(tmp_path);
-diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
-index 2fa21bc..5f0a4c2 100644
---- a/libselinux/utils/matchpathcon.c
-+++ b/libselinux/utils/matchpathcon.c
-@@ -45,7 +45,7 @@ int printmatchpathcon(char *path, int header, int mode)
- 
- int main(int argc, char **argv)
- {
--	int i, init = 0, rc = 0;
-+	int i, init = 0;
- 	int header = 1, opt;
- 	int verify = 0;
- 	int notrans = 0;
-diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
-index 868660f..7fa6383 100644
---- a/libselinux/src/load_policy.c
-+++ b/libselinux/src/load_policy.c
-@@ -380,7 +380,7 @@ int selinux_init_load_policy(int *enforce)
- 	}
+-	if (getgrnam_r(group, &gbuf, rbuf, rbuflen, 
+-		       &grent) != 0)
+-		goto done;
++	while(1) {
++		rbuf = malloc(rbuflen);
++		if (rbuf == NULL)
++			return 0;
++		int retval = getgrnam_r(group, &gbuf, rbuf, 
++				rbuflen, &grent);
++		if ( retval == ERANGE )
++		{
++			free(rbuf);
++			rbuflen = rbuflen * 2;
++		} else if ( retval != 0 || grent == NULL )
++		{
++			goto done;
++		} else
++		{
++			break;
++		}
++	}
  
- 	if (! mntpoint ) {
--		if (errno == ENODEV) {
-+		if (errno == ENODEV || errno == ENOENT) {
- 			/*
- 			 * SELinux was disabled in the kernel, either
- 			 * omitted entirely or disabled at boot via selinux=0.
+ 	if (getgrouplist(name, gid, NULL, &ng) < 0) {
+ 		groups = (gid_t *) malloc(sizeof (gid_t) * ng);
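Review bot: The ERANGE retry loop in check_group() doubles rbuflen with no upper bound, so a group with a very large member list (or an NSS backend that keeps answering ERANGE) drives repeated, ever-larger allocations, and `rbuflen = rbuflen * 2` on a `long` eventually overflows, which is signed-overflow UB, before malloc would refuse it. Guard the growth and give up after a sane ceiling, e.g. after `free(rbuf);` add `if (rbuflen > LONG_MAX / 2 || rbuflen > MAX_GR_BUF) return 0;` with a project-chosen MAX_GR_BUF (needs <limits.h>). On the `goto done` paths rbuf is still allocated; the `done:` label is outside this hunk, so I assume it frees rbuf as it did for the original single allocation, which is worth confirming now that the pointer is assigned inside a loop.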
diff --git a/libselinux.spec b/libselinux.spec
index e95f820..964cc3f 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -1,13 +1,13 @@
 %global with_python3 1
 
 %define ruby_sitearch %(ruby -rrbconfig -e "puts Config::CONFIG['sitearchdir']")
-%define libsepolver 2.1.0-1
+%define libsepolver 2.1.1-1
 %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
 
 Summary: SELinux library and simple utilities
 Name: libselinux
-Version: 2.1.5
-Release: 5.1%{?dist}
+Version: 2.1.6
+Release: 4%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 Source: %{name}-%{version}.tgz
@@ -231,9 +231,23 @@ rm -rf %{buildroot}
 %{ruby_sitearch}/selinux.so
 
 %changelog
-* Thu Sep 22 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.5-5.1
+* Mon Oct 24 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.6-4
+- Apply libselinux patch to handle large groups in seusers.
+
+* Wed Oct 19 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.6-3
+- Add selinux_check_access function. Needed for passwd, chfn, chsh
+
+* Thu Sep 22 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.6-2
 - Handle situation where selinux=0 passed to the kernel and both /selinux and 
 
+* Mon Sep 19 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.6-1
+-Update to upstream
+	* utils: matchpathcon: remove duplicate declaration
+	* src: matchpathcon: use myprintf not fprintf
+	* src: matchpathcon: make sure resolved path starts
+	* put libselinux.so.1 in /lib not /usr/lib
+	* tree: default make target to all not
+
 * Wed Sep 14 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.5-5
 - Switch to use ":" as prefix separator rather then ";"
 
diff --git a/sources b/sources
index e2bc444..e3724b3 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-e0da22061511b669c324bb2c96d2c668  libselinux-2.1.5.tgz
+94fa8daf439f79db14821d4ff7f68f98  libselinux-2.1.6.tgz

