[libselinux] Cleanup setfcontext_compile atomic patch
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Mar 8 17:23:39 UTC 2013
commit cc9c7ddcf72ffd4df8c208e1dbd647cc769b81e8
Author: Dan Walsh <dwalsh at redhat.com>
Date: Fri Mar 8 12:23:30 2013 -0500
Cleanup setfcontext_compile atomic patch
- Add matchpathcon -P /etc/selinux/mls support by allowing users to set alternate root
- Make sure we set exit codes from selinux_label calls to ENOENT or SUCCESS
libselinux-rhat.patch | 301 ++++++++++++++++++++++++++++++++++++++++++-------
libselinux.spec | 7 +-
2 files changed, 265 insertions(+), 43 deletions(-)
---
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index 016cf1a..34b06c8 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -1,5 +1,5 @@
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
-index a4079aa..80ba628 100644
+index a4079aa..0b122af 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -177,6 +177,7 @@ extern void selinux_set_callback(int type, union selinux_callback cb);
@@ -10,8 +10,16 @@ index a4079aa..80ba628 100644
/* Compute an access decision. */
extern int security_compute_av(const security_context_t scon,
-@@ -498,6 +499,7 @@ extern const char *selinux_policy_root(void);
+@@ -496,8 +497,15 @@ extern int selinux_getpolicytype(char **policytype);
+ */
+ extern const char *selinux_policy_root(void);
++/*
++ selinux_set_policy_root sets an alternate policy root directory path under
++ which the compiled policy file and context configuration files exist.
++ */
++extern int selinux_set_policy_root(const char *rootpath);
++
/* These functions return the paths to specific files under the
policy root directory. */
+extern const char *selinux_current_policy_path(void);
@@ -72,6 +80,77 @@ index 0000000..175a611
+++ b/libselinux/man/man3/selinux_current_policy_path.3
@@ -0,0 +1 @@
+.so man3/selinux_binary_policy_path.3
+diff --git a/libselinux/man/man3/selinux_policy_root.3 b/libselinux/man/man3/selinux_policy_root.3
+index a6ccf86..63dc901 100644
+--- a/libselinux/man/man3/selinux_policy_root.3
++++ b/libselinux/man/man3/selinux_policy_root.3
+@@ -1,21 +1,34 @@
+ .TH "selinux_policy_root" "3" "25 May 2004" "dwalsh at redhat.com" "SELinux API documentation"
+ .SH "NAME"
+ selinux_policy_root \- return the path of the SELinux policy files for this machine
++selinux_set_policy_root \- Set an alternate SELinux root path for the SELinux policy files for this machine.
+ .
+ .SH "SYNOPSIS"
+ .B #include <selinux/selinux.h>
+ .sp
+ .B const char *selinux_policy_root(void);
+ .
++.sp
++.B int selinux_set_policy_root(const char *policypath);
++.
+ .SH "DESCRIPTION"
+ .BR selinux_policy_root ()
+ reads the contents of the
+ .I /etc/selinux/config
+ file to determine which policy files should be used for this machine.
+ .
++.BR selinux_set_policy_root ()
++sets up all all policy paths based on the alternate root
++
++.I /etc/selinux/config
++file to determine which policy files should be used for this machine.
++.
+ .SH "RETURN VALUE"
+-On success, returns a directory path containing the SELinux policy files.
+-On failure, NULL is returned.
++On success, selinux_policy_root returns a directory path containing the SELinux policy files.
++On failure, selinux_policy_root returns NULL.
++
++On success, selinux_set_policy_root returns 0 on success -1 on failure.
++
+ .
+ .SH "SEE ALSO"
+ .BR selinux "(8)"
+diff --git a/libselinux/man/man3/selinux_set_policy_root.3 b/libselinux/man/man3/selinux_set_policy_root.3
+new file mode 100644
+index 0000000..8077658
+--- /dev/null
++++ b/libselinux/man/man3/selinux_set_policy_root.3
+@@ -0,0 +1 @@
++.so man3/selinux_policy_root.3
+diff --git a/libselinux/man/man8/matchpathcon.8 b/libselinux/man/man8/matchpathcon.8
+index 368991f..5d60789 100644
+--- a/libselinux/man/man8/matchpathcon.8
++++ b/libselinux/man/man8/matchpathcon.8
+@@ -13,6 +13,8 @@ matchpathcon \- get the default SELinux security context for the specified path
+ .IR file_contexts_file ]
+ .RB [ \-p
+ .IR prefix ]
++.RB [ \-P
++.IR policy_root_path ]
+ .I filepath...
+ .
+ .SH "DESCRIPTION"
+@@ -46,6 +48,9 @@ Use alternate file_context file
+ .BI \-p " prefix"
+ Use prefix to speed translations
+ .TP
++.BI \-P " policy_root_path"
++Use alternate policy root path
++.TP
+ .B \-V
+ Verify file context on disk matches defaults
+ .
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
index a328866..50868e4 100644
--- a/libselinux/man/man8/selinux.8
@@ -389,6 +468,27 @@ index b9e8002..355730a 100644
}
hidden_def(get_ordered_context_list)
+diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
+index 5f697f3..9b0d6b0 100644
+--- a/libselinux/src/label_file.c
++++ b/libselinux/src/label_file.c
+@@ -649,6 +649,8 @@ static struct selabel_lookup_rec *lookup(struct selabel_handle *rec,
+ break;
+ } else if (rc == PCRE_ERROR_NOMATCH)
+ continue;
++
++ errno = ENOENT;
+ /* else it's an error */
+ goto finish;
+ }
+@@ -660,6 +662,7 @@ static struct selabel_lookup_rec *lookup(struct selabel_handle *rec,
+ goto finish;
+ }
+
++ errno = 0;
+ ret = &spec_arr[i].lr;
+
+ finish:
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 2d7369e..2a00807 100644
--- a/libselinux/src/matchpathcon.c
@@ -423,18 +523,71 @@ index 6c5b45a..0a0dd3e 100644
return 0;
}
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
-index 296f357..4913c55 100644
+index 296f357..0040524 100644
--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
-@@ -8,6 +8,7 @@
+@@ -8,6 +8,8 @@
#include <limits.h>
#include <unistd.h>
#include <pthread.h>
++#include <errno.h>
+#include "policy.h"
#include "selinux_internal.h"
#include "get_default_type_internal.h"
-@@ -303,6 +304,29 @@ const char *selinux_binary_policy_path(void)
+@@ -138,6 +140,13 @@ int selinux_getpolicytype(char **type)
+
+ hidden_def(selinux_getpolicytype)
+
++static int setpolicytype(const char *type)
++{
++ free(selinux_policytype);
++ selinux_policytype = strdup(type);
++ return selinux_policytype ? 0 : -1;
++}
++
+ static char *selinux_policyroot = NULL;
+ static const char *selinux_rootpath = SELINUXDIR;
+
+@@ -261,6 +270,37 @@ const char *selinux_policy_root(void)
+ return selinux_policyroot;
+ }
+
++int selinux_set_policy_root(const char *path)
++{
++ int i;
++ char *policy_type = strchr(selinux_policyroot, '/');
++ if (!policy_type) {
++ errno = EINVAL;
++ return -1;
++ }
++ policy_type++;
++
++ fini_selinuxmnt();
++ fini_selinux_policyroot();
++
++ selinux_policyroot = strdup(path);
++ if (! selinux_policyroot)
++ return -1;
++
++ if (setpolicytype(policy_type) != 0)
++ return -1;
++
++ for (i = 0; i < NEL; i++)
++ if (asprintf(&file_paths[i], "%s%s",
++ selinux_policyroot,
++ file_path_suffixes_data.str +
++ file_path_suffixes_idx[i])
++ == -1)
++ return -1;
++
++ return 0;
++}
++
+ const char *selinux_path(void)
+ {
+ return selinux_rootpath;
+@@ -303,6 +343,31 @@ const char *selinux_binary_policy_path(void)
hidden_def(selinux_binary_policy_path)
@@ -444,18 +597,20 @@ index 296f357..4913c55 100644
+ int vers = 0;
+ static char policy_path[PATH_MAX];
+
-+ snprintf(policy_path, sizeof(policy_path), "%s/policy", selinux_mnt);
-+ if (access(policy_path, F_OK) != 0 ) {
-+ vers = security_policyvers();
-+ do {
-+ /* Check prior versions to see if old policy is available */
-+ snprintf(policy_path, sizeof(policy_path), "%s.%d",
-+ selinux_binary_policy_path(), vers);
-+ } while ((rc = access(policy_path, F_OK)) && --vers > 0);
-+
-+ if (rc) return NULL;
++ if (selinux_mnt) {
++ snprintf(policy_path, sizeof(policy_path), "%s/policy", selinux_mnt);
++ if (access(policy_path, F_OK) == 0 ) {
++ return policy_path;
++ }
+ }
-+
++ vers = security_policyvers();
++ do {
++ /* Check prior versions to see if old policy is available */
++ snprintf(policy_path, sizeof(policy_path), "%s.%d",
++ selinux_binary_policy_path(), vers);
++ } while ((rc = access(policy_path, F_OK)) && --vers > 0);
++
++ if (rc) return NULL;
+ return policy_path;
+}
+
@@ -489,50 +644,112 @@ index a801ee8..b3bdca2 100644
#define RAW_TO_TRANS_CONTEXT 2
#define TRANS_TO_RAW_CONTEXT 3
+diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
+index dd5aaa3..9d3ff3a 100644
+--- a/libselinux/utils/matchpathcon.c
++++ b/libselinux/utils/matchpathcon.c
+@@ -12,11 +12,10 @@
+ #include <limits.h>
+ #include <stdlib.h>
+
+-
+ static void usage(const char *progname)
+ {
+ fprintf(stderr,
+- "usage: %s [-N] [-n] [-f file_contexts] [-p prefix] [-Vq] path...\n",
++ "usage: %s [-N] [-n] [-f file_contexts] [ -P policy_root_path ] [-p prefix] [-Vq] path...\n",
+ progname);
+ exit(1);
+ }
+@@ -78,7 +77,7 @@ int main(int argc, char **argv)
+ if (argc < 2)
+ usage(argv[0]);
+
+- while ((opt = getopt(argc, argv, "m:Nnf:p:Vq")) > 0) {
++ while ((opt = getopt(argc, argv, "m:Nnf:P:p:Vq")) > 0) {
+ switch (opt) {
+ case 'n':
+ header = 0;
+@@ -113,6 +112,15 @@ int main(int argc, char **argv)
+ exit(1);
+ }
+ break;
++ case 'P':
++ if (selinux_set_policy_root(optarg) < 0 ) {
++ fprintf(stderr,
++ "Error setting policy root %s: %s\n",
++ optarg,
++ errno ? strerror(errno) : "invalid");
++ exit(1);
++ }
++ break;
+ case 'p':
+ if (init) {
+ fprintf(stderr,
diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c
-index 6f79dd6..eb88ea8 100644
+index 6f79dd6..e019a07 100644
--- a/libselinux/utils/sefcontext_compile.c
+++ b/libselinux/utils/sefcontext_compile.c
-@@ -6,6 +6,7 @@
- #include <string.h>
-
- #include <linux/limits.h>
-+#include <libgen.h>
-
- #include "../src/label_file.h"
+@@ -145,7 +145,7 @@ static int process_file(struct saved_data *data, const char *filename)
+ * u32 - data length of the pcre regex study daya
+ * char - a buffer holding the raw pcre regex study data
+ */
+-static int write_binary_file(struct saved_data *data, char *filename)
++static int write_binary_file(struct saved_data *data, int fd)
+ {
+ struct spec *specs = data->spec_arr;
+ FILE *bin_file;
+@@ -155,7 +155,7 @@ static int write_binary_file(struct saved_data *data, char *filename)
+ uint32_t i;
+ int rc;
-@@ -321,7 +322,8 @@ int main(int argc, char *argv[])
+- bin_file = fopen(filename, "w");
++ bin_file = fdopen(fd, "w");
+ if (!bin_file) {
+ perror("fopen output_file");
+ exit(EXIT_FAILURE);
+@@ -321,7 +321,9 @@ int main(int argc, char *argv[])
const char *path;
char stack_path[PATH_MAX + 1];
int rc;
-
-+ char *tmp, *tmppath;
++ char *tmp= NULL;
++ int fd;
+
if (argc != 2) {
fprintf(stderr, "usage: %s input_file\n", argv[0]);
exit(EXIT_FAILURE);
-@@ -342,10 +344,21 @@ int main(int argc, char *argv[])
+@@ -342,13 +344,29 @@ int main(int argc, char *argv[])
rc = snprintf(stack_path, sizeof(stack_path), "%s.bin", path);
if (rc < 0 || rc >= sizeof(stack_path))
return rc;
- rc = write_binary_file(&data, stack_path);
-- if (rc < 0)
++
++ if (asprintf(&tmp, "%sXXXXXX", stack_path) < 0)
++ return -1;
++
++ fd = mkstemp(tmp);
++ if (fd < 0)
++ goto err;
++
++ rc = write_binary_file(&data, fd);
++
+ if (rc < 0)
- return rc;
++ goto err;
-+ tmppath = strdup(stack_path);
-+ if (!tmppath)
-+ return -1;
-+ tmp = tempnam(dirname(tmppath), ".bin");
-+ free(tmppath);
-+ if (!tmp)
-+ return -1;
-+ rc = write_binary_file(&data, tmp);
-+ if (rc < 0) {
-+ free(tmp);
-+ return rc;
-+ }
+ rename(tmp, stack_path);
-+ free(tmp);
rc = free_specs(&data);
if (rc < 0)
- return rc;
+- return rc;
++ goto err;
+
+- return 0;
++ rc = 0;
++out:
++ free(tmp);
++ return rc;
++err:
++ rc = -1;
++ goto out;
+ }
diff --git a/libselinux.spec b/libselinux.spec
index 176a4ea..bf190bd 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -10,7 +10,7 @@
Summary: SELinux library and simple utilities
Name: libselinux
Version: 2.1.13
-Release: 8%{?dist}
+Release: 9%{?dist}
License: Public Domain
Group: System Environment/Libraries
Source: %{name}-%{version}.tgz
@@ -241,6 +241,11 @@ rm -rf %{buildroot}
%{ruby_sitearch}/selinux.so
%changelog
+* Wed Mar 6 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.13-9
+- Cleanup setfcontext_compile atomic patch
+- Add matchpathcon -P /etc/selinux/mls support by allowing users to set alternate root
+- Make sure we set exit codes from selinux_label calls to ENOENT or SUCCESS
+
* Wed Mar 6 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.13-8
- Make setfcontext_compile atomic
More information about the scm-commits
mailing list