[libsemanage] Cleanup handling of missing mls_range to fix problems with useradd -Z

Daniel J Walsh dwalsh at fedoraproject.org
Wed Oct 16 18:34:17 UTC 2013


commit ab84ace2a1f9ff8da6403f42d829a079c04f8f62
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Wed Oct 16 14:34:13 2013 -0400

    Cleanup handling of missing mls_range to fix problems with useradd -Z
    
    - Fix auditing of login record changes, roles were not working correctly.
    Resolves: #952237

 libsemanage-rhat.patch |   88 ++++++++++++++++--------------------------------
 libsemanage.spec       |    8 ++++-
 2 files changed, 36 insertions(+), 60 deletions(-)
---
diff --git a/libsemanage-rhat.patch b/libsemanage-rhat.patch
index 9f6cf94..dd66fa0 100644
--- a/libsemanage-rhat.patch
+++ b/libsemanage-rhat.patch
@@ -198,62 +198,11 @@ index 57ef49f..4b040c3 100644
  	free(storepath);
  	return retval;
  }
-diff --git a/libsemanage/src/seuser_record.c b/libsemanage/src/seuser_record.c
-index 8823b1e..cfcd039 100644
---- a/libsemanage/src/seuser_record.c
-+++ b/libsemanage/src/seuser_record.c
-@@ -140,19 +140,46 @@ const char *semanage_seuser_get_sename(const semanage_seuser_t * seuser)
- 
- hidden_def(semanage_seuser_get_sename)
- 
-+#include <semanage/user_record.h>
-+#include <semanage/users_policy.h>
-+#include <errno.h>
- int semanage_seuser_set_sename(semanage_handle_t * handle,
- 			       semanage_seuser_t * seuser, const char *sename)
- {
- 
-+	semanage_user_t *u = NULL;
-+	const char *mls_range = semanage_seuser_get_mlsrange(seuser);
- 	char *tmp_sename = strdup(sename);
-+	int rc;
- 	if (!tmp_sename) {
- 		ERR(handle,
- 		    "out of memory, could not set seuser (SELinux) name");
- 		return STATUS_ERR;
- 	}
-+	/* Default MLS_range if not set to the "sename" user record mls range */
-+	if (!mls_range && semanage_mls_enabled(handle)) {
-+		semanage_user_key_t *key = NULL;
-+		
-+		rc = semanage_user_key_create(handle, sename, &key);
-+		if (rc < 0)
-+			goto err;
-+
-+		rc = semanage_user_query(handle, key, &u);
-+		semanage_user_key_free(key);
-+		if (rc == STATUS_ERR)
-+			goto err;
-+		else if (rc == STATUS_SUCCESS) {
-+			mls_range = semanage_user_get_mlsrange(u);
-+			semanage_seuser_set_mlsrange(handle, seuser, mls_range);
-+			semanage_user_free(u);
-+		}
-+	}
- 	free(seuser->sename);
- 	seuser->sename = tmp_sename;
- 	return STATUS_SUCCESS;
-+err:
-+	free(tmp_sename);
-+	return rc;
- }
- 
- hidden_def(semanage_seuser_set_sename)
 diff --git a/libsemanage/src/seusers_local.c b/libsemanage/src/seusers_local.c
-index e7cf12c..c9a9ab2 100644
+index e7cf12c..f379211 100644
 --- a/libsemanage/src/seusers_local.c
 +++ b/libsemanage/src/seusers_local.c
-@@ -8,27 +8,156 @@ typedef struct semanage_seuser record_t;
+@@ -8,27 +8,177 @@ typedef struct semanage_seuser record_t;
  
  #include <sepol/policydb.h>
  #include <sepol/context.h>
@@ -289,7 +238,7 @@ index e7cf12c..c9a9ab2 100644
 +					strcpy(roles,roles_arr[0]);
 +					for (i = 1; i<num_roles; i++) {
 +						strcat(roles,",");
-+						strcat(roles,roles_arr[0]);
++						strcat(roles,roles_arr[i]);
 +					}
 +				}
 +			}
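Review bot: The corrected `strcat(roles,roles_arr[i]);` now appends roles of differing lengths, so the size of `roles` must have been computed from every `roles_arr[i]` plus `num_roles - 1` separators and the terminator; that allocation is outside this hunk and cannot be confirmed here. If its size was derived the same way the old loop built the string (from `roles_arr[0]` only), the lengths happened to match before and this fix would turn a wrong-value bug into a heap overflow through the unbounded `strcpy`/`strcat`. Worth checking the allocation in the same function, or replacing the pair with a bounded `snprintf` into the remaining space. The enclosing function starts and ends outside the hunk.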
@@ -376,23 +325,44 @@ index e7cf12c..c9a9ab2 100644
 +	const char *sename = semanage_seuser_get_sename(data);
 +	const char *mls_range = semanage_seuser_get_mlsrange(data);
 +	semanage_seuser_t *previous = NULL;
++	semanage_seuser_t *new = NULL;
++
 +	if (!sename) {
 +		errno=EINVAL;
 +		return -1;
 +	}
++	if (semanage_seuser_clone(handle, data, &new) < 0) {
++		goto err;
++	}
++		
 +	if (!mls_range && semanage_mls_enabled(handle)) {
-+		errno=EINVAL;
-+		return -1;
++		semanage_user_key_t *ukey = NULL;
++		semanage_user_t *u = NULL;
++		rc = semanage_user_key_create(handle, sename, &ukey);
++		if (rc < 0)
++			goto err;
++
++		rc = semanage_user_query(handle, ukey, &u);
++		semanage_user_key_free(ukey);
++		if (rc >= 0 ) {
++			mls_range = semanage_user_get_mlsrange(u);
++			rc = semanage_seuser_set_mlsrange(handle, new, mls_range);
++			semanage_user_free(u);
++		}
++		if (rc < 0)
++			goto err;
 +	}
 +
 +	handle->msg_callback = NULL;
-+	semanage_seuser_query(handle, key, &previous);
++	(void) semanage_seuser_query(handle, key, &previous);
 +	handle->msg_callback = callback;
-+	rc = dbase_modify(handle, dconfig, key, data);
-+	if (semanage_seuser_audit(handle, data, previous, AUDIT_ROLE_ASSIGN, rc == 0) < 0) 
++	rc = dbase_modify(handle, dconfig, key, new);
++	if (semanage_seuser_audit(handle, new, previous, AUDIT_ROLE_ASSIGN, rc == 0) < 0) 
 +		rc = -1;
++err:
 +	if (previous)
 +		semanage_seuser_free(previous);
++	semanage_seuser_free(new);
 +	return rc;
  }
  
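Review bot: The clone failure path `if (semanage_seuser_clone(handle, data, &new) < 0) { goto err; }` jumps to `err:` without assigning `rc`, so the function returns whatever `rc` held before the hunk (its declaration and the function's start are outside the hunk); if that is 0 the caller is told the modification succeeded although nothing was written. The user lookup branch also accepts any non-negative status: if `semanage_user_query` reports a missing record with a non-negative status and leaves `u` NULL, as the separate `STATUS_ERR`/`STATUS_SUCCESS` handling in the seuser_record.c code removed earlier in this diff suggests it can, then `semanage_user_get_mlsrange(u)` dereferences NULL in exactly the no-user-record case this commit is meant to handle. Assign the clone result to `rc` and gate the range copy on a found record, as below.
```c
	/* … unchanged: sename NULL check … */
	rc = semanage_seuser_clone(handle, data, &new);
	if (rc < 0)
		goto err;

	if (!mls_range && semanage_mls_enabled(handle)) {
		/* … unchanged: user key creation … */
		rc = semanage_user_query(handle, ukey, &u);
		semanage_user_key_free(ukey);
		/* a missing record leaves u NULL: only read the range from a found one */
		if (rc == STATUS_SUCCESS && u) {
			mls_range = semanage_user_get_mlsrange(u);
			rc = semanage_seuser_set_mlsrange(handle, new, mls_range);
			semanage_user_free(u);
		}
		if (rc < 0)
			goto err;
	}
	/* … unchanged: previous lookup, dbase_modify, audit, err: cleanup … */
```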
diff --git a/libsemanage.spec b/libsemanage.spec
index 4ed2867..6162e54 100644
--- a/libsemanage.spec
+++ b/libsemanage.spec
@@ -7,7 +7,7 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsemanage
 Version: 2.1.10
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 Source: libsemanage-%{version}.tgz
@@ -179,8 +179,14 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif # if with_python3
 
 %changelog
+* Wed Oct 16 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.10-14
+- Cleanup handling of missing mls_range to fix problems with useradd -Z
+- Fix auditing of login record changes, roles were not working correctly.
+Resolves: #952237
+
 * Fri Oct 4 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.10-13
 - Fix errors found by coverity
+Resolves: #952237
 
 * Wed Sep 25 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.10-12
 - Do not fail on missing SELinux User Record when adding login record

