[libsemanage] Cleanup handling of missing mls_range to fix problems with useradd -Z
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Oct 16 18:34:17 UTC 2013
commit ab84ace2a1f9ff8da6403f42d829a079c04f8f62
Author: Dan Walsh <dwalsh at redhat.com>
Date: Wed Oct 16 14:34:13 2013 -0400
Cleanup handling of missing mls_range to fix problems with useradd -Z
- Fix auditing of login record changes, roles were not working correctly.
Resolves: #952237
libsemanage-rhat.patch | 88 ++++++++++++++++--------------------------------
libsemanage.spec | 8 ++++-
2 files changed, 36 insertions(+), 60 deletions(-)
---
diff --git a/libsemanage-rhat.patch b/libsemanage-rhat.patch
index 9f6cf94..dd66fa0 100644
--- a/libsemanage-rhat.patch
+++ b/libsemanage-rhat.patch
@@ -198,62 +198,11 @@ index 57ef49f..4b040c3 100644
free(storepath);
return retval;
}
-diff --git a/libsemanage/src/seuser_record.c b/libsemanage/src/seuser_record.c
-index 8823b1e..cfcd039 100644
---- a/libsemanage/src/seuser_record.c
-+++ b/libsemanage/src/seuser_record.c
-@@ -140,19 +140,46 @@ const char *semanage_seuser_get_sename(const semanage_seuser_t * seuser)
-
- hidden_def(semanage_seuser_get_sename)
-
-+#include <semanage/user_record.h>
-+#include <semanage/users_policy.h>
-+#include <errno.h>
- int semanage_seuser_set_sename(semanage_handle_t * handle,
- semanage_seuser_t * seuser, const char *sename)
- {
-
-+ semanage_user_t *u = NULL;
-+ const char *mls_range = semanage_seuser_get_mlsrange(seuser);
- char *tmp_sename = strdup(sename);
-+ int rc;
- if (!tmp_sename) {
- ERR(handle,
- "out of memory, could not set seuser (SELinux) name");
- return STATUS_ERR;
- }
-+ /* Default MLS_range if not set to the "sename" user record mls range */
-+ if (!mls_range && semanage_mls_enabled(handle)) {
-+ semanage_user_key_t *key = NULL;
-+
-+ rc = semanage_user_key_create(handle, sename, &key);
-+ if (rc < 0)
-+ goto err;
-+
-+ rc = semanage_user_query(handle, key, &u);
-+ semanage_user_key_free(key);
-+ if (rc == STATUS_ERR)
-+ goto err;
-+ else if (rc == STATUS_SUCCESS) {
-+ mls_range = semanage_user_get_mlsrange(u);
-+ semanage_seuser_set_mlsrange(handle, seuser, mls_range);
-+ semanage_user_free(u);
-+ }
-+ }
- free(seuser->sename);
- seuser->sename = tmp_sename;
- return STATUS_SUCCESS;
-+err:
-+ free(tmp_sename);
-+ return rc;
- }
-
- hidden_def(semanage_seuser_set_sename)
diff --git a/libsemanage/src/seusers_local.c b/libsemanage/src/seusers_local.c
-index e7cf12c..c9a9ab2 100644
+index e7cf12c..f379211 100644
--- a/libsemanage/src/seusers_local.c
+++ b/libsemanage/src/seusers_local.c
-@@ -8,27 +8,156 @@ typedef struct semanage_seuser record_t;
+@@ -8,27 +8,177 @@ typedef struct semanage_seuser record_t;
#include <sepol/policydb.h>
#include <sepol/context.h>
@@ -289,7 +238,7 @@ index e7cf12c..c9a9ab2 100644
+ strcpy(roles,roles_arr[0]);
+ for (i = 1; i<num_roles; i++) {
+ strcat(roles,",");
-+ strcat(roles,roles_arr[0]);
++ strcat(roles,roles_arr[i]);
+ }
+ }
+ }
@@ -376,23 +325,44 @@ index e7cf12c..c9a9ab2 100644
+ const char *sename = semanage_seuser_get_sename(data);
+ const char *mls_range = semanage_seuser_get_mlsrange(data);
+ semanage_seuser_t *previous = NULL;
++ semanage_seuser_t *new = NULL;
++
+ if (!sename) {
+ errno=EINVAL;
+ return -1;
+ }
++ if (semanage_seuser_clone(handle, data, &new) < 0) {
++ goto err;
++ }
++
+ if (!mls_range && semanage_mls_enabled(handle)) {
-+ errno=EINVAL;
-+ return -1;
++ semanage_user_key_t *ukey = NULL;
++ semanage_user_t *u = NULL;
++ rc = semanage_user_key_create(handle, sename, &ukey);
++ if (rc < 0)
++ goto err;
++
++ rc = semanage_user_query(handle, ukey, &u);
++ semanage_user_key_free(ukey);
++ if (rc >= 0 ) {
++ mls_range = semanage_user_get_mlsrange(u);
++ rc = semanage_seuser_set_mlsrange(handle, new, mls_range);
++ semanage_user_free(u);
++ }
++ if (rc < 0)
++ goto err;
+ }
+
+ handle->msg_callback = NULL;
-+ semanage_seuser_query(handle, key, &previous);
++ (void) semanage_seuser_query(handle, key, &previous);
+ handle->msg_callback = callback;
-+ rc = dbase_modify(handle, dconfig, key, data);
-+ if (semanage_seuser_audit(handle, data, previous, AUDIT_ROLE_ASSIGN, rc == 0) < 0)
++ rc = dbase_modify(handle, dconfig, key, new);
++ if (semanage_seuser_audit(handle, new, previous, AUDIT_ROLE_ASSIGN, rc == 0) < 0)
+ rc = -1;
++err:
+ if (previous)
+ semanage_seuser_free(previous);
++ semanage_seuser_free(new);
+ return rc;
}
diff --git a/libsemanage.spec b/libsemanage.spec
index 4ed2867..6162e54 100644
--- a/libsemanage.spec
+++ b/libsemanage.spec
@@ -7,7 +7,7 @@
Summary: SELinux binary policy manipulation library
Name: libsemanage
Version: 2.1.10
-Release: 13%{?dist}
+Release: 14%{?dist}
License: LGPLv2+
Group: System Environment/Libraries
Source: libsemanage-%{version}.tgz
@@ -179,8 +179,14 @@ rm -rf ${RPM_BUILD_ROOT}
%endif # if with_python3
%changelog
+* Wed Oct 16 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.10-14
+- Cleanup handling of missing mls_range to fix problems with useradd -Z
+- Fix auditing of login record changes, roles were not working correctly.
+Resolves: #952237
+
* Fri Oct 4 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.10-13
- Fix errors found by coverity
+Resolves: #952237
* Wed Sep 25 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.10-12
- Do not fail on missing SELinux User Record when adding login record
More information about the scm-commits
mailing list