[libsemanage/f20] Cleanup handling of missing mls_range to fix problems with useradd -Z
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 17 12:25:21 UTC 2013
commit 1f5f72b016c710283e56f5ae7d18b96ffcd71ce4
Author: Dan Walsh <dwalsh at redhat.com>
Date: Thu Oct 17 08:25:13 2013 -0400
Cleanup handling of missing mls_range to fix problems with useradd -Z
- Fix auditing of login record changes, roles were not working correctly.
Resolves: #952237
libsemanage-rhat.patch | 121 +++++++++++++++++++----------------------------
libsemanage.spec | 11 ++++-
2 files changed, 59 insertions(+), 73 deletions(-)
---
diff --git a/libsemanage-rhat.patch b/libsemanage-rhat.patch
index 7f50fdc..dd66fa0 100644
--- a/libsemanage-rhat.patch
+++ b/libsemanage-rhat.patch
@@ -198,62 +198,11 @@ index 57ef49f..4b040c3 100644
free(storepath);
return retval;
}
-diff --git a/libsemanage/src/seuser_record.c b/libsemanage/src/seuser_record.c
-index 8823b1e..cfcd039 100644
---- a/libsemanage/src/seuser_record.c
-+++ b/libsemanage/src/seuser_record.c
-@@ -140,19 +140,46 @@ const char *semanage_seuser_get_sename(const semanage_seuser_t * seuser)
-
- hidden_def(semanage_seuser_get_sename)
-
-+#include <semanage/user_record.h>
-+#include <semanage/users_policy.h>
-+#include <errno.h>
- int semanage_seuser_set_sename(semanage_handle_t * handle,
- semanage_seuser_t * seuser, const char *sename)
- {
-
-+ semanage_user_t *u = NULL;
-+ const char *mls_range = semanage_seuser_get_mlsrange(seuser);
- char *tmp_sename = strdup(sename);
-+ int rc;
- if (!tmp_sename) {
- ERR(handle,
- "out of memory, could not set seuser (SELinux) name");
- return STATUS_ERR;
- }
-+ /* Default MLS_range if not set to the "sename" user record mls range */
-+ if (!mls_range && semanage_mls_enabled(handle)) {
-+ semanage_user_key_t *key = NULL;
-+
-+ rc = semanage_user_key_create(handle, sename, &key);
-+ if (rc < 0)
-+ goto err;
-+
-+ rc = semanage_user_query(handle, key, &u);
-+ semanage_user_key_free(key);
-+ if (rc == STATUS_ERR)
-+ goto err;
-+ else if (rc == STATUS_SUCCESS) {
-+ mls_range = semanage_user_get_mlsrange(u);
-+ semanage_seuser_set_mlsrange(handle, seuser, mls_range);
-+ semanage_user_free(u);
-+ }
-+ }
- free(seuser->sename);
- seuser->sename = tmp_sename;
- return STATUS_SUCCESS;
-+err:
-+ free(tmp_sename);
-+ return rc;
- }
-
- hidden_def(semanage_seuser_set_sename)
diff --git a/libsemanage/src/seusers_local.c b/libsemanage/src/seusers_local.c
-index e7cf12c..c77be73 100644
+index e7cf12c..f379211 100644
--- a/libsemanage/src/seusers_local.c
+++ b/libsemanage/src/seusers_local.c
-@@ -8,27 +8,149 @@ typedef struct semanage_seuser record_t;
+@@ -8,27 +8,177 @@ typedef struct semanage_seuser record_t;
#include <sepol/policydb.h>
#include <sepol/context.h>
@@ -289,7 +238,7 @@ index e7cf12c..c77be73 100644
+ strcpy(roles,roles_arr[0]);
+ for (i = 1; i<num_roles; i++) {
+ strcat(roles,",");
-+ strcat(roles,roles_arr[0]);
++ strcat(roles,roles_arr[i]);
+ }
+ }
+ }
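Review bot: The corrected `strcat(roles,roles_arr[i])` appends every role, so the total written to `roles` is now the sum of all role-name lengths plus the separators; the allocation of `roles` sits above the hunk, so confirm it was sized from that same sum rather than from `roles_arr[0]`, because `strcpy`/`strcat` here do not bound the write. If the size was computed in a loop over all entries this is fine; otherwise computing the `strlen` total before the first `strcpy`, or appending with `snprintf` into the remaining space, keeps the copy inside the buffer. The enclosing function begins and ends outside this hunk.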
@@ -314,8 +263,8 @@ index e7cf12c..c77be73 100644
+ char *proles = NULL;
+ char msg[1024];
+ const char *sep = "-";
-+
-+ strcpy(msg,"login");
++ int rc = -1;
++ strcpy(msg, "login");
+ if (seuser) {
+ name = semanage_seuser_get_name(seuser);
+ sename = semanage_seuser_get_sename(seuser);
@@ -328,17 +277,19 @@ index e7cf12c..c77be73 100644
+ proles = semanage_user_roles(handle, psename);
+ }
+ if (audit_type != AUDIT_ROLE_REMOVE) {
-+ if (!psename || strcmp(psename, sename) != 0) {
-+ sprintf(msg,"%s%s%s",msg, sep,"sename");
++ if (sename && (!psename || strcmp(psename, sename) != 0)) {
++ strcat(msg,sep);
++ strcat(msg,"sename");
+ sep = ",";
+ }
-+ if (!proles || strcmp(proles, roles) != 0) {
-+ sprintf(msg,"%s%s%s",msg, sep,"role");
++ if (roles && (!proles || strcmp(proles, roles) != 0)) {
++ strcat(msg,sep);
++ strcat(msg,"role");
+ sep = ",";
+ }
-+ if (!pmls || strcmp(pmls, mls) != 0) {
-+ sprintf(msg,"%s%s%s",msg, sep,"range");
-+ sep = ",";
++ if (mls && (!pmls || strcmp(pmls, mls) != 0)) {
++ strcat(msg,sep);
++ strcat(msg,"range");
+ }
+ }
+
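Review bot: The meaning of `msg` — a token that starts as `login` and gains `-sename`, `,role`, `,range` for each field that differs from `previous` — has to be reverse-engineered from the `sep` juggling, and the replacement of the self-referencing `sprintf(msg, "%s...", msg, ...)` with `strcat` (a real fix, since overlapping source and destination is undefined) makes this the right moment to say so. Suggest a comment above the first `if (sename && ...)` line: `/* msg names the fields that changed: login[-sename][,role][,range] */`. The writes are short literals into the 1024-byte `msg`, so no bound check is needed here. The enclosing function starts above this hunk.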
@@ -346,15 +297,20 @@ index e7cf12c..c77be73 100644
+ if (fd < 0)
+ {
+ /* If kernel doesn't support audit, bail out */
-+ if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)
-+ return 0;
-+ return fd;
++ if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT) {
++ rc = 0;
++ goto err;
++ }
++ rc = fd;
++ goto err;
+ }
+ audit_log_semanage_message(fd, audit_type, NULL, msg, name, 0, sename, roles, mls, psename, proles, pmls, NULL, NULL,NULL, success);
++ rc = 0;
++err:
+ audit_close(fd);
+ free(roles);
+ free(proles);
-+ return 0;
++ return rc;
+}
int semanage_seuser_modify_local(semanage_handle_t * handle,
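Review bot: On both `fd < 0` paths the new `goto err` now reaches `audit_close(fd)` with a negative descriptor; libaudit's audit_close is, as far as I recall, a no-op for negative fds, but the intent is clearer and independent of that detail with `if (fd >= 0) audit_close(fd);`. Moving `free(roles)` and `free(proles)` behind the label does close the leak the old early `return` statements had on the no-audit and open-failure paths. The enclosing function starts above this hunk.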
@@ -369,23 +325,44 @@ index e7cf12c..c77be73 100644
+ const char *sename = semanage_seuser_get_sename(data);
+ const char *mls_range = semanage_seuser_get_mlsrange(data);
+ semanage_seuser_t *previous = NULL;
++ semanage_seuser_t *new = NULL;
++
+ if (!sename) {
+ errno=EINVAL;
+ return -1;
+ }
++ if (semanage_seuser_clone(handle, data, &new) < 0) {
++ goto err;
++ }
++
+ if (!mls_range && semanage_mls_enabled(handle)) {
-+ errno=EINVAL;
-+ return -1;
++ semanage_user_key_t *ukey = NULL;
++ semanage_user_t *u = NULL;
++ rc = semanage_user_key_create(handle, sename, &ukey);
++ if (rc < 0)
++ goto err;
++
++ rc = semanage_user_query(handle, ukey, &u);
++ semanage_user_key_free(ukey);
++ if (rc >= 0 ) {
++ mls_range = semanage_user_get_mlsrange(u);
++ rc = semanage_seuser_set_mlsrange(handle, new, mls_range);
++ semanage_user_free(u);
++ }
++ if (rc < 0)
++ goto err;
+ }
+
+ handle->msg_callback = NULL;
-+ semanage_seuser_query(handle, key, &previous);
++ (void) semanage_seuser_query(handle, key, &previous);
+ handle->msg_callback = callback;
-+ rc = dbase_modify(handle, dconfig, key, data);
-+ if (semanage_seuser_audit(handle, data, previous, AUDIT_ROLE_ASSIGN, rc == 0) < 0)
++ rc = dbase_modify(handle, dconfig, key, new);
++ if (semanage_seuser_audit(handle, new, previous, AUDIT_ROLE_ASSIGN, rc == 0) < 0)
+ rc = -1;
++err:
+ if (previous)
+ semanage_seuser_free(previous);
++ semanage_seuser_free(new);
+ return rc;
}
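Review bot: The `goto err` taken when `semanage_seuser_clone` fails lands on `return rc;` before any assignment to `rc` in this hunk; `rc` is declared above the hunk, and unless it is initialized there the caller receives an indeterminate value that may read as success. Assign the result instead, `rc = semanage_seuser_clone(handle, data, &new);` followed by `if (rc < 0) goto err;`. Separately, the `if (rc >= 0 )` branch hands `u` to `semanage_user_get_mlsrange` without a NULL check, while the seuser_record.c code this commit removes only used `u` on `rc == STATUS_SUCCESS`; confirm that `semanage_user_query` cannot return a non-negative status with `u == NULL`, and guard with `if (rc >= 0 && u)` if it can. `semanage_seuser_free(new)` at the label is reached with `new == NULL` on the clone-failure path, which is only safe if that free tolerates NULL. The function's header is above the hunk.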
diff --git a/libsemanage.spec b/libsemanage.spec
index 358550b..6162e54 100644
--- a/libsemanage.spec
+++ b/libsemanage.spec
@@ -7,7 +7,7 @@
Summary: SELinux binary policy manipulation library
Name: libsemanage
Version: 2.1.10
-Release: 12%{?dist}
+Release: 14%{?dist}
License: LGPLv2+
Group: System Environment/Libraries
Source: libsemanage-%{version}.tgz
@@ -179,6 +179,15 @@ rm -rf ${RPM_BUILD_ROOT}
%endif # if with_python3
%changelog
+* Wed Oct 16 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.10-14
+- Cleanup handling of missing mls_range to fix problems with useradd -Z
+- Fix auditing of login record changes, roles were not working correctly.
+Resolves: #952237
+
+* Fri Oct 4 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.10-13
+- Fix errors found by coverity
+Resolves: #952237
+
* Wed Sep 25 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.10-12
- Do not fail on missing SELinux User Record when adding login record