From 61427961fcae2eb7f14b3e14b76a30bb03ac3b2f Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Oct 17 2005 18:19:07 +0000
Subject: -
---
diff --git a/.cvsignore b/.cvsignore
index cfe9187..dd02f27 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -53,3 +53,4 @@ libselinux-1.27.4.tgz
 libselinux-1.27.6.tgz
 libselinux-1.27.7.tgz
 libselinux-1.27.9.tgz
+libselinux-1.27.10.tgz
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index a06c700..ec309e4 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -1,264 +1,159 @@
-diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.27.1/include/selinux/selinux.h
---- nsalibselinux/include/selinux/selinux.h 2005-09-01 11:17:40.000000000 -0400
-+++ libselinux-1.27.1/include/selinux/selinux.h 2005-09-29 14:46:48.000000000 -0400
-@@ -323,6 +323,7 @@
- extern const char *selinux_booleans_path(void);
- extern const char *selinux_customizable_types_path(void);
- extern const char *selinux_users_path(void);
-+extern const char *selinux_usersconf_path(void);
+diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/get_context_list.h libselinux-1.27.10/include/selinux/get_context_list.h
+--- nsalibselinux/include/selinux/get_context_list.h 2005-09-19 13:36:06.000000000 -0400
++++ libselinux-1.27.10/include/selinux/get_context_list.h 2005-10-17 13:48:00.000000000 -0400
+@@ -54,6 +54,15 @@
+ security_context_t fromcon,
+ security_context_t *newcon);
- /* Check a permission in the passwd class.
- Return 0 if granted or -1 otherwise.
-@@ -354,6 +355,12 @@
- extern int selinux_raw_to_trans_context(security_context_t raw,
- security_context_t *transp);
++/* Same as get_default_context, but only return a context
++ that has the specified role and level. If no reachable context exists
++ for the user with that role, then return -1. */
++int get_default_context_with_rolelevel(const char* user,
++ const char *level,
++ const char *role,
++ security_context_t fromcon,
++ security_context_t *newcon);
++
+ /* Given a list of authorized security contexts for the user,
+ query the user to select one and set *newcon to refer to it.
+ Caller must free via freecon.
+diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/get_default_context_with_level.3 libselinux-1.27.10/man/man3/get_default_context_with_level.3
+--- nsalibselinux/man/man3/get_default_context_with_level.3 1969-12-31 19:00:00.000000000 -0500
++++ libselinux-1.27.10/man/man3/get_default_context_with_level.3 2005-10-17 13:58:54.000000000 -0400
+@@ -0,0 +1 @@
++.so man3/get_ordered_context_list.3
+diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/get_default_context_with_rolelevel.3 libselinux-1.27.10/man/man3/get_default_context_with_rolelevel.3
+--- nsalibselinux/man/man3/get_default_context_with_rolelevel.3 1969-12-31 19:00:00.000000000 -0500
++++ libselinux-1.27.10/man/man3/get_default_context_with_rolelevel.3 2005-10-17 13:58:41.000000000 -0400
+@@ -0,0 +1 @@
++.so man3/get_ordered_context_list.3
+diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/get_ordered_context_list.3 libselinux-1.27.10/man/man3/get_ordered_context_list.3
+--- nsalibselinux/man/man3/get_ordered_context_list.3 2005-04-29 14:06:50.000000000 -0400
++++ libselinux-1.27.10/man/man3/get_ordered_context_list.3 2005-10-17 13:57:48.000000000 -0400
+@@ -1,6 +1,6 @@
+ .TH "get_ordered_context_list" "3" "1 January 2004" "russell@coker.com.au" "SE Linux"
+ .SH "NAME"
+-get_ordered_context_list, get_default_context, get_default_context_with_role, query_user_context, manual_user_enter_context, get_default_role \- determine context(s) for user sessions
++get_ordered_context_list, get_ordered_context_list_with_level, get_default_context, get_default_context_with_level, get_default_context_with_role, get_default_context_with_rolelevel, query_user_context, manual_user_enter_context, get_default_role \- determine context(s) for user sessions
-+
-+/* the following functions are used to retrieve the SELinux user and their
-+ security level via the Linux usernames selinux */
-+
-+extern int getseuserbyname(const char *name, char **seuser, char **level);
-+
- #ifdef __cplusplus
- }
- #endif
-diff --exclude-from=exclude -N -u -r nsalibselinux/man/Makefile libselinux-1.27.1/man/Makefile
---- nsalibselinux/man/Makefile 2004-10-20 16:31:36.000000000 -0400
-+++ libselinux-1.27.1/man/Makefile 2005-09-28 14:32:16.000000000 -0400
-@@ -8,3 +8,6 @@
- install -m 644 man3/*.3 $(MAN3DIR)
- install -m 644 man8/*.8 $(MAN8DIR)
-
-+clean:
-+ -rm -f *~ \#*
-+ -rm -f man8/*~ man8/\#*
-diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/getseuserbyname.3 libselinux-1.27.1/man/man3/getseuserbyname.3
---- nsalibselinux/man/man3/getseuserbyname.3 1969-12-31 19:00:00.000000000 -0500
-+++ libselinux-1.27.1/man/man3/getseuserbyname.3 2005-09-29 15:09:57.000000000 -0400
-@@ -0,0 +1,21 @@
-+.TH "getseuserbyname" "3" "29 September 2005" "dwalsh@redhat.com" "SE Linux API documentation"
-+.SH "NAME"
-+getseuserbyname \- get SELinux user and level via Linux username
-+.SH "SYNOPSIS"
-+.B #include
+ .SH "SYNOPSIS"
+ .B #include
+@@ -9,10 +9,16 @@
+ .sp
+ .BI "int get_ordered_context_list(const char *" user ", security_context_t "fromcon ", security_context_t **" list );
+ .sp
++.BI "int get_ordered_context_list_with_level(const char *" user ", const char *" level ", security_context_t "fromcon ", security_context_t **" list );
+.sp
-+.BI "int getseuserbyname(const char *" username ", char **" selinuxuser ", char **" level ");
-+.SH "DESCRIPTION"
-+.B getseuserbyname
-+retrieves the SELinux Username and security level associated with username.
-+
-+.br
-+
-+The returned SELinux username and level should be free with free if non-NULL.
-+.SH "RETURN VALUE"
-+On success, 0 is returned indicating.
-+On failure, \-1 is returned and errno is set appropriately.
-+
-+The errors documented for the stat(2) system call are also applicable
-+here.
+ .BI "int get_default_context(const char *" user ", security_context_t "fromcon ", security_context_t *" newcon );
+ .sp
++.BI "int get_default_context_with_level(const char *" user ", const char *" level ", security_context_t "fromcon ", security_context_t *" newcon );
++.sp
+ .BI "int get_default_context_with_role(const char* " user ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon ");
+ .sp
++.BI "int get_default_context_with_rolelevel(const char* " user ", const char* " level ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon ");
++.sp
+ .BI "int query_user_context(security_context_t *" list ", security_context_t *" newcon );
+ .sp
+ .BI "int manual_user_enter_context(const char *" user ", security_context_t *" newcon );
+@@ -27,7 +33,7 @@
+ .I user
+ that are reachable from the specified
+ .I fromcon
+-context and then orders the resulting list based on the global
++context. The function then orders the resulting list based on the global
+ .B /etc/selinux//contexts/default_contexts
+ file and the per-user
+ .B /etc/selinux//contexts/users/
+@@ -39,13 +45,22 @@
+ .B freeconary
+ function.
+
++.B get_ordered_context_list_with_level
++invokes the get_ordered_context_list function and applies the specified level.
+
-diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-1.27.1/src/selinux_config.c
---- nsalibselinux/src/selinux_config.c 2005-03-17 14:56:21.000000000 -0500
-+++ libselinux-1.27.1/src/selinux_config.c 2005-09-29 11:28:55.000000000 -0400
-@@ -11,6 +11,7 @@
+ .B get_default_context
+ is the same as get_ordered_context_list but only returns a single context
+ which has to be freed with freecon.
- #define SELINUXDIR "/etc/selinux/"
- #define SELINUXCONFIG SELINUXDIR "config"
-+#define SELINUXUSERS SELINUXDIR "seusers.conf"
- #define SELINUXDEFAULT "targeted"
- #define SELINUXTYPETAG "SELINUXTYPE="
- #define SELINUXTAG "SELINUX="
-@@ -252,5 +253,9 @@
- const char *selinux_users_path() {
- return get_path(USERS_DIR);
- }
-+const char *selinux_usersconf_path() {
-+ return SELINUXUSERS;
-+}
++.B get_default_context_with_level
++invokes the get_default_context function and applies the specified level.
+
- hidden_def(selinux_users_path)
+ .B get_default_context_with_role
+ is the same as get_default_context but only returns a context with the specified role, returning -1 if no such context is reachable for the user.
-diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_internal.h libselinux-1.27.1/src/selinux_internal.h
---- nsalibselinux/src/selinux_internal.h 2005-08-25 16:18:01.000000000 -0400
-+++ libselinux-1.27.1/src/selinux_internal.h 2005-09-29 14:49:43.000000000 -0400
-@@ -49,6 +49,7 @@
- hidden_proto(selinux_check_passwd_access)
- hidden_proto(matchpathcon_init)
- hidden_proto(selinux_users_path)
-+hidden_proto(selinux_usersconf_path);
++.B get_default_context_with_rolelevel
++invokes the get_default_context_with_role function and applies the specified level.
++
+ .B query_user_context
+ takes a list of contexts, queries the user via stdin/stdout as to which context
+ they want, and returns a new context as selected by the user (which has to be
+@@ -58,9 +73,8 @@
+ Get the default type (domain) for 'role' and set 'type' to refer to it, which has to be freed with free.
- extern int context_translations hidden;
- extern int hidden trans_to_raw_context(char *trans, char **rawp);
-diff --exclude-from=exclude -N -u -r nsalibselinux/src/seusers.c libselinux-1.27.1/src/seusers.c
---- nsalibselinux/src/seusers.c 1969-12-31 19:00:00.000000000 -0500
-+++ libselinux-1.27.1/src/seusers.c 2005-09-29 14:51:47.000000000 -0400
-@@ -0,0 +1,138 @@
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include "selinux_internal.h"
-+
-+/* Process line from seusers.conf.
-+ Remove white space and set name do data before the "=" and sename to data
-+ after it */
-+static int process_seusers(const char *buffer, char **r_username, char **r_seuser, char **r_level) {
-+ char *username=NULL;
-+ char *seuser=NULL;
-+ char *level=NULL;
-+ char *ptr;
-+ int rc=-1;
-+ char *tok;
-+ char *newbuf=strdup(buffer);
-+ if (!newbuf) return -1;
-+
-+ tok=strtok_r(newbuf,":",&ptr);
-+ if (!tok) goto err;
-+ if ( tok[0]=='#' ) goto err;
-+ username=strdup(tok);
-+ if (!username) {
-+ rc=-1;
-+ goto err;
-+ }
-+
-+ tok=strtok_r(NULL,":",&ptr);
-+ if (!tok) goto err;
-+ while (isspace(*tok)) tok++;
-+ if(strlen(tok))
-+ seuser=strdup(tok);
-+ if (!seuser) {
-+ free(username);
-+ rc=-1;
-+ goto err;
-+ }
-+
-+ tok=strtok_r(NULL,":",&ptr);
-+ if (!tok) goto err;
-+ while (isspace(*tok)) tok++;
-+ if(strlen(tok))
-+ level=strdup(tok);
-+ if (!level) {
-+ free(username);
-+ free(seuser);
-+ rc=-1;
-+ goto err;
-+ }
-+
-+ tok=strtok_r(NULL,":",&ptr);
-+ if (tok) {
-+ int len;
-+ while (isspace(*tok)) tok++;
-+ len=strlen(tok);
-+ if(len) {
-+ char *ptr=realloc(level, strlen(level) + len + 2);
-+ if (ptr==NULL) {
-+ free(username);
-+ free(seuser);
-+ free(level);
-+ rc=-1;
-+ goto err;
-+ }
-+ level=ptr;
-+ strcat(level,":");
-+ strcat(level,tok);
-+ }
-+ }
-+
-+ *r_username=username;
-+ *r_seuser=seuser;
-+ *r_level=level;
-+ rc=0;
-+err:
-+ free(newbuf);
-+ return rc;
-+}
-+
-+int getseuserbyname(const char *name, char **r_seuser, char **r_level) {
-+ FILE *cfg=NULL;
-+ size_t size=0;
-+ char *buffer=NULL;
-+
-+ char *username=NULL;
-+ char *seuser=NULL;
-+ char *level=NULL;
-+ char *defaultseuser=NULL;
-+ char *defaultlevel=NULL;
-+
-+ cfg = fopen(selinux_usersconf_path(),"r");
-+ if (!cfg) return -1;
+ .SH "RETURN VALUE"
+-get_ordered_context_list returns the number of contexts in the list upon
+-success or -1 upon errors.
++get_ordered_context_list and get_ordered_context_list_with_level return the number of contexts in the list upon success or -1 upon errors.
+ The other functions return 0 for success or -1 for errors.
+
+ .SH "SEE ALSO"
+-.BR freeconary "(3), " freecon "(3), " security_compute_av "(3)"
++.BR freeconary "(3), " freecon "(3), " security_compute_av "(3)", getseuserbyname"(3)"
+diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/get_ordered_context_list_with_level.3 libselinux-1.27.10/man/man3/get_ordered_context_list_with_level.3
+--- nsalibselinux/man/man3/get_ordered_context_list_with_level.3 1969-12-31 19:00:00.000000000 -0500
++++ libselinux-1.27.10/man/man3/get_ordered_context_list_with_level.3 2005-10-17 13:59:03.000000000 -0400
+@@ -0,0 +1 @@
++.so man3/get_ordered_context_list.3
+diff --exclude-from=exclude -N -u -r nsalibselinux/src/get_context_list.c libselinux-1.27.10/src/get_context_list.c
+--- nsalibselinux/src/get_context_list.c 2005-10-14 14:45:05.000000000 -0400
++++ libselinux-1.27.10/src/get_context_list.c 2005-10-17 13:45:55.000000000 -0400
+@@ -48,6 +49,49 @@
+ return rc;
+ }
+
++int get_default_context_with_rolelevel(const char* user,
++ const char *role,
++ const char *level,
++ security_context_t fromcon,
++ security_context_t *newcon)
++{
+
-+ while (getline(&buffer, &size, cfg) > 0) {
-+ if(process_seusers(buffer, &username, &seuser, &level) == 0) {
-+ if (strcmp(username, name)==0)
-+ break;
++ int rc=0;
++ int freefrom = 0;
++ context_t con;
++ char *newfromcon;
++ if (!level)
++ return get_default_context_with_role(user, role, fromcon, newcon);
++
++ if (!fromcon) {
++ rc = getcon(&fromcon);
++ if (rc < 0)
++ return rc;
++ freefrom = 1;
++ }
++
++ rc = -1;
++ con=context_new(fromcon);
++ if (!con)
++ goto out;
++
++ if (context_range_set(con, level))
++ goto out;
++
++ newfromcon = context_str(con);
++ if (!newfromcon)
++ goto out;
++
++ rc = get_default_context_with_role(user, role, newfromcon, newcon);
++
++out:
++ context_free(con);
++ if (freefrom)
++ freecon(fromcon);
++ return rc;
+
-+ if (strcmp(username,"default")==0) {
-+ free(username);
-+ if (defaultseuser)
-+ free(defaultseuser);
-+ if (defaultlevel)
-+ free(defaultlevel);
-+ defaultseuser=seuser;
-+ defaultlevel=level;
-+ }
-+ else {
-+ free(username);
-+ free(seuser);
-+ free(level);
-+ }
-+ seuser=NULL;
-+ }
-+ }
-+ if (buffer) free(buffer);
-+ fclose(cfg);
-+ if (seuser) {
-+ free(username);
-+ free(defaultseuser);
-+ free(defaultlevel);
-+ *r_seuser=seuser;
-+ *r_level=level;
-+ return 0;
-+ }
-+ if (defaultseuser) {
-+ *r_seuser=defaultseuser;
-+ *r_level=defaultlevel;
-+ return 0;
-+ }
-+
-+ return -1;
+}
-diff --exclude-from=exclude -N -u -r nsalibselinux/utils/getseuser.c libselinux-1.27.1/utils/getseuser.c
---- nsalibselinux/utils/getseuser.c 1969-12-31 19:00:00.000000000 -0500
-+++ libselinux-1.27.1/utils/getseuser.c 2005-09-29 14:46:06.000000000 -0400
-@@ -0,0 +1,27 @@
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
+
-+void usage(const char *progname)
-+{
-+ fprintf(stderr, "usage: %s\n", progname);
-+ exit(1);
-+}
-+int main(int argc, char **argv) {
-+ char *seuser;
-+ char *level;
-+ if ( argc != 2 ) usage(argv[0]);
-+ if (getseuserbyname(argv[1], &seuser, &level) == 0 ) {
-+ printf("%s\n", argv[1]);
-+ printf("%s\n", seuser);
-+ printf("%s", level);
-+ return 0;
-+ } else {
-+ printf("%s not found\n", argv[1]);
-+ return -1;
-+ }
-+}
+ int get_default_context(const char* user,
+ security_context_t fromcon,
+ security_context_t *newcon)
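Review bot: The definition of get_default_context_with_rolelevel added to src/get_context_list.c takes its string arguments as (user, role, level, fromcon, newcon), while the prototype added to include/selinux/get_context_list.h and the synopsis added to get_ordered_context_list.3 both declare (user, level, role, fromcon, newcon). All three are `const char *`, so the compiler cannot flag the mismatch; a caller written against the header hands its level to the `role` parameter and its role to `level`, so context_range_set() receives a role name as the MLS range and the role lookup runs against the level string. Since the header and the man page agree, the definition should be reordered to `const char *level,` followed by `const char *role,` so the three stay consistent. Separately, the `if (!con) goto out;` path reaches context_free() with a NULL handle, which is only safe if this tree's context_free() tolerates NULL; if it does not, that branch should return -1 directly instead of jumping to `out`.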
diff --git a/libselinux.spec b/libselinux.spec
index 35c2a5e..68559b7 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -1,11 +1,13 @@
 %define libsepolver 1.9.17-1
 Summary: SELinux library and simple utilities
 Name: libselinux
-Version: 1.27.9
-Release: 2
+Version: 1.27.10
+Release: 1
 License: Public domain (uncopyrighted)
 Group: System Environment/Libraries
 Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
+Patch: libselinux-rhat.patch
+
 Prereq: libsetrans
 Requires: libsepol >= %{libsepolver}
@@ -37,6 +39,7 @@ needed for developing SELinux applications.
 %prep
 %setup -q
+%patch -p1 -b .rhat
 %build
 make CFLAGS="-g %{optflags}"
@@ -89,6 +92,9 @@ exit 0
 %{_mandir}/man8/*
 %changelog
+* Mon Oct 17 2005 Dan Walsh 1.27.10-1
+-
 * Fri Oct 14 2005 Dan Walsh 1.27.9-2
 - Tell init to reexec itself in post script
diff --git a/sources b/sources
index 74f5abf..d0a403a 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-ec7aa6371255e9ce58f84287184705cf libselinux-1.27.9.tgz
+e88a9720a6eab17b1a6782caa8278673 libselinux-1.27.10.tgz