From b7bdc631f196d56cb56efd3f26ad5202f9113605 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Aug 10 2006 15:34:47 +0000
Subject: - Fix translation return codes to return size of buffer
---
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index 91300ea..f46b556 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -1,291 +1,35 @@ -diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.30.15/include/selinux/selinux.h ---- nsalibselinux/include/selinux/selinux.h 2006-06-16 15:08:24.000000000 -0400 -+++ libselinux-1.30.15/include/selinux/selinux.h 2006-06-21 15:26:36.000000000 -0400 -@@ -429,8 +429,19 @@ - Caller must free the returned strings via free. */ - extern int getseuserbyname(const char *linuxuser, char **seuser, char **level); - -+/* This function compares two file context, ignoring the user component */ -+int selinux_file_context_cmp(const security_context_t a, const security_context_t b); -+ -+/* This function looks at the file context on disk and compares it to the -+system defaults, it returns 0 on match non 0 on failure */ -+int selinux_file_context_verify(const char *path, mode_t mode); -+ -+/* This function sets the file context on to the system defaults returns 0 on success */ -+int selinux_lsetfilecon_default(const char *path); -+ - #ifdef __cplusplus - } - #endif +diff --exclude-from=exclude -N -u -r nsalibselinux/src/fgetfilecon.c libselinux-1.30.22/src/fgetfilecon.c +--- nsalibselinux/src/fgetfilecon.c 2006-07-03 07:52:49.000000000 -0400 ++++ libselinux-1.30.22/src/fgetfilecon.c 2006-08-10 11:09:07.000000000 -0400 +@@ -58,5 +58,8 @@ + freecon(rcontext); + } - #endif ++ if (ret >= 0) ++ return strlen(*context); + -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/matchpathcon.8 libselinux-1.30.15/man/man8/matchpathcon.8 ---- nsalibselinux/man/man8/matchpathcon.8 2006-05-15 09:43:24.000000000 -0400 -+++ libselinux-1.30.15/man/man8/matchpathcon.8 2006-06-21 15:26:36.000000000 -0400 -@@ -3,13 +3,25 @@ - matchpathcon \- get the default security context for the specified path from the file contexts configuration. - - .SH "SYNOPSIS" --.B matchpathcon [-n] filepath... -- -+.B matchpathcon [-V] [-N] [-n] [-f file_contexts_file ] [-p prefix ] filepath... 
- .SH "DESCRIPTION" - .B matchpathcon - Prints the file path and the default security context associated with it. -+.SH OPTIONS -+.B \-n -+Do not display path. -+.br -+.B \-N -+Do not use translations. -+.br -+.B \-f file_context_file -+Use alternate file_context file -+.br -+.B \-p prefix -+Use prefix to speed translations - .br --If the -n option is given, do not display path. -+.B \-V -+Verify file context on disk matches defaults - - .SH AUTHOR - This manual page was written by Dan Walsh . -diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-1.30.15/src/matchpathcon.c ---- nsalibselinux/src/matchpathcon.c 2006-05-18 12:11:17.000000000 -0400 -+++ libselinux-1.30.15/src/matchpathcon.c 2006-06-21 15:37:18.000000000 -0400 -@@ -20,10 +20,12 @@ - #endif - default_printf(const char *fmt, ...) - { -+#ifdef DEBUG - va_list ap; - va_start(ap, fmt); - vfprintf(stderr, fmt, ap); - va_end(ap); -+#endif - } - - static void -@@ -50,7 +52,7 @@ - static int default_canoncon(const char *path, unsigned lineno, char **context) - { - char *tmpcon; -- if (security_canonicalize_context(*context, &tmpcon) < 0) { -+ if (security_canonicalize_context_raw(*context, &tmpcon) < 0) { - if (errno == ENOENT) - return 0; - if (lineno) -@@ -74,7 +76,7 @@ - mycanoncon = &default_canoncon; + return ret; } - --static unsigned int myflags; -+static __thread unsigned int myflags; - - void set_matchpathcon_flags(unsigned int flags) - { -@@ -552,21 +554,6 @@ - - skip_type: - if (strcmp(context, "<>")) { -- char *tmpcon = NULL; -- -- if (myflags & MATCHPATHCON_NOTRANS) -- goto skip_trans; -- -- if (selinux_raw_to_trans_context(context, &tmpcon)) { -- myprintf("%s: line %u has invalid " -- "context %s\n", -- path, lineno, context); -- return 0; -- } -- free(context); -- context = tmpcon; -- --skip_trans: - if (myflags & MATCHPATHCON_VALIDATE) { - if (myinvalidcon) { - /* Old-style validation of context. 
*/ -@@ -831,7 +818,12 @@ - spec_arr[i].context_valid = 1; +diff --exclude-from=exclude -N -u -r nsalibselinux/src/getfilecon.c libselinux-1.30.22/src/getfilecon.c +--- nsalibselinux/src/getfilecon.c 2006-07-03 07:52:49.000000000 -0400 ++++ libselinux-1.30.22/src/getfilecon.c 2006-08-10 11:09:59.000000000 -0400 +@@ -57,6 +57,8 @@ + ret = selinux_raw_to_trans_context(rcontext, context); + freecon(rcontext); } ++ if (ret >= 0) ++ return strlen(*context); -- *con = strdup(spec_arr[i].context); -+ if (myflags & MATCHPATHCON_NOTRANS) { -+ *con = strdup(spec_arr[i].context); -+ } else { -+ if (selinux_raw_to_trans_context(spec_arr[i].context, con)) -+ return -1; -+ } - if (!(*con)) - return -1; - -@@ -877,3 +869,72 @@ - } - } + return ret; } -+ -+/* Compare two contexts to see if their differences are "significant", -+ * or whether the only difference is in the user. */ -+int selinux_file_context_cmp(const security_context_t a, const security_context_t b) -+{ -+ char *rest_a, *rest_b; /* Rest of the context after the user */ -+ if (!a && !b) return 0; -+ if (!a && b) return -1; -+ if (a && !b) return 1; -+ rest_a = strchr((char *)a, ':'); -+ rest_b = strchr((char *)b, ':'); -+ if (!rest_a && !rest_b) return 0; -+ if (!rest_a && rest_b) return -1; -+ if (rest_a && !rest_b) return 1; -+ return strcmp(rest_a, rest_b); -+} -+ -+int selinux_file_context_verify(const char *path, mode_t mode) -+{ -+ security_context_t con = NULL; -+ security_context_t fcontext = NULL; -+ unsigned int localflags=myflags; -+ int rc=0; -+ -+ rc = lgetfilecon_raw(path, &con); -+ if (rc == -1) { -+ if (errno != ENOTSUP) -+ return 1; -+ else -+ return 0; -+ } -+ -+ set_matchpathcon_flags(myflags | MATCHPATHCON_NOTRANS); -+ if (matchpathcon(path,mode,&fcontext) != 0) { -+ if (errno != ENOENT) -+ rc = 1; -+ else -+ rc = 0; -+ } -+ else -+ rc = (selinux_file_context_cmp(fcontext, con) == 0); -+ set_matchpathcon_flags(localflags); -+ freecon(con); -+ freecon(fcontext); -+ return rc; -+} -+ -+ -+int 
selinux_lsetfilecon_default(const char *path) { -+ struct stat st; -+ int rc = -1; -+ security_context_t scontext=NULL; -+ unsigned int localflags=myflags; -+ if (lstat(path, &st) != 0) -+ return rc; -+ -+ set_matchpathcon_flags(myflags | MATCHPATHCON_NOTRANS); -+ -+ /* If there's an error determining the context, or it has none, -+ return to allow default context */ -+ if (matchpathcon(path, st.st_mode, &scontext)) { -+ if (errno == ENOENT) rc = 0; -+ } else { -+ rc = lsetfilecon_raw(path, scontext); -+ freecon(scontext); -+ } -+ set_matchpathcon_flags(localflags); -+ return rc; -+} -diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselinux-1.30.15/utils/matchpathcon.c ---- nsalibselinux/utils/matchpathcon.c 2006-05-18 12:11:17.000000000 -0400 -+++ libselinux-1.30.15/utils/matchpathcon.c 2006-06-21 15:26:36.000000000 -0400 -@@ -12,19 +12,44 @@ - exit(1); - } - -+int printmatchpathcon(char *path, int header) { -+ char *buf; -+ int rc = matchpathcon(path, 0, &buf); -+ if (rc < 0) { -+ fprintf(stderr, "matchpathcon(%s) failed: %s\n", path, strerror(errno)); -+ return 1; -+ } -+ if (header) -+ printf("%s\t%s\n", path, buf); -+ else -+ printf("%s\n", buf); -+ -+ freecon(buf); -+ return 0; -+} -+ - int main(int argc, char **argv) - { -- char *buf; -- int rc, i, init = 0; -+ int i, init = 0; - int header=1, opt; -+ int verify=0; -+ int notrans=0; -+ int error=0; - - if (argc < 2) usage(argv[0]); - -- while ((opt = getopt(argc, argv, "nf:p:")) > 0) { -+ while ((opt = getopt(argc, argv, "Nnf:p:V")) > 0) { - switch (opt) { - case 'n': - header=0; - break; -+ case 'V': -+ verify=1; -+ break; -+ case 'N': -+ notrans=1; -+ set_matchpathcon_flags(MATCHPATHCON_NOTRANS); -+ break; - case 'f': - if (init) { - fprintf(stderr, "%s: -f and -p are exclusive\n", argv[0]); -@@ -54,18 +79,30 @@ - } +diff --exclude-from=exclude -N -u -r nsalibselinux/src/lgetfilecon.c libselinux-1.30.22/src/lgetfilecon.c +--- nsalibselinux/src/lgetfilecon.c 2006-07-03 
07:52:49.000000000 -0400 ++++ libselinux-1.30.22/src/lgetfilecon.c 2006-08-10 11:06:59.000000000 -0400 +@@ -58,5 +58,7 @@ + freecon(rcontext); } - for (i = optind; i < argc; i++) { -- rc = matchpathcon(argv[i], 0, &buf); -- if (rc < 0) { -- fprintf(stderr, "%s: matchpathcon(%s) failed\n", argv[0], argv[i]); -- return 2; -- } -- if (header) -- printf("%s\t%s\n", argv[i], buf); -- else -- printf("%s\n", buf); -+ if (verify) { -+ if (selinux_file_context_verify(argv[i], 0)) { -+ printf("%s verified.\n", argv[i]); -+ } else { -+ security_context_t con; -+ int rc; -+ if (notrans) -+ rc = lgetfilecon_raw(argv[i], &con); -+ else -+ rc = lgetfilecon(argv[i], &con); -- freecon(buf); -+ if (rc >= 0) { -+ printf("%s has context %s, should be ", argv[i], con); -+ error += printmatchpathcon(argv[i], 0); -+ freecon(con); -+ } else { -+ printf("actual context unknown: %s, should be ", strerror(errno)); -+ error += printmatchpathcon(argv[i], 0); -+ } -+ } -+ } else { -+ error += printmatchpathcon(argv[i], header); -+ } - } - matchpathcon_fini(); -- return 0; -+ return error; ++ if (ret >= 0) ++ return strlen(*context); + return ret; } diff --git a/libselinux.spec b/libselinux.spec index e11f523..3dc5c2e 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -2,10 +2,12 @@ Summary: SELinux library and simple utilities Name: libselinux Version: 1.30.22 -Release: 1 +Release: 2 License: Public domain (uncopyrighted) Group: System Environment/Libraries Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz +Patch: libselinux-rhat.patch + BuildRequires: libsepol-devel >= %{libsepolver} swig Requires: libsepol >= %{libsepolver} setransd BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -46,6 +48,7 @@ needed for developing SELinux applications. %prep %setup -q +%patch -p1 -b .rhat %build make clean 
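Review bot: The three added `return strlen(*context);` lines in fgetfilecon.c, getfilecon.c and lgetfilecon.c dereference `*context` on every non-negative `ret`, yet the translation block that sets `*context` is conditional (its closing `}` is visible just above each insertion), so unless every path above guarantees `*context` is set whenever `ret >= 0`, the guard should read `if (ret >= 0 && *context)`. The stated goal is to make the translated functions return what the `_raw` variants return, but those presumably report the xattr size including the trailing NUL (what getxattr gives for a label), whereas `strlen()` excludes it — if so, callers comparing the two see an off-by-one and `return strlen(*context) + 1;` is the matching value. `strlen()` also yields a `size_t` that is silently narrowed to the functions' `int` return; an explicit `(int)` cast would at least document that. The enclosing functions and the code that sets `ret` on the untranslated path begin before each hunk, so neither point can be confirmed from here.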
@@ -115,6 +118,9 @@ exit 0 %{_libdir}/python*/site-packages/selinux.py* %changelog +* Wed Aug 9 2006 Dan Walsh - 1.30.22-2 +- Fix translation return codes to return size of buffer + * Tue Aug 1 2006 Dan Walsh - 1.30.22-1 - Upgrade to latest from NSA * Merged no-tls-direct-seg-refs patch from Jeremy Katz.