diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch index cc26982..db38870 100644 --- a/libselinux-rhat.patch +++ b/libselinux-rhat.patch 
@@ -1,482 +1,12 @@ -Binary files nsalibselinux/debugsources.list and libselinux-1.20.1/debugsources.list differ -diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.20.1/include/selinux/selinux.h ---- nsalibselinux/include/selinux/selinux.h 2004-12-03 14:40:05.000000000 -0500 -+++ libselinux-1.20.1/include/selinux/selinux.h 2005-01-12 10:13:25.000000000 -0500 -@@ -226,6 +226,7 @@ - extern const char *selinux_media_context_path(void); - extern const char *selinux_contexts_path(void); - extern const char *selinux_booleans_path(void); -+extern const char *selinux_customizable_types_path(void); - - /* Check a permission in the passwd class. - Return 0 if granted or -1 otherwise. */ -@@ -242,6 +243,10 @@ - const char *filename, - char *const argv[], char *const envp[]); - -+/* Returns whether a file context is customizable, and should not -+ be relabeled . */ -+extern int is_context_customizable (security_context_t scontext); -+ - #ifdef __cplusplus - } - #endif -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/is_context_customizable.3 libselinux-1.20.1/man/man3/is_context_customizable.3 ---- nsalibselinux/man/man3/is_context_customizable.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.20.1/man/man3/is_context_customizable.3 2005-01-12 10:13:25.000000000 -0500 -@@ -0,0 +1,22 @@ -+.TH "is_context_customizable" "3" "10 January 2005" "dwalsh@redhat.com" "SELinux API documentation" -+.SH "NAME" -+is_context_customizable \- check whether context type is customizable by the administrator. -+.SH "SYNOPSIS" -+.B #include -+.sp -+.B int is_context_customizable(security_context_t scon); -+ -+.SH "DESCRIPTION" -+.B is_context_customizable -+.br -+This function checks whether the type of scon is in the /etc/selinux/SELINUXTYPE/context/customizable_types file. A customizable type is a file context type that -+administrators set on files, usually to allow certain domains to share the file content. 
restorecon and setfiles, by default, leave these context in place. -+ -+ -+.SH "RETURN VALUE" -+returns 1 if security context is customizable or 0 if it is not. -+returns -1 on error -+ -+.SH "FILE" -+/etc/selinux/SELINUXTYPE/context/customizable_types -+ -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_load_booleans.3 libselinux-1.20.1/man/man3/security_load_booleans.3 ---- nsalibselinux/man/man3/security_load_booleans.3 2004-11-30 15:59:02.000000000 -0500 -+++ libselinux-1.20.1/man/man3/security_load_booleans.3 2005-01-18 17:24:31.326454550 -0500 -@@ -1,10 +1,8 @@ - .TH "security_get_boolean_names" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation" - .SH "NAME" - security_load_booleans, security_set_boolean, security_commit_booleans, --security_get_boolean_names, security_get_boolean_active, security_get_boolean_pending --.sp --routines for manipulating SELinux boolean values -- -+security_get_boolean_names, security_get_boolean_active, -+security_get_boolean_pending \- routines for manipulating SELinux boolean values - .SH "SYNOPSIS" - .B #include - .sp -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_binary_policy_path.3 libselinux-1.20.1/man/man3/selinux_binary_policy_path.3 ---- nsalibselinux/man/man3/selinux_binary_policy_path.3 2004-11-30 15:59:02.000000000 -0500 -+++ libselinux-1.20.1/man/man3/selinux_binary_policy_path.3 2005-01-18 17:24:31.344452529 -0500 -@@ -1,8 +1,10 @@ - .TH "selinux_binary_policy_path" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation" - .SH "NAME" --selinux_policy_root, selinux_binary_policy_path, selinux_failsafe_context_path, selinux_removable_context_path, selinux_default_context_path, selinux_user_contexts_path, selinux_file_context_path, selinux_media_context_path, selinux_contexts_path, selinux_booleans_path --.sp --These functions return the paths to the active policy configuration -+selinux_policy_root, selinux_binary_policy_path, 
-+selinux_failsafe_context_path, selinux_removable_context_path, -+selinux_default_context_path, selinux_user_contexts_path, -+selinux_file_context_path, selinux_media_context_path, -+selinux_contexts_path, selinux_booleans_path \- These functions return the paths to the active policy configuration - directories and files. - - .SH "SYNOPSIS" -diff --exclude-from=exclude -N -u -r nsalibselinux/src/file_path_suffixes.h libselinux-1.20.1/src/file_path_suffixes.h ---- nsalibselinux/src/file_path_suffixes.h 2004-10-20 16:31:36.000000000 -0400 -+++ libselinux-1.20.1/src/file_path_suffixes.h 2005-01-12 10:13:25.000000000 -0500 -@@ -9,3 +9,4 @@ - S_(BOOLEANS, "/booleans") - S_(MEDIA_CONTEXTS, "/contexts/files/media") - S_(REMOVABLE_CONTEXT, "/contexts/removable_context") -+S_(CUSTOMIZABLE_TYPES, "/contexts/customizable_types") -diff --exclude-from=exclude -N -u -r nsalibselinux/src/is_customizable_type.c libselinux-1.20.1/src/is_customizable_type.c ---- nsalibselinux/src/is_customizable_type.c 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.20.1/src/is_customizable_type.c 2005-01-12 10:13:25.000000000 -0500 -@@ -0,0 +1,68 @@ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+static int get_customizable_type_list (security_context_t **retlist) -+{ -+ FILE *fp; -+ char buf[4097]; -+ int ctr=0, i; -+ security_context_t *list=NULL; -+ -+ fp = fopen(selinux_customizable_types_path(), "r"); -+ if (!fp) -+ return -1; -+ -+ while (fgets_unlocked(buf, 4096, fp)) { -+ ctr++; -+ } -+ rewind(fp); -+ if (ctr) { -+ list=(security_context_t *) calloc(sizeof(security_context_t *), ctr+1); -+ if (list) { -+ i=0; -+ while (fgets_unlocked(buf, 4096, fp)) { -+ buf[strlen(buf)-1]=0; -+ list[i++]=(security_context_t) strdup(buf); -+ if (i>ctr) { -+ /* Should never happen */ -+ free(list); -+ list=NULL; -+ break; -+ } -+ } -+ } -+ } -+ fclose(fp); -+ if (!list) -+ return -1; -+ *retlist=list; -+ return 0; -+} -+ -+static security_context_t 
*customizable_list=NULL; -+ -+int is_context_customizable (security_context_t scontext) { -+ int i; -+ char *ptr; -+ if (! customizable_list) { -+ if (get_customizable_type_list(&customizable_list)!=0) -+ return -1; -+ } -+ -+ ptr=strrchr(scontext, ':'); -+ if (ptr) { -+ ptr++; -+ } else { -+ ptr=scontext; -+ } -+ for (i = 0; customizable_list[i]; i++) { -+ if (strcmp(customizable_list[i],ptr) == 0) return 1; -+ } -+ return 0; -+} -diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-1.20.1/src/matchpathcon.c ---- nsalibselinux/src/matchpathcon.c 2004-12-29 11:51:23.000000000 -0500 -+++ libselinux-1.20.1/src/matchpathcon.c 2005-01-12 10:13:25.000000000 -0500 -@@ -207,15 +207,135 @@ - } - return; - } -- -+static int process_line( const char *path, char *line_buf, int pass, int lineno) { -+ int items, len, regerr; -+ char *buf_p; -+ char *regex, *type, *context; -+ char *anchored_regex; -+ len = strlen(line_buf); -+ if (line_buf[len - 1] != '\n') { -+ myprintf("%s: line %d is too long, would be truncated, skipping\n", path, lineno); -+ return 0; -+ } -+ line_buf[len - 1] = 0; -+ buf_p = line_buf; -+ while (isspace(*buf_p)) -+ buf_p++; -+ /* Skip comment lines and empty lines. */ -+ if (*buf_p == '#' || *buf_p == 0) -+ return 0; -+ items = -+ sscanf(line_buf, "%as %as %as", ®ex, &type, -+ &context); -+ if (items < 2) { -+ myprintf("%s: line %d is missing fields\n, skipping", path, lineno); -+ return 0; -+ } else if (items == 2) { -+ /* The type field is optional. */ -+ free(context); -+ context = type; -+ type = 0; -+ } -+ -+ if (pass == 1) { -+ /* On the second pass, compile and store the specification in spec. */ -+ const char *reg_buf = regex; -+ char *cp; -+ spec_arr[nspec].stem_id = find_stem_from_spec(®_buf); -+ spec_arr[nspec].regex_str = regex; -+ -+ /* Anchor the regular expression. */ -+ len = strlen(reg_buf); -+ cp = anchored_regex = malloc(len + 3); -+ if (!anchored_regex) -+ return -1; -+ /* Create ^...$ regexp. 
*/ -+ *cp++ = '^'; -+ cp = mempcpy(cp, reg_buf, len); -+ *cp++ = '$'; -+ *cp = '\0'; -+ -+ /* Compile the regular expression. */ -+ regerr = -+ regcomp(&spec_arr[nspec].regex, -+ anchored_regex, -+ REG_EXTENDED | REG_NOSUB); -+ free(anchored_regex); -+ if (regerr < 0) { -+ myprintf("%s: line %d has invalid regex %s\n", path, lineno, anchored_regex); -+ return 0; -+ } -+ -+ /* Convert the type string to a mode format */ -+ spec_arr[nspec].type_str = type; -+ spec_arr[nspec].mode = 0; -+ if (!type) -+ goto skip_type; -+ len = strlen(type); -+ if (type[0] != '-' || len != 2) { -+ myprintf("%s: line %d has invalid file type %s\n", path, lineno, type); -+ return 0; -+ } -+ switch (type[1]) { -+ case 'b': -+ spec_arr[nspec].mode = S_IFBLK; -+ break; -+ case 'c': -+ spec_arr[nspec].mode = S_IFCHR; -+ break; -+ case 'd': -+ spec_arr[nspec].mode = S_IFDIR; -+ break; -+ case 'p': -+ spec_arr[nspec].mode = S_IFIFO; -+ break; -+ case 'l': -+ spec_arr[nspec].mode = S_IFLNK; -+ break; -+ case 's': -+ spec_arr[nspec].mode = S_IFSOCK; -+ break; -+ case '-': -+ spec_arr[nspec].mode = S_IFREG; -+ break; -+ default: -+ myprintf("%s: line %d has invalid file type %s\n", path, lineno, type); -+ return 0; -+ } -+ -+ skip_type: -+ -+ spec_arr[nspec].context = context; -+ -+ if (strcmp(context, "<>")) { -+ if (security_check_context(context) < 0 && errno != ENOENT) { -+ myprintf("%s: line %d has invalid context %s\n", path, lineno, context); -+ return 0; -+ } -+ } -+ -+ /* Determine if specification has -+ * any meta characters in the RE */ -+ spec_hasMetaChars(&spec_arr[nspec]); -+ } -+ -+ nspec++; -+ if (pass == 0) { -+ free(regex); -+ if (type) -+ free(type); -+ free(context); -+ } -+ return 0; -+} - static int matchpathcon_init(void) - { - FILE *fp; - const char *path; -- char line_buf[BUFSIZ + 1], *buf_p; -- char *regex, *type, *context; -- char *anchored_regex; -- int items, len, lineno, pass, regerr, i, j; -+ FILE *localfp; -+ char local_path[PATH_MAX + 1]; -+ char line_buf[BUFSIZ 
+ 1]; -+ int lineno, pass, i, j; - spec_t *spec_copy; - - /* Open the specification file. */ -@@ -223,6 +343,9 @@ - if ((fp = fopen(path, "r")) == NULL) - return -1; - -+ snprintf(local_path, sizeof(local_path), "%s.local", path); -+ localfp = fopen(local_path, "r"); -+ - /* - * Perform two passes over the specification file. - * The first pass counts the number of specifications and -@@ -235,123 +358,15 @@ - lineno = 0; - nspec = 0; - while (fgets_unlocked(line_buf, sizeof line_buf, fp)) { -- lineno++; -- len = strlen(line_buf); -- if (line_buf[len - 1] != '\n') { -- myprintf("%s: line %d is too long, would be truncated, skipping\n", path, lineno); -- continue; -- } -- line_buf[len - 1] = 0; -- buf_p = line_buf; -- while (isspace(*buf_p)) -- buf_p++; -- /* Skip comment lines and empty lines. */ -- if (*buf_p == '#' || *buf_p == 0) -- continue; -- items = -- sscanf(line_buf, "%as %as %as", ®ex, &type, -- &context); -- if (items < 2) { -- myprintf("%s: line %d is missing fields\n, skipping", path, lineno); -- continue; -- } else if (items == 2) { -- /* The type field is optional. */ -- free(context); -- context = type; -- type = 0; -- } -- -- if (pass == 1) { -- /* On the second pass, compile and store the specification in spec. */ -- const char *reg_buf = regex; -- char *cp; -- spec_arr[nspec].stem_id = find_stem_from_spec(®_buf); -- spec_arr[nspec].regex_str = regex; -- -- /* Anchor the regular expression. */ -- len = strlen(reg_buf); -- cp = anchored_regex = malloc(len + 3); -- if (!anchored_regex) -+ if (process_line(path, line_buf, pass, ++lineno) != 0) -+ return -1; -+ } -+ if (localfp) -+ while (fgets_unlocked(line_buf, sizeof line_buf, localfp)) { -+ if (process_line(local_path, line_buf, pass, ++lineno) != 0) - return -1; -- /* Create ^...$ regexp. */ -- *cp++ = '^'; -- cp = mempcpy(cp, reg_buf, len); -- *cp++ = '$'; -- *cp = '\0'; -- -- /* Compile the regular expression. 
*/ -- regerr = -- regcomp(&spec_arr[nspec].regex, -- anchored_regex, -- REG_EXTENDED | REG_NOSUB); -- free(anchored_regex); -- if (regerr < 0) { -- myprintf("%s: line %d has invalid regex %s\n", path, lineno, anchored_regex); -- continue; -- } -- -- /* Convert the type string to a mode format */ -- spec_arr[nspec].type_str = type; -- spec_arr[nspec].mode = 0; -- if (!type) -- goto skip_type; -- len = strlen(type); -- if (type[0] != '-' || len != 2) { -- myprintf("%s: line %d has invalid file type %s\n", path, lineno, type); -- continue; -- } -- switch (type[1]) { -- case 'b': -- spec_arr[nspec].mode = S_IFBLK; -- break; -- case 'c': -- spec_arr[nspec].mode = S_IFCHR; -- break; -- case 'd': -- spec_arr[nspec].mode = S_IFDIR; -- break; -- case 'p': -- spec_arr[nspec].mode = S_IFIFO; -- break; -- case 'l': -- spec_arr[nspec].mode = S_IFLNK; -- break; -- case 's': -- spec_arr[nspec].mode = S_IFSOCK; -- break; -- case '-': -- spec_arr[nspec].mode = S_IFREG; -- break; -- default: -- myprintf("%s: line %d has invalid file type %s\n", path, lineno, type); -- continue; -- } -- -- skip_type: -- -- spec_arr[nspec].context = context; -- -- if (strcmp(context, "<>")) { -- if (security_check_context(context) < 0 && errno != ENOENT) { -- myprintf("%s: line %d has invalid context %s\n", path, lineno, context); -- continue; -- } -- } -- -- /* Determine if specification has -- * any meta characters in the RE */ -- spec_hasMetaChars(&spec_arr[nspec]); - } - -- nspec++; -- if (pass == 0) { -- free(regex); -- if (type) -- free(type); -- free(context); -- } -- } -- - if (pass == 0) { - if (nspec == 0) - return 0; -@@ -360,9 +375,11 @@ - return -1; - memset(spec_arr, '\0', sizeof(spec_t) * nspec); - rewind(fp); -+ if (localfp) rewind(localfp); - } - } - fclose(fp); -+ if (localfp) fclose(localfp); - - /* Move exact pathname specifications to the end. 
*/ - spec_copy = malloc(sizeof(spec_t) * nspec); -diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-1.20.1/src/selinux_config.c ---- nsalibselinux/src/selinux_config.c 2004-10-20 16:31:36.000000000 -0400 -+++ libselinux-1.20.1/src/selinux_config.c 2005-01-12 10:13:25.000000000 -0500 -@@ -26,7 +26,8 @@ - #define BOOLEANS 7 - #define MEDIA_CONTEXTS 8 - #define REMOVABLE_CONTEXT 9 --#define NEL 10 -+#define CUSTOMIZABLE_TYPES 10 -+#define NEL 11 - - /* New layout is relative to SELINUXDIR/policytype. */ - static char *file_paths[NEL]; -@@ -211,6 +212,10 @@ - return get_path(MEDIA_CONTEXTS); - } - -+const char *selinux_customizable_types_path() { -+ return get_path(CUSTOMIZABLE_TYPES); -+} -+ - const char *selinux_contexts_path() { - return get_path(CONTEXTS_DIR); - } +diff --exclude-from=exclude -N -u -r nsalibselinux/utils/avcstat.c libselinux-1.21.1/utils/avcstat.c +--- nsalibselinux/utils/avcstat.c 2005-01-20 16:05:24.000000000 -0500 ++++ libselinux-1.21.1/utils/avcstat.c 2005-01-21 15:52:50.111732000 -0500 +@@ -68,7 +68,7 @@ + printf("program will loop, displaying updated statistics every \'interval\' seconds.\n"); + printf("Relative values are displayed by default. Use the -c option to specify the\n"); + printf("display of cumulative values. The -f option specifies the location of the\n"); +- printf("AVC statistics file, defaulting to \'%s\%s\'.\n\n", selinux_mnt, DEF_STAT_FILE); ++ printf("AVC statistics file, defaulting to \'%s%s\'.\n\n", selinux_mnt, DEF_STAT_FILE); + } + + static void set_window_rows(void) diff --git a/libselinux.spec b/libselinux.spec index 31117bd..3aa0419 100644 --- a/libselinux.spec +++ b/libselinux.spec 
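Review bot: The corrected printf on the new side still hands `selinux_mnt` to `%s`, and that libselinux global stays NULL when no selinuxfs mount is found at library init, so on a host without SELinux mounted the usage text is undefined behaviour rather than a helpful message; whether main() rejects that case before usage() can be reached is outside this hunk, so if it does not, print a fallback instead, e.g. `selinux_mnt ? selinux_mnt : "<selinuxfs mount>"`. The `\'` escapes in the same literal are legal but unnecessary inside a double-quoted C string; plain `'` reads cleaner and avoids another `\%`-style slip. The rest of the hunk drops the earlier customizable-types, selinux_config and matchpathcon `.local` hunks from the patch without any record of why; if they were absorbed by the 1.21.1 upstream update, a line saying so in the changelog entry (spec hunk below) would save the next maintainer the archaeology.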
@@ -1,10 +1,11 @@ Summary: SELinux library and simple utilities Name: libselinux Version: 1.21.1 -Release: 1 +Release: 2 License: Public domain (uncopyrighted) Group: System Environment/Libraries Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz +Patch: libselinux-rhat.patch BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot @@ -34,6 +35,7 @@ needed for developing SELinux applications. %prep %setup -q +%patch -p1 -b .rhat %build make CFLAGS="-g %{optflags}" @@ -84,6 +86,9 @@ rm -rf ${RPM_BUILD_ROOT} %{_mandir}/man8/* %changelog +* Fri Jan 20 2005 Dan Walsh 1.21.1-2 +- fix printf in avcstat + * Thu Jan 20 2005 Dan Walsh 1.21.1-1 - Update from NSA