diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index accd679..91300ea 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -1,17 +1,16 @@
 diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.30.15/include/selinux/selinux.h
 --- nsalibselinux/include/selinux/selinux.h 2006-06-16 15:08:24.000000000 -0400
-+++ libselinux-1.30.15/include/selinux/selinux.h 2006-06-20 15:48:14.000000000 -0400
-@@ -429,8 +429,20 @@
++++ libselinux-1.30.15/include/selinux/selinux.h 2006-06-21 15:26:36.000000000 -0400
+@@ -429,8 +429,19 @@
 Caller must free the returned strings via free. */
 extern int getseuserbyname(const char *linuxuser, char **seuser, char **level);
-+/* This function allows you to compare two security context, it will ignore the
-+user component */
-+int selinux_context_cmp(const security_context_t a, const security_context_t b);
++/* This function compares two file context, ignoring the user component */
++int selinux_file_context_cmp(const security_context_t a, const security_context_t b);
 +
 +/* This function looks at the file context on disk and compares it to the
-+system defaults, it returns 1 on match non 0 on failure */
-+int selinux_verify_file_context(const char *path, mode_t mode);
++system defaults, it returns 0 on match non 0 on failure */
++int selinux_file_context_verify(const char *path, mode_t mode);
 +
 +/* This function sets the file context on to the system defaults returns 0 on success */
 +int selinux_lsetfilecon_default(const char *path);
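Review bot: The new header comment says `selinux_file_context_verify` `returns 0 on match non 0 on failure`, but the implementation in the matchpathcon.c hunk at @@ -151 computes `rc = (selinux_file_context_cmp(fcontext, con) == 0)`, which is 1 on match, and the utility hunk at @@ -252 prints `verified.` only for a nonzero return; the comment documents the inverse of what the code does. Pick one convention and make the header, the implementation and the utility agree; if the code is kept, the comment should read `/* Looks up the file's on-disk context and compares it to the system default; returns 1 on match and 0 otherwise */`. The `mode` parameter is also left undocumented in the same comment, and a clause stating what it selects would help callers (the utility passes 0 for it, presumably meaning any file type, which is worth confirming).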
@@ -24,7 +23,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h lib
 +
 diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/matchpathcon.8 libselinux-1.30.15/man/man8/matchpathcon.8
 --- nsalibselinux/man/man8/matchpathcon.8 2006-05-15 09:43:24.000000000 -0400
-+++ libselinux-1.30.15/man/man8/matchpathcon.8 2006-06-20 10:56:07.000000000 -0400
++++ libselinux-1.30.15/man/man8/matchpathcon.8 2006-06-21 15:26:36.000000000 -0400
 @@ -3,13 +3,25 @@
 matchpathcon \- get the default security context for the specified path from the file contexts configuration.
@@ -56,8 +55,8 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/matchpathcon.8 libse
 This manual page was written by Dan Walsh .
 diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-1.30.15/src/matchpathcon.c
 --- nsalibselinux/src/matchpathcon.c 2006-05-18 12:11:17.000000000 -0400
-+++ libselinux-1.30.15/src/matchpathcon.c 2006-06-21 14:31:19.000000000 -0400
-@@ -20,12 +20,16 @@
++++ libselinux-1.30.15/src/matchpathcon.c 2006-06-21 15:37:18.000000000 -0400
+@@ -20,10 +20,12 @@
 #endif
 default_printf(const char *fmt, ...)
 {
@@ -69,58 +68,69 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux
 +#endif
 }
-+static unsigned int myflags;
-+
 static void
- #ifdef __GNUC__
- __attribute__ ((format (printf, 1, 2)))
-@@ -50,7 +54,12 @@
+@@ -50,7 +52,7 @@
 static int default_canoncon(const char *path, unsigned lineno, char **context)
 {
 char *tmpcon;
 - if (security_canonicalize_context(*context, &tmpcon) < 0) {
-+ int rc;
-+ if (myflags & MATCHPATHCON_NOTRANS)
-+ rc = security_canonicalize_context_raw(*context, &tmpcon);
-+ else
-+ rc = security_canonicalize_context(*context, &tmpcon);
-+ if ( rc < 0) {
++ if (security_canonicalize_context_raw(*context, &tmpcon) < 0) {
 if (errno == ENOENT)
 return 0;
 if (lineno)
-@@ -74,8 +83,6 @@
+@@ -74,7 +76,7 @@
 mycanoncon = &default_canoncon;
 }
 -static unsigned int myflags;
--
++static __thread unsigned int myflags;
+
 void set_matchpathcon_flags(unsigned int flags)
 {
- myflags = flags;
-@@ -580,7 +587,6 @@
- spec_arr[nspec].context_valid = 1;
- }
- }
--
- spec_arr[nspec].context = context;
+@@ -552,21 +554,6 @@
- /* Determine if specification has
-@@ -797,7 +803,6 @@
- errno = ENOENT;
- return -1;
- }
+ skip_type:
+ if (strcmp(context, "<>")) {
+- char *tmpcon = NULL;
+-
+- if (myflags & MATCHPATHCON_NOTRANS)
+- goto skip_trans;
 -
- spec_arr[i].matches++;
+- if (selinux_raw_to_trans_context(context, &tmpcon)) {
+- myprintf("%s: line %u has invalid "
+- "context %s\n",
+- path, lineno, context);
+- return 0;
+- }
+- free(context);
+- context = tmpcon;
+-
+-skip_trans:
+ if (myflags & MATCHPATHCON_VALIDATE) {
+ if (myinvalidcon) {
+ /* Old-style validation of context.
*/
+@@ -831,7 +818,12 @@
+ spec_arr[i].context_valid = 1;
+ }
+
+- *con = strdup(spec_arr[i].context);
++ if (myflags & MATCHPATHCON_NOTRANS) {
++ *con = strdup(spec_arr[i].context);
++ } else {
++ if (selinux_raw_to_trans_context(spec_arr[i].context, con))
++ return -1;
++ }
+ if (!(*con))
+ return -1;
- return i;
-@@ -877,3 +882,73 @@
+@@ -877,3 +869,72 @@
 }
 }
 }
 +
 +/* Compare two contexts to see if their differences are "significant",
 + * or whether the only difference is in the user. */
-+int selinux_context_cmp(const security_context_t a, const security_context_t b)
++int selinux_file_context_cmp(const security_context_t a, const security_context_t b)
 +{
 + char *rest_a, *rest_b; /* Rest of the context after the user */
 + if (!a && !b) return 0;
@@ -134,16 +144,14 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux
 + return strcmp(rest_a, rest_b);
 +}
 +
-+int selinux_verify_file_context(const char *path, mode_t mode)
++int selinux_file_context_verify(const char *path, mode_t mode)
 +{
 + security_context_t con = NULL;
 + security_context_t fcontext = NULL;
++ unsigned int localflags=myflags;
 + int rc=0;
 +
-+ if (myflags & MATCHPATHCON_NOTRANS)
-+ rc = lgetfilecon_raw(path, &con);
-+ else
-+ rc = lgetfilecon(path, &con);
++ rc = lgetfilecon_raw(path, &con);
 + if (rc == -1) {
 + if (errno != ENOTSUP)
 + return 1;
@@ -151,14 +159,16 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux
 + return 0;
 + }
 +
++ set_matchpathcon_flags(myflags | MATCHPATHCON_NOTRANS);
 + if (matchpathcon(path,mode,&fcontext) != 0) {
-+ if (fcontext == NULL && errno != ENOENT)
++ if (errno != ENOENT)
 + rc = 1;
 + else
 + rc = 0;
 + }
 + else
-+ rc = (selinux_context_cmp(fcontext, con) == 0);
++ rc = (selinux_file_context_cmp(fcontext, con) == 0);
++ set_matchpathcon_flags(localflags);
 + freecon(con);
 + freecon(fcontext);
 + return rc;
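Review bot: In the @@ -831 part of this hunk the new translation-failure path, `if (selinux_raw_to_trans_context(spec_arr[i].context, con)) return -1;`, returns without setting errno unless that function is documented to do so, while the new callers inspect errno after a failed `matchpathcon()` (`errno != ENOENT` in the hunk at @@ -151, `errno == ENOENT` in the hunk at @@ -178); a stale ENOENT from an earlier call would then make a translation failure look like "no default context". Setting errno explicitly on that path, e.g. `{ errno = EINVAL; return -1; }`, keeps the errno-based contract consistent, or the callers should stop relying on errno. Separately, `static __thread unsigned int myflags;` uses a GCC extension without the `#ifdef __GNUC__` guard this file puts around `__attribute__` (visible in the removed context lines of the same hunk), so a comment such as `/* __thread: per-thread flags, GCC/glibc extension */` or a guard would be worth adding. The enclosing functions of this hunk start and end outside it.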
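Review bot: On the `lgetfilecon_raw` failure path of `selinux_file_context_verify`, `if (errno != ENOTSUP) return 1;` returns the same value the function later uses for a successful match (`rc = (selinux_file_context_cmp(fcontext, con) == 0)` in the next hunk at @@ -151, where a failed `matchpathcon()` with `errno != ENOENT` also sets `rc = 1`). Because the utility in the hunk at @@ -252 prints `verified.` for any nonzero return, a file whose label cannot be read (for example with EACCES) or whose lookup fails is reported as verified, which defeats the purpose of a verification call. Errors should be distinguishable from a match, e.g. `return -1;` here and `rc = (errno == ENOENT) ? 0 : -1;` at @@ -151, with the utility testing `== 1`; whichever convention is chosen should also be the one stated in the selinux.h comment. `selinux_file_context_verify` continues past the end of this hunk.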
@@ -178,8 +188,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux
 + /* If there's an error determining the context, or it has none,
 + return to allow default context */
 + if (matchpathcon(path, st.st_mode, &scontext)) {
-+ if (scontext == NULL && errno != ENOENT)
-+ rc =0;
++ if (errno == ENOENT) rc = 0;
 + } else {
 + rc = lsetfilecon_raw(path, scontext);
 + freecon(scontext);
@@ -189,7 +198,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux
 +}
 diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselinux-1.30.15/utils/matchpathcon.c
 --- nsalibselinux/utils/matchpathcon.c 2006-05-18 12:11:17.000000000 -0400
-+++ libselinux-1.30.15/utils/matchpathcon.c 2006-06-21 09:05:20.000000000 -0400
++++ libselinux-1.30.15/utils/matchpathcon.c 2006-06-21 15:26:36.000000000 -0400
 @@ -12,19 +12,44 @@
 exit(1);
 }
@@ -252,7 +261,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselin
 - else
 - printf("%s\n", buf);
 + if (verify) {
-+ if (selinux_verify_file_context(argv[i], 0)) {
++ if (selinux_file_context_verify(argv[i], 0)) {
 + printf("%s verified.\n", argv[i]);
 + } else {
 + security_context_t con;
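Review bot: `if (errno == ENOENT) rc = 0;` puts the body on the condition line, unlike the braced `} else {` branch beside it and the two-line `if (!(*con))` / `return -1;` form the same patch uses at @@ -831; `if (errno == ENOENT)` followed by `rc = 0;` on its own line keeps the style uniform. The value `rc` keeps when errno is anything else is assigned outside this hunk, so the function's failure result cannot be confirmed here, and the errno test only works if every failing `matchpathcon()` path sets errno. `selinux_lsetfilecon_default` starts and ends outside the hunk.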