diff --git libsemanage-2.6/src/Makefile libsemanage-2.6/src/Makefile
index 68aab72..913fc0a 100644
--- libsemanage-2.6/src/Makefile
+++ libsemanage-2.6/src/Makefile
@@ -2,7 +2,7 @@
# runtimes (e.g. Python 2 vs Python 3) by optionally prefixing the build
# targets with "PYPREFIX":
PYTHON ?= python
-PYPREFIX ?= $(notdir $(PYTHON))
+PYPREFIX ?= $(shell $(PYTHON) -c 'import sys;print("python-%d.%d" % sys.version_info[:2])')
RUBY ?= ruby
RUBYPREFIX ?= $(notdir $(RUBY))
PKG_CONFIG ?= pkg-config
@@ -14,11 +14,12 @@ SHLIBDIR ?= $(DESTDIR)/lib
INCLUDEDIR ?= $(PREFIX)/include
PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % sys.version_info[0:2])')
PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
-PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
-RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")')
-RUBYPLATFORM ?= $(shell $(RUBY) -e 'print RUBY_PLATFORM')
-RUBYINC ?= $(shell $(PKG_CONFIG) --cflags ruby-$(RUBYLIBVER))
-RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
+PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX))
+PYSITEDIR ?= $(DESTDIR)$(shell $(PYTHON) -c 'import site; print(site.getsitepackages()[0])')
+PYCEXT ?= $(shell $(PYTHON) -c 'import imp;print([s for s,m,t in imp.get_suffixes() if t == imp.C_EXTENSION][0])')
+RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]')
+RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -lruby"')
+RUBYINSTALL ?= $(DESTDIR)$(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]')
LIBBASE=$(shell basename $(LIBDIR))
@@ -81,10 +82,10 @@ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
$(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $<
$(SWIGSO): $(SWIGLOBJ)
- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lsemanage -L$(LIBDIR)
+ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lsemanage $(PYLIBS) -L$(LIBDIR)
$(SWIGRUBYSO): $(SWIGRUBYLOBJ)
- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. -lsemanage -L$(LIBDIR)
+ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. -lsemanage $(RUBYLIBS) -L$(LIBDIR)
$(LIBA): $(OBJS)
$(AR) rcs $@ $^
@@ -98,7 +99,7 @@ $(LIBPC): $(LIBPC).in ../VERSION
sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
semanageswig_python_exception.i: ../include/semanage/semanage.h
- bash exception.sh > $@
+ bash -e exception.sh > $@ || (rm -f $@ ; false)
conf-scan.c: conf-scan.l conf-parse.h
$(LEX) $(LFLAGS) -t $< > $@
@@ -145,9 +146,9 @@ install: all
cd $(LIBDIR) && ln -sf $(LIBSO) $(TARGET)
install-pywrap: pywrap
- test -d $(PYLIBDIR)/site-packages || install -m 755 -d $(PYLIBDIR)/site-packages
- install -m 755 $(SWIGSO) $(PYLIBDIR)/site-packages/_semanage.so
- install -m 755 semanage.py $(PYLIBDIR)/site-packages
+ test -d $(PYSITEDIR) || install -m 755 -d $(PYSITEDIR)
+ install -m 755 $(SWIGSO) $(PYSITEDIR)/_semanage$(PYCEXT)
+ install -m 644 semanage.py $(PYSITEDIR)
install-rubywrap: rubywrap
diff --git libsemanage-2.6/src/direct_api.c libsemanage-2.6/src/direct_api.c
index e5c72cd..9c3149b 100644
--- libsemanage-2.6/src/direct_api.c
+++ libsemanage-2.6/src/direct_api.c
@@ -146,9 +146,6 @@ int semanage_direct_connect(semanage_handle_t * sh)
if (semanage_create_store(sh, 1))
goto err;
- if (semanage_access_check(sh) < SEMANAGE_CAN_READ)
- goto err;
-
sh->u.direct.translock_file_fd = -1;
sh->u.direct.activelock_file_fd = -1;
@@ -345,10 +342,6 @@ static int semanage_direct_disconnect(semanage_handle_t * sh)
static int semanage_direct_begintrans(semanage_handle_t * sh)
{
-
- if (semanage_access_check(sh) != SEMANAGE_CAN_WRITE) {
- return -1;
- }
if (semanage_get_trans_lock(sh) < 0) {
return -1;
}
@@ -617,13 +610,33 @@ static int semanage_direct_update_user_extra(semanage_handle_t * sh, cil_db_t *c
}
if (size > 0) {
+ /*
+ * Write the users_extra entries from CIL modules.
+ * This file is used as our baseline when we do not require
+ * re-linking.
+ */
+ ofilename = semanage_path(SEMANAGE_TMP,
+ SEMANAGE_USERS_EXTRA_LINKED);
+ if (ofilename == NULL) {
+ retval = -1;
+ goto cleanup;
+ }
+ retval = write_file(sh, ofilename, data, size);
+ if (retval < 0)
+ goto cleanup;
+
+ /*
+ * Write the users_extra file; users_extra.local
+ * will be merged into this file.
+ */
ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA);
if (ofilename == NULL) {
- return retval;
+ retval = -1;
+ goto cleanup;
}
retval = write_file(sh, ofilename, data, size);
if (retval < 0)
- return retval;
+ goto cleanup;
pusers_extra->dtable->drop_cache(pusers_extra->dbase);
@@ -652,11 +665,33 @@ static int semanage_direct_update_seuser(semanage_handle_t * sh, cil_db_t *cildb
}
if (size > 0) {
+ /*
+ * Write the seusers entries from CIL modules.
+ * This file is used as our baseline when we do not require
+ * re-linking.
+ */
+ ofilename = semanage_path(SEMANAGE_TMP,
+ SEMANAGE_SEUSERS_LINKED);
+ if (ofilename == NULL) {
+ retval = -1;
+ goto cleanup;
+ }
+ retval = write_file(sh, ofilename, data, size);
+ if (retval < 0)
+ goto cleanup;
+
+ /*
+ * Write the seusers file; seusers.local will be merged into
+ * this file.
+ */
ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
if (ofilename == NULL) {
- return -1;
+ retval = -1;
+ goto cleanup;
}
retval = write_file(sh, ofilename, data, size);
+ if (retval < 0)
+ goto cleanup;
pseusers->dtable->drop_cache(pseusers->dbase);
} else {
@@ -1095,21 +1130,18 @@ static int semanage_direct_commit(semanage_handle_t * sh)
size_t fc_buffer_len = 0;
const char *ofilename = NULL;
const char *path;
- int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0,
- missing_seusers = 0, missing_fc = 0, missing = 0;
+ int retval = -1, num_modinfos = 0, i;
sepol_policydb_t *out = NULL;
struct cil_db *cildb = NULL;
semanage_module_info_t *modinfos = NULL;
- /* Declare some variables */
- int modified = 0, fcontexts_modified, ports_modified,
- seusers_modified, users_extra_modified, dontaudit_modified,
- preserve_tunables_modified, bools_modified = 0,
+ int do_rebuild, do_write_kernel, do_install;
+ int fcontexts_modified, ports_modified, seusers_modified,
disable_dontaudit, preserve_tunables;
dbase_config_t *users = semanage_user_dbase_local(sh);
dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
- dbase_config_t *users_extra = semanage_user_extra_dbase_local(sh);
+ dbase_config_t *pusers_extra = semanage_user_extra_dbase_policy(sh);
dbase_config_t *ports = semanage_port_dbase_local(sh);
dbase_config_t *pports = semanage_port_dbase_policy(sh);
dbase_config_t *bools = semanage_bool_dbase_local(sh);
@@ -1121,13 +1153,22 @@ static int semanage_direct_commit(semanage_handle_t * sh)
dbase_config_t *fcontexts = semanage_fcontext_dbase_local(sh);
dbase_config_t *pfcontexts = semanage_fcontext_dbase_policy(sh);
dbase_config_t *seusers = semanage_seuser_dbase_local(sh);
+ dbase_config_t *pseusers = semanage_seuser_dbase_policy(sh);
+
+ /* Modified flags that we need to use more than once. */
+ ports_modified = ports->dtable->is_modified(ports->dbase);
+ seusers_modified = seusers->dtable->is_modified(seusers->dbase);
+ fcontexts_modified = fcontexts->dtable->is_modified(fcontexts->dbase);
+
+ /* Rebuild if explicitly requested or any module changes occurred. */
+ do_rebuild = sh->do_rebuild | sh->modules_modified;
/* Create or remove the disable_dontaudit flag file. */
path = semanage_path(SEMANAGE_TMP, SEMANAGE_DISABLE_DONTAUDIT);
if (access(path, F_OK) == 0)
- dontaudit_modified = !(sepol_get_disable_dontaudit(sh->sepolh) == 1);
+ do_rebuild |= !(sepol_get_disable_dontaudit(sh->sepolh) == 1);
else
- dontaudit_modified = (sepol_get_disable_dontaudit(sh->sepolh) == 1);
+ do_rebuild |= (sepol_get_disable_dontaudit(sh->sepolh) == 1);
if (sepol_get_disable_dontaudit(sh->sepolh) == 1) {
FILE *touch;
touch = fopen(path, "w");
@@ -1150,9 +1191,9 @@ static int semanage_direct_commit(semanage_handle_t * sh)
/* Create or remove the preserve_tunables flag file. */
path = semanage_path(SEMANAGE_TMP, SEMANAGE_PRESERVE_TUNABLES);
if (access(path, F_OK) == 0)
- preserve_tunables_modified = !(sepol_get_preserve_tunables(sh->sepolh) == 1);
+ do_rebuild |= !(sepol_get_preserve_tunables(sh->sepolh) == 1);
else
- preserve_tunables_modified = (sepol_get_preserve_tunables(sh->sepolh) == 1);
+ do_rebuild |= (sepol_get_preserve_tunables(sh->sepolh) == 1);
if (sepol_get_preserve_tunables(sh->sepolh) == 1) {
FILE *touch;
touch = fopen(path, "w");
@@ -1180,54 +1221,75 @@ static int semanage_direct_commit(semanage_handle_t * sh)
goto cleanup;
}
- /* Decide if anything was modified */
- fcontexts_modified = fcontexts->dtable->is_modified(fcontexts->dbase);
- seusers_modified = seusers->dtable->is_modified(seusers->dbase);
- users_extra_modified =
- users_extra->dtable->is_modified(users_extra->dbase);
- ports_modified = ports->dtable->is_modified(ports->dbase);
- bools_modified = bools->dtable->is_modified(bools->dbase);
-
- modified = sh->modules_modified;
- modified |= seusers_modified;
- modified |= users_extra_modified;
- modified |= ports_modified;
- modified |= users->dtable->is_modified(users_base->dbase);
- modified |= ifaces->dtable->is_modified(ifaces->dbase);
- modified |= nodes->dtable->is_modified(nodes->dbase);
- modified |= dontaudit_modified;
- modified |= preserve_tunables_modified;
-
- /* This is for systems that have already migrated with an older version
- * of semanage_migrate_store. The older version did not copy policy.kern so
- * the policy binary must be rebuilt here.
+ /*
+ * This is for systems that have already migrated with an older version
+ * of semanage_migrate_store. The older version did not copy
+ * policy.kern so the policy binary must be rebuilt here.
+ * This also ensures that any linked files that are required
+ * in order to skip re-linking are present; otherwise, we force
+ * a rebuild.
*/
- if (!sh->do_rebuild && !modified) {
+ if (!do_rebuild) {
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL);
-
if (access(path, F_OK) != 0) {
- missing_policy_kern = 1;
+ do_rebuild = 1;
+ goto rebuild;
}
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
-
if (access(path, F_OK) != 0) {
- missing_fc = 1;
+ do_rebuild = 1;
+ goto rebuild;
}
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
+ if (access(path, F_OK) != 0) {
+ do_rebuild = 1;
+ goto rebuild;
+ }
+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_LINKED);
if (access(path, F_OK) != 0) {
- missing_seusers = 1;
+ do_rebuild = 1;
+ goto rebuild;
}
- }
- missing |= missing_policy_kern;
- missing |= missing_fc;
- missing |= missing_seusers;
+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_SEUSERS_LINKED);
+ if (access(path, F_OK) != 0) {
+ do_rebuild = 1;
+ goto rebuild;
+ }
+
+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA_LINKED);
+ if (access(path, F_OK) != 0) {
+ do_rebuild = 1;
+ goto rebuild;
+ }
+ }
- /* If there were policy changes, or explicitly requested, rebuild the policy */
- if (sh->do_rebuild || modified || missing) {
+rebuild:
+ /*
+ * Now that we know whether or not a rebuild is required,
+ * we can determine what else needs to be done.
+ * We need to write the kernel policy if we are rebuilding
+ * or if any other policy component that lives in the kernel
+ * policy has been modified.
+ * We need to install the policy files if any of the managed files
+ * that live under /etc/selinux (kernel policy, seusers, file contexts)
+ * will be modified.
+ */
+ do_write_kernel = do_rebuild | ports_modified |
+ bools->dtable->is_modified(bools->dbase) |
+ ifaces->dtable->is_modified(ifaces->dbase) |
+ nodes->dtable->is_modified(nodes->dbase) |
+ users->dtable->is_modified(users_base->dbase);
+ do_install = do_write_kernel | seusers_modified | fcontexts_modified;
+
+ /*
+ * If there were policy changes, or explicitly requested, or
+ * any required files are missing, rebuild the policy.
+ */
+ if (do_rebuild) {
/* =================== Module expansion =============== */
retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos);
@@ -1316,43 +1378,72 @@ static int semanage_direct_commit(semanage_handle_t * sh)
goto cleanup;
cil_db_destroy(&cildb);
-
+
+ /* Write the linked policy before merging local changes. */
+ retval = semanage_write_policydb(sh, out,
+ SEMANAGE_LINKED);
+ if (retval < 0)
+ goto cleanup;
} else {
- /* Load already linked policy */
+ /* Load the existing linked policy, w/o local changes */
retval = sepol_policydb_create(&out);
if (retval < 0)
goto cleanup;
- retval = semanage_read_policydb(sh, out);
+ retval = semanage_read_policydb(sh, out, SEMANAGE_LINKED);
if (retval < 0)
goto cleanup;
- }
- if (sh->do_rebuild || modified || bools_modified) {
- /* Attach to policy databases that work with a policydb. */
- dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase, out);
- dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out);
- dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out);
- dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out);
- dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out);
+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_SEUSERS_LINKED);
+ if (access(path, F_OK) == 0) {
+ retval = semanage_copy_file(path,
+ semanage_path(SEMANAGE_TMP,
+ SEMANAGE_STORE_SEUSERS),
+ sh->conf->file_mode);
+ if (retval < 0)
+ goto cleanup;
+ pseusers->dtable->drop_cache(pseusers->dbase);
+ } else {
+ pseusers->dtable->clear(sh, pseusers->dbase);
+ }
+
+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA_LINKED);
+ if (access(path, F_OK) == 0) {
+ retval = semanage_copy_file(path,
+ semanage_path(SEMANAGE_TMP,
+ SEMANAGE_USERS_EXTRA),
+ sh->conf->file_mode);
+ if (retval < 0)
+ goto cleanup;
+ pusers_extra->dtable->drop_cache(pusers_extra->dbase);
+ } else {
+ pusers_extra->dtable->clear(sh, pusers_extra->dbase);
+ }
+ }
- /* ============= Apply changes, and verify =============== */
+ /* Attach our databases to the policydb we just created or loaded. */
+ dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase, out);
+ dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out);
+ dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out);
+ dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out);
+ dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out);
- retval = semanage_base_merge_components(sh);
- if (retval < 0)
- goto cleanup;
+ /* Merge local changes */
+ retval = semanage_base_merge_components(sh);
+ if (retval < 0)
+ goto cleanup;
- retval = semanage_write_policydb(sh, out);
+ if (do_write_kernel) {
+ /* Write new kernel policy. */
+ retval = semanage_write_policydb(sh, out,
+ SEMANAGE_STORE_KERNEL);
if (retval < 0)
goto cleanup;
+ /* Run the kernel policy verifier, if any. */
retval = semanage_verify_kernel(sh);
if (retval < 0)
goto cleanup;
- } else {
- retval = semanage_base_merge_components(sh);
- if (retval < 0)
- goto cleanup;
}
/* ======= Post-process: Validate non-policydb components ===== */
@@ -1361,21 +1452,21 @@ static int semanage_direct_commit(semanage_handle_t * sh)
* Note: those are still cached, even though they've been
* merged into the main file_contexts. We won't check the
* large file_contexts - checked at compile time */
- if (sh->do_rebuild || modified || fcontexts_modified) {
+ if (do_rebuild || fcontexts_modified) {
retval = semanage_fcontext_validate_local(sh, out);
if (retval < 0)
goto cleanup;
}
/* Validate local seusers against policy */
- if (sh->do_rebuild || modified || seusers_modified) {
+ if (do_rebuild || seusers_modified) {
retval = semanage_seuser_validate_local(sh, out);
if (retval < 0)
goto cleanup;
}
/* Validate local ports for overlap */
- if (sh->do_rebuild || modified || ports_modified) {
+ if (do_rebuild || ports_modified) {
retval = semanage_port_validate_local(sh);
if (retval < 0)
goto cleanup;
@@ -1396,33 +1487,27 @@ static int semanage_direct_commit(semanage_handle_t * sh)
}
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
- if (access(path, F_OK) == 0) {
- retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
- sh->conf->file_mode);
- if (retval < 0) {
- goto cleanup;
- }
+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
+ sh->conf->file_mode);
+ if (retval < 0 && errno != ENOENT) {
+ goto cleanup;
}
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
- if (access(path, F_OK) == 0) {
- retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
- sh->conf->file_mode);
- if (retval < 0) {
- goto cleanup;
- }
+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
+ sh->conf->file_mode);
+ if (retval < 0 && errno != ENOENT) {
+ goto cleanup;
}
path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
- if (access(path, F_OK) == 0) {
- retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
- sh->conf->file_mode);
- if (retval < 0) {
- goto cleanup;
- }
+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
+ sh->conf->file_mode);
+ if (retval < 0 && errno != ENOENT) {
+ goto cleanup;
}
/* run genhomedircon if its enabled, this should be the last operation
@@ -1444,9 +1529,8 @@ static int semanage_direct_commit(semanage_handle_t * sh)
sepol_policydb_free(out);
out = NULL;
- if (sh->do_rebuild || modified || bools_modified || fcontexts_modified) {
+ if (do_install)
retval = semanage_install_sandbox(sh);
- }
cleanup:
for (i = 0; i < num_modinfos; i++) {
@@ -1458,14 +1542,12 @@ cleanup:
free(mod_filenames[i]);
}
- if (modified || bools_modified) {
- /* Detach from policydb, so it can be freed */
- dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase);
- dbase_policydb_detach((dbase_policydb_t *) pports->dbase);
- dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase);
- dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase);
- dbase_policydb_detach((dbase_policydb_t *) pbools->dbase);
- }
+ /* Detach from policydb, so it can be freed */
+ dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase);
+ dbase_policydb_detach((dbase_policydb_t *) pports->dbase);
+ dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase);
+ dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase);
+ dbase_policydb_detach((dbase_policydb_t *) pbools->dbase);
free(mod_filenames);
sepol_policydb_free(out);
@@ -1981,7 +2063,7 @@ int semanage_direct_mls_enabled(semanage_handle_t * sh)
if (retval < 0)
goto cleanup;
- retval = semanage_read_policydb(sh, p);
+ retval = semanage_read_policydb(sh, p, SEMANAGE_STORE_KERNEL);
if (retval < 0)
goto cleanup;
diff --git libsemanage-2.6/src/semanage_store.c libsemanage-2.6/src/semanage_store.c
index ca29257..4b87d67 100644
--- libsemanage-2.6/src/semanage_store.c
+++ libsemanage-2.6/src/semanage_store.c
@@ -95,7 +95,7 @@ static const char *semanage_store_paths[SEMANAGE_NUM_STORES] = {
static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
"",
"/modules",
- "/base.linked",
+ "/policy.linked",
"/homedir_template",
"/file_contexts.template",
"/commit_num",
@@ -104,8 +104,10 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
"/nodes.local",
"/booleans.local",
"/seusers.local",
+ "/seusers.linked",
"/users.local",
"/users_extra.local",
+ "/users_extra.linked",
"/users_extra",
"/disable_dontaudit",
"/preserve_tunables",
@@ -533,7 +535,6 @@ char *semanage_conf_path(void)
int semanage_create_store(semanage_handle_t * sh, int create)
{
struct stat sb;
- int mode_mask = R_OK | W_OK | X_OK;
const char *path = semanage_files[SEMANAGE_ROOT];
int fd;
@@ -552,9 +553,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
return -1;
}
} else {
- if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
+ if (!S_ISDIR(sb.st_mode)) {
ERR(sh,
- "Could not access module store at %s, or it is not a directory.",
+ "Module store at %s is not a directory.",
path);
return -1;
}
@@ -575,9 +576,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
return -1;
}
} else {
- if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
+ if (!S_ISDIR(sb.st_mode)) {
ERR(sh,
- "Could not access module store active subdirectory at %s, or it is not a directory.",
+ "Module store active subdirectory at %s is not a directory.",
path);
return -1;
}
@@ -598,9 +599,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
return -1;
}
} else {
- if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
+ if (!S_ISDIR(sb.st_mode)) {
ERR(sh,
- "Could not access module store active modules subdirectory at %s, or it is not a directory.",
+ "Module store active modules subdirectory at %s is not a directory.",
path);
return -1;
}
@@ -619,8 +620,8 @@ int semanage_create_store(semanage_handle_t * sh, int create)
return -1;
}
} else {
- if (!S_ISREG(sb.st_mode) || access(path, R_OK | W_OK) == -1) {
- ERR(sh, "Could not access lock file at %s.", path);
+ if (!S_ISREG(sb.st_mode)) {
+ ERR(sh, "Lock file at %s missing.", path);
return -1;
}
}
@@ -1158,7 +1159,7 @@ cleanup:
free(all_modinfos);
if (status != 0) {
- for (i = 0; i < j; j++) {
+ for (i = 0; i < j; i++) {
semanage_module_info_destroy(sh, &(*modinfo)[i]);
}
free(*modinfo);
@@ -2037,9 +2038,10 @@ int semanage_load_files(semanage_handle_t * sh, cil_db_t *cildb, char **filename
*/
/**
- * Read the policy from the sandbox (kernel)
+ * Read the policy from the sandbox (linked or kernel)
*/
-int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
+int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in,
+ enum semanage_sandbox_defs file)
{
int retval = STATUS_ERR;
@@ -2048,7 +2050,7 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
FILE *infile = NULL;
if ((kernel_filename =
- semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL)) == NULL) {
+ semanage_path(SEMANAGE_ACTIVE, file)) == NULL) {
goto cleanup;
}
if ((infile = fopen(kernel_filename, "r")) == NULL) {
@@ -2078,9 +2080,10 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
return retval;
}
/**
- * Writes the final policy to the sandbox (kernel)
+ * Writes the policy to the sandbox (linked or kernel)
*/
-int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
+int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out,
+ enum semanage_sandbox_defs file)
{
int retval = STATUS_ERR;
@@ -2089,7 +2092,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
FILE *outfile = NULL;
if ((kernel_filename =
- semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL)) == NULL) {
+ semanage_path(SEMANAGE_TMP, file)) == NULL) {
goto cleanup;
}
if ((outfile = fopen(kernel_filename, "wb")) == NULL) {
diff --git libsemanage-2.6/src/semanage_store.h libsemanage-2.6/src/semanage_store.h
index c5b33c8..0b96fbe 100644
--- libsemanage-2.6/src/semanage_store.h
+++ libsemanage-2.6/src/semanage_store.h
@@ -49,8 +49,10 @@ enum semanage_sandbox_defs {
SEMANAGE_NODES_LOCAL,
SEMANAGE_BOOLEANS_LOCAL,
SEMANAGE_SEUSERS_LOCAL,
+ SEMANAGE_SEUSERS_LINKED,
SEMANAGE_USERS_BASE_LOCAL,
SEMANAGE_USERS_EXTRA_LOCAL,
+ SEMANAGE_USERS_EXTRA_LINKED,
SEMANAGE_USERS_EXTRA,
SEMANAGE_DISABLE_DONTAUDIT,
SEMANAGE_PRESERVE_TUNABLES,
@@ -129,10 +131,12 @@ int semanage_load_files(semanage_handle_t * sh,
cil_db_t *cildb, char **filenames, int num_modules);
int semanage_read_policydb(semanage_handle_t * sh,
- sepol_policydb_t * policydb);
+ sepol_policydb_t * policydb,
+ enum semanage_sandbox_defs file);
int semanage_write_policydb(semanage_handle_t * sh,
- sepol_policydb_t * policydb);
+ sepol_policydb_t * policydb,
+ enum semanage_sandbox_defs file);
int semanage_install_sandbox(semanage_handle_t * sh);
diff --git libsemanage-2.6/src/seuser_record.c libsemanage-2.6/src/seuser_record.c
index 8823b1e..1ed4594 100644
--- libsemanage-2.6/src/seuser_record.c
+++ libsemanage-2.6/src/seuser_record.c
@@ -33,7 +33,7 @@ struct semanage_seuser {
struct semanage_seuser_key {
/* This user's name */
- const char *name;
+ char *name;
};
int semanage_seuser_key_create(semanage_handle_t * handle,
@@ -48,7 +48,12 @@ int semanage_seuser_key_create(semanage_handle_t * handle,
ERR(handle, "out of memory, could not create seuser key");
return STATUS_ERR;
}
- tmp_key->name = name;
+ tmp_key->name = strdup(name);
+ if (!tmp_key->name) {
+ ERR(handle, "out of memory, could not create seuser key");
+ free(tmp_key);
+ return STATUS_ERR;
+ }
*key_ptr = tmp_key;
return STATUS_SUCCESS;
@@ -75,7 +80,7 @@ hidden_def(semanage_seuser_key_extract)
void semanage_seuser_key_free(semanage_seuser_key_t * key)
{
-
+ free(key->name);
free(key);
}