From 313692bb8eb62ffcde3ed0513a11785f0cf797cc Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sep 10 2008 14:37:31 +0000
Subject: - Additional fixes for Don't rebuild on fcontext or seuser modifications
---
diff --git a/libsemanage-rhat.patch b/libsemanage-rhat.patch
index 799f919..884a543 100644
--- a/libsemanage-rhat.patch
+++ b/libsemanage-rhat.patch
@@ -1,7 +1,82 @@ diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c libsemanage-2.0.27/src/direct_api.c ---- nsalibsemanage/src/direct_api.c 2008-06-12 23:25:16.000000000 -0400 -+++ libsemanage-2.0.27/src/direct_api.c 2008-08-26 10:25:38.000000000 -0400 -@@ -489,12 +489,6 @@ +--- nsalibsemanage/src/direct_api.c 2008-08-28 09:34:24.000000000 -0400 ++++ libsemanage-2.0.27/src/direct_api.c 2008-09-10 10:22:42.000000000 -0400 +@@ -430,6 +430,58 @@ + } + return 0; + } ++static int semanage_direct_update_user_extra(semanage_handle_t * sh, sepol_module_package_t *base ) { ++ const char *ofilename = NULL; ++ int retval = -1; ++ ++ dbase_config_t *pusers_extra = semanage_user_extra_dbase_policy(sh); ++ ++ if (sepol_module_package_get_user_extra_len(base)) { ++ ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA); ++ if (ofilename == NULL) { ++ return retval; ++ } ++ retval = write_file(sh, ofilename, ++ sepol_module_package_get_user_extra(base), ++ sepol_module_package_get_user_extra_len(base)); ++ if (retval < 0) ++ return retval; ++ ++ pusers_extra->dtable->drop_cache(pusers_extra->dbase); ++ ++ } else { ++ retval = pusers_extra->dtable->clear(sh, pusers_extra->dbase); ++ } ++ ++ return retval; ++} ++ ++ ++static int semanage_direct_update_seuser(semanage_handle_t * sh, sepol_module_package_t *base ) { ++ ++ const char *ofilename = NULL; ++ int retval = -1; ++ ++ dbase_config_t *pseusers = semanage_seuser_dbase_policy(sh); ++ ++ if (sepol_module_package_get_seusers_len(base)) { ++ ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_SEUSERS); ++ if (ofilename == NULL) { ++ return -1; ++ } ++ retval = write_file(sh, ofilename, ++ sepol_module_package_get_seusers(base), ++ sepol_module_package_get_seusers_len(base)); ++ if (retval < 0) ++ return retval; ++ ++ pseusers->dtable->drop_cache(pseusers->dbase); ++ ++ } else { ++ retval = pseusers->dtable->clear(sh, pseusers->dbase); ++ } ++ return retval; ++} + + /********************* direct API functions 
********************/ + +@@ -453,7 +505,6 @@ + dbase_config_t *users_base = semanage_user_base_dbase_local(sh); + dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh); + dbase_config_t *users_extra = semanage_user_extra_dbase_local(sh); +- dbase_config_t *pusers_extra = semanage_user_extra_dbase_policy(sh); + dbase_config_t *ports = semanage_port_dbase_local(sh); + dbase_config_t *pports = semanage_port_dbase_policy(sh); + dbase_config_t *bools = semanage_bool_dbase_local(sh); +@@ -465,7 +516,6 @@ + dbase_config_t *fcontexts = semanage_fcontext_dbase_local(sh); + dbase_config_t *pfcontexts = semanage_fcontext_dbase_policy(sh); + dbase_config_t *seusers = semanage_seuser_dbase_local(sh); +- dbase_config_t *pseusers = semanage_seuser_dbase_policy(sh); + + /* Before we do anything else, flush the join to its component parts. + * This *does not* flush to disk automatically */ +@@ -489,12 +539,6 @@ modified |= ifaces->dtable->is_modified(ifaces->dbase); modified |= nodes->dtable->is_modified(nodes->dbase); 
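Review bot: `semanage_direct_update_user_extra()` and `semanage_direct_update_seuser()` are the same function with the dbase, the SEMANAGE_TMP path constant and the two package getters swapped, and neither has a header comment; one static helper taking those as parameters would keep the two from drifting — they already differ in the `semanage_path()` failure branch, which returns `retval` in one and the literal `-1` in the other. If they stay separate, each wants a comment along the lines of `/* Write the package's seusers payload into the sandbox and drop the policy dbase cache, or clear the dbase when the package carries none; returns the write_file()/clear() result, negative on error. */`. Both signatures also carry a stray space in `*base )`, repeated at the two call sites in the next hunk.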
@@ -14,7 +89,60 @@ diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c libsemanage /* If there were policy changes, or explicitly requested, rebuild the policy */ if (sh->do_rebuild || modified) { -@@ -667,11 +661,33 @@ +@@ -575,46 +619,13 @@ + + pfcontexts->dtable->drop_cache(pfcontexts->dbase); + +- /* Seusers */ +- if (sepol_module_package_get_seusers_len(base)) { +- ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_SEUSERS); +- if (ofilename == NULL) { +- retval = -1; +- goto cleanup; +- } +- retval = write_file(sh, ofilename, +- sepol_module_package_get_seusers(base), +- sepol_module_package_get_seusers_len(base)); +- if (retval < 0) +- goto cleanup; +- +- pseusers->dtable->drop_cache(pseusers->dbase); +- +- } else { +- retval = pseusers->dtable->clear(sh, pseusers->dbase); +- if (retval < 0) +- goto cleanup; +- } +- +- /* Users_extra */ +- if (sepol_module_package_get_user_extra_len(base)) { +- ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA); +- if (ofilename == NULL) { +- retval = -1; +- goto cleanup; +- } +- retval = write_file(sh, ofilename, +- sepol_module_package_get_user_extra(base), +- sepol_module_package_get_user_extra_len(base)); +- if (retval < 0) +- goto cleanup; +- pusers_extra->dtable->drop_cache(pusers_extra->dbase); ++ retval = semanage_direct_update_seuser(sh, base ); ++ if (retval < 0) ++ goto cleanup; + +- } else { +- retval = pusers_extra->dtable->clear(sh, pusers_extra->dbase); +- if (retval < 0) +- goto cleanup; +- } ++ retval = semanage_direct_update_user_extra(sh, base ); ++ if (retval < 0) ++ goto cleanup; + + /* Netfilter Contexts */ + /* Sort the netfilter contexts. */ +@@ -667,11 +678,41 @@ retval = semanage_verify_kernel(sh); if (retval < 0) goto cleanup; 
@@ -23,35 +151,43 @@ diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c libsemanage + retval = sepol_policydb_create(&out); + if (retval < 0) + goto cleanup; -+ ++ + retval = semanage_read_policydb(sh, out); + if (retval < 0) + goto cleanup; + -+ /* dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase,out); -+ dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out); -+ dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out); -+ dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out); -+ dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out); -+ */ -+ if (seusers_modified) { -+ retval = pseusers->dtable->clear(sh, pseusers->dbase); ++ if (seusers_modified || users_extra_modified) { ++ retval = semanage_link_base(sh, &base); + if (retval < 0) + goto cleanup; -+ } ++ ++ if (seusers_modified) { ++ retval = semanage_direct_update_seuser(sh, base ); ++ if (retval < 0) ++ goto cleanup; ++ } ++ if (users_extra_modified) { ++ /* Users_extra */ ++ retval = semanage_direct_update_user_extra(sh, base ); ++ if (retval < 0) ++ goto cleanup; ++ } - /* FIXME: else if !modified, but seusers_modified, - * load the existing policy instead of rebuilding */ ++ sepol_module_package_free(base); ++ base = NULL; ++ } + + retval = semanage_base_merge_components(sh); + if (retval < 0) + goto cleanup; - -+ /* Seusers */ ++ + } /* ======= Post-process: Validate non-policydb components ===== */ /* Validate local modifications to file contexts. -@@ -724,7 +740,8 @@ +@@ -724,7 +765,8 @@ sepol_policydb_free(out); out = NULL; @@ -61,7 +197,7 @@ diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c libsemanage retval = semanage_install_sandbox(sh); } -@@ -733,12 +750,14 @@ +@@ -733,12 +775,14 @@ free(mod_filenames[i]); } 
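Review bot: When `semanage_link_base()` succeeds but `semanage_direct_update_seuser()` or `semanage_direct_update_user_extra()` fails, the `goto cleanup` skips the only release of `base`, which sits at the end of the new block (`sepol_module_package_free(base); base = NULL;`); unless the cleanup label, which lies outside this hunk, also frees `base`, every error in this non-rebuild branch leaks the loaded module package. Because `base` is reset to NULL on the success path, a single `sepol_module_package_free(base);` at cleanup would cover both paths, provided that call tolerates NULL the way the unconditional `sepol_policydb_free(out)` at cleanup appears to — confirm against libsepol. The enclosing semanage_direct_commit() body starts and ends outside the hunk.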
@@ -83,8 +219,8 @@ diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c libsemanage
free(mod_filenames);
sepol_policydb_free(out);
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libsemanage-2.0.27/src/genhomedircon.c
---- nsalibsemanage/src/genhomedircon.c 2008-08-05 09:57:28.000000000 -0400
-+++ libsemanage-2.0.27/src/genhomedircon.c 2008-08-26 10:30:30.000000000 -0400
+--- nsalibsemanage/src/genhomedircon.c 2008-08-28 09:34:24.000000000 -0400
++++ libsemanage-2.0.27/src/genhomedircon.c 2008-09-10 10:22:42.000000000 -0400
@@ -487,7 +487,6 @@
const char *role_prefix)
{
@@ -102,8 +238,8 @@ diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libseman
};
Ustr *line = USTR_NULL;
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage.conf libsemanage-2.0.27/src/semanage.conf
---- nsalibsemanage/src/semanage.conf 2008-06-12 23:25:16.000000000 -0400
-+++ libsemanage-2.0.27/src/semanage.conf 2008-08-14 14:53:32.000000000 -0400
+--- nsalibsemanage/src/semanage.conf 2008-08-28 09:34:24.000000000 -0400
++++ libsemanage-2.0.27/src/semanage.conf 2008-09-10 10:22:42.000000000 -0400
@@ -35,4 +35,4 @@
# given in . Change this setting if a different
# version is necessary.
@@ -111,9 +247,51 @@ diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage.conf libsemanag - +expand-check=0 diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c libsemanage-2.0.27/src/semanage_store.c ---- nsalibsemanage/src/semanage_store.c 2008-06-12 23:25:16.000000000 -0400 -+++ libsemanage-2.0.27/src/semanage_store.c 2008-08-14 14:53:32.000000000 -0400 -@@ -1648,6 +1648,47 @@ +--- nsalibsemanage/src/semanage_store.c 2008-08-28 09:34:24.000000000 -0400 ++++ libsemanage-2.0.27/src/semanage_store.c 2008-09-10 10:24:12.000000000 -0400 +@@ -1608,6 +1608,41 @@ + return retval; + } + ++/* Links only the base module within the sandbox into the base module. ++ * '*base' will point to the module package that contains everything ++ * linked together (caller must call sepol_module_package_destroy() on ++ * it afterwards). '*base' will be set to NULL upon entering this ++ * function. Returns 0 on success, -1 on error. ++ */ ++int semanage_link_base(semanage_handle_t * sh, ++ sepol_module_package_t ** base) ++{ ++ const char *base_filename = NULL; ++ int retval = -1; ++ ++ *base = NULL; ++ ++ /* first make sure that base module is readable */ ++ if ((base_filename = ++ semanage_path(SEMANAGE_TMP, SEMANAGE_BASE)) == NULL) { ++ goto cleanup; ++ } ++ if (access(base_filename, R_OK) == -1) { ++ ERR(sh, "Could not access sandbox base file %s.", ++ base_filename); ++ goto cleanup; ++ } ++ ++ if (semanage_load_module(sh, base_filename, base) == -1) { ++ goto cleanup; ++ } ++ ++ retval = 0; ++ ++ cleanup: ++ return retval; ++} ++ + /* + * Expands the policy contained within *base + */ +@@ -1648,6 +1683,47 @@ } /** 
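Review bot: The header comment on `semanage_link_base()` does not match the function: nothing is linked — it resolves the sandbox base path and loads that single module package into `*base` via `semanage_load_module()` — and it tells the caller to use `sepol_module_package_destroy()`, while the caller added to direct_api.c in this same commit releases it with `sepol_module_package_free()`. Suggest `/* Load the base module package from the sandbox into '*base' (set to NULL on entry); the caller releases it with sepol_module_package_free(). Returns 0 on success, -1 on error. */`. The `access(base_filename, R_OK)` pre-check only buys a friendlier ERR() message: the open inside `semanage_load_module()` still decides, so a file that changes between the two calls is handled by that path rather than this one. The `cleanup:` label does nothing but `return retval`, so the three `goto cleanup` could be plain `return -1`.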
@@ -162,9 +340,16 @@ diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c libsema
*/
int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.h libsemanage-2.0.27/src/semanage_store.h
---- nsalibsemanage/src/semanage_store.h 2008-06-12 23:25:16.000000000 -0400
-+++ libsemanage-2.0.27/src/semanage_store.h 2008-08-14 14:53:32.000000000 -0400
-@@ -97,6 +97,9 @@
+--- nsalibsemanage/src/semanage_store.h 2008-08-28 09:34:24.000000000 -0400
++++ libsemanage-2.0.27/src/semanage_store.h 2008-09-10 10:22:42.000000000 -0400
+@@ -93,10 +93,16 @@
+ int semanage_link_sandbox(semanage_handle_t * sh,
+ sepol_module_package_t ** base);
+
++int semanage_link_base(semanage_handle_t * sh,
++ sepol_module_package_t ** base);
++
+ int semanage_expand_sandbox(semanage_handle_t * sh,
sepol_module_package_t * base,
sepol_policydb_t ** policydb);
@@ -176,7 +361,7 @@ diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.h libsema
diff --exclude-from=exclude -N -u -r nsalibsemanage/tests/test_fcontext.c libsemanage-2.0.27/tests/test_fcontext.c
--- nsalibsemanage/tests/test_fcontext.c 1969-12-31 19:00:00.000000000 -0500
-+++ libsemanage-2.0.27/tests/test_fcontext.c 2008-08-15 10:59:48.000000000 -0400
++++ libsemanage-2.0.27/tests/test_fcontext.c 2008-09-10 10:22:42.000000000 -0400
@@ -0,0 +1,72 @@
+#include
+#include
diff --git a/libsemanage.spec b/libsemanage.spec
index a021269..abbf26d 100644
--- a/libsemanage.spec
+++ b/libsemanage.spec
@@ -3,7 +3,7 @@ Summary: SELinux binary policy manipulation library
Name: libsemanage
Version: 2.0.27
-Release: 2%{?dist}
+Release: 3%{?dist}
License: LGPLv2+
Group: System Environment/Libraries
Source: http://www.nsa.gov/selinux/archives/libsemanage-%{version}.tgz
@@ -89,7 +89,10 @@ rm -rf ${RPM_BUILD_ROOT}
%{_libdir}/python*/site-packages/*
%changelog
-* Tue Aug 5 2008 Dan Walsh - 2.0.27-2
+* Wed Sep 10 2008 Dan Walsh - 2.0.27-3
+- Additional fixes for Don't rebuild on fcontext or seuser modifications
+
+* Tue Sep 2 2008 Dan Walsh - 2.0.27-2
- Don't rebuild on fcontext or seuser modifications
* Tue Aug 5 2008 Dan Walsh - 2.0.27-1