From 44b396895f7ecad854c2a9da30229d1b58117929 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Dec 14 2017 09:06:42 +0000 Subject: libsemanage-2.7-2.fc27 - free genhomedircon fallback user - Add support for listing fcontext.homedirs file - Keep copy of file_contexts.homedirs in policy store --- diff --git a/libsemanage-fedora.patch b/libsemanage-fedora.patch index 426772e..19b0470 100644 --- a/libsemanage-fedora.patch +++ b/libsemanage-fedora.patch @@ -1,5 +1,18 @@ +diff --git libsemanage-2.7/include/semanage/fcontexts_policy.h libsemanage-2.7/include/semanage/fcontexts_policy.h +index a50db2b..199a1e1 100644 +--- libsemanage-2.7/include/semanage/fcontexts_policy.h ++++ libsemanage-2.7/include/semanage/fcontexts_policy.h +@@ -26,4 +26,8 @@ extern int semanage_fcontext_list(semanage_handle_t * handle, + semanage_fcontext_t *** records, + unsigned int *count); + ++extern int semanage_fcontext_list_homedirs(semanage_handle_t * handle, ++ semanage_fcontext_t *** records, ++ unsigned int *count); ++ + #endif diff --git libsemanage-2.7/src/direct_api.c libsemanage-2.7/src/direct_api.c -index 65842df..ed11a7c 100644 +index 65842df..31fcada 100644 --- libsemanage-2.7/src/direct_api.c +++ libsemanage-2.7/src/direct_api.c @@ -148,9 +148,6 @@ int semanage_direct_connect(semanage_handle_t * sh) 
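Review bot: The new `semanage_fcontext_list_homedirs` prototype in fcontexts_policy.h is added without any comment, and nothing in the hunk says which file it lists or who owns the returned `records`, so a caller has to go read fcontexts_policy.c to find out. A short comment on the declaration would settle that, e.g. `/* List the entries of file_contexts.homedirs kept in the policy store; records and count follow the same ownership rules as semanage_fcontext_list. */`. This is a new public symbol, so it presumably also needs whatever export and ABI handling the library applies to its other list functions; that cannot be confirmed from this hunk.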
@@ -12,7 +25,28 @@ index 65842df..ed11a7c 100644 sh->u.direct.translock_file_fd = -1; sh->u.direct.activelock_file_fd = -1; -@@ -373,10 +370,6 @@ static int semanage_direct_disconnect(semanage_handle_t * sh) +@@ -210,6 +207,12 @@ int semanage_direct_connect(semanage_handle_t * sh) + semanage_fcontext_dbase_local(sh)) < 0) + goto err; + ++ if (fcontext_file_dbase_init(sh, ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC_HOMEDIRS), ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS), ++ semanage_fcontext_dbase_homedirs(sh)) < 0) ++ goto err; ++ + if (seuser_file_dbase_init(sh, + semanage_path(SEMANAGE_ACTIVE, + SEMANAGE_SEUSERS_LOCAL), +@@ -349,6 +352,7 @@ static int semanage_direct_disconnect(semanage_handle_t * sh) + iface_file_dbase_release(semanage_iface_dbase_local(sh)); + bool_file_dbase_release(semanage_bool_dbase_local(sh)); + fcontext_file_dbase_release(semanage_fcontext_dbase_local(sh)); ++ fcontext_file_dbase_release(semanage_fcontext_dbase_homedirs(sh)); + seuser_file_dbase_release(semanage_seuser_dbase_local(sh)); + node_file_dbase_release(semanage_node_dbase_local(sh)); + +@@ -373,10 +377,6 @@ static int semanage_direct_disconnect(semanage_handle_t * sh) static int semanage_direct_begintrans(semanage_handle_t * sh) { @@ -23,7 +57,7 @@ index 65842df..ed11a7c 100644 if (semanage_get_trans_lock(sh) < 0) { return -1; } -@@ -1545,33 +1538,27 @@ rebuild: +@@ -1545,43 +1545,46 @@ rebuild: } path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL); 
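Review bot: The new `fcontext_file_dbase_init` call in semanage_direct_connect binds the homedirs database to `semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC_HOMEDIRS)`, a file that a store created before this change does not contain and that, per the later direct_api.c hunk, is only written on a commit with genhomedircon enabled. Whether the file-backed init tolerates a missing file is not visible here; if it does not, connecting to an existing store fails until the next commit, and with `disable_genhomedircon` set the file would never be created. Either way the expectation should be stated on the call, e.g. `/* may be absent on stores older than this change; it appears after the next commit */`. The matching release added in semanage_direct_disconnect sits directly after the local fcontext release, which keeps the two in step; both functions continue outside the hunk.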
@@ -72,11 +106,131 @@ index 65842df..ed11a7c 100644 } /* run genhomedircon if its enabled, this should be the last operation + * which requires the out policydb */ + if (!sh->conf->disable_genhomedircon) { +- if (out && (retval = +- semanage_genhomedircon(sh, out, sh->conf->usepasswd, sh->conf->ignoredirs)) != 0) { +- ERR(sh, "semanage_genhomedircon returned error code %d.", +- retval); +- goto cleanup; ++ if (out){ ++ if ((retval = semanage_genhomedircon(sh, out, sh->conf->usepasswd, ++ sh->conf->ignoredirs)) != 0) { ++ ERR(sh, "semanage_genhomedircon returned error code %d.", retval); ++ goto cleanup; ++ } ++ /* file_contexts.homedirs was created in SEMANAGE_TMP store */ ++ retval = semanage_copy_file( ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS), ++ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS), ++ sh->conf->file_mode); ++ if (retval < 0) { ++ goto cleanup; ++ } + } + } else { + WARN(sh, "WARNING: genhomedircon is disabled. \ +diff --git libsemanage-2.7/src/fcontexts_policy.c libsemanage-2.7/src/fcontexts_policy.c +index 0b063b1..98490ab 100644 +--- libsemanage-2.7/src/fcontexts_policy.c ++++ libsemanage-2.7/src/fcontexts_policy.c +@@ -51,3 +51,11 @@ int semanage_fcontext_list(semanage_handle_t * handle, + dbase_config_t *dconfig = semanage_fcontext_dbase_policy(handle); + return dbase_list(handle, dconfig, records, count); + } ++ ++int semanage_fcontext_list_homedirs(semanage_handle_t * handle, ++ semanage_fcontext_t *** records, unsigned int *count) ++{ ++ ++ dbase_config_t *dconfig = semanage_fcontext_dbase_homedirs(handle); ++ return dbase_list(handle, dconfig, records, count); ++} +diff --git libsemanage-2.7/src/genhomedircon.c libsemanage-2.7/src/genhomedircon.c +index b9a74b7..d09d82f 100644 +--- libsemanage-2.7/src/genhomedircon.c ++++ libsemanage-2.7/src/genhomedircon.c +@@ -1345,8 +1345,8 @@ int semanage_genhomedircon(semanage_handle_t * sh, + + s.homedir_template_path = + semanage_path(SEMANAGE_TMP, 
SEMANAGE_HOMEDIR_TMPL); +- s.fcfilepath = semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_FC_HOMEDIRS); ++ s.fcfilepath = ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS); + + s.fallback = calloc(1, sizeof(genhomedircon_user_entry_t)); + if (s.fallback == NULL) { +@@ -1385,7 +1385,9 @@ done: + if (out != NULL) + fclose(out); + +- pop_user_entry(&(s.fallback)); ++ while (s.fallback) ++ pop_user_entry(&(s.fallback)); ++ + ignore_free(); + + return retval; +diff --git libsemanage-2.7/src/handle.h libsemanage-2.7/src/handle.h +index 889871d..1780ac8 100644 +--- libsemanage-2.7/src/handle.h ++++ libsemanage-2.7/src/handle.h +@@ -79,7 +79,7 @@ struct semanage_handle { + struct semanage_policy_table *funcs; + + /* Object databases */ +-#define DBASE_COUNT 23 ++#define DBASE_COUNT 24 + + /* Local modifications */ + #define DBASE_LOCAL_USERS_BASE 0 +@@ -102,13 +102,14 @@ struct semanage_handle { + #define DBASE_POLICY_INTERFACES 15 + #define DBASE_POLICY_BOOLEANS 16 + #define DBASE_POLICY_FCONTEXTS 17 +-#define DBASE_POLICY_SEUSERS 18 +-#define DBASE_POLICY_NODES 19 +-#define DBASE_POLICY_IBPKEYS 20 +-#define DBASE_POLICY_IBENDPORTS 21 ++#define DBASE_POLICY_FCONTEXTS_H 18 ++#define DBASE_POLICY_SEUSERS 19 ++#define DBASE_POLICY_NODES 20 ++#define DBASE_POLICY_IBPKEYS 21 ++#define DBASE_POLICY_IBENDPORTS 22 + + /* Active kernel policy */ +-#define DBASE_ACTIVE_BOOLEANS 22 ++#define DBASE_ACTIVE_BOOLEANS 23 + dbase_config_t dbase[DBASE_COUNT]; + }; + +@@ -236,6 +237,12 @@ static inline + } + + static inline ++ dbase_config_t * semanage_fcontext_dbase_homedirs(semanage_handle_t * handle) ++{ ++ return &handle->dbase[DBASE_POLICY_FCONTEXTS_H]; ++} ++ ++static inline + dbase_config_t * semanage_seuser_dbase_policy(semanage_handle_t * handle) + { + return &handle->dbase[DBASE_POLICY_SEUSERS]; 
diff --git libsemanage-2.7/src/semanage_store.c libsemanage-2.7/src/semanage_store.c -index 6158d08..d2d7e3e 100644 +index 6158d08..320fa7b 100644 --- libsemanage-2.7/src/semanage_store.c +++ libsemanage-2.7/src/semanage_store.c -@@ -537,7 +537,6 @@ char *semanage_conf_path(void) +@@ -116,6 +116,7 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = { + "/modules/disabled", + "/policy.kern", + "/file_contexts.local", ++ "/file_contexts.homedirs", + "/file_contexts", + "/seusers" + }; +@@ -537,7 +538,6 @@ char *semanage_conf_path(void) int semanage_create_store(semanage_handle_t * sh, int create) { struct stat sb; @@ -84,7 +238,7 @@ index 6158d08..d2d7e3e 100644 const char *path = semanage_files[SEMANAGE_ROOT]; int fd; -@@ -556,9 +555,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) +@@ -556,9 +556,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) return -1; } } else { @@ -96,7 +250,7 @@ index 6158d08..d2d7e3e 100644 path); return -1; } -@@ -579,9 +578,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) +@@ -579,9 +579,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) return -1; } } else { @@ -108,7 +262,7 @@ index 6158d08..d2d7e3e 100644 path); return -1; } -@@ -602,9 +601,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) +@@ -602,9 +602,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) return -1; } } else { @@ -120,7 +274,7 @@ index 6158d08..d2d7e3e 100644 path); return -1; } -@@ -623,8 +622,8 @@ int semanage_create_store(semanage_handle_t * sh, int create) +@@ -623,8 +623,8 @@ int semanage_create_store(semanage_handle_t * sh, int create) return -1; } } else { 
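Review bot: In the genhomedircon branch of direct_api.c a failed `semanage_copy_file` jumps to cleanup without any message, whereas the `semanage_genhomedircon` failure a few lines above reports through ERR, so a commit that aborts at the copy leaves no indication of why. Reporting it in the same style keeps the branch consistent: `ERR(sh, "Unable to copy %s to %s.", semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS), semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS));` placed before `goto cleanup;`. Two style nits in the same hunk: `if (out){` lacks the space before the brace that the surrounding code uses, and the new `semanage_fcontext_list_homedirs` body in fcontexts_policy.c opens with a stray blank line. The handle.h renumbering is consistent (`DBASE_COUNT 24` covers indices 0–23), but the enclosing commit function and the handle.h accessor list both extend beyond the hunk.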
@@ -131,3 +285,15 @@ index 6158d08..d2d7e3e 100644 return -1; } } +diff --git libsemanage-2.7/src/semanage_store.h libsemanage-2.7/src/semanage_store.h +index fcaa505..34bf852 100644 +--- libsemanage-2.7/src/semanage_store.h ++++ libsemanage-2.7/src/semanage_store.h +@@ -61,6 +61,7 @@ enum semanage_sandbox_defs { + SEMANAGE_MODULES_DISABLED, + SEMANAGE_STORE_KERNEL, + SEMANAGE_STORE_FC_LOCAL, ++ SEMANAGE_STORE_FC_HOMEDIRS, + SEMANAGE_STORE_FC, + SEMANAGE_STORE_SEUSERS, + SEMANAGE_STORE_NUM_PATHS diff --git a/libsemanage.spec b/libsemanage.spec index 7672135..dab7b78 100644 --- a/libsemanage.spec +++ b/libsemanage.spec @@ -1,20 +1,21 @@ %global with_python3 1 %{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print (get_python_lib(1))")} -%define libsepolver 2.7-1 -%define libselinuxver 2.7-1 +%define libsepolver 2.7-2 +%define libselinuxver 2.7-3 Summary: SELinux binary policy manipulation library Name: libsemanage Version: 2.7 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2+ Group: System Environment/Libraries Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/libsemanage-2.7.tar.gz # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: -# $ VERSION=2.7 ./make-fedora-selinux-patch.sh libsemanage -# HEAD https://github.com/fedora-selinux/selinux/commit/70a12c5e7b56a81223d67ce2469292826b84efe9 +# $ VERSION=2.7 BRANCH=f27 ./make-fedora-selinux-patch.sh libsemanage +# HEAD https://github.com/fedora-selinux/selinux/commit/e5a6540888e254b245d42b7cecf0b895d64ddc43 + Patch1: libsemanage-fedora.patch URL: https://github.com/SELinuxProject/selinux/wiki Source1: semanage.conf 
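Review bot: `SEMANAGE_STORE_FC_HOMEDIRS` is inserted into `enum semanage_sandbox_defs` by position, and its only link to the `"/file_contexts.homedirs"` entry added to `semanage_sandbox_paths[]` in semanage_store.c is that both were slotted between the FC_LOCAL and FC entries; nothing in either file records that coupling. A comment on the enum would warn the next person who adds a path, e.g. `/* keep in sync with semanage_sandbox_paths[] in semanage_store.c */`, or the array could use designated initializers (`[SEMANAGE_STORE_FC_HOMEDIRS] = "/file_contexts.homedirs",`) so the order cannot drift silently.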
@@ -195,6 +196,11 @@ rm -rf ${RPM_BUILD_ROOT} %endif # if with_python3 %changelog +* Fri Nov 24 2017 Petr Lautrbach - 2.7-2 +- free genhomedircon fallback user +- Add support for listing fcontext.homedirs file +- Keep copy of file_contexts.homedirs in policy store + * Mon Aug 07 2017 Petr Lautrbach - 2.7-1 - Update to upstream release 2017-08-04 - Use 'sefcontext_compile -r' when it's run during SELinux policy build