From 00e063e5f5fef6f6658b22cbf2a2b42fdfeae278 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Aug 18 2011 11:09:51 +0000 Subject: Update to upstream 2.1.4 2011-0817 * mapping fix for invalid class/perms after selinux_set_mapping * audit2why: work around python bug not defining * resolv symlinks and dot directories before matching
---
diff --git a/.gitignore b/.gitignore
index bd63dec..2f655e6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -185,3 +185,4 @@ libselinux-2.0.96.tgz
 /libselinux-2.0.101.tgz
 /libselinux-2.0.102.tgz
 /libselinux-2.1.0.tgz
+/libselinux-2.1.4.tgz
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index c4a846e..842423b 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -1,197 +1,212 @@ -diff --git a/libselinux/man/man8/selinuxexeccon.8 b/libselinux/man/man8/selinuxexeccon.8 -new file mode 100644 -index 0000000..6482d74 ---- /dev/null -+++ b/libselinux/man/man8/selinuxexeccon.8 -@@ -0,0 +1,24 @@ -+.TH "selinuxexeccon" "1" "14 May 2011" "dwalsh@redhat.com" "SELinux Command Line documentation" +diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h +index f110dcf..d29b0c1 100644 +--- a/libselinux/include/selinux/selinux.h ++++ b/libselinux/include/selinux/selinux.h +@@ -566,7 +566,7 @@ extern int selinux_file_context_cmp(const security_context_t a, + + /* + * Verify the context of the file 'path' against policy. +- * Return 0 if correct. ++ * Return 1 if match, 0 if not and -1 on error. + */ + extern int selinux_file_context_verify(const char *path, mode_t mode); + +diff --git a/libselinux/man/man3/selinux_file_context_cmp.3 b/libselinux/man/man3/selinux_file_context_cmp.3 +index 51e8c20..cd67188 100644 +--- a/libselinux/man/man3/selinux_file_context_cmp.3 ++++ b/libselinux/man/man3/selinux_file_context_cmp.3 +@@ -1,25 +1,75 @@ +-.TH "selinux_file_context_cmp" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation" ++.TH "selinux_file_context_cmp" "3" "08 March 2011" "SELinux API documentation" ++ + .SH "NAME" +-selinux_file_context_cmp, selinux_file_context_verify \- comparison of two file contexts. ++selinux_file_context_cmp \- Compare two SELinux security contexts excluding the 'user' component. 
+ + .SH "SYNOPSIS" + .B #include + .sp +- +-.BI "int selinux_file_context_cmp(const security_context_t " a ", const security_context_t " b ");" +- +-.BI "int selinux_file_context_verify(const char *" path ", mode_t " mode ");" ++.BI "int selinux_file_context_cmp(const security_context_t " a ", " ++.RS ++.BI "const security_context_t " b ");" ++.RE + + .SH "DESCRIPTION" + .B selinux_file_context_cmp +-compares two file contexts to see if their differences are "significant", the function runs the strcmp function ignoring the user componant of the file context. +-.sp +-.B selinux_file_context_verify +-compares the file context on disk to the system default. ++compares two context strings excluding the user component with ++.B strcmp(3) ++as shown in the ++.B EXAMPLE ++section. + .sp ++This is useful as for most object contexts, the user component is not relevant. + + .SH "RETURN VALUE" +-Returns zero on success or \-1 otherwise. ++The return values follow the ++.B strcmp(3) ++function, where: ++.RS ++0 if they are equal. ++.RE ++.RS ++1 if ++.I a ++is greater than ++.I b ++.RE ++.RS ++\-1 if ++.I a ++is less than ++.I b ++.RE ++ ++.SH "ERRORS" ++None. ++ ++.SH "NOTES" ++The contexts being compared do not specifically need to be file contexts. ++ ++.SH "EXAMPLE" ++If context ++.I a ++is: ++.RS ++user_u:user_r:user_t:s0 ++.RE ++.sp ++and context ++.I b ++is: ++.RS ++root:user_r:user_t:s0 ++.RE ++.sp ++then the actual strings compared are: ++.RS ++:user_r:user_t:s0 and :user_r:user_t:s0 ++.RE ++.sp ++Therefore they will match and ++.B selinux_file_context_cmp ++will return zero. 
+ + .SH "SEE ALSO" +-.BR selinux "(8), " selinux_lsetfilecon "(3), " matchpathcon "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)" ++.BR selinux "(8)" +diff --git a/libselinux/man/man3/selinux_file_context_verify.3 b/libselinux/man/man3/selinux_file_context_verify.3 +index d777547..e22be70 100644 +--- a/libselinux/man/man3/selinux_file_context_verify.3 ++++ b/libselinux/man/man3/selinux_file_context_verify.3 +@@ -1 +1,98 @@ +-.so man3/selinux_file_context_cmp.3 ++.TH "selinux_file_context_verify" "3" "08 March 2011" "SELinux API documentation" ++ +.SH "NAME" -+selinuxexeccon \- report SELinux context used for this executable ++selinux_file_context_verify \- Compare the SELinux security context on disk to the default security context required by the policy file contexts file. + +.SH "SYNOPSIS" -+.B selinuxexeccon command [ fromcon] o ++.B #include ++.sp ++.BI "int selinux_file_context_verify(const char *" path ", mode_t " mode ");" + +.SH "DESCRIPTION" -+.B selinuxexeccon -+reports the SELinux process context for the specified command from the specified context or the current context. -+ -+.SH EXAMPLE -+# selinuxexeccon /usr/bin/passwd -+staff_u:staff_r:passwd_t:s0-s0:c0.c1023 -+ -+.br -+# selinuxexeccon /usr/sbin/sendmail system_u:system_r:httpd_t:s0 -+system_u:system_r:system_mail_t:s0 -+ -+.SH AUTHOR -+This manual page was written by Dan Walsh . ++.B selinux_file_context_verify ++compares the context of the specified ++.I path ++that is held on disk (in the extended attribute), to the system default entry held in the file contexts series of files. ++.sp ++The ++.I mode ++may be zero. ++.sp ++Note that the two contexts are compared for "significant" differences (i.e. the user component of the contexts are ignored) as shown in the ++.B EXAMPLE ++section. ++ ++.SH "RETURN VALUE" ++If the contexts significantly match, 1 (one) is returned. 
++.sp ++If the contexts do not match 0 (zero) is returned and ++.I errno ++is set to either ++.B ENOENT ++or ++.B EINVAL ++for the reasons listed in the ++.B ERRORS ++section, or if ++.I errno ++= 0 then the contexts did not match. ++.sp ++On failure \-1 is returned and ++.I errno ++set appropriately. ++ ++.SH "ERRORS" ++.TP ++.B ENOTSUP ++if extended attributes are not supported by the file system. ++.TP ++.B ENOENT ++if there is no entry in the file contexts series of files or ++.I path ++does not exist. ++.TP ++.B EINVAL ++if the entry in the file contexts series of files or ++.I path ++are invalid, or the returned context fails validation. ++.TP ++.B ENOMEM ++if attempt to allocate memory failed. ++ ++.SH "FILES" ++The following configuration files (the file contexts series of files) supporting the active policy will be used (should they exist) to determine the ++.I path ++default context: ++.sp ++.RS ++contexts/files/file_contexts - This file must exist. ++.sp ++contexts/files/file_contexts.local - If exists has local customizations. ++.sp ++contexts/files/file_contexts.homedirs - If exists has users home directory customizations. ++.sp ++contexts/files/file_contexts.subs - If exists has substitutions that are then applied to the 'in memory' version of the file contexts files. ++.RE ++ ++.SH "EXAMPLE" ++If the files context is: ++.RS ++unconfined_u:object_r:admin_home_t:s0 ++.RE ++.sp ++and the default context defined in the file contexts file is: ++.RS ++system_u:object_r:admin_home_t:s0 ++.RE ++.sp ++then the actual strings compared are: ++.RS ++:object_r:admin_home_t:s0 and :object_r:admin_home_t:s0 ++.RE ++.sp ++Therefore they will match and ++.B selinux_file_context_verify ++will return 1. + +.SH "SEE ALSO" -+secon(8) -diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile -index bf665ab..ccd08ae 100644 ---- a/libselinux/src/Makefile -+++ b/libselinux/src/Makefile -@@ -1,10 +1,11 @@ - # Installation directories. 
-+PYTHON ?= python - PREFIX ?= $(DESTDIR)/usr - LIBDIR ?= $(PREFIX)/lib - SHLIBDIR ?= $(DESTDIR)/lib - INCLUDEDIR ?= $(PREFIX)/include --PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % sys.version_info[0:2]') --PYINC ?= /usr/include/$(PYLIBVER) -+PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % sys.version_info[0:2])') -+PYINC ?= $(shell pkg-config --cflags `basename $(PYTHON)`) - PYLIB ?= /usr/lib/$(PYLIBVER) - PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER) - RUBYLIBVER ?= $(shell ruby -e 'print RUBY_VERSION.split(".")[0..1].join(".")') -@@ -23,13 +24,13 @@ SWIGIF= selinuxswig_python.i selinuxswig_python_exception.i - SWIGRUBYIF= selinuxswig_ruby.i - SWIGCOUT= selinuxswig_wrap.c - SWIGRUBYCOUT= selinuxswig_ruby_wrap.c --SWIGLOBJ:= $(patsubst %.c,%.lo,$(SWIGCOUT)) -+SWIGLOBJ:= $(patsubst %.c,$(PYPREFIX)%.lo,$(SWIGCOUT)) - SWIGRUBYLOBJ:= $(patsubst %.c,%.lo,$(SWIGRUBYCOUT)) --SWIGSO=_selinux.so -+SWIGSO=$(PYPREFIX)_selinux.so - SWIGFILES=$(SWIGSO) selinux.py selinuxswig_python_exception.i - SWIGRUBYSO=_rubyselinux.so - LIBSO=$(TARGET).$(LIBVERSION) --AUDIT2WHYSO=audit2why.so -+AUDIT2WHYSO=$(PYPREFIX)audit2why.so - - ifeq ($(DISABLE_AVC),y) - UNUSED_SRCS+=avc.c avc_internal.c avc_sidtab.c mapping.c stringrep.c checkAccess.c -@@ -70,7 +71,7 @@ $(LIBA): $(OBJS) - $(RANLIB) $@ - - $(SWIGLOBJ): $(SWIGCOUT) -- $(CC) $(filter-out -Werror,$(CFLAGS)) -I$(PYINC) -fPIC -DSHARED -c -o $@ $< -+ $(CC) $(filter-out -Werror,$(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $< - - $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT) - $(CC) $(filter-out -Werror,$(CFLAGS)) -I$(RUBYINC) -fPIC -DSHARED -c -o $@ $< -@@ -91,10 +92,10 @@ $(LIBPC): $(LIBPC).in - selinuxswig_python_exception.i: ../include/selinux/selinux.h - bash exception.sh > $@ - --audit2why.lo: audit2why.c -- $(CC) $(CFLAGS) -I$(PYINC) -fPIC -DSHARED -c -o $@ $< -+$(PYPREFIX)audit2why.lo: audit2why.c -+ $(CC) $(CFLAGS) $(PYINC) -fPIC -DSHARED -c -o $@ $< - --$(AUDIT2WHYSO): audit2why.lo -+$(AUDIT2WHYSO): 
$(PYPREFIX)audit2why.lo - $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. -lselinux ${LIBDIR}/libsepol.a -L$(LIBDIR) -Wl,-soname,$@ - - %.o: %.c policy.h -@@ -123,8 +124,8 @@ install: all - - install-pywrap: pywrap - test -d $(PYTHONLIBDIR)/site-packages/selinux || install -m 755 -d $(PYTHONLIBDIR)/site-packages/selinux -- install -m 755 $(SWIGSO) $(PYTHONLIBDIR)/site-packages/selinux -- install -m 755 $(AUDIT2WHYSO) $(PYTHONLIBDIR)/site-packages/selinux -+ install -m 755 $(SWIGSO) $(PYTHONLIBDIR)/site-packages/selinux/_selinux.so -+ install -m 755 $(AUDIT2WHYSO) $(PYTHONLIBDIR)/site-packages/selinux/audit2why.so - install -m 644 selinux.py $(PYTHONLIBDIR)/site-packages/selinux/__init__.py - - install-rubywrap: rubywrap -diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c -index 691bc67..12e8614 100644 ---- a/libselinux/src/audit2why.c -+++ b/libselinux/src/audit2why.c -@@ -1,3 +1,6 @@ -+/* Workaround for http://bugs.python.org/issue4835 */ -+#define SIZEOF_SOCKET_T SIZEOF_INT -+ - #include - #include - #include -@@ -255,6 +258,8 @@ static int __policy_init(const char *init_path) - fclose(fp); - sepol_set_policydb(&avc->policydb->p); - avc->handle = sepol_handle_create(); -+ /* Turn off messages */ -+ sepol_msg_set_callback(avc->handle, NULL, NULL); - - rc = sepol_bool_count(avc->handle, - avc->policydb, &cnt); -@@ -287,8 +292,10 @@ static int __policy_init(const char *init_path) - static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) { - int result; - char *init_path=NULL; -- if (PyArg_ParseTuple(args,(char *)"|s:policy_init",&init_path)) -- result = __policy_init(init_path); -+ if (!PyArg_ParseTuple(args,(char *)"|s:policy_init",&init_path)) { -+ return NULL; -+ } -+ result = __policy_init(init_path); - return Py_BuildValue("i", result); - } - -@@ -353,7 +360,11 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args - strObj = PyList_GetItem(listObj, i); /* Can't fail */ - - /* make it a string 
*/ -+#if PY_MAJOR_VERSION >= 3 -+ permstr = _PyUnicode_AsString( strObj ); -+#else - permstr = PyString_AsString( strObj ); -+#endif - - perm = string_to_av_perm(tclass, permstr); - if (!perm) { -@@ -423,10 +434,39 @@ static PyMethodDef audit2whyMethods[] = { - {NULL, NULL, 0, NULL} /* Sentinel */ - }; - -+#if PY_MAJOR_VERSION >= 3 -+/* Module-initialization logic specific to Python 3 */ -+struct module_state { -+ /* empty for now */ -+}; -+static struct PyModuleDef moduledef = { -+ PyModuleDef_HEAD_INIT, -+ "audit2why", -+ NULL, -+ sizeof(struct module_state), -+ audit2whyMethods, -+ NULL, -+ NULL, -+ NULL, -+ NULL -+}; -+ -+PyMODINIT_FUNC -+PyInit_audit2why(void) -+#else - PyMODINIT_FUNC - initaudit2why(void) -+#endif - { -- PyObject *m = Py_InitModule("audit2why", audit2whyMethods); -+ PyObject *m; -+#if PY_MAJOR_VERSION >= 3 -+ m = PyModule_Create(&moduledef); -+ if (m == NULL) { -+ return NULL; -+ } -+#else -+ m = Py_InitModule("audit2why", audit2whyMethods); -+#endif - PyModule_AddIntConstant(m,"UNKNOWN", UNKNOWN); - PyModule_AddIntConstant(m,"BADSCON", BADSCON); - PyModule_AddIntConstant(m,"BADTCON", BADTCON); -@@ -440,4 +480,8 @@ initaudit2why(void) - PyModule_AddIntConstant(m,"BOOLEAN", BOOLEAN); - PyModule_AddIntConstant(m,"CONSTRAINT", CONSTRAINT); - PyModule_AddIntConstant(m,"RBAC", RBAC); -+ -+#if PY_MAJOR_VERSION >= 3 -+ return m; -+#endif - } ++.BR selinux "(8)" diff --git a/libselinux/src/callbacks.c b/libselinux/src/callbacks.c index b245364..7c47222 100644 --- a/libselinux/src/callbacks.c 
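Review bot: The new selinux.h comment for selinux_file_context_verify (`Return 1 if match, 0 if not and -1 on error.`) omits a case that the new man page in this same hunk documents: 0 is also returned with errno set to ENOENT or EINVAL, and only errno == 0 means a genuine mismatch. Because the comment also reverses the previously documented `Return 0 if correct.`, a caller written against the old wording would treat a mismatched or unverifiable label as verified; whether the implementation changed or only the documentation was corrected is not visible in this hunk, so existing callers should be checked either way. I would bring the header in line with the man page, e.g. `* Return 1 if match, 0 if not (errno is 0, or ENOENT/EINVAL when no usable entry exists) and -1 on error.` The RETURN VALUE section of selinux_file_context_verify.3 should also say that the caller must set `errno = 0` before the call to tell the cases apart, unless the function is known to clear it.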
@@ -204,222 +219,11 @@ index b245364..7c47222 100644 va_start(ap, fmt); rc = vfprintf(stderr, fmt, ap); va_end(ap); -diff --git a/libselinux/src/enabled.c b/libselinux/src/enabled.c -index b3c8c47..018c787 100644 ---- a/libselinux/src/enabled.c -+++ b/libselinux/src/enabled.c -@@ -11,10 +11,6 @@ - - int is_selinux_enabled(void) - { -- char *buf=NULL; -- FILE *fp; -- ssize_t num; -- size_t len; - int enabled = 0; - security_context_t con; - -@@ -32,37 +28,8 @@ int is_selinux_enabled(void) - enabled = 0; - freecon(con); - } -- return enabled; - } - -- /* Drop back to detecting it the long way. */ -- fp = fopen("/proc/filesystems", "r"); -- if (!fp) -- return -1; -- -- __fsetlocking(fp, FSETLOCKING_BYCALLER); -- while ((num = getline(&buf, &len, fp)) != -1) { -- if (strstr(buf, "selinuxfs")) { -- enabled = 1; -- break; -- } -- } -- -- if (num < 0) -- goto out; -- -- /* Since an selinux file system is available, we consider -- * selinux enabled. If getcon_raw fails, selinux is still -- * enabled. We only consider it disabled if no policy is loaded. */ -- if (getcon_raw(&con) == 0) { -- if (!strcmp(con, "kernel")) -- enabled = 0; -- freecon(con); -- } -- -- out: -- free(buf); -- fclose(fp); - return enabled; - } - -diff --git a/libselinux/src/init.c b/libselinux/src/init.c -index a948920..dd03559 100644 ---- a/libselinux/src/init.c -+++ b/libselinux/src/init.c -@@ -7,6 +7,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -20,12 +21,41 @@ char *selinux_mnt = NULL; - int selinux_page_size = 0; - int obj_class_compat = 1; - -+/* Verify the mount point for selinux file system has a selinuxfs. -+ If the file system: -+ * Exist, -+ * Is mounted with an selinux file system, -+ * The file system is read/write -+ * then set this as the default file system. 
-+*/ -+static int verify_selinuxmnt(char *mnt) -+{ -+ struct statfs sfbuf; -+ int rc; -+ -+ do { -+ rc = statfs(mnt, &sfbuf); -+ } while (rc < 0 && errno == EINTR); -+ if (rc == 0) { -+ if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) { -+ struct statvfs vfsbuf; -+ rc = statvfs(mnt, &vfsbuf); -+ if (rc == 0) { -+ if (!(vfsbuf.f_flag & ST_RDONLY)) { -+ set_selinuxmnt(mnt); -+ } -+ return 0; -+ } -+ } -+ } -+ -+ return -1; -+} -+ - static void init_selinuxmnt(void) - { - char *buf=NULL, *p; - FILE *fp=NULL; -- struct statfs sfbuf; -- int rc; - size_t len; - ssize_t num; - int exists = 0; -@@ -33,17 +63,9 @@ static void init_selinuxmnt(void) - if (selinux_mnt) - return; - -- /* We check to see if the preferred mount point for selinux file -- * system has a selinuxfs. */ -- do { -- rc = statfs(SELINUXMNT, &sfbuf); -- } while (rc < 0 && errno == EINTR); -- if (rc == 0) { -- if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) { -- selinux_mnt = strdup(SELINUXMNT); -- return; -- } -- } -+ if (verify_selinuxmnt(SELINUXMNT) == 0) return; -+ -+ if (verify_selinuxmnt(OLDSELINUXMNT) == 0) return; - - /* Drop back to detecting it the long way. 
*/ - fp = fopen("/proc/filesystems", "r"); -@@ -52,7 +74,7 @@ static void init_selinuxmnt(void) - - __fsetlocking(fp, FSETLOCKING_BYCALLER); - while ((num = getline(&buf, &len, fp)) != -1) { -- if (strstr(buf, "selinuxfs")) { -+ if (strstr(buf, SELINUXFS)) { - exists = 1; - break; - } -@@ -79,7 +101,7 @@ static void init_selinuxmnt(void) - tmp = strchr(p, ' '); - if (!tmp) - goto out; -- if (!strncmp(tmp + 1, "selinuxfs ", 10)) { -+ if (!strncmp(tmp + 1, SELINUXFS" ", strlen(SELINUXFS)+1)) { - *tmp = '\0'; - break; - } -@@ -87,7 +109,7 @@ static void init_selinuxmnt(void) - - /* If we found something, dup it */ - if (num > 0) -- selinux_mnt = strdup(p); -+ verify_selinuxmnt(p); - - out: - free(buf); -diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c -index 937e509..112af1f 100644 ---- a/libselinux/src/label_file.c -+++ b/libselinux/src/label_file.c -@@ -473,7 +473,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts, - pass, ++lineno) != 0) - goto finish; - } -- if (pass == 1) { -+ if (pass == 1 && rec->validating) { - status = nodups_specs(data, path); - if (status) - goto finish; -diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c -index 83d2143..0961912 100644 ---- a/libselinux/src/load_policy.c -+++ b/libselinux/src/load_policy.c -@@ -369,7 +369,17 @@ int selinux_init_load_policy(int *enforce) - * Check for the existence of SELinux via selinuxfs, and - * mount it if present for use in the calls below. - */ -- if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) { -+ char *mntpoint = NULL; -+ if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) { -+ mntpoint = SELINUXMNT; -+ } else { -+ /* check old mountpoint */ -+ if (mount(SELINUXFS, OLDSELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) { -+ mntpoint = OLDSELINUXMNT; -+ } -+ } -+ -+ if (! 
mntpoint ) { - if (errno == ENODEV) { - /* - * SELinux was disabled in the kernel, either -@@ -385,7 +395,7 @@ int selinux_init_load_policy(int *enforce) - - goto noload; - } -- set_selinuxmnt(SELINUXMNT); -+ set_selinuxmnt(mntpoint); - - /* - * Note: The following code depends on having selinuxfs -@@ -397,7 +407,7 @@ int selinux_init_load_policy(int *enforce) - rc = security_disable(); - if (rc == 0) { - /* Successfully disabled, so umount selinuxfs too. */ -- umount(SELINUXMNT); -+ umount(selinux_mnt); - fini_selinuxmnt(); - } - /* diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c -index 5fd8fe4..da5cab9 100644 +index 5fd8fe4..410dd9d 100644 --- a/libselinux/src/matchpathcon.c +++ b/libselinux/src/matchpathcon.c -@@ -2,6 +2,7 @@ +@@ -2,9 +2,11 @@ #include #include #include @@ -427,7 +231,11 @@ index 5fd8fe4..da5cab9 100644 #include "selinux_internal.h" #include "label_internal.h" #include "callbacks.h" -@@ -61,7 +62,7 @@ static void ++#include + + static __thread struct selabel_handle *hnd; + +@@ -61,7 +63,7 @@ static void { va_list ap; va_start(ap, fmt); 
@@ -436,1400 +244,234 @@ index 5fd8fe4..da5cab9 100644 va_end(ap); } -diff --git a/libselinux/src/policy.h b/libselinux/src/policy.h -index 10e8712..bf270b5 100644 ---- a/libselinux/src/policy.h -+++ b/libselinux/src/policy.h -@@ -9,11 +9,15 @@ - /* Initial length guess for getting contexts. */ - #define INITCONTEXTLEN 255 - -+/* selinux file system type */ -+#define SELINUXFS "selinuxfs" -+ - /* selinuxfs magic number */ - #define SELINUX_MAGIC 0xf97cff8c - - /* Preferred selinux mount location */ --#define SELINUXMNT "/selinux" -+#define SELINUXMNT "/sys/fs/selinux" -+#define OLDSELINUXMNT "/selinux" - - /* selinuxfs mount point */ - extern char *selinux_mnt; -diff --git a/libselinux/src/selinux.py b/libselinux/src/selinux.py -index fd63a4f..248048a 100644 ---- a/libselinux/src/selinux.py -+++ b/libselinux/src/selinux.py -@@ -1,5 +1,5 @@ - # This file was automatically generated by SWIG (http://www.swig.org). --# Version 1.3.40 -+# Version 2.0.1 - # - # Do not make changes to this file unless you know what you are doing--modify - # the SWIG interface file instead. 
-@@ -70,8 +70,14 @@ import shutil, os, stat - - def restorecon(path, recursive=False): - """ Restore SELinux context on a given path """ -- mode = os.lstat(path)[stat.ST_MODE] -- status, context = matchpathcon(path, mode) -+ try: -+ mode = os.lstat(path)[stat.ST_MODE] -+ status, context = matchpathcon(path, mode) -+ except OSError: -+ path = os.path.realpath(os.path.expanduser(path)) -+ mode = os.lstat(path)[stat.ST_MODE] -+ status, context = matchpathcon(path, mode) -+ - if status == 0: - lsetfilecon(path, context) - if recursive: -@@ -79,6 +85,14 @@ def restorecon(path, recursive=False): - map(restorecon, [os.path.join(dirname, fname) - for fname in fnames]), None) - -+def chcon(path, context, recursive=False): -+ """ Set the SELinux context on a given path """ -+ lsetfilecon(path, context) -+ if recursive: -+ for root, dirs, files in os.walk(path): -+ for name in files + dirs: -+ lsetfilecon(os.path.join(root,name), context) -+ - def copytree(src, dest): - """ An SELinux-friendly shutil.copytree method """ - shutil.copytree(src, dest) -@@ -1588,6 +1602,7 @@ get_default_type = _selinux.get_default_type - SELABEL_CTX_FILE = _selinux.SELABEL_CTX_FILE - SELABEL_CTX_MEDIA = _selinux.SELABEL_CTX_MEDIA - SELABEL_CTX_X = _selinux.SELABEL_CTX_X -+SELABEL_CTX_DB = _selinux.SELABEL_CTX_DB - SELABEL_OPT_UNUSED = _selinux.SELABEL_OPT_UNUSED - SELABEL_OPT_VALIDATE = _selinux.SELABEL_OPT_VALIDATE - SELABEL_OPT_BASEONLY = _selinux.SELABEL_OPT_BASEONLY -@@ -1621,6 +1636,15 @@ SELABEL_X_EVENT = _selinux.SELABEL_X_EVENT - SELABEL_X_SELN = _selinux.SELABEL_X_SELN - SELABEL_X_POLYPROP = _selinux.SELABEL_X_POLYPROP - SELABEL_X_POLYSELN = _selinux.SELABEL_X_POLYSELN -+SELABEL_DB_DATABASE = _selinux.SELABEL_DB_DATABASE -+SELABEL_DB_SCHEMA = _selinux.SELABEL_DB_SCHEMA -+SELABEL_DB_TABLE = _selinux.SELABEL_DB_TABLE -+SELABEL_DB_COLUMN = _selinux.SELABEL_DB_COLUMN -+SELABEL_DB_SEQUENCE = _selinux.SELABEL_DB_SEQUENCE -+SELABEL_DB_VIEW = _selinux.SELABEL_DB_VIEW -+SELABEL_DB_PROCEDURE = 
_selinux.SELABEL_DB_PROCEDURE -+SELABEL_DB_BLOB = _selinux.SELABEL_DB_BLOB -+SELABEL_DB_TUPLE = _selinux.SELABEL_DB_TUPLE - - def is_selinux_enabled(): - return _selinux.is_selinux_enabled() -@@ -2201,6 +2225,10 @@ def selinux_x_context_path(): - return _selinux.selinux_x_context_path() - selinux_x_context_path = _selinux.selinux_x_context_path - -+def selinux_sepgsql_context_path(): -+ return _selinux.selinux_sepgsql_context_path() -+selinux_sepgsql_context_path = _selinux.selinux_sepgsql_context_path -+ - def selinux_contexts_path(): - return _selinux.selinux_contexts_path() - selinux_contexts_path = _selinux.selinux_contexts_path -diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i -index dea0e80..12fba6d 100644 ---- a/libselinux/src/selinuxswig_python.i -+++ b/libselinux/src/selinuxswig_python.i -@@ -12,8 +12,15 @@ import shutil, os, stat - - def restorecon(path, recursive=False): - """ Restore SELinux context on a given path """ -- mode = os.lstat(path)[stat.ST_MODE] -- status, context = matchpathcon(path, mode) -+ -+ try: -+ mode = os.lstat(path)[stat.ST_MODE] -+ status, context = matchpathcon(path, mode) -+ except OSError: -+ path = os.path.realpath(os.path.expanduser(path)) -+ mode = os.lstat(path)[stat.ST_MODE] -+ status, context = matchpathcon(path, mode) -+ - if status == 0: - lsetfilecon(path, context) - if recursive: -@@ -45,7 +52,7 @@ def install(src, dest): - PyObject* list = PyList_New(*$2); - int i; - for (i = 0; i < *$2; i++) { -- PyList_SetItem(list, i, PyString_FromString((*$1)[i])); -+ PyList_SetItem(list, i, PyBytes_FromString((*$1)[i])); +@@ -337,14 +339,82 @@ void matchpathcon_fini(void) } - $result = SWIG_Python_AppendOutput($result, list); } -@@ -74,7 +81,9 @@ def install(src, dest): - len++; - plist = PyList_New(len); - for (i = 0; i < len; i++) { -- PyList_SetItem(plist, i, PyString_FromString((*$1)[i])); -+ PyList_SetItem(plist, i, -+ PyBytes_FromString((*$1)[i]) -+ ); - } - } else { - plist = 
PyList_New(0); -@@ -91,7 +100,9 @@ def install(src, dest): - if (*$1) { - plist = PyList_New(result); - for (i = 0; i < result; i++) { -- PyList_SetItem(plist, i, PyString_FromString((*$1)[i])); -+ PyList_SetItem(plist, i, -+ PyBytes_FromString((*$1)[i]) -+ ); - } - } else { - plist = PyList_New(0); -@@ -144,16 +155,20 @@ def install(src, dest): - $1 = (char**) malloc(size + 1); - for(i = 0; i < size; i++) { -- if (!PyString_Check(PySequence_GetItem($input, i))) { -- PyErr_SetString(PyExc_ValueError, "Sequence must contain only strings"); -+ if (!PyBytes_Check(PySequence_GetItem($input, i))) { -+ PyErr_SetString(PyExc_ValueError, "Sequence must contain only bytes"); +-int matchpathcon(const char *name, mode_t mode, security_context_t * con) ++/* ++ * We do not want to resolve a symlink to a real path if it is the final ++ * component of the name. Thus we split the pathname on the last "/" and ++ * determine a real path component of the first portion. We then have to ++ * copy the last part back on to get the final real path. Wheww. 
++ */ ++static int symlink_realpath(const char *name, char *resolved_path) ++{ ++ char *last_component; ++ char *tmp_path, *p; ++ size_t len = 0; ++ int rc = 0; + - return NULL; - } ++ tmp_path = strdup(name); ++ if (!tmp_path) { ++ fprintf(stderr, "symlink_realpath(%s) strdup() failed: %s\n", ++ name, strerror(errno)); ++ rc = -1; ++ goto out; ++ } + - } - - for(i = 0; i < size; i++) { - s = PySequence_GetItem($input, i); -- $1[i] = (char*) malloc(PyString_Size(s) + 1); -- strcpy($1[i], PyString_AsString(s)); ++ last_component = strrchr(tmp_path, '/'); + -+ $1[i] = (char*) malloc(PyBytes_Size(s) + 1); -+ strcpy($1[i], PyBytes_AsString(s)); ++ if (last_component == tmp_path) { ++ last_component++; ++ p = strcpy(resolved_path, "/"); ++ } else if (last_component) { ++ *last_component = '\0'; ++ last_component++; ++ p = realpath(tmp_path, resolved_path); ++ } else { ++ last_component = tmp_path; ++ p = realpath("./", resolved_path); ++ } + - } - $1[size] = NULL; - } -diff --git a/libselinux/src/selinuxswig_wrap.c b/libselinux/src/selinuxswig_wrap.c -index e0884f6..b131d2e 100644 ---- a/libselinux/src/selinuxswig_wrap.c -+++ b/libselinux/src/selinuxswig_wrap.c -@@ -1,6 +1,6 @@ - /* ---------------------------------------------------------------------------- - * This file was automatically generated by SWIG (http://www.swig.org). -- * Version 1.3.40 -+ * Version 2.0.1 - * - * This file is not intended to be easily readable and contains a number of - * coding conventions designed to improve portability and efficiency. Do not make -@@ -177,7 +177,7 @@ - /* - Flags/methods for returning states. - -- The SWIG conversion methods, as ConvertPtr, return and integer -+ The SWIG conversion methods, as ConvertPtr, return an integer - that tells if the conversion was successful or not. And if not, - an error code can be returned (see swigerrors.swg for the codes). 
- -@@ -1064,9 +1064,6 @@ SWIGRUNTIME PyObject* SWIG_PyInstanceMethod_New(PyObject *self, PyObject *func) - - - /* ----------------------------------------------------------------------------- -- * See the LICENSE file for information on copyright, usage and redistribution -- * of SWIG, and the README file for authors - http://www.swig.org/release.html. -- * - * pyrun.swg - * - * This file contains the runtime support for Python modules -@@ -1113,8 +1110,18 @@ SWIGRUNTIME PyObject* SWIG_PyInstanceMethod_New(PyObject *self, PyObject *func) - #define SWIG_SetErrorMsg SWIG_Python_SetErrorMsg - #define SWIG_ErrorType(code) SWIG_Python_ErrorType(code) - #define SWIG_Error(code, msg) SWIG_Python_SetErrorMsg(SWIG_ErrorType(code), msg) --#define SWIG_fail goto fail -+#define SWIG_fail goto fail - -+/* -+ * Python 2.7 and newer and Python 3.1 and newer should use Capsules API instead of -+ * CObjects API. -+ */ -+#if ((PY_MAJOR_VERSION == 2 && PY_MINOR_VERSION > 6) || \ -+ (PY_MAJOR_VERSION == 3 && PY_MINOR_VERSION > 0)) -+#define USE_CAPSULES -+#define TYPE_POINTER_NAME \ -+ ((char*)"swig_runtime_data" SWIG_RUNTIME_VERSION ".type_pointer_capsule" SWIG_TYPE_TABLE_NAME) -+#endif - - /* Runtime API implementation */ - -@@ -2047,10 +2054,13 @@ _SWIG_This(void) - return SWIG_Python_str_FromChar("this"); - } - -+static PyObject *swig_this = NULL; ++ if (!p) { ++ fprintf(stderr, "symlink_realpath(%s) realpath() failed: %s\n", ++ name, strerror(errno)); ++ rc = -1; ++ goto out; ++ } + - SWIGRUNTIME PyObject * - SWIG_This(void) - { -- static PyObject *SWIG_STATIC_POINTER(swig_this) = _SWIG_This(); -+ if (swig_this == NULL) -+ swig_this = _SWIG_This(); - return swig_this; - } - -@@ -2154,7 +2164,7 @@ SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int - int newmemory = 0; - *ptr = SWIG_TypeCast(tc,vptr,&newmemory); - if (newmemory == SWIG_CAST_NEW_MEMORY) { -- assert(own); -+ assert(own); /* badly formed typemap which will lead to a memory leak - it must 
set and use own to delete *ptr */ - if (own) - *own = *own | SWIG_CAST_NEW_MEMORY; - } -@@ -2424,8 +2434,12 @@ SWIG_Python_GetModule(void) { - #ifdef SWIG_LINK_RUNTIME - type_pointer = SWIG_ReturnGlobalTypeList((void *)0); - #else -+#ifdef USE_CAPSULES -+ type_pointer = PyCapsule_Import(TYPE_POINTER_NAME, 0); -+#else - type_pointer = PyCObject_Import((char*)"swig_runtime_data" SWIG_RUNTIME_VERSION, - (char*)"type_pointer" SWIG_TYPE_TABLE_NAME); -+#endif - if (PyErr_Occurred()) { - PyErr_Clear(); - type_pointer = (void *)0; -@@ -2470,9 +2484,14 @@ PyModule_AddObject(PyObject *m, char *name, PyObject *o) - SWIGRUNTIME void - SWIG_Python_DestroyModule(void *vptr) - { -+ size_t i; -+#ifdef USE_CAPSULES -+ swig_module_info *swig_module = -+ (swig_module_info *) PyCapsule_GetPointer((PyObject *)vptr, TYPE_POINTER_NAME); -+#else - swig_module_info *swig_module = (swig_module_info *) vptr; -+#endif - swig_type_info **types = swig_module->types; -- size_t i; - for (i =0; i < swig_module->size; ++i) { - swig_type_info *ty = types[i]; - if (ty->owndata) { -@@ -2481,6 +2500,7 @@ SWIG_Python_DestroyModule(void *vptr) - } - } - Py_DECREF(SWIG_This()); -+ swig_this = NULL; - } - - SWIGRUNTIME void -@@ -2494,9 +2514,18 @@ SWIG_Python_SetModule(swig_module_info *swig_module) { - PyObject *module = Py_InitModule((char*)"swig_runtime_data" SWIG_RUNTIME_VERSION, - swig_empty_runtime_method_table); - #endif -+#ifdef USE_CAPSULES -+ PyObject *pointer = PyCapsule_New((void *)swig_module, TYPE_POINTER_NAME, -+ (PyCapsule_Destructor)SWIG_Python_DestroyModule); -+#else - PyObject *pointer = PyCObject_FromVoidPtr((void *) swig_module, SWIG_Python_DestroyModule); -+#endif - if (pointer && module) { -+#ifdef USE_CAPSULES -+ PyModule_AddObject(module, (char*)"type_pointer_capsule" SWIG_TYPE_TABLE_NAME, pointer); -+#else - PyModule_AddObject(module, (char*)"type_pointer" SWIG_TYPE_TABLE_NAME, pointer); -+#endif - } else { - Py_XDECREF(pointer); - } -@@ -2517,12 +2546,20 @@ 
SWIG_Python_TypeQuery(const char *type) - PyObject *obj = PyDict_GetItem(cache, key); - swig_type_info *descriptor; - if (obj) { -+#ifdef USE_CAPSULES -+ descriptor = (swig_type_info *) PyCapsule_GetPointer(obj, type); -+#else - descriptor = (swig_type_info *) PyCObject_AsVoidPtr(obj); -+#endif - } else { - swig_module_info *swig_module = SWIG_Python_GetModule(); - descriptor = SWIG_TypeQueryModule(swig_module, swig_module, type); - if (descriptor) { -+#ifdef USE_CAPSULES -+ obj = PyCapsule_New(descriptor, type, NULL); -+#else - obj = PyCObject_FromVoidPtr(descriptor, NULL); -+#endif - PyDict_SetItem(cache, key, obj); - Py_DECREF(obj); - } -@@ -2717,7 +2754,7 @@ static swig_module_info swig_module = {swig_types, 34, 0, 0, 0, 0}; - #endif - #define SWIG_name "_selinux" - --#define SWIGVERSION 0x010340 -+#define SWIGVERSION 0x020001 - #define SWIG_VERSION SWIGVERSION - - -@@ -3345,7 +3382,7 @@ fail: - - SWIGINTERN PyObject *_wrap_avc_context_to_sid(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - security_id_t *arg2 = (security_id_t *) 0 ; - int res1 ; - char *buf1 = 0 ; -@@ -3360,7 +3397,7 @@ SWIGINTERN PyObject *_wrap_avc_context_to_sid(PyObject *SWIGUNUSEDPARM(self), Py - if (!PyArg_ParseTuple(args,(char *)"O:avc_context_to_sid",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "avc_context_to_sid" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "avc_context_to_sid" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - result = (int)avc_context_to_sid(arg1,arg2); -@@ -3383,7 +3420,7 @@ fail: - - SWIGINTERN PyObject *_wrap_avc_context_to_sid_raw(PyObject *SWIGUNUSEDPARM(self), 
PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - security_id_t *arg2 = (security_id_t *) 0 ; - int res1 ; - char *buf1 = 0 ; -@@ -3398,7 +3435,7 @@ SWIGINTERN PyObject *_wrap_avc_context_to_sid_raw(PyObject *SWIGUNUSEDPARM(self) - if (!PyArg_ParseTuple(args,(char *)"O:avc_context_to_sid_raw",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "avc_context_to_sid_raw" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "avc_context_to_sid_raw" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - result = (int)avc_context_to_sid_raw(arg1,arg2); -@@ -5641,7 +5678,9 @@ SWIGINTERN PyObject *_wrap_get_ordered_context_list(PyObject *SWIGUNUSEDPARM(sel - if (*arg3) { - plist = PyList_New(result); - for (i = 0; i < result; i++) { -- PyList_SetItem(plist, i, PyString_FromString((*arg3)[i])); -+ PyList_SetItem(plist, i, -+ PyBytes_FromString((*arg3)[i]) -+ ); - } - } else { - plist = PyList_New(0); -@@ -5714,7 +5753,9 @@ SWIGINTERN PyObject *_wrap_get_ordered_context_list_with_level(PyObject *SWIGUNU - if (*arg4) { - plist = PyList_New(result); - for (i = 0; i < result; i++) { -- PyList_SetItem(plist, i, PyString_FromString((*arg4)[i])); -+ PyList_SetItem(plist, i, -+ PyBytes_FromString((*arg4)[i]) -+ ); - } - } else { - plist = PyList_New(0); -@@ -6390,7 +6431,7 @@ fail: - - SWIGINTERN PyObject *_wrap_setcon(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - int res1 ; - char *buf1 = 0 ; - int alloc1 = 0 ; -@@ -6400,7 +6441,7 @@ SWIGINTERN PyObject *_wrap_setcon(PyObject 
*SWIGUNUSEDPARM(self), PyObject *args - if (!PyArg_ParseTuple(args,(char *)"O:setcon",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setcon" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setcon" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -6421,7 +6462,7 @@ fail: - - SWIGINTERN PyObject *_wrap_setcon_raw(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - int res1 ; - char *buf1 = 0 ; - int alloc1 = 0 ; -@@ -6431,7 +6472,7 @@ SWIGINTERN PyObject *_wrap_setcon_raw(PyObject *SWIGUNUSEDPARM(self), PyObject * - if (!PyArg_ParseTuple(args,(char *)"O:setcon_raw",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setcon_raw" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setcon_raw" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -6650,7 +6691,7 @@ fail: - - SWIGINTERN PyObject *_wrap_setexeccon(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - int res1 ; - char *buf1 = 0 ; - int alloc1 = 0 ; -@@ -6660,7 +6701,7 @@ SWIGINTERN PyObject *_wrap_setexeccon(PyObject *SWIGUNUSEDPARM(self), PyObject * - if (!PyArg_ParseTuple(args,(char *)"O:setexeccon",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- 
SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setexeccon" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setexeccon" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -6681,7 +6722,7 @@ fail: - - SWIGINTERN PyObject *_wrap_setexeccon_raw(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - int res1 ; - char *buf1 = 0 ; - int alloc1 = 0 ; -@@ -6691,7 +6732,7 @@ SWIGINTERN PyObject *_wrap_setexeccon_raw(PyObject *SWIGUNUSEDPARM(self), PyObje - if (!PyArg_ParseTuple(args,(char *)"O:setexeccon_raw",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setexeccon_raw" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setexeccon_raw" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -6772,7 +6813,7 @@ fail: - - SWIGINTERN PyObject *_wrap_setfscreatecon(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - int res1 ; - char *buf1 = 0 ; - int alloc1 = 0 ; -@@ -6782,7 +6823,7 @@ SWIGINTERN PyObject *_wrap_setfscreatecon(PyObject *SWIGUNUSEDPARM(self), PyObje - if (!PyArg_ParseTuple(args,(char *)"O:setfscreatecon",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setfscreatecon" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method 
'" "setfscreatecon" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -6803,7 +6844,7 @@ fail: - - SWIGINTERN PyObject *_wrap_setfscreatecon_raw(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - int res1 ; - char *buf1 = 0 ; - int alloc1 = 0 ; -@@ -6813,7 +6854,7 @@ SWIGINTERN PyObject *_wrap_setfscreatecon_raw(PyObject *SWIGUNUSEDPARM(self), Py - if (!PyArg_ParseTuple(args,(char *)"O:setfscreatecon_raw",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setfscreatecon_raw" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setfscreatecon_raw" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -6894,7 +6935,7 @@ fail: - - SWIGINTERN PyObject *_wrap_setkeycreatecon(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - int res1 ; - char *buf1 = 0 ; - int alloc1 = 0 ; -@@ -6904,7 +6945,7 @@ SWIGINTERN PyObject *_wrap_setkeycreatecon(PyObject *SWIGUNUSEDPARM(self), PyObj - if (!PyArg_ParseTuple(args,(char *)"O:setkeycreatecon",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setkeycreatecon" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setkeycreatecon" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -6925,7 +6966,7 @@ fail: 
- - SWIGINTERN PyObject *_wrap_setkeycreatecon_raw(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - int res1 ; - char *buf1 = 0 ; - int alloc1 = 0 ; -@@ -6935,7 +6976,7 @@ SWIGINTERN PyObject *_wrap_setkeycreatecon_raw(PyObject *SWIGUNUSEDPARM(self), P - if (!PyArg_ParseTuple(args,(char *)"O:setkeycreatecon_raw",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setkeycreatecon_raw" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setkeycreatecon_raw" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -7016,7 +7057,7 @@ fail: - - SWIGINTERN PyObject *_wrap_setsockcreatecon(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - int res1 ; - char *buf1 = 0 ; - int alloc1 = 0 ; -@@ -7026,7 +7067,7 @@ SWIGINTERN PyObject *_wrap_setsockcreatecon(PyObject *SWIGUNUSEDPARM(self), PyOb - if (!PyArg_ParseTuple(args,(char *)"O:setsockcreatecon",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setsockcreatecon" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setsockcreatecon" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -7047,7 +7088,7 @@ fail: - - SWIGINTERN PyObject *_wrap_setsockcreatecon_raw(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- 
security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - int res1 ; - char *buf1 = 0 ; - int alloc1 = 0 ; -@@ -7057,7 +7098,7 @@ SWIGINTERN PyObject *_wrap_setsockcreatecon_raw(PyObject *SWIGUNUSEDPARM(self), - if (!PyArg_ParseTuple(args,(char *)"O:setsockcreatecon_raw",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setsockcreatecon_raw" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "setsockcreatecon_raw" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -8514,8 +8555,8 @@ fail: - - SWIGINTERN PyObject *_wrap_security_compute_av(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -- security_context_t arg2 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; -+ security_context_t arg2 = (security_context_t) (security_context_t)0 ; - security_class_t arg3 ; - access_vector_t arg4 ; - struct av_decision *arg5 = (struct av_decision *) 0 ; -@@ -8541,12 +8582,12 @@ SWIGINTERN PyObject *_wrap_security_compute_av(PyObject *SWIGUNUSEDPARM(self), P - if (!PyArg_ParseTuple(args,(char *)"OOOOO:security_compute_av",&obj0,&obj1,&obj2,&obj3,&obj4)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_av" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_av" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2); - if (!SWIG_IsOK(res2)) { 
-- SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_av" "', argument " "2"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_av" "', argument " "2"" of type '" "security_context_t const""'"); - } - arg2 = (security_context_t)(buf2); - ecode3 = SWIG_AsVal_unsigned_SS_short(obj2, &val3); -@@ -8584,8 +8625,8 @@ fail: - - SWIGINTERN PyObject *_wrap_security_compute_av_raw(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -- security_context_t arg2 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; -+ security_context_t arg2 = (security_context_t) (security_context_t)0 ; - security_class_t arg3 ; - access_vector_t arg4 ; - struct av_decision *arg5 = (struct av_decision *) 0 ; -@@ -8611,12 +8652,12 @@ SWIGINTERN PyObject *_wrap_security_compute_av_raw(PyObject *SWIGUNUSEDPARM(self - if (!PyArg_ParseTuple(args,(char *)"OOOOO:security_compute_av_raw",&obj0,&obj1,&obj2,&obj3,&obj4)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_av_raw" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_av_raw" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2); - if (!SWIG_IsOK(res2)) { -- SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_av_raw" "', argument " "2"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_av_raw" "', argument " "2"" of type '" "security_context_t const""'"); - } - arg2 = (security_context_t)(buf2); - ecode3 = SWIG_AsVal_unsigned_SS_short(obj2, 
&val3); -@@ -8654,8 +8695,8 @@ fail: - - SWIGINTERN PyObject *_wrap_security_compute_av_flags(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -- security_context_t arg2 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; -+ security_context_t arg2 = (security_context_t) (security_context_t)0 ; - security_class_t arg3 ; - access_vector_t arg4 ; - struct av_decision *arg5 = (struct av_decision *) 0 ; -@@ -8681,12 +8722,12 @@ SWIGINTERN PyObject *_wrap_security_compute_av_flags(PyObject *SWIGUNUSEDPARM(se - if (!PyArg_ParseTuple(args,(char *)"OOOOO:security_compute_av_flags",&obj0,&obj1,&obj2,&obj3,&obj4)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_av_flags" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_av_flags" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2); - if (!SWIG_IsOK(res2)) { -- SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_av_flags" "', argument " "2"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_av_flags" "', argument " "2"" of type '" "security_context_t const""'"); - } - arg2 = (security_context_t)(buf2); - ecode3 = SWIG_AsVal_unsigned_SS_short(obj2, &val3); -@@ -8724,8 +8765,8 @@ fail: - - SWIGINTERN PyObject *_wrap_security_compute_av_flags_raw(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -- security_context_t arg2 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; -+ 
security_context_t arg2 = (security_context_t) (security_context_t)0 ; - security_class_t arg3 ; - access_vector_t arg4 ; - struct av_decision *arg5 = (struct av_decision *) 0 ; -@@ -8751,12 +8792,12 @@ SWIGINTERN PyObject *_wrap_security_compute_av_flags_raw(PyObject *SWIGUNUSEDPAR - if (!PyArg_ParseTuple(args,(char *)"OOOOO:security_compute_av_flags_raw",&obj0,&obj1,&obj2,&obj3,&obj4)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_av_flags_raw" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_av_flags_raw" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2); - if (!SWIG_IsOK(res2)) { -- SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_av_flags_raw" "', argument " "2"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_av_flags_raw" "', argument " "2"" of type '" "security_context_t const""'"); - } - arg2 = (security_context_t)(buf2); - ecode3 = SWIG_AsVal_unsigned_SS_short(obj2, &val3); -@@ -8794,8 +8835,8 @@ fail: - - SWIGINTERN PyObject *_wrap_security_compute_create(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -- security_context_t arg2 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; -+ security_context_t arg2 = (security_context_t) (security_context_t)0 ; - security_class_t arg3 ; - security_context_t *arg4 = (security_context_t *) 0 ; - int res1 ; -@@ -8816,12 +8857,12 @@ SWIGINTERN PyObject *_wrap_security_compute_create(PyObject *SWIGUNUSEDPARM(self - if (!PyArg_ParseTuple(args,(char 
*)"OOO:security_compute_create",&obj0,&obj1,&obj2)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_create" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_create" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2); - if (!SWIG_IsOK(res2)) { -- SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_create" "', argument " "2"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_create" "', argument " "2"" of type '" "security_context_t const""'"); - } - arg2 = (security_context_t)(buf2); - ecode3 = SWIG_AsVal_unsigned_SS_short(obj2, &val3); -@@ -8857,8 +8898,8 @@ fail: - - SWIGINTERN PyObject *_wrap_security_compute_create_raw(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -- security_context_t arg2 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; -+ security_context_t arg2 = (security_context_t) (security_context_t)0 ; - security_class_t arg3 ; - security_context_t *arg4 = (security_context_t *) 0 ; - int res1 ; -@@ -8879,12 +8920,12 @@ SWIGINTERN PyObject *_wrap_security_compute_create_raw(PyObject *SWIGUNUSEDPARM( - if (!PyArg_ParseTuple(args,(char *)"OOO:security_compute_create_raw",&obj0,&obj1,&obj2)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_create_raw" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_create_raw" "', 
argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2); - if (!SWIG_IsOK(res2)) { -- SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_create_raw" "', argument " "2"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_create_raw" "', argument " "2"" of type '" "security_context_t const""'"); - } - arg2 = (security_context_t)(buf2); - ecode3 = SWIG_AsVal_unsigned_SS_short(obj2, &val3); -@@ -8920,8 +8961,8 @@ fail: - - SWIGINTERN PyObject *_wrap_security_compute_relabel(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -- security_context_t arg2 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; -+ security_context_t arg2 = (security_context_t) (security_context_t)0 ; - security_class_t arg3 ; - security_context_t *arg4 = (security_context_t *) 0 ; - int res1 ; -@@ -8942,12 +8983,12 @@ SWIGINTERN PyObject *_wrap_security_compute_relabel(PyObject *SWIGUNUSEDPARM(sel - if (!PyArg_ParseTuple(args,(char *)"OOO:security_compute_relabel",&obj0,&obj1,&obj2)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_relabel" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_relabel" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2); - if (!SWIG_IsOK(res2)) { -- SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_relabel" "', argument " "2"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res2), "in method '" 
"security_compute_relabel" "', argument " "2"" of type '" "security_context_t const""'"); - } - arg2 = (security_context_t)(buf2); - ecode3 = SWIG_AsVal_unsigned_SS_short(obj2, &val3); -@@ -8983,8 +9024,8 @@ fail: - - SWIGINTERN PyObject *_wrap_security_compute_relabel_raw(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -- security_context_t arg2 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; -+ security_context_t arg2 = (security_context_t) (security_context_t)0 ; - security_class_t arg3 ; - security_context_t *arg4 = (security_context_t *) 0 ; - int res1 ; -@@ -9005,12 +9046,12 @@ SWIGINTERN PyObject *_wrap_security_compute_relabel_raw(PyObject *SWIGUNUSEDPARM - if (!PyArg_ParseTuple(args,(char *)"OOO:security_compute_relabel_raw",&obj0,&obj1,&obj2)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_relabel_raw" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_relabel_raw" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2); - if (!SWIG_IsOK(res2)) { -- SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_relabel_raw" "', argument " "2"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_relabel_raw" "', argument " "2"" of type '" "security_context_t const""'"); - } - arg2 = (security_context_t)(buf2); - ecode3 = SWIG_AsVal_unsigned_SS_short(obj2, &val3); -@@ -9046,8 +9087,8 @@ fail: - - SWIGINTERN PyObject *_wrap_security_compute_member(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t 
arg1 = (security_context_t) 0 ; -- security_context_t arg2 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; -+ security_context_t arg2 = (security_context_t) (security_context_t)0 ; - security_class_t arg3 ; - security_context_t *arg4 = (security_context_t *) 0 ; - int res1 ; -@@ -9068,12 +9109,12 @@ SWIGINTERN PyObject *_wrap_security_compute_member(PyObject *SWIGUNUSEDPARM(self - if (!PyArg_ParseTuple(args,(char *)"OOO:security_compute_member",&obj0,&obj1,&obj2)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_member" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_member" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2); - if (!SWIG_IsOK(res2)) { -- SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_member" "', argument " "2"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_member" "', argument " "2"" of type '" "security_context_t const""'"); - } - arg2 = (security_context_t)(buf2); - ecode3 = SWIG_AsVal_unsigned_SS_short(obj2, &val3); -@@ -9109,8 +9150,8 @@ fail: - - SWIGINTERN PyObject *_wrap_security_compute_member_raw(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -- security_context_t arg2 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; -+ security_context_t arg2 = (security_context_t) (security_context_t)0 ; - security_class_t arg3 ; - security_context_t *arg4 = (security_context_t *) 0 ; - int res1 ; -@@ -9131,12 +9172,12 @@ SWIGINTERN PyObject 
*_wrap_security_compute_member_raw(PyObject *SWIGUNUSEDPARM( - if (!PyArg_ParseTuple(args,(char *)"OOO:security_compute_member_raw",&obj0,&obj1,&obj2)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_member_raw" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_member_raw" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2); - if (!SWIG_IsOK(res2)) { -- SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_member_raw" "', argument " "2"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "security_compute_member_raw" "', argument " "2"" of type '" "security_context_t const""'"); - } - arg2 = (security_context_t)(buf2); - ecode3 = SWIG_AsVal_unsigned_SS_short(obj2, &val3); -@@ -9172,7 +9213,7 @@ fail: - - SWIGINTERN PyObject *_wrap_security_compute_user(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - char *arg2 = (char *) 0 ; - security_context_t **arg3 = (security_context_t **) 0 ; - int res1 ; -@@ -9192,7 +9233,7 @@ SWIGINTERN PyObject *_wrap_security_compute_user(PyObject *SWIGUNUSEDPARM(self), - if (!PyArg_ParseTuple(args,(char *)"OO:security_compute_user",&obj0,&obj1)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_user" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_user" "', argument " "1"" of type '" "security_context_t 
const""'"); - } - arg1 = (security_context_t)(buf1); - res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2); -@@ -9217,7 +9258,9 @@ SWIGINTERN PyObject *_wrap_security_compute_user(PyObject *SWIGUNUSEDPARM(self), - len++; - plist = PyList_New(len); - for (i = 0; i < len; i++) { -- PyList_SetItem(plist, i, PyString_FromString((*arg3)[i])); -+ PyList_SetItem(plist, i, -+ PyBytes_FromString((*arg3)[i]) -+ ); - } - } else { - plist = PyList_New(0); -@@ -9243,7 +9286,7 @@ fail: - - SWIGINTERN PyObject *_wrap_security_compute_user_raw(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - char *arg2 = (char *) 0 ; - security_context_t **arg3 = (security_context_t **) 0 ; - int res1 ; -@@ -9263,7 +9306,7 @@ SWIGINTERN PyObject *_wrap_security_compute_user_raw(PyObject *SWIGUNUSEDPARM(se - if (!PyArg_ParseTuple(args,(char *)"OO:security_compute_user_raw",&obj0,&obj1)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_user_raw" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_compute_user_raw" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2); -@@ -9288,7 +9331,9 @@ SWIGINTERN PyObject *_wrap_security_compute_user_raw(PyObject *SWIGUNUSEDPARM(se - len++; - plist = PyList_New(len); - for (i = 0; i < len; i++) { -- PyList_SetItem(plist, i, PyString_FromString((*arg3)[i])); -+ PyList_SetItem(plist, i, -+ PyBytes_FromString((*arg3)[i]) -+ ); - } - } else { - plist = PyList_New(0); -@@ -9721,7 +9766,7 @@ fail: - - SWIGINTERN PyObject *_wrap_security_check_context(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - 
PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - int res1 ; - char *buf1 = 0 ; - int alloc1 = 0 ; -@@ -9731,7 +9776,7 @@ SWIGINTERN PyObject *_wrap_security_check_context(PyObject *SWIGUNUSEDPARM(self) - if (!PyArg_ParseTuple(args,(char *)"O:security_check_context",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_check_context" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_check_context" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -9752,7 +9797,7 @@ fail: - - SWIGINTERN PyObject *_wrap_security_check_context_raw(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - int res1 ; - char *buf1 = 0 ; - int alloc1 = 0 ; -@@ -9762,7 +9807,7 @@ SWIGINTERN PyObject *_wrap_security_check_context_raw(PyObject *SWIGUNUSEDPARM(s - if (!PyArg_ParseTuple(args,(char *)"O:security_check_context_raw",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_check_context_raw" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_check_context_raw" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -9783,7 +9828,7 @@ fail: - - SWIGINTERN PyObject *_wrap_security_canonicalize_context(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ 
security_context_t arg1 = (security_context_t) (security_context_t)0 ; - security_context_t *arg2 = (security_context_t *) 0 ; - int res1 ; - char *buf1 = 0 ; -@@ -9796,7 +9841,7 @@ SWIGINTERN PyObject *_wrap_security_canonicalize_context(PyObject *SWIGUNUSEDPAR - if (!PyArg_ParseTuple(args,(char *)"O:security_canonicalize_context",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_canonicalize_context" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_canonicalize_context" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -9825,7 +9870,7 @@ fail: - - SWIGINTERN PyObject *_wrap_security_canonicalize_context_raw(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - security_context_t *arg2 = (security_context_t *) 0 ; - int res1 ; - char *buf1 = 0 ; -@@ -9838,7 +9883,7 @@ SWIGINTERN PyObject *_wrap_security_canonicalize_context_raw(PyObject *SWIGUNUSE - if (!PyArg_ParseTuple(args,(char *)"O:security_canonicalize_context_raw",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_canonicalize_context_raw" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "security_canonicalize_context_raw" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -9994,7 +10039,7 @@ SWIGINTERN PyObject *_wrap_security_get_boolean_names(PyObject *SWIGUNUSEDPARM(s - PyObject* list = PyList_New(*arg2); - int i; - for (i = 0; i < *arg2; i++) { -- 
PyList_SetItem(list, i, PyString_FromString((*arg1)[i])); -+ PyList_SetItem(list, i, PyBytes_FromString((*arg1)[i])); - } - resultobj = SWIG_Python_AppendOutput(resultobj, list); - } -@@ -11129,6 +11174,19 @@ fail: - } - - -+SWIGINTERN PyObject *_wrap_selinux_sepgsql_context_path(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { -+ PyObject *resultobj = 0; -+ char *result = 0 ; -+ -+ if (!PyArg_ParseTuple(args,(char *)":selinux_sepgsql_context_path")) SWIG_fail; -+ result = (char *)selinux_sepgsql_context_path(); -+ resultobj = SWIG_FromCharPtr((const char *)result); -+ return resultobj; -+fail: -+ return NULL; ++ len = strlen(p); ++ if (len + strlen(last_component) + 1 > PATH_MAX) { ++ fprintf(stderr, "symlink_realpath(%s) failed: Filename too long \n", ++ name); ++ rc = -1; ++ goto out; ++ } ++ ++ resolved_path += len; ++ strcpy(resolved_path, last_component); ++out: ++ free(tmp_path); ++ return rc; +} + ++int matchpathcon(const char *path, mode_t mode, security_context_t * con) + { ++ char stackpath[PATH_MAX + 1]; ++ char *p = NULL; + if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0)) + return -1; + ++ if (S_ISLNK(mode)) { ++ if (!symlink_realpath(path, stackpath)) ++ path = stackpath; ++ } else { ++ p = realpath(path, stackpath); ++ if (p) ++ path = p; ++ } + - SWIGINTERN PyObject *_wrap_selinux_contexts_path(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; - char *result = 0 ; -@@ -11317,7 +11375,7 @@ fail: - - SWIGINTERN PyObject *_wrap_selinux_check_securetty_context(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - int res1 ; - char *buf1 = 0 ; - int alloc1 = 0 ; -@@ -11327,7 +11385,7 @@ SWIGINTERN PyObject *_wrap_selinux_check_securetty_context(PyObject *SWIGUNUSEDP - if (!PyArg_ParseTuple(args,(char *)"O:selinux_check_securetty_context",&obj0)) SWIG_fail; - res1 = 
SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "selinux_check_securetty_context" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "selinux_check_securetty_context" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -11412,16 +11470,20 @@ SWIGINTERN PyObject *_wrap_rpm_execcon(PyObject *SWIGUNUSEDPARM(self), PyObject - arg3 = (char**) malloc(size + 1); - - for(i = 0; i < size; i++) { -- if (!PyString_Check(PySequence_GetItem(obj2, i))) { -- PyErr_SetString(PyExc_ValueError, "Sequence must contain only strings"); -+ if (!PyBytes_Check(PySequence_GetItem(obj2, i))) { -+ PyErr_SetString(PyExc_ValueError, "Sequence must contain only bytes"); -+ - return NULL; - } -+ - } - - for(i = 0; i < size; i++) { - s = PySequence_GetItem(obj2, i); -- arg3[i] = (char*) malloc(PyString_Size(s) + 1); -- strcpy(arg3[i], PyString_AsString(s)); -+ -+ arg3[i] = (char*) malloc(PyBytes_Size(s) + 1); -+ strcpy(arg3[i], PyBytes_AsString(s)); -+ - } - arg3[size] = NULL; - } -@@ -11439,16 +11501,20 @@ SWIGINTERN PyObject *_wrap_rpm_execcon(PyObject *SWIGUNUSEDPARM(self), PyObject - arg4 = (char**) malloc(size + 1); - - for(i = 0; i < size; i++) { -- if (!PyString_Check(PySequence_GetItem(obj3, i))) { -- PyErr_SetString(PyExc_ValueError, "Sequence must contain only strings"); -+ if (!PyBytes_Check(PySequence_GetItem(obj3, i))) { -+ PyErr_SetString(PyExc_ValueError, "Sequence must contain only bytes"); -+ - return NULL; - } -+ - } - - for(i = 0; i < size; i++) { - s = PySequence_GetItem(obj3, i); -- arg4[i] = (char*) malloc(PyString_Size(s) + 1); -- strcpy(arg4[i], PyString_AsString(s)); -+ -+ arg4[i] = (char*) malloc(PyBytes_Size(s) + 1); -+ strcpy(arg4[i], PyBytes_AsString(s)); -+ - } - arg4[size] = NULL; - } -@@ -11502,7 +11568,7 @@ fail: - - SWIGINTERN PyObject 
*_wrap_is_context_customizable(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - int res1 ; - char *buf1 = 0 ; - int alloc1 = 0 ; -@@ -11512,7 +11578,7 @@ SWIGINTERN PyObject *_wrap_is_context_customizable(PyObject *SWIGUNUSEDPARM(self - if (!PyArg_ParseTuple(args,(char *)"O:is_context_customizable",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "is_context_customizable" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "is_context_customizable" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -11533,7 +11599,7 @@ fail: - - SWIGINTERN PyObject *_wrap_selinux_trans_to_raw_context(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - security_context_t *arg2 = (security_context_t *) 0 ; - int res1 ; - char *buf1 = 0 ; -@@ -11546,7 +11612,7 @@ SWIGINTERN PyObject *_wrap_selinux_trans_to_raw_context(PyObject *SWIGUNUSEDPARM - if (!PyArg_ParseTuple(args,(char *)"O:selinux_trans_to_raw_context",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "selinux_trans_to_raw_context" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "selinux_trans_to_raw_context" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -11575,7 +11641,7 @@ fail: + return notrans ? 
+- selabel_lookup_raw(hnd, con, name, mode) : +- selabel_lookup(hnd, con, name, mode); ++ selabel_lookup_raw(hnd, con, path, mode) : ++ selabel_lookup(hnd, con, path, mode); + } - SWIGINTERN PyObject *_wrap_selinux_raw_to_trans_context(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - security_context_t *arg2 = (security_context_t *) 0 ; - int res1 ; - char *buf1 = 0 ; -@@ -11588,7 +11654,7 @@ SWIGINTERN PyObject *_wrap_selinux_raw_to_trans_context(PyObject *SWIGUNUSEDPARM - if (!PyArg_ParseTuple(args,(char *)"O:selinux_raw_to_trans_context",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "selinux_raw_to_trans_context" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "selinux_raw_to_trans_context" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -11617,7 +11683,7 @@ fail: + int matchpathcon_index(const char *name, mode_t mode, security_context_t * con) +@@ -394,7 +464,7 @@ int selinux_file_context_verify(const char *path, mode_t mode) + rc = lgetfilecon_raw(path, &con); + if (rc == -1) { + if (errno != ENOTSUP) +- return 1; ++ return -1; + else + return 0; + } +@@ -404,11 +474,18 @@ int selinux_file_context_verify(const char *path, mode_t mode) + + if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) { + if (errno != ENOENT) +- rc = 1; ++ rc = -1; + else + rc = 0; +- } else ++ } else { ++ /* ++ * Need to set errno to 0 as it can be set to ENOENT if the ++ * file_contexts.subs file does not exist (see selabel_open in ++ * label.c), thus causing confusion if errno is checked on return. 
++ */ ++ errno = 0; + rc = (selinux_file_context_cmp(fcontext, con) == 0); ++ } - SWIGINTERN PyObject *_wrap_selinux_raw_context_to_color(PyObject *SWIGUNUSEDPARM(self), PyObject *args) { - PyObject *resultobj = 0; -- security_context_t arg1 = (security_context_t) 0 ; -+ security_context_t arg1 = (security_context_t) (security_context_t)0 ; - char **arg2 = (char **) 0 ; - int res1 ; - char *buf1 = 0 ; -@@ -11630,7 +11696,7 @@ SWIGINTERN PyObject *_wrap_selinux_raw_context_to_color(PyObject *SWIGUNUSEDPARM - if (!PyArg_ParseTuple(args,(char *)"O:selinux_raw_context_to_color",&obj0)) SWIG_fail; - res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1); - if (!SWIG_IsOK(res1)) { -- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "selinux_raw_context_to_color" "', argument " "1"" of type '" "security_context_t""'"); -+ SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "selinux_raw_context_to_color" "', argument " "1"" of type '" "security_context_t const""'"); - } - arg1 = (security_context_t)(buf1); - { -@@ -12172,6 +12238,7 @@ static PyMethodDef SwigMethods[] = { - { (char *)"selinux_virtual_domain_context_path", _wrap_selinux_virtual_domain_context_path, METH_VARARGS, NULL}, - { (char *)"selinux_virtual_image_context_path", _wrap_selinux_virtual_image_context_path, METH_VARARGS, NULL}, - { (char *)"selinux_x_context_path", _wrap_selinux_x_context_path, METH_VARARGS, NULL}, -+ { (char *)"selinux_sepgsql_context_path", _wrap_selinux_sepgsql_context_path, METH_VARARGS, NULL}, - { (char *)"selinux_contexts_path", _wrap_selinux_contexts_path, METH_VARARGS, NULL}, - { (char *)"selinux_securetty_types_path", _wrap_selinux_securetty_types_path, METH_VARARGS, NULL}, - { (char *)"selinux_booleans_path", _wrap_selinux_booleans_path, METH_VARARGS, NULL}, -@@ -12185,7 +12252,7 @@ static PyMethodDef SwigMethods[] = { - { (char *)"selinux_check_passwd_access", _wrap_selinux_check_passwd_access, METH_VARARGS, NULL}, - { (char *)"checkPasswdAccess", 
_wrap_checkPasswdAccess, METH_VARARGS, NULL}, - { (char *)"selinux_check_securetty_context", _wrap_selinux_check_securetty_context, METH_VARARGS, NULL}, -- { (char *)"set_selinuxmnt", _wrap_set_selinuxmnt, METH_VARARGS, NULL}, -+ { (char *)"set_selinuxmnto", _wrap_set_selinuxmnt, METH_VARARGS, NULL}, - { (char *)"rpm_execcon", _wrap_rpm_execcon, METH_VARARGS, NULL}, - { (char *)"is_context_customizable", _wrap_is_context_customizable, METH_VARARGS, NULL}, - { (char *)"selinux_trans_to_raw_context", _wrap_selinux_trans_to_raw_context, METH_VARARGS, NULL}, -@@ -12868,15 +12935,15 @@ extern "C" { - } - } - if (ci) { -- size_t shift = (ci->ptype) - types; -- swig_type_info *ty = types_initial[shift]; -- size_t ldoc = (c - methods[i].ml_doc); -- size_t lptr = strlen(ty->name)+2*sizeof(void*)+2; -- char *ndoc = (char*)malloc(ldoc + lptr + 10); -- if (ndoc) { -- char *buff = ndoc; -- void *ptr = (ci->type == SWIG_PY_POINTER) ? ci->pvalue : 0; -- if (ptr) { -+ void *ptr = (ci->type == SWIG_PY_POINTER) ? 
ci->pvalue : 0; -+ if (ptr) { -+ size_t shift = (ci->ptype) - types; -+ swig_type_info *ty = types_initial[shift]; -+ size_t ldoc = (c - methods[i].ml_doc); -+ size_t lptr = strlen(ty->name)+2*sizeof(void*)+2; -+ char *ndoc = (char*)malloc(ldoc + lptr + 10); -+ if (ndoc) { -+ char *buff = ndoc; - strncpy(buff, methods[i].ml_doc, ldoc); - buff += ldoc; - strncpy(buff, "swig_ptr: ", 10); -@@ -14079,6 +14146,7 @@ SWIG_init(void) { - SWIG_Python_SetConstant(d, "SELABEL_CTX_FILE",SWIG_From_int((int)(0))); - SWIG_Python_SetConstant(d, "SELABEL_CTX_MEDIA",SWIG_From_int((int)(1))); - SWIG_Python_SetConstant(d, "SELABEL_CTX_X",SWIG_From_int((int)(2))); -+ SWIG_Python_SetConstant(d, "SELABEL_CTX_DB",SWIG_From_int((int)(3))); - SWIG_Python_SetConstant(d, "SELABEL_OPT_UNUSED",SWIG_From_int((int)(0))); - SWIG_Python_SetConstant(d, "SELABEL_OPT_VALIDATE",SWIG_From_int((int)(1))); - SWIG_Python_SetConstant(d, "SELABEL_OPT_BASEONLY",SWIG_From_int((int)(2))); -@@ -14092,6 +14160,15 @@ SWIG_init(void) { - SWIG_Python_SetConstant(d, "SELABEL_X_SELN",SWIG_From_int((int)(5))); - SWIG_Python_SetConstant(d, "SELABEL_X_POLYPROP",SWIG_From_int((int)(6))); - SWIG_Python_SetConstant(d, "SELABEL_X_POLYSELN",SWIG_From_int((int)(7))); -+ SWIG_Python_SetConstant(d, "SELABEL_DB_DATABASE",SWIG_From_int((int)(1))); -+ SWIG_Python_SetConstant(d, "SELABEL_DB_SCHEMA",SWIG_From_int((int)(2))); -+ SWIG_Python_SetConstant(d, "SELABEL_DB_TABLE",SWIG_From_int((int)(3))); -+ SWIG_Python_SetConstant(d, "SELABEL_DB_COLUMN",SWIG_From_int((int)(4))); -+ SWIG_Python_SetConstant(d, "SELABEL_DB_SEQUENCE",SWIG_From_int((int)(5))); -+ SWIG_Python_SetConstant(d, "SELABEL_DB_VIEW",SWIG_From_int((int)(6))); -+ SWIG_Python_SetConstant(d, "SELABEL_DB_PROCEDURE",SWIG_From_int((int)(7))); -+ SWIG_Python_SetConstant(d, "SELABEL_DB_BLOB",SWIG_From_int((int)(8))); -+ SWIG_Python_SetConstant(d, "SELABEL_DB_TUPLE",SWIG_From_int((int)(9))); - SWIG_Python_SetConstant(d, 
"SELINUX_AVD_FLAGS_PERMISSIVE",SWIG_From_int((int)(0x0001))); - SWIG_Python_SetConstant(d, "SELINUX_CB_LOG",SWIG_From_int((int)(0))); - SWIG_Python_SetConstant(d, "SELINUX_CB_AUDIT",SWIG_From_int((int)(1))); + freecon(con); + freecon(fcontext); diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c -index 4453a88..f1fe506 100644 +index 3ecd52f..5f0a4c2 100644 --- a/libselinux/utils/matchpathcon.c 
+++ b/libselinux/utils/matchpathcon.c -@@ -8,6 +8,49 @@ - #include - #include - #include -+#include -+#include -+ -+ -+static int symlink_realpath(char *name, char *path) -+{ -+ char *p = NULL, *file_sep; -+ char *tmp_path = strdupa(name); -+ size_t len = 0; -+ -+ if (!tmp_path) { -+ fprintf(stderr, "strdupa on %s failed: %s\n", name, -+ strerror(errno)); -+ return -1; -+ } -+ file_sep = strrchr(tmp_path, '/'); -+ if (file_sep == tmp_path) { -+ file_sep++; -+ p = strcpy(path, ""); -+ } else if (file_sep) { -+ *file_sep = 0; -+ file_sep++; -+ p = realpath(tmp_path, path); -+ } else { -+ file_sep = tmp_path; -+ p = realpath("./", path); -+ } -+ if (p) -+ len = strlen(p); -+ if (!p || len + strlen(file_sep) + 2 > PATH_MAX) { -+ fprintf(stderr, "symlink_realpath(%s) failed %s\n", name, -+ strerror(errno)); -+ return -1; -+ } -+ p += len; -+ /* ensure trailing slash of directory name */ -+ if (len == 0 || *(p - 1) != '/') { -+ *p = '/'; -+ p++; -+ } -+ strcpy(p, file_sep); -+ return 0; -+} +@@ -43,63 +43,6 @@ int printmatchpathcon(char *path, int header, int mode) + return 0; + } - void usage(const char *progname) +-/* +- * We do not want to resolve a symlink to a real path if it is the final +- * component of the name. Thus we split the pathname on the last "/" and +- * determine a real path component of the first portion. We then have to +- * copy the last part back on to get the final real path. Wheww. 
+- */ +-static int symlink_realpath(char *name, char *resolved_path) +-{ +- char *last_component; +- char *tmp_path, *p; +- size_t len = 0; +- int rc = 0; +- +- tmp_path = strdup(name); +- if (!tmp_path) { +- fprintf(stderr, "symlink_realpath(%s) strdup() failed: %s\n", +- name, strerror(errno)); +- rc = -1; +- goto out; +- } +- +- last_component = strrchr(tmp_path, '/'); +- +- if (last_component == tmp_path) { +- last_component++; +- p = strcpy(resolved_path, "/"); +- } else if (last_component) { +- *last_component = '\0'; +- last_component++; +- p = realpath(tmp_path, resolved_path); +- } else { +- last_component = tmp_path; +- p = realpath("./", resolved_path); +- } +- +- if (!p) { +- fprintf(stderr, "symlink_realpath(%s) realpath() failed: %s\n", +- name, strerror(errno)); +- rc = -1; +- goto out; +- } +- +- len = strlen(p); +- if (len + strlen(last_component) + 1 > PATH_MAX) { +- fprintf(stderr, "symlink_realpath(%s) failed: Filename too long \n", +- name); +- rc = -1; +- goto out; +- } +- +- resolved_path += len; +- strcpy(resolved_path, last_component); +-out: +- free(tmp_path); +- return rc; +-} +- + int main(int argc, char **argv) { -@@ -103,49 +146,66 @@ int main(int argc, char **argv) - } - } + int i, init = 0; +@@ -166,8 +109,7 @@ int main(int argc, char **argv) for (i = optind; i < argc; i++) { -+ char lnkpath[PATH_MAX + 1]; - int mode = 0; + int rc, mode = 0; struct stat buf; -+ char *newpath = NULL; -+ char *path; - int len = strlen(argv[i]); - if (len > 1 && argv[i][len - 1 ] == '/') { - argv[i][len - 1 ] = '\0'; - } - -- if (lstat(argv[i], &buf) == 0) -+ if (lstat(argv[i], &buf) == 0) { +- char *p, *path = argv[i]; +- char stackpath[PATH_MAX + 1]; ++ char *path = argv[i]; + int len = strlen(path); + if (len > 1 && path[len - 1 ] == '/') + path[len - 1 ] = '\0'; +@@ -175,31 +117,23 @@ int main(int argc, char **argv) + if (lstat(path, &buf) == 0) mode = buf.st_mode; -+ } -+ -+ path = argv[i]; -+ if (S_ISLNK(mode)) { -+ int rc = 
symlink_realpath(argv[i], lnkpath); -+ if (rc >= 0) { -+ path = lnkpath; -+ } -+ } else { -+ if ((newpath = realpath(argv[i], NULL))) { -+ path = newpath; -+ } -+ } +- if (S_ISLNK(mode)) { +- rc = symlink_realpath(path, stackpath); +- if (!rc) +- path = stackpath; +- } else { +- p = realpath(path, stackpath); +- if (p) +- path = p; +- } +- if (verify) { + rc = selinux_file_context_verify(path, mode); + if (quiet) { -- if (selinux_file_context_verify(argv[i], mode)) -+ if (selinux_file_context_verify(path, mode)) +- if (rc) ++ if (rc == 1) continue; else exit(1); } -- if (selinux_file_context_verify(argv[i], mode)) { -- printf("%s verified.\n", argv[i]); -+ if (selinux_file_context_verify(path, mode)) { -+ printf("%s verified.\n", path); + +- if (rc) { ++ if (rc == -1) { ++ printf("%s error: %s\n", path, strerror(errno)); ++ exit(1); ++ } else if (rc == 1) { + printf("%s verified.\n", path); } else { security_context_t con; - int rc; +- int rc; error = 1; if (notrans) -- rc = lgetfilecon_raw(argv[i], &con); -+ rc = lgetfilecon_raw(path, &con); - else -- rc = lgetfilecon(argv[i], &con); -+ rc = lgetfilecon(path, &con); - - if (rc >= 0) { - printf("%s has context %s, should be ", - argv[i], con); -- printmatchpathcon(argv[i], 0, mode); -+ printmatchpathcon(path, 0, mode); - freecon(con); - } else { - printf - ("actual context unknown: %s, should be ", - strerror(errno)); -- printmatchpathcon(argv[i], 0, mode); -+ printmatchpathcon(path, 0, mode); - } - } - } else { -- error |= printmatchpathcon(argv[i], header, mode); -+ error |= printmatchpathcon(path, header, mode); - } -+ free(newpath); newpath = NULL; - } - matchpathcon_fini(); - return error; -diff --git a/libselinux/utils/selinuxexeccon.c b/libselinux/utils/selinuxexeccon.c -new file mode 100644 -index 0000000..c55fde9 ---- /dev/null -+++ b/libselinux/utils/selinuxexeccon.c -@@ -0,0 +1,60 @@ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+void 
usage(char *name, char *detail, int rc) -+{ -+ fprintf(stderr, "usage: %s command [ fromcon ]\n", name); -+ if (detail) -+ fprintf(stderr, "%s: %s\n", name, detail); -+ exit(rc); -+} -+ -+static security_context_t get_selinux_proc_context(const char *command, security_context_t execcon) { -+ security_context_t fcon = NULL, newcon = NULL; -+ -+ int ret = getfilecon(command, &fcon); -+ if (ret < 0) goto err; -+ ret = security_compute_create(execcon, fcon, SECCLASS_PROCESS, &newcon); -+ if (ret < 0) goto err; -+ -+err: -+ freecon(fcon); -+ return newcon; -+} -+ -+int main(int argc, char **argv) -+{ -+ int ret = -1; -+ security_context_t proccon = NULL, con = NULL; -+ if (argc < 2 || argc > 3) -+ usage(argv[0], "Invalid number of arguments", -1); -+ -+ if (argc == 2) { -+ if (getcon(&con) < 0) { -+ perror(argv[0]); -+ return -1; -+ } -+ } else { -+ con = strdup(argv[2]); -+ } -+ -+ proccon = get_selinux_proc_context(argv[1], con); -+ if (proccon) { -+ printf("%s\n", proccon); -+ ret = 0; -+ } else { -+ perror(argv[0]); -+ } -+ -+ free(proccon); -+ free(con); -+ return ret; -+} + rc = lgetfilecon_raw(path, &con); diff --git a/libselinux.spec b/libselinux.spec index a958e0d..3a0215e 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -1,12 +1,12 @@ %global with_python3 1 %define ruby_sitearch %(ruby -rrbconfig -e "puts Config::CONFIG['sitearchdir']") -%define libsepolver 2.0.44-2 +%define libsepolver 2.1.0-1 %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} Summary: SELinux library and simple utilities Name: libselinux -Version: 2.1.0 +Version: 2.1.4 Release: 1%{?dist} License: Public Domain Group: System Environment/Libraries 
@@ -235,6 +235,33 @@ exit 0 %{ruby_sitearch}/selinux.so %changelog +* Thu Aug 18 2011 Dan Walsh - 2.1.4-1 +-Update to upstream +2.1.4 2011-0817 + * mapping fix for invalid class/perms after selinux_set_mapping + * audit2why: work around python bug not defining + * resolv symlinks and dot directories before matching + +2.1.2 2011-0803 + * audit2allow: do not print statistics + * make python bindings for restorecon work on relative path + * fix python audit2why binding error + * support new python3 functions + * do not check fcontext duplicates on use + * Patch for python3 for libselinux + +2.1.1 2011-08-02 + * move .gitignore into utils + * new setexecon utility + * selabel_open fix processing of substitution files + * mountpoint changing patch. + * simplify SRCS in Makefile + +2.1.1 2011-08-01 + * Remove generated files, introduce more .gitignore + + + * Thu Jul 28 2011 Dan Walsh - 2.1.0-1 -Update to upstream * Release, minor version bump
diff --git a/sources b/sources
index 9df4551..1197224 100644
--- a/sources
+++ b/sources
@@ -1,2 +1 @@
-148de887b85cbe1e1da46af360a911f0 libselinux-2.0.102.tgz
-44e3f59aab9cd1009fa2bfd5d4045b63 libselinux-2.1.0.tgz
+d908f2816d00111c222ccd081e7de80d libselinux-2.1.4.tgz