From 1021fcbc45cc58fb282054e243a983f97bd67706 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Feb 07 2013 18:41:45 +0000
Subject: Update to upstream

* Add sefcontext_compile to compile regex everytime policy is rebuilt
* Cleanup/fix enable/disable/remove module.
* redo genhomedircon minuid
* fixes from coverity
* semanage_store: do not leak memory in semanage_exec_prog
* genhomedircon: remove useless conditional in get_home_dirs
* genhomedircon: double free in get_home_dirs
* fcontext_record: do not leak on error in semanage_fcontext_key_create
* genhomedircon: do not leak on failure in write_gen_home_dir_context
* semanage_store: do not leak fd
* genhomedircon: do not leak shells list
* semanage_store: do not leak on strdup failure
* semanage_store: rewrite for readability
---
diff --git a/.gitignore b/.gitignore
index 672d5c0..f6797d0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -128,3 +128,4 @@ libsemanage-2.0.45.tgz
 /libsemanage-2.1.7.tgz
 /libsemanage-2.1.8.tgz
 /libsemanage-2.1.9.tgz
+/libsemanage-2.1.10.tgz
diff --git a/libsemanage-rhat.patch b/libsemanage-rhat.patch
index 30c8500..780d533 100644
--- a/libsemanage-rhat.patch
+++ b/libsemanage-rhat.patch
@@ -1,370 +1,3 @@ -diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y -index bbdac1d..80d08ec 100644 ---- a/libsemanage/src/conf-parse.y -+++ b/libsemanage/src/conf-parse.y -@@ -58,7 +58,7 @@ static int parse_errors; - } - - %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED --%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS -+%token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS - %token BZIP_BLOCKSIZE BZIP_SMALL - %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END - %token PROG_PATH PROG_ARGS -@@ -230,6 +230,14 @@ command_start: - YYABORT; - } - } -+ | SEFCONTEXT_COMPILE_START { -+ semanage_conf_external_prog_destroy(current_conf->sefcontext_compile); -+ current_conf->sefcontext_compile = NULL; -+ if (new_external_prog(¤t_conf->sefcontext_compile) == -1) { -+ parse_errors++; -+ YYABORT; -+ } -+ } - ; - - verify_block: verify_start external_opts BLOCK_END { -@@ -308,6 +316,20 @@ static int semanage_conf_init(semanage_conf_t * conf) - return -1; - } - -+ if ((conf->sefcontext_compile = -+ calloc(1, sizeof(*(current_conf->sefcontext_compile)))) == NULL) { -+ return -1; -+ } -+ if (access("/sbin/sefcontext_compile", X_OK) == 0) { -+ conf->sefcontext_compile->path = strdup("/sbin/sefcontext_compile"); -+ } else { -+ conf->sefcontext_compile->path = strdup("/usr/sbin/sefcontext_compile"); -+ } -+ if ((conf->sefcontext_compile->path == NULL) || -+ (conf->sefcontext_compile->args = strdup("$@")) == NULL) { -+ return -1; -+ } -+ - return 0; - } - -@@ -363,6 +385,7 @@ void semanage_conf_destroy(semanage_conf_t * conf) - free(conf->ignoredirs); - semanage_conf_external_prog_destroy(conf->load_policy); - semanage_conf_external_prog_destroy(conf->setfiles); -+ semanage_conf_external_prog_destroy(conf->sefcontext_compile); - semanage_conf_external_prog_destroy(conf->mod_prog); - 
semanage_conf_external_prog_destroy(conf->linked_prog); - semanage_conf_external_prog_destroy(conf->kernel_prog); -diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l -index 7ef4154..41ba044 100644 ---- a/libsemanage/src/conf-scan.l -+++ b/libsemanage/src/conf-scan.l -@@ -53,6 +53,7 @@ bzip-blocksize return BZIP_BLOCKSIZE; - bzip-small return BZIP_SMALL; - "[load_policy]" return LOAD_POLICY_START; - "[setfiles]" return SETFILES_START; -+"[sefcontext_compile]" return SEFCONTEXT_COMPILE_START; - "[verify module]" return VERIFY_MOD_START; - "[verify linked]" return VERIFY_LINKED_START; - "[verify kernel]" return VERIFY_KERNEL_START; -diff --git a/libsemanage/src/database_llist.c b/libsemanage/src/database_llist.c -index 5f0c147..53583d4 100644 ---- a/libsemanage/src/database_llist.c -+++ b/libsemanage/src/database_llist.c -@@ -369,9 +369,11 @@ int dbase_llist_list(semanage_handle_t * handle, - ERR(handle, "out of memory"); - - err: -- for (; i >= 0; i--) -- dbase->rtable->free(tmp_records[i]); -- free(tmp_records); -+ if (tmp_records) { -+ for (; i >= 0; i--) -+ dbase->rtable->free(tmp_records[i]); -+ free(tmp_records); -+ } - ERR(handle, "could not allocate record array"); - return STATUS_ERR; - } -diff --git a/libsemanage/src/database_policydb.c b/libsemanage/src/database_policydb.c -index 94850b7..dbb23b2 100644 ---- a/libsemanage/src/database_policydb.c -+++ b/libsemanage/src/database_policydb.c -@@ -462,9 +462,11 @@ static int dbase_policydb_list(semanage_handle_t * handle, - ERR(handle, "out of memory"); - - err: -- for (; list_arg.pos >= 0; list_arg.pos--) -- dbase->rtable->free(tmp_records[list_arg.pos]); -- free(tmp_records); -+ if (tmp_records) { -+ for (; list_arg.pos >= 0; list_arg.pos--) -+ dbase->rtable->free(tmp_records[list_arg.pos]); -+ free(tmp_records); -+ } - ERR(handle, "could not list records"); - return STATUS_ERR; - } -diff --git a/libsemanage/src/debug.c b/libsemanage/src/debug.c -index 90d4b4e..ea51ffb 100644 ---- 
a/libsemanage/src/debug.c -+++ b/libsemanage/src/debug.c -@@ -62,11 +62,12 @@ void hidden semanage_msg_default_handler(void *varg __attribute__ ((unused)), - switch (semanage_msg_get_level(handle)) { - - case SEMANAGE_MSG_ERR: -+ stream = stderr; - errsv = errno; -+ break; - case SEMANAGE_MSG_WARN: - stream = stderr; - break; -- case SEMANAGE_MSG_INFO: - default: - stream = stdout; - break; -diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c -index 4f919a6..64dc7d9 100644 ---- a/libsemanage/src/direct_api.c -+++ b/libsemanage/src/direct_api.c -@@ -1306,80 +1306,67 @@ static int semanage_direct_install_base_file(semanage_handle_t * sh, - return retval; - } - --/* Enables a module from the sandbox. Returns 0 on success, -1 if out -- * of memory, -2 if module not found or could not be enabled. */ --static int semanage_direct_enable(semanage_handle_t * sh, char *module_name) --{ -- int i, retval = -1; -- char **module_filenames = NULL; -- int num_mod_files; -- size_t name_len = strlen(module_name); -- if (semanage_get_modules_names(sh, &module_filenames, &num_mod_files) == -- -1) { -- return -1; -+static int get_module_name(semanage_handle_t * sh, char *modulefile, char **module_name) { -+ FILE *fp = NULL; -+ int retval = -1; -+ char *data = NULL; -+ char *version = NULL; -+ ssize_t size; -+ int type; -+ struct sepol_policy_file *pf = NULL; -+ -+ if (sepol_policy_file_create(&pf)) { -+ ERR(sh, "Out of memory!"); -+ goto cleanup; - } -- for (i = 0; i < num_mod_files; i++) { -- char *base = strrchr(module_filenames[i], '/'); -- if (base == NULL) { -- ERR(sh, "Could not read module names."); -- retval = -2; -- goto cleanup; -- } -- base++; -- if (memcmp(module_name, base, name_len) == 0) { -+ sepol_policy_file_set_handle(pf, sh->sepolh); - -- if (semanage_enable_module(module_filenames[i]) < 0) { -- ERR(sh, "Could not enable module %s.", module_name); -- retval = -2; -- goto cleanup; -- } -- retval = 0; -- goto cleanup; -- } -+ if ((fp = 
fopen(modulefile, "rb")) == NULL) { -+ goto cleanup; - } -- ERR(sh, "Module %s was not found.", module_name); -- retval = -2; /* module not found */ -- cleanup: -- for (i = 0; module_filenames != NULL && i < num_mod_files; i++) { -- free(module_filenames[i]); -+ if ((size = bunzip(sh, fp, &data)) > 0) { -+ sepol_policy_file_set_mem(pf, data, size); -+ } else { -+ rewind(fp); -+ __fsetlocking(fp, FSETLOCKING_BYCALLER); -+ sepol_policy_file_set_fp(pf, fp); - } -- free(module_filenames); -+ retval = sepol_module_package_info(pf, &type, module_name, &version); -+ -+cleanup: -+ sepol_policy_file_free(pf); -+ if (fp) -+ fclose(fp); -+ free(data); -+ free(version); - return retval; - } - --/* Disables a module from the sandbox. Returns 0 on success, -1 if out -- * of memory, -2 if module not found or could not be enabled. */ --static int semanage_direct_disable(semanage_handle_t * sh, char *module_name) --{ -+static int get_module_file_by_name(semanage_handle_t * sh, const char *module_name, char **module_file) { - int i, retval = -1; - char **module_filenames = NULL; -+ char *name = NULL; - int num_mod_files; -- size_t name_len = strlen(module_name); - if (semanage_get_modules_names(sh, &module_filenames, &num_mod_files) == - -1) { - return -1; - } - for (i = 0; i < num_mod_files; i++) { -- char *base = strrchr(module_filenames[i], '/'); -- if (base == NULL) { -- ERR(sh, "Could not read module names."); -- retval = -2; -- goto cleanup; -- } -- base++; -- if ((memcmp(module_name, base, name_len) == 0) && -- (strcmp(base + name_len, ".pp") == 0)) { -- if (semanage_disable_module(module_filenames[i]) < 0) { -- retval = -2; -- goto cleanup; -- } -- retval=0; -+ int rc = get_module_name(sh, module_filenames[i], &name); -+ if (rc < 0) -+ continue; -+ if (strcmp(module_name, name) == 0) { -+ *module_file = strdup(module_filenames[i]); -+ if (*module_file) -+ retval = 0; - goto cleanup; - } -+ free(name); name = NULL; - } - ERR(sh, "Module %s was not found.", module_name); - 
retval = -2; /* module not found */ - cleanup: -+ free(name); - for (i = 0; module_filenames != NULL && i < num_mod_files; i++) { - free(module_filenames[i]); - } -@@ -1387,44 +1374,57 @@ static int semanage_direct_disable(semanage_handle_t * sh, char *module_name) - return retval; - } - -+/* Enables a module from the sandbox. Returns 0 on success, -1 if out -+ * of memory, -2 if module not found or could not be enabled. */ -+static int semanage_direct_enable(semanage_handle_t * sh, char *module_name) -+{ -+ char *module_filename = NULL; -+ int retval = get_module_file_by_name(sh, module_name, &module_filename); -+ if (retval < 0) -+ return -1; /* module not found */ -+ retval = semanage_enable_module(module_filename); -+ if (retval < 0) { -+ ERR(sh, "Could not enable module file %s.", -+ module_filename); -+ retval = -2; -+ } -+ free(module_filename); -+ return retval; -+} -+ -+/* Disables a module from the sandbox. Returns 0 on success, -1 if out -+ * of memory, -2 if module not found or could not be enabled. */ -+static int semanage_direct_disable(semanage_handle_t * sh, char *module_name) -+{ -+ char *module_filename = NULL; -+ int retval = get_module_file_by_name(sh, module_name, &module_filename); if (retval < 0) -+ return -1; /* module not found */ -+ retval = semanage_disable_module(module_filename); -+ if (retval < 0) { -+ ERR(sh, "Could not disable module file %s.", -+ module_filename); -+ retval = -2; -+ } -+ free(module_filename); -+ return retval; -+} -+ - /* Removes a module from the sandbox. Returns 0 on success, -1 if out - * of memory, -2 if module not found or could not be removed. 
*/ - static int semanage_direct_remove(semanage_handle_t * sh, char *module_name) - { -- int i, retval = -1; -- char **module_filenames = NULL; -- int num_mod_files; -- size_t name_len = strlen(module_name); -- if (semanage_get_modules_names(sh, &module_filenames, &num_mod_files) == -- -1) { -- return -1; -- } -- for (i = 0; i < num_mod_files; i++) { -- char *base = strrchr(module_filenames[i], '/'); -- if (base == NULL) { -- ERR(sh, "Could not read module names."); -- retval = -2; -- goto cleanup; -- } -- base++; -- if (memcmp(module_name, base, name_len) == 0) { -- semanage_enable_module(module_filenames[i]); -- if (unlink(module_filenames[i]) == -1) { -- ERR(sh, "Could not remove module file %s.", -- module_filenames[i]); -- retval = -2; -- } -- retval = 0; -- goto cleanup; -- } -- } -- ERR(sh, "Module %s was not found.", module_name); -- retval = -2; /* module not found */ -- cleanup: -- for (i = 0; module_filenames != NULL && i < num_mod_files; i++) { -- free(module_filenames[i]); -- } -- free(module_filenames); -+ char *module_filename = NULL; -+ int retval = get_module_file_by_name(sh, module_name, &module_filename); -+ if (retval < 0) -+ return -1; /* module not found */ -+ (void) semanage_enable_module(module_filename); /* Don't care if this fails */ -+ retval = unlink(module_filename); -+ if (retval < 0) { -+ ERR(sh, "Could not remove module file %s.", -+ module_filename); -+ retval = -2; -+ } -+ free(module_filename); - return retval; - } - -diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c -index 15bca6c..26f6dd8 100644 ---- a/libsemanage/src/genhomedircon.c -+++ b/libsemanage/src/genhomedircon.c -@@ -283,7 +283,7 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s) - char *rbuf = NULL; - char *path = NULL; - long rbuflen; -- uid_t temp, minuid = 0; -+ uid_t temp, minuid = 500; - int minuid_set = 0; - struct passwd pwstorage, *pwbuf; - struct stat buf; -@@ -346,11 +346,6 @@ static semanage_list_t 
*get_home_dirs(genhomedircon_settings_t * s) - free(path); - path = NULL; - -- if (!minuid_set) { -- minuid = 500; -- minuid_set = 1; -- } -- - rbuflen = sysconf(_SC_GETPW_R_SIZE_MAX); - if (rbuflen <= 0) - goto fail; diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c index 7fcd2b4..6aa9057 100644 --- a/libsemanage/src/handle.c @@ -424,59 +57,11 @@ index 7fcd2b4..6aa9057 100644 } const char *semanage_usersconf_path() { -diff --git a/libsemanage/src/semanage_conf.h b/libsemanage/src/semanage_conf.h -index 95f8ec3..9b7852c 100644 ---- a/libsemanage/src/semanage_conf.h -+++ b/libsemanage/src/semanage_conf.h -@@ -46,6 +46,7 @@ typedef struct semanage_conf { - char *ignoredirs; /* ";" separated of list for genhomedircon to ignore */ - struct external_prog *load_policy; - struct external_prog *setfiles; -+ struct external_prog *sefcontext_compile; - struct external_prog *mod_prog, *linked_prog, *kernel_prog; - } semanage_conf_t; - diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c -index cd7ce68..66f37ec 100644 +index 57ef49f..7ddaff9 100644 --- a/libsemanage/src/semanage_store.c 
+++ b/libsemanage/src/semanage_store.c -@@ -448,7 +448,7 @@ int semanage_enable_module(const char *file) { - char path[PATH_MAX]; - int n = snprintf(path, PATH_MAX, "%s.%s", file, DISABLESTR); - if (n < 0 || n >= PATH_MAX) -- return 1; -+ return -1; - - if ((unlink(path) < 0) && (errno != ENOENT)) - return -1; -@@ -1061,7 +1061,7 @@ int semanage_split_fc(semanage_handle_t * sh) - } - hd = open(semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL), - O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR); -- if (!hd) { -+ if (hd < 0) { - ERR(sh, "Could not open %s for writing.", - semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL)); - goto cleanup; -@@ -1100,6 +1100,17 @@ int semanage_split_fc(semanage_handle_t * sh) - - } - -+static int sefcontext_compile(semanage_handle_t * sh, const char *path) { -+ -+ int r; -+ if ((r = semanage_exec_prog(sh, sh->conf->sefcontext_compile, path, "")) != 0) { -+ ERR(sh, "sefcontext_compile returned error code %d. Compiling %s", r, path); -+ return -1; -+ } -+ -+ return 0; -+} -+ - /* Actually load the contents of the current active directory into the - * kernel. Return 0 on success, -3 on error. */ - static int semanage_install_active(semanage_handle_t * sh) -@@ -1145,8 +1156,7 @@ static int semanage_install_active(semanage_handle_t * sh) +@@ -1134,8 +1134,7 @@ static int semanage_install_active(semanage_handle_t * sh) if (asprintf(&storepath, "%s%s", semanage_selinux_path(), sh->conf->store_path) < 0) return retval; 
@@ -486,32 +71,3 @@ index cd7ce68..66f37ec 100644 if (semanage_copy_file(active_kernel, store_pol, sh->conf->file_mode) == -1) { ERR(sh, "Could not copy %s to %s.", active_kernel, store_pol); -@@ -1233,6 +1243,16 @@ static int semanage_install_active(semanage_handle_t * sh) - goto cleanup; - } - -+ if (sefcontext_compile(sh, store_fc) != 0) { -+ goto cleanup; -+ } -+ if (sefcontext_compile(sh, store_fc_loc) != 0) { -+ goto cleanup; -+ } -+ if (sefcontext_compile(sh, store_fc_hd) != 0) { -+ goto cleanup; -+ } -+ - retval = 0; - cleanup: - free(storepath); -@@ -1371,6 +1391,11 @@ int semanage_install_sandbox(semanage_handle_t * sh) - goto cleanup; - } - -+ if (sh->conf->sefcontext_compile == NULL) { -+ ERR(sh, "No sefcontext_compile program specified in configuration file."); -+ goto cleanup; -+ } -+ - if ((commit_num = semanage_commit_sandbox(sh)) < 0) { - retval = commit_num; - goto cleanup; diff --git a/libsemanage.spec b/libsemanage.spec index dabd26e..7acd2b7 100644 --- a/libsemanage.spec +++ b/libsemanage.spec @@ -4,13 +4,13 @@ %{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print (get_python_lib(1))")} %endif -%define libsepolver 2.1.8-5 -%define libselinuxver 2.1.12-10 +%define libsepolver 2.1.9-1 +%define libselinuxver 2.1.13-1 Summary: SELinux binary policy manipulation library Name: libsemanage -Version: 2.1.9 -Release: 4%{?dist} +Version: 2.1.10 +Release: 1%{?dist} License: LGPLv2+ Group: System Environment/Libraries Source: libsemanage-%{version}.tgz 
@@ -181,6 +181,22 @@ rm -rf ${RPM_BUILD_ROOT} %endif # if with_python3 %changelog +* Thu Feb 7 2013 Dan Walsh - 2.1.10-1 +- Update to upstream + * Add sefcontext_compile to compile regex everytime policy is rebuilt + * Cleanup/fix enable/disable/remove module. + * redo genhomedircon minuid + * fixes from coverity + * semanage_store: do not leak memory in semanage_exec_prog + * genhomedircon: remove useless conditional in get_home_dirs + * genhomedircon: double free in get_home_dirs + * fcontext_record: do not leak on error in semanage_fcontext_key_create + * genhomedircon: do not leak on failure in write_gen_home_dir_context + * semanage_store: do not leak fd + * genhomedircon: do not leak shells list + * semanage_store: do not leak on strdup failure + * semanage_store: rewrite for readability + * Wed Jan 16 2013 Dan Walsh 2.1.9-4 - Add selinux-policy as a requires to get /etc/selinux owned @@ -487,12 +503,12 @@ invoking the appropriate config tool (or by hardcoding the old value for * Modify genhomedircon to skip groupname entries. Ultimately we need to expand them to the list of users to support per-role homedir labeling when using the groupname syntax. -* Wed Jul 29 2008 Dan Walsh - 2.0.26-1 +* Tue Jul 29 2008 Dan Walsh - 2.0.26-1 - Update to upstream * Fix bug in genhomedircon fcontext matches logic from Dan Walsh. Strip any trailing slash before appending /*$. -* Thu Jun 17 2008 Dan Walsh - 2.0.25-3 +* Tue Jun 17 2008 Dan Walsh - 2.0.25-3 - Another fix for genhomedircon * Wed May 28 2008 Tom "spot" Callaway - 2.0.25-2 
@@ -862,14 +878,14 @@ invoking the appropriate config tool (or by hardcoding the old value for bug noticed by Steve Grubb. * Merged cleanups after add/set removal patch from Ivan Gyurdiev. -* Fri Jan 7 2006 Dan Walsh 1.5.9-1 +* Sat Jan 7 2006 Dan Walsh 1.5.9-1 - Upgrade to latest from NSA * Merged const in APIs patch from Ivan Gyurdiev. * Merged validation of local file contexts patch from Ivan Gyurdiev. * Merged compare2 function patch from Ivan Gyurdiev. * Merged hidden def/proto update patch from Ivan Gyurdiev. -* Thu Jan 6 2006 Dan Walsh 1.5.8-1 +* Fri Jan 6 2006 Dan Walsh 1.5.8-1 - Upgrade to latest from NSA * Re-applied string and file optimization patch from Russell Coker, with bug fix. @@ -877,7 +893,7 @@ invoking the appropriate config tool (or by hardcoding the old value for * Clarified error messages from parse_module_headers and parse_base_headers for base/module mismatches. -* Thu Jan 6 2006 Dan Walsh 1.5.6-1 +* Fri Jan 6 2006 Dan Walsh 1.5.6-1 - Upgrade to latest from NSA * Clarified error messages from parse_module_headers and parse_base_headers for base/module mismatches. @@ -890,10 +906,10 @@ invoking the appropriate config tool (or by hardcoding the old value for * Merged man pages for dbase functions patch from Ivan Gyurdiev. * Merged pywrap tests patch from Ivan Gyurdiev. -* Wed Jan 5 2006 Dan Walsh 1.5.4-2 +* Thu Jan 5 2006 Dan Walsh 1.5.4-2 - Patch to fix add -* Wed Jan 5 2006 Dan Walsh 1.5.4-1 +* Thu Jan 5 2006 Dan Walsh 1.5.4-1 - Upgrade to latest from NSA * Merged patch series from Ivan Gyurdiev. This includes patches to: @@ -970,7 +986,7 @@ invoking the appropriate config tool (or by hardcoding the old value for * Wed Nov 23 2005 Dan Walsh 1.3.56-2 - Add additional swig objects -* Fri Nov 16 2005 Dan Walsh 1.3.56-1 +* Wed Nov 16 2005 Dan Walsh 1.3.56-1 - Upgrade to latest from NSA * Fixed free->key_free bug. * Merged clear obsolete patch from Ivan Gyurdiev. diff --git a/sources b/sources index 9b2666f..b22be83 100644 --- a/sources 
+++ b/sources
@@ -1 +1 @@
-eae2f9c81be857032efde81504b9e82a libsemanage-2.1.9.tgz
+e5ddf9fad55e74b3eb20b5352540d323 libsemanage-2.1.10.tgz