From 958b6d498271529681a21ac47d7fd96b1951b857 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 18 2005 22:27:57 +0000 Subject: - Modify matchpathcon to also process file_contexts.local if it exists --- diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch index a9b83f7..cc26982 100644 --- a/libselinux-rhat.patch +++ b/libselinux-rhat.patch @@ -1,6 +1,7 @@ +Binary files nsalibselinux/debugsources.list and libselinux-1.20.1/debugsources.list differ diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.20.1/include/selinux/selinux.h --- nsalibselinux/include/selinux/selinux.h 2004-12-03 14:40:05.000000000 -0500 -+++ libselinux-1.20.1/include/selinux/selinux.h 2005-01-10 17:30:01.615342019 -0500 ++++ libselinux-1.20.1/include/selinux/selinux.h 2005-01-12 10:13:25.000000000 -0500 @@ -226,6 +226,7 @@ extern const char *selinux_media_context_path(void); extern const char *selinux_contexts_path(void); @@ -22,7 +23,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h lib #endif diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/is_context_customizable.3 libselinux-1.20.1/man/man3/is_context_customizable.3 --- nsalibselinux/man/man3/is_context_customizable.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.20.1/man/man3/is_context_customizable.3 2005-01-10 17:30:01.617341793 -0500 ++++ libselinux-1.20.1/man/man3/is_context_customizable.3 2005-01-12 10:13:25.000000000 -0500 @@ -0,0 +1,22 @@ +.TH "is_context_customizable" "3" "10 January 2005" "dwalsh@redhat.com" "SELinux API documentation" +.SH "NAME" 
@@ -46,9 +47,42 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/is_context_customiza +.SH "FILE" +/etc/selinux/SELINUXTYPE/context/customizable_types + +diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_load_booleans.3 libselinux-1.20.1/man/man3/security_load_booleans.3 +--- nsalibselinux/man/man3/security_load_booleans.3 2004-11-30 15:59:02.000000000 -0500 ++++ libselinux-1.20.1/man/man3/security_load_booleans.3 2005-01-18 17:24:31.326454550 -0500 +@@ -1,10 +1,8 @@ + .TH "security_get_boolean_names" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation" + .SH "NAME" + security_load_booleans, security_set_boolean, security_commit_booleans, +-security_get_boolean_names, security_get_boolean_active, security_get_boolean_pending +-.sp +-routines for manipulating SELinux boolean values +- ++security_get_boolean_names, security_get_boolean_active, ++security_get_boolean_pending \- routines for manipulating SELinux boolean values + .SH "SYNOPSIS" + .B #include + .sp +diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_binary_policy_path.3 libselinux-1.20.1/man/man3/selinux_binary_policy_path.3 +--- nsalibselinux/man/man3/selinux_binary_policy_path.3 2004-11-30 15:59:02.000000000 -0500 ++++ libselinux-1.20.1/man/man3/selinux_binary_policy_path.3 2005-01-18 17:24:31.344452529 -0500 +@@ -1,8 +1,10 @@ + .TH "selinux_binary_policy_path" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation" + .SH "NAME" +-selinux_policy_root, selinux_binary_policy_path, selinux_failsafe_context_path, selinux_removable_context_path, selinux_default_context_path, selinux_user_contexts_path, selinux_file_context_path, selinux_media_context_path, selinux_contexts_path, selinux_booleans_path +-.sp +-These functions return the paths to the active policy configuration ++selinux_policy_root, selinux_binary_policy_path, ++selinux_failsafe_context_path, selinux_removable_context_path, ++selinux_default_context_path, 
selinux_user_contexts_path, ++selinux_file_context_path, selinux_media_context_path, ++selinux_contexts_path, selinux_booleans_path \- These functions return the paths to the active policy configuration + directories and files. + + .SH "SYNOPSIS" diff --exclude-from=exclude -N -u -r nsalibselinux/src/file_path_suffixes.h libselinux-1.20.1/src/file_path_suffixes.h --- nsalibselinux/src/file_path_suffixes.h 2004-10-20 16:31:36.000000000 -0400 -+++ libselinux-1.20.1/src/file_path_suffixes.h 2005-01-10 17:30:01.618341680 -0500 ++++ libselinux-1.20.1/src/file_path_suffixes.h 2005-01-12 10:13:25.000000000 -0500 @@ -9,3 +9,4 @@ S_(BOOLEANS, "/booleans") S_(MEDIA_CONTEXTS, "/contexts/files/media") @@ -56,7 +90,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/file_path_suffixes.h libs +S_(CUSTOMIZABLE_TYPES, "/contexts/customizable_types") diff --exclude-from=exclude -N -u -r nsalibselinux/src/is_customizable_type.c libselinux-1.20.1/src/is_customizable_type.c --- nsalibselinux/src/is_customizable_type.c 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.20.1/src/is_customizable_type.c 2005-01-10 17:47:59.567648626 -0500 ++++ libselinux-1.20.1/src/is_customizable_type.c 2005-01-12 10:13:25.000000000 -0500 @@ -0,0 +1,68 @@ +#include +#include 
@@ -126,9 +160,305 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/is_customizable_type.c li + } + return 0; +} +diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-1.20.1/src/matchpathcon.c +--- nsalibselinux/src/matchpathcon.c 2004-12-29 11:51:23.000000000 -0500 ++++ libselinux-1.20.1/src/matchpathcon.c 2005-01-12 10:13:25.000000000 -0500 +@@ -207,15 +207,135 @@ + } + return; + } +- ++static int process_line( const char *path, char *line_buf, int pass, int lineno) { ++ int items, len, regerr; ++ char *buf_p; ++ char *regex, *type, *context; ++ char *anchored_regex; ++ len = strlen(line_buf); ++ if (line_buf[len - 1] != '\n') { ++ myprintf("%s: line %d is too long, would be truncated, skipping\n", path, lineno); ++ return 0; ++ } ++ line_buf[len - 1] = 0; ++ buf_p = line_buf; ++ while (isspace(*buf_p)) ++ buf_p++; ++ /* Skip comment lines and empty lines. */ ++ if (*buf_p == '#' || *buf_p == 0) ++ return 0; ++ items = ++ sscanf(line_buf, "%as %as %as", ®ex, &type, ++ &context); ++ if (items < 2) { ++ myprintf("%s: line %d is missing fields\n, skipping", path, lineno); ++ return 0; ++ } else if (items == 2) { ++ /* The type field is optional. */ ++ free(context); ++ context = type; ++ type = 0; ++ } ++ ++ if (pass == 1) { ++ /* On the second pass, compile and store the specification in spec. */ ++ const char *reg_buf = regex; ++ char *cp; ++ spec_arr[nspec].stem_id = find_stem_from_spec(®_buf); ++ spec_arr[nspec].regex_str = regex; ++ ++ /* Anchor the regular expression. */ ++ len = strlen(reg_buf); ++ cp = anchored_regex = malloc(len + 3); ++ if (!anchored_regex) ++ return -1; ++ /* Create ^...$ regexp. */ ++ *cp++ = '^'; ++ cp = mempcpy(cp, reg_buf, len); ++ *cp++ = '$'; ++ *cp = '\0'; ++ ++ /* Compile the regular expression. 
*/ ++ regerr = ++ regcomp(&spec_arr[nspec].regex, ++ anchored_regex, ++ REG_EXTENDED | REG_NOSUB); ++ free(anchored_regex); ++ if (regerr < 0) { ++ myprintf("%s: line %d has invalid regex %s\n", path, lineno, anchored_regex); ++ return 0; ++ } ++ ++ /* Convert the type string to a mode format */ ++ spec_arr[nspec].type_str = type; ++ spec_arr[nspec].mode = 0; ++ if (!type) ++ goto skip_type; ++ len = strlen(type); ++ if (type[0] != '-' || len != 2) { ++ myprintf("%s: line %d has invalid file type %s\n", path, lineno, type); ++ return 0; ++ } ++ switch (type[1]) { ++ case 'b': ++ spec_arr[nspec].mode = S_IFBLK; ++ break; ++ case 'c': ++ spec_arr[nspec].mode = S_IFCHR; ++ break; ++ case 'd': ++ spec_arr[nspec].mode = S_IFDIR; ++ break; ++ case 'p': ++ spec_arr[nspec].mode = S_IFIFO; ++ break; ++ case 'l': ++ spec_arr[nspec].mode = S_IFLNK; ++ break; ++ case 's': ++ spec_arr[nspec].mode = S_IFSOCK; ++ break; ++ case '-': ++ spec_arr[nspec].mode = S_IFREG; ++ break; ++ default: ++ myprintf("%s: line %d has invalid file type %s\n", path, lineno, type); ++ return 0; ++ } ++ ++ skip_type: ++ ++ spec_arr[nspec].context = context; ++ ++ if (strcmp(context, "<>")) { ++ if (security_check_context(context) < 0 && errno != ENOENT) { ++ myprintf("%s: line %d has invalid context %s\n", path, lineno, context); ++ return 0; ++ } ++ } ++ ++ /* Determine if specification has ++ * any meta characters in the RE */ ++ spec_hasMetaChars(&spec_arr[nspec]); ++ } ++ ++ nspec++; ++ if (pass == 0) { ++ free(regex); ++ if (type) ++ free(type); ++ free(context); ++ } ++ return 0; ++} + static int matchpathcon_init(void) + { + FILE *fp; + const char *path; +- char line_buf[BUFSIZ + 1], *buf_p; +- char *regex, *type, *context; +- char *anchored_regex; +- int items, len, lineno, pass, regerr, i, j; ++ FILE *localfp; ++ char local_path[PATH_MAX + 1]; ++ char line_buf[BUFSIZ + 1]; ++ int lineno, pass, i, j; + spec_t *spec_copy; + + /* Open the specification file. 
*/ +@@ -223,6 +343,9 @@ + if ((fp = fopen(path, "r")) == NULL) + return -1; + ++ snprintf(local_path, sizeof(local_path), "%s.local", path); ++ localfp = fopen(local_path, "r"); ++ + /* + * Perform two passes over the specification file. + * The first pass counts the number of specifications and +@@ -235,123 +358,15 @@ + lineno = 0; + nspec = 0; + while (fgets_unlocked(line_buf, sizeof line_buf, fp)) { +- lineno++; +- len = strlen(line_buf); +- if (line_buf[len - 1] != '\n') { +- myprintf("%s: line %d is too long, would be truncated, skipping\n", path, lineno); +- continue; +- } +- line_buf[len - 1] = 0; +- buf_p = line_buf; +- while (isspace(*buf_p)) +- buf_p++; +- /* Skip comment lines and empty lines. */ +- if (*buf_p == '#' || *buf_p == 0) +- continue; +- items = +- sscanf(line_buf, "%as %as %as", ®ex, &type, +- &context); +- if (items < 2) { +- myprintf("%s: line %d is missing fields\n, skipping", path, lineno); +- continue; +- } else if (items == 2) { +- /* The type field is optional. */ +- free(context); +- context = type; +- type = 0; +- } +- +- if (pass == 1) { +- /* On the second pass, compile and store the specification in spec. */ +- const char *reg_buf = regex; +- char *cp; +- spec_arr[nspec].stem_id = find_stem_from_spec(®_buf); +- spec_arr[nspec].regex_str = regex; +- +- /* Anchor the regular expression. */ +- len = strlen(reg_buf); +- cp = anchored_regex = malloc(len + 3); +- if (!anchored_regex) ++ if (process_line(path, line_buf, pass, ++lineno) != 0) ++ return -1; ++ } ++ if (localfp) ++ while (fgets_unlocked(line_buf, sizeof line_buf, localfp)) { ++ if (process_line(local_path, line_buf, pass, ++lineno) != 0) + return -1; +- /* Create ^...$ regexp. */ +- *cp++ = '^'; +- cp = mempcpy(cp, reg_buf, len); +- *cp++ = '$'; +- *cp = '\0'; +- +- /* Compile the regular expression. 
*/ +- regerr = +- regcomp(&spec_arr[nspec].regex, +- anchored_regex, +- REG_EXTENDED | REG_NOSUB); +- free(anchored_regex); +- if (regerr < 0) { +- myprintf("%s: line %d has invalid regex %s\n", path, lineno, anchored_regex); +- continue; +- } +- +- /* Convert the type string to a mode format */ +- spec_arr[nspec].type_str = type; +- spec_arr[nspec].mode = 0; +- if (!type) +- goto skip_type; +- len = strlen(type); +- if (type[0] != '-' || len != 2) { +- myprintf("%s: line %d has invalid file type %s\n", path, lineno, type); +- continue; +- } +- switch (type[1]) { +- case 'b': +- spec_arr[nspec].mode = S_IFBLK; +- break; +- case 'c': +- spec_arr[nspec].mode = S_IFCHR; +- break; +- case 'd': +- spec_arr[nspec].mode = S_IFDIR; +- break; +- case 'p': +- spec_arr[nspec].mode = S_IFIFO; +- break; +- case 'l': +- spec_arr[nspec].mode = S_IFLNK; +- break; +- case 's': +- spec_arr[nspec].mode = S_IFSOCK; +- break; +- case '-': +- spec_arr[nspec].mode = S_IFREG; +- break; +- default: +- myprintf("%s: line %d has invalid file type %s\n", path, lineno, type); +- continue; +- } +- +- skip_type: +- +- spec_arr[nspec].context = context; +- +- if (strcmp(context, "<>")) { +- if (security_check_context(context) < 0 && errno != ENOENT) { +- myprintf("%s: line %d has invalid context %s\n", path, lineno, context); +- continue; +- } +- } +- +- /* Determine if specification has +- * any meta characters in the RE */ +- spec_hasMetaChars(&spec_arr[nspec]); + } + +- nspec++; +- if (pass == 0) { +- free(regex); +- if (type) +- free(type); +- free(context); +- } +- } +- + if (pass == 0) { + if (nspec == 0) + return 0; +@@ -360,9 +375,11 @@ + return -1; + memset(spec_arr, '\0', sizeof(spec_t) * nspec); + rewind(fp); ++ if (localfp) rewind(localfp); + } + } + fclose(fp); ++ if (localfp) fclose(localfp); + + /* Move exact pathname specifications to the end. 
*/ + spec_copy = malloc(sizeof(spec_t) * nspec); diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-1.20.1/src/selinux_config.c --- nsalibselinux/src/selinux_config.c 2004-10-20 16:31:36.000000000 -0400 -+++ libselinux-1.20.1/src/selinux_config.c 2005-01-10 17:30:01.838316846 -0500 ++++ libselinux-1.20.1/src/selinux_config.c 2005-01-12 10:13:25.000000000 -0500 @@ -26,7 +26,8 @@ #define BOOLEANS 7 #define MEDIA_CONTEXTS 8 diff --git a/libselinux.spec b/libselinux.spec index 2d69cd9..86593b1 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -1,7 +1,7 @@ Summary: SELinux library and simple utilities Name: libselinux Version: 1.20.1 -Release: 2 +Release: 3 License: Public domain (uncopyrighted) Group: System Environment/Libraries Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz @@ -86,6 +86,9 @@ rm -rf ${RPM_BUILD_ROOT} %{_mandir}/man8/* %changelog +* Wed Jan 12 2005 Dan Walsh 1.20.1-3 +- Modify matchpathcon to also process file_contexts.local if it exists + * Wed Jan 12 2005 Dan Walsh 1.20.1-2 - Add is_customizable_types function call
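Review bot: In process_line the regcomp() result is tested with `if (regerr < 0)`, but regcomp() reports failure with a non-zero positive REG_* code, so an invalid pattern in file_contexts or in the newly read file_contexts.local is never rejected and its entry is kept with a regex_t that failed to compile; the diagnostic on that path also prints `anchored_regex` after the preceding `free(anchored_regex);` has already released it. Test `if (regerr != 0)`, print the message before freeing, e.g. `if (regerr != 0) { myprintf("%s: line %d has invalid regex %s\n", path, lineno, anchored_regex); free(anchored_regex); return 0; }` and only then `free(anchored_regex);`. The same check existed in the body this hunk moves out of matchpathcon_init, but since the code is being rewritten into a helper this is the place to correct it. In matchpathcon_init, `lineno` is not reset before the localfp loop, so any error reported for file_contexts.local carries a line number offset by the length of the main file — add `lineno = 0;` before `while (fgets_unlocked(line_buf, sizeof line_buf, localfp))`. Also, the new `if (process_line(...) != 0) return -1;` exits (and the existing `return 0`/`return -1` exits inside the pass loop) leave both fp and the newly opened localfp unclosed; matchpathcon_init continues past the end of the hunk.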