diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch index 227ac07..2157f0f 100644 --- a/libselinux-rhat.patch +++ b/libselinux-rhat.patch @@ -21,6 +21,13 @@ index 6b9089d..aba6e33 100644 extern const char *selinux_failsafe_context_path(void); extern const char *selinux_removable_context_path(void); extern const char *selinux_default_context_path(void); +diff --git a/libselinux/man/man3/mode_to_security_class.3 b/libselinux/man/man3/mode_to_security_class.3 +new file mode 100644 +index 0000000..bda9daf +--- /dev/null ++++ b/libselinux/man/man3/mode_to_security_class.3 +@@ -0,0 +1 @@ ++.so man3/security_class_to_string.3 diff --git a/libselinux/man/man3/security_class_to_string.3 b/libselinux/man/man3/security_class_to_string.3 index 140737e..e82e1d8 100644 --- a/libselinux/man/man3/security_class_to_string.3 @@ -207,7 +214,7 @@ index 825f295..d11c8dc 100644 - S_(BOOLEAN_SUBS, "/booleans.subs") + S_(BOOLEAN_SUBS, "/booleans.subs_dist") diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c -index 02b3cd2..fad8bbd 100644 +index 02b3cd2..301e4d6 100644 --- a/libselinux/src/label_file.c +++ b/libselinux/src/label_file.c @@ -8,6 +8,7 @@ @@ -231,7 +238,7 @@ index 02b3cd2..fad8bbd 100644 #include #include #include -@@ -229,6 +235,167 @@ static int process_line(struct selabel_handle *rec, +@@ -229,6 +235,173 @@ static int process_line(struct selabel_handle *rec, return 0; } 
@@ -254,21 +261,27 @@ index 02b3cd2..fad8bbd 100644 + if (rc >= sizeof(mmap_path)) + return -1; + -+ mmapfd = open(mmap_path, O_RDONLY); ++ mmapfd = open(mmap_path, O_RDONLY | O_CLOEXEC); + if (!mmapfd) + return -1; + + rc = fstat(mmapfd, &mmap_stat); -+ if (rc < 0) ++ if (rc < 0) { ++ close(mmapfd); + return -1; ++ } + + /* if mmap is old, ignore it */ -+ if (mmap_stat.st_mtime < stat->st_mtime) ++ if (mmap_stat.st_mtime < stat->st_mtime) { ++ close(mmapfd); + return -1; ++ } + + if (mmap_stat.st_mtime == stat->st_mtime && -+ mmap_stat.st_mtim.tv_nsec < stat->st_mtim.tv_nsec) ++ mmap_stat.st_mtim.tv_nsec < stat->st_mtim.tv_nsec) { ++ close(mmapfd); + return -1; ++ } + + /* ok, read it in... */ + len = mmap_stat.st_size; @@ -399,7 +412,7 @@ index 02b3cd2..fad8bbd 100644 static int process_file(const char *path, const char *suffix, struct selabel_handle *rec, const char *prefix) { FILE *fp; -@@ -261,6 +428,10 @@ static int process_file(const char *path, const char *suffix, struct selabel_han +@@ -261,6 +434,10 @@ static int process_file(const char *path, const char *suffix, struct selabel_han return -1; } @@ -410,7 +423,7 @@ index 02b3cd2..fad8bbd 100644 /* * The do detailed validation of the input and fill the spec array */ -@@ -270,6 +441,7 @@ static int process_file(const char *path, const char *suffix, struct selabel_han +@@ -270,6 +447,7 @@ static int process_file(const char *path, const char *suffix, struct selabel_han if (rc) return rc; } @@ -418,7 +431,7 @@ index 02b3cd2..fad8bbd 100644 free(line_buf); fclose(fp); -@@ -357,6 +529,8 @@ static void closef(struct selabel_handle *rec) +@@ -357,6 +535,8 @@ static void closef(struct selabel_handle *rec) for (i = 0; i < data->nspec; i++) { spec = &data->spec_arr[i]; 
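Review bot: The failure test after the `open()` call in the nested label_file.c hunk is still `if (!mmapfd)`, but `open()` reports failure as -1, so a failed open is not caught there, and a valid descriptor 0 would be treated as an error and leaked. It should read `if (mmapfd < 0) return -1;`. As written, a failed open only bails out because the following `fstat()` fails, and the newly added `close(mmapfd)` is then called on -1. The function body runs past the end of this hunk, so whether the descriptor is also closed on the later failure paths and on success cannot be confirmed from here and is worth checking in the full patch.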
@@ -427,7 +440,7 @@ index 02b3cd2..fad8bbd 100644 free(spec->regex_str); free(spec->type_str); free(spec->lr.ctx_raw); -@@ -369,6 +543,8 @@ static void closef(struct selabel_handle *rec) +@@ -369,6 +549,8 @@ static void closef(struct selabel_handle *rec) for (i = 0; i < (unsigned int)data->num_stems; i++) { stem = &data->stem_arr[i]; diff --git a/libselinux.spec b/libselinux.spec index 9ece3f0..43a057e 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -10,7 +10,7 @@ Summary: SELinux library and simple utilities Name: libselinux Version: 2.1.12 -Release: 6%{?dist} +Release: 7%{?dist} License: Public Domain Group: System Environment/Libraries Source: %{name}-%{version}.tgz @@ -241,6 +241,9 @@ rm -rf %{buildroot} %{ruby_sitearch}/selinux.so %changelog +* Thu Nov 1 2012 Dan Walsh - 2.1.12-7 +- Apply patch from eparis to fix leaked file descriptor in new labeling code + * Fri Oct 19 2012 Dan Walsh - 2.1.12-6 - Add new function mode_to_security_class which takes mode instead of a string. - Possibly will be used with coreutils.