Binary files nsalibselinux/debugsources.list and libselinux-1.20.1/debugsources.list differ

diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.20.1/include/selinux/selinux.h

--- nsalibselinux/include/selinux/selinux.h	2004-12-03 14:40:05.000000000 -0500

+++ libselinux-1.20.1/include/selinux/selinux.h	2005-01-12 10:13:25.000000000 -0500

@@ -226,6 +226,7 @@

 extern const char *selinux_media_context_path(void);

 extern const char *selinux_contexts_path(void);

 extern const char *selinux_booleans_path(void);

+extern const char *selinux_customizable_types_path(void);

 /* Check a permission in the passwd class.

    Return 0 if granted or -1 otherwise. */

@@ -242,6 +243,10 @@

 		       const char *filename, 

 		       char *const argv[], char *const envp[]);

+/* Returns whether a file context is customizable, and should not 

+   be relabeled . */

+extern int is_context_customizable (security_context_t scontext);

+

 #ifdef __cplusplus

 }

 #endif

diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/is_context_customizable.3 libselinux-1.20.1/man/man3/is_context_customizable.3

--- nsalibselinux/man/man3/is_context_customizable.3	1969-12-31 19:00:00.000000000 -0500

+++ libselinux-1.20.1/man/man3/is_context_customizable.3	2005-01-12 10:13:25.000000000 -0500

@@ -0,0 +1,22 @@

+.TH "is_context_customizable" "3" "10 January 2005" "dwalsh@redhat.com" "SELinux API documentation"

+.SH "NAME"

+is_context_customizable \- check whether context type is customizable by the administrator.

+.SH "SYNOPSIS"

+.B #include <selinux/selinux.h>

+.sp

+.B int is_context_customizable(security_context_t scon);

+

+.SH "DESCRIPTION"

+.B is_context_customizable

+.br

+This function checks whether the type of scon is in the /etc/selinux/SELINUXTYPE/context/customizable_types file.  A customizable type is a file context type that

+administrators set on files, usually to allow certain domains to share the file content. restorecon and setfiles, by default, leave these context in place.

+

+ 

+.SH "RETURN VALUE"

+returns 1 if security context is customizable or 0 if it is not. 

+returns -1 on error

+

+.SH "FILE"

+/etc/selinux/SELINUXTYPE/context/customizable_types

+

diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_load_booleans.3 libselinux-1.20.1/man/man3/security_load_booleans.3

--- nsalibselinux/man/man3/security_load_booleans.3	2004-11-30 15:59:02.000000000 -0500

+++ libselinux-1.20.1/man/man3/security_load_booleans.3	2005-01-18 17:24:31.326454550 -0500

@@ -1,10 +1,8 @@

 .TH "security_get_boolean_names" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation"

 .SH "NAME"

 security_load_booleans, security_set_boolean, security_commit_booleans, 

-security_get_boolean_names, security_get_boolean_active, security_get_boolean_pending 

-.sp

-routines for manipulating SELinux boolean values

-

+security_get_boolean_names, security_get_boolean_active,

+security_get_boolean_pending \- routines for manipulating SELinux boolean values

 .SH "SYNOPSIS"

 .B #include <selinux/selinux.h>

 .sp

diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_binary_policy_path.3 libselinux-1.20.1/man/man3/selinux_binary_policy_path.3

--- nsalibselinux/man/man3/selinux_binary_policy_path.3	2004-11-30 15:59:02.000000000 -0500

+++ libselinux-1.20.1/man/man3/selinux_binary_policy_path.3	2005-01-18 17:24:31.344452529 -0500

@@ -1,8 +1,10 @@

 .TH "selinux_binary_policy_path" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation"

 .SH "NAME"

-selinux_policy_root, selinux_binary_policy_path, selinux_failsafe_context_path, selinux_removable_context_path, selinux_default_context_path, selinux_user_contexts_path, selinux_file_context_path, selinux_media_context_path, selinux_contexts_path, selinux_booleans_path

-.sp

-These functions return the paths to the active policy configuration

+selinux_policy_root, selinux_binary_policy_path,

+selinux_failsafe_context_path, selinux_removable_context_path,

+selinux_default_context_path, selinux_user_contexts_path,

+selinux_file_context_path, selinux_media_context_path,

+selinux_contexts_path, selinux_booleans_path \- These functions return the paths to the active policy configuration

 directories and files.

 .SH "SYNOPSIS"

diff --exclude-from=exclude -N -u -r nsalibselinux/src/file_path_suffixes.h libselinux-1.20.1/src/file_path_suffixes.h

--- nsalibselinux/src/file_path_suffixes.h	2004-10-20 16:31:36.000000000 -0400

+++ libselinux-1.20.1/src/file_path_suffixes.h	2005-01-12 10:13:25.000000000 -0500

@@ -9,3 +9,4 @@

 S_(BOOLEANS, "/booleans")

 S_(MEDIA_CONTEXTS, "/contexts/files/media")

 S_(REMOVABLE_CONTEXT, "/contexts/removable_context")

+S_(CUSTOMIZABLE_TYPES, "/contexts/customizable_types")

diff --exclude-from=exclude -N -u -r nsalibselinux/src/is_customizable_type.c libselinux-1.20.1/src/is_customizable_type.c

--- nsalibselinux/src/is_customizable_type.c	1969-12-31 19:00:00.000000000 -0500

+++ libselinux-1.20.1/src/is_customizable_type.c	2005-01-12 10:13:25.000000000 -0500

@@ -0,0 +1,68 @@

+#include <unistd.h>

+#include <errno.h>

+#include <stdio.h>

+#include <stdlib.h>

+#include <string.h>

+#include <ctype.h>

+#include <pwd.h>

+#include <selinux/selinux.h>

+

+static int get_customizable_type_list (security_context_t **retlist)

+{

+	FILE *fp;

+	char buf[4097];

+	int ctr=0, i;

+	security_context_t *list=NULL;

+

+	fp = fopen(selinux_customizable_types_path(), "r");

+	if (!fp)

+		return -1;

+

+	while (fgets_unlocked(buf, 4096, fp)) {

+		ctr++;

+	}

+	rewind(fp);

+	if (ctr) {

+		list=(security_context_t *) calloc(sizeof(security_context_t *), ctr+1);

+		if (list) {

+		  i=0;

+		  while (fgets_unlocked(buf, 4096, fp)) {

+		    buf[strlen(buf)-1]=0;

+		    list[i++]=(security_context_t) strdup(buf);

+		    if (i>ctr) { 

+		      /* Should never happen */

+		      free(list);

+		      list=NULL;

+		      break;

+		    }

+		  }

+		}

+	}

+	fclose(fp);

+	if (!list)

+		return -1;

+	*retlist=list;

+	return 0;

+}

+

+static security_context_t *customizable_list=NULL;

+

+int is_context_customizable (security_context_t scontext) {

+  int i;

+  char *ptr;

+  if (! customizable_list) {

+    if (get_customizable_type_list(&customizable_list)!=0) 

+      return -1;

+  }

+  

+  ptr=strrchr(scontext, ':');

+  if (ptr) {

+	  ptr++;

+  } else {

+	  ptr=scontext;

+  }

+  for (i = 0; customizable_list[i]; i++) {

+    if (strcmp(customizable_list[i],ptr) == 0) return 1;

+  }

+  return 0;

+}

diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-1.20.1/src/matchpathcon.c

--- nsalibselinux/src/matchpathcon.c	2004-12-29 11:51:23.000000000 -0500

+++ libselinux-1.20.1/src/matchpathcon.c	2005-01-12 10:13:25.000000000 -0500

@@ -207,15 +207,135 @@

 	}

 	return;

 }

-

+static int process_line( const char *path, char *line_buf, int pass, int lineno) {

+	int items, len, regerr;

+	char *buf_p;

+	char *regex, *type, *context;

+	char *anchored_regex;

+	len = strlen(line_buf);

+	if (line_buf[len - 1] != '\n') {

+		myprintf("%s:  line %d is too long, would be truncated, skipping\n", path, lineno); 

+		return 0;

+	}

+	line_buf[len - 1] = 0;

+	buf_p = line_buf;

+	while (isspace(*buf_p))

+		buf_p++;

+	/* Skip comment lines and empty lines. */

+	if (*buf_p == '#' || *buf_p == 0)

+		return 0;

+	items =

+		sscanf(line_buf, "%as %as %as", &regex, &type,

+		       &context);

+	if (items < 2) {

+		myprintf("%s:  line %d is missing fields\n, skipping", path, lineno); 

+		return 0;

+	} else if (items == 2) {

+		/* The type field is optional. */

+		free(context);

+		context = type;

+		type = 0;

+	}

+	

+	if (pass == 1) {

+		/* On the second pass, compile and store the specification in spec. */

+		const char *reg_buf = regex;

+		char *cp;

+		spec_arr[nspec].stem_id = find_stem_from_spec(&reg_buf);

+		spec_arr[nspec].regex_str = regex;

+		

+		/* Anchor the regular expression. */

+		len = strlen(reg_buf);

+		cp = anchored_regex = malloc(len + 3);

+		if (!anchored_regex)

+			return -1;

+		/* Create ^...$ regexp.  */

+		*cp++ = '^';

+		cp = mempcpy(cp, reg_buf, len);

+		*cp++ = '$';

+		*cp = '\0';

+		

+		/* Compile the regular expression. */

+		regerr =

+			regcomp(&spec_arr[nspec].regex,

+				anchored_regex,

+				REG_EXTENDED | REG_NOSUB);

+		free(anchored_regex);

+		if (regerr < 0) {

+			myprintf("%s:  line %d has invalid regex %s\n", path, lineno, anchored_regex); 

+			return 0;

+		}

+		

+		/* Convert the type string to a mode format */

+		spec_arr[nspec].type_str = type;

+		spec_arr[nspec].mode = 0;

+		if (!type)

+			goto skip_type;

+		len = strlen(type);

+		if (type[0] != '-' || len != 2) {

+			myprintf("%s:  line %d has invalid file type %s\n", path, lineno, type); 

+			return 0;

+		}

+		switch (type[1]) {

+		case 'b':

+			spec_arr[nspec].mode = S_IFBLK;

+			break;

+		case 'c':

+			spec_arr[nspec].mode = S_IFCHR;

+			break;

+		case 'd':

+			spec_arr[nspec].mode = S_IFDIR;

+			break;

+		case 'p':

+			spec_arr[nspec].mode = S_IFIFO;

+			break;

+		case 'l':

+			spec_arr[nspec].mode = S_IFLNK;

+			break;

+		case 's':

+			spec_arr[nspec].mode = S_IFSOCK;

+			break;

+		case '-':

+			spec_arr[nspec].mode = S_IFREG;

+			break;

+		default:

+			myprintf("%s:  line %d has invalid file type %s\n", path, lineno, type); 

+			return 0;

+		}

+		

+	skip_type:

+		

+		spec_arr[nspec].context = context;

+		

+		if (strcmp(context, "<<none>>")) {

+			if (security_check_context(context) < 0 && errno != ENOENT) {

+				myprintf("%s:  line %d has invalid context %s\n", path, lineno, context); 

+				return 0;

+			}

+		}

+		

+		/* Determine if specification has 

+		 * any meta characters in the RE */

+		spec_hasMetaChars(&spec_arr[nspec]);

+	}

+	

+	nspec++;

+	if (pass == 0) {

+		free(regex);

+		if (type)

+			free(type);

+		free(context);

+	}

+	return 0;

+}

 static int matchpathcon_init(void)

 {

 	FILE *fp;

 	const char *path;

-	char line_buf[BUFSIZ + 1], *buf_p;

-	char *regex, *type, *context;

-	char *anchored_regex;

-	int items, len, lineno, pass, regerr, i, j;

+	FILE *localfp;

+	char local_path[PATH_MAX + 1];

+	char line_buf[BUFSIZ + 1];

+	int lineno, pass, i, j;

 	spec_t *spec_copy;

 	/* Open the specification file. */

@@ -223,6 +343,9 @@

 	if ((fp = fopen(path, "r")) == NULL)

 		return -1;

+	snprintf(local_path, sizeof(local_path), "%s.local", path);

+	localfp = fopen(local_path, "r");

+

 	/* 

 	 * Perform two passes over the specification file.

 	 * The first pass counts the number of specifications and

@@ -235,123 +358,15 @@

 		lineno = 0;

 		nspec = 0;

 		while (fgets_unlocked(line_buf, sizeof line_buf, fp)) {

-			lineno++;

-			len = strlen(line_buf);

-			if (line_buf[len - 1] != '\n') {

-				myprintf("%s:  line %d is too long, would be truncated, skipping\n", path, lineno); 

-				continue;

-			}

-			line_buf[len - 1] = 0;

-			buf_p = line_buf;

-			while (isspace(*buf_p))

-				buf_p++;

-			/* Skip comment lines and empty lines. */

-			if (*buf_p == '#' || *buf_p == 0)

-				continue;

-			items =

-			    sscanf(line_buf, "%as %as %as", &regex, &type,

-				   &context);

-			if (items < 2) {

-				myprintf("%s:  line %d is missing fields\n, skipping", path, lineno); 

-				continue;

-			} else if (items == 2) {

-				/* The type field is optional. */

-				free(context);

-				context = type;

-				type = 0;

-			}

-

-			if (pass == 1) {

-				/* On the second pass, compile and store the specification in spec. */

-				const char *reg_buf = regex;

-				char *cp;

-				spec_arr[nspec].stem_id = find_stem_from_spec(&reg_buf);

-				spec_arr[nspec].regex_str = regex;

-

-				/* Anchor the regular expression. */

-				len = strlen(reg_buf);

-				cp = anchored_regex = malloc(len + 3);

-				if (!anchored_regex)

+			if (process_line(path, line_buf, pass, ++lineno) != 0)

+				return -1;

+		}

+		if (localfp) 

+			while (fgets_unlocked(line_buf, sizeof line_buf, localfp)) {

+				if (process_line(local_path, line_buf, pass, ++lineno) != 0)

 					return -1;

-				/* Create ^...$ regexp.  */

-				*cp++ = '^';

-				cp = mempcpy(cp, reg_buf, len);

-				*cp++ = '$';

-				*cp = '\0';

-

-				/* Compile the regular expression. */

-				regerr =

-				    regcomp(&spec_arr[nspec].regex,

-					    anchored_regex,

-					    REG_EXTENDED | REG_NOSUB);

-				free(anchored_regex);

-				if (regerr < 0) {

-					myprintf("%s:  line %d has invalid regex %s\n", path, lineno, anchored_regex); 

-					continue;

-				}

-

-				/* Convert the type string to a mode format */

-				spec_arr[nspec].type_str = type;

-				spec_arr[nspec].mode = 0;

-				if (!type)

-					goto skip_type;

-				len = strlen(type);

-				if (type[0] != '-' || len != 2) {

-					myprintf("%s:  line %d has invalid file type %s\n", path, lineno, type); 

-					continue;

-				}

-				switch (type[1]) {

-				case 'b':

-					spec_arr[nspec].mode = S_IFBLK;

-					break;

-				case 'c':

-					spec_arr[nspec].mode = S_IFCHR;

-					break;

-				case 'd':

-					spec_arr[nspec].mode = S_IFDIR;

-					break;

-				case 'p':

-					spec_arr[nspec].mode = S_IFIFO;

-					break;

-				case 'l':

-					spec_arr[nspec].mode = S_IFLNK;

-					break;

-				case 's':

-					spec_arr[nspec].mode = S_IFSOCK;

-					break;

-				case '-':

-					spec_arr[nspec].mode = S_IFREG;

-					break;

-				default:

-					myprintf("%s:  line %d has invalid file type %s\n", path, lineno, type); 

-					continue;

-				}

-

-			      skip_type:

-

-				spec_arr[nspec].context = context;

-

-				if (strcmp(context, "<<none>>")) {

-					if (security_check_context(context) < 0 && errno != ENOENT) {

-						myprintf("%s:  line %d has invalid context %s\n", path, lineno, context); 

-						continue;

-					}

-				}

-

-				/* Determine if specification has 

-				 * any meta characters in the RE */

-				spec_hasMetaChars(&spec_arr[nspec]);

 			}

-			nspec++;

-			if (pass == 0) {

-				free(regex);

-				if (type)

-					free(type);

-				free(context);

-			}

-		}

-

 		if (pass == 0) {

 			if (nspec == 0)

 				return 0;

@@ -360,9 +375,11 @@

 				return -1;

 			memset(spec_arr, '\0', sizeof(spec_t) * nspec);

 			rewind(fp);

+			if (localfp) rewind(localfp);

 		}

 	}

 	fclose(fp);

+	if (localfp) fclose(localfp);

 	/* Move exact pathname specifications to the end. */

 	spec_copy = malloc(sizeof(spec_t) * nspec);

diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-1.20.1/src/selinux_config.c

--- nsalibselinux/src/selinux_config.c	2004-10-20 16:31:36.000000000 -0400

+++ libselinux-1.20.1/src/selinux_config.c	2005-01-12 10:13:25.000000000 -0500

@@ -26,7 +26,8 @@

 #define BOOLEANS          7

 #define MEDIA_CONTEXTS    8

 #define REMOVABLE_CONTEXT 9

-#define NEL               10

+#define CUSTOMIZABLE_TYPES    10

+#define NEL               11

 /* New layout is relative to SELINUXDIR/policytype. */

 static char *file_paths[NEL];

@@ -211,6 +212,10 @@

   return get_path(MEDIA_CONTEXTS);

 }

+const char *selinux_customizable_types_path() {

+  return get_path(CUSTOMIZABLE_TYPES);

+}

+

 const char *selinux_contexts_path() {

   return get_path(CONTEXTS_DIR);

 }