Binary files nsalibselinux/debugsources.list and libselinux-1.20.1/debugsources.list differ
diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.20.1/include/selinux/selinux.h
--- nsalibselinux/include/selinux/selinux.h	2004-12-03 14:40:05.000000000 -0500
+++ libselinux-1.20.1/include/selinux/selinux.h	2005-01-12 10:13:25.000000000 -0500
@@ -226,6 +226,7 @@
 extern const char *selinux_media_context_path(void);
 extern const char *selinux_contexts_path(void);
 extern const char *selinux_booleans_path(void);
+extern const char *selinux_customizable_types_path(void);
 
 /* Check a permission in the passwd class.
    Return 0 if granted or -1 otherwise. */
@@ -242,6 +243,10 @@
 		       const char *filename, 
 		       char *const argv[], char *const envp[]);
 
+/* Returns whether a file context is customizable, and should not 
+   be relabeled . */
+extern int is_context_customizable (security_context_t scontext);
+
 #ifdef __cplusplus
 }
 #endif
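Review bot: The comment above `is_context_customizable` documents only the yes/no outcome, while the man page added in this same change also defines a -1 error return (the customizable-types list could not be loaded); the header is what most callers read, so it should state all three results. Something like `/* Return 1 if the type of scontext is customizable and should not be relabeled, 0 if it is not, -1 on error. */`. The space before the parameter list also differs from the neighbouring declarations in this header.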
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/is_context_customizable.3 libselinux-1.20.1/man/man3/is_context_customizable.3
--- nsalibselinux/man/man3/is_context_customizable.3	1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.20.1/man/man3/is_context_customizable.3	2005-01-12 10:13:25.000000000 -0500
@@ -0,0 +1,22 @@
+.TH "is_context_customizable" "3" "10 January 2005" "dwalsh@redhat.com" "SELinux API documentation"
+.SH "NAME"
+is_context_customizable \- check whether context type is customizable by the administrator.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.B int is_context_customizable(security_context_t scon);
+
+.SH "DESCRIPTION"
+.B is_context_customizable
+.br
+This function checks whether the type of scon is in the /etc/selinux/SELINUXTYPE/context/customizable_types file.  A customizable type is a file context type that
+administrators set on files, usually to allow certain domains to share the file content. restorecon and setfiles, by default, leave these context in place.
+
+ 
+.SH "RETURN VALUE"
+returns 1 if security context is customizable or 0 if it is not. 
+returns -1 on error
+
+.SH "FILE"
+/etc/selinux/SELINUXTYPE/context/customizable_types
+
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_load_booleans.3 libselinux-1.20.1/man/man3/security_load_booleans.3
--- nsalibselinux/man/man3/security_load_booleans.3	2004-11-30 15:59:02.000000000 -0500
+++ libselinux-1.20.1/man/man3/security_load_booleans.3	2005-01-18 17:24:31.326454550 -0500
@@ -1,10 +1,8 @@
 .TH "security_get_boolean_names" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation"
 .SH "NAME"
 security_load_booleans, security_set_boolean, security_commit_booleans, 
-security_get_boolean_names, security_get_boolean_active, security_get_boolean_pending 
-.sp
-routines for manipulating SELinux boolean values
-
+security_get_boolean_names, security_get_boolean_active,
+security_get_boolean_pending \- routines for manipulating SELinux boolean values
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_binary_policy_path.3 libselinux-1.20.1/man/man3/selinux_binary_policy_path.3
--- nsalibselinux/man/man3/selinux_binary_policy_path.3	2004-11-30 15:59:02.000000000 -0500
+++ libselinux-1.20.1/man/man3/selinux_binary_policy_path.3	2005-01-18 17:24:31.344452529 -0500
@@ -1,8 +1,10 @@
 .TH "selinux_binary_policy_path" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation"
 .SH "NAME"
-selinux_policy_root, selinux_binary_policy_path, selinux_failsafe_context_path, selinux_removable_context_path, selinux_default_context_path, selinux_user_contexts_path, selinux_file_context_path, selinux_media_context_path, selinux_contexts_path, selinux_booleans_path
-.sp
-These functions return the paths to the active policy configuration
+selinux_policy_root, selinux_binary_policy_path,
+selinux_failsafe_context_path, selinux_removable_context_path,
+selinux_default_context_path, selinux_user_contexts_path,
+selinux_file_context_path, selinux_media_context_path,
+selinux_contexts_path, selinux_booleans_path \- These functions return the paths to the active policy configuration
 directories and files.
 
 .SH "SYNOPSIS"
diff --exclude-from=exclude -N -u -r nsalibselinux/src/file_path_suffixes.h libselinux-1.20.1/src/file_path_suffixes.h
--- nsalibselinux/src/file_path_suffixes.h	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.20.1/src/file_path_suffixes.h	2005-01-12 10:13:25.000000000 -0500
@@ -9,3 +9,4 @@
 S_(BOOLEANS, "/booleans")
 S_(MEDIA_CONTEXTS, "/contexts/files/media")
 S_(REMOVABLE_CONTEXT, "/contexts/removable_context")
+S_(CUSTOMIZABLE_TYPES, "/contexts/customizable_types")
diff --exclude-from=exclude -N -u -r nsalibselinux/src/is_customizable_type.c libselinux-1.20.1/src/is_customizable_type.c
--- nsalibselinux/src/is_customizable_type.c	1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.20.1/src/is_customizable_type.c	2005-01-12 10:13:25.000000000 -0500
@@ -0,0 +1,68 @@
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <pwd.h>
+#include <selinux/selinux.h>
+
+static int get_customizable_type_list (security_context_t **retlist)
+{
+	FILE *fp;
+	char buf[4097];
+	int ctr=0, i;
+	security_context_t *list=NULL;
+
+	fp = fopen(selinux_customizable_types_path(), "r");
+	if (!fp)
+		return -1;
+
+	while (fgets_unlocked(buf, 4096, fp)) {
+		ctr++;
+	}
+	rewind(fp);
+	if (ctr) {
+		list=(security_context_t *) calloc(sizeof(security_context_t *), ctr+1);
+		if (list) {
+		  i=0;
+		  while (fgets_unlocked(buf, 4096, fp)) {
+		    buf[strlen(buf)-1]=0;
+		    list[i++]=(security_context_t) strdup(buf);
+		    if (i>ctr) { 
+		      /* Should never happen */
+		      free(list);
+		      list=NULL;
+		      break;
+		    }
+		  }
+		}
+	}
+	fclose(fp);
+	if (!list)
+		return -1;
+	*retlist=list;
+	return 0;
+}
+
+static security_context_t *customizable_list=NULL;
+
+int is_context_customizable (security_context_t scontext) {
+  int i;
+  char *ptr;
+  if (! customizable_list) {
+    if (get_customizable_type_list(&customizable_list)!=0) 
+      return -1;
+  }
+  
+  ptr=strrchr(scontext, ':');
+  if (ptr) {
+	  ptr++;
+  } else {
+	  ptr=scontext;
+  }
+  for (i = 0; customizable_list[i]; i++) {
+    if (strcmp(customizable_list[i],ptr) == 0) return 1;
+  }
+  return 0;
+}
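Review bot: `buf[strlen(buf)-1]=0;` in get_customizable_type_list assumes every line returned by fgets_unlocked ends in '\n'; on a final line with no trailing newline, or on the first piece of a line longer than the 4096-byte window, it removes the last character of the type name, so that entry silently never matches. `buf[strcspn(buf, "\n")] = '\0';` strips the newline only when one is present. In is_context_customizable, `strrchr(scontext, ':')` selects the last colon-separated field, which is the type only for a three-field context; if contexts carrying a trailing range field can reach this function, the comparison would be made against the range instead — worth confirming against the context formats the library accepts. A NULL scontext also reaches strrchr unchecked; `if (!scontext) return -1;` before the lookup would cover it, and the `i>ctr` recovery branch frees the array but not the strings already duplicated into it.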
diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-1.20.1/src/matchpathcon.c
--- nsalibselinux/src/matchpathcon.c	2004-12-29 11:51:23.000000000 -0500
+++ libselinux-1.20.1/src/matchpathcon.c	2005-01-12 10:13:25.000000000 -0500
@@ -207,15 +207,135 @@
 	}
 	return;
 }
-
+static int process_line( const char *path, char *line_buf, int pass, int lineno) {
+	int items, len, regerr;
+	char *buf_p;
+	char *regex, *type, *context;
+	char *anchored_regex;
+	len = strlen(line_buf);
+	if (line_buf[len - 1] != '\n') {
+		myprintf("%s:  line %d is too long, would be truncated, skipping\n", path, lineno); 
+		return 0;
+	}
+	line_buf[len - 1] = 0;
+	buf_p = line_buf;
+	while (isspace(*buf_p))
+		buf_p++;
+	/* Skip comment lines and empty lines. */
+	if (*buf_p == '#' || *buf_p == 0)
+		return 0;
+	items =
+		sscanf(line_buf, "%as %as %as", &regex, &type,
+		       &context);
+	if (items < 2) {
+		myprintf("%s:  line %d is missing fields\n, skipping", path, lineno); 
+		return 0;
+	} else if (items == 2) {
+		/* The type field is optional. */
+		free(context);
+		context = type;
+		type = 0;
+	}
+	
+	if (pass == 1) {
+		/* On the second pass, compile and store the specification in spec. */
+		const char *reg_buf = regex;
+		char *cp;
+		spec_arr[nspec].stem_id = find_stem_from_spec(&reg_buf);
+		spec_arr[nspec].regex_str = regex;
+		
+		/* Anchor the regular expression. */
+		len = strlen(reg_buf);
+		cp = anchored_regex = malloc(len + 3);
+		if (!anchored_regex)
+			return -1;
+		/* Create ^...$ regexp.  */
+		*cp++ = '^';
+		cp = mempcpy(cp, reg_buf, len);
+		*cp++ = '$';
+		*cp = '\0';
+		
+		/* Compile the regular expression. */
+		regerr =
+			regcomp(&spec_arr[nspec].regex,
+				anchored_regex,
+				REG_EXTENDED | REG_NOSUB);
+		free(anchored_regex);
+		if (regerr < 0) {
+			myprintf("%s:  line %d has invalid regex %s\n", path, lineno, anchored_regex); 
+			return 0;
+		}
+		
+		/* Convert the type string to a mode format */
+		spec_arr[nspec].type_str = type;
+		spec_arr[nspec].mode = 0;
+		if (!type)
+			goto skip_type;
+		len = strlen(type);
+		if (type[0] != '-' || len != 2) {
+			myprintf("%s:  line %d has invalid file type %s\n", path, lineno, type); 
+			return 0;
+		}
+		switch (type[1]) {
+		case 'b':
+			spec_arr[nspec].mode = S_IFBLK;
+			break;
+		case 'c':
+			spec_arr[nspec].mode = S_IFCHR;
+			break;
+		case 'd':
+			spec_arr[nspec].mode = S_IFDIR;
+			break;
+		case 'p':
+			spec_arr[nspec].mode = S_IFIFO;
+			break;
+		case 'l':
+			spec_arr[nspec].mode = S_IFLNK;
+			break;
+		case 's':
+			spec_arr[nspec].mode = S_IFSOCK;
+			break;
+		case '-':
+			spec_arr[nspec].mode = S_IFREG;
+			break;
+		default:
+			myprintf("%s:  line %d has invalid file type %s\n", path, lineno, type); 
+			return 0;
+		}
+		
+	skip_type:
+		
+		spec_arr[nspec].context = context;
+		
+		if (strcmp(context, "<<none>>")) {
+			if (security_check_context(context) < 0 && errno != ENOENT) {
+				myprintf("%s:  line %d has invalid context %s\n", path, lineno, context); 
+				return 0;
+			}
+		}
+		
+		/* Determine if specification has 
+		 * any meta characters in the RE */
+		spec_hasMetaChars(&spec_arr[nspec]);
+	}
+	
+	nspec++;
+	if (pass == 0) {
+		free(regex);
+		if (type)
+			free(type);
+		free(context);
+	}
+	return 0;
+}
 static int matchpathcon_init(void)
 {
 	FILE *fp;
 	const char *path;
-	char line_buf[BUFSIZ + 1], *buf_p;
-	char *regex, *type, *context;
-	char *anchored_regex;
-	int items, len, lineno, pass, regerr, i, j;
+	FILE *localfp;
+	char local_path[PATH_MAX + 1];
+	char line_buf[BUFSIZ + 1];
+	int lineno, pass, i, j;
 	spec_t *spec_copy;
 
 	/* Open the specification file. */
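Review bot: `if (regerr < 0)` in process_line can never be true, because regcomp() reports failure with a non-zero positive error code, so an invalid regex on pass 1 is left in `spec_arr[nspec].regex` for later matching and its diagnostic is unreachable; had the branch run, it would also print `anchored_regex` one line after `free(anchored_regex)`. Test `if (regerr != 0)`, emit the message, and move the `free(anchored_regex)` after the diagnostic so both paths release it. The same two lines were in the removed matchpathcon_init body, so this is carried over rather than introduced, but the extracted function is the natural place to fix it. matchpathcon_init's body continues past the end of this hunk.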
@@ -223,6 +343,9 @@
 	if ((fp = fopen(path, "r")) == NULL)
 		return -1;
 
+	snprintf(local_path, sizeof(local_path), "%s.local", path);
+	localfp = fopen(local_path, "r");
+
 	/* 
 	 * Perform two passes over the specification file.
 	 * The first pass counts the number of specifications and
@@ -235,123 +358,15 @@
 		lineno = 0;
 		nspec = 0;
 		while (fgets_unlocked(line_buf, sizeof line_buf, fp)) {
-			lineno++;
-			len = strlen(line_buf);
-			if (line_buf[len - 1] != '\n') {
-				myprintf("%s:  line %d is too long, would be truncated, skipping\n", path, lineno); 
-				continue;
-			}
-			line_buf[len - 1] = 0;
-			buf_p = line_buf;
-			while (isspace(*buf_p))
-				buf_p++;
-			/* Skip comment lines and empty lines. */
-			if (*buf_p == '#' || *buf_p == 0)
-				continue;
-			items =
-			    sscanf(line_buf, "%as %as %as", &regex, &type,
-				   &context);
-			if (items < 2) {
-				myprintf("%s:  line %d is missing fields\n, skipping", path, lineno); 
-				continue;
-			} else if (items == 2) {
-				/* The type field is optional. */
-				free(context);
-				context = type;
-				type = 0;
-			}
-
-			if (pass == 1) {
-				/* On the second pass, compile and store the specification in spec. */
-				const char *reg_buf = regex;
-				char *cp;
-				spec_arr[nspec].stem_id = find_stem_from_spec(&reg_buf);
-				spec_arr[nspec].regex_str = regex;
-
-				/* Anchor the regular expression. */
-				len = strlen(reg_buf);
-				cp = anchored_regex = malloc(len + 3);
-				if (!anchored_regex)
+			if (process_line(path, line_buf, pass, ++lineno) != 0)
+				return -1;
+		}
+		if (localfp) 
+			while (fgets_unlocked(line_buf, sizeof line_buf, localfp)) {
+				if (process_line(local_path, line_buf, pass, ++lineno) != 0)
 					return -1;
-				/* Create ^...$ regexp.  */
-				*cp++ = '^';
-				cp = mempcpy(cp, reg_buf, len);
-				*cp++ = '$';
-				*cp = '\0';
-
-				/* Compile the regular expression. */
-				regerr =
-				    regcomp(&spec_arr[nspec].regex,
-					    anchored_regex,
-					    REG_EXTENDED | REG_NOSUB);
-				free(anchored_regex);
-				if (regerr < 0) {
-					myprintf("%s:  line %d has invalid regex %s\n", path, lineno, anchored_regex); 
-					continue;
-				}
-
-				/* Convert the type string to a mode format */
-				spec_arr[nspec].type_str = type;
-				spec_arr[nspec].mode = 0;
-				if (!type)
-					goto skip_type;
-				len = strlen(type);
-				if (type[0] != '-' || len != 2) {
-					myprintf("%s:  line %d has invalid file type %s\n", path, lineno, type); 
-					continue;
-				}
-				switch (type[1]) {
-				case 'b':
-					spec_arr[nspec].mode = S_IFBLK;
-					break;
-				case 'c':
-					spec_arr[nspec].mode = S_IFCHR;
-					break;
-				case 'd':
-					spec_arr[nspec].mode = S_IFDIR;
-					break;
-				case 'p':
-					spec_arr[nspec].mode = S_IFIFO;
-					break;
-				case 'l':
-					spec_arr[nspec].mode = S_IFLNK;
-					break;
-				case 's':
-					spec_arr[nspec].mode = S_IFSOCK;
-					break;
-				case '-':
-					spec_arr[nspec].mode = S_IFREG;
-					break;
-				default:
-					myprintf("%s:  line %d has invalid file type %s\n", path, lineno, type); 
-					continue;
-				}
-
-			      skip_type:
-
-				spec_arr[nspec].context = context;
-
-				if (strcmp(context, "<<none>>")) {
-					if (security_check_context(context) < 0 && errno != ENOENT) {
-						myprintf("%s:  line %d has invalid context %s\n", path, lineno, context); 
-						continue;
-					}
-				}
-
-				/* Determine if specification has 
-				 * any meta characters in the RE */
-				spec_hasMetaChars(&spec_arr[nspec]);
 			}
 
-			nspec++;
-			if (pass == 0) {
-				free(regex);
-				if (type)
-					free(type);
-				free(context);
-			}
-		}
-
 		if (pass == 0) {
 			if (nspec == 0)
 				return 0;
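Review bot: `lineno` is not reset before the `.local` loop, so `process_line(local_path, line_buf, pass, ++lineno)` reports line numbers that continue from the end of the main file and the diagnostics for the local file point at the wrong lines; add `lineno = 0;` just before `if (localfp)`. The added `return -1` on a process_line failure also leaves `fp` and, when open, `localfp` unclosed, mirroring the pre-existing early return; a `goto` to the `fclose` calls at the end of the function would cover both. Bracing the `if (localfp)` body would match the surrounding code. matchpathcon_init continues on both sides of this hunk.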
@@ -360,9 +375,11 @@
 				return -1;
 			memset(spec_arr, '\0', sizeof(spec_t) * nspec);
 			rewind(fp);
+			if (localfp) rewind(localfp);
 		}
 	}
 	fclose(fp);
+	if (localfp) fclose(localfp);
 
 	/* Move exact pathname specifications to the end. */
 	spec_copy = malloc(sizeof(spec_t) * nspec);
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-1.20.1/src/selinux_config.c
--- nsalibselinux/src/selinux_config.c	2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.20.1/src/selinux_config.c	2005-01-12 10:13:25.000000000 -0500
@@ -26,7 +26,8 @@
 #define BOOLEANS          7
 #define MEDIA_CONTEXTS    8
 #define REMOVABLE_CONTEXT 9
-#define NEL               10
+#define CUSTOMIZABLE_TYPES    10
+#define NEL               11
 
 /* New layout is relative to SELINUXDIR/policytype. */
 static char *file_paths[NEL];
@@ -211,6 +212,10 @@
   return get_path(MEDIA_CONTEXTS);
 }
 
+const char *selinux_customizable_types_path() {
+  return get_path(CUSTOMIZABLE_TYPES);
+}
+
 const char *selinux_contexts_path() {
   return get_path(CONTEXTS_DIR);
 }