From 5ad771ed687d0ab8fc998fd07693a5d27cbea143 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Oct 04 2016 06:23:03 +0000 Subject: libselinux-2.5-12 - Fix -Wsign-compare warnings - Drop unused stdio_ext.h header file - Kill logging check for selinux_enabled() - Drop usage of _D_ALLOC_NAMLEN - Add openrc_contexts functions - Fix redefinition of XATTR_NAME_SELINUX - Correct error path to always try text - Clean up process_file() - Handle NULL pcre study data - Fix in tree compilation of utils that depend on libsepol --- diff --git a/libselinux-fedora.patch b/libselinux-fedora.patch index 6f38f15..2aa9e47 100644 --- a/libselinux-fedora.patch +++ b/libselinux-fedora.patch @@ -1,8 +1,18 @@ diff --git libselinux-2.5/ChangeLog libselinux-2.5/ChangeLog -index 24673dd..6588189 100644 +index 24673dd..bc68bed 100644 --- libselinux-2.5/ChangeLog +++ libselinux-2.5/ChangeLog -@@ -1,3 +1,19 @@ +@@ -1,3 +1,29 @@ ++ * Fix -Wsign-compare warnings, from Nicolas Iooss. ++ * Drop unused stdio_ext.h header file, from William Roberts. ++ * Kill logging check for selinux_enabled(), from William Roberts. ++ * Drop usage of _D_ALLOC_NAMLEN, from William Roberts. ++ * Add openrc_contexts functions, from Jason Zaman. ++ * Fix redefinition of XATTR_NAME_SELINUX, from William Roberts. ++ * Correct error path to always try text, from William Roberts. ++ * Clean up process_file(), from William Roberts. ++ * Handle NULL pcre study data, from Stephen Smalley. ++ * Fix in tree compilation of utils that depend on libsepol, from Laurent Bigonville. + * Change the location of _selinux.so, from Petr Lautrbach. + * Clarify is_selinux_mls_enabled() description, from David King. + * Explain how to free policy type from selinux_getpolicytype(), from David King. @@ -494,12 +504,14 @@ index 0000000..fed6de8 + selinux.Test() +} 
diff --git libselinux-2.5/include/selinux/selinux.h libselinux-2.5/include/selinux/selinux.h -index 2262086..3d8673f 100644 +index 2262086..45dd6ca 100644 --- libselinux-2.5/include/selinux/selinux.h +++ libselinux-2.5/include/selinux/selinux.h -@@ -544,6 +544,7 @@ extern const char *selinux_lxc_contexts_path(void); +@@ -543,7 +543,9 @@ extern const char *selinux_virtual_image_context_path(void); + extern const char *selinux_lxc_contexts_path(void); extern const char *selinux_x_context_path(void); extern const char *selinux_sepgsql_context_path(void); ++extern const char *selinux_openrc_contexts_path(void); extern const char *selinux_openssh_contexts_path(void); +extern const char *selinux_snapperd_contexts_path(void); extern const char *selinux_systemd_contexts_path(void); @@ -755,6 +767,36 @@ index 9669264..c775430 100644 *sid = NULL; hvalue = sidtab_hash(ctx); +diff --git libselinux-2.5/src/booleans.c libselinux-2.5/src/booleans.c +index 4b39a28..c438af1 100644 +--- libselinux-2.5/src/booleans.c ++++ libselinux-2.5/src/booleans.c +@@ -63,12 +63,11 @@ int security_get_boolean_names(char ***names, int *len) + } + + for (i = 0; i < *len; i++) { +- n[i] = (char *)malloc(_D_ALLOC_NAMLEN(namelist[i])); ++ n[i] = strdup(namelist[i]->d_name); + if (!n[i]) { + rc = -1; + goto bad_freen; + } +- strcpy(n[i], namelist[i]->d_name); + } + rc = 0; + *names = n; +diff --git libselinux-2.5/src/callbacks.c libselinux-2.5/src/callbacks.c +index cdf7b63..c3cf98b 100644 +--- libselinux-2.5/src/callbacks.c ++++ libselinux-2.5/src/callbacks.c +@@ -16,7 +16,6 @@ default_selinux_log(int type __attribute__((unused)), const char *fmt, ...) + { + int rc; + va_list ap; +- if (is_selinux_enabled() == 0) return 0; + va_start(ap, fmt); + rc = vfprintf(stderr, fmt, ap); + va_end(ap); diff --git libselinux-2.5/src/canonicalize_context.c libselinux-2.5/src/canonicalize_context.c index 7cf3139..364a746 100644 --- libselinux-2.5/src/canonicalize_context.c 
@@ -880,12 +922,14 @@ index b7cff7e..a58bf3f 100755 for i in `awk '/.*extern int/ { print $6 }' temp.aux`; do except $i ; done rm -f -- temp.aux -.o diff --git libselinux-2.5/src/file_path_suffixes.h libselinux-2.5/src/file_path_suffixes.h -index d1f9b48..95b228b 100644 +index d1f9b48..2d3ca49 100644 --- libselinux-2.5/src/file_path_suffixes.h +++ libselinux-2.5/src/file_path_suffixes.h -@@ -24,6 +24,7 @@ S_(BINPOLICY, "/policy/policy") +@@ -23,7 +23,9 @@ S_(BINPOLICY, "/policy/policy") + S_(VIRTUAL_DOMAIN, "/contexts/virtual_domain_context") S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context") S_(LXC_CONTEXTS, "/contexts/lxc_contexts") ++ S_(OPENRC_CONTEXTS, "/contexts/openrc_contexts") S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts") + S_(SNAPPERD_CONTEXTS, "/contexts/snapperd_contexts") S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts") @@ -911,7 +955,7 @@ index 52707d0..0cbe12d 100644 char * ccontext = NULL; int err = errno; diff --git libselinux-2.5/src/init.c libselinux-2.5/src/init.c -index 3db4de0..3c687a2 100644 +index 3db4de0..ddf91f8 100644 --- libselinux-2.5/src/init.c +++ libselinux-2.5/src/init.c @@ -11,7 +11,6 @@ @@ -922,7 +966,15 @@ index 3db4de0..3c687a2 100644 #include "dso.h" #include "policy.h" -@@ -57,20 +56,15 @@ static int verify_selinuxmnt(const char *mnt) +@@ -20,7 +19,6 @@ + + char *selinux_mnt = NULL; + int selinux_page_size = 0; +-int obj_class_compat = 1; + + int has_selinux_config = 0; + +@@ -57,20 +55,15 @@ static int verify_selinuxmnt(const char *mnt) int selinuxfs_exists(void) { @@ -946,7 +998,7 @@ index 3db4de0..3c687a2 100644 __fsetlocking(fp, FSETLOCKING_BYCALLER); num = getline(&buf, &len, fp); -@@ -84,14 +78,6 @@ int selinuxfs_exists(void) +@@ -84,14 +77,6 @@ int selinuxfs_exists(void) free(buf); fclose(fp); 
@@ -961,6 +1013,583 @@ index 3db4de0..3c687a2 100644 return exists; } hidden_def(selinuxfs_exists) +diff --git libselinux-2.5/src/label_file.c libselinux-2.5/src/label_file.c +index 071d902..c243c67 100644 +--- libselinux-2.5/src/label_file.c ++++ libselinux-2.5/src/label_file.c +@@ -10,7 +10,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -97,62 +96,42 @@ static int nodups_specs(struct saved_data *data, const char *path) + return rc; + } + +-static int load_mmap(struct selabel_handle *rec, const char *path, +- struct stat *sb, bool isbinary, +- struct selabel_digest *digest) ++static int process_text_file(FILE *fp, const char *prefix, ++ struct selabel_handle *rec, const char *path) ++{ ++ int rc; ++ size_t line_len; ++ unsigned int lineno = 0; ++ char *line_buf = NULL; ++ ++ while (getline(&line_buf, &line_len, fp) > 0) { ++ rc = process_line(rec, path, prefix, line_buf, ++lineno); ++ if (rc) ++ goto out; ++ } ++ rc = 0; ++out: ++ free(line_buf); ++ return rc; ++} ++ ++static int load_mmap(FILE *fp, size_t len, struct selabel_handle *rec, ++ const char *path) + { + struct saved_data *data = (struct saved_data *)rec->data; +- char mmap_path[PATH_MAX + 1]; +- int mmapfd; + int rc; +- struct stat mmap_stat; + char *addr, *str_buf; +- size_t len; + int *stem_map; + struct mmap_area *mmap_area; + uint32_t i, magic, version; + uint32_t entry_len, stem_map_len, regex_array_len; + +- if (isbinary) { +- len = strlen(path); +- if (len >= sizeof(mmap_path)) +- return -1; +- strcpy(mmap_path, path); +- } else { +- rc = snprintf(mmap_path, sizeof(mmap_path), "%s.bin", path); +- if (rc >= (int)sizeof(mmap_path)) +- return -1; +- } +- +- mmapfd = open(mmap_path, O_RDONLY | O_CLOEXEC); +- if (mmapfd < 0) +- return -1; +- +- rc = fstat(mmapfd, &mmap_stat); +- if (rc < 0) { +- close(mmapfd); +- return -1; +- } +- +- /* if mmap is old, ignore it */ +- if (mmap_stat.st_mtime < sb->st_mtime) { +- close(mmapfd); +- return -1; +- } +- +- /* ok, 
read it in... */ +- len = mmap_stat.st_size; +- len += (sysconf(_SC_PAGE_SIZE) - 1); +- len &= ~(sysconf(_SC_PAGE_SIZE) - 1); +- + mmap_area = malloc(sizeof(*mmap_area)); + if (!mmap_area) { +- close(mmapfd); + return -1; + } + +- addr = mmap(NULL, len, PROT_READ, MAP_PRIVATE, mmapfd, 0); +- close(mmapfd); ++ addr = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fileno(fp), 0); + if (addr == MAP_FAILED) { + free(mmap_area); + perror("mmap"); +@@ -227,7 +206,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path, + rc = next_entry(&stem_len, mmap_area, sizeof(uint32_t)); + if (rc < 0 || !stem_len) { + rc = -1; +- goto err; ++ goto out; + } + + /* Check for stem_len wrap around. */ +@@ -236,15 +215,15 @@ static int load_mmap(struct selabel_handle *rec, const char *path, + /* Check if over-run before null check. */ + rc = next_entry(NULL, mmap_area, (stem_len + 1)); + if (rc < 0) +- goto err; ++ goto out; + + if (buf[stem_len] != '\0') { + rc = -1; +- goto err; ++ goto out; + } + } else { + rc = -1; +- goto err; ++ goto out; + } + + /* store the mapping between old and new */ +@@ -253,7 +232,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path, + newid = store_stem(data, buf, stem_len); + if (newid < 0) { + rc = newid; +- goto err; ++ goto out; + } + data->stem_arr[newid].from_mmap = 1; + } +@@ -264,7 +243,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path, + rc = next_entry(®ex_array_len, mmap_area, sizeof(uint32_t)); + if (rc < 0 || !regex_array_len) { + rc = -1; +- goto err; ++ goto out; + } + + for (i = 0; i < regex_array_len; i++) { +@@ -274,7 +253,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path, + + rc = grow_specs(data); + if (rc < 0) +- goto err; ++ goto out; + + spec = &data->spec_arr[data->nspec]; + spec->from_mmap = 1; +@@ -284,30 +263,31 @@ static int load_mmap(struct selabel_handle *rec, const char *path, + rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t)); + if (rc < 0 || 
!entry_len) { + rc = -1; +- goto err; ++ goto out; + } + + str_buf = malloc(entry_len); + if (!str_buf) { + rc = -1; +- goto err; ++ goto out; + } + rc = next_entry(str_buf, mmap_area, entry_len); + if (rc < 0) +- goto err; ++ goto out; + + if (str_buf[entry_len - 1] != '\0') { + free(str_buf); + rc = -1; +- goto err; ++ goto out; + } + spec->lr.ctx_raw = str_buf; + + if (strcmp(spec->lr.ctx_raw, "<>") && rec->validating) { + if (selabel_validate(rec, &spec->lr) < 0) { + selinux_log(SELINUX_ERROR, +- "%s: context %s is invalid\n", mmap_path, spec->lr.ctx_raw); +- goto err; ++ "%s: context %s is invalid\n", ++ path, spec->lr.ctx_raw); ++ goto out; + } + } + +@@ -315,17 +295,17 @@ static int load_mmap(struct selabel_handle *rec, const char *path, + rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t)); + if (rc < 0 || !entry_len) { + rc = -1; +- goto err; ++ goto out; + } + + spec->regex_str = (char *)mmap_area->next_addr; + rc = next_entry(NULL, mmap_area, entry_len); + if (rc < 0) +- goto err; ++ goto out; + + if (spec->regex_str[entry_len - 1] != '\0') { + rc = -1; +- goto err; ++ goto out; + } + + /* Process mode */ +@@ -334,14 +314,14 @@ static int load_mmap(struct selabel_handle *rec, const char *path, + else + rc = next_entry(&mode, mmap_area, sizeof(mode_t)); + if (rc < 0) +- goto err; ++ goto out; + + spec->mode = mode; + + /* map the stem id from the mmap file to the data->stem_arr */ + rc = next_entry(&stem_id, mmap_area, sizeof(int32_t)); + if (rc < 0) +- goto err; ++ goto out; + + if (stem_id < 0 || stem_id >= (int32_t)stem_map_len) + spec->stem_id = -1; +@@ -351,7 +331,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path, + /* retrieve the hasMetaChars bit */ + rc = next_entry(&meta_chars, mmap_area, sizeof(uint32_t)); + if (rc < 0) +- goto err; ++ goto out; + + spec->hasMetaChars = meta_chars; + /* and prefix length for use by selabel_lookup_best_match */ +@@ -359,7 +339,7 @@ static int load_mmap(struct selabel_handle *rec, const 
char *path, + rc = next_entry(&prefix_len, mmap_area, + sizeof(uint32_t)); + if (rc < 0) +- goto err; ++ goto out; + + spec->prefix_len = prefix_len; + } +@@ -368,143 +348,207 @@ static int load_mmap(struct selabel_handle *rec, const char *path, + rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t)); + if (rc < 0 || !entry_len) { + rc = -1; +- goto err; ++ goto out; + } + spec->regex = (pcre *)mmap_area->next_addr; + rc = next_entry(NULL, mmap_area, entry_len); + if (rc < 0) +- goto err; ++ goto out; + + /* Check that regex lengths match. pcre_fullinfo() + * also validates its magic number. */ + rc = pcre_fullinfo(spec->regex, NULL, PCRE_INFO_SIZE, &len); + if (rc < 0 || len != entry_len) { + rc = -1; +- goto err; ++ goto out; + } + + rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t)); + if (rc < 0 || !entry_len) { + rc = -1; +- goto err; ++ goto out; + } +- spec->lsd.study_data = (void *)mmap_area->next_addr; +- spec->lsd.flags |= PCRE_EXTRA_STUDY_DATA; +- rc = next_entry(NULL, mmap_area, entry_len); +- if (rc < 0) +- goto err; + +- /* Check that study data lengths match. */ +- rc = pcre_fullinfo(spec->regex, &spec->lsd, +- PCRE_INFO_STUDYSIZE, &len); +- if (rc < 0 || len != entry_len) { +- rc = -1; +- goto err; ++ if (entry_len) { ++ spec->lsd.study_data = (void *)mmap_area->next_addr; ++ spec->lsd.flags |= PCRE_EXTRA_STUDY_DATA; ++ rc = next_entry(NULL, mmap_area, entry_len); ++ if (rc < 0) ++ goto out; ++ ++ /* Check that study data lengths match. 
*/ ++ rc = pcre_fullinfo(spec->regex, &spec->lsd, ++ PCRE_INFO_STUDYSIZE, &len); ++ if (rc < 0 || len != entry_len) { ++ rc = -1; ++ goto out; ++ } + } + + data->nspec++; + } + +- rc = digest_add_specfile(digest, NULL, addr, mmap_stat.st_size, +- mmap_path); +- if (rc) +- goto err; +- +-err: ++ rc = 0; ++out: + free(stem_map); + + return rc; + } + +-static int process_file(const char *path, const char *suffix, +- struct selabel_handle *rec, +- const char *prefix, struct selabel_digest *digest) +-{ +- FILE *fp; ++struct file_details { ++ const char *suffix; + struct stat sb; +- unsigned int lineno; +- size_t line_len = 0; +- char *line_buf = NULL; +- int rc; +- char stack_path[PATH_MAX + 1]; +- bool isbinary = false; ++}; ++ ++static char *rolling_append(char *current, const char *suffix, size_t max) ++{ ++ size_t size; ++ size_t suffix_size; ++ size_t current_size; ++ ++ if (!suffix) ++ return current; ++ ++ current_size = strlen(current); ++ suffix_size = strlen(suffix); ++ ++ size = current_size + suffix_size; ++ if (size < current_size || size < suffix_size) ++ return NULL; ++ ++ /* ensure space for the '.' and the '\0' characters. 
*/ ++ if (size >= (SIZE_MAX - 2)) ++ return NULL; ++ ++ size += 2; ++ ++ if (size > max) ++ return NULL; ++ ++ /* Append any given suffix */ ++ char *to = current + current_size; ++ *to++ = '.'; ++ strcpy(to, suffix); ++ ++ return current; ++} ++ ++static bool fcontext_is_binary(FILE *fp) ++{ + uint32_t magic; + +- /* append the path suffix if we have one */ +- if (suffix) { +- rc = snprintf(stack_path, sizeof(stack_path), +- "%s.%s", path, suffix); +- if (rc >= (int)sizeof(stack_path)) { +- errno = ENAMETOOLONG; +- return -1; +- } +- path = stack_path; ++ size_t len = fread(&magic, sizeof(magic), 1, fp); ++ rewind(fp); ++ ++ return (len && (magic == SELINUX_MAGIC_COMPILED_FCONTEXT)); ++} ++ ++#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) ++ ++static FILE *open_file(const char *path, const char *suffix, ++ char *save_path, size_t len, struct stat *sb, bool open_oldest) ++{ ++ unsigned int i; ++ int rc; ++ char stack_path[len]; ++ struct file_details *found = NULL; ++ ++ /* ++ * Rolling append of suffix. Try to open with path.suffix then the ++ * next as path.suffix.suffix and so forth. ++ */ ++ struct file_details fdetails[2] = { ++ { .suffix = suffix }, ++ { .suffix = "bin" } ++ }; ++ ++ rc = snprintf(stack_path, sizeof(stack_path), "%s", path); ++ if (rc >= (int) sizeof(stack_path)) { ++ errno = ENAMETOOLONG; ++ return NULL; + } + +- /* Open the specification file. 
*/ +- fp = fopen(path, "r"); +- if (fp) { +- __fsetlocking(fp, FSETLOCKING_BYCALLER); ++ for (i = 0; i < ARRAY_SIZE(fdetails); i++) { + +- if (fstat(fileno(fp), &sb) < 0) +- return -1; +- if (!S_ISREG(sb.st_mode)) { +- errno = EINVAL; +- return -1; +- } ++ /* This handles the case if suffix is null */ ++ path = rolling_append(stack_path, fdetails[i].suffix, ++ sizeof(stack_path)); ++ if (!path) ++ return NULL; + +- magic = 0; +- if (fread(&magic, sizeof magic, 1, fp) != 1) { +- if (ferror(fp)) { +- errno = EINVAL; +- fclose(fp); +- return -1; +- } +- clearerr(fp); +- } ++ rc = stat(path, &fdetails[i].sb); ++ if (rc) ++ continue; + +- if (magic == SELINUX_MAGIC_COMPILED_FCONTEXT) { +- /* file_contexts.bin format */ +- fclose(fp); +- fp = NULL; +- isbinary = true; +- } else { +- rewind(fp); ++ /* first file thing found, just take it */ ++ if (!found) { ++ strcpy(save_path, path); ++ found = &fdetails[i]; ++ continue; + } +- } else { ++ + /* +- * Text file does not exist, so clear the timestamp +- * so that we will always pass the timestamp comparison +- * with the bin file in load_mmap(). ++ * Keep picking the newest file found. Where "newest" ++ * includes equality. This provides a precedence on ++ * secondary suffixes even when the timestamp is the ++ * same. Ie choose file_contexts.bin over file_contexts ++ * even if the time stamp is the same. Invert this logic ++ * on open_oldest set to true. The idea is that if the ++ * newest file failed to process, we can attempt to ++ * process the oldest. The logic here is subtle and depends ++ * on the array ordering in fdetails for the case when time ++ * stamps are the same. 
+ */ +- sb.st_mtime = 0; ++ if (open_oldest ^ ++ (fdetails[i].sb.st_mtime >= found->sb.st_mtime)) { ++ found = &fdetails[i]; ++ strcpy(save_path, path); ++ } + } + +- rc = load_mmap(rec, path, &sb, isbinary, digest); +- if (rc == 0) +- goto out; ++ if (!found) { ++ errno = ENOENT; ++ return NULL; ++ } ++ ++ memcpy(sb, &found->sb, sizeof(*sb)); ++ return fopen(save_path, "r"); ++} + +- if (!fp) +- return -1; /* no text or bin file */ ++static int process_file(const char *path, const char *suffix, ++ struct selabel_handle *rec, ++ const char *prefix, struct selabel_digest *digest) ++{ ++ int rc; ++ unsigned int i; ++ struct stat sb; ++ FILE *fp = NULL; ++ char found_path[PATH_MAX]; + + /* +- * Then do detailed validation of the input and fill the spec array ++ * On the first pass open the newest modified file. If it fails to ++ * process, then the second pass shall open the oldest file. If both ++ * passes fail, then it's a fatal error. + */ +- lineno = 0; +- rc = 0; +- while (getline(&line_buf, &line_len, fp) > 0) { +- rc = process_line(rec, path, prefix, line_buf, ++lineno); +- if (rc) +- goto out; +- } ++ for (i = 0; i < 2; i++) { ++ fp = open_file(path, suffix, found_path, sizeof(found_path), ++ &sb, i > 0); ++ if (fp == NULL) ++ return -1; + +- rc = digest_add_specfile(digest, fp, NULL, sb.st_size, path); ++ rc = fcontext_is_binary(fp) ? 
++ load_mmap(fp, sb.st_size, rec, found_path) : ++ process_text_file(fp, prefix, rec, found_path); ++ if (!rc) ++ rc = digest_add_specfile(digest, fp, NULL, sb.st_size, ++ found_path); + +-out: +- free(line_buf); +- if (fp) + fclose(fp); +- return rc; ++ ++ if (!rc) ++ return 0; ++ } ++ return -1; + } + + static void closef(struct selabel_handle *rec); +diff --git libselinux-2.5/src/label_file.h libselinux-2.5/src/label_file.h +index 72fed1f..6d1e890 100644 +--- libselinux-2.5/src/label_file.h ++++ libselinux-2.5/src/label_file.h +@@ -80,9 +80,12 @@ struct saved_data { + + static inline pcre_extra *get_pcre_extra(struct spec *spec) + { +- if (spec->from_mmap) +- return &spec->lsd; +- else ++ if (spec->from_mmap) { ++ if (spec->lsd.study_data) ++ return &spec->lsd; ++ else ++ return NULL; ++ } else + return spec->sd; + } + +diff --git libselinux-2.5/src/label_internal.h libselinux-2.5/src/label_internal.h +index aa48fff..0827ef6 100644 +--- libselinux-2.5/src/label_internal.h ++++ libselinux-2.5/src/label_internal.h +@@ -124,7 +124,7 @@ selabel_validate(struct selabel_handle *rec, + */ + extern int myprintf_compat; + extern void __attribute__ ((format(printf, 1, 2))) +-(*myprintf) (const char *fmt, ...); ++(*myprintf) (const char *fmt, ...) hidden; + + #define COMPAT_LOG(type, fmt...) if (myprintf_compat) \ + myprintf(fmt); \ diff --git libselinux-2.5/src/load_policy.c libselinux-2.5/src/load_policy.c index 21ee58b..4f39fc7 100644 --- libselinux-2.5/src/load_policy.c 
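Review bot: open_file drops the `fstat(fileno(fp), &sb)` / `S_ISREG` check that the removed process_file body performed on the opened stream and instead does `stat(path, ...)` before `fopen(save_path, "r")`, so a non-regular file is no longer rejected with EINVAL and the sb handed back describes whatever was at that path before the open, not the file now held. process_file then passes that `sb.st_size` to load_mmap as the mmap length and to digest_add_specfile, so a file replaced between the two calls yields a mapping whose length does not match the open stream. The fstat belongs after the fopen in open_file (a `FILE *fp` local is needed), as sketched below. Separately, as rendered here load_mmap still runs `if (rc < 0 || !entry_len)` directly before the new `if (entry_len)` block, so that guard is unreachable and a compiled file carrying the zero-length study entry that the updated sefcontext_compile now writes is rejected; if the collapsed rendering lost a change to that condition, disregard this last point.
```c
	/* … unchanged: suffix loop selecting the newest/oldest candidate … */
	if (!found) {
		errno = ENOENT;
		return NULL;
	}

	fp = fopen(save_path, "r");
	if (!fp)
		return NULL;

	/* stat() above raced with fopen(); describe the file actually opened */
	if (fstat(fileno(fp), sb) < 0 || !S_ISREG(sb->st_mode)) {
		fclose(fp);
		errno = EINVAL;
		return NULL;
	}
	return fp;
```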
@@ -1065,6 +1694,25 @@ index 5b495a0..a2f2c3e 100644 rc = lgetfilecon_raw(path, &con); if (rc == -1) { +diff --git libselinux-2.5/src/policy.h libselinux-2.5/src/policy.h +index bf270b5..f6d7242 100644 +--- libselinux-2.5/src/policy.h ++++ libselinux-2.5/src/policy.h +@@ -3,8 +3,13 @@ + + /* Private definitions used internally by libselinux. */ + +-/* xattr name for SELinux attributes. */ ++/* ++ * xattr name for SELinux attributes. ++ * This may have been exported via Kernel uapi header. ++ */ ++#ifndef XATTR_NAME_SELINUX + #define XATTR_NAME_SELINUX "security.selinux" ++#endif + + /* Initial length guess for getting contexts. */ + #define INITCONTEXTLEN 255 diff --git libselinux-2.5/src/procattr.c libselinux-2.5/src/procattr.c index 527a0a5..eee4612 100644 --- libselinux-2.5/src/procattr.c @@ -1116,20 +1764,35 @@ index 527a0a5..eee4612 100644 all_selfattr_def(con, current) diff --git libselinux-2.5/src/selinux_config.c libselinux-2.5/src/selinux_config.c -index bec5f3b..c519a77 100644 +index bec5f3b..88bcc85 100644 --- libselinux-2.5/src/selinux_config.c +++ libselinux-2.5/src/selinux_config.c -@@ -50,7 +50,8 @@ +@@ -50,7 +50,9 @@ #define BOOLEAN_SUBS 27 #define OPENSSH_CONTEXTS 28 #define SYSTEMD_CONTEXTS 29 -#define NEL 30 +#define SNAPPERD_CONTEXTS 30 -+#define NEL 31 ++#define OPENRC_CONTEXTS 31 ++#define NEL 32 /* Part of one-time lazy init */ static pthread_once_t once = PTHREAD_ONCE_INIT; -@@ -499,6 +500,13 @@ const char *selinux_openssh_contexts_path(void) +@@ -492,6 +494,13 @@ const char *selinux_lxc_contexts_path(void) + + hidden_def(selinux_lxc_contexts_path) + ++const char *selinux_openrc_contexts_path(void) ++{ ++ return get_path(OPENRC_CONTEXTS); ++} ++ ++hidden_def(selinux_openrc_contexts_path) ++ + const char *selinux_openssh_contexts_path(void) + { + return get_path(OPENSSH_CONTEXTS); +@@ -499,6 +508,13 @@ const char *selinux_openssh_contexts_path(void) hidden_def(selinux_openssh_contexts_path) 
@@ -1144,12 +1807,14 @@ index bec5f3b..c519a77 100644 { return get_path(SYSTEMD_CONTEXTS); diff --git libselinux-2.5/src/selinux_internal.h libselinux-2.5/src/selinux_internal.h -index 46566f6..9b9145c 100644 +index 46566f6..3d5c9fb 100644 --- libselinux-2.5/src/selinux_internal.h +++ libselinux-2.5/src/selinux_internal.h -@@ -84,6 +84,7 @@ hidden_proto(selinux_mkload_policy) +@@ -83,7 +83,9 @@ hidden_proto(selinux_mkload_policy) + hidden_proto(selinux_media_context_path) hidden_proto(selinux_x_context_path) hidden_proto(selinux_sepgsql_context_path) ++ hidden_proto(selinux_openrc_contexts_path) hidden_proto(selinux_openssh_contexts_path) + hidden_proto(selinux_snapperd_contexts_path) hidden_proto(selinux_systemd_contexts_path) 
@@ -1191,3 +1856,63 @@ index 060eaab..ed3bf0b 100644 selinuxenabled selinuxexeccon setenforce +diff --git libselinux-2.5/utils/Makefile libselinux-2.5/utils/Makefile +index cf7af52..8497cb4 100644 +--- libselinux-2.5/utils/Makefile ++++ libselinux-2.5/utils/Makefile +@@ -3,6 +3,7 @@ PREFIX ?= $(DESTDIR)/usr + LIBDIR ?= $(PREFIX)/lib + USRBINDIR ?= $(PREFIX)/sbin + SBINDIR ?= $(DESTDIR)/sbin ++INCLUDEDIR ?= $(PREFIX)/include + + MAX_STACK_SIZE=8192 + CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissing-include-dirs \ +@@ -23,7 +24,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi + -fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \ + -fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \ + -Werror -Wno-aggregate-return -Wno-redundant-decls +-override CFLAGS += -I../include -D_GNU_SOURCE $(EMFLAGS) ++override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) + LDLIBS += -L../src -lselinux -L$(LIBDIR) + + TARGETS=$(patsubst %.c,%,$(wildcard *.c)) +diff --git libselinux-2.5/utils/sefcontext_compile.c libselinux-2.5/utils/sefcontext_compile.c +index d2578b6..fd6fb78 100644 +--- libselinux-2.5/utils/sefcontext_compile.c ++++ libselinux-2.5/utils/sefcontext_compile.c +@@ -228,10 +228,13 @@ static int write_binary_file(struct saved_data *data, int fd) + if (len != to_write) + goto err; + +- /* determine the size of the pcre study info */ +- rc = pcre_fullinfo(re, sd, PCRE_INFO_STUDYSIZE, &size); +- if (rc < 0) +- goto err; ++ if (sd) { ++ /* determine the size of the pcre study info */ ++ rc = pcre_fullinfo(re, sd, PCRE_INFO_STUDYSIZE, &size); ++ if (rc < 0) ++ goto err; ++ } else ++ size = 0; + + /* write the number of bytes in the pcre study data */ + to_write = size; +@@ -239,10 +242,12 @@ static int write_binary_file(struct saved_data *data, int fd) + if (len != 1) + goto err; + +- /* write the actual pcre study data as a char array */ +- len = 
fwrite(sd->study_data, 1, to_write, bin_file); +- if (len != to_write) +- goto err; ++ if (sd) { ++ /* write the actual pcre study data as a char array */ ++ len = fwrite(sd->study_data, 1, to_write, bin_file); ++ if (len != to_write) ++ goto err; ++ } + } + + rc = 0; diff --git a/libselinux.spec b/libselinux.spec index 4fdd4b1..fbccaea 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -3,13 +3,13 @@ %endif %define ruby_inc %(pkg-config --cflags ruby) -%define libsepolver 2.5-9 +%define libsepolver 2.5-10 %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} Summary: SELinux library and simple utilities Name: libselinux Version: 2.5 -Release: 11%{?dist} +Release: 12%{?dist} License: Public Domain Group: System Environment/Libraries # https://github.com/SELinuxProject/selinux/wiki/Releases @@ -20,7 +20,7 @@ Url: https://github.com/SELinuxProject/selinux/wiki # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: # $ VERSION=2.5 ./make-fedora-selinux-patch.sh libselinux -# HEAD https://github.com/fedora-selinux/selinux/commit/9eb71873eb6e6073228257abbeb42f61b2719336 +# HEAD https://github.com/fedora-selinux/selinux/commit/caefad506ca46db441952ab64ebfc6202897516b Patch1: libselinux-fedora.patch BuildRequires: pkgconfig python python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel %if 0%{?with_python3} 
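Review bot: In write_binary_file the new `} else` followed by an unbraced `size = 0;` sits next to a fully braced `if (sd) { ... }` branch; for consistency with the rest of the function write `} else {` / `size = 0;` / `}`. The second `if (sd)` guard around the fwrite is consistent with the zero `to_write` that the first branch produces, so no further change is needed there. write_binary_file starts and ends outside the hunk.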
@@ -256,6 +256,18 @@ rm -rf %{buildroot} %{ruby_vendorarchdir}/selinux.so %changelog +* Mon Oct 03 2016 Petr Lautrbach 2.5-12 +- Fix -Wsign-compare warnings +- Drop unused stdio_ext.h header file +- Kill logging check for selinux_enabled() +- Drop usage of _D_ALLOC_NAMLEN +- Add openrc_contexts functions +- Fix redefinition of XATTR_NAME_SELINUX +- Correct error path to always try text +- Clean up process_file() +- Handle NULL pcre study data +- Fix in tree compilation of utils that depend on libsepol + * Mon Aug 01 2016 Petr Lautrbach 2.5-11 - Rebuilt with libsepol-2.5-9