From cc63ca70add906fae0455684abd05c80c74ffe7a Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 01 2004 01:31:34 +0000 Subject: - Upgrade to upstream --- diff --git a/.cvsignore b/.cvsignore index 1fdec9f..3670511 100644 --- a/.cvsignore +++ b/.cvsignore @@ -8,3 +8,4 @@ libselinux-1.17.15.tgz libselinux-1.17.16.tgz libselinux-1.18.1.tgz libselinux-1.19.1.tgz +libselinux-1.19.2.tgz diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch index 2489bc4..4ced1ca 100644 --- a/libselinux-rhat.patch +++ b/libselinux-rhat.patch @@ -1,6 +1,5 @@ -diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.19.1/include/selinux/selinux.h ---- nsalibselinux/include/selinux/selinux.h 2004-10-20 16:31:36.000000000 -0400 -+++ libselinux-1.19.1/include/selinux/selinux.h 2004-11-18 15:27:00.994561786 -0500 +--- libselinux-1.19.1/include/selinux/selinux.h.rhat 2004-11-09 09:14:24.000000000 -0500 ++++ libselinux-1.19.1/include/selinux/selinux.h 2004-11-19 11:21:37.514236820 -0500 @@ -176,7 +176,7 @@ /* Match the specified media and against the media contexts configuration and set *con to refer to the resulting context. 
@@ -10,116 +9,277 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h lib security_context_t *con); /* -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/checkPasswdAccess.3 libselinux-1.19.1/man/man3/checkPasswdAccess.3 ---- nsalibselinux/man/man3/checkPasswdAccess.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/checkPasswdAccess.3 2004-11-18 15:27:00.995561673 -0500 -@@ -0,0 +1 @@ -+.so man3/security_compute_av.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_free.3 libselinux-1.19.1/man/man3/context_free.3 ---- nsalibselinux/man/man3/context_free.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/context_free.3 2004-11-18 15:27:00.996561560 -0500 -@@ -0,0 +1 @@ -+.so man3/context_new.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_new.3 libselinux-1.19.1/man/man3/context_new.3 ---- nsalibselinux/man/man3/context_new.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/context_new.3 2004-11-18 15:27:00.997561447 -0500 -@@ -0,0 +1,53 @@ -+.TH "context_new" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API documentation" -+.SH "NAME" -+context_new, context_str, context_free, context_type_get, context_type_set, context_range_get, context_range_set,context_role_get, context_role_set, context_user_get, context_user_set \- Routines to manipulate SELinux security contexts +--- libselinux-1.19.1/utils/setsebool.c.rhat 2004-11-09 09:14:24.000000000 -0500 ++++ libselinux-1.19.1/utils/setsebool.c 2004-11-19 11:21:37.560231630 -0500 +@@ -35,6 +35,8 @@ + + if (strcmp(argv[1], "-P") == 0) { + permanent = 1; ++ if (argc < 3) ++ usage(); + start = 2; + } + else +--- libselinux-1.19.1/utils/getsebool.c.rhat 2004-11-09 09:14:24.000000000 -0500 ++++ libselinux-1.19.1/utils/getsebool.c 2004-11-19 11:21:37.559231743 -0500 +@@ -83,8 +83,14 @@ + rc = -1; + goto out; + } +- printf("%s --> active: %d pending: %d\n", names[i], +- active, 
pending); ++ if (pending != active) { ++ printf("%s --> %s pending: %s\n", names[i], ++ ( active ? "active" : "inactive"), ++ ( pending ? "active" : "inactive")); ++ } else { ++ printf("%s --> %s\n", names[i], ++ ( active ? "active" : "inactive")); ++ } + } + + out: +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/utils/avcstat.c 2004-11-19 11:21:37.558231856 -0500 +@@ -0,0 +1,224 @@ ++/* ++ * avcstat - Display SELinux avc statistics. ++ * ++ * Copyright (C) 2004 Red Hat, Inc., James Morris ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2, ++ * as published by the Free Software Foundation. ++ * ++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include + -+.SH "SYNOPSIS" -+.B #include -+.br -+.B "context_t context_new(const char *" context_str ); -+.br -+.B "const char * context_str(context_t " con ); -+.br -+.B "void context_free(context_t " con ); -+.br -+.B "const char * context_type_get(context_t " con ); -+.br -+.B "const char * context_range_get(context_t " con ); -+.br -+.B "const char * context_role_get(context_t " con ); -+.br -+.B "const char * context_user_get(context_t " con ); -+.br -+.B "const char * context_type_set(context_t " con ", const char* " type); -+.br -+.B "const char * context_range_set(context_t " con ", const char* " range); -+.br -+.B "const char * context_role_set(context_t " con ", const char* " role ); -+.br -+.B "const char * context_user_set(context_t " con ", const char* " user ); ++#define DEF_STAT_FILE "/avc/cache_stats" ++#define DEF_BUF_SIZE 8192 ++#define HEADERS "lookups hits misses allocations reclaims frees" + -+.SH "DESCRIPTION" -+ Functions to deal with security contexts in user space. 
++struct avc_cache_stats { ++ unsigned int lookups; ++ unsigned int hits; ++ unsigned int misses; ++ unsigned int allocations; ++ unsigned int reclaims; ++ unsigned int frees; ++}; + -+context_new -+ Return a new context initialized to a context string ++static int interval; ++static int rows; ++static char *progname; ++static char buf[DEF_BUF_SIZE]; + -+context_str -+Return a pointer to the string value of the context_t -+Valid until the next call to context_str or context_free -+for the same context_t* ++/* selinuxfs mount point */ ++extern char *selinux_mnt; + -+context_free -+Free the storage used by a context + -+context_type_get, context_range_get, context_role_get, context_user_get -+Get a pointer to the string value of a context component ++static void die(const char *msg, ...) ++{ ++ va_list args; ++ ++ fputs("ERROR: ", stderr); ++ ++ va_start(args, msg); ++ vfprintf(stderr, msg, args); ++ va_end(args); ++ ++ if (errno) ++ fprintf(stderr, ": %s", strerror(errno)); ++ ++ fputc('\n', stderr); ++ exit(1); ++} + -+context_type_set, context_range_set, context_role_set, context_user_set -+Set a context component ++static void usage(void) ++{ ++ printf("\nUsage: %s [-c] [-f status_file] [interval]\n\n", progname); ++ printf("Display SELinux AVC statistics. If the interval parameter is specified, the\n"); ++ printf("program will loop, displaying updated statistics every \'interval\' seconds.\n"); ++ printf("Relative values are displayed by default. Use the -c option to specify the\n"); ++ printf("display of cumulative values. The -f option specifies the location of the\n"); ++ printf("AVC statistics file, defaulting to \'%s\%s\'.\n\n", selinux_mnt, DEF_STAT_FILE); ++} + -+.SH "RETURN VALUE" -+On success, zero is returned. On failure, -1 is returned and errno is -+set appropriately. 
++static void set_window_rows(void) ++{ ++ int ret; ++ struct winsize ws; ++ ++ ret = ioctl(fileno(stdout), TIOCGWINSZ, &ws); ++ if (ret < 0 || ws.ws_row < 3) ++ ws.ws_row = 24; ++ rows = ws.ws_row; ++} + -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_range_get.3 libselinux-1.19.1/man/man3/context_range_get.3 ---- nsalibselinux/man/man3/context_range_get.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/context_range_get.3 2004-11-18 15:27:00.998561335 -0500 -@@ -0,0 +1 @@ -+.so man3/context_new.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_range_set.3 libselinux-1.19.1/man/man3/context_range_set.3 ---- nsalibselinux/man/man3/context_range_set.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/context_range_set.3 2004-11-18 15:27:00.999561222 -0500 -@@ -0,0 +1 @@ -+.so man3/context_new.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_role_get.3 libselinux-1.19.1/man/man3/context_role_get.3 ---- nsalibselinux/man/man3/context_role_get.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/context_role_get.3 2004-11-18 15:27:01.035557160 -0500 -@@ -0,0 +1 @@ -+.so man3/context_new.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_role_set.3 libselinux-1.19.1/man/man3/context_role_set.3 ---- nsalibselinux/man/man3/context_role_set.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/context_role_set.3 2004-11-18 15:27:01.036557048 -0500 -@@ -0,0 +1 @@ -+.so man3/context_new.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_type_get.3 libselinux-1.19.1/man/man3/context_type_get.3 ---- nsalibselinux/man/man3/context_type_get.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/context_type_get.3 2004-11-18 15:27:01.037556935 -0500 -@@ -0,0 +1 @@ -+.so man3/context_new.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_type_set.3 
libselinux-1.19.1/man/man3/context_type_set.3 ---- nsalibselinux/man/man3/context_type_set.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/context_type_set.3 2004-11-18 15:27:01.038556822 -0500 ++static void sighandler(int num) ++{ ++ if (num == SIGWINCH) ++ set_window_rows(); ++} ++ ++int main(int argc, char **argv) ++{ ++ int fd, i, cumulative = 0; ++ struct sigaction sa; ++ char avcstatfile[PATH_MAX]; ++ snprintf(avcstatfile, sizeof avcstatfile, "%s%s", selinux_mnt, DEF_STAT_FILE); ++ progname = basename(argv[0]); ++ ++ while((i = getopt(argc, argv, "cf:h?-")) != -1) { ++ switch (i) { ++ case 'c': ++ cumulative = 1; ++ break; ++ case 'f': ++ strncpy(avcstatfile, optarg, sizeof avcstatfile); ++ break; ++ case 'h': ++ case '-': ++ usage(); ++ exit(0); ++ default: ++ usage(); ++ die("unrecognized parameter", i); ++ } ++ } ++ ++ if (optind < argc) { ++ char *arg = argv[optind]; ++ unsigned int n = strtoul(arg, NULL, 10); ++ ++ if (errno == ERANGE) { ++ usage(); ++ die("invalid interval \'%s\'", arg); ++ } ++ if (n == 0) { ++ usage(); ++ exit (0); ++ } ++ interval = n; ++ } ++ ++ sa.sa_handler = sighandler; ++ sa.sa_flags = SA_RESTART; ++ ++ i = sigaction(SIGWINCH, &sa, NULL); ++ if (i < 0) ++ die("sigaction"); ++ ++ set_window_rows(); ++ fd = open(avcstatfile, O_RDONLY); ++ if (fd < 0) ++ die("open: \'%s\'", avcstatfile); ++ ++ for (i = 0;; i++) { ++ char *line; ++ ssize_t ret, parsed = 0; ++ struct avc_cache_stats tot, rel, last; ++ ++ memset(buf, 0, DEF_BUF_SIZE); ++ ret = read(fd, buf, DEF_BUF_SIZE); ++ if (ret < 0) ++ die("read"); ++ ++ if (ret == 0) ++ die("read: \'%s\': unexpected end of file", avcstatfile); ++ ++ line = strtok(buf, "\n"); ++ if (!line) ++ die("unable to parse \'%s\': end of line not found", avcstatfile); ++ ++ if (strcmp(line, HEADERS)) ++ die("unable to parse \'%s\': invalid headers", avcstatfile); ++ ++ if (!i || !(i % (rows - 2))) ++ printf("%10s %10s %10s %10s %10s %10s\n", "lookups", ++ "hits", "misses", "allocs", 
"reclaims", "frees"); ++ ++ memset(&tot, 0, sizeof(tot)); ++ ++ while ((line = strtok(NULL, "\n"))) { ++ struct avc_cache_stats tmp; ++ ++ ret = sscanf(line, "%u %u %u %u %u %u", ++ &tmp.lookups, ++ &tmp.hits, ++ &tmp.misses, ++ &tmp.allocations, ++ &tmp.reclaims, ++ &tmp.frees); ++ if (ret != 6) ++ die("unable to parse \'%s\': scan error", avcstatfile); ++ ++ tot.lookups += tmp.lookups; ++ tot.hits += tmp.hits; ++ tot.misses += tmp.misses; ++ tot.allocations += tmp.allocations; ++ tot.reclaims += tmp.reclaims; ++ tot.frees += tmp.frees; ++ parsed = 1; ++ } ++ ++ if (!parsed) ++ die("unable to parse \'%s\': no data", avcstatfile); ++ ++ if (cumulative || (!cumulative && !i)) ++ printf("%10u %10u %10u %10u %10u %10u\n", ++ tot.lookups, tot.hits, tot.misses, ++ tot.allocations, tot.reclaims, tot.frees); ++ else { ++ rel.lookups = tot.lookups - last.lookups; ++ rel.hits = tot.hits - last.hits; ++ rel.misses = tot.misses - last.misses; ++ rel.allocations = tot.allocations - last.allocations; ++ rel.reclaims = tot.reclaims - last.reclaims; ++ rel.frees = tot.frees - last.frees; ++ printf("%10u %10u %10u %10u %10u %10u\n", ++ rel.lookups, rel.hits, rel.misses, ++ rel.allocations, rel.reclaims, rel.frees); ++ } ++ ++ if (!interval) ++ break; ++ ++ memcpy(&last, &tot, sizeof(last)); ++ sleep(interval); ++ ++ ret = lseek(fd, 0, 0); ++ if (ret < 0) ++ die("lseek"); ++ } ++ ++ close(fd); ++ return 0; ++} +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/rpm_execcon.3 2004-11-19 11:21:37.534234563 -0500 
@@ -0,0 +1 @@ -+.so man3/context_new.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_user_get.3 libselinux-1.19.1/man/man3/context_user_get.3 ---- nsalibselinux/man/man3/context_user_get.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/context_user_get.3 2004-11-18 15:27:01.040556596 -0500 ++.so man3/getexeccon.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/selinux_media_context_path.3 2004-11-19 11:21:37.551232645 -0500 @@ -0,0 +1 @@ -+.so man3/context_new.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_user_set.3 libselinux-1.19.1/man/man3/context_user_set.3 ---- nsalibselinux/man/man3/context_user_set.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/context_user_set.3 2004-11-18 15:27:01.041556483 -0500 ++.so man3/selinux_binary_policy_path.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/context_user_get.3 2004-11-19 11:21:37.524235691 -0500 @@ -0,0 +1 @@ +.so man3/context_new.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/getcon.3 libselinux-1.19.1/man/man3/getcon.3 ---- nsalibselinux/man/man3/getcon.3 2004-10-20 16:31:36.000000000 -0400 -+++ libselinux-1.19.1/man/man3/getcon.3 2004-11-18 15:27:01.042556371 -0500 +--- libselinux-1.19.1/man/man3/getcon.3.rhat 2004-11-09 09:14:24.000000000 -0500 ++++ libselinux-1.19.1/man/man3/getcon.3 2004-11-19 11:21:37.526235466 -0500 @@ -8,7 +8,9 @@ .br .BI "int getprevcon(security_context_t *" context ); 
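Review bot: In the new avcstat.c main() loop, `struct avc_cache_stats tot, rel, last;` is declared inside the `for (i = 0;; i++)` body, so the `memcpy(&last, &tot, sizeof(last));` at the end of each pass writes to a variable that goes out of scope and every later non-cumulative pass subtracts an uninitialized `last` — the "relative" numbers are undefined rather than deltas; hoist the declaration above the loop as `struct avc_cache_stats tot, rel, last = {0};`. In the same function `struct sigaction sa;` is handed to sigaction() with `sa_mask` never set; add `sigemptyset(&sa.sa_mask);` next to `sa.sa_flags = SA_RESTART;`. The `-f` case copies the user-supplied path with `strncpy(avcstatfile, optarg, sizeof avcstatfile);`, which leaves avcstatfile unterminated when optarg is PATH_MAX bytes or longer and it is then read by open() and by the `%s` in die(); `snprintf(avcstatfile, sizeof avcstatfile, "%s", optarg);` always terminates (and its return value can be checked for truncation). The interval parsing never clears `errno` before `strtoul(arg, NULL, 10)`, so the `errno == ERANGE` test can fire on a stale value and non-numeric input silently falls into the `n == 0` usage path; set `errno = 0;` and check an end pointer (`end == arg || *end != '\0'`). Two smaller nits in the same hunk: `die("unrecognized parameter", i);` passes an argument the format string never consumes, and the usage() line `defaulting to \'%s\%s\'` contains the non-standard escape `\%`, which should be a plain `%s%s`.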
@@ -141,151 +301,220 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/getcon.3 libselinux- .SH "RETURN VALUE" On error -1 is returned. On success 0 is returned. -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/get_default_context_with_role.3 libselinux-1.19.1/man/man3/get_default_context_with_role.3 ---- nsalibselinux/man/man3/get_default_context_with_role.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/get_default_context_with_role.3 2004-11-18 15:27:01.043556258 -0500 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/context_user_set.3 2004-11-19 11:21:37.525235579 -0500 
@@ -0,0 +1 @@ -+.so man3/get_ordered_context_list.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/getexeccon.3 libselinux-1.19.1/man/man3/getexeccon.3 ---- nsalibselinux/man/man3/getexeccon.3 2004-10-20 16:31:36.000000000 -0400 -+++ libselinux-1.19.1/man/man3/getexeccon.3 2004-11-18 15:27:01.044556145 -0500 -@@ -8,6 +8,8 @@ - .BI "int getexeccon(security_context_t *" context ); - .br - .BI "int setexeccon(security_context_t "context ); -+.br -+.BI "int rpm_execcon(unsigned int " verified ", const char *" filename ", char *const " argv "[] , char *const " envp "[]); - - .SH "DESCRIPTION" - .B getexeccon -@@ -31,6 +33,11 @@ - - Note: Signal handlers that perform an execve must take care to - save, reset, and restore the exec context to avoid unexpected behaviors. -+.br -+ -+.B rpm_execcon -+Execute a helper for rpm in an appropriate security context. -+ - .SH "RETURN VALUE" - On error -1 is returned. - -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/get_ordered_context_list.3 libselinux-1.19.1/man/man3/get_ordered_context_list.3 ---- nsalibselinux/man/man3/get_ordered_context_list.3 2004-10-20 16:31:36.000000000 -0400 -+++ libselinux-1.19.1/man/man3/get_ordered_context_list.3 2004-11-18 15:27:01.045556032 -0500 ++.so man3/context_new.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/getpeercon.3 2004-11-19 11:21:37.530235014 -0500 +@@ -0,0 +1 @@ ++.so man3/getcon.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/context_type_set.3 2004-11-19 11:21:37.523235804 -0500 +@@ -0,0 +1 @@ ++.so man3/context_new.3 +--- libselinux-1.19.1/man/man3/get_ordered_context_list.3.rhat 2004-11-09 09:14:24.000000000 -0500 ++++ libselinux-1.19.1/man/man3/get_ordered_context_list.3 2004-11-19 11:29:45.211209677 -0500 
@@ -1,6 +1,6 @@ .TH "get_ordered_context_list" "3" "1 January 2004" "russell@coker.com.au" "SE Linux API documentation" .SH "NAME" -get_ordered_context_list, get_default_context, query_user_context \- determine context(s) for user login sessions -+get_ordered_context_list, get_default_context, query_user_context, manual_user_enter_context, get_default_context_with_role, get_default_role \- determine context(s) for user login sessions ++get_ordered_context_list, get_default_context, get_default_context_with_role, query_user_context, manual_user_enter_context, get_default_role \- determine context(s) for user login sessions .SH "SYNOPSIS" .B #include -@@ -14,7 +14,10 @@ +@@ -11,10 +11,13 @@ + .sp + .BI "int get_default_context(const char *" user ", security_context_t "fromcon ", security_context_t *" newcon ); + .sp ++.BI "int get_default_context_with_role(const char* " user ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon "); ++.sp .BI "int query_user_context(security_context_t *" list ", security_context_t *" newcon ); .sp .BI "int manual_user_enter_context(const char *" user ", security_context_t *" newcon ); - +.sp +.BI "int get_default_type(const char *" role ", char **" type ); -+.sp -+.BI "int get_default_context_with_role(const char* " user ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon "); .SH "DESCRIPTION" .B get_ordered_context_list -@@ -40,6 +43,15 @@ - allows the user to manually enter a context as a fallback if a list of - authorized contexts could not be obtained. Caller must free via freecon. +@@ -31,14 +34,26 @@ + is the same as get_ordered_context_list but only returns a single context + which has to be freed with freecon. + ++.B get_default_context_with_role ++Given a list of authorized security contexts for the user, query the user to select one and set *newcon to refer to it, which has to be freed with freecon. 
++ ++NOTE get_default_context_with_role is the same as get_default_context ++except that it only returns a context with the specified role, returning ++-1 if no such context is reachable for that user. ++ + .B query_user_context + takes a list of contexts, queries the user via stdin/stdout as to which context + they want, and returns a new context as selected by the user (which has to be + freed with freecon). + .B manual_user_enter_context +-allows the user to manually enter a context as a fallback if a list of +-authorized contexts could not be obtained. Caller must free via freecon. ++allows the user to manually enter a context as a fallback if a list of authorized contexts could not be obtained. Caller must free via freecon. ++ +.B get_default_type -+Get the default type (domain) for 'role' and set 'type' to refer to it. -+ Caller must free via free(). ++Get the default type (domain) for 'role' and set 'type' to refer to it, which has to be freed with free. + +.B get_default_context_with_role -+Given a list of authorized security contexts for the user, -+ query the user to select one and set *newcon to refer to it. -+ Caller must free via freecon. -+ ++Given a list of authorized security contexts for the user, query the user to select one and set *newcon to refer to it, which has to be freed with freecon. + .SH "RETURN VALUE" 0 for success and on error -1 is returned. 
+--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/context_free.3 2004-11-19 11:21:37.515236707 -0500 +@@ -0,0 +1 @@ ++.so man3/context_new.3 +--- libselinux-1.19.1/man/man3/getexeccon.3.rhat 2004-11-09 09:14:24.000000000 -0500 ++++ libselinux-1.19.1/man/man3/getexeccon.3 2004-11-19 11:21:37.528235240 -0500 +@@ -8,6 +8,8 @@ + .BI "int getexeccon(security_context_t *" context ); + .br + .BI "int setexeccon(security_context_t "context ); ++.br ++.BI "int rpm_execcon(unsigned int " verified ", const char *" filename ", char *const " argv "[] , char *const " envp "[]); + + .SH "DESCRIPTION" + .B getexeccon +@@ -31,6 +33,11 @@ -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/getpeercon.3 libselinux-1.19.1/man/man3/getpeercon.3 ---- nsalibselinux/man/man3/getpeercon.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/getpeercon.3 2004-11-18 15:27:01.046555919 -0500 + Note: Signal handlers that perform an execve must take care to + save, reset, and restore the exec context to avoid unexpected behaviors. ++.br ++ ++.B rpm_execcon ++Execute a helper for rpm in an appropriate security context. ++ + .SH "RETURN VALUE" + On error -1 is returned. + +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/context_range_set.3 2004-11-19 11:21:37.519236255 -0500 
@@ -0,0 +1 @@ -+.so man3/getcon.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/matchmediacon.3 libselinux-1.19.1/man/man3/matchmediacon.3 ---- nsalibselinux/man/man3/matchmediacon.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/matchmediacon.3 2004-11-18 15:27:01.047555807 -0500 -@@ -0,0 +1,26 @@ -+.TH "matchmediacon" "3" "15 November 2004" "dwalsh@redhat.com" "SE Linux API documentation" ++.so man3/context_new.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/security_commit_booleans.3 2004-11-19 11:21:37.535234450 -0500 +@@ -0,0 +1 @@ ++.so man3/security_load_booleans.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/security_set_boolean.3 2004-11-19 11:21:37.542233661 -0500 +@@ -0,0 +1 @@ ++.so man3/security_load_booleans.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/selinux_failsafe_context_path.3 2004-11-19 11:21:37.549232871 -0500 +@@ -0,0 +1 @@ ++.so man3/selinux_binary_policy_path.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/security_get_boolean_pending.3 2004-11-19 11:21:37.540233886 -0500 +@@ -0,0 +1 @@ ++.so man3/security_load_booleans.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/context_role_set.3 2004-11-19 11:21:37.521236030 -0500 +@@ -0,0 +1 @@ ++.so man3/context_new.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/context_range_get.3 2004-11-19 11:21:37.518236368 -0500 +@@ -0,0 +1 @@ ++.so man3/context_new.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/context_role_get.3 2004-11-19 11:21:37.520236143 -0500 +@@ -0,0 +1 @@ ++.so man3/context_new.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/security_get_boolean_active.3 2004-11-19 11:21:37.537234225 -0500 +@@ -0,0 +1 @@ ++.so man3/security_load_booleans.3 +--- 
/dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/selinux_removable_context_path.3 2004-11-19 11:21:37.552232532 -0500 +@@ -0,0 +1 @@ ++.so man3/selinux_binary_policy_path.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/set_matchpathcon_printf.3 2004-11-19 11:21:37.555232194 -0500 +@@ -0,0 +1 @@ ++.so man3/matchpathcon.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/context_new.3 2004-11-19 11:23:54.697758320 -0500 +@@ -0,0 +1,56 @@ ++.TH "context_new" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API documentation" +.SH "NAME" -+matchmediacon \- get the default security context for the specified mediatype from the policy. ++context_new, context_str, context_free, context_type_get, context_type_set, context_range_get, context_range_set,context_role_get, context_role_set, context_user_get, context_user_set \- Routines to manipulate SELinux security contexts + +.SH "SYNOPSIS" -+.B #include -+.sp -+.BI "int matchmediacon(const char *" media ", security_context_t *" con);" ++.B #include ++.br ++.B "context_t context_new(const char *" context_str ); +.br ++.B "const char * context_str(context_t " con ); ++.br ++.B "void context_free(context_t " con ); ++.br ++.B "const char * context_type_get(context_t " con ); ++.br ++.B "const char * context_range_get(context_t " con ); ++.br ++.B "const char * context_role_get(context_t " con ); ++.br ++.B "const char * context_user_get(context_t " con ); ++.br ++.B "const char * context_type_set(context_t " con ", const char* " type); ++.br ++.B "const char * context_range_set(context_t " con ", const char* " range); ++.br ++.B "const char * context_role_set(context_t " con ", const char* " role ); ++.br ++.B "const char * context_user_set(context_t " con ", const char* " user ); + +.SH "DESCRIPTION" -+.br -+.B matchmediacon -+matches the specified media type with the file contexts configuration and sets the security context 
"con" to refer to the resulting context. -+.sp -+.br -+.B Note: -+ Caller must free returned security context "con" using freecon. -+.SH "RETURN VALUE" -+Returns 0 on success or -1 otherwise. ++ Functions to deal with security contexts in user space. + -+.SH Files -+/etc/selinux/POLICYTYPE/contexts/files/media ++context_new ++ Return a new context initialized to a context string + -+.SH "SEE ALSO" -+.BR freecon "(3) -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/matchpathcon.3 libselinux-1.19.1/man/man3/matchpathcon.3 ---- nsalibselinux/man/man3/matchpathcon.3 2004-10-20 16:31:36.000000000 -0400 -+++ libselinux-1.19.1/man/man3/matchpathcon.3 2004-11-18 15:27:01.049555581 -0500 -@@ -5,17 +5,22 @@ - .SH "SYNOPSIS" - .B #include - .sp --.BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con);" -+.BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con); - .br -+.BI "void set_matchpathcon_printf(void (*f)(const char *fmt, ...));" - - .SH "DESCRIPTION" - .br - .B matchpathcon - matches the specified pathname and mode against the file contexts configuration and sets the security context "con" to refer to the resulting context. "mode" can be 0 to disable mode matching, but should be provided whenever possible, as it may affect the matching. --.sp --.br - .B Note: - Caller must free returned security context "con" using freecon. ++context_str ++Return a pointer to the string value of the context_t ++Valid until the next call to context_str or context_free ++for the same context_t* ++ ++context_free ++Free the storage used by a context ++ ++context_type_get, context_range_get, context_role_get, context_user_get ++Get a pointer to the string value of a context component ++ ++NOTE: Values returned by the get functions are only valid until the next call ++to a set function or context_free() for the same context_t structure. 
++ ++context_type_set, context_range_set, context_role_set, context_user_set ++Set a context component + -+.B set_matchpathcon_printf ++.SH "RETURN VALUE" ++On success, zero is returned. On failure, -1 is returned and errno is ++set appropriately. + -+Set the function used by matchpathcon when displaying errors about the file_contexts configuration. If not set, then this defaults to fprintf(stderr, fmt, ...). -+.sp -+.br - .SH "RETURN VALUE" - Returns 0 on success or -1 otherwise. - -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/rpm_execcon.3 libselinux-1.19.1/man/man3/rpm_execcon.3 ---- nsalibselinux/man/man3/rpm_execcon.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/rpm_execcon.3 2004-11-18 15:27:01.050555468 -0500 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/context_type_get.3 2004-11-19 11:21:37.522235917 -0500 @@ -0,0 +1 @@ -+.so man3/getexeccon.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_commit_booleans.3 libselinux-1.19.1/man/man3/security_commit_booleans.3 ---- nsalibselinux/man/man3/security_commit_booleans.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/security_commit_booleans.3 2004-11-18 15:27:01.051555355 -0500 ++.so man3/context_new.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/security_get_boolean_names.3 2004-11-19 11:21:37.539233999 -0500 
@@ -0,0 +1 @@ +.so man3/security_load_booleans.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_compute_av.3 libselinux-1.19.1/man/man3/security_compute_av.3 ---- nsalibselinux/man/man3/security_compute_av.3 2004-10-20 16:31:36.000000000 -0400 -+++ libselinux-1.19.1/man/man3/security_compute_av.3 2004-11-18 15:27:01.052555242 -0500 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/selinux_booleans_path.3 2004-11-19 11:21:37.545233322 -0500 +@@ -0,0 +1 @@ ++.so man3/selinux_binary_policy_path.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/checkPasswdAccess.3 2004-11-19 11:21:37.514236820 -0500 +@@ -0,0 +1 @@ ++.so man3/security_compute_av.3 +--- libselinux-1.19.1/man/man3/security_compute_av.3.rhat 2004-11-09 09:14:24.000000000 -0500 ++++ libselinux-1.19.1/man/man3/security_compute_av.3 2004-11-19 11:32:59.943237946 -0500 @@ -15,6 +15,8 @@ .BI "int security_compute_relabel(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); .sp 
@@ -300,107 +529,13 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_compute_av. .B get_ordered_context_list. +.B checkPasswdAccess -+This functions is a helper functions that allows you to check for a permission in the passwd class. ++This functions is a helper functions that allows you to check for a permission in the passwd class. checkPasswdAccess uses getprevcon() for the source and target security contexts. + .SH "RETURN VALUE" 0 for success and on error -1 is returned. -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_get_boolean_active.3 libselinux-1.19.1/man/man3/security_get_boolean_active.3 ---- nsalibselinux/man/man3/security_get_boolean_active.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/security_get_boolean_active.3 2004-11-18 15:27:01.053555130 -0500 -@@ -0,0 +1 @@ -+.so man3/security_load_booleans.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_get_boolean_names.3 libselinux-1.19.1/man/man3/security_get_boolean_names.3 ---- nsalibselinux/man/man3/security_get_boolean_names.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/security_get_boolean_names.3 2004-11-18 15:27:01.055554904 -0500 -@@ -0,0 +1 @@ -+.so man3/security_load_booleans.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_get_boolean_pending.3 libselinux-1.19.1/man/man3/security_get_boolean_pending.3 ---- nsalibselinux/man/man3/security_get_boolean_pending.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/security_get_boolean_pending.3 2004-11-18 15:27:01.056554791 -0500 -@@ -0,0 +1 @@ -+.so man3/security_load_booleans.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_load_booleans.3 libselinux-1.19.1/man/man3/security_load_booleans.3 ---- nsalibselinux/man/man3/security_load_booleans.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/security_load_booleans.3 2004-11-18 15:27:01.057554678 -0500 
-@@ -0,0 +1,69 @@ -+.TH "security_get_boolean_names" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation" -+.SH "NAME" -+security_load_booleans, security_set_boolean, security_commit_booleans, -+security_get_boolean_names, security_get_boolean_active, security_get_boolean_pending -+.sp -+routines for manipulating SELinux boolean values -+ -+.SH "SYNOPSIS" -+.B #include -+.sp -+extern int security_load_booleans(char *path); -+.br -+extern int security_get_boolean_names(char ***names, int *len); -+.br -+extern int security_get_boolean_pending(const char *name); -+.br -+extern int security_get_boolean_active(const char *name); -+.br -+extern int security_set_boolean(const char *name, int value); -+.br -+extern int security_commit_booleans(void); -+ -+ -+.SH "DESCRIPTION" -+ -+The SELinux policy can include conditional rules that are enabled or -+disabled based on the current values of a set of policy booleans. -+These policy booleans allow runtime modification of the security -+policy without having to load a new policy. -+ -+The SELinux API allows for a transaction based update. So you can set several boolean values and the commit them all at once. -+ -+security_load_booleans -+.br -+Load policy boolean settings. -+ Path may be NULL, in which case the booleans are loaded from -+ the active policy boolean configuration file. -+ -+security_get_boolean_names -+.br -+Returns a list of boolean names, currently supported by the loaded policy. -+ -+security_get_boolean_pending -+.br -+Return pending value for boolean -+ -+security_get_boolean_active -+.br -+Return active value for boolean -+ -+security_set_boolean -+.br -+Set the pending value for the boolean -+ -+security_commit_booleans -+.br -+Commit all pending values for the booleans. -+ -+security_set_boolean -+.br -+sets the current state of a particular SELinux boolean or a list of booleans -+to a given value. The value may be 1 or true to enable the boolean, or 0 or -+false to disable it. 
-+ -+.SH AUTHOR -+This manual page was written by Dan Walsh . -+ -+.SH "SEE ALSO" -+getsebool(8), booleans(8), togglesebool(8) -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_set_boolean.3 libselinux-1.19.1/man/man3/security_set_boolean.3 ---- nsalibselinux/man/man3/security_set_boolean.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/security_set_boolean.3 2004-11-18 15:27:01.059554453 -0500 -@@ -0,0 +1 @@ -+.so man3/security_load_booleans.3 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_binary_policy_path.3 libselinux-1.19.1/man/man3/selinux_binary_policy_path.3 ---- nsalibselinux/man/man3/selinux_binary_policy_path.3 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/man/man3/selinux_binary_policy_path.3 2004-11-18 15:27:01.060554340 -0500 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/selinux_binary_policy_path.3 2004-11-19 11:21:37.544233435 -0500 @@ -0,0 +1,75 @@ +.TH "security_get_boolean_names" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation" +.SH "NAME" 
@@ -477,362 +612,196 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_binary_polic
 +.SH AUTHOR
 +This manual page was written by Dan Walsh .
 +
-diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_booleans_path.3 libselinux-1.19.1/man/man3/selinux_booleans_path.3
---- nsalibselinux/man/man3/selinux_booleans_path.3 1969-12-31 19:00:00.000000000 -0500
-+++ libselinux-1.19.1/man/man3/selinux_booleans_path.3 2004-11-18 15:27:01.061554227 -0500
-@@ -0,0 +1 @@
-+.so man3/selinux_binary_policy_path.3
-diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_contexts_path.3 libselinux-1.19.1/man/man3/selinux_contexts_path.3
---- nsalibselinux/man/man3/selinux_contexts_path.3 1969-12-31 19:00:00.000000000 -0500
-+++ libselinux-1.19.1/man/man3/selinux_contexts_path.3 2004-11-18 15:27:01.062554114 -0500
-@@ -0,0 +1 @@
-+.so man3/selinux_binary_policy_path.3
-diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_default_context_path.3 libselinux-1.19.1/man/man3/selinux_default_context_path.3
---- nsalibselinux/man/man3/selinux_default_context_path.3 1969-12-31 19:00:00.000000000 -0500
-+++ libselinux-1.19.1/man/man3/selinux_default_context_path.3 2004-11-18 15:27:01.064553889 -0500
-@@ -0,0 +1 @@
-+.so man3/selinux_binary_policy_path.3
-diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_failsafe_context_path.3 libselinux-1.19.1/man/man3/selinux_failsafe_context_path.3
---- nsalibselinux/man/man3/selinux_failsafe_context_path.3 1969-12-31 19:00:00.000000000 -0500
-+++ libselinux-1.19.1/man/man3/selinux_failsafe_context_path.3 2004-11-18 15:27:01.065553776 -0500
-@@ -0,0 +1 @@
-+.so man3/selinux_binary_policy_path.3
-diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_file_context_path.3 libselinux-1.19.1/man/man3/selinux_file_context_path.3
---- nsalibselinux/man/man3/selinux_file_context_path.3 1969-12-31 19:00:00.000000000 -0500
-+++
libselinux-1.19.1/man/man3/selinux_file_context_path.3 2004-11-18 15:27:01.066553663 -0500
-@@ -0,0 +1 @@
-+.so man3/selinux_binary_policy_path.3
-diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_media_context_path.3 libselinux-1.19.1/man/man3/selinux_media_context_path.3
---- nsalibselinux/man/man3/selinux_media_context_path.3 1969-12-31 19:00:00.000000000 -0500
-+++ libselinux-1.19.1/man/man3/selinux_media_context_path.3 2004-11-18 15:27:01.067553550 -0500
+--- /dev/null 2004-11-19 04:10:22.696886456 -0500
++++ libselinux-1.19.1/man/man3/selinux_contexts_path.3 2004-11-19 11:21:37.546233209 -0500
 @@ -0,0 +1 @@
 +.so man3/selinux_binary_policy_path.3
-diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_removable_context_path.3 libselinux-1.19.1/man/man3/selinux_removable_context_path.3
---- nsalibselinux/man/man3/selinux_removable_context_path.3 1969-12-31 19:00:00.000000000 -0500
-+++ libselinux-1.19.1/man/man3/selinux_removable_context_path.3 2004-11-18 15:27:01.072552986 -0500
+--- /dev/null 2004-11-19 04:10:22.696886456 -0500
++++ libselinux-1.19.1/man/man3/selinux_file_context_path.3 2004-11-19 11:21:37.550232758 -0500
 @@ -0,0 +1 @@
 +.so man3/selinux_binary_policy_path.3
-diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_user_contexts_path.3 libselinux-1.19.1/man/man3/selinux_user_contexts_path.3
---- nsalibselinux/man/man3/selinux_user_contexts_path.3 1969-12-31 19:00:00.000000000 -0500
-+++ libselinux-1.19.1/man/man3/selinux_user_contexts_path.3 2004-11-18 15:27:01.073552873 -0500
-@@ -0,0 +1 @@
-+.so man3/selinux_binary_policy_path.3
-diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/set_matchpathcon_printf.3 libselinux-1.19.1/man/man3/set_matchpathcon_printf.3
---- nsalibselinux/man/man3/set_matchpathcon_printf.3 1969-12-31 19:00:00.000000000 -0500
-+++ libselinux-1.19.1/man/man3/set_matchpathcon_printf.3 2004-11-18 15:27:01.075552648 -0500
-@@ -0,0 +1 @@
-+.so man3/matchpathcon.3
-diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/avcstat.8 libselinux-1.19.1/man/man8/avcstat.8
---- nsalibselinux/man/man8/avcstat.8 1969-12-31 19:00:00.000000000 -0500
-+++ libselinux-1.19.1/man/man8/avcstat.8 2004-11-18 16:28:55.008507362 -0500
-@@ -0,0 +1,28 @@
-+.TH "avcstat" "8" "18 Nov 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
+--- /dev/null 2004-11-19 04:10:22.696886456 -0500
++++ libselinux-1.19.1/man/man3/matchmediacon.3 2004-11-19 11:32:02.685698348 -0500
+@@ -0,0 +1,26 @@
++.TH "matchmediacon" "3" "15 November 2004" "dwalsh@redhat.com" "SE Linux API documentation"
 +.SH "NAME"
-+avcstat \- Display SELinux AVC statistics
++matchmediacon \- get the default security context for the specified mediatype from the policy.
 +
 +.SH "SYNOPSIS"
-+.B avcstat
-+.I [-c] [-f status_file] [interval]
++.B #include
++.sp
++.BI "int matchmediacon(const char *" media ", security_context_t *" con);"
++.br
 +
 +.SH "DESCRIPTION"
-+.B avcstat
-+
-+Display SELinux AVC statistics. If the interval parameter is specified, the
-+program will loop, displaying updated statistics every 'interval' seconds.
-+Relative values are displayed by default.
-+
-+.SH OPTIONS
-+.TP
-+.B \-c
-+Display the cumulative values.
-+
-+.TP
-+.B \-f
-+Specifies the location of the AVC statistics file, defaulting to '/selinux/avc/cache_stats'.
++.br
++.B matchmediacon
++matches the specified media type with the media contexts configuration and sets the security context "con" to refer to the resulting context.
++.sp
++.br
++.B Note:
++ Caller must free returned security context "con" using freecon.
++.SH "RETURN VALUE"
++Returns 0 on success or -1 otherwise.
 +
-+.SH AUTHOR
-+This manual page was written by Dan Walsh .
-+The program was written by James Morris .
++.SH Files
++/etc/selinux/POLICYTYPE/contexts/files/media
 +
-diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/getsebool.8 libselinux-1.19.1/man/man8/getsebool.8
---- nsalibselinux/man/man8/getsebool.8 2004-11-02 14:26:19.000000000 -0500
-+++ libselinux-1.19.1/man/man8/getsebool.8 2004-11-18 15:27:01.076552535 -0500
-@@ -8,13 +8,12 @@
++.SH "SEE ALSO"
++.BR freecon "(3)
+--- libselinux-1.19.1/man/man3/matchpathcon.3.rhat 2004-11-09 09:14:24.000000000 -0500
++++ libselinux-1.19.1/man/man3/matchpathcon.3 2004-11-19 11:21:37.533234676 -0500
+@@ -5,17 +5,22 @@
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+-.BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con);"
++.BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con);
+ .br
++.BI "void set_matchpathcon_printf(void (*f)(const char *fmt, ...));"
  .SH "DESCRIPTION"
- .B getsebool
--reports the current state of either a particular SELinux boolean or
--all SELinux booleans. The state consists of two values, the active
--value and the pending value. The active value indicates the value
--that is presently applied to the policy. The pending value indicates
-+reports where a particular SELinux boolean or
-+all SELinux booleans are active or inactive.
-+In certain situations a boolean can be in one state with a pending
-+change to the other state.
getsebool will report this as a pending change. -+The pending value indicates - the value that will be applied upon the next boolean commit. --Typically, these values will be the same; they only differ when in the --middle of a boolean change transaction. - - The setting of boolean values occurs in two stages; first the pending - value is changed, then the booleans are committed, causing their -diff --exclude-from=exclude -N -u -r nsalibselinux/utils/avcstat.c libselinux-1.19.1/utils/avcstat.c ---- nsalibselinux/utils/avcstat.c 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-1.19.1/utils/avcstat.c 2004-11-18 16:19:13.230149764 -0500 -@@ -0,0 +1,224 @@ -+/* -+ * avcstat - Display SELinux avc statistics. -+ * -+ * Copyright (C) 2004 Red Hat, Inc., James Morris -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License version 2, -+ * as published by the Free Software Foundation. -+ * -+ */ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#define DEF_STAT_FILE "/avc/cache_stats" -+#define DEF_BUF_SIZE 8192 -+#define HEADERS "lookups hits misses allocations reclaims frees" -+ -+struct avc_cache_stats { -+ unsigned int lookups; -+ unsigned int hits; -+ unsigned int misses; -+ unsigned int allocations; -+ unsigned int reclaims; -+ unsigned int frees; -+}; -+ -+static int interval; -+static int rows; -+static char *progname; -+static char buf[DEF_BUF_SIZE]; -+ -+/* selinuxfs mount point */ -+extern char *selinux_mnt; -+ -+ -+static void die(const char *msg, ...) 
-+{ -+ va_list args; -+ -+ fputs("ERROR: ", stderr); -+ -+ va_start(args, msg); -+ vfprintf(stderr, msg, args); -+ va_end(args); -+ -+ if (errno) -+ fprintf(stderr, ": %s", strerror(errno)); -+ -+ fputc('\n', stderr); -+ exit(1); -+} + .br + .B matchpathcon + matches the specified pathname and mode against the file contexts configuration and sets the security context "con" to refer to the resulting context. "mode" can be 0 to disable mode matching, but should be provided whenever possible, as it may affect the matching. +-.sp +-.br + .B Note: + Caller must free returned security context "con" using freecon. + -+static void usage(void) -+{ -+ printf("\nUsage: %s [-c] [-f status_file] [interval]\n\n", progname); -+ printf("Display SELinux AVC statistics. If the interval parameter is specified, the\n"); -+ printf("program will loop, displaying updated statistics every \'interval\' seconds.\n"); -+ printf("Relative values are displayed by default. Use the -c option to specify the\n"); -+ printf("display of cumulative values. The -f option specifies the location of the\n"); -+ printf("AVC statistics file, defaulting to \'%s\%s\'.\n\n", selinux_mnt, DEF_STAT_FILE); -+} ++.B set_matchpathcon_printf + -+static void set_window_rows(void) -+{ -+ int ret; -+ struct winsize ws; -+ -+ ret = ioctl(fileno(stdout), TIOCGWINSZ, &ws); -+ if (ret < 0 || ws.ws_row < 3) -+ ws.ws_row = 24; -+ rows = ws.ws_row; -+} ++Set the function used by matchpathcon when displaying errors about the file_contexts configuration. If not set, then this defaults to fprintf(stderr, fmt, ...). ++.sp ++.br + .SH "RETURN VALUE" + Returns 0 on success or -1 otherwise. 
+ +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/security_load_booleans.3 2004-11-19 11:35:47.204365772 -0500 +@@ -0,0 +1,61 @@ ++.TH "security_get_boolean_names" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation" ++.SH "NAME" ++security_load_booleans, security_set_boolean, security_commit_booleans, ++security_get_boolean_names, security_get_boolean_active, security_get_boolean_pending ++.sp ++routines for manipulating SELinux boolean values + -+static void sighandler(int num) -+{ -+ if (num == SIGWINCH) -+ set_window_rows(); -+} ++.SH "SYNOPSIS" ++.B #include ++.sp ++extern int security_load_booleans(char *path); ++.br ++extern int security_get_boolean_names(char ***names, int *len); ++.br ++extern int security_get_boolean_pending(const char *name); ++.br ++extern int security_get_boolean_active(const char *name); ++.br ++extern int security_set_boolean(const char *name, int value); ++.br ++extern int security_commit_booleans(void); + -+int main(int argc, char **argv) -+{ -+ int fd, i, cumulative = 0; -+ struct sigaction sa; -+ char avcstatfile[PATH_MAX]; -+ snprintf(avcstatfile, sizeof avcstatfile, "%s%s", selinux_mnt, DEF_STAT_FILE); -+ progname = basename(argv[0]); -+ -+ while((i = getopt(argc, argv, "cf:h?-")) != -1) { -+ switch (i) { -+ case 'c': -+ cumulative = 1; -+ break; -+ case 'f': -+ strncpy(avcstatfile, optarg, sizeof avcstatfile); -+ break; -+ case 'h': -+ case '-': -+ usage(); -+ exit(0); -+ default: -+ usage(); -+ die("unrecognized parameter", i); -+ } -+ } + -+ if (optind < argc) { -+ char *arg = argv[optind]; -+ unsigned int n = strtoul(arg, NULL, 10); -+ -+ if (errno == ERANGE) { -+ usage(); -+ die("invalid interval \'%s\'", arg); -+ } -+ if (n == 0) { -+ usage(); -+ exit (0); -+ } -+ interval = n; -+ } -+ -+ sa.sa_handler = sighandler; -+ sa.sa_flags = SA_RESTART; ++.SH "DESCRIPTION" + -+ i = sigaction(SIGWINCH, &sa, NULL); -+ if (i < 0) -+ die("sigaction"); -+ -+ set_window_rows(); -+ fd 
= open(avcstatfile, O_RDONLY); -+ if (fd < 0) -+ die("open: \'%s\'", avcstatfile); -+ -+ for (i = 0;; i++) { -+ char *line; -+ ssize_t ret, parsed = 0; -+ struct avc_cache_stats tot, rel, last; -+ -+ memset(buf, 0, DEF_BUF_SIZE); -+ ret = read(fd, buf, DEF_BUF_SIZE); -+ if (ret < 0) -+ die("read"); -+ -+ if (ret == 0) -+ die("read: \'%s\': unexpected end of file", avcstatfile); ++The SELinux policy can include conditional rules that are enabled or ++disabled based on the current values of a set of policy booleans. ++These policy booleans allow runtime modification of the security ++policy without having to load a new policy. + -+ line = strtok(buf, "\n"); -+ if (!line) -+ die("unable to parse \'%s\': end of line not found", avcstatfile); ++The SELinux API allows for a transaction based update. So you can set several boolean values and the commit them all at once. + -+ if (strcmp(line, HEADERS)) -+ die("unable to parse \'%s\': invalid headers", avcstatfile); ++security_load_booleans ++.br ++Load policy boolean settings. Path may be NULL, in which case the booleans are loaded from the active policy boolean configuration file. + -+ if (!i || !(i % (rows - 2))) -+ printf("%10s %10s %10s %10s %10s %10s\n", "lookups", -+ "hits", "misses", "allocs", "reclaims", "frees"); ++security_get_boolean_names ++.br ++Returns a list of boolean names, currently supported by the loaded policy. 
+ -+ memset(&tot, 0, sizeof(tot)); -+ -+ while ((line = strtok(NULL, "\n"))) { -+ struct avc_cache_stats tmp; -+ -+ ret = sscanf(line, "%u %u %u %u %u %u", -+ &tmp.lookups, -+ &tmp.hits, -+ &tmp.misses, -+ &tmp.allocations, -+ &tmp.reclaims, -+ &tmp.frees); -+ if (ret != 6) -+ die("unable to parse \'%s\': scan error", avcstatfile); -+ -+ tot.lookups += tmp.lookups; -+ tot.hits += tmp.hits; -+ tot.misses += tmp.misses; -+ tot.allocations += tmp.allocations; -+ tot.reclaims += tmp.reclaims; -+ tot.frees += tmp.frees; -+ parsed = 1; -+ } ++security_set_boolean ++.br ++Sets the pending value for boolean + -+ if (!parsed) -+ die("unable to parse \'%s\': no data", avcstatfile); ++security_get_boolean_pending ++.br ++Return pending value for boolean + -+ if (cumulative || (!cumulative && !i)) -+ printf("%10u %10u %10u %10u %10u %10u\n", -+ tot.lookups, tot.hits, tot.misses, -+ tot.allocations, tot.reclaims, tot.frees); -+ else { -+ rel.lookups = tot.lookups - last.lookups; -+ rel.hits = tot.hits - last.hits; -+ rel.misses = tot.misses - last.misses; -+ rel.allocations = tot.allocations - last.allocations; -+ rel.reclaims = tot.reclaims - last.reclaims; -+ rel.frees = tot.frees - last.frees; -+ printf("%10u %10u %10u %10u %10u %10u\n", -+ rel.lookups, rel.hits, rel.misses, -+ rel.allocations, rel.reclaims, rel.frees); -+ } -+ -+ if (!interval) -+ break; ++security_get_boolean_active ++.br ++Return active value for boolean + -+ memcpy(&last, &tot, sizeof(last)); -+ sleep(interval); ++security_commit_booleans ++.br ++Commit all pending values for the booleans. + -+ ret = lseek(fd, 0, 0); -+ if (ret < 0) -+ die("lseek"); -+ } ++.SH AUTHOR ++This manual page was written by Dan Walsh . 
+ -+ close(fd); -+ return 0; -+} -diff --exclude-from=exclude -N -u -r nsalibselinux/utils/getsebool.c libselinux-1.19.1/utils/getsebool.c ---- nsalibselinux/utils/getsebool.c 2004-11-09 09:13:54.000000000 -0500 -+++ libselinux-1.19.1/utils/getsebool.c 2004-11-18 15:27:01.077552422 -0500 -@@ -83,8 +83,14 @@ - rc = -1; - goto out; - } -- printf("%s --> active: %d pending: %d\n", names[i], -- active, pending); -+ if (pending != active) { -+ printf("%s --> %s pending: %s\n", names[i], -+ ( active ? "active" : "inactive"), -+ ( pending ? "active" : "inactive")); -+ } else { -+ printf("%s --> %s\n", names[i], -+ ( active ? "active" : "inactive")); -+ } - } ++.SH "SEE ALSO" ++getsebool(8), booleans(8), togglesebool(8) +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/selinux_default_context_path.3 2004-11-19 11:21:37.547233097 -0500 +@@ -0,0 +1 @@ ++.so man3/selinux_binary_policy_path.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/get_default_context_with_role.3 2004-11-19 11:21:37.527235353 -0500 +@@ -0,0 +1 @@ ++.so man3/get_ordered_context_list.3 +--- /dev/null 2004-11-19 04:10:22.696886456 -0500 ++++ libselinux-1.19.1/man/man3/selinux_user_contexts_path.3 2004-11-19 11:21:37.554232307 -0500 +@@ -0,0 +1 @@ ++.so man3/selinux_binary_policy_path.3 +--- libselinux-1.19.1/man/man8/getsebool.8.rhat 2004-11-09 09:14:24.000000000 -0500 ++++ libselinux-1.19.1/man/man8/getsebool.8 2004-11-19 11:21:37.557231968 -0500 +@@ -8,13 +8,12 @@ - out: -diff --exclude-from=exclude -N -u -r nsalibselinux/utils/setsebool.c libselinux-1.19.1/utils/setsebool.c ---- nsalibselinux/utils/setsebool.c 2004-11-09 09:13:54.000000000 -0500 -+++ libselinux-1.19.1/utils/setsebool.c 2004-11-18 15:27:01.078552309 -0500 -@@ -35,6 +35,8 @@ + .SH "DESCRIPTION" + .B getsebool +-reports the current state of either a particular SELinux boolean or +-all SELinux booleans. 
The state consists of two values, the active
+-value and the pending value. The active value indicates the value
+-that is presently applied to the policy. The pending value indicates
++reports where a particular SELinux boolean or
++all SELinux booleans are active or inactive.
++In certain situations a boolean can be in one state with a pending
++change to the other state. getsebool will report this as a pending change.
++The pending value indicates
+ the value that will be applied upon the next boolean commit.
+-Typically, these values will be the same; they only differ when in the
+-middle of a boolean change transaction.
- if (strcmp(argv[1], "-P") == 0) {
- permanent = 1;
-+ if (argc < 3)
-+ usage();
- start = 2;
- }
- else
+ The setting of boolean values occurs in two stages; first the pending
+ value is changed, then the booleans are committed, causing their
+--- /dev/null 2004-11-19 04:10:22.696886456 -0500
++++ libselinux-1.19.1/man/man8/avcstat.8 2004-11-19 11:21:37.556232081 -0500
+@@ -0,0 +1,28 @@
++.TH "avcstat" "8" "18 Nov 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
++.SH "NAME"
++avcstat \- Display SELinux AVC statistics
++
++.SH "SYNOPSIS"
++.B avcstat
++.I [-c] [-f status_file] [interval]
++
++.SH "DESCRIPTION"
++.B avcstat
++
++Display SELinux AVC statistics. If the interval parameter is specified, the
++program will loop, displaying updated statistics every 'interval' seconds.
++Relative values are displayed by default.
++
++.SH OPTIONS
++.TP
++.B \-c
++Display the cumulative values.
++
++.TP
++.B \-f
++Specifies the location of the AVC statistics file, defaulting to '/selinux/avc/cache_stats'.
++
++.SH AUTHOR
++This manual page was written by Dan Walsh .
++The program was written by James Morris .
++
diff --git a/libselinux.spec b/libselinux.spec
index 8bc6a0c..28df417 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -1,11 +1,10 @@
 Summary: SELinux library and simple utilities
 Name: libselinux
-Version: 1.19.1
-Release: 6
+Version: 1.19.2
+Release: 1
 License: Public domain (uncopyrighted)
 Group: System Environment/Libraries
 Source: http://www.nsa.gov/selinux/archives/libselinux-%{version}.tgz
-Patch: libselinux-rhat.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
 %description
@@ -34,7 +33,6 @@ needed for developing SELinux applications.
 %prep
 %setup -q
-%patch -p1 -b .rhat
 %build
 make CFLAGS="-g %{optflags}"
@@ -85,6 +83,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_mandir}/man8/*
 %changelog
+* Tue Nov 30 2004 Dan Walsh 1.19.2-1
+- Upgrade to upstream
+
 * Thu Nov 18 2004 Dan Walsh 1.19.1-6
 - Add avcstat program
diff --git a/sources b/sources
index 8e8c422..3ededc6 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-ffdf7eda6f78662350c0ceb632290657 libselinux-1.19.1.tgz
+365d9d8936b12b501421cf99f1aaae7a libselinux-1.19.2.tgz
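Review bot: Dropping `Patch: libselinux-rhat.patch` and `%patch -p1 -b .rhat` means libselinux-rhat.patch is no longer applied at build time, yet this same commit rewrites that patch file (the avcstat.8 and matchmediacon.3 man pages, the getsebool.8 wording, the `setsebool -P` argc check). Unless upstream 1.19.2 already carries all of that content, the 1.19.2-1 build silently loses it; if upstream does carry it, the patch file is dead and should be removed from the repository rather than updated. Nothing in the build will flag the mismatch, since an unreferenced patch file does not fail `%prep`. The changelog line `- Upgrade to upstream` should also record that the Red Hat patch was dropped, so the next version bump does not re-add the Patch line out of habit.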