diff --git a/.gitignore b/.gitignore index 57332b4..37c9e44 100644 --- a/.gitignore +++ b/.gitignore @@ -203,3 +203,4 @@ libselinux-2.0.96.tgz /libselinux-2.4.tar.gz /libselinux-2.5-rc1.tar.gz /libselinux-2.5.tar.gz +/libselinux-2.6.tar.gz diff --git a/libselinux-fedora.patch b/libselinux-fedora.patch index 1d949b8..faf2e99 100644 --- a/libselinux-fedora.patch +++ b/libselinux-fedora.patch @@ -1,52 +1,18 @@ -diff --git libselinux-2.5/ChangeLog libselinux-2.5/ChangeLog -index 24673dd..bc68bed 100644 ---- libselinux-2.5/ChangeLog -+++ libselinux-2.5/ChangeLog -@@ -1,3 +1,29 @@ -+ * Fix -Wsign-compare warnings, from Nicolas Iooss. -+ * Drop unused stdio_ext.h header file, from William Roberts. -+ * Kill logging check for selinux_enabled(), from William Roberts. -+ * Drop usage of _D_ALLOC_NAMLEN, from William Roberts. -+ * Add openrc_contexts functions, from Jason Zaman. -+ * Fix redefinition of XATTR_NAME_SELINUX, from William Roberts. -+ * Correct error path to always try text, from William Roberts. -+ * Clean up process_file(), from William Roberts. -+ * Handle NULL pcre study data, from Stephen Smalley. -+ * Fix in tree compilation of utils that depend on libsepol, from Laurent Bigonville. -+ * Change the location of _selinux.so, from Petr Lautrbach. -+ * Clarify is_selinux_mls_enabled() description, from David King. -+ * Explain how to free policy type from selinux_getpolicytype(), from David King. -+ * Compare absolute pathname in matchpathcon -V, from Petr Lautrbach. -+ * Add selinux_snapperd_contexts_path(), from Petr Lautrbach. -+ * Modify audit2why analyze function to use loaded policy, from Joshua Brindle. -+ * Sort object files for deterministic linking order, from Laurent Bigonville. -+ * Respect CC and PKG_CONFIG environment variable, from Julien Pivotto. -+ * Avoid mounting /proc outside of selinux_init_load_policy(), from Stephen Smalley. -+ * Fix multiple spelling errors, from Laurent Bigonville. -+ * Fix typo in sefcontext_compile.8, from Petr Lautrbach and Milos Malik -+ * Fix location of selinuxfs mount point, from Dan Walsh. -+ * Only mount /proc if necessary, from Stephen Smalley. -+ * procattr: return einval for <= 0 pid args, from Daniel Cashman. -+ * procattr: return error on invalid pid_t input, from Daniel Cashman. -+ - 2.5 2016-02-23 - * selinux_restorecon.3 man page corrections, from Richard Haines. - * Add selinux_restorecon function, from Richard Haines. -diff --git libselinux-2.5/Makefile libselinux-2.5/Makefile -index 6142b60..bdf9de8 100644 ---- libselinux-2.5/Makefile -+++ libselinux-2.5/Makefile +diff --git libselinux-2.6/Makefile libselinux-2.6/Makefile +index baa0db3..b2fbff3 100644 +--- libselinux-2.6/Makefile ++++ libselinux-2.6/Makefile @@ -1,4 +1,4 @@ -SUBDIRS = src include utils man +SUBDIRS = src include utils man golang - DISABLE_AVC ?= n DISABLE_SETRANS ?= n -diff --git libselinux-2.5/golang/Makefile libselinux-2.5/golang/Makefile + DISABLE_RPM ?= n +diff --git libselinux-2.6/golang/Makefile libselinux-2.6/golang/Makefile new file mode 100644 index 0000000..b75677b --- /dev/null -+++ libselinux-2.5/golang/Makefile ++++ libselinux-2.6/golang/Makefile @@ -0,0 +1,22 @@ +# Installation directories. +PREFIX ?= $(DESTDIR)/usr @@ -70,11 +36,11 @@ index 0000000..b75677b +indent: + +relabel: -diff --git libselinux-2.5/golang/selinux.go libselinux-2.5/golang/selinux.go +diff --git libselinux-2.6/golang/selinux.go libselinux-2.6/golang/selinux.go new file mode 100644 index 0000000..34bf6bb --- /dev/null -+++ libselinux-2.5/golang/selinux.go ++++ libselinux-2.6/golang/selinux.go @@ -0,0 +1,412 @@ +package selinux + @@ -488,11 +454,11 @@ index 0000000..34bf6bb + fmt.Println(Getfscreatecon()) + fmt.Println(Getpidcon(1)) +} -diff --git libselinux-2.5/golang/test.go libselinux-2.5/golang/test.go +diff --git libselinux-2.6/golang/test.go libselinux-2.6/golang/test.go new file mode 100644 index 0000000..fed6de8 --- /dev/null -+++ libselinux-2.5/golang/test.go ++++ libselinux-2.6/golang/test.go @@ -0,0 +1,9 @@ +package main + @@ -503,168 +469,10 @@ index 0000000..fed6de8 +func main() { + selinux.Test() +} -diff --git libselinux-2.5/include/selinux/selinux.h libselinux-2.5/include/selinux/selinux.h -index 2262086..45dd6ca 100644 ---- libselinux-2.5/include/selinux/selinux.h -+++ libselinux-2.5/include/selinux/selinux.h -@@ -543,7 +543,9 @@ extern const char *selinux_virtual_image_context_path(void); - extern const char *selinux_lxc_contexts_path(void); - extern const char *selinux_x_context_path(void); - extern const char *selinux_sepgsql_context_path(void); -+extern const char *selinux_openrc_contexts_path(void); - extern const char *selinux_openssh_contexts_path(void); -+extern const char *selinux_snapperd_contexts_path(void); - extern const char *selinux_systemd_contexts_path(void); - extern const char *selinux_contexts_path(void); - extern const char *selinux_securetty_types_path(void); -diff --git libselinux-2.5/man/man3/avc_add_callback.3 libselinux-2.5/man/man3/avc_add_callback.3 -index dbfe72d..bdbbadf 100644 ---- libselinux-2.5/man/man3/avc_add_callback.3 -+++ libselinux-2.5/man/man3/avc_add_callback.3 -@@ -57,7 +57,7 @@ and will cause any SID to match. - .I callback - is the callback function provided by the userspace object manager. The - .I event --argument indicates the security event which occured; the remaining arguments -+argument indicates the security event which occurred; the remaining arguments - are interpreted according to the event as described below. The return value - of the callback should be zero on success, \-1 on error with - .I errno -@@ -175,7 +175,7 @@ If the userspace AVC is running in threaded mode, callbacks registered via - may be executed in the context of the netlink handler thread. This will likely introduce synchronization issues requiring the use of locks. See - .BR avc_init (3). - --Support for dynamic revocation and retained permissions is mostly unimplemented in the SELinux kernel module. The only security event that currently gets excercised is -+Support for dynamic revocation and retained permissions is mostly unimplemented in the SELinux kernel module. The only security event that currently gets exercised is - .BR AVC_CALLBACK_RESET . - . - .SH "AUTHOR" -diff --git libselinux-2.5/man/man3/avc_has_perm.3 libselinux-2.5/man/man3/avc_has_perm.3 -index 7353952..3e9fca8 100644 ---- libselinux-2.5/man/man3/avc_has_perm.3 -+++ libselinux-2.5/man/man3/avc_has_perm.3 -@@ -108,7 +108,7 @@ for the first time. - Using an uninitialized structure will produce undefined behavior. - . - .SH "RETURN VALUE" --If requested permissions are granted, zero is returned. If requested permissions are denied or an error occured, \-1 is returned and -+If requested permissions are granted, zero is returned. If requested permissions are denied or an error occurred, \-1 is returned and - .I errno - is set appropriately. - -diff --git libselinux-2.5/man/man3/is_selinux_enabled.3 libselinux-2.5/man/man3/is_selinux_enabled.3 -index f02052c..df62c22 100644 ---- libselinux-2.5/man/man3/is_selinux_enabled.3 -+++ libselinux-2.5/man/man3/is_selinux_enabled.3 -@@ -3,7 +3,7 @@ - is_selinux_enabled \- check whether SELinux is enabled - . - .SH "NAME" --is_selinux_mls_enabled \- check whether SELinux is enabled for (Multi Level Securty) MLS -+is_selinux_mls_enabled \- check whether SELinux is enabled for (Multi Level Security) MLS - . - .SH "SYNOPSIS" - .B #include -@@ -18,7 +18,9 @@ returns 1 if SELinux is running or 0 if it is not. - On error, \-1 is returned. - - .BR is_selinux_mls_enabled () --returns 1 if SELinux is running in MLS mode or 0 if it is not. -+returns 1 if SELinux is capable of running in MLS mode or 0 if it is not. To -+determine the policy in use on the system, use -+.BR selinux_getpolicytype (3). - . - .SH "SEE ALSO" - .BR selinux "(8)" -diff --git libselinux-2.5/man/man3/security_disable.3 libselinux-2.5/man/man3/security_disable.3 -index c75ce0d..072923c 100644 ---- libselinux-2.5/man/man3/security_disable.3 -+++ libselinux-2.5/man/man3/security_disable.3 -@@ -12,7 +12,7 @@ security_disable \- disable the SELinux kernel code at runtime - disables the SELinux kernel code, unregisters selinuxfs from - .IR /proc/filesystems , - and then unmounts --.IR /selinux . -+.IR /sys/fs/selinux . - .sp - This function can only be called at runtime and prior to the initial policy - load. After the initial policy load, the SELinux kernel code cannot be disabled, -diff --git libselinux-2.5/man/man3/selinux_getpolicytype.3 libselinux-2.5/man/man3/selinux_getpolicytype.3 -index c947e2c..b219d42 100644 ---- libselinux-2.5/man/man3/selinux_getpolicytype.3 -+++ libselinux-2.5/man/man3/selinux_getpolicytype.3 -@@ -13,7 +13,10 @@ Reads the contents of the - .I /etc/selinux/config - file to determine the SELinux policy used on the system, and sets - .I \%policytype --accordinly. -+accordingly. Free -+.I \%policytype -+with -+.BR free (3). - . - .SH "RETURN VALUE" - On success, zero is returned. -diff --git libselinux-2.5/man/man3/selinux_status_open.3 libselinux-2.5/man/man3/selinux_status_open.3 -index f779dd9..2d44be5 100644 ---- libselinux-2.5/man/man3/selinux_status_open.3 -+++ libselinux-2.5/man/man3/selinux_status_open.3 -@@ -23,7 +23,7 @@ without invocation of system calls - .SH "DESCRIPTION" - Linux 2.6.37 or later provides a SELinux kernel status page; being mostly - placed on --.I /selinux/status -+.I /sys/fs/selinux/status - entry. It enables userspace applications to mmap this page with read-only - mode, then it informs some status without system call invocations. - .sp -@@ -38,7 +38,7 @@ without system-call invocation or worker thread for monitoring. - .BR selinux_status_open () - tries to - .BR open (2) --.I /selinux/status -+.I /sys/fs/selinux/status - and - .BR mmap (2) - it in read-only mode. The file-descriptor and pointer to the page shall -diff --git libselinux-2.5/man/man8/avcstat.8 libselinux-2.5/man/man8/avcstat.8 -index 204687d..2c4bce1 100644 ---- libselinux-2.5/man/man8/avcstat.8 -+++ libselinux-2.5/man/man8/avcstat.8 -@@ -25,7 +25,7 @@ Display the cumulative values. - .TP - .B \-f - Specifies the location of the AVC statistics file, defaulting to --.IR /selinux/avc/cache_stats . -+.IR /sys/fs/selinux/avc/cache_stats . - . - .SH AUTHOR - This manual page was written by Dan Walsh . -diff --git libselinux-2.5/man/man8/sefcontext_compile.8 libselinux-2.5/man/man8/sefcontext_compile.8 -index b77ff3a..4eae173 100644 ---- libselinux-2.5/man/man8/sefcontext_compile.8 -+++ libselinux-2.5/man/man8/sefcontext_compile.8 -@@ -13,14 +13,14 @@ sefcontext_compile \- compile file context regular expression files - .SH "DESCRIPTION" - .B sefcontext_compile - is used to compile file context regular expressions into --.BR prce (3) -+.BR pcre (3) - format. - .sp - The compiled file is used by libselinux file labeling functions. - .sp - By default - .B sefcontext_compile --writes the compiled prce file with the -+writes the compiled pcre file with the - .B .bin - suffix appended (e.g. \fIinputfile\fB.bin\fR). - .SH OPTIONS -diff --git libselinux-2.5/man/man8/selinux.8 libselinux-2.5/man/man8/selinux.8 +diff --git libselinux-2.6/man/man8/selinux.8 libselinux-2.6/man/man8/selinux.8 index 6f1034b..c9f188c 100644 ---- libselinux-2.5/man/man8/selinux.8 -+++ libselinux-2.5/man/man8/selinux.8 +--- libselinux-2.6/man/man8/selinux.8 ++++ libselinux-2.6/man/man8/selinux.8 @@ -91,11 +91,13 @@ This manual page was written by Dan Walsh . .BR sepolicy (8), .BR system-config-selinux (8), @@ -681,80 +489,10 @@ index 6f1034b..c9f188c 100644 Every confined service on the system has a man page in the following format: .br -diff --git libselinux-2.5/src/Makefile libselinux-2.5/src/Makefile -index d0021ae..37d01af 100644 ---- libselinux-2.5/src/Makefile -+++ libselinux-2.5/src/Makefile -@@ -5,6 +5,7 @@ PYTHON ?= python - PYPREFIX ?= $(notdir $(PYTHON)) - RUBY ?= ruby - RUBYPREFIX ?= $(notdir $(RUBY)) -+PKG_CONFIG ?= pkg-config - - # Installation directories. - PREFIX ?= $(DESTDIR)/usr -@@ -12,11 +13,11 @@ LIBDIR ?= $(PREFIX)/lib - SHLIBDIR ?= $(DESTDIR)/lib - INCLUDEDIR ?= $(PREFIX)/include - PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % sys.version_info[0:2])') --PYINC ?= $(shell pkg-config --cflags $(PYPREFIX)) -+PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) - PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER) - RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")') - RUBYPLATFORM ?= $(shell $(RUBY) -e 'print RUBY_PLATFORM') --RUBYINC ?= $(shell pkg-config --cflags ruby) -+RUBYINC ?= $(shell $(PKG_CONFIG) --cflags ruby) - RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) - LIBBASE ?= $(shell basename $(LIBDIR)) - -@@ -48,7 +49,7 @@ ifeq ($(DISABLE_BOOL),y) - endif - - GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i --SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(wildcard *.c)) -+SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(sort $(wildcard *.c))) - - MAX_STACK_SIZE=32768 - -@@ -155,7 +156,7 @@ install: all - - install-pywrap: pywrap - test -d $(PYLIBDIR)/site-packages/selinux || install -m 755 -d $(PYLIBDIR)/site-packages/selinux -- install -m 755 $(SWIGSO) $(PYLIBDIR)/site-packages/selinux/_selinux.so -+ install -m 755 $(SWIGSO) $(PYLIBDIR)/site-packages/_selinux.so - install -m 755 $(AUDIT2WHYSO) $(PYLIBDIR)/site-packages/selinux/audit2why.so - install -m 644 $(SWIGPYOUT) $(PYLIBDIR)/site-packages/selinux/__init__.py - -diff --git libselinux-2.5/src/audit2why.c libselinux-2.5/src/audit2why.c -index 12745b3..abe1701 100644 ---- libselinux-2.5/src/audit2why.c -+++ libselinux-2.5/src/audit2why.c -@@ -343,8 +343,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args - if (rc < 0) - RETURN(BADTCON) - -- tclass = string_to_security_class(tclassstr); -- if (!tclass) -+ rc = sepol_string_to_security_class(tclassstr, &tclass); -+ if (rc < 0) - RETURN(BADTCLASS) - - /* Convert the permission list to an AV. */ -@@ -365,8 +365,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args - permstr = PyString_AsString( strObj ); - #endif - -- perm = string_to_av_perm(tclass, permstr); -- if (!perm) -+ rc = sepol_string_to_av_perm(tclass, permstr, &perm); -+ if (rc < 0) - RETURN(BADPERM) - - av |= perm; -diff --git libselinux-2.5/src/avc_sidtab.c libselinux-2.5/src/avc_sidtab.c +diff --git libselinux-2.6/src/avc_sidtab.c libselinux-2.6/src/avc_sidtab.c index 9669264..c775430 100644 ---- libselinux-2.5/src/avc_sidtab.c -+++ libselinux-2.5/src/avc_sidtab.c +--- libselinux-2.6/src/avc_sidtab.c ++++ libselinux-2.6/src/avc_sidtab.c @@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s, int hvalue, rc = 0; struct sidtab_node *cur; @@ -767,40 +505,10 @@ index 9669264..c775430 100644 *sid = NULL; hvalue = sidtab_hash(ctx); -diff --git libselinux-2.5/src/booleans.c libselinux-2.5/src/booleans.c -index 4b39a28..c438af1 100644 ---- libselinux-2.5/src/booleans.c -+++ libselinux-2.5/src/booleans.c -@@ -63,12 +63,11 @@ int security_get_boolean_names(char ***names, int *len) - } - - for (i = 0; i < *len; i++) { -- n[i] = (char *)malloc(_D_ALLOC_NAMLEN(namelist[i])); -+ n[i] = strdup(namelist[i]->d_name); - if (!n[i]) { - rc = -1; - goto bad_freen; - } -- strcpy(n[i], namelist[i]->d_name); - } - rc = 0; - *names = n; -diff --git libselinux-2.5/src/callbacks.c libselinux-2.5/src/callbacks.c -index cdf7b63..c3cf98b 100644 ---- libselinux-2.5/src/callbacks.c -+++ libselinux-2.5/src/callbacks.c -@@ -16,7 +16,6 @@ default_selinux_log(int type __attribute__((unused)), const char *fmt, ...) - { - int rc; - va_list ap; -- if (is_selinux_enabled() == 0) return 0; - va_start(ap, fmt); - rc = vfprintf(stderr, fmt, ap); - va_end(ap); -diff --git libselinux-2.5/src/canonicalize_context.c libselinux-2.5/src/canonicalize_context.c +diff --git libselinux-2.6/src/canonicalize_context.c libselinux-2.6/src/canonicalize_context.c index 7cf3139..364a746 100644 ---- libselinux-2.5/src/canonicalize_context.c -+++ libselinux-2.5/src/canonicalize_context.c +--- libselinux-2.6/src/canonicalize_context.c ++++ libselinux-2.6/src/canonicalize_context.c @@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con, size_t size; int fd, ret; @@ -813,10 +521,10 @@ index 7cf3139..364a746 100644 if (!selinux_mnt) { errno = ENOENT; return -1; -diff --git libselinux-2.5/src/check_context.c libselinux-2.5/src/check_context.c +diff --git libselinux-2.6/src/check_context.c libselinux-2.6/src/check_context.c index 52063fa..234749c 100644 ---- libselinux-2.5/src/check_context.c -+++ libselinux-2.5/src/check_context.c +--- libselinux-2.6/src/check_context.c ++++ libselinux-2.6/src/check_context.c @@ -14,6 +14,11 @@ int security_check_context_raw(const char * con) char path[PATH_MAX]; int fd, ret; @@ -829,10 +537,10 @@ index 52063fa..234749c 100644 if (!selinux_mnt) { errno = ENOENT; return -1; -diff --git libselinux-2.5/src/compute_av.c libselinux-2.5/src/compute_av.c +diff --git libselinux-2.6/src/compute_av.c libselinux-2.6/src/compute_av.c index 937e5c3..35ace7f 100644 ---- libselinux-2.5/src/compute_av.c -+++ libselinux-2.5/src/compute_av.c +--- libselinux-2.6/src/compute_av.c ++++ libselinux-2.6/src/compute_av.c @@ -26,6 +26,11 @@ int security_compute_av_flags_raw(const char * scon, return -1; } @@ -845,10 +553,10 @@ index 937e5c3..35ace7f 100644 snprintf(path, sizeof path, "%s/access", selinux_mnt); fd = open(path, O_RDWR); if (fd < 0) -diff --git libselinux-2.5/src/compute_create.c libselinux-2.5/src/compute_create.c +diff --git libselinux-2.6/src/compute_create.c libselinux-2.6/src/compute_create.c index 9559d42..14a65d1 100644 ---- libselinux-2.5/src/compute_create.c -+++ libselinux-2.5/src/compute_create.c +--- libselinux-2.6/src/compute_create.c ++++ libselinux-2.6/src/compute_create.c @@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon, return -1; } @@ -861,10 +569,10 @@ index 9559d42..14a65d1 100644 snprintf(path, sizeof path, "%s/create", selinux_mnt); fd = open(path, O_RDWR); if (fd < 0) -diff --git libselinux-2.5/src/compute_member.c libselinux-2.5/src/compute_member.c +diff --git libselinux-2.6/src/compute_member.c libselinux-2.6/src/compute_member.c index 1fc7e41..065d996 100644 ---- libselinux-2.5/src/compute_member.c -+++ libselinux-2.5/src/compute_member.c +--- libselinux-2.6/src/compute_member.c ++++ libselinux-2.6/src/compute_member.c @@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon, return -1; } @@ -877,10 +585,10 @@ index 1fc7e41..065d996 100644 snprintf(path, sizeof path, "%s/member", selinux_mnt); fd = open(path, O_RDWR); if (fd < 0) -diff --git libselinux-2.5/src/compute_relabel.c libselinux-2.5/src/compute_relabel.c +diff --git libselinux-2.6/src/compute_relabel.c libselinux-2.6/src/compute_relabel.c index 4615aee..cc77f36 100644 ---- libselinux-2.5/src/compute_relabel.c -+++ libselinux-2.5/src/compute_relabel.c +--- libselinux-2.6/src/compute_relabel.c ++++ libselinux-2.6/src/compute_relabel.c @@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon, return -1; } @@ -893,10 +601,10 @@ index 4615aee..cc77f36 100644 snprintf(path, sizeof path, "%s/relabel", selinux_mnt); fd = open(path, O_RDWR); if (fd < 0) -diff --git libselinux-2.5/src/compute_user.c libselinux-2.5/src/compute_user.c +diff --git libselinux-2.6/src/compute_user.c libselinux-2.6/src/compute_user.c index b37c5d3..7703c26 100644 ---- libselinux-2.5/src/compute_user.c -+++ libselinux-2.5/src/compute_user.c +--- libselinux-2.6/src/compute_user.c ++++ libselinux-2.6/src/compute_user.c @@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon, return -1; } @@ -909,36 +617,10 @@ index b37c5d3..7703c26 100644 snprintf(path, sizeof path, "%s/user", selinux_mnt); fd = open(path, O_RDWR); if (fd < 0) -diff --git libselinux-2.5/src/exception.sh libselinux-2.5/src/exception.sh -index b7cff7e..a58bf3f 100755 ---- libselinux-2.5/src/exception.sh -+++ libselinux-2.5/src/exception.sh -@@ -15,6 +15,6 @@ echo " - ;; - esac - } --gcc -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h -+${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h - for i in `awk '/.*extern int/ { print $6 }' temp.aux`; do except $i ; done - rm -f -- temp.aux -.o -diff --git libselinux-2.5/src/file_path_suffixes.h libselinux-2.5/src/file_path_suffixes.h -index d1f9b48..2d3ca49 100644 ---- libselinux-2.5/src/file_path_suffixes.h -+++ libselinux-2.5/src/file_path_suffixes.h -@@ -23,7 +23,9 @@ S_(BINPOLICY, "/policy/policy") - S_(VIRTUAL_DOMAIN, "/contexts/virtual_domain_context") - S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context") - S_(LXC_CONTEXTS, "/contexts/lxc_contexts") -+ S_(OPENRC_CONTEXTS, "/contexts/openrc_contexts") - S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts") -+ S_(SNAPPERD_CONTEXTS, "/contexts/snapperd_contexts") - S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts") - S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs") - S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist") -diff --git libselinux-2.5/src/fsetfilecon.c libselinux-2.5/src/fsetfilecon.c +diff --git libselinux-2.6/src/fsetfilecon.c libselinux-2.6/src/fsetfilecon.c index 52707d0..0cbe12d 100644 ---- libselinux-2.5/src/fsetfilecon.c -+++ libselinux-2.5/src/fsetfilecon.c +--- libselinux-2.6/src/fsetfilecon.c ++++ libselinux-2.6/src/fsetfilecon.c @@ -9,8 +9,12 @@ int fsetfilecon_raw(int fd, const char * context) @@ -954,691 +636,10 @@ index 52707d0..0cbe12d 100644 if (rc < 0 && errno == ENOTSUP) { char * ccontext = NULL; int err = errno; -diff --git libselinux-2.5/src/init.c libselinux-2.5/src/init.c -index 3db4de0..ddf91f8 100644 ---- libselinux-2.5/src/init.c -+++ libselinux-2.5/src/init.c -@@ -11,7 +11,6 @@ - #include - #include - #include --#include - - #include "dso.h" - #include "policy.h" -@@ -20,7 +19,6 @@ - - char *selinux_mnt = NULL; - int selinux_page_size = 0; --int obj_class_compat = 1; - - int has_selinux_config = 0; - -@@ -57,20 +55,15 @@ static int verify_selinuxmnt(const char *mnt) - - int selinuxfs_exists(void) - { -- int exists = 0, mnt_rc = 0; -+ int exists = 0; - FILE *fp = NULL; - char *buf = NULL; - size_t len; - ssize_t num; - -- mnt_rc = mount("proc", "/proc", "proc", 0, 0); -- - fp = fopen("/proc/filesystems", "r"); -- if (!fp) { -- exists = 1; /* Fail as if it exists */ -- goto out; -- } -- -+ if (!fp) -+ return 1; /* Fail as if it exists */ - __fsetlocking(fp, FSETLOCKING_BYCALLER); - - num = getline(&buf, &len, fp); -@@ -84,14 +77,6 @@ int selinuxfs_exists(void) - - free(buf); - fclose(fp); -- --out: --#ifndef MNT_DETACH --#define MNT_DETACH 2 --#endif -- if (mnt_rc == 0) -- umount2("/proc", MNT_DETACH); -- - return exists; - } - hidden_def(selinuxfs_exists) -diff --git libselinux-2.5/src/label_file.c libselinux-2.5/src/label_file.c -index 071d902..c243c67 100644 ---- libselinux-2.5/src/label_file.c -+++ libselinux-2.5/src/label_file.c -@@ -10,7 +10,6 @@ - #include - #include - #include --#include - #include - #include - #include -@@ -97,62 +96,42 @@ static int nodups_specs(struct saved_data *data, const char *path) - return rc; - } - --static int load_mmap(struct selabel_handle *rec, const char *path, -- struct stat *sb, bool isbinary, -- struct selabel_digest *digest) -+static int process_text_file(FILE *fp, const char *prefix, -+ struct selabel_handle *rec, const char *path) -+{ -+ int rc; -+ size_t line_len; -+ unsigned int lineno = 0; -+ char *line_buf = NULL; -+ -+ while (getline(&line_buf, &line_len, fp) > 0) { -+ rc = process_line(rec, path, prefix, line_buf, ++lineno); -+ if (rc) -+ goto out; -+ } -+ rc = 0; -+out: -+ free(line_buf); -+ return rc; -+} -+ -+static int load_mmap(FILE *fp, size_t len, struct selabel_handle *rec, -+ const char *path) - { - struct saved_data *data = (struct saved_data *)rec->data; -- char mmap_path[PATH_MAX + 1]; -- int mmapfd; - int rc; -- struct stat mmap_stat; - char *addr, *str_buf; -- size_t len; - int *stem_map; - struct mmap_area *mmap_area; - uint32_t i, magic, version; - uint32_t entry_len, stem_map_len, regex_array_len; - -- if (isbinary) { -- len = strlen(path); -- if (len >= sizeof(mmap_path)) -- return -1; -- strcpy(mmap_path, path); -- } else { -- rc = snprintf(mmap_path, sizeof(mmap_path), "%s.bin", path); -- if (rc >= (int)sizeof(mmap_path)) -- return -1; -- } -- -- mmapfd = open(mmap_path, O_RDONLY | O_CLOEXEC); -- if (mmapfd < 0) -- return -1; -- -- rc = fstat(mmapfd, &mmap_stat); -- if (rc < 0) { -- close(mmapfd); -- return -1; -- } -- -- /* if mmap is old, ignore it */ -- if (mmap_stat.st_mtime < sb->st_mtime) { -- close(mmapfd); -- return -1; -- } -- -- /* ok, read it in... */ -- len = mmap_stat.st_size; -- len += (sysconf(_SC_PAGE_SIZE) - 1); -- len &= ~(sysconf(_SC_PAGE_SIZE) - 1); -- - mmap_area = malloc(sizeof(*mmap_area)); - if (!mmap_area) { -- close(mmapfd); - return -1; - } - -- addr = mmap(NULL, len, PROT_READ, MAP_PRIVATE, mmapfd, 0); -- close(mmapfd); -+ addr = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fileno(fp), 0); - if (addr == MAP_FAILED) { - free(mmap_area); - perror("mmap"); -@@ -227,7 +206,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path, - rc = next_entry(&stem_len, mmap_area, sizeof(uint32_t)); - if (rc < 0 || !stem_len) { - rc = -1; -- goto err; -+ goto out; - } - - /* Check for stem_len wrap around. */ -@@ -236,15 +215,15 @@ static int load_mmap(struct selabel_handle *rec, const char *path, - /* Check if over-run before null check. */ - rc = next_entry(NULL, mmap_area, (stem_len + 1)); - if (rc < 0) -- goto err; -+ goto out; - - if (buf[stem_len] != '\0') { - rc = -1; -- goto err; -+ goto out; - } - } else { - rc = -1; -- goto err; -+ goto out; - } - - /* store the mapping between old and new */ -@@ -253,7 +232,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path, - newid = store_stem(data, buf, stem_len); - if (newid < 0) { - rc = newid; -- goto err; -+ goto out; - } - data->stem_arr[newid].from_mmap = 1; - } -@@ -264,7 +243,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path, - rc = next_entry(®ex_array_len, mmap_area, sizeof(uint32_t)); - if (rc < 0 || !regex_array_len) { - rc = -1; -- goto err; -+ goto out; - } - - for (i = 0; i < regex_array_len; i++) { -@@ -274,7 +253,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path, - - rc = grow_specs(data); - if (rc < 0) -- goto err; -+ goto out; - - spec = &data->spec_arr[data->nspec]; - spec->from_mmap = 1; -@@ -284,30 +263,31 @@ static int load_mmap(struct selabel_handle *rec, const char *path, - rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t)); - if (rc < 0 || !entry_len) { - rc = -1; -- goto err; -+ goto out; - } - - str_buf = malloc(entry_len); - if (!str_buf) { - rc = -1; -- goto err; -+ goto out; - } - rc = next_entry(str_buf, mmap_area, entry_len); - if (rc < 0) -- goto err; -+ goto out; - - if (str_buf[entry_len - 1] != '\0') { - free(str_buf); - rc = -1; -- goto err; -+ goto out; - } - spec->lr.ctx_raw = str_buf; - - if (strcmp(spec->lr.ctx_raw, "<>") && rec->validating) { - if (selabel_validate(rec, &spec->lr) < 0) { - selinux_log(SELINUX_ERROR, -- "%s: context %s is invalid\n", mmap_path, spec->lr.ctx_raw); -- goto err; -+ "%s: context %s is invalid\n", -+ path, spec->lr.ctx_raw); -+ goto out; - } - } - -@@ -315,17 +295,17 @@ static int load_mmap(struct selabel_handle *rec, const char *path, - rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t)); - if (rc < 0 || !entry_len) { - rc = -1; -- goto err; -+ goto out; - } - - spec->regex_str = (char *)mmap_area->next_addr; - rc = next_entry(NULL, mmap_area, entry_len); - if (rc < 0) -- goto err; -+ goto out; - - if (spec->regex_str[entry_len - 1] != '\0') { - rc = -1; -- goto err; -+ goto out; - } - - /* Process mode */ -@@ -334,14 +314,14 @@ static int load_mmap(struct selabel_handle *rec, const char *path, - else - rc = next_entry(&mode, mmap_area, sizeof(mode_t)); - if (rc < 0) -- goto err; -+ goto out; - - spec->mode = mode; - - /* map the stem id from the mmap file to the data->stem_arr */ - rc = next_entry(&stem_id, mmap_area, sizeof(int32_t)); - if (rc < 0) -- goto err; -+ goto out; - - if (stem_id < 0 || stem_id >= (int32_t)stem_map_len) - spec->stem_id = -1; -@@ -351,7 +331,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path, - /* retrieve the hasMetaChars bit */ - rc = next_entry(&meta_chars, mmap_area, sizeof(uint32_t)); - if (rc < 0) -- goto err; -+ goto out; - - spec->hasMetaChars = meta_chars; - /* and prefix length for use by selabel_lookup_best_match */ -@@ -359,7 +339,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path, - rc = next_entry(&prefix_len, mmap_area, - sizeof(uint32_t)); - if (rc < 0) -- goto err; -+ goto out; - - spec->prefix_len = prefix_len; - } -@@ -368,143 +348,207 @@ static int load_mmap(struct selabel_handle *rec, const char *path, - rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t)); - if (rc < 0 || !entry_len) { - rc = -1; -- goto err; -+ goto out; - } - spec->regex = (pcre *)mmap_area->next_addr; - rc = next_entry(NULL, mmap_area, entry_len); - if (rc < 0) -- goto err; -+ goto out; - - /* Check that regex lengths match. pcre_fullinfo() - * also validates its magic number. */ - rc = pcre_fullinfo(spec->regex, NULL, PCRE_INFO_SIZE, &len); - if (rc < 0 || len != entry_len) { - rc = -1; -- goto err; -+ goto out; - } - - rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t)); - if (rc < 0 || !entry_len) { - rc = -1; -- goto err; -+ goto out; - } -- spec->lsd.study_data = (void *)mmap_area->next_addr; -- spec->lsd.flags |= PCRE_EXTRA_STUDY_DATA; -- rc = next_entry(NULL, mmap_area, entry_len); -- if (rc < 0) -- goto err; - -- /* Check that study data lengths match. */ -- rc = pcre_fullinfo(spec->regex, &spec->lsd, -- PCRE_INFO_STUDYSIZE, &len); -- if (rc < 0 || len != entry_len) { -- rc = -1; -- goto err; -+ if (entry_len) { -+ spec->lsd.study_data = (void *)mmap_area->next_addr; -+ spec->lsd.flags |= PCRE_EXTRA_STUDY_DATA; -+ rc = next_entry(NULL, mmap_area, entry_len); -+ if (rc < 0) -+ goto out; -+ -+ /* Check that study data lengths match. */ -+ rc = pcre_fullinfo(spec->regex, &spec->lsd, -+ PCRE_INFO_STUDYSIZE, &len); -+ if (rc < 0 || len != entry_len) { -+ rc = -1; -+ goto out; -+ } - } - - data->nspec++; - } - -- rc = digest_add_specfile(digest, NULL, addr, mmap_stat.st_size, -- mmap_path); -- if (rc) -- goto err; -- --err: -+ rc = 0; -+out: - free(stem_map); - - return rc; - } - --static int process_file(const char *path, const char *suffix, -- struct selabel_handle *rec, -- const char *prefix, struct selabel_digest *digest) --{ -- FILE *fp; -+struct file_details { -+ const char *suffix; - struct stat sb; -- unsigned int lineno; -- size_t line_len = 0; -- char *line_buf = NULL; -- int rc; -- char stack_path[PATH_MAX + 1]; -- bool isbinary = false; -+}; -+ -+static char *rolling_append(char *current, const char *suffix, size_t max) -+{ -+ size_t size; -+ size_t suffix_size; -+ size_t current_size; -+ -+ if (!suffix) -+ return current; -+ -+ current_size = strlen(current); -+ suffix_size = strlen(suffix); -+ -+ size = current_size + suffix_size; -+ if (size < current_size || size < suffix_size) -+ return NULL; -+ -+ /* ensure space for the '.' and the '\0' characters. */ -+ if (size >= (SIZE_MAX - 2)) -+ return NULL; -+ -+ size += 2; -+ -+ if (size > max) -+ return NULL; -+ -+ /* Append any given suffix */ -+ char *to = current + current_size; -+ *to++ = '.'; -+ strcpy(to, suffix); -+ -+ return current; -+} -+ -+static bool fcontext_is_binary(FILE *fp) -+{ - uint32_t magic; - -- /* append the path suffix if we have one */ -- if (suffix) { -- rc = snprintf(stack_path, sizeof(stack_path), -- "%s.%s", path, suffix); -- if (rc >= (int)sizeof(stack_path)) { -- errno = ENAMETOOLONG; -- return -1; -- } -- path = stack_path; -+ size_t len = fread(&magic, sizeof(magic), 1, fp); -+ rewind(fp); -+ -+ return (len && (magic == SELINUX_MAGIC_COMPILED_FCONTEXT)); -+} -+ -+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) -+ -+static FILE *open_file(const char *path, const char *suffix, -+ char *save_path, size_t len, struct stat *sb, bool open_oldest) -+{ -+ unsigned int i; -+ int rc; -+ char stack_path[len]; -+ struct file_details *found = NULL; -+ -+ /* -+ * Rolling append of suffix. Try to open with path.suffix then the -+ * next as path.suffix.suffix and so forth. -+ */ -+ struct file_details fdetails[2] = { -+ { .suffix = suffix }, -+ { .suffix = "bin" } -+ }; -+ -+ rc = snprintf(stack_path, sizeof(stack_path), "%s", path); -+ if (rc >= (int) sizeof(stack_path)) { -+ errno = ENAMETOOLONG; -+ return NULL; - } - -- /* Open the specification file. */ -- fp = fopen(path, "r"); -- if (fp) { -- __fsetlocking(fp, FSETLOCKING_BYCALLER); -+ for (i = 0; i < ARRAY_SIZE(fdetails); i++) { - -- if (fstat(fileno(fp), &sb) < 0) -- return -1; -- if (!S_ISREG(sb.st_mode)) { -- errno = EINVAL; -- return -1; -- } -+ /* This handles the case if suffix is null */ -+ path = rolling_append(stack_path, fdetails[i].suffix, -+ sizeof(stack_path)); -+ if (!path) -+ return NULL; - -- magic = 0; -- if (fread(&magic, sizeof magic, 1, fp) != 1) { -- if (ferror(fp)) { -- errno = EINVAL; -- fclose(fp); -- return -1; -- } -- clearerr(fp); -- } -+ rc = stat(path, &fdetails[i].sb); -+ if (rc) -+ continue; - -- if (magic == SELINUX_MAGIC_COMPILED_FCONTEXT) { -- /* file_contexts.bin format */ -- fclose(fp); -- fp = NULL; -- isbinary = true; -- } else { -- rewind(fp); -+ /* first file thing found, just take it */ -+ if (!found) { -+ strcpy(save_path, path); -+ found = &fdetails[i]; -+ continue; - } -- } else { -+ - /* -- * Text file does not exist, so clear the timestamp -- * so that we will always pass the timestamp comparison -- * with the bin file in load_mmap(). -+ * Keep picking the newest file found. Where "newest" -+ * includes equality. This provides a precedence on -+ * secondary suffixes even when the timestamp is the -+ * same. Ie choose file_contexts.bin over file_contexts -+ * even if the time stamp is the same. Invert this logic -+ * on open_oldest set to true. The idea is that if the -+ * newest file failed to process, we can attempt to -+ * process the oldest. The logic here is subtle and depends -+ * on the array ordering in fdetails for the case when time -+ * stamps are the same. - */ -- sb.st_mtime = 0; -+ if (open_oldest ^ -+ (fdetails[i].sb.st_mtime >= found->sb.st_mtime)) { -+ found = &fdetails[i]; -+ strcpy(save_path, path); -+ } - } - -- rc = load_mmap(rec, path, &sb, isbinary, digest); -- if (rc == 0) -- goto out; -+ if (!found) { -+ errno = ENOENT; -+ return NULL; -+ } -+ -+ memcpy(sb, &found->sb, sizeof(*sb)); -+ return fopen(save_path, "r"); -+} - -- if (!fp) -- return -1; /* no text or bin file */ -+static int process_file(const char *path, const char *suffix, -+ struct selabel_handle *rec, -+ const char *prefix, struct selabel_digest *digest) -+{ -+ int rc; -+ unsigned int i; -+ struct stat sb; -+ FILE *fp = NULL; -+ char found_path[PATH_MAX]; - - /* -- * Then do detailed validation of the input and fill the spec array -+ * On the first pass open the newest modified file. If it fails to -+ * process, then the second pass shall open the oldest file. If both -+ * passes fail, then it's a fatal error. - */ -- lineno = 0; -- rc = 0; -- while (getline(&line_buf, &line_len, fp) > 0) { -- rc = process_line(rec, path, prefix, line_buf, ++lineno); -- if (rc) -- goto out; -- } -+ for (i = 0; i < 2; i++) { -+ fp = open_file(path, suffix, found_path, sizeof(found_path), -+ &sb, i > 0); -+ if (fp == NULL) -+ return -1; - -- rc = digest_add_specfile(digest, fp, NULL, sb.st_size, path); -+ rc = fcontext_is_binary(fp) ? -+ load_mmap(fp, sb.st_size, rec, found_path) : -+ process_text_file(fp, prefix, rec, found_path); -+ if (!rc) -+ rc = digest_add_specfile(digest, fp, NULL, sb.st_size, -+ found_path); - --out: -- free(line_buf); -- if (fp) - fclose(fp); -- return rc; -+ -+ if (!rc) -+ return 0; -+ } -+ return -1; - } - - static void closef(struct selabel_handle *rec); -diff --git libselinux-2.5/src/label_file.h libselinux-2.5/src/label_file.h -index 72fed1f..6d1e890 100644 ---- libselinux-2.5/src/label_file.h -+++ libselinux-2.5/src/label_file.h -@@ -80,9 +80,12 @@ struct saved_data { - - static inline pcre_extra *get_pcre_extra(struct spec *spec) - { -- if (spec->from_mmap) -- return &spec->lsd; -- else -+ if (spec->from_mmap) { -+ if (spec->lsd.study_data) -+ return &spec->lsd; -+ else -+ return NULL; -+ } else - return spec->sd; - } - -diff --git libselinux-2.5/src/label_internal.h libselinux-2.5/src/label_internal.h -index aa48fff..0827ef6 100644 ---- libselinux-2.5/src/label_internal.h -+++ libselinux-2.5/src/label_internal.h -@@ -124,7 +124,7 @@ selabel_validate(struct selabel_handle *rec, - */ - extern int myprintf_compat; - extern void __attribute__ ((format(printf, 1, 2))) --(*myprintf) (const char *fmt, ...); -+(*myprintf) (const char *fmt, ...) hidden; - - #define COMPAT_LOG(type, fmt...) if (myprintf_compat) \ - myprintf(fmt); \ -diff --git libselinux-2.5/src/load_policy.c libselinux-2.5/src/load_policy.c -index 21ee58b..4f39fc7 100644 ---- libselinux-2.5/src/load_policy.c -+++ libselinux-2.5/src/load_policy.c -@@ -17,6 +17,10 @@ - #include "policy.h" - #include - -+#ifndef MNT_DETACH -+#define MNT_DETACH 2 -+#endif -+ - int security_load_policy(void *data, size_t len) - { - char path[PATH_MAX]; -@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforce) - fclose(cfg); - free(buf); - } --#ifndef MNT_DETACH --#define MNT_DETACH 2 --#endif -- if (rc == 0) -- umount2("/proc", MNT_DETACH); - - /* - * Determine the final desired mode. -@@ -400,11 +399,17 @@ int selinux_init_load_policy(int *enforce) - /* Only emit this error if selinux was not disabled */ - fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno)); - } -+ -+ if (rc == 0) -+ umount2("/proc", MNT_DETACH); - - goto noload; - } - set_selinuxmnt(mntpoint); - -+ if (rc == 0) -+ umount2("/proc", MNT_DETACH); -+ - /* - * Note: The following code depends on having selinuxfs - * already mounted and selinuxmnt set above. -diff --git libselinux-2.5/src/lsetfilecon.c libselinux-2.5/src/lsetfilecon.c +diff --git libselinux-2.6/src/lsetfilecon.c libselinux-2.6/src/lsetfilecon.c index 1d3b28a..ea6d70b 100644 ---- libselinux-2.5/src/lsetfilecon.c -+++ libselinux-2.5/src/lsetfilecon.c +--- libselinux-2.6/src/lsetfilecon.c ++++ libselinux-2.6/src/lsetfilecon.c @@ -9,8 +9,13 @@ int lsetfilecon_raw(const char *path, const char * context) @@ -1655,28 +656,11 @@ index 1d3b28a..ea6d70b 100644 if (rc < 0 && errno == ENOTSUP) { char * ccontext = NULL; int err = errno; -diff --git libselinux-2.5/src/matchpathcon.c libselinux-2.5/src/matchpathcon.c -index 5b495a0..d92ed79 100644 ---- libselinux-2.5/src/matchpathcon.c -+++ libselinux-2.5/src/matchpathcon.c -@@ -2,6 +2,7 @@ - #include - #include - #include -+#include - #include "selinux_internal.h" - #include "label_internal.h" - #include "callbacks.h" -@@ -62,7 +63,7 @@ static void - { - va_list ap; - va_start(ap, fmt); -- vfprintf(stderr, fmt, ap); -+ vsyslog(LOG_ERR, fmt, ap); - va_end(ap); - } - -@@ -361,12 +362,6 @@ int realpath_not_final(const char *name, char *resolved_path) +diff --git libselinux-2.6/src/matchpathcon.c libselinux-2.6/src/matchpathcon.c +index 724eb65..58b4144 100644 +--- libselinux-2.6/src/matchpathcon.c ++++ libselinux-2.6/src/matchpathcon.c +@@ -389,12 +389,6 @@ int realpath_not_final(const char *name, char *resolved_path) goto out; } @@ -1689,225 +673,10 @@ index 5b495a0..d92ed79 100644 last_component = strrchr(tmp_path, '/'); if (last_component == tmp_path) { -@@ -470,6 +465,17 @@ int selinux_file_context_verify(const char *path, mode_t mode) - char * con = NULL; - char * fcontext = NULL; - int rc = 0; -+ char stackpath[PATH_MAX + 1]; -+ char *p = NULL; -+ -+ if (S_ISLNK(mode)) { -+ if (!realpath_not_final(path, stackpath)) -+ path = stackpath; -+ } else { -+ p = realpath(path, stackpath); -+ if (p) -+ path = p; -+ } - - rc = lgetfilecon_raw(path, &con); - if (rc == -1) { -diff --git libselinux-2.5/src/policy.h libselinux-2.5/src/policy.h -index bf270b5..f6d7242 100644 ---- libselinux-2.5/src/policy.h -+++ libselinux-2.5/src/policy.h -@@ -3,8 +3,13 @@ - - /* Private definitions used internally by libselinux. */ - --/* xattr name for SELinux attributes. */ -+/* -+ * xattr name for SELinux attributes. -+ * This may have been exported via Kernel uapi header. -+ */ -+#ifndef XATTR_NAME_SELINUX - #define XATTR_NAME_SELINUX "security.selinux" -+#endif - - /* Initial length guess for getting contexts. */ - #define INITCONTEXTLEN 255 -diff --git libselinux-2.5/src/procattr.c libselinux-2.5/src/procattr.c -index 527a0a5..eee4612 100644 ---- libselinux-2.5/src/procattr.c -+++ libselinux-2.5/src/procattr.c -@@ -70,9 +70,9 @@ static int openattr(pid_t pid, const char *attr, int flags) - char *path; - pid_t tid; - -- if (pid > 0) -+ if (pid > 0) { - rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr); -- else { -+ } else if (pid == 0) { - rc = asprintf(&path, "/proc/thread-self/attr/%s", attr); - if (rc < 0) - return -1; -@@ -82,6 +82,9 @@ static int openattr(pid_t pid, const char *attr, int flags) - free(path); - tid = gettid(); - rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr); -+ } else { -+ errno = EINVAL; -+ return -1; - } - if (rc < 0) - return -1; -@@ -303,11 +306,21 @@ static int setprocattrcon(const char * context, - #define getpidattr_def(fn, attr) \ - int get##fn##_raw(pid_t pid, char **c) \ - { \ -- return getprocattrcon_raw(c, pid, #attr); \ -+ if (pid <= 0) { \ -+ errno = EINVAL; \ -+ return -1; \ -+ } else { \ -+ return getprocattrcon_raw(c, pid, #attr); \ -+ } \ - } \ - int get##fn(pid_t pid, char **c) \ - { \ -- return getprocattrcon(c, pid, #attr); \ -+ if (pid <= 0) { \ -+ errno = EINVAL; \ -+ return -1; \ -+ } else { \ -+ return getprocattrcon(c, pid, #attr); \ -+ } \ - } - - all_selfattr_def(con, current) -diff --git libselinux-2.5/src/selinux_config.c libselinux-2.5/src/selinux_config.c -index bec5f3b..88bcc85 100644 ---- libselinux-2.5/src/selinux_config.c -+++ libselinux-2.5/src/selinux_config.c -@@ -50,7 +50,9 @@ - #define BOOLEAN_SUBS 27 - #define OPENSSH_CONTEXTS 28 - #define SYSTEMD_CONTEXTS 29 --#define NEL 30 -+#define SNAPPERD_CONTEXTS 30 -+#define OPENRC_CONTEXTS 31 -+#define NEL 32 - - /* Part of one-time lazy init */ - static pthread_once_t once = PTHREAD_ONCE_INIT; -@@ -492,6 +494,13 @@ const char *selinux_lxc_contexts_path(void) - - hidden_def(selinux_lxc_contexts_path) - -+const char *selinux_openrc_contexts_path(void) -+{ -+ return get_path(OPENRC_CONTEXTS); -+} -+ -+hidden_def(selinux_openrc_contexts_path) -+ - const char *selinux_openssh_contexts_path(void) - { - return get_path(OPENSSH_CONTEXTS); -@@ -499,6 +508,13 @@ const char *selinux_openssh_contexts_path(void) - - hidden_def(selinux_openssh_contexts_path) - -+const char *selinux_snapperd_contexts_path(void) -+{ -+ return get_path(SNAPPERD_CONTEXTS); -+} -+ -+hidden_def(selinux_snapperd_contexts_path) -+ - const char *selinux_systemd_contexts_path(void) - { - return get_path(SYSTEMD_CONTEXTS); -diff --git libselinux-2.5/src/selinux_internal.h libselinux-2.5/src/selinux_internal.h -index 46566f6..3d5c9fb 100644 ---- libselinux-2.5/src/selinux_internal.h -+++ libselinux-2.5/src/selinux_internal.h -@@ -83,7 +83,9 @@ hidden_proto(selinux_mkload_policy) - hidden_proto(selinux_media_context_path) - hidden_proto(selinux_x_context_path) - hidden_proto(selinux_sepgsql_context_path) -+ hidden_proto(selinux_openrc_contexts_path) - hidden_proto(selinux_openssh_contexts_path) -+ hidden_proto(selinux_snapperd_contexts_path) - hidden_proto(selinux_systemd_contexts_path) - hidden_proto(selinux_path) - hidden_proto(selinux_check_passwd_access) -diff --git libselinux-2.5/src/selinuxswig.i libselinux-2.5/src/selinuxswig.i -index c1e4ef7..687c43b 100644 ---- libselinux-2.5/src/selinuxswig.i -+++ libselinux-2.5/src/selinuxswig.i -@@ -9,6 +9,7 @@ - #include "../include/selinux/get_context_list.h" - #include "../include/selinux/get_default_type.h" - #include "../include/selinux/label.h" -+ #include "../include/selinux/restorecon.h" - #include "../include/selinux/selinux.h" - %} - %apply int *OUTPUT { int *enforce }; -@@ -61,4 +62,5 @@ - %include "../include/selinux/get_context_list.h" - %include "../include/selinux/get_default_type.h" - %include "../include/selinux/label.h" -+%include "../include/selinux/restorecon.h" - %include "../include/selinux/selinux.h" -diff --git libselinux-2.5/src/selinuxswig_python.i libselinux-2.5/src/selinuxswig_python.i -index 8cea18d..eac8475 100644 ---- libselinux-2.5/src/selinuxswig_python.i -+++ libselinux-2.5/src/selinuxswig_python.i -@@ -14,31 +14,23 @@ DISABLED = -1 - PERMISSIVE = 0 - ENFORCING = 1 - --def restorecon(path, recursive=False): -- """ Restore SELinux context on a given path """ -- -- try: -- mode = os.lstat(path)[stat.ST_MODE] -- status, context = matchpathcon(path, mode) -- except OSError: -- path = os.path.realpath(os.path.expanduser(path)) -- mode = os.lstat(path)[stat.ST_MODE] -- status, context = matchpathcon(path, mode) -- -- if status == 0: -- try: -- status, oldcontext = lgetfilecon(path) -- except OSError as e: -- if e.errno != errno.ENODATA: -- raise -- oldcontext = None -- if context != oldcontext: -- lsetfilecon(path, context) -- -- if recursive: -- for root, dirs, files in os.walk(path): -- for name in files + dirs: -- restorecon(os.path.join(root, name)) -+def restorecon(path, recursive=False, verbose=False): -+ """ Restore SELinux context on a given path -+ -+ Arguments: -+ path -- The pathname for the file or directory to be relabeled. -+ -+ Keyword arguments: -+ recursive -- Change files and directories file labels recursively (default False) -+ verbose -- Show changes in file labels (default False) -+ """ -+ -+ restorecon_flags = SELINUX_RESTORECON_IGNORE_DIGEST | SELINUX_RESTORECON_REALPATH -+ if recursive: -+ restorecon_flags |= SELINUX_RESTORECON_RECURSE -+ if verbose: -+ restorecon_flags |= SELINUX_RESTORECON_VERBOSE -+ selinux_restorecon(os.path.expanduser(path), restorecon_flags) - - def chcon(path, context, recursive=False): - """ Set the SELinux context on a given path """ -diff --git libselinux-2.5/src/setfilecon.c libselinux-2.5/src/setfilecon.c +diff --git libselinux-2.6/src/setfilecon.c libselinux-2.6/src/setfilecon.c index d05969c..3f0200e 100644 ---- libselinux-2.5/src/setfilecon.c -+++ libselinux-2.5/src/setfilecon.c +--- libselinux-2.6/src/setfilecon.c ++++ libselinux-2.6/src/setfilecon.c @@ -9,8 +9,12 @@ int setfilecon_raw(const char *path, const char * context) @@ -1923,80 +692,3 @@ index d05969c..3f0200e 100644 if (rc < 0 && errno == ENOTSUP) { char * ccontext = NULL; int err = errno; -diff --git libselinux-2.5/utils/.gitignore libselinux-2.5/utils/.gitignore -index 060eaab..ed3bf0b 100644 ---- libselinux-2.5/utils/.gitignore -+++ libselinux-2.5/utils/.gitignore -@@ -14,7 +14,12 @@ getseuser - matchpathcon - policyvers - sefcontext_compile -+selabel_digest -+selabel_lookup -+selabel_lookup_best_match -+selabel_partial_match - selinux_check_securetty_context -+selinux_restorecon - selinuxenabled - selinuxexeccon - setenforce -diff --git libselinux-2.5/utils/Makefile libselinux-2.5/utils/Makefile -index cf7af52..8497cb4 100644 ---- libselinux-2.5/utils/Makefile -+++ libselinux-2.5/utils/Makefile -@@ -3,6 +3,7 @@ PREFIX ?= $(DESTDIR)/usr - LIBDIR ?= $(PREFIX)/lib - USRBINDIR ?= $(PREFIX)/sbin - SBINDIR ?= $(DESTDIR)/sbin -+INCLUDEDIR ?= $(PREFIX)/include - - MAX_STACK_SIZE=8192 - CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissing-include-dirs \ -@@ -23,7 +24,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi - -fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \ - -fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \ - -Werror -Wno-aggregate-return -Wno-redundant-decls --override CFLAGS += -I../include -D_GNU_SOURCE $(EMFLAGS) -+override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) - LDLIBS += -L../src -lselinux -L$(LIBDIR) - - TARGETS=$(patsubst %.c,%,$(wildcard *.c)) -diff --git libselinux-2.5/utils/sefcontext_compile.c libselinux-2.5/utils/sefcontext_compile.c -index d2578b6..fd6fb78 100644 ---- libselinux-2.5/utils/sefcontext_compile.c -+++ libselinux-2.5/utils/sefcontext_compile.c -@@ -228,10 +228,13 @@ static int write_binary_file(struct saved_data *data, int fd) - if (len != to_write) - goto err; - -- /* determine the size of the pcre study info */ -- rc = pcre_fullinfo(re, sd, PCRE_INFO_STUDYSIZE, &size); -- if (rc < 0) -- goto err; -+ if (sd) { -+ /* determine the size of the pcre study info */ -+ rc = pcre_fullinfo(re, sd, PCRE_INFO_STUDYSIZE, &size); -+ if (rc < 0) -+ goto err; -+ } else -+ size = 0; - - /* write the number of bytes in the pcre study data */ - to_write = size; -@@ -239,10 +242,12 @@ static int write_binary_file(struct saved_data *data, int fd) - if (len != 1) - goto err; - -- /* write the actual pcre study data as a char array */ -- len = fwrite(sd->study_data, 1, to_write, bin_file); -- if (len != to_write) -- goto err; -+ if (sd) { -+ /* write the actual pcre study data as a char array */ -+ len = fwrite(sd->study_data, 1, to_write, bin_file); -+ if (len != to_write) -+ goto err; -+ } - } - - rc = 0; diff --git a/libselinux.spec b/libselinux.spec index 008ffb0..89fc4e2 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -3,26 +3,31 @@ %endif %define ruby_inc %(pkg-config --cflags ruby) -%define libsepolver 2.5-10 +%define libsepolver 2.6-0 %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} Summary: SELinux library and simple utilities Name: libselinux -Version: 2.5 -Release: 18%{?dist} +Version: 2.6 +Release: 1%{?dist} License: Public Domain Group: System Environment/Libraries # https://github.com/SELinuxProject/selinux/wiki/Releases -Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libselinux-2.5.tar.gz +Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/libselinux-2.6.tar.gz Source1: selinuxconlist.8 Source2: selinuxdefcon.8 Url: https://github.com/SELinuxProject/selinux/wiki # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: -# $ VERSION=2.5 ./make-fedora-selinux-patch.sh libselinux -# HEAD https://github.com/fedora-selinux/selinux/commit/3dcc89405fc1efdcd41b96c50b030174fcaf4514 +# $ VERSION=2.6 ./make-fedora-selinux-patch.sh libselinux +# FIXME: HEAD https://github.com/fedora-selinux/selinux/commit/3dcc89405fc1efdcd41b96c50b030174fcaf4514 Patch1: libselinux-fedora.patch -BuildRequires: pkgconfig python python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel +%if 0%{?fedora} > 25 +BuildRequires: pkgconf-pkg-config +%else +BuildRequires: pkgconfig +%endif +BuildRequires: python python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel %if 0%{?with_python3} BuildRequires: python3 python3-devel %endif # if with_python3 @@ -103,7 +108,7 @@ The libselinux-static package contains the static libraries needed for developing SELinux applications. %prep -%autosetup -p 1 -n libselinux-2.5 +%autosetup -p 1 -n libselinux-%{version} %build export LDFLAGS="%{?__global_ldflags}" @@ -257,6 +262,9 @@ rm -rf %{buildroot} %{ruby_vendorarchdir}/selinux.so %changelog +* Sun Feb 12 2017 Petr Lautrbach - 2.6-1 +- Update to upstream release 2016-10-14 + * Fri Feb 10 2017 Fedora Release Engineering - 2.5-18 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild diff --git a/sources b/sources index de6b592..3704ff2 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -d1399f5c2fd2fbe0e9603d5143b30367 libselinux-2.5.tar.gz +SHA512 (libselinux-2.6.tar.gz) = 906e1bf98c669862ab4f4e883d511db8d739a5763dc857c9405ad3cc6c70766a482853d07134698a1a98257a8632cc756d0549a7640c2915d051714f502ff14b