SHA256
1
0
forked from pool/libselinux
libselinux/libselinux-rhat.patch

756 lines
23 KiB
Diff
Raw Normal View History

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
index a4079aa..0b122af 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
@@ -177,6 +177,7 @@ extern void selinux_set_callback(int type, union selinux_callback cb);
#define SELINUX_WARNING 1
#define SELINUX_INFO 2
#define SELINUX_AVC 3
+#define SELINUX_TRANS_DIR "/var/run/setrans"
/* Compute an access decision. */
extern int security_compute_av(const security_context_t scon,
@@ -496,8 +497,15 @@ extern int selinux_getpolicytype(char **policytype);
*/
extern const char *selinux_policy_root(void);
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+/*
+ selinux_set_policy_root sets an alternate policy root directory path under
+ which the compiled policy file and context configuration files exist.
+ */
+extern int selinux_set_policy_root(const char *rootpath);
+
/* These functions return the paths to specific files under the
policy root directory. */
+extern const char *selinux_current_policy_path(void);
extern const char *selinux_binary_policy_path(void);
extern const char *selinux_failsafe_context_path(void);
extern const char *selinux_removable_context_path(void);
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
index c6837fc..de62d26 100644
--- a/libselinux/man/man3/security_compute_av.3
+++ b/libselinux/man/man3/security_compute_av.3
@@ -37,9 +37,9 @@ the SELinux policy database in the kernel
.sp
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
.BI "int security_compute_user_raw(security_context_t "scon ", const char *" username ", security_context_t **" con );
.sp
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
-.BI "int security_get_initial_context(const char *" name ", security_context_t " con );
+.BI "int security_get_initial_context(const char *" name ", security_context_t *" con );
.sp
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
-.BI "int security_get_initial_context_raw(const char *" name ", security_context_t " con );
+.BI "int security_get_initial_context_raw(const char *" name ", security_context_t *" con );
.sp
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
.BI "int selinux_check_access(const security_context_t " scon ", const security_context_t " tcon ", const char *" class ", const char *" perm ", void *" auditdata);
.sp
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
diff --git a/libselinux/man/man3/selinux_binary_policy_path.3 b/libselinux/man/man3/selinux_binary_policy_path.3
index ec97dcf..503c52c 100644
--- a/libselinux/man/man3/selinux_binary_policy_path.3
+++ b/libselinux/man/man3/selinux_binary_policy_path.3
@@ -1,6 +1,6 @@
.TH "selinux_binary_policy_path" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation"
.SH "NAME"
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
-selinux_path, selinux_policy_root, selinux_binary_policy_path,
+selinux_path, selinux_policy_root, selinux_binary_policy_path, selinux_current_policy_path,
selinux_failsafe_context_path, selinux_removable_context_path,
selinux_default_context_path, selinux_user_contexts_path,
selinux_file_context_path, selinux_media_context_path,
@@ -17,6 +17,8 @@ directories and files
.sp
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
.B const char *selinux_binary_policy_path(void);
.sp
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+.B const char *selinux_current_policy_path(void);
+.sp
.B const char *selinux_failsafe_context_path(void);
.sp
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
.B const char *selinux_removable_context_path(void);
@@ -55,6 +57,9 @@ returns the top-level policy directory.
.BR selinux_binary_policy_path ()
returns the binary policy file loaded into kernel.
.sp
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+.BR selinux_current_policy_path ()
+returns the currently loaded policy file from the kernel.
+.sp
.BR selinux_default_type_path ()
returns the context file mapping roles to default types.
.sp
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
diff --git a/libselinux/man/man3/selinux_current_policy_path.3 b/libselinux/man/man3/selinux_current_policy_path.3
new file mode 100644
index 0000000..175a611
--- /dev/null
+++ b/libselinux/man/man3/selinux_current_policy_path.3
@@ -0,0 +1 @@
+.so man3/selinux_binary_policy_path.3
diff --git a/libselinux/man/man3/selinux_policy_root.3 b/libselinux/man/man3/selinux_policy_root.3
index a6ccf86..63dc901 100644
--- a/libselinux/man/man3/selinux_policy_root.3
+++ b/libselinux/man/man3/selinux_policy_root.3
@@ -1,21 +1,34 @@
.TH "selinux_policy_root" "3" "25 May 2004" "dwalsh@redhat.com" "SELinux API documentation"
.SH "NAME"
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
selinux_policy_root \- return the path of the SELinux policy files for this machine
+selinux_set_policy_root \- Set an alternate SELinux root path for the SELinux policy files for this machine.
.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
.B const char *selinux_policy_root(void);
.
+.sp
+.B int selinux_set_policy_root(const char *policypath);
+.
.SH "DESCRIPTION"
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
.BR selinux_policy_root ()
reads the contents of the
.I /etc/selinux/config
file to determine which policy files should be used for this machine.
.
+.BR selinux_set_policy_root ()
+sets up all all policy paths based on the alternate root
+
+.I /etc/selinux/config
+file to determine which policy files should be used for this machine.
+.
.SH "RETURN VALUE"
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
-On success, returns a directory path containing the SELinux policy files.
-On failure, NULL is returned.
+On success, selinux_policy_root returns a directory path containing the SELinux policy files.
+On failure, selinux_policy_root returns NULL.
+
+On success, selinux_set_policy_root returns 0 on success -1 on failure.
+
.
.SH "SEE ALSO"
.BR selinux "(8)"
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
diff --git a/libselinux/man/man3/selinux_set_policy_root.3 b/libselinux/man/man3/selinux_set_policy_root.3
new file mode 100644
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
index 0000000..8077658
--- /dev/null
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+++ b/libselinux/man/man3/selinux_set_policy_root.3
@@ -0,0 +1 @@
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+.so man3/selinux_policy_root.3
diff --git a/libselinux/man/man8/matchpathcon.8 b/libselinux/man/man8/matchpathcon.8
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
index 368991f..5d60789 100644
--- a/libselinux/man/man8/matchpathcon.8
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+++ b/libselinux/man/man8/matchpathcon.8
@@ -13,6 +13,8 @@ matchpathcon \- get the default SELinux security context for the specified path
.IR file_contexts_file ]
.RB [ \-p
.IR prefix ]
+.RB [ \-P
+.IR policy_root_path ]
.I filepath...
.
.SH "DESCRIPTION"
@@ -46,6 +48,9 @@ Use alternate file_context file
.BI \-p " prefix"
Use prefix to speed translations
.TP
+.BI \-P " policy_root_path"
+Use alternate policy root path
+.TP
.B \-V
Verify file context on disk matches defaults
.
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
index a328866..50868e4 100644
--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
@@ -37,20 +37,22 @@ The
configuration file also controls what policy
is active on the system. SELinux allows for multiple policies to be
installed on the system, but only one policy may be active at any
-given time. At present, two kinds of SELinux policy exist: targeted
-and strict. The targeted policy is designed as a policy where most
-processes operate without restrictions, and only specific services are
+given time. At present, multiple kinds of SELinux policy exist: targeted,
+mls for example. The targeted policy is designed as a policy where most
+user processes operate without restrictions, and only specific services are
placed into distinct security domains that are confined by the policy.
For example, the user would run in a completely unconfined domain
while the named daemon or apache daemon would run in a specific domain
-tailored to its operation. The strict policy is designed as a policy
-where all processes are partitioned into fine-grained security domains
-and confined by policy. It is anticipated in the future that other
-policies will be created (Multi-Level Security for example). You can
+tailored to its operation. The MLS (Multi-Level Security) policy is designed
+as a policy where all processes are partitioned into fine-grained security
+domains and confined by policy. MLS also supports the Bell And LaPadula model, where processes are not only confined by the type but also the level of the data.
+
+You can
define which policy you will run by setting the
.B SELINUXTYPE
environment variable within
.IR /etc/selinux/config .
+You must reboot and possibly relabel if you change the policy type to have it take effect on the system.
The corresponding
policy configuration for each such policy must be installed in the
.I /etc/selinux/{SELINUXTYPE}/
@@ -58,7 +60,7 @@ directories.
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
A given SELinux policy can be customized further based on a set of
compile-time tunable options and a set of runtime policy booleans.
-.B \%system\-config\-securitylevel
+.B \%system\-config\-selinux
allows customization of these booleans and tunables.
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
Many domains that are protected by SELinux also include SELinux man pages explaining how to customize their policy.
@@ -86,11 +88,13 @@ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.nh
.BR booleans (8),
.BR setsebool (8),
-.BR selinuxenabled (8),
+.BR sepolicy (8),
+.BR system-config-selinux (8),
.BR togglesebool (8),
.BR restorecon (8),
+.BR fixfiles (8),
.BR setfiles (8),
-.BR semange (8),
+.BR semanage (8),
.BR sepolicy(8)
Every confined service on the system has a man page in the following format:
diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
index ffe381b..560bc25 100644
--- a/libselinux/src/audit2why.c
+++ b/libselinux/src/audit2why.c
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
@@ -210,27 +210,12 @@ static int __policy_init(const char *init_path)
return 1;
}
} else {
- vers = sepol_policy_kern_vers_max();
- if (vers < 0) {
- snprintf(errormsg, sizeof(errormsg),
- "Could not get policy version: %s\n",
- strerror(errno));
- PyErr_SetString( PyExc_ValueError, errormsg);
- return 1;
- }
- snprintf(path, PATH_MAX, "%s.%d",
- selinux_binary_policy_path(), vers);
- fp = fopen(path, "r");
- while (!fp && errno == ENOENT && --vers) {
- snprintf(path, PATH_MAX, "%s.%d",
- selinux_binary_policy_path(), vers);
- fp = fopen(path, "r");
- }
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+ fp = fopen(selinux_current_policy_path(), "r");
if (!fp) {
snprintf(errormsg, sizeof(errormsg),
- "unable to open %s.%d: %s\n",
- selinux_binary_policy_path(),
- security_policyvers(), strerror(errno));
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+ "unable to open %s: %s\n",
+ selinux_current_policy_path(),
+ strerror(errno));
PyErr_SetString( PyExc_ValueError, errormsg);
return 1;
}
@@ -310,10 +295,12 @@ static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) {
}
#define RETURN(X) \
- PyTuple_SetItem(result, 0, Py_BuildValue("i", X)); \
- return result;
+ { \
+ return Py_BuildValue("iO", (X), Py_None); \
+ }
static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args) {
+ char *reason_buf = NULL;
security_context_t scon;
security_context_t tcon;
char *tclassstr;
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
@@ -328,10 +315,6 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
struct sepol_av_decision avd;
int rc;
int i=0;
- PyObject *result = PyTuple_New(2);
- if (!result) return NULL;
- Py_INCREF(Py_None);
- PyTuple_SetItem(result, 1, Py_None);
if (!PyArg_ParseTuple(args,(char *)"sssO!:audit2why",&scon,&tcon,&tclassstr,&PyList_Type, &listObj))
return NULL;
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
@@ -342,22 +325,21 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
/* should raise an error here. */
if (numlines < 0) return NULL; /* Not a list */
- if (!avc) {
+ if (!avc)
RETURN(NOPOLICY)
- }
rc = sepol_context_to_sid(scon, strlen(scon) + 1, &ssid);
- if (rc < 0) {
+ if (rc < 0)
RETURN(BADSCON)
- }
+
rc = sepol_context_to_sid(tcon, strlen(tcon) + 1, &tsid);
- if (rc < 0) {
+ if (rc < 0)
RETURN(BADTCON)
- }
+
tclass = string_to_security_class(tclassstr);
- if (!tclass) {
+ if (!tclass)
RETURN(BADTCLASS)
- }
+
/* Convert the permission list to an AV. */
av = 0;
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
@@ -377,21 +359,20 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
#endif
perm = string_to_av_perm(tclass, permstr);
- if (!perm) {
+ if (!perm)
RETURN(BADPERM)
- }
+
av |= perm;
}
/* Reproduce the computation. */
- rc = sepol_compute_av_reason(ssid, tsid, tclass, av, &avd, &reason);
- if (rc < 0) {
+ rc = sepol_compute_av_reason_buffer(ssid, tsid, tclass, av, &avd, &reason, &reason_buf, 0);
+ if (rc < 0)
RETURN(BADCOMPUTE)
- }
- if (!reason) {
+ if (!reason)
RETURN(ALLOW)
- }
+
if (reason & SEPOL_COMPUTEAV_TE) {
avc->ssid = ssid;
avc->tsid = tsid;
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
@@ -404,28 +385,34 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
RETURN(TERULE)
}
} else {
- PyTuple_SetItem(result, 0, Py_BuildValue("i", BOOLEAN));
+ PyObject *outboollist;
struct boolean_t *b = bools;
int len=0;
while (b->name) {
len++; b++;
}
b = bools;
- PyObject *outboollist = PyTuple_New(len);
+ outboollist = PyList_New(len);
len=0;
while(b->name) {
- PyObject *bool = Py_BuildValue("(si)", b->name, b->active);
- PyTuple_SetItem(outboollist, len++, bool);
+ PyObject *bool_ = Py_BuildValue("(si)", b->name, b->active);
+ PyList_SetItem(outboollist, len++, bool_);
b++;
}
free(bools);
- PyTuple_SetItem(result, 1, outboollist);
- return result;
+ /* 'N' steals the reference to outboollist */
+ return Py_BuildValue("iN", BOOLEAN, outboollist);
}
}
if (reason & SEPOL_COMPUTEAV_CONS) {
- RETURN(CONSTRAINT);
+ if (reason_buf) {
+ PyObject *result = NULL;
+ result = Py_BuildValue("is", CONSTRAINT, reason_buf);
+ free(reason_buf);
+ return result;
+ }
+ RETURN(CONSTRAINT)
}
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
if (reason & SEPOL_COMPUTEAV_RBAC)
diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index 802a07f..6ff83a7 100644
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@@ -827,6 +827,7 @@ int avc_has_perm(security_id_t ssid, security_id_t tsid,
errsave = errno;
avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);
errno = errsave;
+ if (!avc_enforcing) return 0;
return rc;
}
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
index b9e8002..355730a 100644
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@@ -426,7 +426,7 @@ int get_ordered_context_list(const char *user,
/* Initialize ordering array. */
ordering = malloc(nreach * sizeof(unsigned int));
if (!ordering)
- goto oom_order;
+ goto failsafe;
for (i = 0; i < nreach; i++)
ordering[i] = nreach;
@@ -435,7 +435,7 @@ int get_ordered_context_list(const char *user,
fname_len = strlen(user_contexts_path) + strlen(user) + 2;
fname = malloc(fname_len);
if (!fname)
- goto oom_order;
+ goto failsafe;
snprintf(fname, fname_len, "%s%s", user_contexts_path, user);
fp = fopen(fname, "r");
if (fp) {
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
@@ -465,31 +465,28 @@ int get_ordered_context_list(const char *user,
}
}
+ if (!nordered)
+ goto failsafe;
+
/* Apply the ordering. */
- if (nordered) {
- co = malloc(nreach * sizeof(struct context_order));
- if (!co)
- goto oom_order;
- for (i = 0; i < nreach; i++) {
- co[i].con = reachable[i];
- co[i].order = ordering[i];
- }
- qsort(co, nreach, sizeof(struct context_order), order_compare);
- for (i = 0; i < nreach; i++)
- reachable[i] = co[i].con;
- free(co);
+ co = malloc(nreach * sizeof(struct context_order));
+ if (!co)
+ goto failsafe;
+ for (i = 0; i < nreach; i++) {
+ co[i].con = reachable[i];
+ co[i].order = ordering[i];
}
+ qsort(co, nreach, sizeof(struct context_order), order_compare);
+ for (i = 0; i < nreach; i++)
+ reachable[i] = co[i].con;
+ free(co);
- /* Return the ordered list.
- If we successfully ordered it, then only report the ordered entries
- to the caller. Otherwise, fall back to the entire reachable list. */
- if (nordered && nordered < nreach) {
+ /* Only report the ordered entries to the caller. */
+ if (nordered < nreach) {
for (i = nordered; i < nreach; i++)
free(reachable[i]);
reachable[nordered] = NULL;
rc = nordered;
- } else {
- rc = nreach;
}
out:
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
@@ -523,14 +520,6 @@ int get_ordered_context_list(const char *user,
}
rc = 1; /* one context in the list */
goto out;
-
- oom_order:
- /* Unable to order context list due to OOM condition.
- Fall back to unordered reachable context list. */
- fprintf(stderr, "%s: out of memory, unable to order list\n",
- __FUNCTION__);
- rc = nreach;
- goto out;
}
hidden_def(get_ordered_context_list)
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 5f697f3..9b0d6b0 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -649,6 +649,8 @@ static struct selabel_lookup_rec *lookup(struct selabel_handle *rec,
break;
} else if (rc == PCRE_ERROR_NOMATCH)
continue;
+
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+ errno = ENOENT;
/* else it's an error */
goto finish;
}
@@ -660,6 +662,7 @@ static struct selabel_lookup_rec *lookup(struct selabel_handle *rec,
goto finish;
}
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+ errno = 0;
ret = &spec_arr[i].lr;
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
finish:
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 2d7369e..2a00807 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -2,6 +2,7 @@
#include <string.h>
#include <errno.h>
#include <stdio.h>
+#include <syslog.h>
#include "selinux_internal.h"
#include "label_internal.h"
#include "callbacks.h"
@@ -62,7 +63,7 @@ static void
{
va_list ap;
va_start(ap, fmt);
- vfprintf(stderr, fmt, ap);
+ vsyslog(LOG_ERR, fmt, ap);
va_end(ap);
}
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
index 6c5b45a..0a0dd3e 100644
--- a/libselinux/src/procattr.c
+++ b/libselinux/src/procattr.c
@@ -257,6 +257,7 @@ out:
free(context);
return -1;
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
} else {
+ free(*prev_context);
*prev_context = context;
return 0;
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
}
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
index 296f357..0040524 100644
--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
@@ -8,6 +8,8 @@
#include <limits.h>
#include <unistd.h>
#include <pthread.h>
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+#include <errno.h>
+#include "policy.h"
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
#include "selinux_internal.h"
#include "get_default_type_internal.h"
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
@@ -138,6 +140,13 @@ int selinux_getpolicytype(char **type)
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
hidden_def(selinux_getpolicytype)
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+static int setpolicytype(const char *type)
+{
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+ free(selinux_policytype);
+ selinux_policytype = strdup(type);
+ return selinux_policytype ? 0 : -1;
+}
+
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
static char *selinux_policyroot = NULL;
static const char *selinux_rootpath = SELINUXDIR;
@@ -261,6 +270,37 @@ const char *selinux_policy_root(void)
return selinux_policyroot;
}
+int selinux_set_policy_root(const char *path)
+{
+ int i;
+ char *policy_type = strchr(selinux_policyroot, '/');
+ if (!policy_type) {
+ errno = EINVAL;
+ return -1;
+ }
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+ policy_type++;
+
+ fini_selinuxmnt();
+ fini_selinux_policyroot();
+
+ selinux_policyroot = strdup(path);
+ if (! selinux_policyroot)
+ return -1;
+
+ if (setpolicytype(policy_type) != 0)
+ return -1;
+
+ for (i = 0; i < NEL; i++)
+ if (asprintf(&file_paths[i], "%s%s",
+ selinux_policyroot,
+ file_path_suffixes_data.str +
+ file_path_suffixes_idx[i])
+ == -1)
+ return -1;
+
+ return 0;
+}
+
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
const char *selinux_path(void)
{
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
return selinux_rootpath;
@@ -303,6 +343,31 @@ const char *selinux_binary_policy_path(void)
hidden_def(selinux_binary_policy_path)
+const char *selinux_current_policy_path(void)
+{
+ int rc = 0;
+ int vers = 0;
+ static char policy_path[PATH_MAX];
+
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+ if (selinux_mnt) {
+ snprintf(policy_path, sizeof(policy_path), "%s/policy", selinux_mnt);
+ if (access(policy_path, F_OK) == 0 ) {
+ return policy_path;
+ }
+ }
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+ vers = security_policyvers();
+ do {
+ /* Check prior versions to see if old policy is available */
+ snprintf(policy_path, sizeof(policy_path), "%s.%d",
+ selinux_binary_policy_path(), vers);
+ } while ((rc = access(policy_path, F_OK)) && --vers > 0);
+
+ if (rc) return NULL;
+ return policy_path;
+}
+
+hidden_def(selinux_current_policy_path)
+
const char *selinux_file_context_path(void)
{
return get_path(FILE_CONTEXTS);
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
index 2c7c85c..4a4aebc 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
@@ -60,6 +60,7 @@ hidden_proto(selinux_mkload_policy)
hidden_proto(security_setenforce)
hidden_proto(security_deny_unknown)
hidden_proto(selinux_boolean_sub)
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+ hidden_proto(selinux_current_policy_path)
hidden_proto(selinux_binary_policy_path)
hidden_proto(selinux_booleans_subs_path)
hidden_proto(selinux_default_context_path)
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
diff --git a/libselinux/src/setrans_internal.h b/libselinux/src/setrans_internal.h
index a801ee8..b3bdca2 100644
--- a/libselinux/src/setrans_internal.h
+++ b/libselinux/src/setrans_internal.h
@@ -1,6 +1,7 @@
/* Author: Trusted Computer Solutions, Inc. */
+#include <selinux/selinux.h>
-#define SETRANS_UNIX_SOCKET "/var/run/setrans/.setrans-unix"
+#define SETRANS_UNIX_SOCKET SELINUX_TRANS_DIR "/.setrans-unix"
#define RAW_TO_TRANS_CONTEXT 2
#define TRANS_TO_RAW_CONTEXT 3
diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
index dd5aaa3..9d3ff3a 100644
--- a/libselinux/utils/matchpathcon.c
+++ b/libselinux/utils/matchpathcon.c
@@ -12,11 +12,10 @@
#include <limits.h>
#include <stdlib.h>
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
-
static void usage(const char *progname)
{
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
fprintf(stderr,
- "usage: %s [-N] [-n] [-f file_contexts] [-p prefix] [-Vq] path...\n",
+ "usage: %s [-N] [-n] [-f file_contexts] [ -P policy_root_path ] [-p prefix] [-Vq] path...\n",
progname);
exit(1);
}
@@ -78,7 +77,7 @@ int main(int argc, char **argv)
if (argc < 2)
usage(argv[0]);
- while ((opt = getopt(argc, argv, "m:Nnf:p:Vq")) > 0) {
+ while ((opt = getopt(argc, argv, "m:Nnf:P:p:Vq")) > 0) {
switch (opt) {
case 'n':
header = 0;
@@ -113,6 +112,15 @@ int main(int argc, char **argv)
exit(1);
}
break;
+ case 'P':
+ if (selinux_set_policy_root(optarg) < 0 ) {
+ fprintf(stderr,
+ "Error setting policy root %s: %s\n",
+ optarg,
+ errno ? strerror(errno) : "invalid");
+ exit(1);
+ }
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+ break;
case 'p':
if (init) {
fprintf(stderr,
diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c
index 6f79dd6..e019a07 100644
--- a/libselinux/utils/sefcontext_compile.c
+++ b/libselinux/utils/sefcontext_compile.c
@@ -145,7 +145,7 @@ static int process_file(struct saved_data *data, const char *filename)
* u32 - data length of the pcre regex study daya
* char - a buffer holding the raw pcre regex study data
*/
-static int write_binary_file(struct saved_data *data, char *filename)
+static int write_binary_file(struct saved_data *data, int fd)
{
struct spec *specs = data->spec_arr;
FILE *bin_file;
@@ -155,7 +155,7 @@ static int write_binary_file(struct saved_data *data, char *filename)
uint32_t i;
int rc;
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
- bin_file = fopen(filename, "w");
+ bin_file = fdopen(fd, "w");
if (!bin_file) {
perror("fopen output_file");
exit(EXIT_FAILURE);
@@ -321,7 +321,9 @@ int main(int argc, char *argv[])
const char *path;
char stack_path[PATH_MAX + 1];
int rc;
-
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+ char *tmp= NULL;
+ int fd;
+
if (argc != 2) {
fprintf(stderr, "usage: %s input_file\n", argv[0]);
exit(EXIT_FAILURE);
@@ -342,13 +344,29 @@ int main(int argc, char *argv[])
rc = snprintf(stack_path, sizeof(stack_path), "%s.bin", path);
if (rc < 0 || rc >= sizeof(stack_path))
return rc;
- rc = write_binary_file(&data, stack_path);
+
+ if (asprintf(&tmp, "%sXXXXXX", stack_path) < 0)
+ return -1;
+
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+ fd = mkstemp(tmp);
+ if (fd < 0)
+ goto err;
+
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+ rc = write_binary_file(&data, fd);
+
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
if (rc < 0)
- return rc;
+ goto err;
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
+ rename(tmp, stack_path);
rc = free_specs(&data);
if (rc < 0)
- return rc;
+ goto err;
Accepting request 161739 from home:vitezslav_cizek:branches:security:SELinux -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf * selinux_status_open: do not leak statusfd on exec * Fix errors found by coverity * Change boooleans.subs to booleans.subs_dist. * optimize set*con functions * pkg-config do not specifc ruby version * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error OBS-URL: https://build.opensuse.org/request/show/161739 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=63
2013-04-02 13:49:27 +02:00
- return 0;
+ rc = 0;
+out:
+ free(tmp);
+ return rc;
+err:
+ rc = -1;
+ goto out;
}