SHA256
1
0
forked from pool/libsemanage
OBS User unknown 2008-09-02 10:29:51 +00:00 committed by Git OBS Bridge
parent 51816338fb
commit 94069a2e43
6 changed files with 304 additions and 54 deletions

View File

@ -1,28 +0,0 @@
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libsemanage-2.0.15/src/genhomedircon.c
--- nsalibsemanage/src/genhomedircon.c 2008-01-28 16:52:22.000000000 -0500
+++ libsemanage-2.0.15/src/genhomedircon.c 2008-01-25 10:28:39.000000000 -0500
@@ -406,7 +406,6 @@
const char *role_prefix)
{
replacement_pair_t repl[] = {
- {.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
{.search_for = TEMPLATE_HOME_DIR,.replace_with = home},
{.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
{NULL, NULL}
@@ -466,7 +465,6 @@
replacement_pair_t repl[] = {
{.search_for = TEMPLATE_USER,.replace_with = user},
{.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
- {.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
{NULL, NULL}
};
Ustr *line = USTR_NULL;
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage.conf libsemanage-2.0.15/src/semanage.conf
--- nsalibsemanage/src/semanage.conf 2007-07-16 14:20:38.000000000 -0400
+++ libsemanage-2.0.15/src/semanage.conf 2008-01-25 10:28:39.000000000 -0500
@@ -35,4 +35,4 @@
# given in <sepol/policydb.h>. Change this setting if a different
# version is necessary.
#policy-version = 19
-
+expand-check=0

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:36301668cda87140099c6cb8dbd3fc5e66b8b8ead13c4e854fdd4bbbca507e9a
size 134226

View File

@ -0,0 +1,252 @@
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c libsemanage-2.0.27/src/direct_api.c
--- nsalibsemanage/src/direct_api.c 2008-06-12 23:25:16.000000000 -0400
+++ libsemanage-2.0.27/src/direct_api.c 2008-08-26 10:25:38.000000000 -0400
@@ -489,12 +489,6 @@
modified |= ifaces->dtable->is_modified(ifaces->dbase);
modified |= nodes->dtable->is_modified(nodes->dbase);
- /* FIXME: get rid of these, once we support loading the existing policy,
- * instead of rebuilding it */
- modified |= seusers_modified;
- modified |= fcontexts_modified;
- modified |= users_extra_modified;
-
/* If there were policy changes, or explicitly requested, rebuild the policy */
if (sh->do_rebuild || modified) {
@@ -667,11 +661,33 @@
retval = semanage_verify_kernel(sh);
if (retval < 0)
goto cleanup;
- }
+ } else {
+ retval = sepol_policydb_create(&out);
+ if (retval < 0)
+ goto cleanup;
+
+ retval = semanage_read_policydb(sh, out);
+ if (retval < 0)
+ goto cleanup;
+
+ /* dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase,out);
+ dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out);
+ dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out);
+ dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out);
+ dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out);
+ */
+ if (seusers_modified) {
+ retval = pseusers->dtable->clear(sh, pseusers->dbase);
+ if (retval < 0)
+ goto cleanup;
+ }
- /* FIXME: else if !modified, but seusers_modified,
- * load the existing policy instead of rebuilding */
+ retval = semanage_base_merge_components(sh);
+ if (retval < 0)
+ goto cleanup;
+ /* Seusers */
+ }
/* ======= Post-process: Validate non-policydb components ===== */
/* Validate local modifications to file contexts.
@@ -724,7 +740,8 @@
sepol_policydb_free(out);
out = NULL;
- if (sh->do_rebuild || modified) {
+ if (sh->do_rebuild || modified ||
+ seusers_modified || fcontexts_modified || users_extra_modified) {
retval = semanage_install_sandbox(sh);
}
@@ -733,12 +750,14 @@
free(mod_filenames[i]);
}
- /* Detach from policydb, so it can be freed */
- dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase);
- dbase_policydb_detach((dbase_policydb_t *) pports->dbase);
- dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase);
- dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase);
- dbase_policydb_detach((dbase_policydb_t *) pbools->dbase);
+ if (modified) {
+ /* Detach from policydb, so it can be freed */
+ dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase);
+ dbase_policydb_detach((dbase_policydb_t *) pports->dbase);
+ dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase);
+ dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase);
+ dbase_policydb_detach((dbase_policydb_t *) pbools->dbase);
+ }
free(mod_filenames);
sepol_policydb_free(out);
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libsemanage-2.0.27/src/genhomedircon.c
--- nsalibsemanage/src/genhomedircon.c 2008-08-05 09:57:28.000000000 -0400
+++ libsemanage-2.0.27/src/genhomedircon.c 2008-08-26 10:30:30.000000000 -0400
@@ -487,7 +487,6 @@
const char *role_prefix)
{
replacement_pair_t repl[] = {
- {.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
{.search_for = TEMPLATE_HOME_DIR,.replace_with = home},
{.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
{NULL, NULL}
@@ -547,7 +546,6 @@
replacement_pair_t repl[] = {
{.search_for = TEMPLATE_USER,.replace_with = user},
{.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
- {.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
{NULL, NULL}
};
Ustr *line = USTR_NULL;
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage.conf libsemanage-2.0.27/src/semanage.conf
--- nsalibsemanage/src/semanage.conf 2008-06-12 23:25:16.000000000 -0400
+++ libsemanage-2.0.27/src/semanage.conf 2008-08-14 14:53:32.000000000 -0400
@@ -35,4 +35,4 @@
# given in <sepol/policydb.h>. Change this setting if a different
# version is necessary.
#policy-version = 19
-
+expand-check=0
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c libsemanage-2.0.27/src/semanage_store.c
--- nsalibsemanage/src/semanage_store.c 2008-06-12 23:25:16.000000000 -0400
+++ libsemanage-2.0.27/src/semanage_store.c 2008-08-14 14:53:32.000000000 -0400
@@ -1648,6 +1648,47 @@
}
/**
+ * Read the policy from the sandbox (kernel)
+ */
+int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
+{
+
+ int retval = STATUS_ERR;
+ const char *kernel_filename = NULL;
+ struct sepol_policy_file *pf = NULL;
+ FILE *infile = NULL;
+
+ if ((kernel_filename =
+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_KERNEL)) == NULL) {
+ goto cleanup;
+ }
+ if ((infile = fopen(kernel_filename, "r")) == NULL) {
+ ERR(sh, "Could not open kernel policy %s for reading.",
+ kernel_filename);
+ goto cleanup;
+ }
+ __fsetlocking(infile, FSETLOCKING_BYCALLER);
+ if (sepol_policy_file_create(&pf)) {
+ ERR(sh, "Out of memory!");
+ goto cleanup;
+ }
+ sepol_policy_file_set_fp(pf, infile);
+ sepol_policy_file_set_handle(pf, sh->sepolh);
+ if (sepol_policydb_read(in, pf) == -1) {
+ ERR(sh, "Error while reading kernel policy from %s.",
+ kernel_filename);
+ goto cleanup;
+ }
+ retval = STATUS_SUCCESS;
+
+ cleanup:
+ if (infile != NULL) {
+ fclose(infile);
+ }
+ sepol_policy_file_free(pf);
+ return retval;
+}
+/**
* Writes the final policy to the sandbox (kernel)
*/
int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.h libsemanage-2.0.27/src/semanage_store.h
--- nsalibsemanage/src/semanage_store.h 2008-06-12 23:25:16.000000000 -0400
+++ libsemanage-2.0.27/src/semanage_store.h 2008-08-14 14:53:32.000000000 -0400
@@ -97,6 +97,9 @@
sepol_module_package_t * base,
sepol_policydb_t ** policydb);
+int semanage_read_policydb(semanage_handle_t * sh,
+ sepol_policydb_t * policydb);
+
int semanage_write_policydb(semanage_handle_t * sh,
sepol_policydb_t * policydb);
diff --exclude-from=exclude -N -u -r nsalibsemanage/tests/test_fcontext.c libsemanage-2.0.27/tests/test_fcontext.c
--- nsalibsemanage/tests/test_fcontext.c 1969-12-31 19:00:00.000000000 -0500
+++ libsemanage-2.0.27/tests/test_fcontext.c 2008-08-15 10:59:48.000000000 -0400
@@ -0,0 +1,72 @@
+#include <semanage/fcontext_record.h>
+#include <semanage/semanage.h>
+#include <semanage/fcontexts_local.h>
+#include <sepol/sepol.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(const int argc, const char **argv) {
+ semanage_handle_t *sh = NULL;
+ semanage_fcontext_t *fcontext;
+ semanage_context_t *con;
+ semanage_fcontext_key_t *k;
+
+ int exist = 0;
+ sh = semanage_handle_create();
+ if (sh == NULL) {
+ perror("Can't create semanage handle\n");
+ return -1;
+ }
+ if (semanage_access_check(sh) < 0) {
+ perror("Semanage access check failed\n");
+ return -1;
+ }
+ if (semanage_connect(sh) < 0) {
+ perror("Semanage connect failed\n");
+ return -1;
+ }
+
+ if (semanage_fcontext_key_create(sh, argv[2], SEMANAGE_FCONTEXT_REG, &k) < 0) {
+ fprintf(stderr, "Could not create key for %s", argv[2]);
+ return -1;
+ }
+
+ if(semanage_fcontext_exists(sh, k, &exist) < 0) {
+ fprintf(stderr,"Could not check if key exists for %s", argv[2]);
+ return -1;
+ }
+ if (exist) {
+ fprintf(stderr,"Could create %s mapping already exists", argv[2]);
+ return -1;
+ }
+
+ if (semanage_fcontext_create(sh, &fcontext) < 0) {
+ fprintf(stderr,"Could not create file context for %s", argv[2]);
+ return -1;
+ }
+ semanage_fcontext_set_expr(sh, fcontext, argv[2]);
+
+ if (semanage_context_from_string(sh, argv[1], &con)) {
+ fprintf(stderr,"Could not create context using %s for file context %s", argv[1], argv[2]);
+ return -1;
+ }
+
+ if (semanage_fcontext_set_con(sh, fcontext, con) < 0) {
+ fprintf(stderr,"Could not set file context for %s", argv[2]);
+ return -1;
+ }
+
+ semanage_fcontext_set_type(fcontext, SEMANAGE_FCONTEXT_REG);
+
+ if(semanage_fcontext_modify_local(sh, k, fcontext) < 0) {
+ fprintf(stderr,"Could not add file context for %s", argv[2]);
+ return -1;
+ }
+ semanage_fcontext_key_free(k);
+ semanage_fcontext_free(fcontext);
+
+ return 0;
+}
+

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5926b525bd00ed23a49a619373d4aaebf61882834b20cf3790654f88fd850be9
size 139476

View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Tue Sep 2 12:13:42 CEST 2008 - prusnak@suse.cz
- updated to 2.0.27
* Modify genhomedircon to skip %groupname entries.
Ultimately we need to expand them to the list of users to support
per-role homedir labeling when using the %groupname syntax.
- updated to 2.0.26
* Fix bug in genhomedircon fcontext matches logic from Dan Walsh.
Strip any trailing slash before appending /*$.
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Aug 1 17:32:21 CEST 2008 - ro@suse.de Fri Aug 1 17:32:21 CEST 2008 - ro@suse.de

View File

@ -1,10 +1,17 @@
# #
# spec file for package libsemanage (Version 2.0.25) # spec file for package libsemanage (Version 2.0.27)
# #
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
# #
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Please submit bugfixes or comments via http://bugs.opensuse.org/
# #
@ -17,8 +24,8 @@ BuildRequires: libselinux-devel >= %{libselinux_ver}
BuildRequires: libsepol-devel >= %{libsepol_ver} BuildRequires: libsepol-devel >= %{libsepol_ver}
Name: libsemanage Name: libsemanage
Version: 2.0.25 Version: 2.0.27
Release: 2 Release: 1
Url: http://www.nsa.gov/selinux/ Url: http://www.nsa.gov/selinux/
License: LGPL v2.1 only License: LGPL v2.1 only
Group: System/Libraries Group: System/Libraries
@ -29,14 +36,14 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define debug_package_requires libsemanage1 = %{version} %define debug_package_requires libsemanage1 = %{version}
%description %description
Security-enhanced Linux is a feature of the Linux® kernel and a number Security-enhanced Linux is a feature of the Linux(R) kernel and a
of utilities with enhanced security functionality designed to add number of utilities with enhanced security functionality designed to
mandatory access controls to Linux. The Security-enhanced Linux kernel add mandatory access controls to Linux. The Security-enhanced Linux
contains new architectural components originally developed to improve kernel contains new architectural components originally developed to
the security of the Flask operating system. These architectural improve the security of the Flask operating system. These architectural
components provide general support for the enforcement of many kinds of components provide general support for the enforcement of many kinds of
mandatory access control policies, including those based on the mandatory access control policies, including those based on the
concepts of Type Enforcement®, Role-based Access Control, and concepts of Type Enforcement(R), Role-based Access Control, and
Multi-level Security. Multi-level Security.
libsemanage provides an API for the manipulation of SELinux binary libsemanage provides an API for the manipulation of SELinux binary
@ -53,14 +60,14 @@ Group: System/Libraries
Summary: SELinux binary policy manipulation library Summary: SELinux binary policy manipulation library
%description -n libsemanage1 %description -n libsemanage1
Security-enhanced Linux is a feature of the Linux® kernel and a number Security-enhanced Linux is a feature of the Linux(R) kernel and a
of utilities with enhanced security functionality designed to add number of utilities with enhanced security functionality designed to
mandatory access controls to Linux. The Security-enhanced Linux kernel add mandatory access controls to Linux. The Security-enhanced Linux
contains new architectural components originally developed to improve kernel contains new architectural components originally developed to
the security of the Flask operating system. These architectural improve the security of the Flask operating system. These architectural
components provide general support for the enforcement of many kinds of components provide general support for the enforcement of many kinds of
mandatory access control policies, including those based on the mandatory access control policies, including those based on the
concepts of Type Enforcement®, Role-based Access Control, and concepts of Type Enforcement(R), Role-based Access Control, and
Multi-level Security. Multi-level Security.
libsemanage provides an API for the manipulation of SELinux binary libsemanage provides an API for the manipulation of SELinux binary
@ -78,14 +85,14 @@ Group: System/Libraries
Requires: libsemanage1 = %{version}-%{release} libustr-devel Requires: libsemanage1 = %{version}-%{release} libustr-devel
%description devel %description devel
Security-enhanced Linux is a feature of the Linux® kernel and a number Security-enhanced Linux is a feature of the Linux(R) kernel and a
of utilities with enhanced security functionality designed to add number of utilities with enhanced security functionality designed to
mandatory access controls to Linux. The Security-enhanced Linux kernel add mandatory access controls to Linux. The Security-enhanced Linux
contains new architectural components originally developed to improve kernel contains new architectural components originally developed to
the security of the Flask operating system. These architectural improve the security of the Flask operating system. These architectural
components provide general support for the enforcement of many kinds of components provide general support for the enforcement of many kinds of
mandatory access control policies, including those based on the mandatory access control policies, including those based on the
concepts of Type Enforcement®, Role-based Access Control, and concepts of Type Enforcement(R), Role-based Access Control, and
Multi-level Security. Multi-level Security.
libsemanage provides an API for the manipulation of SELinux binary libsemanage provides an API for the manipulation of SELinux binary
@ -161,6 +168,14 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/python*/site-packages/* %{_libdir}/python*/site-packages/*
%changelog %changelog
* Tue Sep 02 2008 prusnak@suse.cz
- updated to 2.0.27
* Modify genhomedircon to skip %%groupname entries.
Ultimately we need to expand them to the list of users to support
per-role homedir labeling when using the %%groupname syntax.
- updated to 2.0.26
* Fix bug in genhomedircon fcontext matches logic from Dan Walsh.
Strip any trailing slash before appending /*$.
* Fri Aug 01 2008 ro@suse.de * Fri Aug 01 2008 ro@suse.de
- fix requires for debuginfo package - fix requires for debuginfo package
* Tue Jul 15 2008 prusnak@suse.cz * Tue Jul 15 2008 prusnak@suse.cz