From 94069a2e4355942ea66312a47761d54c10b174802e0faf66537d7f36997c724c Mon Sep 17 00:00:00 2001
From: OBS User unknown <null@suse.de>
Date: Tue, 2 Sep 2008 10:29:51 +0000
Subject: [PATCH] OBS-URL:
 https://build.opensuse.org/package/show/openSUSE:Factory/libsemanage?expand=0&rev=2

---
 libsemanage-2.0.25-rhat.patch |  28 ----
 libsemanage-2.0.25.tar.bz2    |   3 -
 libsemanage-2.0.27-rhat.patch | 252 ++++++++++++++++++++++++++++++++++
 libsemanage-2.0.27.tar.bz2    |   3 +
 libsemanage.changes           |  11 ++
 libsemanage.spec              |  61 ++++----
 6 files changed, 304 insertions(+), 54 deletions(-)
 delete mode 100644 libsemanage-2.0.25-rhat.patch
 delete mode 100644 libsemanage-2.0.25.tar.bz2
 create mode 100644 libsemanage-2.0.27-rhat.patch
 create mode 100644 libsemanage-2.0.27.tar.bz2

diff --git a/libsemanage-2.0.25-rhat.patch b/libsemanage-2.0.25-rhat.patch
deleted file mode 100644
index 512d978..0000000
--- a/libsemanage-2.0.25-rhat.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libsemanage-2.0.15/src/genhomedircon.c
---- nsalibsemanage/src/genhomedircon.c	2008-01-28 16:52:22.000000000 -0500
-+++ libsemanage-2.0.15/src/genhomedircon.c	2008-01-25 10:28:39.000000000 -0500
-@@ -406,7 +406,6 @@
- 				  const char *role_prefix)
- {
- 	replacement_pair_t repl[] = {
--		{.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
- 		{.search_for = TEMPLATE_HOME_DIR,.replace_with = home},
- 		{.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
- 		{NULL, NULL}
-@@ -466,7 +465,6 @@
- 	replacement_pair_t repl[] = {
- 		{.search_for = TEMPLATE_USER,.replace_with = user},
- 		{.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
--		{.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
- 		{NULL, NULL}
- 	};
- 	Ustr *line = USTR_NULL;
-diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage.conf libsemanage-2.0.15/src/semanage.conf
---- nsalibsemanage/src/semanage.conf	2007-07-16 14:20:38.000000000 -0400
-+++ libsemanage-2.0.15/src/semanage.conf	2008-01-25 10:28:39.000000000 -0500
-@@ -35,4 +35,4 @@
- # given in <sepol/policydb.h>.  Change this setting if a different
- # version is necessary.
- #policy-version = 19
--
-+expand-check=0
diff --git a/libsemanage-2.0.25.tar.bz2 b/libsemanage-2.0.25.tar.bz2
deleted file mode 100644
index fc72dce..0000000
--- a/libsemanage-2.0.25.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:36301668cda87140099c6cb8dbd3fc5e66b8b8ead13c4e854fdd4bbbca507e9a
-size 134226
diff --git a/libsemanage-2.0.27-rhat.patch b/libsemanage-2.0.27-rhat.patch
new file mode 100644
index 0000000..2efffef
--- /dev/null
+++ b/libsemanage-2.0.27-rhat.patch
@@ -0,0 +1,252 @@
+diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c libsemanage-2.0.27/src/direct_api.c
+--- nsalibsemanage/src/direct_api.c	2008-06-12 23:25:16.000000000 -0400
++++ libsemanage-2.0.27/src/direct_api.c	2008-08-26 10:25:38.000000000 -0400
+@@ -489,12 +489,6 @@
+ 	modified |= ifaces->dtable->is_modified(ifaces->dbase);
+ 	modified |= nodes->dtable->is_modified(nodes->dbase);
+ 
+-	/* FIXME: get rid of these, once we support loading the existing policy,
+-	 * instead of rebuilding it */
+-	modified |= seusers_modified;
+-	modified |= fcontexts_modified;
+-	modified |= users_extra_modified;
+-
+ 	/* If there were policy changes, or explicitly requested, rebuild the policy */
+ 	if (sh->do_rebuild || modified) {
+ 
+@@ -667,11 +661,33 @@
+ 		retval = semanage_verify_kernel(sh);
+ 		if (retval < 0)
+ 			goto cleanup;
+-	}
++	} else {
++		retval = sepol_policydb_create(&out);
++		if (retval < 0)
++			goto cleanup;
++		
++		retval = semanage_read_policydb(sh, out);
++		if (retval < 0)
++			goto cleanup;
++		
++		/*		dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase,out);
++		dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out);
++		dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out);
++		dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out);
++		dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out);
++		*/
++		if (seusers_modified) {
++			retval = pseusers->dtable->clear(sh, pseusers->dbase);
++			if (retval < 0)
++				goto cleanup;
++		}
+ 
+-	/* FIXME: else if !modified, but seusers_modified, 
+-	 * load the existing policy instead of rebuilding */
++		retval = semanage_base_merge_components(sh);
++		if (retval < 0)
++		  goto cleanup;
+ 
++		/* Seusers */
++	}
+ 	/* ======= Post-process: Validate non-policydb components ===== */
+ 
+ 	/* Validate local modifications to file contexts.
+@@ -724,7 +740,8 @@
+ 	sepol_policydb_free(out);
+ 	out = NULL;
+ 
+-	if (sh->do_rebuild || modified) {
++	if (sh->do_rebuild || modified || 
++	    seusers_modified || fcontexts_modified || users_extra_modified) {
+ 		retval = semanage_install_sandbox(sh);
+ 	}
+ 
+@@ -733,12 +750,14 @@
+ 		free(mod_filenames[i]);
+ 	}
+ 
+-	/* Detach from policydb, so it can be freed */
+-	dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase);
+-	dbase_policydb_detach((dbase_policydb_t *) pports->dbase);
+-	dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase);
+-	dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase);
+-	dbase_policydb_detach((dbase_policydb_t *) pbools->dbase);
++	if (modified) {
++		/* Detach from policydb, so it can be freed */
++		dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase);
++		dbase_policydb_detach((dbase_policydb_t *) pports->dbase);
++		dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase);
++		dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase);
++		dbase_policydb_detach((dbase_policydb_t *) pbools->dbase);
++	}
+ 
+ 	free(mod_filenames);
+ 	sepol_policydb_free(out);
+diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libsemanage-2.0.27/src/genhomedircon.c
+--- nsalibsemanage/src/genhomedircon.c	2008-08-05 09:57:28.000000000 -0400
++++ libsemanage-2.0.27/src/genhomedircon.c	2008-08-26 10:30:30.000000000 -0400
+@@ -487,7 +487,6 @@
+ 				  const char *role_prefix)
+ {
+ 	replacement_pair_t repl[] = {
+-		{.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
+ 		{.search_for = TEMPLATE_HOME_DIR,.replace_with = home},
+ 		{.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
+ 		{NULL, NULL}
+@@ -547,7 +546,6 @@
+ 	replacement_pair_t repl[] = {
+ 		{.search_for = TEMPLATE_USER,.replace_with = user},
+ 		{.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
+-		{.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
+ 		{NULL, NULL}
+ 	};
+ 	Ustr *line = USTR_NULL;
+diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage.conf libsemanage-2.0.27/src/semanage.conf
+--- nsalibsemanage/src/semanage.conf	2008-06-12 23:25:16.000000000 -0400
++++ libsemanage-2.0.27/src/semanage.conf	2008-08-14 14:53:32.000000000 -0400
+@@ -35,4 +35,4 @@
+ # given in <sepol/policydb.h>.  Change this setting if a different
+ # version is necessary.
+ #policy-version = 19
+-
++expand-check=0
+diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c libsemanage-2.0.27/src/semanage_store.c
+--- nsalibsemanage/src/semanage_store.c	2008-06-12 23:25:16.000000000 -0400
++++ libsemanage-2.0.27/src/semanage_store.c	2008-08-14 14:53:32.000000000 -0400
+@@ -1648,6 +1648,47 @@
+ }
+ 
+ /**
++ * Read the policy from the sandbox (kernel)
++ */
++int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
++{
++
++	int retval = STATUS_ERR;
++	const char *kernel_filename = NULL;
++	struct sepol_policy_file *pf = NULL;
++	FILE *infile = NULL;
++
++	if ((kernel_filename =
++	     semanage_path(SEMANAGE_ACTIVE, SEMANAGE_KERNEL)) == NULL) {
++		goto cleanup;
++	}
++	if ((infile = fopen(kernel_filename, "r")) == NULL) {
++		ERR(sh, "Could not open kernel policy %s for reading.",
++		    kernel_filename);
++		goto cleanup;
++	}
++	__fsetlocking(infile, FSETLOCKING_BYCALLER);
++	if (sepol_policy_file_create(&pf)) {
++		ERR(sh, "Out of memory!");
++		goto cleanup;
++	}
++	sepol_policy_file_set_fp(pf, infile);
++	sepol_policy_file_set_handle(pf, sh->sepolh);
++	if (sepol_policydb_read(in, pf) == -1) {
++		ERR(sh, "Error while reading kernel policy from %s.",
++		    kernel_filename);
++		goto cleanup;
++	}
++	retval = STATUS_SUCCESS;
++
++      cleanup:
++	if (infile != NULL) {
++		fclose(infile);
++	}
++	sepol_policy_file_free(pf);
++	return retval;
++}
++/**
+  * Writes the final policy to the sandbox (kernel)
+  */
+ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
+diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.h libsemanage-2.0.27/src/semanage_store.h
+--- nsalibsemanage/src/semanage_store.h	2008-06-12 23:25:16.000000000 -0400
++++ libsemanage-2.0.27/src/semanage_store.h	2008-08-14 14:53:32.000000000 -0400
+@@ -97,6 +97,9 @@
+ 			    sepol_module_package_t * base,
+ 			    sepol_policydb_t ** policydb);
+ 
++int semanage_read_policydb(semanage_handle_t * sh,
++			    sepol_policydb_t * policydb);
++
+ int semanage_write_policydb(semanage_handle_t * sh,
+ 			    sepol_policydb_t * policydb);
+ 
+diff --exclude-from=exclude -N -u -r nsalibsemanage/tests/test_fcontext.c libsemanage-2.0.27/tests/test_fcontext.c
+--- nsalibsemanage/tests/test_fcontext.c	1969-12-31 19:00:00.000000000 -0500
++++ libsemanage-2.0.27/tests/test_fcontext.c	2008-08-15 10:59:48.000000000 -0400
+@@ -0,0 +1,72 @@
++#include <semanage/fcontext_record.h>
++#include <semanage/semanage.h>
++#include <semanage/fcontexts_local.h>
++#include <sepol/sepol.h>
++
++#include <errno.h>
++#include <stdio.h>
++#include <stdlib.h>
++
++int main(const int argc, const char **argv) {
++	semanage_handle_t *sh = NULL;
++	semanage_fcontext_t *fcontext;
++	semanage_context_t *con;
++	semanage_fcontext_key_t *k;
++
++	int exist = 0;
++	sh = semanage_handle_create();
++	if (sh == NULL) { 
++		perror("Can't create semanage handle\n");
++		return -1;
++	}
++        if (semanage_access_check(sh) < 0) {
++		perror("Semanage access check failed\n");
++		return -1;
++	}
++        if (semanage_connect(sh) < 0) {
++		perror("Semanage connect failed\n");
++		return -1;
++	}
++
++	if (semanage_fcontext_key_create(sh, argv[2], SEMANAGE_FCONTEXT_REG, &k) < 0) {
++		fprintf(stderr, "Could not create key for %s", argv[2]);
++		return -1;
++	}
++
++	if(semanage_fcontext_exists(sh, k, &exist) < 0) {
++		fprintf(stderr,"Could not check if key exists for %s", argv[2]);
++		return -1;
++	}
++	if (exist) {
++		fprintf(stderr,"Could create %s mapping already exists", argv[2]);
++		return -1;
++	}
++
++	if (semanage_fcontext_create(sh, &fcontext) < 0) {
++		fprintf(stderr,"Could not create file context for %s", argv[2]);
++		return -1;
++	}
++	semanage_fcontext_set_expr(sh, fcontext, argv[2]);
++
++	if (semanage_context_from_string(sh, argv[1], &con)) {
++		fprintf(stderr,"Could not create context using %s for file context %s", argv[1], argv[2]);
++		return -1;
++	}
++
++	if (semanage_fcontext_set_con(sh, fcontext, con) < 0) {
++		fprintf(stderr,"Could not set file context for %s", argv[2]);
++		return -1;
++	}
++
++	semanage_fcontext_set_type(fcontext, SEMANAGE_FCONTEXT_REG);
++
++	if(semanage_fcontext_modify_local(sh, k, fcontext) < 0) {
++		fprintf(stderr,"Could not add file context for %s", argv[2]);
++		return -1;
++	}
++	semanage_fcontext_key_free(k);
++	semanage_fcontext_free(fcontext);
++
++	return 0;
++}
++
diff --git a/libsemanage-2.0.27.tar.bz2 b/libsemanage-2.0.27.tar.bz2
new file mode 100644
index 0000000..efadb97
--- /dev/null
+++ b/libsemanage-2.0.27.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5926b525bd00ed23a49a619373d4aaebf61882834b20cf3790654f88fd850be9
+size 139476
diff --git a/libsemanage.changes b/libsemanage.changes
index 4bf6102..73b3fbd 100644
--- a/libsemanage.changes
+++ b/libsemanage.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Tue Sep  2 12:13:42 CEST 2008 - prusnak@suse.cz
+
+- updated to 2.0.27
+  * Modify genhomedircon to skip %groupname entries.
+    Ultimately we need to expand them to the list of users to support
+    per-role homedir labeling when using the %groupname syntax.
+- updated to 2.0.26
+  * Fix bug in genhomedircon fcontext matches logic from Dan Walsh.
+    Strip any trailing slash before appending /*$.
+
 -------------------------------------------------------------------
 Fri Aug  1 17:32:21 CEST 2008 - ro@suse.de
 
diff --git a/libsemanage.spec b/libsemanage.spec
index 9a31810..2d72e16 100644
--- a/libsemanage.spec
+++ b/libsemanage.spec
@@ -1,10 +1,17 @@
 #
-# spec file for package libsemanage (Version 2.0.25)
+# spec file for package libsemanage (Version 2.0.27)
 #
 # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
-# This file and all modifications and additions to the pristine
-# package are under the same license as the package itself.
 #
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
@@ -17,8 +24,8 @@ BuildRequires:  libselinux-devel >= %{libselinux_ver}
 BuildRequires:  libsepol-devel >= %{libsepol_ver}
 
 Name:           libsemanage
-Version:        2.0.25
-Release:        2
+Version:        2.0.27
+Release:        1
 Url:            http://www.nsa.gov/selinux/
 License:        LGPL v2.1 only
 Group:          System/Libraries
@@ -29,14 +36,14 @@ BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define debug_package_requires libsemanage1 = %{version}
 
 %description
-Security-enhanced Linux is a feature of the Linux® kernel and a number
-of utilities with enhanced security functionality designed to add
-mandatory access controls to Linux.  The Security-enhanced Linux kernel
-contains new architectural components originally developed to improve
-the security of the Flask operating system. These architectural
+Security-enhanced Linux is a feature of the Linux(R) kernel and a
+number of utilities with enhanced security functionality designed to
+add mandatory access controls to Linux.  The Security-enhanced Linux
+kernel contains new architectural components originally developed to
+improve the security of the Flask operating system. These architectural
 components provide general support for the enforcement of many kinds of
 mandatory access control policies, including those based on the
-concepts of Type Enforcement®, Role-based Access Control, and
+concepts of Type Enforcement(R), Role-based Access Control, and
 Multi-level Security.
 
 libsemanage provides an API for the manipulation of SELinux binary
@@ -53,14 +60,14 @@ Group:          System/Libraries
 Summary:        SELinux binary policy manipulation library
 
 %description -n libsemanage1
-Security-enhanced Linux is a feature of the Linux® kernel and a number
-of utilities with enhanced security functionality designed to add
-mandatory access controls to Linux.  The Security-enhanced Linux kernel
-contains new architectural components originally developed to improve
-the security of the Flask operating system. These architectural
+Security-enhanced Linux is a feature of the Linux(R) kernel and a
+number of utilities with enhanced security functionality designed to
+add mandatory access controls to Linux.  The Security-enhanced Linux
+kernel contains new architectural components originally developed to
+improve the security of the Flask operating system. These architectural
 components provide general support for the enforcement of many kinds of
 mandatory access control policies, including those based on the
-concepts of Type Enforcement®, Role-based Access Control, and
+concepts of Type Enforcement(R), Role-based Access Control, and
 Multi-level Security.
 
 libsemanage provides an API for the manipulation of SELinux binary
@@ -78,14 +85,14 @@ Group:          System/Libraries
 Requires:       libsemanage1 = %{version}-%{release} libustr-devel
 
 %description devel
-Security-enhanced Linux is a feature of the Linux® kernel and a number
-of utilities with enhanced security functionality designed to add
-mandatory access controls to Linux.  The Security-enhanced Linux kernel
-contains new architectural components originally developed to improve
-the security of the Flask operating system. These architectural
+Security-enhanced Linux is a feature of the Linux(R) kernel and a
+number of utilities with enhanced security functionality designed to
+add mandatory access controls to Linux.  The Security-enhanced Linux
+kernel contains new architectural components originally developed to
+improve the security of the Flask operating system. These architectural
 components provide general support for the enforcement of many kinds of
 mandatory access control policies, including those based on the
-concepts of Type Enforcement®, Role-based Access Control, and
+concepts of Type Enforcement(R), Role-based Access Control, and
 Multi-level Security.
 
 libsemanage provides an API for the manipulation of SELinux binary
@@ -161,6 +168,14 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/python*/site-packages/*
 
 %changelog
+* Tue Sep 02 2008 prusnak@suse.cz
+- updated to 2.0.27
+  * Modify genhomedircon to skip %%groupname entries.
+  Ultimately we need to expand them to the list of users to support
+  per-role homedir labeling when using the %%groupname syntax.
+- updated to 2.0.26
+  * Fix bug in genhomedircon fcontext matches logic from Dan Walsh.
+  Strip any trailing slash before appending /*$.
 * Fri Aug 01 2008 ro@suse.de
 - fix requires for debuginfo package
 * Tue Jul 15 2008 prusnak@suse.cz