From decdbe3544dafd0d2e071c9566644dd4b5c6fbe2 Mon Sep 17 00:00:00 2001 From: basebuilder_pel7x64builder0 Date: Wed, 16 May 2018 20:53:28 +0200 Subject: [PATCH] libselinux package update Signed-off-by: basebuilder_pel7x64builder0 --- SOURCES/libselinux-rhel.patch | 552 +++++++++++++++++----------------- SOURCES/selinuxconlist.8 | 2 +- SOURCES/selinuxdefcon.8 | 4 +- SPECS/libselinux.spec | 162 +++++----- 4 files changed, 360 insertions(+), 360 deletions(-) diff --git a/SOURCES/libselinux-rhel.patch b/SOURCES/libselinux-rhel.patch index 8799d10a..90f81441 100644 --- a/SOURCES/libselinux-rhel.patch +++ b/SOURCES/libselinux-rhel.patch @@ -21,8 +21,8 @@ index 24673dd..41507e4 100644 + * procattr: return error on invalid pid_t input, from Daniel Cashman. + 2.5 2016-02-23 - * selinux_restorecon.3 man page corrections, from Richard Haines. - * Add selinux_restorecon function, from Richard Haines. + * selinux_restorecon.3 man page corrections, from Richard Haines. + * Add selinux_restorecon function, from Richard Haines. diff --git libselinux-2.5/Makefile libselinux-2.5/Makefile index 6142b60..bdf9de8 100644 --- libselinux-2.5/Makefile @@ -30,7 +30,7 @@ index 6142b60..bdf9de8 100644 @@ -1,4 +1,4 @@ -SUBDIRS = src include utils man +SUBDIRS = src include utils man golang - + DISABLE_AVC ?= n DISABLE_SETRANS ?= n diff --git libselinux-2.5/golang/Makefile libselinux-2.5/golang/Makefile @@ -45,14 +45,14 @@ index 0000000..b75677b +GODIR ?= $(LIBDIR)/golang/src/pkg/github.com/selinux +all: + -+install: ++install: + [ -d $(GODIR) ] || mkdir -p $(GODIR) + install -m 644 selinux.go $(GODIR) + +test: + @mkdir selinux + @cp selinux.go selinux -+ GOPATH=$(pwd) go run test.go ++ GOPATH=$(pwd) go run test.go + @rm -rf selinux + +clean: @@ -535,7 +535,7 @@ index dbfe72d..bdbbadf 100644 
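Review bot: Every removed/added pair in this hunk (and throughout the SOURCES/libselinux-rhel.patch section, e.g. the audit2why.c, init.c and procattr.c hunks) is textually identical once whitespace is ignored, and the 360/360 diffstat suggests the commit is a whitespace normalization of a patch file rather than a content change. In a unified diff the whitespace on the inner `-` and ` ` lines is part of the context that `patch` must find verbatim in the pristine libselinux-2.5 tree, so if this rewrite altered tabs or trailing blanks on those lines (this rendering does not preserve them, so I cannot tell which bytes changed), the patch will stop applying at %prep unless it is applied with `--ignore-whitespace`. Please confirm the package still unpacks with `rpmbuild -bp` before merging, and prefer regenerating the patch from a git checkout over editing it in an editor that strips whitespace. The inner `+` lines are not an application problem, but changing their whitespace changes the patched sources, so they deserve the same check.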
@@ -175,7 +175,7 @@ If the userspace AVC is running in threaded mode, callbacks registered via may be executed in the context of the netlink handler thread. This will likely introduce synchronization issues requiring the use of locks. See .BR avc_init (3). - + -Support for dynamic revocation and retained permissions is mostly unimplemented in the SELinux kernel module. The only security event that currently gets excercised is +Support for dynamic revocation and retained permissions is mostly unimplemented in the SELinux kernel module. The only security event that currently gets exercised is .BR AVC_CALLBACK_RESET . @@ -553,7 +553,7 @@ index 7353952..3e9fca8 100644 +If requested permissions are granted, zero is returned. If requested permissions are denied or an error occurred, \-1 is returned and .I errno is set appropriately. - + diff --git libselinux-2.5/man/man3/getfilecon.3 libselinux-2.5/man/man3/getfilecon.3 index 5bb575b..ec02866 100644 --- libselinux-2.5/man/man3/getfilecon.3 @@ -567,7 +567,7 @@ index 5bb575b..ec02866 100644 +selinux_access_check as this function can return a cached value, which is not +suitable for access checking. It should only be used to print translated value +to the user. - + .BR lgetfilecon () is identical to diff --git libselinux-2.5/man/man3/is_selinux_enabled.3 libselinux-2.5/man/man3/is_selinux_enabled.3 @@ -578,16 +578,16 @@ index f02052c..df62c22 100644 is_selinux_enabled \- check whether SELinux is enabled . .SH "NAME" --is_selinux_mls_enabled \- check whether SELinux is enabled for (Multi Level Securty) MLS +-is_selinux_mls_enabled \- check whether SELinux is enabled for (Multi Level Securty) MLS +is_selinux_mls_enabled \- check whether SELinux is enabled for (Multi Level Security) MLS . .SH "SYNOPSIS" .B #include 
@@ -18,7 +18,9 @@ returns 1 if SELinux is running or 0 if it is not. On error, \-1 is returned. - + .BR is_selinux_mls_enabled () --returns 1 if SELinux is running in MLS mode or 0 if it is not. +-returns 1 if SELinux is running in MLS mode or 0 if it is not. +returns 1 if SELinux is capable of running in MLS mode or 0 if it is not. To +determine the policy in use on the system, use +.BR selinux_getpolicytype (3). @@ -696,7 +696,7 @@ index 6f1034b..c9f188c 100644 +.BR sepolicy(8), +.BR seinfo(8), +.BR sesearch(8) - + Every confined service on the system has a man page in the following format: .br diff --git libselinux-2.5/src/Makefile libselinux-2.5/src/Makefile @@ -708,7 +708,7 @@ index d0021ae..d94163e 100644 RUBY ?= ruby RUBYPREFIX ?= $(notdir $(RUBY)) +PKG_CONFIG ?= pkg-config - + # Installation directories. PREFIX ?= $(DESTDIR)/usr @@ -12,11 +13,11 @@ LIBDIR ?= $(PREFIX)/lib @@ -724,99 +724,99 @@ index d0021ae..d94163e 100644 +RUBYINC ?= $(shell $(PKG_CONFIG) --cflags ruby) RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) LIBBASE ?= $(shell basename $(LIBDIR)) - + @@ -48,7 +49,7 @@ ifeq ($(DISABLE_BOOL),y) endif - + GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i -SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(wildcard *.c)) +SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(sort $(wildcard *.c))) - + MAX_STACK_SIZE=32768 - + diff --git libselinux-2.5/src/audit2why.c libselinux-2.5/src/audit2why.c index 12745b3..7aca3f0 100644 --- libselinux-2.5/src/audit2why.c +++ libselinux-2.5/src/audit2why.c 
@@ -206,7 +206,7 @@ static int __policy_init(const char *init_path) - "unable to open %s: %s\n", - path, strerror(errno)); - PyErr_SetString( PyExc_ValueError, errormsg); + "unable to open %s: %s\n", + path, strerror(errno)); + PyErr_SetString( PyExc_ValueError, errormsg); - return 1; + return -1; - } - } else { - const char *curpolicy = selinux_current_policy_path(); + } + } else { + const char *curpolicy = selinux_current_policy_path(); @@ -215,7 +215,7 @@ static int __policy_init(const char *init_path) - snprintf(errormsg, sizeof(errormsg), - "You must specify the -p option with the path to the policy file.\n"); - PyErr_SetString( PyExc_ValueError, errormsg); + snprintf(errormsg, sizeof(errormsg), + "You must specify the -p option with the path to the policy file.\n"); + PyErr_SetString( PyExc_ValueError, errormsg); - return 1; + return -1; - } - fp = fopen(curpolicy, "r"); - if (!fp) { + } + fp = fopen(curpolicy, "r"); + if (!fp) { @@ -224,7 +224,7 @@ static int __policy_init(const char *init_path) - curpolicy, - strerror(errno)); - PyErr_SetString( PyExc_ValueError, errormsg); + curpolicy, + strerror(errno)); + PyErr_SetString( PyExc_ValueError, errormsg); - return 1; + return -1; - } - } - + } + } + @@ -232,7 +232,7 @@ static int __policy_init(const char *init_path) - if (!avc) { - PyErr_SetString( PyExc_MemoryError, "Out of memory\n"); - fclose(fp); + if (!avc) { + PyErr_SetString( PyExc_MemoryError, "Out of memory\n"); + fclose(fp); - return 1; + return -1; - } - - /* Set up a policydb directly so that we can mutate it later + } + + /* Set up a policydb directly so that we can mutate it later 
@@ -244,7 +244,7 @@ static int __policy_init(const char *init_path) - "policydb_init failed: %s\n", strerror(errno)); - PyErr_SetString( PyExc_RuntimeError, errormsg); - fclose(fp); + "policydb_init failed: %s\n", strerror(errno)); + PyErr_SetString( PyExc_RuntimeError, errormsg); + fclose(fp); - return 1; + return -1; - } - sepol_policy_file_set_fp(pf, fp); - if (sepol_policydb_read(avc->policydb, pf)) { + } + sepol_policy_file_set_fp(pf, fp); + if (sepol_policydb_read(avc->policydb, pf)) { @@ -252,7 +252,7 @@ static int __policy_init(const char *init_path) - "invalid binary policy %s\n", path); - PyErr_SetString( PyExc_ValueError, errormsg); - fclose(fp); + "invalid binary policy %s\n", path); + PyErr_SetString( PyExc_ValueError, errormsg); + fclose(fp); - return 1; + return -1; - } - fclose(fp); - sepol_set_policydb(&avc->policydb->p); + } + fclose(fp); + sepol_set_policydb(&avc->policydb->p); @@ -264,13 +264,13 @@ static int __policy_init(const char *init_path) - avc->policydb, &cnt); - if (rc < 0) { - PyErr_SetString( PyExc_RuntimeError, "unable to get bool count\n"); + avc->policydb, &cnt); + if (rc < 0) { + PyErr_SetString( PyExc_RuntimeError, "unable to get bool count\n"); - return 1; + return -1; - } - - boollist = calloc(cnt, sizeof(*boollist)); - if (!boollist) { - PyErr_SetString( PyExc_MemoryError, "Out of memory\n"); + } + + boollist = calloc(cnt, sizeof(*boollist)); + if (!boollist) { + PyErr_SetString( PyExc_MemoryError, "Out of memory\n"); - return 1; + return -1; - } - - sepol_bool_iterate(avc->handle, avc->policydb, + } + + sepol_bool_iterate(avc->handle, avc->policydb, 
@@ -282,7 +282,7 @@ static int __policy_init(const char *init_path) - if (rc < 0) { - PyErr_SetString( PyExc_RuntimeError, "unable to init sidtab\n"); - free(boollist); + if (rc < 0) { + PyErr_SetString( PyExc_RuntimeError, "unable to init sidtab\n"); + free(boollist); - return 1; + return -1; - } - sepol_set_sidtab(&sidtab); - return 0; + } + sepol_set_sidtab(&sidtab); + return 0; @@ -298,6 +298,8 @@ static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) { if (!PyArg_ParseTuple(args,(char *)"|s:policy_init",&init_path)) return NULL; @@ -825,169 +825,169 @@ index 12745b3..7aca3f0 100644 + return NULL; return Py_BuildValue("i", result); } - + @@ -343,8 +345,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args - if (rc < 0) - RETURN(BADTCON) - + if (rc < 0) + RETURN(BADTCON) + - tclass = string_to_security_class(tclassstr); - if (!tclass) + rc = sepol_string_to_security_class(tclassstr, &tclass); + if (rc < 0) - RETURN(BADTCLASS) - - /* Convert the permission list to an AV. */ + RETURN(BADTCLASS) + + /* Convert the permission list to an AV. */ @@ -365,8 +367,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args - permstr = PyString_AsString( strObj ); + permstr = PyString_AsString( strObj ); #endif - + - perm = string_to_av_perm(tclass, permstr); - if (!perm) + rc = sepol_string_to_av_perm(tclass, permstr, &perm); + if (rc < 0) - RETURN(BADPERM) - - av |= perm; + RETURN(BADPERM) + + av |= perm; diff --git libselinux-2.5/src/avc_sidtab.c libselinux-2.5/src/avc_sidtab.c index 9669264..c775430 100644 --- libselinux-2.5/src/avc_sidtab.c +++ libselinux-2.5/src/avc_sidtab.c @@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s, - int hvalue, rc = 0; - struct sidtab_node *cur; - + int hvalue, rc = 0; + struct sidtab_node *cur; + + if (! ctx) { + errno=EINVAL; + return -1; + } + - *sid = NULL; - hvalue = sidtab_hash(ctx); - + *sid = NULL; + hvalue = sidtab_hash(ctx); + 
diff --git libselinux-2.5/src/booleans.c libselinux-2.5/src/booleans.c index 4b39a28..6a96b4a 100644 --- libselinux-2.5/src/booleans.c +++ libselinux-2.5/src/booleans.c @@ -53,6 +53,7 @@ int security_get_boolean_names(char ***names, int *len) - snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR); - *len = scandir(path, &namelist, &filename_select, alphasort); - if (*len <= 0) { + snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR); + *len = scandir(path, &namelist, &filename_select, alphasort); + if (*len <= 0) { + errno = ENOENT; - return -1; - } - + return -1; + } + diff --git libselinux-2.5/src/canonicalize_context.c libselinux-2.5/src/canonicalize_context.c index 7cf3139..364a746 100644 --- libselinux-2.5/src/canonicalize_context.c +++ libselinux-2.5/src/canonicalize_context.c @@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con, - size_t size; - int fd, ret; - + size_t size; + int fd, ret; + + if (! con) { + errno=EINVAL; + return -1; + } + - if (!selinux_mnt) { - errno = ENOENT; - return -1; + if (!selinux_mnt) { + errno = ENOENT; + return -1; diff --git libselinux-2.5/src/check_context.c libselinux-2.5/src/check_context.c index 52063fa..234749c 100644 --- libselinux-2.5/src/check_context.c +++ libselinux-2.5/src/check_context.c @@ -14,6 +14,11 @@ int security_check_context_raw(const char * con) - char path[PATH_MAX]; - int fd, ret; - + char path[PATH_MAX]; + int fd, ret; + + if (! con) { + errno=EINVAL; + return -1; + } + - if (!selinux_mnt) { - errno = ENOENT; - return -1; + if (!selinux_mnt) { + errno = ENOENT; + return -1; diff --git libselinux-2.5/src/compute_av.c libselinux-2.5/src/compute_av.c index 937e5c3..35ace7f 100644 --- libselinux-2.5/src/compute_av.c +++ libselinux-2.5/src/compute_av.c 
@@ -26,6 +26,11 @@ int security_compute_av_flags_raw(const char * scon, - return -1; - } - + return -1; + } + + if ((! scon) || (! tcon)) { + errno=EINVAL; + return -1; + } + - snprintf(path, sizeof path, "%s/access", selinux_mnt); - fd = open(path, O_RDWR); - if (fd < 0) + snprintf(path, sizeof path, "%s/access", selinux_mnt); + fd = open(path, O_RDWR); + if (fd < 0) diff --git libselinux-2.5/src/compute_create.c libselinux-2.5/src/compute_create.c index 9559d42..14a65d1 100644 --- libselinux-2.5/src/compute_create.c +++ libselinux-2.5/src/compute_create.c @@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon, - return -1; - } - + return -1; + } + + if ((! scon) || (! tcon)) { + errno=EINVAL; + return -1; + } + - snprintf(path, sizeof path, "%s/create", selinux_mnt); - fd = open(path, O_RDWR); - if (fd < 0) + snprintf(path, sizeof path, "%s/create", selinux_mnt); + fd = open(path, O_RDWR); + if (fd < 0) diff --git libselinux-2.5/src/compute_member.c libselinux-2.5/src/compute_member.c index 1fc7e41..065d996 100644 --- libselinux-2.5/src/compute_member.c +++ libselinux-2.5/src/compute_member.c @@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon, - return -1; - } - + return -1; + } + + if ((! scon) || (! tcon)) { + errno=EINVAL; + return -1; + } + - snprintf(path, sizeof path, "%s/member", selinux_mnt); - fd = open(path, O_RDWR); - if (fd < 0) + snprintf(path, sizeof path, "%s/member", selinux_mnt); + fd = open(path, O_RDWR); + if (fd < 0) diff --git libselinux-2.5/src/compute_relabel.c libselinux-2.5/src/compute_relabel.c index 4615aee..cc77f36 100644 --- libselinux-2.5/src/compute_relabel.c +++ libselinux-2.5/src/compute_relabel.c 
@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon, - return -1; - } - + return -1; + } + + if ((! scon) || (! tcon)) { + errno=EINVAL; + return -1; + } + - snprintf(path, sizeof path, "%s/relabel", selinux_mnt); - fd = open(path, O_RDWR); - if (fd < 0) + snprintf(path, sizeof path, "%s/relabel", selinux_mnt); + fd = open(path, O_RDWR); + if (fd < 0) diff --git libselinux-2.5/src/compute_user.c libselinux-2.5/src/compute_user.c index b37c5d3..7703c26 100644 --- libselinux-2.5/src/compute_user.c +++ libselinux-2.5/src/compute_user.c @@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon, - return -1; - } - + return -1; + } + + if (! scon) { + errno=EINVAL; + return -1; + } + - snprintf(path, sizeof path, "%s/user", selinux_mnt); - fd = open(path, O_RDWR); - if (fd < 0) + snprintf(path, sizeof path, "%s/user", selinux_mnt); + fd = open(path, O_RDWR); + if (fd < 0) diff --git libselinux-2.5/src/exception.sh libselinux-2.5/src/exception.sh index b7cff7e..a58bf3f 100755 --- libselinux-2.5/src/exception.sh @@ -998,7 +998,7 @@ index b7cff7e..a58bf3f 100755 } -gcc -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h +${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h - for i in `awk '/.*extern int/ { print $6 }' temp.aux`; do except $i ; done + for i in `awk '/.*extern int/ { print $6 }' temp.aux`; do except $i ; done rm -f -- temp.aux -.o diff --git libselinux-2.5/src/file_path_suffixes.h libselinux-2.5/src/file_path_suffixes.h index d1f9b48..95b228b 100644 @@ -1017,7 +1017,7 @@ index 52707d0..0cbe12d 100644 --- libselinux-2.5/src/fsetfilecon.c +++ libselinux-2.5/src/fsetfilecon.c @@ -9,8 +9,12 @@ - + int fsetfilecon_raw(int fd, const char * context) { - int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 
@@ -1028,9 +1028,9 @@ index 52707d0..0cbe12d 100644 + return -1; + } + rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); - if (rc < 0 && errno == ENOTSUP) { - char * ccontext = NULL; - int err = errno; + if (rc < 0 && errno == ENOTSUP) { + char * ccontext = NULL; + int err = errno; diff --git libselinux-2.5/src/init.c libselinux-2.5/src/init.c index 3db4de0..3c687a2 100644 --- libselinux-2.5/src/init.c @@ -1040,23 +1040,23 @@ index 3db4de0..3c687a2 100644 #include #include -#include - + #include "dso.h" #include "policy.h" @@ -57,20 +56,15 @@ static int verify_selinuxmnt(const char *mnt) - + int selinuxfs_exists(void) { - int exists = 0, mnt_rc = 0; + int exists = 0; - FILE *fp = NULL; - char *buf = NULL; - size_t len; - ssize_t num; - + FILE *fp = NULL; + char *buf = NULL; + size_t len; + ssize_t num; + - mnt_rc = mount("proc", "/proc", "proc", 0, 0); - - fp = fopen("/proc/filesystems", "r"); + fp = fopen("/proc/filesystems", "r"); - if (!fp) { - exists = 1; /* Fail as if it exists */ - goto out; @@ -1064,13 +1064,13 @@ index 3db4de0..3c687a2 100644 - + if (!fp) + return 1; /* Fail as if it exists */ - __fsetlocking(fp, FSETLOCKING_BYCALLER); - - num = getline(&buf, &len, fp); + __fsetlocking(fp, FSETLOCKING_BYCALLER); + + num = getline(&buf, &len, fp); @@ -84,14 +78,6 @@ int selinuxfs_exists(void) - - free(buf); - fclose(fp); + + free(buf); + fclose(fp); - -out: -#ifndef MNT_DETACH @@ -1079,7 +1079,7 @@ index 3db4de0..3c687a2 100644 - if (mnt_rc == 0) - umount2("/proc", MNT_DETACH); - - return exists; + return exists; } hidden_def(selinuxfs_exists) diff --git libselinux-2.5/src/label_file.c libselinux-2.5/src/label_file.c @@ -1087,15 +1087,15 @@ index 071d902..c89bb35 100644 --- libselinux-2.5/src/label_file.c +++ libselinux-2.5/src/label_file.c 
@@ -388,18 +388,21 @@ static int load_mmap(struct selabel_handle *rec, const char *path, - rc = -1; - goto err; - } + rc = -1; + goto err; + } - spec->lsd.study_data = (void *)mmap_area->next_addr; - spec->lsd.flags |= PCRE_EXTRA_STUDY_DATA; - rc = next_entry(NULL, mmap_area, entry_len); - if (rc < 0) - goto err; - + - /* Check that study data lengths match. */ - rc = pcre_fullinfo(spec->regex, &spec->lsd, - PCRE_INFO_STUDYSIZE, &len); @@ -1116,15 +1116,15 @@ index 071d902..c89bb35 100644 + rc = -1; + goto err; + } - } - - data->nspec++; + } + + data->nspec++; diff --git libselinux-2.5/src/label_file.h libselinux-2.5/src/label_file.h index 72fed1f..6d1e890 100644 --- libselinux-2.5/src/label_file.h +++ libselinux-2.5/src/label_file.h @@ -80,9 +80,12 @@ struct saved_data { - + static inline pcre_extra *get_pcre_extra(struct spec *spec) { - if (spec->from_mmap) @@ -1136,9 +1136,9 @@ index 72fed1f..6d1e890 100644 + else + return NULL; + } else - return spec->sd; + return spec->sd; } - + diff --git libselinux-2.5/src/load_policy.c libselinux-2.5/src/load_policy.c index 21ee58b..4f39fc7 100644 --- libselinux-2.5/src/load_policy.c @@ -1146,50 +1146,50 @@ index 21ee58b..4f39fc7 100644 @@ -17,6 +17,10 @@ #include "policy.h" #include - + +#ifndef MNT_DETACH +#define MNT_DETACH 2 +#endif + int security_load_policy(void *data, size_t len) { - char path[PATH_MAX]; + char path[PATH_MAX]; @@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforce) - fclose(cfg); - free(buf); - } + fclose(cfg); + free(buf); + } -#ifndef MNT_DETACH -#define MNT_DETACH 2 -#endif - if (rc == 0) - umount2("/proc", MNT_DETACH); - - /* - * Determine the final desired mode. + + /* + * Determine the final desired mode. 
@@ -400,11 +399,17 @@ int selinux_init_load_policy(int *enforce) - /* Only emit this error if selinux was not disabled */ - fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno)); - } + /* Only emit this error if selinux was not disabled */ + fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno)); + } + + if (rc == 0) + umount2("/proc", MNT_DETACH); - - goto noload; - } - set_selinuxmnt(mntpoint); - + + goto noload; + } + set_selinuxmnt(mntpoint); + + if (rc == 0) + umount2("/proc", MNT_DETACH); + - /* - * Note: The following code depends on having selinuxfs - * already mounted and selinuxmnt set above. + /* + * Note: The following code depends on having selinuxfs + * already mounted and selinuxmnt set above. diff --git libselinux-2.5/src/lsetfilecon.c libselinux-2.5/src/lsetfilecon.c index 1d3b28a..ea6d70b 100644 --- libselinux-2.5/src/lsetfilecon.c +++ libselinux-2.5/src/lsetfilecon.c @@ -9,8 +9,13 @@ - + int lsetfilecon_raw(const char *path, const char * context) { - int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, @@ -1201,9 +1201,9 @@ index 1d3b28a..ea6d70b 100644 + } + + rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); - if (rc < 0 && errno == ENOTSUP) { - char * ccontext = NULL; - int err = errno; + if (rc < 0 && errno == ENOTSUP) { + char * ccontext = NULL; + int err = errno; diff --git libselinux-2.5/src/matchpathcon.c libselinux-2.5/src/matchpathcon.c index 5b495a0..d92ed79 100644 --- libselinux-2.5/src/matchpathcon.c @@ -1218,30 +1218,30 @@ index 5b495a0..d92ed79 100644 #include "callbacks.h" @@ -62,7 +63,7 @@ static void { - va_list ap; - va_start(ap, fmt); + va_list ap; + va_start(ap, fmt); - vfprintf(stderr, fmt, ap); + vsyslog(LOG_ERR, fmt, ap); - va_end(ap); + va_end(ap); } - + 
@@ -361,12 +362,6 @@ int realpath_not_final(const char *name, char *resolved_path) - goto out; - } - + goto out; + } + - /* strip leading // */ - while (tmp_path[len] && tmp_path[len] == '/' && - tmp_path[len+1] && tmp_path[len+1] == '/') { - tmp_path++; - len++; - } - last_component = strrchr(tmp_path, '/'); - - if (last_component == tmp_path) { + last_component = strrchr(tmp_path, '/'); + + if (last_component == tmp_path) { @@ -470,6 +465,17 @@ int selinux_file_context_verify(const char *path, mode_t mode) - char * con = NULL; - char * fcontext = NULL; - int rc = 0; + char * con = NULL; + char * fcontext = NULL; + int rc = 0; + char stackpath[PATH_MAX + 1]; + char *p = NULL; + @@ -1253,39 +1253,39 @@ index 5b495a0..d92ed79 100644 + if (p) + path = p; + } - - rc = lgetfilecon_raw(path, &con); - if (rc == -1) { + + rc = lgetfilecon_raw(path, &con); + if (rc == -1) { diff --git libselinux-2.5/src/procattr.c libselinux-2.5/src/procattr.c index 527a0a5..eee4612 100644 --- libselinux-2.5/src/procattr.c +++ libselinux-2.5/src/procattr.c @@ -70,9 +70,9 @@ static int openattr(pid_t pid, const char *attr, int flags) - char *path; - pid_t tid; - + char *path; + pid_t tid; + - if (pid > 0) + if (pid > 0) { - rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr); + rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr); - else { + } else if (pid == 0) { - rc = asprintf(&path, "/proc/thread-self/attr/%s", attr); - if (rc < 0) - return -1; + rc = asprintf(&path, "/proc/thread-self/attr/%s", attr); + if (rc < 0) + return -1; @@ -82,6 +82,9 @@ static int openattr(pid_t pid, const char *attr, int flags) - free(path); - tid = gettid(); - rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr); + free(path); + tid = gettid(); + rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr); + } else { + errno = EINVAL; + return -1; - } - if (rc < 0) - return -1; + } + if (rc < 0) + return -1; 
@@ -303,11 +306,21 @@ static int setprocattrcon(const char * context, #define getpidattr_def(fn, attr) \ - int get##fn##_raw(pid_t pid, char **c) \ - { \ + int get##fn##_raw(pid_t pid, char **c) \ + { \ - return getprocattrcon_raw(c, pid, #attr); \ + if (pid <= 0) { \ + errno = EINVAL; \ @@ -1293,9 +1293,9 @@ index 527a0a5..eee4612 100644 + } else { \ + return getprocattrcon_raw(c, pid, #attr); \ + } \ - } \ - int get##fn(pid_t pid, char **c) \ - { \ + } \ + int get##fn(pid_t pid, char **c) \ + { \ - return getprocattrcon(c, pid, #attr); \ + if (pid <= 0) { \ + errno = EINVAL; \ @@ -1303,8 +1303,8 @@ index 527a0a5..eee4612 100644 + } else { \ + return getprocattrcon(c, pid, #attr); \ + } \ - } - + } + all_selfattr_def(con, current) diff --git libselinux-2.5/src/selinux_config.c libselinux-2.5/src/selinux_config.c index bec5f3b..c519a77 100644 @@ -1317,13 +1317,13 @@ index bec5f3b..c519a77 100644 -#define NEL 30 +#define SNAPPERD_CONTEXTS 30 +#define NEL 31 - + /* Part of one-time lazy init */ static pthread_once_t once = PTHREAD_ONCE_INIT; @@ -499,6 +500,13 @@ const char *selinux_openssh_contexts_path(void) - + hidden_def(selinux_openssh_contexts_path) - + +const char *selinux_snapperd_contexts_path(void) +{ + return get_path(SNAPPERD_CONTEXTS); @@ -1333,7 +1333,7 @@ index bec5f3b..c519a77 100644 + const char *selinux_systemd_contexts_path(void) { - return get_path(SYSTEMD_CONTEXTS); + return get_path(SYSTEMD_CONTEXTS); diff --git libselinux-2.5/src/selinux_internal.h libselinux-2.5/src/selinux_internal.h index 46566f6..9b9145c 100644 --- libselinux-2.5/src/selinux_internal.h @@ -1351,23 +1351,23 @@ index 17ed6fe..d2c2402 100644 --- libselinux-2.5/src/selinux_restorecon.c +++ libselinux-2.5/src/selinux_restorecon.c 
@@ -245,25 +245,41 @@ int selinux_restorecon(const char *pathname_orig, - * realpath of containing dir, then appending last component name. - */ - if (userealpath) { + * realpath of containing dir, then appending last component name. + */ + if (userealpath) { - pathbname = basename((char *)pathname_orig); + char *basename_cpy = strdup(pathname_orig); + if (!basename_cpy) + goto realpatherr; + pathbname = basename(basename_cpy); - if (!strcmp(pathbname, "/") || !strcmp(pathbname, ".") || - !strcmp(pathbname, "..")) { - pathname = realpath(pathname_orig, NULL); + if (!strcmp(pathbname, "/") || !strcmp(pathbname, ".") || + !strcmp(pathbname, "..")) { + pathname = realpath(pathname_orig, NULL); - if (!pathname) + if (!pathname) { + free(basename_cpy); - goto realpatherr; + goto realpatherr; + } - } else { + } else { - pathdname = dirname((char *)pathname_orig); + char *dirname_cpy = strdup(pathname_orig); + if (!dirname_cpy) { @@ -1375,28 +1375,28 @@ index 17ed6fe..d2c2402 100644 + goto realpatherr; + } + pathdname = dirname(dirname_cpy); - pathdnamer = realpath(pathdname, NULL); + pathdnamer = realpath(pathdname, NULL); - if (!pathdnamer) + free(dirname_cpy); + if (!pathdnamer) { + free(basename_cpy); - goto realpatherr; + goto realpatherr; + } - if (!strcmp(pathdnamer, "/")) - error = asprintf(&pathname, "/%s", pathbname); - else - error = asprintf(&pathname, "%s/%s", - pathdnamer, pathbname); + if (!strcmp(pathdnamer, "/")) + error = asprintf(&pathname, "/%s", pathbname); + else + error = asprintf(&pathname, "%s/%s", + pathdnamer, pathbname); - if (error < 0) + if (error < 0) { + free(basename_cpy); - goto oom; + goto oom; + } - } + } + free(basename_cpy); - } else { - pathname = strdup(pathname_orig); - if (!pathname) + } else { + pathname = strdup(pathname_orig); + if (!pathname) diff --git libselinux-2.5/src/selinuxswig_python.i libselinux-2.5/src/selinuxswig_python.i index 8cea18d..592d70c 100644 --- libselinux-2.5/src/selinuxswig_python.i 
@@ -1413,7 +1413,7 @@ index 8cea18d..592d70c 100644 + if e.errno != errno.ENOENT: + raise + return - + if status == 0: try: diff --git libselinux-2.5/src/setexecfilecon.c libselinux-2.5/src/setexecfilecon.c @@ -1421,20 +1421,20 @@ index e72ba0d..9c821f8 100644 --- libselinux-2.5/src/setexecfilecon.c +++ libselinux-2.5/src/setexecfilecon.c @@ -45,7 +45,7 @@ int setexecfilecon(const char *filename, const char *fallback_type) - goto out; + goto out; out: - + - if (rc < 0 && security_getenforce() == 0) + if (rc < 0 && security_getenforce() < 1) - rc = 0; - - context_free(con); + rc = 0; + + context_free(con); diff --git libselinux-2.5/src/setfilecon.c libselinux-2.5/src/setfilecon.c index d05969c..3f0200e 100644 --- libselinux-2.5/src/setfilecon.c +++ libselinux-2.5/src/setfilecon.c @@ -9,8 +9,12 @@ - + int setfilecon_raw(const char *path, const char * context) { - int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, @@ -1445,9 +1445,9 @@ index d05969c..3f0200e 100644 + return -1; + } + rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); - if (rc < 0 && errno == ENOTSUP) { - char * ccontext = NULL; - int err = errno; + if (rc < 0 && errno == ENOTSUP) { + char * ccontext = NULL; + int err = errno; diff --git libselinux-2.5/utils/.gitignore libselinux-2.5/utils/.gitignore index 060eaab..ed3bf0b 100644 --- libselinux-2.5/utils/.gitignore @@ -1474,7 +1474,7 @@ index cf7af52..8497cb4 100644 USRBINDIR ?= $(PREFIX)/sbin SBINDIR ?= $(DESTDIR)/sbin +INCLUDEDIR ?= $(PREFIX)/include - + MAX_STACK_SIZE=8192 CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissing-include-dirs \ @@ -23,7 +24,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi 
@@ -1484,7 +1484,7 @@ index cf7af52..8497cb4 100644 -override CFLAGS += -I../include -D_GNU_SOURCE $(EMFLAGS) +override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) LDLIBS += -L../src -lselinux -L$(LIBDIR) - + TARGETS=$(patsubst %.c,%,$(wildcard *.c)) diff --git libselinux-2.5/utils/matchpathcon.c libselinux-2.5/utils/matchpathcon.c index d1f1348..0288feb 100644 @@ -1493,20 +1493,20 @@ index d1f1348..0288feb 100644 @@ -15,7 +15,7 @@ static void usage(const char *progname) { - fprintf(stderr, + fprintf(stderr, - "usage: %s [-N] [-n] [-f file_contexts] [ -P policy_root_path ] [-p prefix] [-Vq] path...\n", + "usage: %s [-V] [-N] [-n] [-m type] [-f file_contexts_file] [-p prefix] [-P policy_root_path] filepath...\n", - progname); - exit(1); + progname); + exit(1); } diff --git libselinux-2.5/utils/sefcontext_compile.c libselinux-2.5/utils/sefcontext_compile.c index d2578b6..fd6fb78 100644 --- libselinux-2.5/utils/sefcontext_compile.c +++ libselinux-2.5/utils/sefcontext_compile.c @@ -228,10 +228,13 @@ static int write_binary_file(struct saved_data *data, int fd) - if (len != to_write) - goto err; - + if (len != to_write) + goto err; + - /* determine the size of the pcre study info */ - rc = pcre_fullinfo(re, sd, PCRE_INFO_STUDYSIZE, &size); - if (rc < 0) @@ -1518,13 +1518,13 @@ index d2578b6..fd6fb78 100644 + goto err; + } else + size = 0; - - /* write the number of bytes in the pcre study data */ - to_write = size; + + /* write the number of bytes in the pcre study data */ + to_write = size; @@ -239,10 +242,12 @@ static int write_binary_file(struct saved_data *data, int fd) - if (len != 1) - goto err; - + if (len != 1) + goto err; + - /* write the actual pcre study data as a char array */ - len = fwrite(sd->study_data, 1, to_write, bin_file); - if (len != to_write) @@ -1535,6 +1535,6 @@ index d2578b6..fd6fb78 100644 + if (len != to_write) + goto err; + } - } - - rc = 0; + } + + rc = 0; 
diff --git a/SOURCES/selinuxconlist.8 b/SOURCES/selinuxconlist.8
index 3bf795d6..c698daae 100644
--- a/SOURCES/selinuxconlist.8
+++ b/SOURCES/selinuxconlist.8
@@ -11,7 +11,7 @@ reports the list of context reachable for user from the current context or speci
.B \-l level
mcs/mls level
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dan Walsh .
.SH "SEE ALSO"
diff --git a/SOURCES/selinuxdefcon.8 b/SOURCES/selinuxdefcon.8
index ed08d0da..3cbeff25 100644
--- a/SOURCES/selinuxdefcon.8
+++ b/SOURCES/selinuxdefcon.8
@@ -1,6 +1,6 @@
.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
.SH "NAME"
-selinuxdefcon \- report default SELinux context for user
+selinuxdefcon \- report default SELinux context for user
.SH "SYNOPSIS"
.B selinuxdefcon [-l level] user fromcon
@@ -17,7 +17,7 @@ mcs/mls level
.br
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-.SH AUTHOR
+.SH AUTHOR
This manual page was written by Dan Walsh .
.SH "SEE ALSO"
diff --git a/SPECS/libselinux.spec b/SPECS/libselinux.spec
index 8d21a50a..20ccda88 100644
--- a/SPECS/libselinux.spec
+++ b/SPECS/libselinux.spec
@@ -57,8 +57,8 @@ Group: Development/Libraries
Requires: libselinux%{?_isa} = %{version}-%{release}
%description python
-The libselinux-python package contains the python bindings for developing
-SELinux applications.
+The libselinux-python package contains the python bindings for developing
+SELinux applications.
%if 0%{?with_python3}
%package python3
@@ -68,7 +68,7 @@ Requires: libselinux%{?_isa} = %{version}-%{release}
%description python3
The libselinux-python3 package contains python 3 bindings for developing
-SELinux applications.
+SELinux applications.
%endif # with_python3
%package ruby
@@ -78,8 +78,8 @@ Requires: libselinux%{?_isa} = %{version}-%{release} Provides: ruby(selinux) %description ruby -The libselinux-ruby package contains the ruby bindings for developing -SELinux applications. +The libselinux-ruby package contains the ruby bindings for developing +SELinux applications. %package devel Summary: Header files and libraries used to build SELinux @@ -89,7 +89,7 @@ Requires: libsepol-devel%{?_isa} >= %{libsepolver} %description devel The libselinux-devel package contains the libraries and header files -needed for developing SELinux applications. +needed for developing SELinux applications. %package static Summary: Static libraries used to build SELinux @@ -98,7 +98,7 @@ Requires: libselinux-devel%{?_isa} = %{version}-%{release} %description static The libselinux-static package contains the static libraries -needed for developing SELinux applications. +needed for developing SELinux applications. %prep %setup -q -n libselinux-2.5 @@ -151,8 +151,8 @@ InstallPythonWrapper() { rm -rf %{buildroot} mkdir -p %{buildroot}/%{_prefix}/lib/tmpfiles.d -mkdir -p %{buildroot}/%{_libdir} -mkdir -p %{buildroot}%{_includedir} +mkdir -p %{buildroot}/%{_libdir} +mkdir -p %{buildroot}%{_includedir} mkdir -p %{buildroot}%{_sbindir} mkdir -p %{buildroot}/var/run/setrans echo "d /var/run/setrans 0755 root root" > %{buildroot}/%{_prefix}/lib/tmpfiles.d/libselinux.conf @@ -326,7 +326,7 @@ Resolves:#1053122 Resolves: #1053122 * Mon Jan 6 2014 Dan Walsh - 2.2.2-1 -- Update to upstream +- Update to upstream * Fix userspace AVC handling of per-domain permissive mode. - Verify context is not null when passed into *setfilecon_raw 
@@ -348,12 +348,12 @@ Resolves: #1053122 Resolves: #1038606 * Mon Nov 25 2013 Dan Walsh - 2.2.1-1 -- Update to upstream +- Update to upstream * Remove -lpthread from pkg-config file; it is not required. - Add support for policy compressed with xv * Thu Oct 31 2013 Dan Walsh - 2.2-1 -- Update to upstream +- Update to upstream * Fix avc_has_perm() returns -1 even when SELinux is in permissive mode. * Support overriding Makefile RANLIB from Sven Vermeulen. * Update pkgconfig definition from Sven Vermeulen. @@ -384,7 +384,7 @@ Resolves: #1038606 Resolves: #971425 * Thu Oct 3 2013 Dan Walsh - 2.1.13-20 -- Eliminate requirement on pthread library, by applying patch for Jakub Jelinek +- Eliminate requirement on pthread library, by applying patch for Jakub Jelinek Resolves: #1013801 * Mon Sep 16 2013 Dan Walsh - 2.1.13-19 @@ -413,7 +413,7 @@ Resolves: #1013801 - Add Eric Paris patch to fix procattr calls after a fork. * Tue Mar 26 2013 Dan Walsh - 2.1.13-12 -- Move secolor.conf.5 into mcstrans package and out of libselinux +- Move secolor.conf.5 into mcstrans package and out of libselinux * Wed Mar 20 2013 Dan Walsh - 2.1.13-11 - Fix python bindings for selinux_check_access @@ -449,7 +449,7 @@ Resolves: #1013801 - Revert some changes which are causing the wrong policy version file to be created * Thu Feb 7 2013 Dan Walsh - 2.1.13-1 -- Update to upstream +- Update to upstream * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible @@ -475,7 +475,7 @@ Resolves: #1013801 * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error - * matchmediacon: do not leak fd + * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error * Sun Jan 27 2013 Dan Walsh - 2.1.12-20 
@@ -544,7 +544,7 @@ Resolves: #1013801 - Rebuild with fixed libsepol * Thu Sep 13 2012 Dan Walsh - 2.1.12-1 -- Update to upstream +- Update to upstream * Add support for lxc_contexts_path * utils: add service to getdefaultcon * libsemanage: do not set soname needlessly @@ -593,7 +593,7 @@ Resolves: #1013801 - Revert Eric Paris Patch for selinux_binary_policy_path * Wed Jul 4 2012 Dan Walsh - 2.1.11-1 -- Update to upstream +- Update to upstream * Fortify source now requires all code to be compiled with -O flag * asprintf return code must be checked * avc_netlink_recieve handle EINTR @@ -607,7 +607,7 @@ Resolves: #1013801 * additional makefile support for rubywrap * Mon Jun 11 2012 Dan Walsh - 2.1.10-5 -- Fix booleans.subs name, change function name to selinux_boolean_sub, +- Fix booleans.subs name, change function name to selinux_boolean_sub, add man page, minor fixes to the function * Fri May 25 2012 Dan Walsh - 2.1.10-4 @@ -623,7 +623,7 @@ Resolves: #1013801 - Add support fot boolean subs file * Thu Mar 29 2012 Dan Walsh - 2.1.10-1 -- Update to upstream +- Update to upstream * Fix dead links to www.nsa.gov/selinux * Remove jump over variable declaration * Fix old style function definitions @@ -659,7 +659,7 @@ Resolves: #1013801 - Make work with ruby-1.9 * Fri Feb 3 2012 Dan Walsh - 2.1.9-7 -- avc_netlink_recieve should continue to poll if it receinves an EINTR rather +- avc_netlink_recieve should continue to poll if it receinves an EINTR rather * Sun Jan 29 2012 Kay Sievers - 2.1.9-6 - use /sbin/ldconfig, glibc does not provide @@ -739,7 +739,7 @@ Resolves: #1013801 - Add selinux_check_access function. Needed for passwd, chfn, chsh * Thu Sep 22 2011 Dan Walsh - 2.1.6-2 -- Handle situation where selinux=0 passed to the kernel and both /selinux and +- Handle situation where selinux=0 passed to the kernel and both /selinux and * Mon Sep 19 2011 Dan Walsh - 2.1.6-1 -Update to upstream 
@@ -759,8 +759,8 @@ Resolves: #1013801 - Fix handling of subset labeling that is causing segfault in restorecon * Fri Sep 2 2011 Dan Walsh - 2.1.5-2 -- Change matchpathcon_init_prefix and selabel_open to allow multiple initial -prefixes. Now you can specify a ";" separated list of prefixes and the +- Change matchpathcon_init_prefix and selabel_open to allow multiple initial +prefixes. Now you can specify a ";" separated list of prefixes and the labeling system will only load regular expressions that match these prefixes. * Tue Aug 30 2011 Dan Walsh - 2.1.5-1 @@ -813,7 +813,7 @@ labeling system will only load regular expressions that match these prefixes. * Update man pages for selinux_color_* functions by Richard Haines. * Mon Jun 13 2011 Dan Walsh - 2.0.102-6 -- Only call dups check within selabel/matchpathcon if you are validating the +- Only call dups check within selabel/matchpathcon if you are validating the context - This seems to speed the loading of labels by 4 times. 
@@ -852,15 +852,15 @@ context * Tue Apr 5 2011 Dan Walsh - 2.0.99-4 Add patch from dbhole@redhat.com to initialize thread keys to -1 Errors were being seen in libpthread/libdl that were related -to corrupt thread specific keys. Global destructors that are called on dl -unload. During destruction delete a thread specific key without checking -if it has been initialized. Since the constructor is not called each time -(i.e. key is not initialized with pthread_key_create each time), and the -default is 0, there is a possibility that key 0 for an active thread gets +to corrupt thread specific keys. Global destructors that are called on dl +unload. During destruction delete a thread specific key without checking +if it has been initialized. Since the constructor is not called each time +(i.e. key is not initialized with pthread_key_create each time), and the +default is 0, there is a possibility that key 0 for an active thread gets deleted. This is exactly what is happening in case of OpenJDK. Workaround patch that initializes the key to -1. Thus if the constructor is not -called, the destructor tries to delete key -1 which is deemed invalid by +called, the destructor tries to delete key -1 which is deemed invalid by pthread_key_delete, and is ignored. * Tue Apr 5 2011 Dan Walsh - 2.0.99-3 @@ -883,11 +883,11 @@ pthread_key_delete, and is ignored. - Fix Makefile to use pkg-config --cflags python3 to discover include paths * Tue Dec 21 2010 Dan Walsh - 2.0.98-1 -- Update to upstream +- Update to upstream - Turn off fallback in to SELINUX_DEFAULTUSER in get_context_list * Mon Dec 6 2010 Dan Walsh - 2.0.97-1 -- Update to upstream +- Update to upstream * Thread local storage fixes from Eamon Walsh. * Sat Dec 4 2010 Dan Walsh - 2.0.96-9 
@@ -915,31 +915,31 @@ pthread_key_delete, and is ignored. - Turn off messages in audit2why * Wed Mar 24 2010 Dan Walsh - 2.0.96-1 -- Update to upstream +- Update to upstream * Add const qualifiers to public API where appropriate by KaiGai Kohei. 2.0.95 2010-06-10 * Remove duplicate slashes in paths in selabel_lookup from Chad Sellers * Adds a chcon method to the libselinux python bindings from Steve Lawrence -- add python3 subpackage from David Malcolm +- add python3 subpackage from David Malcolm * Wed Mar 24 2010 Dan Walsh - 2.0.94-1 * Set errno=EINVAL for invalid contexts from Dan Walsh. * Tue Mar 16 2010 Dan Walsh - 2.0.93-1 -- Update to upstream +- Update to upstream * Show strerror for security_getenforce() by Colin Waters. * Merged selabel database support by KaiGai Kohei. * Modify netlink socket blocking code by KaiGai Kohei. * Sun Mar 7 2010 Dan Walsh - 2.0.92-1 -- Update to upstream +- Update to upstream * Fix from Eric Paris to fix leak on non-selinux systems. * regenerate swig wrappers * pkgconfig fix to respect LIBDIR from Dan Walsh. * Wed Feb 24 2010 Dan Walsh - 2.0.91-1 -- Update to upstream +- Update to upstream * Change the AVC to only audit the permissions specified by the policy, excluding any permissions specified via dontaudit or not specified via auditallow. @@ -958,7 +958,7 @@ pthread_key_delete, and is ignored. - Free memory on disabled selinux boxes * Tue Dec 1 2009 Dan Walsh - 2.0.90-1 -- Update to upstream +- Update to upstream * add/reformat man pages by Guido Trentalancia . * Change exception.sh to be called with bash by Manoj Srivastava 
@@ -966,15 +966,15 @@ pthread_key_delete, and is ignored. - Fix selinuxdefcon man page * Mon Nov 2 2009 Dan Walsh - 2.0.89-1 -- Update to upstream +- Update to upstream * Add pkgconfig file from Eamon Walsh. * Thu Oct 29 2009 Dan Walsh - 2.0.88-1 -- Update to upstream +- Update to upstream * Rename and export selinux_reset_config() * Tue Sep 8 2009 Dan Walsh - 2.0.87-1 -- Update to upstream +- Update to upstream * Add exception handling in libselinux from Dan Walsh. This uses a shell script called exception.sh to generate a swig interface file. * make swigify @@ -984,14 +984,14 @@ pthread_key_delete, and is ignored. - Eliminate -pthread switch in Makefile * Tue Sep 8 2009 Dan Walsh - 2.0.86-1 -- Update to upstream +- Update to upstream * Removal of reference counting on userspace AVC SID's. * Sat Jul 25 2009 Fedora Release Engineering - 2.0.85-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild * Tue Jul 7 2009 Dan Walsh - 2.0.85-1 -- Update to upstream +- Update to upstream * Reverted Tomas Mraz's fix for freeing thread local storage to avoid pthread dependency. * Removed fini_context_translations() altogether. @@ -999,7 +999,7 @@ pthread_key_delete, and is ignored. by Steve Grubb. * Tue Jul 7 2009 Dan Walsh - 2.0.84-1 -- Update to upstream +- Update to upstream * Add per-service seuser support from Dan Walsh. * Let load_policy gracefully handle selinuxfs being mounted from Stephen Smalley. * Check /proc/filesystems before /proc/mounts for selinuxfs from Eric 
@@ -1009,20 +1009,20 @@ pthread_key_delete, and is ignored. - Add provices ruby(selinux) * Tue Jun 23 2009 Dan Walsh - 2.0.82-1 -- Update to upstream +- Update to upstream * Fix improper use of thread local storage from Tomas Mraz . * Label substitution support from Dan Walsh. * Support for labeling virtual machine images from Dan Walsh. * Mon May 18 2009 Dan Walsh - 2.0.81-1 -- Update to upstream +- Update to upstream * Trim / from the end of input paths to matchpathcon from Dan Walsh. * Fix leak in process_line in label_file.c from Hiroshi Shinji. * Move matchpathcon to /sbin, add matchpathcon to clean target from Dan Walsh. * getdefaultcon to print just the correct match and add verbose option from Dan Walsh. * Wed Apr 8 2009 Dan Walsh - 2.0.80-1 -- Update to upstream +- Update to upstream * deny_unknown wrapper function from KaiGai Kohei. * security_compute_av_flags API from KaiGai Kohei. * Netlink socket management and callbacks from KaiGai Kohei. @@ -1040,22 +1040,22 @@ pthread_key_delete, and is ignored. - Add back in av_decision to python swig * Thu Mar 12 2009 Dan Walsh - 2.0.79-1 -- Update to upstream +- Update to upstream * Netlink socket handoff patch from Adam Jackson. * AVC caching of compute_create results by Eric Paris. * Tue Mar 10 2009 Dan Walsh - 2.0.78-5 -- Add patch from ajax to accellerate X SELinux +- Add patch from ajax to accellerate X SELinux - Update eparis patch * Mon Mar 9 2009 Dan Walsh - 2.0.78-4 - Add eparis patch to accellerate Xwindows performance * Mon Mar 9 2009 Dan Walsh - 2.0.78-3 -- Fix URL +- Fix URL * Fri Mar 6 2009 Dan Walsh - 2.0.78-2 -- Add substitute pattern +- Add substitute pattern - matchpathcon output <> on ENOENT * Mon Mar 2 2009 Dan Walsh - 2.0.78-1 @@ -1066,7 +1066,7 @@ pthread_key_delete, and is ignored. - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild * Wed Feb 18 2009 Dan Walsh - 2.0.77-5 -- Add +- Add - selinux_virtual_domain_context_path - selinux_virtual_image_context_path 
@@ -1113,7 +1113,7 @@ pthread_key_delete, and is ignored. * Update flask headers from refpolicy trunk from Dan Walsh. * Fri Sep 26 2008 Dan Walsh - 2.0.71-6 -- Fix matchpathcon -V call +- Fix matchpathcon -V call * Tue Sep 9 2008 Dan Walsh - 2.0.71-5 - Add flask definitions for open, X and nlmsg_tty_audit @@ -1273,7 +1273,7 @@ pthread_key_delete, and is ignored. - smp_mflag * Thu Jan 3 2008 Dan Walsh - 2.0.46-2 -- Fix spec file caused by spec review +- Fix spec file caused by spec review * Fri Nov 30 2007 Dan Walsh - 2.0.46-1 - Upgrade to upstream @@ -1315,7 +1315,7 @@ pthread_key_delete, and is ignored. * Wed Sep 26 2007 Dan Walsh - 2.0.35-1 - Upgrade to upstream * Make netlink socket close-on-exec to avoid descriptor leakage from Dan Walsh. - * Pass CFLAGS when using gcc for linking from Dennis Gilmore. + * Pass CFLAGS when using gcc for linking from Dennis Gilmore. * Mon Sep 24 2007 Dan Walsh - 2.0.34-3 - Add sparc patch to from Dennis Gilmore to build on Sparc platform @@ -1347,7 +1347,7 @@ pthread_key_delete, and is ignored. * Fix file_contexts.homedirs path from Todd Miller. * Tue Aug 21 2007 Dan Walsh - 2.0.30-2 -- Remove requirement on setransd, Moved to selinux-policy-mls +- Remove requirement on setransd, Moved to selinux-policy-mls * Fri Aug 10 2007 Dan Walsh - 2.0.30-1 - Move libselinux.so into devel package @@ -1359,7 +1359,7 @@ pthread_key_delete, and is ignored. * Fri Aug 3 2007 Dan Walsh - 2.0.29-1 - Upgrade to upstream - * Updated version for stable branch. + * Updated version for stable branch. * Added x_contexts path function patch from Eamon Walsh. * Fix build for EMBEDDED=y from Yuichi Nakamura. * Fix markup problems in selinux man pages from Dan Walsh. 
@@ -1480,13 +1480,13 @@ pthread_key_delete, and is ignored. of the use of the non-standard format (original patch changed for style). - Merged patch from Todd Miller to fix memory leak in matchpathcon.c. - + * Fri Jan 19 2007 Dan Walsh - 1.34.0-2 - Add context function to python to split context into 4 parts * Fri Jan 19 2007 Dan Walsh - 1.34.0-1 - Upgrade to upstream - * Updated version for stable branch. + * Updated version for stable branch. * Wed Jan 17 2007 Dan Walsh - 1.33.6-1 - Upgrade to upstream @@ -1540,7 +1540,7 @@ Resolves: #200110 * Tue Oct 24 2006 Dan Walsh - 1.33.1-1 - Upgrade to latest from NSA * Merged updated flask definitions from Darrel Goeddel. - This adds the context security class, and also adds + This adds the context security class, and also adds the string definitions for setsockcreate and polmatch. * Tue Oct 17 2006 Dan Walsh - 1.32-1 @@ -1607,8 +1607,8 @@ Resolves: #200110 - only build non-fpic objects with -mno-tls-direct-seg-refs * Tue Aug 1 2006 Jeremy Katz - 1.30.19-4 -- build with -mno-tls-direct-seg-refs on x86 to avoid triggering - segfaults with xen (#200783) +- build with -mno-tls-direct-seg-refs on x86 to avoid triggering + segfaults with xen (#200783) * Mon Jul 17 2006 Dan Walsh 1.30.19-3 - Rebuild for new gcc @@ -1660,7 +1660,7 @@ Resolves: #200110 - Check for selinux_mnt == NULL * Tue May 30 2006 Dan Walsh 1.30.11-1 -- Merged matchmediacon and trans_to_raw_context fixes from +- Merged matchmediacon and trans_to_raw_context fixes from Serge Hallyn. * Fri May 26 2006 Dan Walsh 1.30.10-4 @@ -1704,7 +1704,7 @@ Resolves: #200110 * Mon May 8 2006 Dan Walsh 1.30.5-1 - Upgrade to latest from NSA - * Merged fix warnings patch from Karl MacMillan. + * Merged fix warnings patch from Karl MacMillan. * Merged setrans client support from Dan Walsh. This removes use of libsetrans. * Merged patch to eliminate use of PAGE_SIZE constant from Dan Walsh. 
@@ -1796,7 +1796,7 @@ Resolves: #200110 allocated by libsetrans. * Sun Dec 11 2005 Dan Walsh 1.29.1-3 -- update to latest libsetrans +- update to latest libsetrans - Fix potential memory leak * Fri Dec 09 2005 Jesse Keating @@ -1931,7 +1931,7 @@ Resolves: #200110 * Fri Oct 7 2005 Dan Walsh 1.27.7-1 - Update to latest from NSA * Changed getseuserbyname to fall back to the Linux username and - NULL level if seusers config file doesn't exist unless + NULL level if seusers config file doesn't exist unless REQUIRESEUSERS=1 is set in /etc/selinux/config. * Moved seusers.conf under $SELINUXTYPE and renamed to seusers. @@ -1939,7 +1939,7 @@ Resolves: #200110 - Update to latest from NSA * Added selinux_init_load_policy() function as an even higher level interface for the initial policy load by /sbin/init. This obsoletes - the load_policy() function in the sysvinit-selinux.patch. + the load_policy() function in the sysvinit-selinux.patch. * Added selinux_mkload_policy() function as a higher level interface for loading policy than the security_load_policy() interface. @@ -1997,7 +1997,7 @@ Resolves: #200110 * Thu Aug 25 2005 Dan Walsh 1.25.4-1 - Update from NSA - * Hid translation-related symbols entirely and ensured that + * Hid translation-related symbols entirely and ensured that raw functions have hidden definitions for internal use. * Allowed setting NULL via context_set* functions. * Allowed whitespace in MLS component of context. @@ -2021,7 +2021,7 @@ Resolves: #200110 code from Serge Hallyn (IBM). Bugs found by Coverity. * Removed setupns; migrated to pam. * Merged patches to rename checkPasswdAccess() from Joshua Brindle. - Original symbol is temporarily retained for compatibility until + Original symbol is temporarily retained for compatibility until all callers are updated. * Mon Jul 18 2005 Dan Walsh 1.24.2-1 
@@ -2035,9 +2035,9 @@ Resolves: #200110 * Fri May 20 2005 Dan Walsh 1.23.11-1 - Update from NSA * Merged avcstat and selinux man page from Dan Walsh. - * Changed security_load_booleans to process booleans.local + * Changed security_load_booleans to process booleans.local even if booleans file doesn't exist. - + * Fri Apr 29 2005 Dan Walsh 1.23.10-3 - Fix avcstat to clear totals @@ -2089,7 +2089,7 @@ Resolves: #200110 - Update from NSA * Added set_matchpathcon_flags() function for setting flags controlling operation of matchpathcon. MATCHPATHCON_BASEONLY - means only process the base file_contexts file, not + means only process the base file_contexts file, not file_contexts.homedirs or file_contexts.local, and is for use by setfiles -c. * Updated matchpathcon.3 man page. @@ -2177,7 +2177,7 @@ Resolves: #200110 * Wed Dec 29 2004 Dan Walsh 1.19.4-1 - Update to latest from upstream - * Changed matchpathcon to return -1 with errno ENOENT for + * Changed matchpathcon to return -1 with errno ENOENT for <> entries, and also for an empty file_contexts configuration. * Tue Dec 28 2004 Dan Walsh 1.19.3-3 @@ -2209,7 +2209,7 @@ Resolves: #200110 - Update from upstream, fix setsebool -P segfault * Fri Nov 5 2004 Steve Grubb 1.18.1-5 -- Add a patch from upstream. Fixes signed/unsigned issues, and +- Add a patch from upstream. Fixes signed/unsigned issues, and incomplete structure copy. * Thu Nov 4 2004 Dan Walsh 1.18.1-4 @@ -2281,11 +2281,11 @@ Resolves: #200110 * Thu Sep 2 2004 Dan Walsh 1.17.8-1 - Update from NSA - * Added set_matchpathcon_printf. + * Added set_matchpathcon_printf. * Wed Sep 1 2004 Dan Walsh 1.17.7-1 - Update from NSA - * Reworked av_inherit.h to allow easier re-use by kernel. + * Reworked av_inherit.h to allow easier re-use by kernel. * Tue Aug 31 2004 Dan Walsh 1.17.6-1 - Add strcasecmp in selinux_config 
@@ -2410,11 +2410,11 @@ Resolves: #200110 - Update with latest from NSA * Thu Apr 22 2004 Dan Walsh 1.11.3-1 -- Add changes for relaxed policy -- Update to match NSA +- Add changes for relaxed policy +- Update to match NSA * Thu Apr 15 2004 Dan Walsh 1.11.2-1 -- Add relaxed policy changes +- Add relaxed policy changes * Thu Apr 15 2004 Dan Walsh 1.11-4 - Sync with NSA @@ -2487,7 +2487,7 @@ Resolves: #200110 - Add mntpoint patch for SysVinit * Fri Dec 12 2003 Dan Walsh 1.4-2 -- Add -r -u -t to getcon +- Add -r -u -t to getcon * Sat Dec 6 2003 Dan Walsh 1.4-1 - Upgrade to latest from NSA