|
 |
0e42ca |
diff --git libselinux-2.5/ChangeLog libselinux-2.5/ChangeLog
|
|
|
0e42ca |
index 24673dd..41507e4 100644
|
|
|
0e42ca |
--- libselinux-2.5/ChangeLog
|
|
|
0e42ca |
+++ libselinux-2.5/ChangeLog
|
|
|
0e42ca |
@@ -1,3 +1,20 @@
|
|
|
0e42ca |
+ * Handle NULL pcre study data, from Stephen Smalley.
|
|
|
0e42ca |
+ * Fix in tree compilation of utils that depend on libsepol, from Laurent Bigonville.
|
|
|
0e42ca |
+ * Clarify is_selinux_mls_enabled() description, from David King.
|
|
|
0e42ca |
+ * Explain how to free policy type from selinux_getpolicytype(), from David King.
|
|
|
0e42ca |
+ * Compare absolute pathname in matchpathcon -V, from Petr Lautrbach.
|
|
|
0e42ca |
+ * Add selinux_snapperd_contexts_path(), from Petr Lautrbach.
|
|
|
0e42ca |
+ * Modify audit2why analyze function to use loaded policy, from Joshua Brindle.
|
|
|
0e42ca |
+ * Sort object files for deterministic linking order, from Laurent Bigonville.
|
|
|
0e42ca |
+ * Respect CC and PKG_CONFIG environment variable, from Julien Pivotto.
|
|
|
0e42ca |
+ * Avoid mounting /proc outside of selinux_init_load_policy(), from Stephen Smalley.
|
|
|
0e42ca |
+ * Fix multiple spelling errors, from Laurent Bigonville.
|
|
|
0e42ca |
+ * Fix typo in sefcontext_compile.8, from Petr Lautrbach and Milos Malik
|
|
|
0e42ca |
+ * Fix location of selinuxfs mount point, from Dan Walsh.
|
|
|
0e42ca |
+ * Only mount /proc if necessary, from Stephen Smalley.
|
|
|
0e42ca |
+ * procattr: return einval for <= 0 pid args, from Daniel Cashman.
|
|
|
0e42ca |
+ * procattr: return error on invalid pid_t input, from Daniel Cashman.
|
|
|
0e42ca |
+
|
|
|
0e42ca |
2.5 2016-02-23
|
|
|
0e42ca |
* selinux_restorecon.3 man page corrections, from Richard Haines.
|
|
|
0e42ca |
* Add selinux_restorecon function, from Richard Haines.
|
|
|
0e42ca |
diff --git libselinux-2.5/Makefile libselinux-2.5/Makefile
|
|
|
0e42ca |
index 6142b60..bdf9de8 100644
|
|
|
0e42ca |
--- libselinux-2.5/Makefile
|
|
|
0e42ca |
+++ libselinux-2.5/Makefile
|
|
|
0e42ca |
@@ -1,4 +1,4 @@
|
|
|
0e42ca |
-SUBDIRS = src include utils man
|
|
|
0e42ca |
+SUBDIRS = src include utils man golang
|
|
|
0e42ca |
|
|
|
0e42ca |
DISABLE_AVC ?= n
|
|
|
0e42ca |
DISABLE_SETRANS ?= n
|
|
|
0e42ca |
diff --git libselinux-2.5/golang/Makefile libselinux-2.5/golang/Makefile
|
|
|
0e42ca |
new file mode 100644
|
|
|
0e42ca |
index 0000000..b75677b
|
|
|
0e42ca |
--- /dev/null
|
|
|
0e42ca |
+++ libselinux-2.5/golang/Makefile
|
|
|
0e42ca |
@@ -0,0 +1,22 @@
|
|
|
0e42ca |
+# Installation directories.
|
|
|
0e42ca |
+PREFIX ?= $(DESTDIR)/usr
|
|
|
0e42ca |
+LIBDIR ?= $(DESTDIR)/usr/lib
|
|
|
0e42ca |
+GODIR ?= $(LIBDIR)/golang/src/pkg/github.com/selinux
|
|
|
0e42ca |
+all:
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+install:
|
|
|
0e42ca |
+ [ -d $(GODIR) ] || mkdir -p $(GODIR)
|
|
|
0e42ca |
+ install -m 644 selinux.go $(GODIR)
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+test:
|
|
|
0e42ca |
+ @mkdir selinux
|
|
|
0e42ca |
+ @cp selinux.go selinux
|
|
|
0e42ca |
+ GOPATH=$(pwd) go run test.go
|
|
|
0e42ca |
+ @rm -rf selinux
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+clean:
|
|
|
0e42ca |
+ @rm -f *~
|
|
|
0e42ca |
+ @rm -rf selinux
|
|
|
0e42ca |
+indent:
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+relabel:
|
|
|
0e42ca |
diff --git libselinux-2.5/golang/selinux.go libselinux-2.5/golang/selinux.go
|
|
|
0e42ca |
new file mode 100644
|
|
|
0e42ca |
index 0000000..34bf6bb
|
|
|
0e42ca |
--- /dev/null
|
|
|
0e42ca |
+++ libselinux-2.5/golang/selinux.go
|
|
|
0e42ca |
@@ -0,0 +1,412 @@
|
|
|
0e42ca |
+package selinux
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+/*
|
|
|
0e42ca |
+ The selinux package is a go bindings to libselinux required to add selinux
|
|
|
0e42ca |
+ support to docker.
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ Author Dan Walsh <dwalsh@redhat.com>
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ Used some ideas/code from the go-ini packages https://github.com/vaughan0
|
|
|
0e42ca |
+ By Vaughan Newton
|
|
|
0e42ca |
+*/
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+// #cgo pkg-config: libselinux
|
|
|
0e42ca |
+// #include <selinux/selinux.h>
|
|
|
0e42ca |
+// #include <stdlib.h>
|
|
|
0e42ca |
+import "C"
|
|
|
0e42ca |
+import (
|
|
|
0e42ca |
+ "bufio"
|
|
|
0e42ca |
+ "crypto/rand"
|
|
|
0e42ca |
+ "encoding/binary"
|
|
|
0e42ca |
+ "fmt"
|
|
|
0e42ca |
+ "io"
|
|
|
0e42ca |
+ "os"
|
|
|
0e42ca |
+ "path"
|
|
|
0e42ca |
+ "path/filepath"
|
|
|
0e42ca |
+ "regexp"
|
|
|
0e42ca |
+ "strings"
|
|
|
0e42ca |
+ "unsafe"
|
|
|
0e42ca |
+)
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+var (
|
|
|
0e42ca |
+ assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`)
|
|
|
0e42ca |
+ mcsList = make(map[string]bool)
|
|
|
0e42ca |
+)
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func Matchpathcon(path string, mode os.FileMode) (string, error) {
|
|
|
0e42ca |
+ var con C.security_context_t
|
|
|
0e42ca |
+ var scon string
|
|
|
0e42ca |
+ rc, err := C.matchpathcon(C.CString(path), C.mode_t(mode), &con)
|
|
|
0e42ca |
+ if rc == 0 {
|
|
|
0e42ca |
+ scon = C.GoString(con)
|
|
|
0e42ca |
+ C.free(unsafe.Pointer(con))
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ return scon, err
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func Setfilecon(path, scon string) (int, error) {
|
|
|
0e42ca |
+ rc, err := C.lsetfilecon(C.CString(path), C.CString(scon))
|
|
|
0e42ca |
+ return int(rc), err
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func Getfilecon(path string) (string, error) {
|
|
|
0e42ca |
+ var scon C.security_context_t
|
|
|
0e42ca |
+ var fcon string
|
|
|
0e42ca |
+ rc, err := C.lgetfilecon(C.CString(path), &scon)
|
|
|
0e42ca |
+ if rc >= 0 {
|
|
|
0e42ca |
+ fcon = C.GoString(scon)
|
|
|
0e42ca |
+ err = nil
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ return fcon, err
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func Setfscreatecon(scon string) (int, error) {
|
|
|
0e42ca |
+ var (
|
|
|
0e42ca |
+ rc C.int
|
|
|
0e42ca |
+ err error
|
|
|
0e42ca |
+ )
|
|
|
0e42ca |
+ if scon != "" {
|
|
|
0e42ca |
+ rc, err = C.setfscreatecon(C.CString(scon))
|
|
|
0e42ca |
+ } else {
|
|
|
0e42ca |
+ rc, err = C.setfscreatecon(nil)
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ return int(rc), err
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func Getfscreatecon() (string, error) {
|
|
|
0e42ca |
+ var scon C.security_context_t
|
|
|
0e42ca |
+ var fcon string
|
|
|
0e42ca |
+ rc, err := C.getfscreatecon(&scon)
|
|
|
0e42ca |
+ if rc >= 0 {
|
|
|
0e42ca |
+ fcon = C.GoString(scon)
|
|
|
0e42ca |
+ err = nil
|
|
|
0e42ca |
+ C.freecon(scon)
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ return fcon, err
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func Getcon() string {
|
|
|
0e42ca |
+ var pcon C.security_context_t
|
|
|
0e42ca |
+ C.getcon(&pcon)
|
|
|
0e42ca |
+ scon := C.GoString(pcon)
|
|
|
0e42ca |
+ C.freecon(pcon)
|
|
|
0e42ca |
+ return scon
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func Getpidcon(pid int) (string, error) {
|
|
|
0e42ca |
+ var pcon C.security_context_t
|
|
|
0e42ca |
+ var scon string
|
|
|
0e42ca |
+ rc, err := C.getpidcon(C.pid_t(pid), &pcon)
|
|
|
0e42ca |
+ if rc >= 0 {
|
|
|
0e42ca |
+ scon = C.GoString(pcon)
|
|
|
0e42ca |
+ C.freecon(pcon)
|
|
|
0e42ca |
+ err = nil
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ return scon, err
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func Getpeercon(socket int) (string, error) {
|
|
|
0e42ca |
+ var pcon C.security_context_t
|
|
|
0e42ca |
+ var scon string
|
|
|
0e42ca |
+ rc, err := C.getpeercon(C.int(socket), &pcon)
|
|
|
0e42ca |
+ if rc >= 0 {
|
|
|
0e42ca |
+ scon = C.GoString(pcon)
|
|
|
0e42ca |
+ C.freecon(pcon)
|
|
|
0e42ca |
+ err = nil
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ return scon, err
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func Setexeccon(scon string) error {
|
|
|
0e42ca |
+ var val *C.char
|
|
|
0e42ca |
+ if !SelinuxEnabled() {
|
|
|
0e42ca |
+ return nil
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ if scon != "" {
|
|
|
0e42ca |
+ val = C.CString(scon)
|
|
|
0e42ca |
+ } else {
|
|
|
0e42ca |
+ val = nil
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ _, err := C.setexeccon(val)
|
|
|
0e42ca |
+ return err
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+type Context struct {
|
|
|
0e42ca |
+ con []string
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func (c *Context) SetUser(user string) {
|
|
|
0e42ca |
+ c.con[0] = user
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+func (c *Context) GetUser() string {
|
|
|
0e42ca |
+ return c.con[0]
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+func (c *Context) SetRole(role string) {
|
|
|
0e42ca |
+ c.con[1] = role
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+func (c *Context) GetRole() string {
|
|
|
0e42ca |
+ return c.con[1]
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+func (c *Context) SetType(setype string) {
|
|
|
0e42ca |
+ c.con[2] = setype
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+func (c *Context) GetType() string {
|
|
|
0e42ca |
+ return c.con[2]
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+func (c *Context) SetLevel(mls string) {
|
|
|
0e42ca |
+ c.con[3] = mls
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+func (c *Context) GetLevel() string {
|
|
|
0e42ca |
+ return c.con[3]
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+func (c *Context) Get() string {
|
|
|
0e42ca |
+ return strings.Join(c.con, ":")
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+func (c *Context) Set(scon string) {
|
|
|
0e42ca |
+ c.con = strings.SplitN(scon, ":", 4)
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+func NewContext(scon string) Context {
|
|
|
0e42ca |
+ var con Context
|
|
|
0e42ca |
+ con.Set(scon)
|
|
|
0e42ca |
+ return con
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func SelinuxEnabled() bool {
|
|
|
0e42ca |
+ b := C.is_selinux_enabled()
|
|
|
0e42ca |
+ if b > 0 {
|
|
|
0e42ca |
+ return true
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ return false
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+const (
|
|
|
0e42ca |
+ Enforcing = 1
|
|
|
0e42ca |
+ Permissive = 0
|
|
|
0e42ca |
+ Disabled = -1
|
|
|
0e42ca |
+)
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func SelinuxGetEnforce() int {
|
|
|
0e42ca |
+ return int(C.security_getenforce())
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func SelinuxGetEnforceMode() int {
|
|
|
0e42ca |
+ var enforce C.int
|
|
|
0e42ca |
+ C.selinux_getenforcemode(&enforce)
|
|
|
0e42ca |
+ return int(enforce)
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func mcsAdd(mcs string) {
|
|
|
0e42ca |
+ mcsList[mcs] = true
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func mcsDelete(mcs string) {
|
|
|
0e42ca |
+ mcsList[mcs] = false
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func mcsExists(mcs string) bool {
|
|
|
0e42ca |
+ return mcsList[mcs]
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func IntToMcs(id int, catRange uint32) string {
|
|
|
0e42ca |
+ if (id < 1) || (id > 523776) {
|
|
|
0e42ca |
+ return ""
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ SETSIZE := int(catRange)
|
|
|
0e42ca |
+ TIER := SETSIZE
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ ORD := id
|
|
|
0e42ca |
+ for ORD > TIER {
|
|
|
0e42ca |
+ ORD = ORD - TIER
|
|
|
0e42ca |
+ TIER -= 1
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ TIER = SETSIZE - TIER
|
|
|
0e42ca |
+ ORD = ORD + TIER
|
|
|
0e42ca |
+ return fmt.Sprintf("s0:c%d,c%d", TIER, ORD)
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func uniqMcs(catRange uint32) string {
|
|
|
0e42ca |
+ var n uint32
|
|
|
0e42ca |
+ var c1, c2 uint32
|
|
|
0e42ca |
+ var mcs string
|
|
|
0e42ca |
+ for {
|
|
|
0e42ca |
+ binary.Read(rand.Reader, binary.LittleEndian, &n)
|
|
|
0e42ca |
+ c1 = n % catRange
|
|
|
0e42ca |
+ binary.Read(rand.Reader, binary.LittleEndian, &n)
|
|
|
0e42ca |
+ c2 = n % catRange
|
|
|
0e42ca |
+ if c1 == c2 {
|
|
|
0e42ca |
+ continue
|
|
|
0e42ca |
+ } else {
|
|
|
0e42ca |
+ if c1 > c2 {
|
|
|
0e42ca |
+ t := c1
|
|
|
0e42ca |
+ c1 = c2
|
|
|
0e42ca |
+ c2 = t
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ mcs = fmt.Sprintf("s0:c%d,c%d", c1, c2)
|
|
|
0e42ca |
+ if mcsExists(mcs) {
|
|
|
0e42ca |
+ continue
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ mcsAdd(mcs)
|
|
|
0e42ca |
+ break
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ return mcs
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+func freeContext(processLabel string) {
|
|
|
0e42ca |
+ var scon Context
|
|
|
0e42ca |
+ scon = NewContext(processLabel)
|
|
|
0e42ca |
+ mcsDelete(scon.GetLevel())
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func GetLxcContexts() (processLabel string, fileLabel string) {
|
|
|
0e42ca |
+ var val, key string
|
|
|
0e42ca |
+ var bufin *bufio.Reader
|
|
|
0e42ca |
+ if !SelinuxEnabled() {
|
|
|
0e42ca |
+ return
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ lxcPath := C.GoString(C.selinux_lxc_contexts_path())
|
|
|
0e42ca |
+ fileLabel = "system_u:object_r:svirt_sandbox_file_t:s0"
|
|
|
0e42ca |
+ processLabel = "system_u:system_r:svirt_lxc_net_t:s0"
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ in, err := os.Open(lxcPath)
|
|
|
0e42ca |
+ if err != nil {
|
|
|
0e42ca |
+ goto exit
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ defer in.Close()
|
|
|
0e42ca |
+ bufin = bufio.NewReader(in)
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ for done := false; !done; {
|
|
|
0e42ca |
+ var line string
|
|
|
0e42ca |
+ if line, err = bufin.ReadString('\n'); err != nil {
|
|
|
0e42ca |
+ if err == io.EOF {
|
|
|
0e42ca |
+ done = true
|
|
|
0e42ca |
+ } else {
|
|
|
0e42ca |
+ goto exit
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ line = strings.TrimSpace(line)
|
|
|
0e42ca |
+ if len(line) == 0 {
|
|
|
0e42ca |
+ // Skip blank lines
|
|
|
0e42ca |
+ continue
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ if line[0] == ';' || line[0] == '#' {
|
|
|
0e42ca |
+ // Skip comments
|
|
|
0e42ca |
+ continue
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ if groups := assignRegex.FindStringSubmatch(line); groups != nil {
|
|
|
0e42ca |
+ key, val = strings.TrimSpace(groups[1]), strings.TrimSpace(groups[2])
|
|
|
0e42ca |
+ if key == "process" {
|
|
|
0e42ca |
+ processLabel = strings.Trim(val, "\"")
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ if key == "file" {
|
|
|
0e42ca |
+ fileLabel = strings.Trim(val, "\"")
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+exit:
|
|
|
0e42ca |
+ var scon Context
|
|
|
0e42ca |
+ mcs := IntToMcs(os.Getpid(), 1024)
|
|
|
0e42ca |
+ scon = NewContext(processLabel)
|
|
|
0e42ca |
+ scon.SetLevel(mcs)
|
|
|
0e42ca |
+ processLabel = scon.Get()
|
|
|
0e42ca |
+ scon = NewContext(fileLabel)
|
|
|
0e42ca |
+ scon.SetLevel(mcs)
|
|
|
0e42ca |
+ fileLabel = scon.Get()
|
|
|
0e42ca |
+ return processLabel, fileLabel
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func CopyLevel(src, dest string) (string, error) {
|
|
|
0e42ca |
+ if !SelinuxEnabled() {
|
|
|
0e42ca |
+ return "", nil
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ if src == "" {
|
|
|
0e42ca |
+ return "", nil
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ rc, err := C.security_check_context(C.CString(src))
|
|
|
0e42ca |
+ if rc != 0 {
|
|
|
0e42ca |
+ return "", err
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ rc, err = C.security_check_context(C.CString(dest))
|
|
|
0e42ca |
+ if rc != 0 {
|
|
|
0e42ca |
+ return "", err
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ scon := NewContext(src)
|
|
|
0e42ca |
+ tcon := NewContext(dest)
|
|
|
0e42ca |
+ tcon.SetLevel(scon.GetLevel())
|
|
|
0e42ca |
+ return tcon.Get(), nil
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func RestoreCon(fpath string, recurse bool) error {
|
|
|
0e42ca |
+ var flabel string
|
|
|
0e42ca |
+ var err error
|
|
|
0e42ca |
+ var fs os.FileInfo
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ if !SelinuxEnabled() {
|
|
|
0e42ca |
+ return nil
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ if recurse {
|
|
|
0e42ca |
+ var paths []string
|
|
|
0e42ca |
+ var err error
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ if paths, err = filepath.Glob(path.Join(fpath, "**", "*")); err != nil {
|
|
|
0e42ca |
+ return fmt.Errorf("Unable to find directory %v: %v", fpath, err)
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ for _, fpath := range paths {
|
|
|
0e42ca |
+ if err = RestoreCon(fpath, false); err != nil {
|
|
|
0e42ca |
+ return fmt.Errorf("Unable to restore selinux context for %v: %v", fpath, err)
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ return nil
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ if fs, err = os.Stat(fpath); err != nil {
|
|
|
0e42ca |
+ return fmt.Errorf("Unable stat %v: %v", fpath, err)
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ if flabel, err = Matchpathcon(fpath, fs.Mode()); flabel == "" {
|
|
|
0e42ca |
+ return fmt.Errorf("Unable to get context for %v: %v", fpath, err)
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ if rc, err := Setfilecon(fpath, flabel); rc != 0 {
|
|
|
0e42ca |
+ return fmt.Errorf("Unable to set selinux context for %v: %v", fpath, err)
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ return nil
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func Test() {
|
|
|
0e42ca |
+ var plabel, flabel string
|
|
|
0e42ca |
+ if !SelinuxEnabled() {
|
|
|
0e42ca |
+ return
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ plabel, flabel = GetLxcContexts()
|
|
|
0e42ca |
+ fmt.Println(plabel)
|
|
|
0e42ca |
+ fmt.Println(flabel)
|
|
|
0e42ca |
+ freeContext(plabel)
|
|
|
0e42ca |
+ plabel, flabel = GetLxcContexts()
|
|
|
0e42ca |
+ fmt.Println(plabel)
|
|
|
0e42ca |
+ fmt.Println(flabel)
|
|
|
0e42ca |
+ freeContext(plabel)
|
|
|
0e42ca |
+ if SelinuxEnabled() {
|
|
|
0e42ca |
+ fmt.Println("Enabled")
|
|
|
0e42ca |
+ } else {
|
|
|
0e42ca |
+ fmt.Println("Disabled")
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ fmt.Println("getenforce ", SelinuxGetEnforce())
|
|
|
0e42ca |
+ fmt.Println("getenforcemode ", SelinuxGetEnforceMode())
|
|
|
0e42ca |
+ flabel, _ = Matchpathcon("/home/dwalsh/.emacs", 0)
|
|
|
0e42ca |
+ fmt.Println(flabel)
|
|
|
0e42ca |
+ pid := os.Getpid()
|
|
|
0e42ca |
+ fmt.Printf("PID:%d MCS:%s\n", pid, IntToMcs(pid, 1023))
|
|
|
0e42ca |
+ fmt.Println(Getcon())
|
|
|
0e42ca |
+ fmt.Println(Getfilecon("/etc/passwd"))
|
|
|
0e42ca |
+ fmt.Println(Getpidcon(1))
|
|
|
0e42ca |
+ Setfscreatecon("unconfined_u:unconfined_r:unconfined_t:s0")
|
|
|
0e42ca |
+ fmt.Println(Getfscreatecon())
|
|
|
0e42ca |
+ Setfscreatecon("")
|
|
|
0e42ca |
+ fmt.Println(Getfscreatecon())
|
|
|
0e42ca |
+ fmt.Println(Getpidcon(1))
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
diff --git libselinux-2.5/golang/test.go libselinux-2.5/golang/test.go
|
|
|
0e42ca |
new file mode 100644
|
|
|
0e42ca |
index 0000000..fed6de8
|
|
|
0e42ca |
--- /dev/null
|
|
|
0e42ca |
+++ libselinux-2.5/golang/test.go
|
|
|
0e42ca |
@@ -0,0 +1,9 @@
|
|
|
0e42ca |
+package main
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+import (
|
|
|
0e42ca |
+ "./selinux"
|
|
|
0e42ca |
+)
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+func main() {
|
|
|
0e42ca |
+ selinux.Test()
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
diff --git libselinux-2.5/include/selinux/av_permissions.h libselinux-2.5/include/selinux/av_permissions.h
|
|
|
0e42ca |
index c1269af..631f027 100644
|
|
|
0e42ca |
--- libselinux-2.5/include/selinux/av_permissions.h
|
|
|
0e42ca |
+++ libselinux-2.5/include/selinux/av_permissions.h
|
|
|
0e42ca |
@@ -876,6 +876,8 @@
|
|
|
0e42ca |
#define NSCD__SHMEMHOST 0x00000080UL
|
|
|
0e42ca |
#define NSCD__GETSERV 0x00000100UL
|
|
|
0e42ca |
#define NSCD__SHMEMSERV 0x00000200UL
|
|
|
0e42ca |
+#define NSCD__GETNETGRP 0x00000400UL
|
|
|
0e42ca |
+#define NSCD__SHMEMNETGRP 0x00000800UL
|
|
|
0e42ca |
#define ASSOCIATION__SENDTO 0x00000001UL
|
|
|
0e42ca |
#define ASSOCIATION__RECVFROM 0x00000002UL
|
|
|
0e42ca |
#define ASSOCIATION__SETCONTEXT 0x00000004UL
|
|
|
0e42ca |
diff --git libselinux-2.5/include/selinux/selinux.h libselinux-2.5/include/selinux/selinux.h
|
|
|
0e42ca |
index 2262086..3d8673f 100644
|
|
|
0e42ca |
--- libselinux-2.5/include/selinux/selinux.h
|
|
|
0e42ca |
+++ libselinux-2.5/include/selinux/selinux.h
|
|
|
0e42ca |
@@ -544,6 +544,7 @@ extern const char *selinux_lxc_contexts_path(void);
|
|
|
0e42ca |
extern const char *selinux_x_context_path(void);
|
|
|
0e42ca |
extern const char *selinux_sepgsql_context_path(void);
|
|
|
0e42ca |
extern const char *selinux_openssh_contexts_path(void);
|
|
|
0e42ca |
+extern const char *selinux_snapperd_contexts_path(void);
|
|
|
0e42ca |
extern const char *selinux_systemd_contexts_path(void);
|
|
|
0e42ca |
extern const char *selinux_contexts_path(void);
|
|
|
0e42ca |
extern const char *selinux_securetty_types_path(void);
|
|
|
0e42ca |
diff --git libselinux-2.5/man/man3/avc_add_callback.3 libselinux-2.5/man/man3/avc_add_callback.3
|
|
|
0e42ca |
index dbfe72d..bdbbadf 100644
|
|
|
0e42ca |
--- libselinux-2.5/man/man3/avc_add_callback.3
|
|
|
0e42ca |
+++ libselinux-2.5/man/man3/avc_add_callback.3
|
|
|
0e42ca |
@@ -57,7 +57,7 @@ and will cause any SID to match.
|
|
|
0e42ca |
.I callback
|
|
|
0e42ca |
is the callback function provided by the userspace object manager. The
|
|
|
0e42ca |
.I event
|
|
|
0e42ca |
-argument indicates the security event which occured; the remaining arguments
|
|
|
0e42ca |
+argument indicates the security event which occurred; the remaining arguments
|
|
|
0e42ca |
are interpreted according to the event as described below. The return value
|
|
|
0e42ca |
of the callback should be zero on success, \-1 on error with
|
|
|
0e42ca |
.I errno
|
|
|
0e42ca |
@@ -175,7 +175,7 @@ If the userspace AVC is running in threaded mode, callbacks registered via
|
|
|
0e42ca |
may be executed in the context of the netlink handler thread. This will likely introduce synchronization issues requiring the use of locks. See
|
|
|
0e42ca |
.BR avc_init (3).
|
|
|
0e42ca |
|
|
|
0e42ca |
-Support for dynamic revocation and retained permissions is mostly unimplemented in the SELinux kernel module. The only security event that currently gets excercised is
|
|
|
0e42ca |
+Support for dynamic revocation and retained permissions is mostly unimplemented in the SELinux kernel module. The only security event that currently gets exercised is
|
|
|
0e42ca |
.BR AVC_CALLBACK_RESET .
|
|
|
0e42ca |
.
|
|
|
0e42ca |
.SH "AUTHOR"
|
|
|
0e42ca |
diff --git libselinux-2.5/man/man3/avc_has_perm.3 libselinux-2.5/man/man3/avc_has_perm.3
|
|
|
0e42ca |
index 7353952..3e9fca8 100644
|
|
|
0e42ca |
--- libselinux-2.5/man/man3/avc_has_perm.3
|
|
|
0e42ca |
+++ libselinux-2.5/man/man3/avc_has_perm.3
|
|
|
0e42ca |
@@ -108,7 +108,7 @@ for the first time.
|
|
|
0e42ca |
Using an uninitialized structure will produce undefined behavior.
|
|
|
0e42ca |
.
|
|
|
0e42ca |
.SH "RETURN VALUE"
|
|
|
0e42ca |
-If requested permissions are granted, zero is returned. If requested permissions are denied or an error occured, \-1 is returned and
|
|
|
0e42ca |
+If requested permissions are granted, zero is returned. If requested permissions are denied or an error occurred, \-1 is returned and
|
|
|
0e42ca |
.I errno
|
|
|
0e42ca |
is set appropriately.
|
|
|
0e42ca |
|
|
|
0e42ca |
diff --git libselinux-2.5/man/man3/getfilecon.3 libselinux-2.5/man/man3/getfilecon.3
|
|
|
0e42ca |
index 5bb575b..ec02866 100644
|
|
|
0e42ca |
--- libselinux-2.5/man/man3/getfilecon.3
|
|
|
0e42ca |
+++ libselinux-2.5/man/man3/getfilecon.3
|
|
|
0e42ca |
@@ -20,7 +20,10 @@ getfilecon, fgetfilecon, lgetfilecon \- get SELinux security context of a file
|
|
|
0e42ca |
.SH "DESCRIPTION"
|
|
|
0e42ca |
.BR getfilecon ()
|
|
|
0e42ca |
retrieves the context associated with the given path in the file system, the
|
|
|
0e42ca |
-length of the context is returned.
|
|
|
0e42ca |
+length of the context is returned. The context should not be used in
|
|
|
0e42ca |
+selinux_access_check as this function can return a cached value, which is not
|
|
|
0e42ca |
+suitable for access checking. It should only be used to print translated value
|
|
|
0e42ca |
+to the user.
|
|
|
0e42ca |
|
|
|
0e42ca |
.BR lgetfilecon ()
|
|
|
0e42ca |
is identical to
|
|
|
0e42ca |
diff --git libselinux-2.5/man/man3/is_selinux_enabled.3 libselinux-2.5/man/man3/is_selinux_enabled.3
|
|
|
0e42ca |
index f02052c..df62c22 100644
|
|
|
0e42ca |
--- libselinux-2.5/man/man3/is_selinux_enabled.3
|
|
|
0e42ca |
+++ libselinux-2.5/man/man3/is_selinux_enabled.3
|
|
|
0e42ca |
@@ -3,7 +3,7 @@
|
|
|
0e42ca |
is_selinux_enabled \- check whether SELinux is enabled
|
|
|
0e42ca |
.
|
|
|
0e42ca |
.SH "NAME"
|
|
|
0e42ca |
-is_selinux_mls_enabled \- check whether SELinux is enabled for (Multi Level Securty) MLS
|
|
|
0e42ca |
+is_selinux_mls_enabled \- check whether SELinux is enabled for (Multi Level Security) MLS
|
|
|
0e42ca |
.
|
|
|
0e42ca |
.SH "SYNOPSIS"
|
|
|
0e42ca |
.B #include <selinux/selinux.h>
|
|
|
0e42ca |
@@ -18,7 +18,9 @@ returns 1 if SELinux is running or 0 if it is not.
|
|
|
0e42ca |
On error, \-1 is returned.
|
|
|
0e42ca |
|
|
|
0e42ca |
.BR is_selinux_mls_enabled ()
|
|
|
0e42ca |
-returns 1 if SELinux is running in MLS mode or 0 if it is not.
|
|
|
0e42ca |
+returns 1 if SELinux is capable of running in MLS mode or 0 if it is not. To
|
|
|
0e42ca |
+determine the policy in use on the system, use
|
|
|
0e42ca |
+.BR selinux_getpolicytype (3).
|
|
|
0e42ca |
.
|
|
|
0e42ca |
.SH "SEE ALSO"
|
|
|
0e42ca |
.BR selinux "(8)"
|
|
|
0e42ca |
diff --git libselinux-2.5/man/man3/security_disable.3 libselinux-2.5/man/man3/security_disable.3
|
|
|
0e42ca |
index c75ce0d..072923c 100644
|
|
|
0e42ca |
--- libselinux-2.5/man/man3/security_disable.3
|
|
|
0e42ca |
+++ libselinux-2.5/man/man3/security_disable.3
|
|
|
0e42ca |
@@ -12,7 +12,7 @@ security_disable \- disable the SELinux kernel code at runtime
|
|
|
0e42ca |
disables the SELinux kernel code, unregisters selinuxfs from
|
|
|
0e42ca |
.IR /proc/filesystems ,
|
|
|
0e42ca |
and then unmounts
|
|
|
0e42ca |
-.IR /selinux .
|
|
|
0e42ca |
+.IR /sys/fs/selinux .
|
|
|
0e42ca |
.sp
|
|
|
0e42ca |
This function can only be called at runtime and prior to the initial policy
|
|
|
0e42ca |
load. After the initial policy load, the SELinux kernel code cannot be disabled,
|
|
|
0e42ca |
diff --git libselinux-2.5/man/man3/selinux_getpolicytype.3 libselinux-2.5/man/man3/selinux_getpolicytype.3
|
|
|
0e42ca |
index c947e2c..b219d42 100644
|
|
|
0e42ca |
--- libselinux-2.5/man/man3/selinux_getpolicytype.3
|
|
|
0e42ca |
+++ libselinux-2.5/man/man3/selinux_getpolicytype.3
|
|
|
0e42ca |
@@ -13,7 +13,10 @@ Reads the contents of the
|
|
|
0e42ca |
.I /etc/selinux/config
|
|
|
0e42ca |
file to determine the SELinux policy used on the system, and sets
|
|
|
0e42ca |
.I \%policytype
|
|
|
0e42ca |
-accordinly.
|
|
|
0e42ca |
+accordingly. Free
|
|
|
0e42ca |
+.I \%policytype
|
|
|
0e42ca |
+with
|
|
|
0e42ca |
+.BR free (3).
|
|
|
0e42ca |
.
|
|
|
0e42ca |
.SH "RETURN VALUE"
|
|
|
0e42ca |
On success, zero is returned.
|
|
|
0e42ca |
diff --git libselinux-2.5/man/man3/selinux_status_open.3 libselinux-2.5/man/man3/selinux_status_open.3
|
|
|
0e42ca |
index f779dd9..2d44be5 100644
|
|
|
0e42ca |
--- libselinux-2.5/man/man3/selinux_status_open.3
|
|
|
0e42ca |
+++ libselinux-2.5/man/man3/selinux_status_open.3
|
|
|
0e42ca |
@@ -23,7 +23,7 @@ without invocation of system calls
|
|
|
0e42ca |
.SH "DESCRIPTION"
|
|
|
0e42ca |
Linux 2.6.37 or later provides a SELinux kernel status page; being mostly
|
|
|
0e42ca |
placed on
|
|
|
0e42ca |
-.I /selinux/status
|
|
|
0e42ca |
+.I /sys/fs/selinux/status
|
|
|
0e42ca |
entry. It enables userspace applications to mmap this page with read-only
|
|
|
0e42ca |
mode, then it informs some status without system call invocations.
|
|
|
0e42ca |
.sp
|
|
|
0e42ca |
@@ -38,7 +38,7 @@ without system-call invocation or worker thread for monitoring.
|
|
|
0e42ca |
.BR selinux_status_open ()
|
|
|
0e42ca |
tries to
|
|
|
0e42ca |
.BR open (2)
|
|
|
0e42ca |
-.I /selinux/status
|
|
|
0e42ca |
+.I /sys/fs/selinux/status
|
|
|
0e42ca |
and
|
|
|
0e42ca |
.BR mmap (2)
|
|
|
0e42ca |
it in read-only mode. The file-descriptor and pointer to the page shall
|
|
|
0e42ca |
diff --git libselinux-2.5/man/man5/removable_context.5 libselinux-2.5/man/man5/removable_context.5
|
|
|
0e42ca |
index 60aaa93..f16e8bd 100644
|
|
|
0e42ca |
--- libselinux-2.5/man/man5/removable_context.5
|
|
|
0e42ca |
+++ libselinux-2.5/man/man5/removable_context.5
|
|
|
0e42ca |
@@ -3,8 +3,7 @@
|
|
|
0e42ca |
removable_context \- The SELinux removable devices context configuration file
|
|
|
0e42ca |
.
|
|
|
0e42ca |
.SH "DESCRIPTION"
|
|
|
0e42ca |
-This file contains the default label that should be used for removable devices that are not defined in the \fImedia\fR file (that is described in
|
|
|
0e42ca |
-.BR selabel_media "(5)). "
|
|
|
0e42ca |
+This file contains the default label that should be used for removable devices.
|
|
|
0e42ca |
.sp
|
|
|
0e42ca |
.BR selinux_removable_context_path "(3) "
|
|
|
0e42ca |
will return the active policy path to this file. The default removable context file is:
|
|
|
0e42ca |
@@ -34,4 +33,4 @@ A user, role, type and optional range (for MCS/MLS) separated by colons (:) that
|
|
|
0e42ca |
system_u:object_r:removable_t:s0
|
|
|
0e42ca |
.
|
|
|
0e42ca |
.SH "SEE ALSO"
|
|
|
0e42ca |
-.BR selinux "(8), " selinux_removable_context_path "(3), " selabel_media "(5), " selinux_config "(5) "
|
|
|
0e42ca |
+.BR selinux "(8), " selinux_removable_context_path "(3), " selinux_config "(5) "
|
|
|
0e42ca |
diff --git libselinux-2.5/man/man5/selabel_media.5 libselinux-2.5/man/man5/selabel_media.5
|
|
|
0e42ca |
index 395ed0e..b7c28e3 100644
|
|
|
0e42ca |
--- libselinux-2.5/man/man5/selabel_media.5
|
|
|
0e42ca |
+++ libselinux-2.5/man/man5/selabel_media.5
|
|
|
0e42ca |
@@ -52,8 +52,6 @@ The default media contexts file is:
|
|
|
0e42ca |
.RE
|
|
|
0e42ca |
.sp
|
|
|
0e42ca |
Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
|
|
|
0e42ca |
-.sp
|
|
|
0e42ca |
-Should there not be a valid entry in the \fImedia\fR file, then the default \fIremovable_context\fR file will be read (see \fBremovable_context\fR(5)).
|
|
|
0e42ca |
.
|
|
|
0e42ca |
.SH "FILE FORMAT"
|
|
|
0e42ca |
Each line within the \fImedia\fR file is as follows:
|
|
|
0e42ca |
@@ -90,4 +88,4 @@ this is not set, then it is possible for an invalid context to be returned.
|
|
|
0e42ca |
.SH "SEE ALSO"
|
|
|
0e42ca |
.ad l
|
|
|
0e42ca |
.nh
|
|
|
0e42ca |
-.BR selinux "(8), " selabel_open "(3), " selabel_lookup "(3), " selabel_stats "(3), " selabel_close "(3), " selinux_set_callback "(3), " selinux_media_context_path "(3), " freecon "(3), " selinux_config "(5), " removable_context "(5) "
|
|
|
0e42ca |
+.BR selinux "(8), " selabel_open "(3), " selabel_lookup "(3), " selabel_stats "(3), " selabel_close "(3), " selinux_set_callback "(3), " selinux_media_context_path "(3), " freecon "(3), " selinux_config "(5) "
|
|
|
0e42ca |
diff --git libselinux-2.5/man/man8/avcstat.8 libselinux-2.5/man/man8/avcstat.8
|
|
|
0e42ca |
index 204687d..2c4bce1 100644
|
|
|
0e42ca |
--- libselinux-2.5/man/man8/avcstat.8
|
|
|
0e42ca |
+++ libselinux-2.5/man/man8/avcstat.8
|
|
|
0e42ca |
@@ -25,7 +25,7 @@ Display the cumulative values.
|
|
|
0e42ca |
.TP
|
|
|
0e42ca |
.B \-f
|
|
|
0e42ca |
Specifies the location of the AVC statistics file, defaulting to
|
|
|
0e42ca |
-.IR /selinux/avc/cache_stats .
|
|
|
0e42ca |
+.IR /sys/fs/selinux/avc/cache_stats .
|
|
|
0e42ca |
.
|
|
|
0e42ca |
.SH AUTHOR
|
|
|
0e42ca |
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
|
|
0e42ca |
diff --git libselinux-2.5/man/man8/sefcontext_compile.8 libselinux-2.5/man/man8/sefcontext_compile.8
|
|
|
0e42ca |
index b77ff3a..4eae173 100644
|
|
|
0e42ca |
--- libselinux-2.5/man/man8/sefcontext_compile.8
|
|
|
0e42ca |
+++ libselinux-2.5/man/man8/sefcontext_compile.8
|
|
|
0e42ca |
@@ -13,14 +13,14 @@ sefcontext_compile \- compile file context regular expression files
|
|
|
0e42ca |
.SH "DESCRIPTION"
|
|
|
0e42ca |
.B sefcontext_compile
|
|
|
0e42ca |
is used to compile file context regular expressions into
|
|
|
0e42ca |
-.BR prce (3)
|
|
|
0e42ca |
+.BR pcre (3)
|
|
|
0e42ca |
format.
|
|
|
0e42ca |
.sp
|
|
|
0e42ca |
The compiled file is used by libselinux file labeling functions.
|
|
|
0e42ca |
.sp
|
|
|
0e42ca |
By default
|
|
|
0e42ca |
.B sefcontext_compile
|
|
|
0e42ca |
-writes the compiled prce file with the
|
|
|
0e42ca |
+writes the compiled pcre file with the
|
|
|
0e42ca |
.B .bin
|
|
|
0e42ca |
suffix appended (e.g. \fIinputfile\fB.bin\fR).
|
|
|
0e42ca |
.SH OPTIONS
|
|
|
0e42ca |
diff --git libselinux-2.5/man/man8/selinux.8 libselinux-2.5/man/man8/selinux.8
|
|
|
0e42ca |
index 6f1034b..c9f188c 100644
|
|
|
0e42ca |
--- libselinux-2.5/man/man8/selinux.8
|
|
|
0e42ca |
+++ libselinux-2.5/man/man8/selinux.8
|
|
|
0e42ca |
@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
|
|
0e42ca |
.BR sepolicy (8),
|
|
|
0e42ca |
.BR system-config-selinux (8),
|
|
|
0e42ca |
.BR togglesebool (8),
|
|
|
0e42ca |
-.BR restorecon (8),
|
|
|
0e42ca |
.BR fixfiles (8),
|
|
|
0e42ca |
+.BR restorecon (8),
|
|
|
0e42ca |
.BR setfiles (8),
|
|
|
0e42ca |
.BR semanage (8),
|
|
|
0e42ca |
-.BR sepolicy(8)
|
|
|
0e42ca |
+.BR sepolicy(8),
|
|
|
0e42ca |
+.BR seinfo(8),
|
|
|
0e42ca |
+.BR sesearch(8)
|
|
|
0e42ca |
|
|
|
0e42ca |
Every confined service on the system has a man page in the following format:
|
|
|
0e42ca |
.br
|
|
|
0e42ca |
diff --git libselinux-2.5/src/Makefile libselinux-2.5/src/Makefile
|
|
|
0e42ca |
index d0021ae..d94163e 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/Makefile
|
|
|
0e42ca |
+++ libselinux-2.5/src/Makefile
|
|
|
0e42ca |
@@ -5,6 +5,7 @@ PYTHON ?= python
|
|
|
0e42ca |
PYPREFIX ?= $(notdir $(PYTHON))
|
|
|
0e42ca |
RUBY ?= ruby
|
|
|
0e42ca |
RUBYPREFIX ?= $(notdir $(RUBY))
|
|
|
0e42ca |
+PKG_CONFIG ?= pkg-config
|
|
|
0e42ca |
|
|
|
0e42ca |
# Installation directories.
|
|
|
0e42ca |
PREFIX ?= $(DESTDIR)/usr
|
|
|
0e42ca |
@@ -12,11 +13,11 @@ LIBDIR ?= $(PREFIX)/lib
|
|
|
0e42ca |
SHLIBDIR ?= $(DESTDIR)/lib
|
|
|
0e42ca |
INCLUDEDIR ?= $(PREFIX)/include
|
|
|
0e42ca |
PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % sys.version_info[0:2])')
|
|
|
0e42ca |
-PYINC ?= $(shell pkg-config --cflags $(PYPREFIX))
|
|
|
0e42ca |
+PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
|
|
|
0e42ca |
PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
|
|
|
0e42ca |
RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")')
|
|
|
0e42ca |
RUBYPLATFORM ?= $(shell $(RUBY) -e 'print RUBY_PLATFORM')
|
|
|
0e42ca |
-RUBYINC ?= $(shell pkg-config --cflags ruby)
|
|
|
0e42ca |
+RUBYINC ?= $(shell $(PKG_CONFIG) --cflags ruby)
|
|
|
0e42ca |
RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
|
|
|
0e42ca |
LIBBASE ?= $(shell basename $(LIBDIR))
|
|
|
0e42ca |
|
|
|
0e42ca |
@@ -48,7 +49,7 @@ ifeq ($(DISABLE_BOOL),y)
|
|
|
0e42ca |
endif
|
|
|
0e42ca |
|
|
|
0e42ca |
GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
|
|
|
0e42ca |
-SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(wildcard *.c))
|
|
|
0e42ca |
+SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(sort $(wildcard *.c)))
|
|
|
0e42ca |
|
|
|
0e42ca |
MAX_STACK_SIZE=32768
|
|
|
0e42ca |
|
|
|
0e42ca |
diff --git libselinux-2.5/src/audit2why.c libselinux-2.5/src/audit2why.c
|
|
|
0e42ca |
index 12745b3..7aca3f0 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/audit2why.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/audit2why.c
|
|
|
0e42ca |
@@ -206,7 +206,7 @@ static int __policy_init(const char *init_path)
|
|
|
0e42ca |
"unable to open %s: %s\n",
|
|
|
0e42ca |
path, strerror(errno));
|
|
|
0e42ca |
PyErr_SetString( PyExc_ValueError, errormsg);
|
|
|
0e42ca |
- return 1;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
} else {
|
|
|
0e42ca |
const char *curpolicy = selinux_current_policy_path();
|
|
|
0e42ca |
@@ -215,7 +215,7 @@ static int __policy_init(const char *init_path)
|
|
|
0e42ca |
snprintf(errormsg, sizeof(errormsg),
|
|
|
0e42ca |
"You must specify the -p option with the path to the policy file.\n");
|
|
|
0e42ca |
PyErr_SetString( PyExc_ValueError, errormsg);
|
|
|
0e42ca |
- return 1;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
fp = fopen(curpolicy, "r");
|
|
|
0e42ca |
if (!fp) {
|
|
|
0e42ca |
@@ -224,7 +224,7 @@ static int __policy_init(const char *init_path)
|
|
|
0e42ca |
curpolicy,
|
|
|
0e42ca |
strerror(errno));
|
|
|
0e42ca |
PyErr_SetString( PyExc_ValueError, errormsg);
|
|
|
0e42ca |
- return 1;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
}
|
|
|
0e42ca |
|
|
|
0e42ca |
@@ -232,7 +232,7 @@ static int __policy_init(const char *init_path)
|
|
|
0e42ca |
if (!avc) {
|
|
|
0e42ca |
PyErr_SetString( PyExc_MemoryError, "Out of memory\n");
|
|
|
0e42ca |
fclose(fp);
|
|
|
0e42ca |
- return 1;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
|
|
|
0e42ca |
/* Set up a policydb directly so that we can mutate it later
|
|
|
0e42ca |
@@ -244,7 +244,7 @@ static int __policy_init(const char *init_path)
|
|
|
0e42ca |
"policydb_init failed: %s\n", strerror(errno));
|
|
|
0e42ca |
PyErr_SetString( PyExc_RuntimeError, errormsg);
|
|
|
0e42ca |
fclose(fp);
|
|
|
0e42ca |
- return 1;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
sepol_policy_file_set_fp(pf, fp);
|
|
|
0e42ca |
if (sepol_policydb_read(avc->policydb, pf)) {
|
|
|
0e42ca |
@@ -252,7 +252,7 @@ static int __policy_init(const char *init_path)
|
|
|
0e42ca |
"invalid binary policy %s\n", path);
|
|
|
0e42ca |
PyErr_SetString( PyExc_ValueError, errormsg);
|
|
|
0e42ca |
fclose(fp);
|
|
|
0e42ca |
- return 1;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
fclose(fp);
|
|
|
0e42ca |
sepol_set_policydb(&avc->policydb->p);
|
|
|
0e42ca |
@@ -264,13 +264,13 @@ static int __policy_init(const char *init_path)
|
|
|
0e42ca |
avc->policydb, &cnt);
|
|
|
0e42ca |
if (rc < 0) {
|
|
|
0e42ca |
PyErr_SetString( PyExc_RuntimeError, "unable to get bool count\n");
|
|
|
0e42ca |
- return 1;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
|
|
|
0e42ca |
boollist = calloc(cnt, sizeof(*boollist));
|
|
|
0e42ca |
if (!boollist) {
|
|
|
0e42ca |
PyErr_SetString( PyExc_MemoryError, "Out of memory\n");
|
|
|
0e42ca |
- return 1;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
|
|
|
0e42ca |
sepol_bool_iterate(avc->handle, avc->policydb,
|
|
|
0e42ca |
@@ -282,7 +282,7 @@ static int __policy_init(const char *init_path)
|
|
|
0e42ca |
if (rc < 0) {
|
|
|
0e42ca |
PyErr_SetString( PyExc_RuntimeError, "unable to init sidtab\n");
|
|
|
0e42ca |
free(boollist);
|
|
|
0e42ca |
- return 1;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
sepol_set_sidtab(&sidtab);
|
|
|
0e42ca |
return 0;
|
|
|
0e42ca |
@@ -298,6 +298,8 @@ static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) {
|
|
|
0e42ca |
if (!PyArg_ParseTuple(args,(char *)"|s:policy_init",&init_path))
|
|
|
0e42ca |
return NULL;
|
|
|
0e42ca |
result = __policy_init(init_path);
|
|
|
0e42ca |
+ if (result == -1)
|
|
|
0e42ca |
+ return NULL;
|
|
|
0e42ca |
return Py_BuildValue("i", result);
|
|
|
0e42ca |
}
|
|
|
0e42ca |
|
|
|
0e42ca |
@@ -343,8 +345,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
|
|
|
0e42ca |
if (rc < 0)
|
|
|
0e42ca |
RETURN(BADTCON)
|
|
|
0e42ca |
|
|
|
0e42ca |
- tclass = string_to_security_class(tclassstr);
|
|
|
0e42ca |
- if (!tclass)
|
|
|
0e42ca |
+ rc = sepol_string_to_security_class(tclassstr, &tclass);
|
|
|
0e42ca |
+ if (rc < 0)
|
|
|
0e42ca |
RETURN(BADTCLASS)
|
|
|
0e42ca |
|
|
|
0e42ca |
/* Convert the permission list to an AV. */
|
|
|
0e42ca |
@@ -365,8 +367,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
|
|
|
0e42ca |
permstr = PyString_AsString( strObj );
|
|
|
0e42ca |
#endif
|
|
|
0e42ca |
|
|
|
0e42ca |
- perm = string_to_av_perm(tclass, permstr);
|
|
|
0e42ca |
- if (!perm)
|
|
|
0e42ca |
+ rc = sepol_string_to_av_perm(tclass, permstr, &perm);
|
|
|
0e42ca |
+ if (rc < 0)
|
|
|
0e42ca |
RETURN(BADPERM)
|
|
|
0e42ca |
|
|
|
0e42ca |
av |= perm;
|
|
|
0e42ca |
diff --git libselinux-2.5/src/avc_sidtab.c libselinux-2.5/src/avc_sidtab.c
|
|
|
0e42ca |
index 9669264..c775430 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/avc_sidtab.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/avc_sidtab.c
|
|
|
0e42ca |
@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s,
|
|
|
0e42ca |
int hvalue, rc = 0;
|
|
|
0e42ca |
struct sidtab_node *cur;
|
|
|
0e42ca |
|
|
|
0e42ca |
+ if (! ctx) {
|
|
|
0e42ca |
+ errno=EINVAL;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+
|
|
|
0e42ca |
*sid = NULL;
|
|
|
0e42ca |
hvalue = sidtab_hash(ctx);
|
|
|
0e42ca |
|
|
|
0e42ca |
diff --git libselinux-2.5/src/booleans.c libselinux-2.5/src/booleans.c
|
|
|
0e42ca |
index 4b39a28..6a96b4a 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/booleans.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/booleans.c
|
|
|
0e42ca |
@@ -53,6 +53,7 @@ int security_get_boolean_names(char ***names, int *len)
|
|
|
0e42ca |
snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR);
|
|
|
0e42ca |
*len = scandir(path, &namelist, &filename_select, alphasort);
|
|
|
0e42ca |
if (*len <= 0) {
|
|
|
0e42ca |
+ errno = ENOENT;
|
|
|
0e42ca |
return -1;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
|
|
|
0e42ca |
diff --git libselinux-2.5/src/canonicalize_context.c libselinux-2.5/src/canonicalize_context.c
|
|
|
0e42ca |
index 7cf3139..364a746 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/canonicalize_context.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/canonicalize_context.c
|
|
|
0e42ca |
@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con,
|
|
|
0e42ca |
size_t size;
|
|
|
0e42ca |
int fd, ret;
|
|
|
0e42ca |
|
|
|
0e42ca |
+ if (! con) {
|
|
|
0e42ca |
+ errno=EINVAL;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+
|
|
|
0e42ca |
if (!selinux_mnt) {
|
|
|
0e42ca |
errno = ENOENT;
|
|
|
0e42ca |
return -1;
|
|
|
0e42ca |
diff --git libselinux-2.5/src/check_context.c libselinux-2.5/src/check_context.c
|
|
|
0e42ca |
index 52063fa..234749c 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/check_context.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/check_context.c
|
|
|
0e42ca |
@@ -14,6 +14,11 @@ int security_check_context_raw(const char * con)
|
|
|
0e42ca |
char path[PATH_MAX];
|
|
|
0e42ca |
int fd, ret;
|
|
|
0e42ca |
|
|
|
0e42ca |
+ if (! con) {
|
|
|
0e42ca |
+ errno=EINVAL;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+
|
|
|
0e42ca |
if (!selinux_mnt) {
|
|
|
0e42ca |
errno = ENOENT;
|
|
|
0e42ca |
return -1;
|
|
|
0e42ca |
diff --git libselinux-2.5/src/compute_av.c libselinux-2.5/src/compute_av.c
|
|
|
0e42ca |
index 937e5c3..35ace7f 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/compute_av.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/compute_av.c
|
|
|
0e42ca |
@@ -26,6 +26,11 @@ int security_compute_av_flags_raw(const char * scon,
|
|
|
0e42ca |
return -1;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
|
|
|
0e42ca |
+ if ((! scon) || (! tcon)) {
|
|
|
0e42ca |
+ errno=EINVAL;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+
|
|
|
0e42ca |
snprintf(path, sizeof path, "%s/access", selinux_mnt);
|
|
|
0e42ca |
fd = open(path, O_RDWR);
|
|
|
0e42ca |
if (fd < 0)
|
|
|
0e42ca |
diff --git libselinux-2.5/src/compute_create.c libselinux-2.5/src/compute_create.c
|
|
|
0e42ca |
index 9559d42..14a65d1 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/compute_create.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/compute_create.c
|
|
|
0e42ca |
@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon,
|
|
|
0e42ca |
return -1;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
|
|
|
0e42ca |
+ if ((! scon) || (! tcon)) {
|
|
|
0e42ca |
+ errno=EINVAL;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+
|
|
|
0e42ca |
snprintf(path, sizeof path, "%s/create", selinux_mnt);
|
|
|
0e42ca |
fd = open(path, O_RDWR);
|
|
|
0e42ca |
if (fd < 0)
|
|
|
0e42ca |
diff --git libselinux-2.5/src/compute_member.c libselinux-2.5/src/compute_member.c
|
|
|
0e42ca |
index 1fc7e41..065d996 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/compute_member.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/compute_member.c
|
|
|
0e42ca |
@@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon,
|
|
|
0e42ca |
return -1;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
|
|
|
0e42ca |
+ if ((! scon) || (! tcon)) {
|
|
|
0e42ca |
+ errno=EINVAL;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+
|
|
|
0e42ca |
snprintf(path, sizeof path, "%s/member", selinux_mnt);
|
|
|
0e42ca |
fd = open(path, O_RDWR);
|
|
|
0e42ca |
if (fd < 0)
|
|
|
0e42ca |
diff --git libselinux-2.5/src/compute_relabel.c libselinux-2.5/src/compute_relabel.c
|
|
|
0e42ca |
index 4615aee..cc77f36 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/compute_relabel.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/compute_relabel.c
|
|
|
0e42ca |
@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon,
|
|
|
0e42ca |
return -1;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
|
|
|
0e42ca |
+ if ((! scon) || (! tcon)) {
|
|
|
0e42ca |
+ errno=EINVAL;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+
|
|
|
0e42ca |
snprintf(path, sizeof path, "%s/relabel", selinux_mnt);
|
|
|
0e42ca |
fd = open(path, O_RDWR);
|
|
|
0e42ca |
if (fd < 0)
|
|
|
0e42ca |
diff --git libselinux-2.5/src/compute_user.c libselinux-2.5/src/compute_user.c
|
|
|
0e42ca |
index b37c5d3..7703c26 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/compute_user.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/compute_user.c
|
|
|
0e42ca |
@@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon,
|
|
|
0e42ca |
return -1;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
|
|
|
0e42ca |
+ if (! scon) {
|
|
|
0e42ca |
+ errno=EINVAL;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+
|
|
|
0e42ca |
snprintf(path, sizeof path, "%s/user", selinux_mnt);
|
|
|
0e42ca |
fd = open(path, O_RDWR);
|
|
|
0e42ca |
if (fd < 0)
|
|
|
0e42ca |
diff --git libselinux-2.5/src/exception.sh libselinux-2.5/src/exception.sh
|
|
|
0e42ca |
index b7cff7e..a58bf3f 100755
|
|
|
0e42ca |
--- libselinux-2.5/src/exception.sh
|
|
|
0e42ca |
+++ libselinux-2.5/src/exception.sh
|
|
|
0e42ca |
@@ -15,6 +15,6 @@ echo "
|
|
|
0e42ca |
;;
|
|
|
0e42ca |
esac
|
|
|
0e42ca |
}
|
|
|
0e42ca |
-gcc -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h
|
|
|
0e42ca |
+${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h
|
|
|
0e42ca |
for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done
|
|
|
0e42ca |
rm -f -- temp.aux -.o
|
|
|
0e42ca |
diff --git libselinux-2.5/src/file_path_suffixes.h libselinux-2.5/src/file_path_suffixes.h
|
|
|
0e42ca |
index d1f9b48..95b228b 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/file_path_suffixes.h
|
|
|
0e42ca |
+++ libselinux-2.5/src/file_path_suffixes.h
|
|
|
0e42ca |
@@ -24,6 +24,7 @@ S_(BINPOLICY, "/policy/policy")
|
|
|
0e42ca |
S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context")
|
|
|
0e42ca |
S_(LXC_CONTEXTS, "/contexts/lxc_contexts")
|
|
|
0e42ca |
S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts")
|
|
|
0e42ca |
+ S_(SNAPPERD_CONTEXTS, "/contexts/snapperd_contexts")
|
|
|
0e42ca |
S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts")
|
|
|
0e42ca |
S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs")
|
|
|
0e42ca |
S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist")
|
|
|
0e42ca |
diff --git libselinux-2.5/src/fsetfilecon.c libselinux-2.5/src/fsetfilecon.c
|
|
|
0e42ca |
index 52707d0..0cbe12d 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/fsetfilecon.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/fsetfilecon.c
|
|
|
0e42ca |
@@ -9,8 +9,12 @@
|
|
|
0e42ca |
|
|
|
0e42ca |
int fsetfilecon_raw(int fd, const char * context)
|
|
|
0e42ca |
{
|
|
|
0e42ca |
- int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1,
|
|
|
0e42ca |
- 0);
|
|
|
0e42ca |
+ int rc;
|
|
|
0e42ca |
+ if (! context) {
|
|
|
0e42ca |
+ errno=EINVAL;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
|
|
|
0e42ca |
if (rc < 0 && errno == ENOTSUP) {
|
|
|
0e42ca |
char * ccontext = NULL;
|
|
|
0e42ca |
int err = errno;
|
|
|
0e42ca |
diff --git libselinux-2.5/src/init.c libselinux-2.5/src/init.c
|
|
|
0e42ca |
index 3db4de0..3c687a2 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/init.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/init.c
|
|
|
0e42ca |
@@ -11,7 +11,6 @@
|
|
|
0e42ca |
#include <sys/vfs.h>
|
|
|
0e42ca |
#include <stdint.h>
|
|
|
0e42ca |
#include <limits.h>
|
|
|
0e42ca |
-#include <sys/mount.h>
|
|
|
0e42ca |
|
|
|
0e42ca |
#include "dso.h"
|
|
|
0e42ca |
#include "policy.h"
|
|
|
0e42ca |
@@ -57,20 +56,15 @@ static int verify_selinuxmnt(const char *mnt)
|
|
|
0e42ca |
|
|
|
0e42ca |
int selinuxfs_exists(void)
|
|
|
0e42ca |
{
|
|
|
0e42ca |
- int exists = 0, mnt_rc = 0;
|
|
|
0e42ca |
+ int exists = 0;
|
|
|
0e42ca |
FILE *fp = NULL;
|
|
|
0e42ca |
char *buf = NULL;
|
|
|
0e42ca |
size_t len;
|
|
|
0e42ca |
ssize_t num;
|
|
|
0e42ca |
|
|
|
0e42ca |
- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
|
|
|
0e42ca |
-
|
|
|
0e42ca |
fp = fopen("/proc/filesystems", "r");
|
|
|
0e42ca |
- if (!fp) {
|
|
|
0e42ca |
- exists = 1; /* Fail as if it exists */
|
|
|
0e42ca |
- goto out;
|
|
|
0e42ca |
- }
|
|
|
0e42ca |
-
|
|
|
0e42ca |
+ if (!fp)
|
|
|
0e42ca |
+ return 1; /* Fail as if it exists */
|
|
|
0e42ca |
__fsetlocking(fp, FSETLOCKING_BYCALLER);
|
|
|
0e42ca |
|
|
|
0e42ca |
num = getline(&buf, &len, fp);
|
|
|
0e42ca |
@@ -84,14 +78,6 @@ int selinuxfs_exists(void)
|
|
|
0e42ca |
|
|
|
0e42ca |
free(buf);
|
|
|
0e42ca |
fclose(fp);
|
|
|
0e42ca |
-
|
|
|
0e42ca |
-out:
|
|
|
0e42ca |
-#ifndef MNT_DETACH
|
|
|
0e42ca |
-#define MNT_DETACH 2
|
|
|
0e42ca |
-#endif
|
|
|
0e42ca |
- if (mnt_rc == 0)
|
|
|
0e42ca |
- umount2("/proc", MNT_DETACH);
|
|
|
0e42ca |
-
|
|
|
0e42ca |
return exists;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
hidden_def(selinuxfs_exists)
|
|
|
0e42ca |
diff --git libselinux-2.5/src/label_file.c libselinux-2.5/src/label_file.c
|
|
|
0e42ca |
index 071d902..c89bb35 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/label_file.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/label_file.c
|
|
|
0e42ca |
@@ -388,18 +388,21 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
|
|
|
0e42ca |
rc = -1;
|
|
|
0e42ca |
goto err;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
- spec->lsd.study_data = (void *)mmap_area->next_addr;
|
|
|
0e42ca |
- spec->lsd.flags |= PCRE_EXTRA_STUDY_DATA;
|
|
|
0e42ca |
- rc = next_entry(NULL, mmap_area, entry_len);
|
|
|
0e42ca |
- if (rc < 0)
|
|
|
0e42ca |
- goto err;
|
|
|
0e42ca |
|
|
|
0e42ca |
- /* Check that study data lengths match. */
|
|
|
0e42ca |
- rc = pcre_fullinfo(spec->regex, &spec->lsd,
|
|
|
0e42ca |
- PCRE_INFO_STUDYSIZE, &len;;
|
|
|
0e42ca |
- if (rc < 0 || len != entry_len) {
|
|
|
0e42ca |
- rc = -1;
|
|
|
0e42ca |
- goto err;
|
|
|
0e42ca |
+ if (entry_len) {
|
|
|
0e42ca |
+ spec->lsd.study_data = (void *)mmap_area->next_addr;
|
|
|
0e42ca |
+ spec->lsd.flags |= PCRE_EXTRA_STUDY_DATA;
|
|
|
0e42ca |
+ rc = next_entry(NULL, mmap_area, entry_len);
|
|
|
0e42ca |
+ if (rc < 0)
|
|
|
0e42ca |
+ goto err;
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ /* Check that study data lengths match. */
|
|
|
0e42ca |
+ rc = pcre_fullinfo(spec->regex, &spec->lsd,
|
|
|
0e42ca |
+ PCRE_INFO_STUDYSIZE, &len;;
|
|
|
0e42ca |
+ if (rc < 0 || len != entry_len) {
|
|
|
0e42ca |
+ rc = -1;
|
|
|
0e42ca |
+ goto err;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
}
|
|
|
0e42ca |
|
|
|
0e42ca |
data->nspec++;
|
|
|
0e42ca |
diff --git libselinux-2.5/src/label_file.h libselinux-2.5/src/label_file.h
|
|
|
0e42ca |
index 72fed1f..6d1e890 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/label_file.h
|
|
|
0e42ca |
+++ libselinux-2.5/src/label_file.h
|
|
|
0e42ca |
@@ -80,9 +80,12 @@ struct saved_data {
|
|
|
0e42ca |
|
|
|
0e42ca |
static inline pcre_extra *get_pcre_extra(struct spec *spec)
|
|
|
0e42ca |
{
|
|
|
0e42ca |
- if (spec->from_mmap)
|
|
|
0e42ca |
- return &spec->lsd;
|
|
|
0e42ca |
- else
|
|
|
0e42ca |
+ if (spec->from_mmap) {
|
|
|
0e42ca |
+ if (spec->lsd.study_data)
|
|
|
0e42ca |
+ return &spec->lsd;
|
|
|
0e42ca |
+ else
|
|
|
0e42ca |
+ return NULL;
|
|
|
0e42ca |
+ } else
|
|
|
0e42ca |
return spec->sd;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
|
|
|
0e42ca |
diff --git libselinux-2.5/src/load_policy.c libselinux-2.5/src/load_policy.c
|
|
|
0e42ca |
index 21ee58b..4f39fc7 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/load_policy.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/load_policy.c
|
|
|
0e42ca |
@@ -17,6 +17,10 @@
|
|
|
0e42ca |
#include "policy.h"
|
|
|
0e42ca |
#include <limits.h>
|
|
|
0e42ca |
|
|
|
0e42ca |
+#ifndef MNT_DETACH
|
|
|
0e42ca |
+#define MNT_DETACH 2
|
|
|
0e42ca |
+#endif
|
|
|
0e42ca |
+
|
|
|
0e42ca |
int security_load_policy(void *data, size_t len)
|
|
|
0e42ca |
{
|
|
|
0e42ca |
char path[PATH_MAX];
|
|
|
0e42ca |
@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforce)
|
|
|
0e42ca |
fclose(cfg);
|
|
|
0e42ca |
free(buf);
|
|
|
0e42ca |
}
|
|
|
0e42ca |
-#ifndef MNT_DETACH
|
|
|
0e42ca |
-#define MNT_DETACH 2
|
|
|
0e42ca |
-#endif
|
|
|
0e42ca |
- if (rc == 0)
|
|
|
0e42ca |
- umount2("/proc", MNT_DETACH);
|
|
|
0e42ca |
|
|
|
0e42ca |
/*
|
|
|
0e42ca |
* Determine the final desired mode.
|
|
|
0e42ca |
@@ -400,11 +399,17 @@ int selinux_init_load_policy(int *enforce)
|
|
|
0e42ca |
/* Only emit this error if selinux was not disabled */
|
|
|
0e42ca |
fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno));
|
|
|
0e42ca |
}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ if (rc == 0)
|
|
|
0e42ca |
+ umount2("/proc", MNT_DETACH);
|
|
|
0e42ca |
|
|
|
0e42ca |
goto noload;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
set_selinuxmnt(mntpoint);
|
|
|
0e42ca |
|
|
|
0e42ca |
+ if (rc == 0)
|
|
|
0e42ca |
+ umount2("/proc", MNT_DETACH);
|
|
|
0e42ca |
+
|
|
|
0e42ca |
/*
|
|
|
0e42ca |
* Note: The following code depends on having selinuxfs
|
|
|
0e42ca |
* already mounted and selinuxmnt set above.
|
|
|
0e42ca |
diff --git libselinux-2.5/src/lsetfilecon.c libselinux-2.5/src/lsetfilecon.c
|
|
|
0e42ca |
index 1d3b28a..ea6d70b 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/lsetfilecon.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/lsetfilecon.c
|
|
|
0e42ca |
@@ -9,8 +9,13 @@
|
|
|
0e42ca |
|
|
|
0e42ca |
int lsetfilecon_raw(const char *path, const char * context)
|
|
|
0e42ca |
{
|
|
|
0e42ca |
- int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
|
|
|
0e42ca |
- 0);
|
|
|
0e42ca |
+ int rc;
|
|
|
0e42ca |
+ if (! context) {
|
|
|
0e42ca |
+ errno=EINVAL;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
|
|
|
0e42ca |
if (rc < 0 && errno == ENOTSUP) {
|
|
|
0e42ca |
char * ccontext = NULL;
|
|
|
0e42ca |
int err = errno;
|
|
|
0e42ca |
diff --git libselinux-2.5/src/matchpathcon.c libselinux-2.5/src/matchpathcon.c
|
|
|
0e42ca |
index 5b495a0..d92ed79 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/matchpathcon.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/matchpathcon.c
|
|
|
0e42ca |
@@ -2,6 +2,7 @@
|
|
|
0e42ca |
#include <string.h>
|
|
|
0e42ca |
#include <errno.h>
|
|
|
0e42ca |
#include <stdio.h>
|
|
|
0e42ca |
+#include <syslog.h>
|
|
|
0e42ca |
#include "selinux_internal.h"
|
|
|
0e42ca |
#include "label_internal.h"
|
|
|
0e42ca |
#include "callbacks.h"
|
|
|
0e42ca |
@@ -62,7 +63,7 @@ static void
|
|
|
0e42ca |
{
|
|
|
0e42ca |
va_list ap;
|
|
|
0e42ca |
va_start(ap, fmt);
|
|
|
0e42ca |
- vfprintf(stderr, fmt, ap);
|
|
|
0e42ca |
+ vsyslog(LOG_ERR, fmt, ap);
|
|
|
0e42ca |
va_end(ap);
|
|
|
0e42ca |
}
|
|
|
0e42ca |
|
|
|
0e42ca |
@@ -361,12 +362,6 @@ int realpath_not_final(const char *name, char *resolved_path)
|
|
|
0e42ca |
goto out;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
|
|
|
0e42ca |
- /* strip leading // */
|
|
|
0e42ca |
- while (tmp_path[len] && tmp_path[len] == '/' &&
|
|
|
0e42ca |
- tmp_path[len+1] && tmp_path[len+1] == '/') {
|
|
|
0e42ca |
- tmp_path++;
|
|
|
0e42ca |
- len++;
|
|
|
0e42ca |
- }
|
|
|
0e42ca |
last_component = strrchr(tmp_path, '/');
|
|
|
0e42ca |
|
|
|
0e42ca |
if (last_component == tmp_path) {
|
|
|
0e42ca |
@@ -470,6 +465,17 @@ int selinux_file_context_verify(const char *path, mode_t mode)
|
|
|
0e42ca |
char * con = NULL;
|
|
|
0e42ca |
char * fcontext = NULL;
|
|
|
0e42ca |
int rc = 0;
|
|
|
0e42ca |
+ char stackpath[PATH_MAX + 1];
|
|
|
0e42ca |
+ char *p = NULL;
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+ if (S_ISLNK(mode)) {
|
|
|
0e42ca |
+ if (!realpath_not_final(path, stackpath))
|
|
|
0e42ca |
+ path = stackpath;
|
|
|
0e42ca |
+ } else {
|
|
|
0e42ca |
+ p = realpath(path, stackpath);
|
|
|
0e42ca |
+ if (p)
|
|
|
0e42ca |
+ path = p;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
|
|
|
0e42ca |
rc = lgetfilecon_raw(path, &con);
|
|
|
0e42ca |
if (rc == -1) {
|
|
|
0e42ca |
diff --git libselinux-2.5/src/procattr.c libselinux-2.5/src/procattr.c
|
|
|
0e42ca |
index 527a0a5..eee4612 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/procattr.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/procattr.c
|
|
|
0e42ca |
@@ -70,9 +70,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
|
|
|
0e42ca |
char *path;
|
|
|
0e42ca |
pid_t tid;
|
|
|
0e42ca |
|
|
|
0e42ca |
- if (pid > 0)
|
|
|
0e42ca |
+ if (pid > 0) {
|
|
|
0e42ca |
rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr);
|
|
|
0e42ca |
- else {
|
|
|
0e42ca |
+ } else if (pid == 0) {
|
|
|
0e42ca |
rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
|
|
|
0e42ca |
if (rc < 0)
|
|
|
0e42ca |
return -1;
|
|
|
0e42ca |
@@ -82,6 +82,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
|
|
|
0e42ca |
free(path);
|
|
|
0e42ca |
tid = gettid();
|
|
|
0e42ca |
rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr);
|
|
|
0e42ca |
+ } else {
|
|
|
0e42ca |
+ errno = EINVAL;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
}
|
|
|
0e42ca |
if (rc < 0)
|
|
|
0e42ca |
return -1;
|
|
|
0e42ca |
@@ -303,11 +306,21 @@ static int setprocattrcon(const char * context,
|
|
|
0e42ca |
#define getpidattr_def(fn, attr) \
|
|
|
0e42ca |
int get##fn##_raw(pid_t pid, char **c) \
|
|
|
0e42ca |
{ \
|
|
|
0e42ca |
- return getprocattrcon_raw(c, pid, #attr); \
|
|
|
0e42ca |
+ if (pid <= 0) { \
|
|
|
0e42ca |
+ errno = EINVAL; \
|
|
|
0e42ca |
+ return -1; \
|
|
|
0e42ca |
+ } else { \
|
|
|
0e42ca |
+ return getprocattrcon_raw(c, pid, #attr); \
|
|
|
0e42ca |
+ } \
|
|
|
0e42ca |
} \
|
|
|
0e42ca |
int get##fn(pid_t pid, char **c) \
|
|
|
0e42ca |
{ \
|
|
|
0e42ca |
- return getprocattrcon(c, pid, #attr); \
|
|
|
0e42ca |
+ if (pid <= 0) { \
|
|
|
0e42ca |
+ errno = EINVAL; \
|
|
|
0e42ca |
+ return -1; \
|
|
|
0e42ca |
+ } else { \
|
|
|
0e42ca |
+ return getprocattrcon(c, pid, #attr); \
|
|
|
0e42ca |
+ } \
|
|
|
0e42ca |
}
|
|
|
0e42ca |
|
|
|
0e42ca |
all_selfattr_def(con, current)
|
|
|
0e42ca |
diff --git libselinux-2.5/src/selinux_config.c libselinux-2.5/src/selinux_config.c
|
|
|
0e42ca |
index bec5f3b..c519a77 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/selinux_config.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/selinux_config.c
|
|
|
0e42ca |
@@ -50,7 +50,8 @@
|
|
|
0e42ca |
#define BOOLEAN_SUBS 27
|
|
|
0e42ca |
#define OPENSSH_CONTEXTS 28
|
|
|
0e42ca |
#define SYSTEMD_CONTEXTS 29
|
|
|
0e42ca |
-#define NEL 30
|
|
|
0e42ca |
+#define SNAPPERD_CONTEXTS 30
|
|
|
0e42ca |
+#define NEL 31
|
|
|
0e42ca |
|
|
|
0e42ca |
/* Part of one-time lazy init */
|
|
|
0e42ca |
static pthread_once_t once = PTHREAD_ONCE_INIT;
|
|
|
0e42ca |
@@ -499,6 +500,13 @@ const char *selinux_openssh_contexts_path(void)
|
|
|
0e42ca |
|
|
|
0e42ca |
hidden_def(selinux_openssh_contexts_path)
|
|
|
0e42ca |
|
|
|
0e42ca |
+const char *selinux_snapperd_contexts_path(void)
|
|
|
0e42ca |
+{
|
|
|
0e42ca |
+ return get_path(SNAPPERD_CONTEXTS);
|
|
|
0e42ca |
+}
|
|
|
0e42ca |
+
|
|
|
0e42ca |
+hidden_def(selinux_snapperd_contexts_path)
|
|
|
0e42ca |
+
|
|
|
0e42ca |
const char *selinux_systemd_contexts_path(void)
|
|
|
0e42ca |
{
|
|
|
0e42ca |
return get_path(SYSTEMD_CONTEXTS);
|
|
|
0e42ca |
diff --git libselinux-2.5/src/selinux_internal.h libselinux-2.5/src/selinux_internal.h
|
|
|
0e42ca |
index 46566f6..9b9145c 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/selinux_internal.h
|
|
|
0e42ca |
+++ libselinux-2.5/src/selinux_internal.h
|
|
|
0e42ca |
@@ -84,6 +84,7 @@ hidden_proto(selinux_mkload_policy)
|
|
|
0e42ca |
hidden_proto(selinux_x_context_path)
|
|
|
0e42ca |
hidden_proto(selinux_sepgsql_context_path)
|
|
|
0e42ca |
hidden_proto(selinux_openssh_contexts_path)
|
|
|
0e42ca |
+ hidden_proto(selinux_snapperd_contexts_path)
|
|
|
0e42ca |
hidden_proto(selinux_systemd_contexts_path)
|
|
|
0e42ca |
hidden_proto(selinux_path)
|
|
|
0e42ca |
hidden_proto(selinux_check_passwd_access)
|
|
|
0e42ca |
diff --git libselinux-2.5/src/selinux_restorecon.c libselinux-2.5/src/selinux_restorecon.c
|
|
|
0e42ca |
index 17ed6fe..d2c2402 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/selinux_restorecon.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/selinux_restorecon.c
|
|
|
0e42ca |
@@ -245,25 +245,41 @@ int selinux_restorecon(const char *pathname_orig,
|
|
|
0e42ca |
* realpath of containing dir, then appending last component name.
|
|
|
0e42ca |
*/
|
|
|
0e42ca |
if (userealpath) {
|
|
|
0e42ca |
- pathbname = basename((char *)pathname_orig);
|
|
|
0e42ca |
+ char *basename_cpy = strdup(pathname_orig);
|
|
|
0e42ca |
+ if (!basename_cpy)
|
|
|
0e42ca |
+ goto realpatherr;
|
|
|
0e42ca |
+ pathbname = basename(basename_cpy);
|
|
|
0e42ca |
if (!strcmp(pathbname, "/") || !strcmp(pathbname, ".") ||
|
|
|
0e42ca |
!strcmp(pathbname, "..")) {
|
|
|
0e42ca |
pathname = realpath(pathname_orig, NULL);
|
|
|
0e42ca |
- if (!pathname)
|
|
|
0e42ca |
+ if (!pathname) {
|
|
|
0e42ca |
+ free(basename_cpy);
|
|
|
0e42ca |
goto realpatherr;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
} else {
|
|
|
0e42ca |
- pathdname = dirname((char *)pathname_orig);
|
|
|
0e42ca |
+ char *dirname_cpy = strdup(pathname_orig);
|
|
|
0e42ca |
+ if (!dirname_cpy) {
|
|
|
0e42ca |
+ free(basename_cpy);
|
|
|
0e42ca |
+ goto realpatherr;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ pathdname = dirname(dirname_cpy);
|
|
|
0e42ca |
pathdnamer = realpath(pathdname, NULL);
|
|
|
0e42ca |
- if (!pathdnamer)
|
|
|
0e42ca |
+ free(dirname_cpy);
|
|
|
0e42ca |
+ if (!pathdnamer) {
|
|
|
0e42ca |
+ free(basename_cpy);
|
|
|
0e42ca |
goto realpatherr;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
if (!strcmp(pathdnamer, "/"))
|
|
|
0e42ca |
error = asprintf(&pathname, "/%s", pathbname);
|
|
|
0e42ca |
else
|
|
|
0e42ca |
error = asprintf(&pathname, "%s/%s",
|
|
|
0e42ca |
pathdnamer, pathbname);
|
|
|
0e42ca |
- if (error < 0)
|
|
|
0e42ca |
+ if (error < 0) {
|
|
|
0e42ca |
+ free(basename_cpy);
|
|
|
0e42ca |
goto oom;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
}
|
|
|
0e42ca |
+ free(basename_cpy);
|
|
|
0e42ca |
} else {
|
|
|
0e42ca |
pathname = strdup(pathname_orig);
|
|
|
0e42ca |
if (!pathname)
|
|
|
0e42ca |
diff --git libselinux-2.5/src/selinuxswig_python.i libselinux-2.5/src/selinuxswig_python.i
|
|
|
0e42ca |
index 8cea18d..592d70c 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/selinuxswig_python.i
|
|
|
0e42ca |
+++ libselinux-2.5/src/selinuxswig_python.i
|
|
|
0e42ca |
@@ -23,7 +23,13 @@ def restorecon(path, recursive=False):
|
|
|
0e42ca |
except OSError:
|
|
|
0e42ca |
path = os.path.realpath(os.path.expanduser(path))
|
|
|
0e42ca |
mode = os.lstat(path)[stat.ST_MODE]
|
|
|
0e42ca |
- status, context = matchpathcon(path, mode)
|
|
|
0e42ca |
+ try:
|
|
|
0e42ca |
+ status, context = matchpathcon(path, mode)
|
|
|
0e42ca |
+ except OSError as e:
|
|
|
0e42ca |
+ # matchpathcon returns ENOENT when <<none>> in file context
|
|
|
0e42ca |
+ if e.errno != errno.ENOENT:
|
|
|
0e42ca |
+ raise
|
|
|
0e42ca |
+ return
|
|
|
0e42ca |
|
|
|
0e42ca |
if status == 0:
|
|
|
0e42ca |
try:
|
|
|
0e42ca |
diff --git libselinux-2.5/src/setexecfilecon.c libselinux-2.5/src/setexecfilecon.c
|
|
|
0e42ca |
index e72ba0d..9c821f8 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/setexecfilecon.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/setexecfilecon.c
|
|
|
0e42ca |
@@ -45,7 +45,7 @@ int setexecfilecon(const char *filename, const char *fallback_type)
|
|
|
0e42ca |
goto out;
|
|
|
0e42ca |
out:
|
|
|
0e42ca |
|
|
|
0e42ca |
- if (rc < 0 && security_getenforce() == 0)
|
|
|
0e42ca |
+ if (rc < 0 && security_getenforce() < 1)
|
|
|
0e42ca |
rc = 0;
|
|
|
0e42ca |
|
|
|
0e42ca |
context_free(con);
|
|
|
0e42ca |
diff --git libselinux-2.5/src/setfilecon.c libselinux-2.5/src/setfilecon.c
|
|
|
0e42ca |
index d05969c..3f0200e 100644
|
|
|
0e42ca |
--- libselinux-2.5/src/setfilecon.c
|
|
|
0e42ca |
+++ libselinux-2.5/src/setfilecon.c
|
|
|
0e42ca |
@@ -9,8 +9,12 @@
|
|
|
0e42ca |
|
|
|
0e42ca |
int setfilecon_raw(const char *path, const char * context)
|
|
|
0e42ca |
{
|
|
|
0e42ca |
- int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
|
|
|
0e42ca |
- 0);
|
|
|
0e42ca |
+ int rc;
|
|
|
0e42ca |
+ if (! context) {
|
|
|
0e42ca |
+ errno=EINVAL;
|
|
|
0e42ca |
+ return -1;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
+ rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
|
|
|
0e42ca |
if (rc < 0 && errno == ENOTSUP) {
|
|
|
0e42ca |
char * ccontext = NULL;
|
|
|
0e42ca |
int err = errno;
|
|
|
0e42ca |
diff --git libselinux-2.5/utils/.gitignore libselinux-2.5/utils/.gitignore
|
|
|
0e42ca |
index 060eaab..ed3bf0b 100644
|
|
|
0e42ca |
--- libselinux-2.5/utils/.gitignore
|
|
|
0e42ca |
+++ libselinux-2.5/utils/.gitignore
|
|
|
0e42ca |
@@ -14,7 +14,12 @@ getseuser
|
|
|
0e42ca |
matchpathcon
|
|
|
0e42ca |
policyvers
|
|
|
0e42ca |
sefcontext_compile
|
|
|
0e42ca |
+selabel_digest
|
|
|
0e42ca |
+selabel_lookup
|
|
|
0e42ca |
+selabel_lookup_best_match
|
|
|
0e42ca |
+selabel_partial_match
|
|
|
0e42ca |
selinux_check_securetty_context
|
|
|
0e42ca |
+selinux_restorecon
|
|
|
0e42ca |
selinuxenabled
|
|
|
0e42ca |
selinuxexeccon
|
|
|
0e42ca |
setenforce
|
|
|
0e42ca |
diff --git libselinux-2.5/utils/Makefile libselinux-2.5/utils/Makefile
|
|
|
0e42ca |
index cf7af52..8497cb4 100644
|
|
|
0e42ca |
--- libselinux-2.5/utils/Makefile
|
|
|
0e42ca |
+++ libselinux-2.5/utils/Makefile
|
|
|
0e42ca |
@@ -3,6 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
|
|
|
0e42ca |
LIBDIR ?= $(PREFIX)/lib
|
|
|
0e42ca |
USRBINDIR ?= $(PREFIX)/sbin
|
|
|
0e42ca |
SBINDIR ?= $(DESTDIR)/sbin
|
|
|
0e42ca |
+INCLUDEDIR ?= $(PREFIX)/include
|
|
|
0e42ca |
|
|
|
0e42ca |
MAX_STACK_SIZE=8192
|
|
|
0e42ca |
CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissing-include-dirs \
|
|
|
0e42ca |
@@ -23,7 +24,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi
|
|
|
0e42ca |
-fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \
|
|
|
0e42ca |
-fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \
|
|
|
0e42ca |
-Werror -Wno-aggregate-return -Wno-redundant-decls
|
|
|
0e42ca |
-override CFLAGS += -I../include -D_GNU_SOURCE $(EMFLAGS)
|
|
|
0e42ca |
+override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS)
|
|
|
0e42ca |
LDLIBS += -L../src -lselinux -L$(LIBDIR)
|
|
|
0e42ca |
|
|
|
0e42ca |
TARGETS=$(patsubst %.c,%,$(wildcard *.c))
|
|
|
0e42ca |
diff --git libselinux-2.5/utils/matchpathcon.c libselinux-2.5/utils/matchpathcon.c
|
|
|
0e42ca |
index d1f1348..0288feb 100644
|
|
|
0e42ca |
--- libselinux-2.5/utils/matchpathcon.c
|
|
|
0e42ca |
+++ libselinux-2.5/utils/matchpathcon.c
|
|
|
0e42ca |
@@ -15,7 +15,7 @@
|
|
|
0e42ca |
static void usage(const char *progname)
|
|
|
0e42ca |
{
|
|
|
0e42ca |
fprintf(stderr,
|
|
|
0e42ca |
- "usage: %s [-N] [-n] [-f file_contexts] [ -P policy_root_path ] [-p prefix] [-Vq] path...\n",
|
|
|
0e42ca |
+ "usage: %s [-V] [-N] [-n] [-m type] [-f file_contexts_file] [-p prefix] [-P policy_root_path] filepath...\n",
|
|
|
0e42ca |
progname);
|
|
|
0e42ca |
exit(1);
|
|
|
0e42ca |
}
|
|
|
0e42ca |
diff --git libselinux-2.5/utils/sefcontext_compile.c libselinux-2.5/utils/sefcontext_compile.c
|
|
|
0e42ca |
index d2578b6..fd6fb78 100644
|
|
|
0e42ca |
--- libselinux-2.5/utils/sefcontext_compile.c
|
|
|
0e42ca |
+++ libselinux-2.5/utils/sefcontext_compile.c
|
|
|
0e42ca |
@@ -228,10 +228,13 @@ static int write_binary_file(struct saved_data *data, int fd)
|
|
|
0e42ca |
if (len != to_write)
|
|
|
0e42ca |
goto err;
|
|
|
0e42ca |
|
|
|
0e42ca |
- /* determine the size of the pcre study info */
|
|
|
0e42ca |
- rc = pcre_fullinfo(re, sd, PCRE_INFO_STUDYSIZE, &size);
|
|
|
0e42ca |
- if (rc < 0)
|
|
|
0e42ca |
- goto err;
|
|
|
0e42ca |
+ if (sd) {
|
|
|
0e42ca |
+ /* determine the size of the pcre study info */
|
|
|
0e42ca |
+ rc = pcre_fullinfo(re, sd, PCRE_INFO_STUDYSIZE, &size);
|
|
|
0e42ca |
+ if (rc < 0)
|
|
|
0e42ca |
+ goto err;
|
|
|
0e42ca |
+ } else
|
|
|
0e42ca |
+ size = 0;
|
|
|
0e42ca |
|
|
|
0e42ca |
/* write the number of bytes in the pcre study data */
|
|
|
0e42ca |
to_write = size;
|
|
|
0e42ca |
@@ -239,10 +242,12 @@ static int write_binary_file(struct saved_data *data, int fd)
|
|
|
0e42ca |
if (len != 1)
|
|
|
0e42ca |
goto err;
|
|
|
0e42ca |
|
|
|
0e42ca |
- /* write the actual pcre study data as a char array */
|
|
|
0e42ca |
- len = fwrite(sd->study_data, 1, to_write, bin_file);
|
|
|
0e42ca |
- if (len != to_write)
|
|
|
0e42ca |
- goto err;
|
|
|
0e42ca |
+ if (sd) {
|
|
|
0e42ca |
+ /* write the actual pcre study data as a char array */
|
|
|
0e42ca |
+ len = fwrite(sd->study_data, 1, to_write, bin_file);
|
|
|
0e42ca |
+ if (len != to_write)
|
|
|
0e42ca |
+ goto err;
|
|
|
0e42ca |
+ }
|
|
|
0e42ca |
}
|
|
|
0e42ca |
|
|
|
0e42ca |
rc = 0;
|