diff --git a/SOURCES/libsemanage-rhel.patch b/SOURCES/libsemanage-rhel.patch index 5ae063c..c0fbaee 100644 --- a/SOURCES/libsemanage-rhel.patch +++ b/SOURCES/libsemanage-rhel.patch @@ -520,7 +520,7 @@ index a21b3ee..a51269e 100644 ERR(handle, "could not open %s for writing: %s", fname, strerror(errno)); diff --git libsemanage-2.5/src/direct_api.c libsemanage-2.5/src/direct_api.c -index 2187b65..fea6572 100644 +index 2187b65..6dd21dd 100644 --- libsemanage-2.5/src/direct_api.c +++ libsemanage-2.5/src/direct_api.c @@ -40,6 +40,8 @@ @@ -532,7 +532,19 @@ index 2187b65..fea6572 100644 #include "iface_internal.h" #include "boolean_internal.h" #include "fcontext_internal.h" -@@ -146,9 +148,6 @@ int semanage_direct_connect(semanage_handle_t * sh) +@@ -87,6 +89,11 @@ static int semanage_direct_get_module_info(semanage_handle_t *sh, + const semanage_module_key_t *modkey, + semanage_module_info_t **modinfo); + ++static int semanage_direct_list_by_name(semanage_handle_t *sh, ++ semanage_module_info_t **modinfo, ++ int *num_modules, ++ char *optional_module_name); ++ + static int semanage_direct_list_all(semanage_handle_t *sh, + semanage_module_info_t **modinfo, + int *num_modules); +@@ -146,9 +153,6 @@ int semanage_direct_connect(semanage_handle_t * sh) if (semanage_create_store(sh, 1)) goto err; @@ -542,7 +554,7 @@ index 2187b65..fea6572 100644 sh->u.direct.translock_file_fd = -1; sh->u.direct.activelock_file_fd = -1; -@@ -208,6 +207,12 @@ int semanage_direct_connect(semanage_handle_t * sh) +@@ -208,6 +212,12 @@ int semanage_direct_connect(semanage_handle_t * sh) semanage_fcontext_dbase_local(sh)) < 0) goto err; @@ -555,7 +567,7 @@ index 2187b65..fea6572 100644 if (seuser_file_dbase_init(sh, semanage_path(SEMANAGE_ACTIVE, SEMANAGE_SEUSERS_LOCAL), -@@ -224,6 +229,22 @@ int semanage_direct_connect(semanage_handle_t * sh) +@@ -224,6 +234,22 @@ int semanage_direct_connect(semanage_handle_t * sh) semanage_node_dbase_local(sh)) < 0) goto err; @@ -578,7 +590,7 @@ index 2187b65..fea6572 100644 /* Object databases: local modifications + policy */ if (user_base_policydb_dbase_init(sh, semanage_user_base_dbase_policy(sh)) < -@@ -248,6 +269,12 @@ int semanage_direct_connect(semanage_handle_t * sh) +@@ -248,6 +274,12 @@ int semanage_direct_connect(semanage_handle_t * sh) if (port_policydb_dbase_init(sh, semanage_port_dbase_policy(sh)) < 0) goto err; @@ -591,7 +603,7 @@ index 2187b65..fea6572 100644 if (iface_policydb_dbase_init(sh, semanage_iface_dbase_policy(sh)) < 0) goto err; -@@ -275,7 +302,9 @@ int semanage_direct_connect(semanage_handle_t * sh) +@@ -275,7 +307,9 @@ int semanage_direct_connect(semanage_handle_t * sh) /* set the disable dontaudit value */ path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_DISABLE_DONTAUDIT); @@ -602,7 +614,7 @@ index 2187b65..fea6572 100644 sepol_set_disable_dontaudit(sh->sepolh, 1); else sepol_set_disable_dontaudit(sh->sepolh, 0); -@@ -320,9 +349,12 @@ static int semanage_direct_disconnect(semanage_handle_t * sh) +@@ -320,9 +354,12 @@ static int semanage_direct_disconnect(semanage_handle_t * sh) user_extra_file_dbase_release(semanage_user_extra_dbase_local(sh)); user_join_dbase_release(semanage_user_dbase_local(sh)); port_file_dbase_release(semanage_port_dbase_local(sh)); @@ -615,7 +627,7 @@ index 2187b65..fea6572 100644 seuser_file_dbase_release(semanage_seuser_dbase_local(sh)); node_file_dbase_release(semanage_node_dbase_local(sh)); -@@ -331,6 +363,8 @@ static int semanage_direct_disconnect(semanage_handle_t * sh) +@@ -331,6 +368,8 @@ static int semanage_direct_disconnect(semanage_handle_t * sh) user_extra_file_dbase_release(semanage_user_extra_dbase_policy(sh)); user_join_dbase_release(semanage_user_dbase_policy(sh)); port_policydb_dbase_release(semanage_port_dbase_policy(sh)); @@ -624,7 +636,7 @@ index 2187b65..fea6572 100644 iface_policydb_dbase_release(semanage_iface_dbase_policy(sh)); bool_policydb_dbase_release(semanage_bool_dbase_policy(sh)); fcontext_file_dbase_release(semanage_fcontext_dbase_policy(sh)); -@@ -345,10 +379,6 @@ static int semanage_direct_disconnect(semanage_handle_t * sh) +@@ -345,10 +384,6 @@ static int semanage_direct_disconnect(semanage_handle_t * sh) static int semanage_direct_begintrans(semanage_handle_t * sh) { @@ -635,7 +647,7 @@ index 2187b65..fea6572 100644 if (semanage_get_trans_lock(sh) < 0) { return -1; } -@@ -363,6 +393,35 @@ static int semanage_direct_begintrans(semanage_handle_t * sh) +@@ -363,6 +398,35 @@ static int semanage_direct_begintrans(semanage_handle_t * sh) /********************* utility functions *********************/ @@ -671,7 +683,7 @@ index 2187b65..fea6572 100644 #include #include #include -@@ -588,13 +647,33 @@ static int semanage_direct_update_user_extra(semanage_handle_t * sh, cil_db_t *c +@@ -588,13 +652,33 @@ static int semanage_direct_update_user_extra(semanage_handle_t * sh, cil_db_t *c } if (size > 0) { @@ -707,7 +719,7 @@ index 2187b65..fea6572 100644 pusers_extra->dtable->drop_cache(pusers_extra->dbase); -@@ -623,11 +702,33 @@ static int semanage_direct_update_seuser(semanage_handle_t * sh, cil_db_t *cildb +@@ -623,11 +707,33 @@ static int semanage_direct_update_seuser(semanage_handle_t * sh, cil_db_t *cildb } if (size > 0) { @@ -742,7 +754,7 @@ index 2187b65..fea6572 100644 pseusers->dtable->drop_cache(pseusers->dbase); } else { -@@ -1037,8 +1138,9 @@ static int semanage_compile_hll_modules(semanage_handle_t *sh, +@@ -1037,8 +1143,9 @@ static int semanage_compile_hll_modules(semanage_handle_t *sh, goto cleanup; } @@ -753,7 +765,7 @@ index 2187b65..fea6572 100644 continue; } -@@ -1066,23 +1168,26 @@ static int semanage_direct_commit(semanage_handle_t * sh) +@@ -1066,23 +1173,26 @@ static int semanage_direct_commit(semanage_handle_t * sh) size_t fc_buffer_len = 0; const char *ofilename = NULL; const char *path; @@ -788,7 +800,7 @@ index 2187b65..fea6572 100644 dbase_config_t *bools = semanage_bool_dbase_local(sh); dbase_config_t *pbools = semanage_bool_dbase_policy(sh); dbase_config_t *ifaces = semanage_iface_dbase_local(sh); -@@ -1092,13 +1197,25 @@ static int semanage_direct_commit(semanage_handle_t * sh) +@@ -1092,13 +1202,25 @@ static int semanage_direct_commit(semanage_handle_t * sh) dbase_config_t *fcontexts = semanage_fcontext_dbase_local(sh); dbase_config_t *pfcontexts = semanage_fcontext_dbase_policy(sh); dbase_config_t *seusers = semanage_seuser_dbase_local(sh); @@ -817,7 +829,7 @@ index 2187b65..fea6572 100644 if (sepol_get_disable_dontaudit(sh->sepolh) == 1) { FILE *touch; touch = fopen(path, "w"); -@@ -1120,10 +1237,10 @@ static int semanage_direct_commit(semanage_handle_t * sh) +@@ -1120,10 +1242,10 @@ static int semanage_direct_commit(semanage_handle_t * sh) /* Create or remove the preserve_tunables flag file. */ path = semanage_path(SEMANAGE_TMP, SEMANAGE_PRESERVE_TUNABLES); @@ -831,7 +843,7 @@ index 2187b65..fea6572 100644 if (sepol_get_preserve_tunables(sh->sepolh) == 1) { FILE *touch; touch = fopen(path, "w"); -@@ -1151,54 +1268,76 @@ static int semanage_direct_commit(semanage_handle_t * sh) +@@ -1151,54 +1273,76 @@ static int semanage_direct_commit(semanage_handle_t * sh) goto cleanup; } @@ -944,7 +956,7 @@ index 2187b65..fea6572 100644 /* =================== Module expansion =============== */ retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos); -@@ -1287,43 +1426,74 @@ static int semanage_direct_commit(semanage_handle_t * sh) +@@ -1287,43 +1431,74 @@ static int semanage_direct_commit(semanage_handle_t * sh) goto cleanup; cil_db_destroy(&cildb); @@ -980,20 +992,21 @@ index 2187b65..fea6572 100644 + retval = semanage_copy_file(path, + semanage_path(SEMANAGE_TMP, + SEMANAGE_STORE_SEUSERS), -+ sh->conf->file_mode); ++ 0); + if (retval < 0) + goto cleanup; + pseusers->dtable->drop_cache(pseusers->dbase); + } else { + pseusers->dtable->clear(sh, pseusers->dbase); + } -+ + +- /* ============= Apply changes, and verify =============== */ + path = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA_LINKED); + if (stat(path, &sb) == 0) { + retval = semanage_copy_file(path, + semanage_path(SEMANAGE_TMP, + SEMANAGE_USERS_EXTRA), -+ sh->conf->file_mode); ++ 0); + if (retval < 0) + goto cleanup; + pusers_extra->dtable->drop_cache(pusers_extra->dbase); @@ -1002,7 +1015,9 @@ index 2187b65..fea6572 100644 + } + } -- /* ============= Apply changes, and verify =============== */ +- retval = semanage_base_merge_components(sh); +- if (retval < 0) +- goto cleanup; + /* Attach our databases to the policydb we just created or loaded. */ + dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase, out); + dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out); @@ -1012,15 +1027,12 @@ index 2187b65..fea6572 100644 + dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out); + dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out); -- retval = semanage_base_merge_components(sh); -- if (retval < 0) -- goto cleanup; +- retval = semanage_write_policydb(sh, out); + /* Merge local changes */ + retval = semanage_base_merge_components(sh); + if (retval < 0) + goto cleanup; - -- retval = semanage_write_policydb(sh, out); ++ + if (do_write_kernel) { + /* Write new kernel policy. */ + retval = semanage_write_policydb(sh, out, @@ -1039,7 +1051,7 @@ index 2187b65..fea6572 100644 } /* ======= Post-process: Validate non-policydb components ===== */ -@@ -1332,26 +1502,39 @@ static int semanage_direct_commit(semanage_handle_t * sh) +@@ -1332,26 +1507,39 @@ static int semanage_direct_commit(semanage_handle_t * sh) * Note: those are still cached, even though they've been * merged into the main file_contexts. We won't check the * large file_contexts - checked at compile time */ @@ -1082,7 +1094,7 @@ index 2187b65..fea6572 100644 /* ================== Write non-policydb components ========= */ /* Commit changes to components */ -@@ -1367,43 +1550,46 @@ static int semanage_direct_commit(semanage_handle_t * sh) +@@ -1367,43 +1555,46 @@ static int semanage_direct_commit(semanage_handle_t * sh) } path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL); @@ -1155,7 +1167,7 @@ index 2187b65..fea6572 100644 } } else { WARN(sh, "WARNING: genhomedircon is disabled. \ -@@ -1415,9 +1601,8 @@ static int semanage_direct_commit(semanage_handle_t * sh) +@@ -1415,9 +1606,8 @@ static int semanage_direct_commit(semanage_handle_t * sh) sepol_policydb_free(out); out = NULL; @@ -1166,7 +1178,7 @@ index 2187b65..fea6572 100644 cleanup: for (i = 0; i < num_modinfos; i++) { -@@ -1429,14 +1614,14 @@ cleanup: +@@ -1429,14 +1619,14 @@ cleanup: free(mod_filenames[i]); } @@ -1189,7 +1201,7 @@ index 2187b65..fea6572 100644 free(mod_filenames); sepol_policydb_free(out); -@@ -1452,6 +1637,8 @@ cleanup: +@@ -1452,6 +1642,8 @@ cleanup: semanage_remove_directory(semanage_final_path (SEMANAGE_FINAL_TMP, SEMANAGE_FINAL_TOPLEVEL)); @@ -1198,7 +1210,7 @@ index 2187b65..fea6572 100644 return retval; } -@@ -1600,7 +1787,8 @@ static int semanage_direct_extract(semanage_handle_t * sh, +@@ -1600,7 +1792,8 @@ static int semanage_direct_extract(semanage_handle_t * sh, goto cleanup; } @@ -1208,7 +1220,7 @@ index 2187b65..fea6572 100644 ERR(sh, "Module does not exist: %s", module_path); rc = -1; goto cleanup; -@@ -1630,7 +1818,7 @@ static int semanage_direct_extract(semanage_handle_t * sh, +@@ -1630,7 +1823,7 @@ static int semanage_direct_extract(semanage_handle_t * sh, goto cleanup; } @@ -1217,7 +1229,7 @@ index 2187b65..fea6572 100644 rc = semanage_compile_module(sh, _modinfo); if (rc < 0) { goto cleanup; -@@ -1802,6 +1990,7 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh, +@@ -1802,6 +1995,7 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh, const char *path = NULL; FILE *fp = NULL; semanage_module_info_t *modinfo = NULL; @@ -1225,7 +1237,7 @@ index 2187b65..fea6572 100644 /* check transaction */ if (!sh->is_in_transaction) { -@@ -1862,7 +2051,9 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh, +@@ -1862,7 +2056,9 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh, switch (enabled) { case 0: /* disable the module */ @@ -1235,7 +1247,7 @@ index 2187b65..fea6572 100644 if (fp == NULL) { ERR(sh, -@@ -1931,7 +2122,7 @@ int semanage_direct_mls_enabled(semanage_handle_t * sh) +@@ -1931,7 +2127,7 @@ int semanage_direct_mls_enabled(semanage_handle_t * sh) if (retval < 0) goto cleanup; @@ -1244,7 +1256,19 @@ index 2187b65..fea6572 100644 if (retval < 0) goto cleanup; -@@ -2075,6 +2266,31 @@ static int semanage_direct_get_module_info(semanage_handle_t *sh, +@@ -1975,7 +2171,10 @@ static int semanage_direct_get_module_info(semanage_handle_t *sh, + + /* if priority == 0, then find the highest priority available */ + if (modkey->priority == 0) { +- ret = semanage_direct_list_all(sh, &modinfos, &modinfos_len); ++ ret = semanage_direct_list_by_name(sh, ++ &modinfos, ++ &modinfos_len, ++ modkey->name); + if (ret != 0) { + status = -1; + goto cleanup; +@@ -2075,6 +2274,31 @@ static int semanage_direct_get_module_info(semanage_handle_t *sh, free(tmp); tmp = NULL; @@ -1276,7 +1300,64 @@ index 2187b65..fea6572 100644 if (fclose(fp) != 0) { ERR(sh, "Unable to close %s module lang ext file.", -@@ -2516,6 +2732,7 @@ static int semanage_direct_install_info(semanage_handle_t *sh, +@@ -2288,6 +2512,14 @@ static int semanage_modules_filename_select(const struct dirent *d) + static int semanage_direct_list_all(semanage_handle_t *sh, + semanage_module_info_t **modinfos, + int *modinfos_len) ++{ ++ return semanage_direct_list_by_name(sh, modinfos, modinfos_len, NULL); ++} ++ ++static int semanage_direct_list_by_name(semanage_handle_t *sh, ++ semanage_module_info_t **modinfos, ++ int *modinfos_len, ++ char *optional_module_name) + { + assert(sh); + assert(modinfos); +@@ -2387,6 +2619,7 @@ static int semanage_direct_list_all(semanage_handle_t *sh, + &modules, + semanage_modules_filename_select, + versionsort); ++ + if (modules_len == -1) { + ERR(sh, + "Error while scanning directory %s.", +@@ -2397,6 +2630,33 @@ static int semanage_direct_list_all(semanage_handle_t *sh, + + if (modules_len == 0) continue; + ++ if (optional_module_name) { ++ for (j = 0; j < modules_len; j++) { ++ /* try to find specified module */ ++ if (strcmp(modules[j]->d_name, optional_module_name)) { ++ free(modules[j]); ++ } else { ++ /* module found, move it to the beginning of */ ++ /* the list and clean up the remaining entries */ ++ modules[0] = modules[j]; ++ for (j++; j < modules_len; j++){ ++ free(modules[j]); ++ } ++ ++ modules_len = 1; ++ j = 0; ++ break; ++ } ++ } ++ /* module not found on this priority, clean up and continue */ ++ if (j == modules_len) { ++ modules_len = 0; ++ free(modules); ++ modules = NULL; ++ continue; ++ } ++ } ++ + /* add space for modules */ + tmp = realloc(*modinfos, + sizeof(semanage_module_info_t) * +@@ -2516,6 +2776,7 @@ static int semanage_direct_install_info(semanage_handle_t *sh, int type; char path[PATH_MAX]; @@ -1284,7 +1365,16 @@ index 2187b65..fea6572 100644 semanage_module_info_t *higher_info = NULL; semanage_module_key_t higher_key; -@@ -2613,7 +2830,8 @@ static int semanage_direct_install_info(semanage_handle_t *sh, +@@ -2564,7 +2825,7 @@ static int semanage_direct_install_info(semanage_handle_t *sh, + if (higher_info->enabled == 0 && modinfo->enabled == -1) { + errno = 0; + WARN(sh, +- "%s module will be disabled after install due to default enabled status.", ++ "%s module will be disabled after install as there is a disabled instance of this module present in the system.", + modinfo->name); + } + } +@@ -2613,7 +2874,8 @@ static int semanage_direct_install_info(semanage_handle_t *sh, goto cleanup; } @@ -1294,7 +1384,7 @@ index 2187b65..fea6572 100644 ret = unlink(path); if (ret != 0) { ERR(sh, "Error while removing cached CIL file %s: %s", path, strerror(errno)); -@@ -2627,6 +2845,7 @@ cleanup: +@@ -2627,6 +2889,7 @@ cleanup: semanage_module_key_destroy(sh, &higher_key); semanage_module_info_destroy(sh, higher_info); free(higher_info); @@ -3922,7 +4012,7 @@ index d31bd48..896ac51 100644 const int CCOUNT = sizeof(components) / sizeof(components[0]); diff --git libsemanage-2.5/src/semanage_store.c libsemanage-2.5/src/semanage_store.c -index fa0876f..c13b763 100644 +index fa0876f..79b0df9 100644 --- libsemanage-2.5/src/semanage_store.c +++ libsemanage-2.5/src/semanage_store.c @@ -95,23 +95,28 @@ static const char *semanage_store_paths[SEMANAGE_NUM_STORES] = { @@ -3997,15 +4087,29 @@ index fa0876f..c13b763 100644 semanage_final_suffix[SEMANAGE_NC] = strdup(selinux_netfilter_context_path() + offset); if (semanage_final_suffix[SEMANAGE_NC] == NULL) { -@@ -512,7 +538,6 @@ char *semanage_conf_path(void) +@@ -512,17 +538,20 @@ char *semanage_conf_path(void) int semanage_create_store(semanage_handle_t * sh, int create) { struct stat sb; - int mode_mask = R_OK | W_OK | X_OK; const char *path = semanage_files[SEMANAGE_ROOT]; int fd; ++ mode_t mask; -@@ -531,9 +556,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) + if (stat(path, &sb) == -1) { + if (errno == ENOENT && create) { ++ mask = umask(0077); + if (mkdir(path, S_IRWXU) == -1) { ++ umask(mask); + ERR(sh, "Could not create module store at %s.", + path); + return -2; + } ++ umask(mask); + } else { + if (create) + ERR(sh, +@@ -531,9 +560,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) return -1; } } else { @@ -4017,7 +4121,23 @@ index fa0876f..c13b763 100644 path); return -1; } -@@ -554,9 +579,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) +@@ -541,12 +570,15 @@ int semanage_create_store(semanage_handle_t * sh, int create) + path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_TOPLEVEL); + if (stat(path, &sb) == -1) { + if (errno == ENOENT && create) { ++ mask = umask(0077); + if (mkdir(path, S_IRWXU) == -1) { ++ umask(mask); + ERR(sh, + "Could not create module store, active subdirectory at %s.", + path); + return -2; + } ++ umask(mask); + } else { + ERR(sh, + "Could not read from module store, active subdirectory at %s.", +@@ -554,9 +586,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) return -1; } } else { @@ -4029,7 +4149,23 @@ index fa0876f..c13b763 100644 path); return -1; } -@@ -577,9 +602,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) +@@ -564,12 +596,15 @@ int semanage_create_store(semanage_handle_t * sh, int create) + path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_MODULES); + if (stat(path, &sb) == -1) { + if (errno == ENOENT && create) { ++ mask = umask(0077); + if (mkdir(path, S_IRWXU) == -1) { ++ umask(mask); + ERR(sh, + "Could not create module store, active modules subdirectory at %s.", + path); + return -2; + } ++ umask(mask); + } else { + ERR(sh, + "Could not read from module store, active modules subdirectory at %s.", +@@ -577,9 +612,9 @@ int semanage_create_store(semanage_handle_t * sh, int create) return -1; } } else { @@ -4041,7 +4177,21 @@ index fa0876f..c13b763 100644 path); return -1; } -@@ -598,8 +623,8 @@ int semanage_create_store(semanage_handle_t * sh, int create) +@@ -587,19 +622,22 @@ int semanage_create_store(semanage_handle_t * sh, int create) + path = semanage_files[SEMANAGE_READ_LOCK]; + if (stat(path, &sb) == -1) { + if (errno == ENOENT && create) { ++ mask = umask(0077); + if ((fd = creat(path, S_IRUSR | S_IWUSR)) == -1) { ++ umask(mask); + ERR(sh, "Could not create lock file at %s.", + path); + return -2; + } ++ umask(mask); + close(fd); + } else { + ERR(sh, "Could not read lock file at %s.", path); return -1; } } else { @@ -4052,7 +4202,95 @@ index fa0876f..c13b763 100644 return -1; } } -@@ -1137,7 +1162,7 @@ cleanup: +@@ -737,6 +775,7 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag) + struct stat sb; + struct dirent **names = NULL; + char path[PATH_MAX], path2[PATH_MAX]; ++ mode_t mask; + + if ((len = scandir(src, &names, semanage_filename_select, NULL)) == -1) { + fprintf(stderr, "Could not read the contents of %s: %s\n", src, strerror(errno)); +@@ -744,10 +783,13 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag) + } + + if (stat(dst, &sb) != 0) { ++ mask = umask(0077); + if (mkdir(dst, S_IRWXU) != 0) { ++ umask(mask); + fprintf(stderr, "Could not create %s: %s\n", dst, strerror(errno)); + goto cleanup; + } ++ umask(mask); + } + + for (i = 0; i < len; i++) { +@@ -759,14 +801,20 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag) + } + snprintf(path2, sizeof(path2), "%s/%s", dst, names[i]->d_name); + if (S_ISDIR(sb.st_mode)) { ++ mask = umask(0077); + if (mkdir(path2, 0700) == -1 || + semanage_copy_dir_flags(path, path2, flag) == -1) { ++ umask(mask); + goto cleanup; + } ++ umask(mask); + } else if (S_ISREG(sb.st_mode) && flag == 1) { ++ mask = umask(0077); + if (semanage_copy_file(path, path2, sb.st_mode) < 0) { ++ umask(mask); + goto cleanup; + } ++ umask(mask); + } + } + retval = 0; +@@ -846,16 +894,20 @@ int semanage_mkdir(semanage_handle_t *sh, const char *path) + { + int status = 0; + struct stat sb; ++ mode_t mask; + + /* check if directory already exists */ + if (stat(path, &sb) != 0) { + /* make the modules directory */ ++ mask = umask(0077); + if (mkdir(path, S_IRWXU) != 0) { ++ umask(mask); + ERR(sh, "Cannot make directory at %s", path); + status = -1; + goto cleanup; + + } ++ umask(mask); + } + else { + /* check that it really is a directory */ +@@ -880,6 +932,7 @@ int semanage_make_sandbox(semanage_handle_t * sh) + const char *sandbox = semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL); + struct stat buf; + int errsv; ++ mode_t mask; + + if (stat(sandbox, &buf) == -1) { + if (errno != ENOENT) { +@@ -896,12 +949,15 @@ int semanage_make_sandbox(semanage_handle_t * sh) + } + } + ++ mask = umask(0077); + if (mkdir(sandbox, S_IRWXU) == -1 || + semanage_copy_dir(semanage_path(SEMANAGE_ACTIVE, SEMANAGE_TOPLEVEL), + sandbox) == -1) { ++ umask(mask); + ERR(sh, "Could not copy files to sandbox %s.", sandbox); + goto cleanup; + } ++ umask(mask); + return 0; + + cleanup: +@@ -1137,7 +1193,7 @@ cleanup: free(all_modinfos); if (status != 0) { @@ -4061,7 +4299,7 @@ index fa0876f..c13b763 100644 semanage_module_info_destroy(sh, &(*modinfo)[i]); } free(*modinfo); -@@ -1491,6 +1516,45 @@ static int sefcontext_compile(semanage_handle_t * sh, const char *path) { +@@ -1491,6 +1547,45 @@ static int sefcontext_compile(semanage_handle_t * sh, const char *path) { return 0; } @@ -4107,7 +4345,7 @@ index fa0876f..c13b763 100644 /* Load the contexts of the final tmp into the final selinux directory. * Return 0 on success, -3 on error. */ -@@ -1566,35 +1630,6 @@ static int semanage_install_final_tmp(semanage_handle_t * sh) +@@ -1566,35 +1661,6 @@ static int semanage_install_final_tmp(semanage_handle_t * sh) } skip_reload: @@ -4143,7 +4381,7 @@ index fa0876f..c13b763 100644 status = 0; cleanup: return status; -@@ -1737,6 +1772,9 @@ int semanage_install_sandbox(semanage_handle_t * sh) +@@ -1737,6 +1803,9 @@ int semanage_install_sandbox(semanage_handle_t * sh) goto cleanup; } @@ -4153,7 +4391,7 @@ index fa0876f..c13b763 100644 if ((commit_num = semanage_commit_sandbox(sh)) < 0) { retval = commit_num; goto cleanup; -@@ -2003,9 +2041,10 @@ int semanage_load_files(semanage_handle_t * sh, cil_db_t *cildb, char **filename +@@ -2003,9 +2072,10 @@ int semanage_load_files(semanage_handle_t * sh, cil_db_t *cildb, char **filename */ /** @@ -4166,7 +4404,7 @@ index fa0876f..c13b763 100644 { int retval = STATUS_ERR; -@@ -2014,7 +2053,7 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in) +@@ -2014,7 +2084,7 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in) FILE *infile = NULL; if ((kernel_filename = @@ -4175,7 +4413,7 @@ index fa0876f..c13b763 100644 goto cleanup; } if ((infile = fopen(kernel_filename, "r")) == NULL) { -@@ -2044,18 +2083,20 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in) +@@ -2044,18 +2114,20 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in) return retval; } /** @@ -4199,7 +4437,7 @@ index fa0876f..c13b763 100644 goto cleanup; } if ((outfile = fopen(kernel_filename, "wb")) == NULL) { -@@ -2081,6 +2122,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out) +@@ -2081,6 +2153,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out) if (outfile != NULL) { fclose(outfile); } @@ -4377,6 +4615,34 @@ index 1346b2e..8604b8a 100644 /** node typemaps **/ /* the wrapper will setup this parameter for passing... the resulting python functions +diff --git libsemanage-2.5/src/seusers_local.c libsemanage-2.5/src/seusers_local.c +index 42c3a8b..ea3836c 100644 +--- libsemanage-2.5/src/seusers_local.c ++++ libsemanage-2.5/src/seusers_local.c +@@ -67,17 +67,18 @@ static int semanage_seuser_audit(semanage_handle_t * handle, + const char *sep = "-"; + int rc = -1; + strcpy(msg, "login"); ++ if (previous) { ++ name = semanage_seuser_get_name(previous); ++ psename = semanage_seuser_get_sename(previous); ++ pmls = semanage_seuser_get_mlsrange(previous); ++ proles = semanage_user_roles(handle, psename); ++ } + if (seuser) { + name = semanage_seuser_get_name(seuser); + sename = semanage_seuser_get_sename(seuser); + mls = semanage_seuser_get_mlsrange(seuser); + roles = semanage_user_roles(handle, sename); + } +- if (previous) { +- psename = semanage_seuser_get_sename(previous); +- pmls = semanage_seuser_get_mlsrange(previous); +- proles = semanage_user_roles(handle, psename); +- } + if (audit_type != AUDIT_ROLE_REMOVE) { + if (sename && (!psename || strcmp(psename, sename) != 0)) { + strcat(msg,sep); diff --git libsemanage-2.5/tests/.gitignore libsemanage-2.5/tests/.gitignore new file mode 100644 index 0000000..f07111d diff --git a/SPECS/libsemanage.spec b/SPECS/libsemanage.spec index eb09964..4c6f497 100644 --- a/SPECS/libsemanage.spec +++ b/SPECS/libsemanage.spec @@ -1,17 +1,17 @@ %global with_python3 0 %{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print (get_python_lib(1))")} -%define libsepolver 2.5-8 -%define libselinuxver 2.5-12 +%define libsepolver 2.5-10 +%define libselinuxver 2.5-14 Summary: SELinux binary policy manipulation library Name: libsemanage Version: 2.5 -Release: 11%{?dist} +Release: 14%{?dist} License: LGPLv2+ Group: System Environment/Libraries Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libsemanage-2.5.tar.gz -# HEAD 5a336c116e3808e21a2334671fffed73348111c9 +# HEAD abf13a864699272ea826b0f8ff993027a342b377 Patch1: libsemanage-rhel.patch URL: https://github.com/SELinuxProject/selinux/wiki Source1: semanage.conf @@ -193,6 +193,18 @@ rm -rf ${RPM_BUILD_ROOT} %endif # if with_python3 %changelog +* Tue Sep 11 2018 Vit Mojzis - 2.5-14 +- Include user name in ROLE_REMOVE audit events (#1622045) +- Improve "reset umask before creating directories" + +* Wed Jul 25 2018 Vit Mojzis - 2.5-13 +- Reset umask before creating directories (#1186422) +- Enable listing modules by name (#1566729) + +* Mon Apr 30 2018 Vit Mojzis - 2.5-12 +- Do not change file mode of seusers and users_extra (#1512639) +- Improve warning for installing disabled module (#1337199) + * Tue Feb 27 2018 Vit Mojzis - 2.5-11 - Add dependencies on libselinux and libsemanage (#1548020)