diff --git a/SOURCES/0001-Skip-policy-module-re-link-when-only-setting-boolean.patch b/SOURCES/0001-Skip-policy-module-re-link-when-only-setting-boolean.patch
new file mode 100644
index 0000000..582eb49
--- /dev/null
+++ b/SOURCES/0001-Skip-policy-module-re-link-when-only-setting-boolean.patch
@@ -0,0 +1,101 @@
+commit d7a44033e8488106579be9923c67c70546943a41
+Author: Stephen Smalley
+Date: Fri Jul 25 12:05:43 2014 -0400
+
+ Skip policy module re-link when only setting booleans.
+
+ Since booleans are only set, not added/removed, we do not need to re-link
+ modules when setting them. We can instead just take the existing binary
+ policy and mutate it for the new values.
+
+ Signed-off-by: Stephen Smalley
+
+diff --git a/src/direct_api.c b/src/direct_api.c
+index 64dc7d9..5b94725 100644
+--- a/src/direct_api.c
++++ b/src/direct_api.c
+@@ -690,7 +690,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ /* Declare some variables */
+ int modified = 0, fcontexts_modified, ports_modified,
+ seusers_modified, users_extra_modified, dontaudit_modified,
+- preserve_tunables_modified;
++ preserve_tunables_modified, bools_modified;
+ dbase_config_t *users = semanage_user_dbase_local(sh);
+ dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
+ dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
+@@ -771,11 +771,11 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ users_extra_modified =
+ users_extra->dtable->is_modified(users_extra->dbase);
+ ports_modified = ports->dtable->is_modified(ports->dbase);
++ bools_modified = bools->dtable->is_modified(bools->dbase);
+
+ modified = sh->modules_modified;
+ modified |= ports_modified;
+ modified |= users->dtable->is_modified(users_base->dbase);
+- modified |= bools->dtable->is_modified(bools->dbase);
+ modified |= ifaces->dtable->is_modified(ifaces->dbase);
+ modified |= nodes->dtable->is_modified(nodes->dbase);
+ modified |= dontaudit_modified;
+@@ -891,15 +891,26 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+
+ /* ==================== Policydb-backed ================ */
+
+- /* Create new policy object, then attach to policy databases
+- * that work with a policydb */
++ /* Create new policy object */
+ retval = semanage_expand_sandbox(sh, base, &out);
+ if (retval < 0)
+ goto cleanup;
+
+ sepol_module_package_free(base);
+ base = NULL;
++ } else {
++ /* Load already linked policy */
++ retval = sepol_policydb_create(&out);
++ if (retval < 0)
++ goto cleanup;
++
++ retval = semanage_read_policydb(sh, out);
++ if (retval < 0)
++ goto cleanup;
++ }
+
++ if (sh->do_rebuild || modified || bools_modified) {
++ /* Attach to policy databases that work with a policydb. */
+ dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase,
+ out);
+ dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out);
+@@ -921,14 +932,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ if (retval < 0)
+ goto cleanup;
+ } else {
+- retval = sepol_policydb_create(&out);
+- if (retval < 0)
+- goto cleanup;
+-
+- retval = semanage_read_policydb(sh, out);
+- if (retval < 0)
+- goto cleanup;
+-
++ /* Changes to non-kernel policy configurations only. */
+ if (seusers_modified || users_extra_modified) {
+ retval = semanage_link_base(sh, &base);
+ if (retval < 0)
+@@ -1007,7 +1011,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ sepol_policydb_free(out);
+ out = NULL;
+
+- if (sh->do_rebuild || modified ||
++ if (sh->do_rebuild || modified || bools_modified ||
+ seusers_modified || fcontexts_modified || users_extra_modified) {
+ retval = semanage_install_sandbox(sh);
+ }
+@@ -1017,7 +1021,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ free(mod_filenames[i]);
+ }
+
+- if (modified) {
++ if (modified || bools_modified) {
+ /* Detach from policydb, so it can be freed */
+ dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase);
+ dbase_policydb_detach((dbase_policydb_t *) pports->dbase);
diff --git a/SPECS/libsemanage.spec b/SPECS/libsemanage.spec
index 07f9352..b7715ea 100644
--- a/SPECS/libsemanage.spec
+++ b/SPECS/libsemanage.spec
@@ -7,11 +7,13 @@ Summary: SELinux binary policy manipulation library
 Name: libsemanage
 Version: 2.1.10
-Release: 16%{?dist}
+Release: 18%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 Source: libsemanage-%{version}.tgz
 Patch: libsemanage-rhat.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1098446
+Patch1: 0001-Skip-policy-module-re-link-when-only-setting-boolean.patch
 URL: http://oss.tresys.com/git/selinux.git
 Source1: semanage.conf
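Review bot: The detach guard in the last direct_api.c hunk, `if (modified || bools_modified) {`, still omits `sh->do_rebuild`, while the attach guard introduced in the `@@ -891` hunk is `if (sh->do_rebuild || modified || bools_modified) {`, so a rebuild with nothing else modified attaches the policydb-backed dbases and never detaches them. The asymmetry predates this commit (attach was under `sh->do_rebuild || modified`, detach under `modified`), but both lines are touched here, so it is the moment to make them agree unless `do_rebuild` forces `modified` somewhere outside these hunks; semanage_direct_commit starts and ends outside them. Change the detach line to `if (sh->do_rebuild || modified || bools_modified) {`. The new `else` branch also reads the previously installed binary policy back instead of regenerating it from the module store, which the one-line `/* Load already linked policy */` does not convey; `/* Booleans only: reuse the already linked policy from the store and mutate it, no module re-link. */` states the trust assumption the commit message makes.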
@@ -84,6 +86,7 @@ SELinux management applications.
 %prep
 %setup -q
 %patch -p2 -b .rhat
+%patch1 -p1 -b .921017
 %build
 # To support building the Python wrapper against multiple Python runtimes
@@ -147,6 +150,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %dir %{_sysconfdir}/selinux
 %config(noreplace) %{_sysconfdir}/selinux/semanage.conf
 /%{_libdir}/libsemanage.so.1
+%{_mandir}/man5/*
 %post -p /sbin/ldconfig
@@ -179,6 +183,14 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif # if with_python3
 %changelog
+* Wed Jul 22 2015 Petr Lautrbach 2.1.10-18
+- Add semanage.conf(5) man page
+Resolves: rhbz#915651
+
+* Tue Jul 07 2015 Petr Lautrbach 2.1.10-17
+- Skip policy module re-link when only setting booleans.
+Resolves: rhbz#1098446
+
 * Fri Jan 24 2014 Daniel Mach - 2.1.10-16
 - Mass rebuild 2014-01-24
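Review bot: `%{_mandir}/man5/*` is added to `%files` in the `@@ -147` hunk, but nothing in this diff installs a man page: Patch1 only touches src/direct_api.c, and neither the tarball nor libsemanage-rhat.patch is shown. If the semanage.conf(5) page is not supplied by one of those, rpmbuild would fail at the `%files` stage on the unmatched glob, so confirm where the page comes from before merging. The backup suffix in `%patch1 -p1 -b .921017` also does not match the bug the patch is tied to in its `Patch1` comment and changelog entry (rhbz#1098446); if 921017 is not a deliberate reference, `%patch1 -p1 -b .1098446` keeps the suffix traceable to the fix.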