From 14aba272622d204aaea6cfede026295b72c07b71 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 05 2019 14:48:42 +0000
Subject: import mcstrans-2.9-1.2.el8
---
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..fc37203
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/mcstrans-2.9.tar.gz
diff --git a/.mcstrans.metadata b/.mcstrans.metadata
new file mode 100644
index 0000000..c872327
--- /dev/null
+++ b/.mcstrans.metadata
@@ -0,0 +1 @@
+64bea2c1cd56e0550049a548dde0ac2e53f71714 SOURCES/mcstrans-2.9.tar.gz
diff --git a/SOURCES/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch b/SOURCES/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
new file mode 100644
index 0000000..b12c2b8
--- /dev/null
+++ b/SOURCES/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
@@ -0,0 +1,126 @@
+From eeac35fa98b8b2d323741703a2e59593d1ad200a Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Wed, 28 Nov 2018 18:28:05 +0100
+Subject: [PATCH] mcstrans: Fir RESOURCE_LEAK and USE_AFTER_FREE coverity scan
+ defects
+
+---
+ mcstrans/src/mcstrans.c | 17 ++++++++++++++++-
+ mcstrans/src/mcstransd.c | 4 +++-
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
+index 96bdbdff..29cadb78 100644
+--- a/mcstrans/src/mcstrans.c
++++ b/mcstrans/src/mcstrans.c
+@@ -633,16 +633,23 @@ add_cache(domain_t *domain, char *raw, char *trans) {
+ 
+ map->raw = strdup(raw);
+ if (!map->raw) {
++ free(map);
+ goto err;
+ }
+ map->trans = strdup(trans);
+ if (!map->trans) {
++ free(map->raw);
++ free(map);
+ goto err;
+ }
+ 
+ log_debug(" add_cache (%s,%s)\n", raw, trans);
+- if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0)
++ if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0) {
++ free(map->trans);
++ free(map->raw);
++ free(map);
+ goto err;
++ }
+ 
+ if (add_to_hashtable(domain->trans_to_raw, map->trans, map) < 0)
+ goto err;
+@@ -1519,6 +1526,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
+ trans = compute_trans_from_raw(range, domain);
+ if (trans)
+ if (add_cache(domain, range, trans) < 0) {
++ free(trans);
+ free(range);
+ return -1;
+ }
+@@ -1530,6 +1538,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
+ ltrans = compute_trans_from_raw(lrange, domain);
+ if (ltrans) {
+ if (add_cache(domain, lrange, ltrans) < 0) {
++ free(ltrans);
+ free(range);
+ return -1;
+ }
+@@ -1548,6 +1557,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
+ utrans = compute_trans_from_raw(urange, domain);
+ if (utrans) {
+ if (add_cache(domain, urange, utrans) < 0) {
++ free(utrans);
+ free(ltrans);
+ free(range);
+ return -1;
+@@ -1647,7 +1657,9 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
+ canonical = compute_trans_from_raw(raw, domain);
+ if (canonical && strcmp(canonical, range))
+ if (add_cache(domain, raw, canonical) < 0) {
++ free(canonical);
+ free(range);
++ free(raw);
+ return -1;
+ }
+ }
+@@ -1655,6 +1667,7 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
+ free(canonical);
+ if (add_cache(domain, raw, range) < 0) {
+ free(range);
++ free(raw);
+ return -1;
+ }
+ } else {
+@@ -1672,6 +1685,7 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
+ canonical = compute_trans_from_raw(lraw, domain);
+ if (canonical)
+ if (add_cache(domain, lraw, canonical) < 0) {
++ free(canonical);
+ free(lraw);
+ free(range);
+ return -1;
+@@ -1703,6 +1717,7 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
+ canonical = compute_trans_from_raw(uraw, domain);
+ if (canonical)
+ if (add_cache(domain, uraw, canonical) < 0) {
++ free(canonical);
+ free(uraw);
+ free(lraw);
+ free(range);
+diff --git a/mcstrans/src/mcstransd.c b/mcstrans/src/mcstransd.c
+index 85899493..a1ec81ac 100644
+--- a/mcstrans/src/mcstransd.c
++++ b/mcstrans/src/mcstransd.c
+@@ -335,6 +335,7 @@ process_events(struct pollfd **ufds, int *nfds)
+ /* Setup pollfd for deletion later. */
+ (*ufds)[ii].fd = -1;
+ close(connfd);
++ connfd = -1;
+ /* So we don't get bothered later */
+ revents = revents & ~(POLLHUP);
+ }
+@@ -348,10 +349,11 @@ process_events(struct pollfd **ufds, int *nfds)
+ /* Set the pollfd up for deletion later. */
+ (*ufds)[ii].fd = -1;
+ close(connfd);
++ connfd = -1;
+ 
+ revents = revents & ~(POLLHUP);
+ }
+- if (revents) {
++ if (revents && connfd != -1) {
+ syslog(LOG_ERR, "Unknown/error events (%x) encountered"
+ " for fd (%d)\n", revents, connfd);
+ 
+-- 
+2.21.0
+
diff --git a/SOURCES/0002-mcstrans-Do-not-accept-incomplete-contexts.patch b/SOURCES/0002-mcstrans-Do-not-accept-incomplete-contexts.patch
new file mode 100644
index 0000000..3135c30
--- /dev/null
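Review bot: In the add_cache hunk the failure path of the second insertion, `if (add_to_hashtable(domain->trans_to_raw, map->trans, map) < 0) goto err;`, is left without the cleanup the branch just above it now performs, and by that point map has already been inserted into domain->raw_to_trans. Simply freeing map there would leave raw_to_trans holding a dangling pointer, so the consistent fix is to take the map back out of raw_to_trans before freeing map->trans, map->raw and map, or to add a comment at that `goto err` saying why a half-registered map is intentionally kept; the `err:` label and the rest of add_cache are outside the hunk, so it is not visible whether err already handles it. The trans_context and untrans_context hunks that free the computed translation after a failed add_cache are consistent with add_cache never taking ownership on failure, which makes that remaining path the one place where ownership is ambiguous.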
+++ b/SOURCES/0002-mcstrans-Do-not-accept-incomplete-contexts.patch 
@@ -0,0 +1,59 @@
+From 659cb59cd6cfe36c954c77f945c06a0cd8218287 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Mon, 15 Apr 2019 15:22:51 +0200
+Subject: [PATCH 2/2] mcstrans: Do not accept incomplete contexts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes:
+$ python3
+> import selinux
+> selinux.selinux_raw_context_to_color("xyz_u:xyz_r:xyz_t:")
+
+Traceback (most recent call last):
+ File "", line 2, in
+OSError: [Errno 0] Error
+
+:: [ 10:25:45 ] :: [ BEGIN ] :: Running 'service mcstransd status'
+Redirecting to /bin/systemctl status mcstransd.service
+● mcstrans.service - Translates SELinux MCS/MLS labels to human readable form
+ Loaded: loaded (/usr/lib/systemd/system/mcstrans.service; disabled; vendor preset: disabled)
+ Active: failed (Result: core-dump) since Fri 2019-04-12 10:25:44 EDT; 1s ago
+ Process: 16681 ExecStart=/sbin/mcstransd -f (code=dumped, signal=SEGV)
+ Main PID: 16681 (code=dumped, signal=SEGV)
+
+systemd[1]: mcstrans.service: Main process exited, code=dumped, status=11/SEGV
+systemd[1]: mcstrans.service: Failed with result 'core-dump'.
+
+Signed-off-by: Petr Lautrbach
+---
+ mcstrans/src/mcscolor.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/mcstrans/src/mcscolor.c b/mcstrans/src/mcscolor.c
+index 6ea1aa97..79fc1c8b 100644
+--- a/mcstrans/src/mcscolor.c
++++ b/mcstrans/src/mcscolor.c
+@@ -272,10 +272,14 @@ static const unsigned precedence[N_COLOR][N_COLOR - 1] = {
+ static const secolor_t default_color = { 0x000000, 0xffffff };
+ 
+ static int parse_components(context_t con, char **components) {
+- components[COLOR_USER] = (char *)context_user_get(con);
+- components[COLOR_ROLE] = (char *)context_role_get(con);
+- components[COLOR_TYPE] = (char *)context_type_get(con);
+- components[COLOR_RANGE] = (char *)context_range_get(con);
++ if ((components[COLOR_USER] = (char *)context_user_get(con)) == NULL)
++ return -1;
++ if ((components[COLOR_ROLE] = (char *)context_role_get(con)) == NULL)
++ return -1;
++ if ((components[COLOR_TYPE] = (char *)context_type_get(con)) == NULL)
++ return -1;
++ if ((components[COLOR_RANGE] = (char *)context_range_get(con)) == NULL)
++ return -1;
+ 
+ return 0;
+ }
+-- 
+2.21.0
+
diff --git a/SOURCES/secolor.conf.8 b/SOURCES/secolor.conf.8
new file mode 100644
index 0000000..2947aca
--- /dev/null
+++ b/SOURCES/secolor.conf.8
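Review bot: Each new guard in parse_components returns -1 without setting errno, and the traceback quoted in the commit message shows the library surfacing exactly that kind of failure as `OSError: [Errno 0] Error`, i.e. an error with no reason attached. Setting `errno = EINVAL;` before each `return -1;` (or collapsing the four guards into one failure label that sets it once) would let callers report why an incomplete context was rejected; whether the caller of parse_components checks the -1 at all is outside the hunk and should be confirmed, since the report also shows mcstransd dying with SEGV, presumably on a NULL component. A one-line comment above the function, e.g. `/* Returns -1 if any of the four context components is missing; components[] may then be only partially filled. */`, would record the new contract for the caller.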
@@ -0,0 +1,180 @@ +.TH "secolor.conf" "8" "08 April 2011" "SELinux API documentation" +.SH "NAME" +secolor.conf \- The SELinux color configuration file +. +.SH "DESCRIPTION" +The +.I /etc/selinux/{SELINUXTYPE}/secolor.conf +configuation file controls the color to be associated to the context components associated to the +.I raw +context passed by +.BR selinux_raw_context_to_color "(3)," +when context related information is to be displayed in color by an SELinux-aware application. +.sp +.BR selinux_raw_context_to_color "(3)" +obtains this color information from the active policy +.B secolor.conf +file as returned by +.BR selinux_colors_path "(3)." +. +.SH "FILE FORMAT" +The file format is as follows: +.RS +.B color +.I color_name +.BI "= #"color_mask +.br +[...] +.sp +.I context_component string +.B = +.I fg_color_name bg_color_name +.br +[...] +.sp +.RE + +Where: +.br +.B color +.RS +The color keyword. Each color entry is on a new line. +.RE +.I color_name +.RS +A single word name for the color (e.g. red). +.RE +.I color_mask +.RS +A color mask starting with a hash (#) that describes the hexadecimal RGB colors with black being #000000 and white being #ffffff. +.RE +.I context_component +.RS +The context component name that must be one of the following: +.br +.RS +user, role, type or range +.RE +Each +.IR context_component " " string " ..." +entry is on a new line. +.RE +.I string +.RS +This is the +.I context_component +string that will be matched with the +.I raw +context component passed by +.BR selinux_raw_context_to_color "(3)." +.br +A wildcard '*' may be used to match any undefined string for the user, role and type +.I context_component +entries only. +.RE + +.I fg_color_name +.RS +The color_name string that will be used as the foreground color. +A +.I color_mask +may also be used. +.RE +.I bg_color_name +.RS +The color_name string that will be used as the background color. +A +.I color_mask +may also be used. +.RE +. 
+.SH "EXAMPLES" +Example 1 entries are: +.RS +color black = #000000 +.br +color green = #008000 +.br +color yellow = #ffff00 +.br +color blue = #0000ff +.br +color white = #ffffff +.br +color red = #ff0000 +.br +color orange = #ffa500 +.br +color tan = #D2B48C +.sp +user * = black white +.br +role * = white black +.br +type * = tan orange +.br +range s0\-s0:c0.c1023 = black green +.br +range s1\-s1:c0.c1023 = white green +.br +range s3\-s3:c0.c1023 = black tan +.br +range s5\-s5:c0.c1023 = white blue +.br +range s7\-s7:c0.c1023 = black red +.br +range s9\-s9:c0.c1023 = black orange +.br +range s15:c0.c1023 = black yellow +.RE + +.sp +Example 2 entries are: +.RS +color black = #000000 +.br +color green = #008000 +.br +color yellow = #ffff00 +.br +color blue = #0000ff +.br +color white = #ffffff +.br +color red = #ff0000 +.br +color orange = #ffa500 +.br +color tan = #d2b48c +.sp +user unconfined_u = #ff0000 green +.br +role unconfined_r = red #ffffff +.br +type unconfined_t = red orange +.br +user user_u = black green +.br +role user_r = white black +.br +type user_t = tan red +.br +user xguest_u = black yellow +.br +role xguest_r = black red +.br +type xguest_t = black green +.br +user sysadm_u = white black +.br +range s0:c0.c1023 = black white +.br +user * = black white +.br +role * = black white +.br +type * = black white +.RE +. +.SH "SEE ALSO" +.BR mcstransd "(8), " selinux_raw_context_to_color "(3), " selinux_colors_path "(3)" diff --git a/SPECS/mcstrans.spec b/SPECS/mcstrans.spec new file mode 100644 index 0000000..14b576e --- /dev/null +++ b/SPECS/mcstrans.spec 
@@ -0,0 +1,277 @@ +Summary: SELinux Translation Daemon +Name: mcstrans +Version: 2.9 +Release: 1.2%{?dist} +License: GPL+ +Url: https://github.com/SELinuxProject/selinux/wiki +Source: https://github.com/SELinuxProject/selinux/releases/download/20190315/mcstrans-2.9.tar.gz +Source2: secolor.conf.8 +# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done +Patch0001: 0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch +Patch0002: 0002-mcstrans-Do-not-accept-incomplete-contexts.patch +BuildRequires: gcc +BuildRequires: libselinux-devel >= %{version} +BuildRequires: libcap-devel pcre-devel libsepol-devel libsepol-static +BuildRequires: systemd +Requires: pcre +%{?systemd_requires} +Provides: setransd +Provides: libsetrans +Obsoletes: libsetrans + +%description +Security-enhanced Linux is a feature of the Linux® kernel and a number +of utilities with enhanced security functionality designed to add +mandatory access controls to Linux. The Security-enhanced Linux +kernel contains new architectural components originally developed to +improve the security of the Flask operating system. These +architectural components provide general support for the enforcement +of many kinds of mandatory access control policies, including those +based on the concepts of Type Enforcement®, Role-based Access +Control, and Multi-level Security. + +mcstrans provides an translation daemon to translate SELinux categories +from internal representations to user defined representation. 
+ +%prep +%autosetup -p 2 -n mcstrans-%{version} + +%build +%set_build_flags +make LIBDIR="%{_libdir}" %{?_smp_mflags} + +%install +mkdir -p %{buildroot}/%{_lib} +mkdir -p %{buildroot}/%{_libdir} +mkdir -p %{buildroot}%{_usr}/share/mcstrans +mkdir -p %{buildroot}%{_sysconfdir}/selinux/mls/setrans.d + +make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_lib}" SBINDIR="%{_sbindir}" install +rm -f %{buildroot}%{_libdir}/*.a +cp -r share/* %{buildroot}%{_usr}/share/mcstrans/ +# Systemd +mkdir -p %{buildroot}%{_unitdir} +ln -s %{_unitdir}/mcstrans.service %{buildroot}/%{_unitdir}/mcstransd.service +rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/mcstrans +install -m644 %{SOURCE2} %{buildroot}%{_mandir}/man8/ + +%clean +rm -rf %{buildroot} + +%post +%systemd_post mcstransd.service + +%preun +%systemd_preun mcstransd.service + +%postun +%systemd_postun mcstransd.service + +%files +%defattr(-,root,root,0755) +%{_mandir}/man8/mcs.8.gz +%{_mandir}/man8/mcstransd.8.gz +%{_mandir}/man8/setrans.conf.8.gz +%{_mandir}/ru/man8/mcs.8.gz +%{_mandir}/ru/man8/mcstransd.8.gz +%{_mandir}/ru/man8/setrans.conf.8.gz +%{_mandir}/man8/secolor.conf.8.gz +/usr/sbin/mcstransd +%{_unitdir}/mcstrans.service +%{_unitdir}/mcstransd.service +%dir %{_sysconfdir}/selinux/mls/setrans.d + +%dir %{_usr}/share/mcstrans + +%defattr(0644,root,root,0755) +%dir %{_usr}/share/mcstrans/util +%dir %{_usr}/share/mcstrans/examples +%{_usr}/share/mcstrans/examples/* + +%defattr(0755,root,root,0755) +%{_usr}/share/mcstrans/util/* + +%changelog +* Fri Apr 12 2019 Petr Lautrbach - 2.9-1.2 +- SELinux userspace 2.9 release + +* Sun Dec 16 2018 Petr Lautrbach - 2.8-2 +- Fix RESOURCE_LEAK and USE_AFTER_FREE coverity scan defects + +* Tue Oct 2 2018 Petr Lautrbach - 2.8-1 +- Update to mcstrans-2.8 + +* Thu Aug 03 2017 Fedora Release Engineering - 0.3.4-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 0.3.4-10 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 0.3.4-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Feb 04 2016 Fedora Release Engineering - 0.3.4-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jun 17 2015 Fedora Release Engineering - 0.3.4-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sun Aug 17 2014 Fedora Release Engineering - 0.3.4-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 0.3.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed Mar 19 2014 Karsten Hopp |karsten@redhat.com> - 0.3.4-4 +- fix changelog order so that it builds with a recent rpm + +* Wed Oct 16 2013 Dan Walsh - 0.3.4-3 +- Make mcstrans PIE and fully relro +- Resolves: #983268 + +* Tue Oct 15 2013 Dan Walsh - 0.3.4-2 +- Add RELRO support for long running services + +* Thu Sep 12 2013 Dan Walsh - 0.3.4-1 +- Update to latest version/applying patches +- Move binary to /usr/sbin rather then /sbin +* Sat Aug 03 2013 Fedora Release Engineering - 0.3.3-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Mar 26 2013 Dan Walsh - 0.3.3-7 +- Add secolor.conf.5 man page +- Make mcstransd watch for content being written to /run/setrans for files names containing translations. 
+-- This will allow apps like libvirt to write content nameing randomly selected MCS labels +- Fix memory leak in mcstransd + +* Thu Feb 14 2013 Fedora Release Engineering - 0.3.3-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Jul 19 2012 Fedora Release Engineering - 0.3.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Feb 10 2012 Petr Pisar - 0.3.3-4 +- Rebuild against PCRE 8.30 + +* Thu Feb 2 2012 Dan Walsh - 0.3.3-3 +- Fix the systemd service file + +* Wed Feb 1 2012 Dan Walsh - 0.3.3-2 +- Update to upstream +- Write pid file + +* Fri Jan 13 2012 Fedora Release Engineering - 0.3.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Feb 08 2011 Fedora Release Engineering - 0.3.2-1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Jan 5 2011 Ted X Toth - 0.3.2-0 +- Add constraints +- Add setrans.conf man page +- Fix mixed raw and translated range bug +- Moved todo comments to TODO file + +* Fri Oct 16 2009 Dan Walsh 0.3.1-4 +- Add mcstransd man page + +* Thu Sep 17 2009 Miroslav Grepl 0.3.1-3 +- Fix init script + +* Sat Jul 25 2009 Fedora Release Engineering - 0.3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Feb 5 2009 Joe Nall 0.3.1-1 +- Rewrite translations to allow individual word/category mapping +- Eamon Walsh's color mapping changes + +* Wed May 28 2008 Tom "spot" Callaway 0.2.11-2 +- fix license tag + +* Wed May 7 2008 Dan Walsh 0.2.11-1 +- More fixes from Jim Meyering + +* Tue May 6 2008 Dan Walsh 0.2.10-1 +- More error checking on failed strdup + +* Tue May 6 2008 Dan Walsh 0.2.9-1 +- Start mcstrans before netlabel + +* Mon Apr 14 2008 Dan Walsh 0.2.8-1 +- Fix error handling + +* Tue Feb 12 2008 Dan Walsh 0.2.7-2 +- Rebuild for gcc 4.3 + +* Tue Oct 30 2007 Steve Conklin - 0.2.7-1 +- Folded current patches into tarball + +* Thu Oct 25 2007 Steve Conklin - 0.2.6-3 +- Fixed a compile problem with 
max_categories + +* Thu Oct 25 2007 Steve Conklin - 0.2.6-2 +- Fixed some init script errors + +* Thu Sep 13 2007 Dan Walsh 0.2.6-1 +- Check for max_categories and error out + +* Thu Mar 1 2007 Dan Walsh 0.2.5-1 +- Fix case where s0="" + +* Mon Feb 26 2007 Dan Walsh 0.2.4-1 +- Translate range if fully specified correctly + +* Mon Feb 12 2007 Dan Walsh 0.2.3-1 +- Additional fix to handle ssh root/sysadm_r/s0:c1,c2 +Resolves: #224637 + +* Mon Feb 5 2007 Dan Walsh 0.2.1-1 +- Rewrite to handle MLS properly +Resolves: #225355 + +* Mon Jan 29 2007 Dan Walsh 0.1.10-2 +- Cleanup memory when complete + +* Mon Dec 4 2006 Dan Walsh 0.1.10-1 +- Fix Memory Leak +Resolves: #218173 + +* Thu Sep 21 2006 Dan Walsh 0.1.9-1 +- Add -pie +- Fix compiler warnings +- Fix Memory Leak +Resolves: #218173 + +* Wed Sep 13 2006 Peter Jones - 0.1.8-3 +- Fix subsys locking in init script + +* Wed Aug 23 2006 Dan Walsh 0.1.8-1 +- Only allow one version to run + +* Wed Jul 12 2006 Jesse Keating - sh: line 0: fg: no job control +- rebuild + +* Mon Jun 19 2006 Dan Walsh 0.1.7-1 +- Apply sgrubb patch to only call getpeercon on translations + +* Tue Jun 6 2006 Dan Walsh 0.1.6-1 +- Exit gracefully when selinux is not enabled + +* Mon May 15 2006 Dan Walsh 0.1.5-1 +- Fix sighup handling + +* Mon May 15 2006 Dan Walsh 0.1.4-1 +- Add patch from sgrubb +- Fix 64 bit size problems +- Increase the open file limit +- Make sure maximum size is not exceeded + +* Fri May 12 2006 Dan Walsh 0.1.3-1 +- Move initscripts to /etc/rc.d/init.d + +* Thu May 11 2006 Dan Walsh 0.1.2-1 +- Drop Privs + +* Mon May 8 2006 Dan Walsh 0.1.1-1 +- Initial Version +- This daemon reuses the code from libsetrans
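Review bot: In %files the daemon is listed as the literal path `/usr/sbin/mcstransd` while %install passes `SBINDIR="%{_sbindir}"` to make; `%{_sbindir}/mcstransd` keeps the two in agreement if the macro ever differs from /usr/sbin. The `%clean` section with `rm -rf %{buildroot}` and the leading `%defattr(-,root,root,0755)` are no-ops on current rpm and can be dropped as a matter of style. `Requires: pcre` duplicates the soname dependency rpm generates automatically if mcstransd is linked against the library, as the `pcre-devel` BuildRequires suggests.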