| To: vim-dev@vim.org |
| Subject: Patch 7.1.296 |
| Fcc: outbox |
| From: Bram Moolenaar <Bram@moolenaar.net> |
| Mime-Version: 1.0 |
| Content-Type: text/plain; charset=ISO-8859-1 |
| Content-Transfer-Encoding: 8bit |
| |
| |
| Patch 7.1.296 |
| Problem: SELinux is not supported. |
| Solution: Detect the selinux library and use mch_copy_sec(). (James Vega) |
| Files: src/auto/configure, src/config.h.in, src/configure.in, |
| src/fileio.c, src/memfile.c, src/os_unix.c, src/proto/os_unix.pro |
| |
| |
| |
| |
| |
| *** 845,850 **** |
| --- 845,851 ---- |
| --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) |
| --enable-FEATURE[=ARG] include FEATURE [ARG=yes] |
| --disable-darwin Disable Darwin (Mac OS X) support. |
| + --disable-selinux Don't check for SELinux support. |
| --disable-xsmp Disable XSMP session management |
| --disable-xsmp-interact Disable XSMP interaction |
| --enable-mzschemeinterp Include MzScheme interpreter. |
| |
| *** 3611,3616 **** |
| --- 3612,3705 ---- |
| esac |
| fi |
| |
| + echo "$as_me:$LINENO: checking --disable-selinux argument" >&5 |
| + echo $ECHO_N "checking --disable-selinux argument... $ECHO_C" >&6 |
| + # Check whether --enable-selinux or --disable-selinux was given. |
| + if test "${enable_selinux+set}" = set; then |
| + enableval="$enable_selinux" |
| + |
| + else |
| + enable_selinux="yes" |
| + fi; |
| + if test "$enable_selinux" = "yes"; then |
| + echo "$as_me:$LINENO: result: no" >&5 |
| + echo "${ECHO_T}no" >&6 |
| + echo "$as_me:$LINENO: checking for is_selinux_enabled in -lselinux" >&5 |
| + echo $ECHO_N "checking for is_selinux_enabled in -lselinux... $ECHO_C" >&6 |
| + if test "${ac_cv_lib_selinux_is_selinux_enabled+set}" = set; then |
| + echo $ECHO_N "(cached) $ECHO_C" >&6 |
| + else |
| + ac_check_lib_save_LIBS=$LIBS |
| + LIBS="-lselinux $LIBS" |
| + cat >conftest.$ac_ext <<_ACEOF |
| + /* confdefs.h. */ |
| + _ACEOF |
| + cat confdefs.h >>conftest.$ac_ext |
| + cat >>conftest.$ac_ext <<_ACEOF |
| + /* end confdefs.h. */ |
| + |
| + /* Override any gcc2 internal prototype to avoid an error. */ |
| + #ifdef __cplusplus |
| + extern "C" |
| + #endif |
| + /* We use char because int might match the return type of a gcc2 |
| + builtin and then its argument prototype would still apply. */ |
| + char is_selinux_enabled (); |
| + int |
| + main () |
| + { |
| + is_selinux_enabled (); |
| + ; |
| + return 0; |
| + } |
| + _ACEOF |
| + rm -f conftest.$ac_objext conftest$ac_exeext |
| + if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 |
| + (eval $ac_link) 2>conftest.er1 |
| + ac_status=$? |
| + grep -v '^ *+' conftest.er1 >conftest.err |
| + rm -f conftest.er1 |
| + cat conftest.err >&5 |
| + echo "$as_me:$LINENO: \$? = $ac_status" >&5 |
| + (exit $ac_status); } && |
| + { ac_try='test -z "$ac_c_werror_flag" |
| + || test ! -s conftest.err' |
| + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 |
| + (eval $ac_try) 2>&5 |
| + ac_status=$? |
| + echo "$as_me:$LINENO: \$? = $ac_status" >&5 |
| + (exit $ac_status); }; } && |
| + { ac_try='test -s conftest$ac_exeext' |
| + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 |
| + (eval $ac_try) 2>&5 |
| + ac_status=$? |
| + echo "$as_me:$LINENO: \$? = $ac_status" >&5 |
| + (exit $ac_status); }; }; then |
| + ac_cv_lib_selinux_is_selinux_enabled=yes |
| + else |
| + echo "$as_me: failed program was:" >&5 |
| + sed 's/^/| /' conftest.$ac_ext >&5 |
| + |
| + ac_cv_lib_selinux_is_selinux_enabled=no |
| + fi |
| + rm -f conftest.err conftest.$ac_objext \ |
| + conftest$ac_exeext conftest.$ac_ext |
| + LIBS=$ac_check_lib_save_LIBS |
| + fi |
| + echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_is_selinux_enabled" >&5 |
| + echo "${ECHO_T}$ac_cv_lib_selinux_is_selinux_enabled" >&6 |
| + if test $ac_cv_lib_selinux_is_selinux_enabled = yes; then |
| + LIBS="$LIBS -lselinux" |
| + cat >>confdefs.h <<\_ACEOF |
| + #define HAVE_SELINUX 1 |
| + _ACEOF |
| + |
| + fi |
| + |
| + else |
| + echo "$as_me:$LINENO: result: yes" >&5 |
| + echo "${ECHO_T}yes" >&6 |
| + fi |
| |
| |
| echo "$as_me:$LINENO: checking --with-features argument" >&5 |
| |
| |
| |
| *** 156,161 **** |
| --- 156,162 ---- |
| #undef HAVE_READLINK |
| #undef HAVE_RENAME |
| #undef HAVE_SELECT |
| + #undef HAVE_SELINUX |
| #undef HAVE_SETENV |
| #undef HAVE_SETPGID |
| #undef HAVE_SETSID |
| |
| |
| |
| *** 299,304 **** |
| --- 299,317 ---- |
| esac |
| fi |
| |
| + dnl Link with -lselinux for SELinux stuff; if not found |
| + AC_MSG_CHECKING(--disable-selinux argument) |
| + AC_ARG_ENABLE(selinux, |
| + [ --disable-selinux Don't check for SELinux support.], |
| + , enable_selinux="yes") |
| + if test "$enable_selinux" = "yes"; then |
| + AC_MSG_RESULT(no) |
| + AC_CHECK_LIB(selinux, is_selinux_enabled, |
| + [LIBS="$LIBS -lselinux" |
| + AC_DEFINE(HAVE_SELINUX)]) |
| + else |
| + AC_MSG_RESULT(yes) |
| + fi |
| |
| dnl Check user requested features. |
| |
| |
| |
| |
| *** 3651,3656 **** |
| --- 3660,3668 ---- |
| ) |
| mch_setperm(backup, |
| (perm & 0707) | ((perm & 07) << 3)); |
| + # ifdef HAVE_SELINUX |
| + mch_copy_sec(fname, backup); |
| + # endif |
| #endif |
| |
| /* |
| |
| *** 3687,3692 **** |
| --- 3699,3707 ---- |
| #ifdef HAVE_ACL |
| mch_set_acl(backup, acl); |
| #endif |
| + #ifdef HAVE_SELINUX |
| + mch_copy_sec(fname, backup); |
| + #endif |
| break; |
| } |
| } |
| |
| *** 4309,4314 **** |
| --- 4324,4335 ---- |
| } |
| #endif |
| |
| + #ifdef HAVE_SELINUX |
| + /* Probably need to set the security context. */ |
| + if (!backup_copy) |
| + mch_copy_sec(backup, wfname); |
| + #endif |
| + |
| #ifdef UNIX |
| /* When creating a new file, set its owner/group to that of the original |
| * file. Get the new device and inode number. */ |
| |
| |
| |
| *** 1346,1350 **** |
| --- 1346,1355 ---- |
| mfp->mf_ffname = NULL; |
| } |
| else |
| + { |
| + #ifdef HAVE_SELINUX |
| + mch_copy_sec(fname, mfp->mf_fname); |
| + #endif |
| mch_hide(mfp->mf_fname); /* try setting the 'hidden' flag */ |
| + } |
| } |
| |
| |
| |
| *** 45,50 **** |
| --- 45,55 ---- |
| # include <X11/SM/SMlib.h> |
| #endif |
| |
| + #ifdef HAVE_SELINUX |
| + # include <selinux/selinux.h> |
| + static int selinux_enabled = -1; |
| + #endif |
| + |
| /* |
| * Use this prototype for select, some include files have a wrong prototype |
| */ |
| |
| *** 2557,2562 **** |
| --- 2562,2623 ---- |
| } vim_acl_solaris_T; |
| # endif |
| |
| + #if defined(HAVE_SELINUX) || defined(PROTO) |
| + /* |
| + * Copy security info from "from_file" to "to_file". |
| + */ |
| + void |
| + mch_copy_sec(from_file, to_file) |
| + char_u *from_file; |
| + char_u *to_file; |
| + { |
| + if (from_file == NULL) |
| + return; |
| + |
| + if (selinux_enabled == -1) |
| + selinux_enabled = is_selinux_enabled(); |
| + |
| + if (selinux_enabled > 0) |
| + { |
| + security_context_t from_context = NULL; |
| + security_context_t to_context = NULL; |
| + |
| + if (getfilecon((char *)from_file, &from_context) < 0) |
| + { |
| + /* If the filesystem doesn't support extended attributes, |
| + the original had no special security context and the |
| + target cannot have one either. */ |
| + if (errno == EOPNOTSUPP) |
| + return; |
| + |
| + MSG_PUTS(_("\nCould not get security context for ")); |
| + msg_outtrans(from_file); |
| + msg_putchar('\n'); |
| + return; |
| + } |
| + if (getfilecon((char *)to_file, &to_context) < 0) |
| + { |
| + MSG_PUTS(_("\nCould not get security context for ")); |
| + msg_outtrans(to_file); |
| + msg_putchar('\n'); |
| + freecon (from_context); |
| + return ; |
| + } |
| + if (strcmp(from_context, to_context) != 0) |
| + { |
| + if (setfilecon((char *)to_file, from_context) < 0) |
| + { |
| + MSG_PUTS(_("\nCould not set security context for ")); |
| + msg_outtrans(to_file); |
| + msg_putchar('\n'); |
| + } |
| + } |
| + freecon(to_context); |
| + freecon(from_context); |
| + } |
| + } |
| + #endif /* HAVE_SELINUX */ |
| + |
| /* |
| * Return a pointer to the ACL of file "fname" in allocated memory. |
| * Return NULL if the ACL is not available for whatever reason. |
| |
| |
| |
| *** 34,39 **** |
| --- 34,40 ---- |
| void fname_case __ARGS((char_u *name, int len)); |
| long mch_getperm __ARGS((char_u *name)); |
| int mch_setperm __ARGS((char_u *name, long perm)); |
| + void mch_copy_sec __ARGS((char_u *from_file, char_u *to_file)); |
| vim_acl_T mch_get_acl __ARGS((char_u *fname)); |
| void mch_set_acl __ARGS((char_u *fname, vim_acl_T aclent)); |
| void mch_free_acl __ARGS((vim_acl_T aclent)); |
| |
| |
| |
| *** 668,669 **** |
| --- 673,676 ---- |
| { /* Add new patch number below this line */ |
| + /**/ |
| + 296, |
| /**/ |
| |
| -- |
| Michael: There is no such thing as a dump question. |
| Bernard: Sure there is. For example "what is a core dump?" |
| |
| /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ |
| /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ |
| \\\ download, build and distribute -- http://www.A-A-P.org /// |
| \\\ help me help AIDS victims -- http://ICCF-Holland.org /// |