From: <mad...@us...> - 2007-09-04 18:22:57
Revision: 2545
http://selinux.svn.sourceforge.net/selinux/?rev=2545&view=rev
Author: madmethod
Date: 2007-09-04 11:22:54 -0700 (Tue, 04 Sep 2007)
Log Message:
-----------
merge from trunk r2494:HEAD
Modified Paths:
--------------
branches/policyrep/libselinux/ChangeLog
branches/policyrep/libselinux/Makefile
branches/policyrep/libselinux/VERSION
branches/policyrep/libselinux/include/selinux/av_permissions.h
branches/policyrep/libselinux/include/selinux/flask.h
branches/policyrep/libselinux/include/selinux/selinux.h
branches/policyrep/libselinux/man/man3/avc_add_callback.3
branches/policyrep/libselinux/man/man3/avc_cache_stats.3
branches/policyrep/libselinux/man/man3/avc_compute_create.3
branches/policyrep/libselinux/man/man3/avc_context_to_sid.3
branches/policyrep/libselinux/man/man3/avc_has_perm.3
branches/policyrep/libselinux/man/man3/avc_init.3
branches/policyrep/libselinux/man/man3/context_new.3
branches/policyrep/libselinux/man/man3/freecon.3
branches/policyrep/libselinux/man/man3/get_ordered_context_list.3
branches/policyrep/libselinux/man/man3/getcon.3
branches/policyrep/libselinux/man/man3/getexeccon.3
branches/policyrep/libselinux/man/man3/getfilecon.3
branches/policyrep/libselinux/man/man3/getfscreatecon.3
branches/policyrep/libselinux/man/man3/getseuserbyname.3
branches/policyrep/libselinux/man/man3/is_context_customizable.3
branches/policyrep/libselinux/man/man3/matchmediacon.3
branches/policyrep/libselinux/man/man3/matchpathcon.3
branches/policyrep/libselinux/man/man3/security_class_to_string.3
branches/policyrep/libselinux/man/man3/security_compute_av.3
branches/policyrep/libselinux/man/man3/security_getenforce.3
branches/policyrep/libselinux/man/man3/security_load_booleans.3
branches/policyrep/libselinux/man/man3/selabel_lookup.3
branches/policyrep/libselinux/man/man3/selabel_open.3
branches/policyrep/libselinux/man/man3/selabel_stats.3
branches/policyrep/libselinux/man/man3/selinux_binary_policy_path.3
branches/policyrep/libselinux/man/man3/selinux_getenforcemode.3
branches/policyrep/libselinux/man/man3/selinux_policy_root.3
branches/policyrep/libselinux/man/man3/selinux_set_callback.3
branches/policyrep/libselinux/man/man3/setfilecon.3
branches/policyrep/libselinux/man/man5/selabel_file.5
branches/policyrep/libselinux/man/man5/selabel_media.5
branches/policyrep/libselinux/man/man5/selabel_x.5
branches/policyrep/libselinux/man/man8/matchpathcon.8
branches/policyrep/libselinux/man/man8/selinux.8
branches/policyrep/libselinux/src/Makefile
branches/policyrep/libselinux/src/file_path_suffixes.h
branches/policyrep/libselinux/src/label_internal.h
branches/policyrep/libselinux/src/label_x.c
branches/policyrep/libselinux/src/mapping.h
branches/policyrep/libselinux/src/matchpathcon.c
branches/policyrep/libselinux/src/selinux_config.c
branches/policyrep/libselinux/src/selinux_internal.h
branches/policyrep/libselinux/src/stringrep.c
branches/policyrep/libsemanage/ChangeLog
branches/policyrep/libsemanage/VERSION
branches/policyrep/libsemanage/include/semanage/handle.h
branches/policyrep/libsemanage/src/Makefile
branches/policyrep/libsemanage/src/conf-parse.y
branches/policyrep/libsemanage/src/conf-scan.l
branches/policyrep/libsemanage/src/handle.c
branches/policyrep/libsemanage/src/libsemanage.map
branches/policyrep/libsemanage/src/semanage_conf.h
branches/policyrep/libsemanage/src/semanage_store.c
branches/policyrep/libsemanage/src/semanage_store.h
branches/policyrep/libsemanage/tests/Makefile
branches/policyrep/libsemanage/tests/libsemanage-tests.c
branches/policyrep/libsepol/ChangeLog
branches/policyrep/libsepol/VERSION
branches/policyrep/libsepol/include/sepol/handle.h
branches/policyrep/libsepol/src/avtab.c
branches/policyrep/libsepol/src/conditional.c
branches/policyrep/libsepol/src/context_record.c
branches/policyrep/libsepol/src/ebitmap.c
branches/policyrep/libsepol/src/expand.c
branches/policyrep/libsepol/src/handle.c
branches/policyrep/libsepol/src/handle.h
branches/policyrep/libsepol/src/libsepol.map
branches/policyrep/libsepol/src/module.c
branches/policyrep/libsepol/src/policydb.c
branches/policyrep/libsepol/src/private.h
branches/policyrep/libsepol/src/services.c
branches/policyrep/policycoreutils/ChangeLog
branches/policyrep/policycoreutils/VERSION
branches/policyrep/policycoreutils/newrole/Makefile
branches/policyrep/policycoreutils/run_init/Makefile
branches/policyrep/policycoreutils/scripts/Makefile
branches/policyrep/policycoreutils/scripts/chcat
branches/policyrep/policycoreutils/scripts/fixfiles
branches/policyrep/policycoreutils/semanage/semanage
branches/policyrep/policycoreutils/semodule/semodule.c
branches/policyrep/sepolgen/ChangeLog
branches/policyrep/sepolgen/VERSION
Added Paths:
-----------
branches/policyrep/libsemanage/src/genhomedircon.c
branches/policyrep/libsemanage/src/genhomedircon.h
branches/policyrep/libsemanage/src/utilities.c
branches/policyrep/libsemanage/src/utilities.h
branches/policyrep/libsemanage/tests/test_utilities.c
branches/policyrep/libsemanage/tests/test_utilities.h
Removed Paths:
-------------
branches/policyrep/policycoreutils/restorecon/
branches/policyrep/policycoreutils/scripts/genhomedircon
branches/policyrep/policycoreutils/scripts/genhomedircon.8
Modified: branches/policyrep/libselinux/ChangeLog
===================================================================
--- branches/policyrep/libselinux/ChangeLog 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/ChangeLog 2007-09-04 18:22:54 UTC (rev 2545)
@@ -1,3 +1,26 @@
+2.0.31 2007-08-23
+ * Fix file_contexts.homedirs path from Todd Miller.
+
+2.0.30 2007-08-06
+ * Fix segfault resulting from uninitialized print-callback pointer.
+
+2.0.29 2007-08-02
+ * Added x_contexts path function patch from Eamon Walsh.
+
+2.0.28 2007-08-01
+ * Fix build for EMBEDDED=y from Yuichi Nakamura.
+
+2.0.27 2007-07-25
+ * Fix markup problems in selinux man pages from Dan Walsh.
+
+2.0.26 2007-07-23
+ * Updated av_permissions.h and flask.h to include new nscd permissions from Dan Walsh.
+ * Added swigify to top-level Makefile from Dan Walsh.
+
+2.0.25 2007-07-23
+ * Fix for string_to_security_class segfault on x86_64 from Stephen
+ Smalley.
+
2.0.24 2007-09-07
* Fix for getfilecon() for zero-length contexts from Stephen Smalley.
Modified: branches/policyrep/libselinux/Makefile
===================================================================
--- branches/policyrep/libselinux/Makefile 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/Makefile 2007-09-04 18:22:54 UTC (rev 2545)
@@ -8,6 +8,9 @@
override DISABLE_RPM=y
override DISABLE_BOOL=y
endif
+ifeq ($(DISABLE_AVC),y)
+ EMFLAGS+= -DDISABLE_AVC
+endif
ifeq ($(DISABLE_BOOL),y)
EMFLAGS+= -DDISABLE_BOOL
endif
@@ -20,6 +23,9 @@
$(MAKE) -C src
$(MAKE) -C utils
+swigify: all
+ $(MAKE) -C src swigify
+
pywrap:
$(MAKE) -C src pywrap
Modified: branches/policyrep/libselinux/VERSION
===================================================================
--- branches/policyrep/libselinux/VERSION 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/VERSION 2007-09-04 18:22:54 UTC (rev 2545)
@@ -1 +1 @@
-2.0.24
+2.0.31
Modified: branches/policyrep/libselinux/include/selinux/av_permissions.h
===================================================================
--- branches/policyrep/libselinux/include/selinux/av_permissions.h 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/include/selinux/av_permissions.h 2007-09-04 18:22:54 UTC (rev 2545)
@@ -290,12 +290,16 @@
#define NODE__RAWIP_RECV 0x00000010UL
#define NODE__RAWIP_SEND 0x00000020UL
#define NODE__ENFORCE_DEST 0x00000040UL
+#define NODE__DCCP_RECV 0x00000080UL
+#define NODE__DCCP_SEND 0x00000100UL
#define NETIF__TCP_RECV 0x00000001UL
#define NETIF__TCP_SEND 0x00000002UL
#define NETIF__UDP_RECV 0x00000004UL
#define NETIF__UDP_SEND 0x00000008UL
#define NETIF__RAWIP_RECV 0x00000010UL
#define NETIF__RAWIP_SEND 0x00000020UL
+#define NETIF__DCCP_RECV 0x00000040UL
+#define NETIF__DCCP_SEND 0x00000080UL
#define NETLINK_SOCKET__IOCTL 0x00000001UL
#define NETLINK_SOCKET__READ 0x00000002UL
#define NETLINK_SOCKET__WRITE 0x00000004UL
@@ -837,6 +841,8 @@
#define NSCD__SHMEMPWD 0x00000020UL
#define NSCD__SHMEMGRP 0x00000040UL
#define NSCD__SHMEMHOST 0x00000080UL
+#define NSCD__GETSERV 0x00000100UL
+#define NSCD__SHMEMSERV 0x00000200UL
#define ASSOCIATION__SENDTO 0x00000001UL
#define ASSOCIATION__RECVFROM 0x00000002UL
#define ASSOCIATION__SETCONTEXT 0x00000004UL
@@ -897,3 +903,28 @@
#define KEY__CREATE 0x00000040UL
#define CONTEXT__TRANSLATE 0x00000001UL
#define CONTEXT__CONTAINS 0x00000002UL
+#define DCCP_SOCKET__IOCTL 0x00000001UL
+#define DCCP_SOCKET__READ 0x00000002UL
+#define DCCP_SOCKET__WRITE 0x00000004UL
+#define DCCP_SOCKET__CREATE 0x00000008UL
+#define DCCP_SOCKET__GETATTR 0x00000010UL
+#define DCCP_SOCKET__SETATTR 0x00000020UL
+#define DCCP_SOCKET__LOCK 0x00000040UL
+#define DCCP_SOCKET__RELABELFROM 0x00000080UL
+#define DCCP_SOCKET__RELABELTO 0x00000100UL
+#define DCCP_SOCKET__APPEND 0x00000200UL
+#define DCCP_SOCKET__BIND 0x00000400UL
+#define DCCP_SOCKET__CONNECT 0x00000800UL
+#define DCCP_SOCKET__LISTEN 0x00001000UL
+#define DCCP_SOCKET__ACCEPT 0x00002000UL
+#define DCCP_SOCKET__GETOPT 0x00004000UL
+#define DCCP_SOCKET__SETOPT 0x00008000UL
+#define DCCP_SOCKET__SHUTDOWN 0x00010000UL
+#define DCCP_SOCKET__RECVFROM 0x00020000UL
+#define DCCP_SOCKET__SENDTO 0x00040000UL
+#define DCCP_SOCKET__RECV_MSG 0x00080000UL
+#define DCCP_SOCKET__SEND_MSG 0x00100000UL
+#define DCCP_SOCKET__NAME_BIND 0x00200000UL
+#define DCCP_SOCKET__NODE_BIND 0x00400000UL
+#define DCCP_SOCKET__NAME_CONNECT 0x00800000UL
+#define MEMPROTECT__MMAP_ZERO 0x00000001UL
Modified: branches/policyrep/libselinux/include/selinux/flask.h
===================================================================
--- branches/policyrep/libselinux/include/selinux/flask.h 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/include/selinux/flask.h 2007-09-04 18:22:54 UTC (rev 2545)
@@ -64,6 +64,8 @@
#define SECCLASS_PACKET 57
#define SECCLASS_KEY 58
#define SECCLASS_CONTEXT 59
+#define SECCLASS_DCCP_SOCKET 60
+#define SECCLASS_MEMPROTECT 61
/*
* Security identifier indices for initial entities
Modified: branches/policyrep/libselinux/include/selinux/selinux.h
===================================================================
--- branches/policyrep/libselinux/include/selinux/selinux.h 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/include/selinux/selinux.h 2007-09-04 18:22:54 UTC (rev 2545)
@@ -454,6 +454,7 @@
extern const char *selinux_file_context_local_path(void);
extern const char *selinux_homedir_context_path(void);
extern const char *selinux_media_context_path(void);
+extern const char *selinux_x_context_path(void);
extern const char *selinux_contexts_path(void);
extern const char *selinux_securetty_types_path(void);
extern const char *selinux_booleans_path(void);
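Review bot: The newly exported `selinux_x_context_path` prototype is added without a corresponding man-page entry; the selinux_binary_policy_path.3 synopsis that this same commit edits still lists only the older accessors (ending with selinux_media_context_path, selinux_securetty_types_path, selinux_contexts_path, selinux_booleans_path) and mentions neither the x_contexts accessor nor the selinux_homedir_context_path and selinux_file_context_local_path declarations visible just above it. Add `extern const char *selinux_x_context_path(void);` to that synopsis with a one-line description stating that it returns the path of the X contexts configuration for the active policy. Since the sibling accessors return library-owned `const char *` strings, the description should also say whether the caller must not free the result; I am inferring that contract from the return type and the neighbouring functions, so confirm it against the implementation in selinux_config.c before documenting it.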
Modified: branches/policyrep/libselinux/man/man3/avc_add_callback.3
===================================================================
--- branches/policyrep/libselinux/man/man3/avc_add_callback.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/avc_add_callback.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -6,26 +6,26 @@
avc_add_callback \- additional event notification for SELinux userspace object managers.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
-.br
+
.B #include <selinux/avc.h>
.sp
.BI "int avc_add_callback(int (*" callback ")(uint32_t " event ,
.in +\w'int avc_add_callback(int (*callback)('u
.BI "security_id_t " ssid ,
-.br
+
.BI "security_id_t " tsid ,
-.br
+
.BI "security_class_t " tclass ,
-.br
+
.BI "access_vector_t " perms ,
-.br
+
.BI "access_vector_t *" out_retained "),"
.in
.in +\w'int avc_add_callback('u
.BI "uint32_t " events ", security_id_t " ssid ,
-.br
+
.BI "security_id_t " tsid ", security_class_t " tclass ,
-.br
+
.BI "access_vector_t " perms ");"
.in
.SH "DESCRIPTION"
Modified: branches/policyrep/libselinux/man/man3/avc_cache_stats.3
===================================================================
--- branches/policyrep/libselinux/man/man3/avc_cache_stats.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/avc_cache_stats.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -6,7 +6,7 @@
avc_cache_stats, avc_av_stats, avc_sid_stats \- obtain userspace SELinux AVC statistics.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
-.br
+
.B #include <selinux/avc.h>
.sp
.BI "void avc_av_stats(void);"
Modified: branches/policyrep/libselinux/man/man3/avc_compute_create.3
===================================================================
--- branches/policyrep/libselinux/man/man3/avc_compute_create.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/avc_compute_create.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -6,7 +6,7 @@
avc_compute_create \- obtain SELinux label for new object.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
-.br
+
.B #include <selinux/avc.h>
.sp
.BI "int avc_compute_create(security_id_t " ssid ", security_id_t " tsid ,
Modified: branches/policyrep/libselinux/man/man3/avc_context_to_sid.3
===================================================================
--- branches/policyrep/libselinux/man/man3/avc_context_to_sid.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/avc_context_to_sid.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -6,7 +6,7 @@
avc_context_to_sid, avc_sid_to_context, sidput, sidget, avc_get_initial_sid \- obtain and manipulate SELinux security ID's.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
-.br
+
.B #include <selinux/avc.h>
.sp
.BI "int avc_context_to_sid(security_context_t " ctx ", security_id_t *" sid ");"
Modified: branches/policyrep/libselinux/man/man3/avc_has_perm.3
===================================================================
--- branches/policyrep/libselinux/man/man3/avc_has_perm.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/avc_has_perm.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -6,7 +6,7 @@
avc_has_perm, avc_has_perm_noaudit, avc_audit, avc_entry_ref_init \- obtain and audit SELinux access decisions.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
-.br
+
.B #include <selinux/avc.h>
.sp
.BI "void avc_entry_ref_init(struct avc_entry_ref *" aeref ");"
@@ -14,21 +14,21 @@
.BI "int avc_has_perm(security_id_t " ssid ", security_id_t " tsid ,
.in +\w'int avc_has_perm('u
.BI "security_class_t " tclass ", access_vector_t " requested ,
-.br
+
.BI "struct avc_entry_ref *" aeref ", void *" auditdata ");"
.in
.sp
.BI "int avc_has_perm_noaudit(security_id_t " ssid ", security_id_t " tsid ,
.in +\w'int avc_has_perm('u
.BI "security_class_t " tclass ", access_vector_t " requested ,
-.br
+
.BI "struct avc_entry_ref *" aeref ", struct av_decision *" avd ");"
.in
.sp
.BI "void avc_audit(security_id_t " ssid ", security_id_t " tsid ,
.in +\w'void avc_audit('u
.BI "security_class_t " tclass ", access_vector_t " requested ,
-.br
+
.BI "struct av_decision *" avd ", int " result ", void *" auditdata ");"
.in
.SH "DESCRIPTION"
Modified: branches/policyrep/libselinux/man/man3/avc_init.3
===================================================================
--- branches/policyrep/libselinux/man/man3/avc_init.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/avc_init.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -6,17 +6,17 @@
avc_init, avc_destroy, avc_reset, avc_cleanup \- userspace SELinux AVC setup and teardown.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
-.br
+
.B #include <selinux/avc.h>
.sp
.BI "int avc_init(const char *" msgprefix ,
.in +\w'int avc_init('u
.BI "const struct avc_memory_callback *" mem_callbacks ,
-.br
+
.BI "const struct avc_log_callback *" log_callbacks ,
-.br
+
.BI "const struct avc_thread_callback *" thread_callbacks ,
-.br
+
.BI "const struct avc_lock_callback *" lock_callbacks ");"
.in
.sp
Modified: branches/policyrep/libselinux/man/man3/context_new.3
===================================================================
--- branches/policyrep/libselinux/man/man3/context_new.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/context_new.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -4,27 +4,27 @@
.SH "SYNOPSIS"
.B #include <selinux/context.h>
-.br
+
.B "context_t context_new(const char *" context_str );
-.br
+
.B "const char * context_str(context_t " con );
-.br
+
.B "void context_free(context_t " con );
-.br
+
.B "const char * context_type_get(context_t " con );
-.br
+
.B "const char * context_range_get(context_t " con );
-.br
+
.B "const char * context_role_get(context_t " con );
-.br
+
.B "const char * context_user_get(context_t " con );
-.br
+
.B "const char * context_type_set(context_t " con ", const char* " type);
-.br
+
.B "const char * context_range_set(context_t " con ", const char* " range);
-.br
+
.B "const char * context_role_set(context_t " con ", const char* " role );
-.br
+
.B "const char * context_user_set(context_t " con ", const char* " user );
.SH "DESCRIPTION"
Modified: branches/policyrep/libselinux/man/man3/freecon.3
===================================================================
--- branches/policyrep/libselinux/man/man3/freecon.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/freecon.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -5,7 +5,7 @@
.B #include <selinux/selinux.h>
.sp
.BI "void freecon(security_context_t "con );
-.br
+
.BI "void freeconary(security_context_t *" con );
.SH "DESCRIPTION"
Modified: branches/policyrep/libselinux/man/man3/get_ordered_context_list.3
===================================================================
--- branches/policyrep/libselinux/man/man3/get_ordered_context_list.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/get_ordered_context_list.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -4,7 +4,7 @@
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
-.br
+
.B #include <selinux/get_context_list.h>
.sp
.BI "int get_ordered_context_list(const char *" user ", security_context_t "fromcon ", security_context_t **" list );
Modified: branches/policyrep/libselinux/man/man3/getcon.3
===================================================================
--- branches/policyrep/libselinux/man/man3/getcon.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/getcon.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -1,21 +1,21 @@
.TH "getcon" "3" "1 January 2004" "ru...@co..." "SELinux API documentation"
.SH "NAME"
getcon, getprevcon, getpidcon \- get SELinux security context of a process.
-.br
+
getpeercon - get security context of a peer socket.
-.br
+
setcon - set current security context of a process.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int getcon(security_context_t *" context );
-.br
+
.BI "int getprevcon(security_context_t *" context );
-.br
+
.BI "int getpidcon(pid_t " pid ", security_context_t *" context );
-.br
+
.BI "int getpeercon(int " fd ", security_context_t *" context);
-.br
+
.BI "int setcon(security_context_t " context);
.SH "DESCRIPTION"
Modified: branches/policyrep/libselinux/man/man3/getexeccon.3
===================================================================
--- branches/policyrep/libselinux/man/man3/getexeccon.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/getexeccon.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -1,16 +1,16 @@
.TH "getexeccon" "3" "1 January 2004" "ru...@co..." "SELinux API documentation"
.SH "NAME"
getexeccon, setexeccon \- get or set the SELinux security context used for executing a new process.
-.br
+
rpm_execcon \- run a helper for rpm in an appropriate security context
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int getexeccon(security_context_t *" context );
-.br
+
.BI "int setexeccon(security_context_t "context );
-.br
+
.BI "int rpm_execcon(unsigned int " verified ", const char *" filename ", char *const " argv "[] , char *const " envp "[]);
.SH "DESCRIPTION"
@@ -26,17 +26,17 @@
setexeccon to reset to the default policy behavior.
The exec context is automatically reset after the next execve, so a
program doesn't need to explicitly sanitize it upon startup.
-.br
+
setexeccon can be applied prior to library
functions that internally perform an execve, e.g. execl*, execv*, popen,
in order to set an exec context for that operation.
-.br
+
Note: Signal handlers that perform an execve must take care to
save, reset, and restore the exec context to avoid unexpected behaviors.
-.br
+
.B rpm_execcon
runs a helper for rpm in an appropriate security context. The
verified parameter should contain the return code from the signature
Modified: branches/policyrep/libselinux/man/man3/getfilecon.3
===================================================================
--- branches/policyrep/libselinux/man/man3/getfilecon.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/getfilecon.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -5,9 +5,9 @@
.B #include <selinux/selinux.h>
.sp
.BI "int getfilecon(const char *" path ", security_context_t *" con );
-.br
+
.BI "int lgetfilecon(const char *" path ", security_context_t *" con );
-.br
+
.BI "int fgetfilecon(int "fd ", security_context_t *" con );
.SH "DESCRIPTION"
.B getfilecon
@@ -22,7 +22,6 @@
is identical to getfilecon, only the open file pointed to by filedes (as
returned by open(2)) is interrogated in place of path.
-.br
The returned context should be freed with freecon if non-NULL.
.SH "RETURN VALUE"
Modified: branches/policyrep/libselinux/man/man3/getfscreatecon.3
===================================================================
--- branches/policyrep/libselinux/man/man3/getfscreatecon.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/getfscreatecon.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -6,7 +6,7 @@
.B #include <selinux/selinux.h>
.sp
.BI "int getfscreatecon(security_context_t *" con );
-.br
+
.BI "int setfscreatecon(security_context_t "context );
.SH "DESCRIPTION"
@@ -22,12 +22,12 @@
setfscreatecon to reset to the default policy behavior.
The fscreate context is automatically reset after the next execve, so a
program doesn't need to explicitly sanitize it upon startup.
-.br
+
setfscreatecon can be applied prior to library
functions that internally perform an file creation,
in order to set an file context on the objects.
-.br
+
Note: Signal handlers that perform an setfscreate must take care to
save, reset, and restore the fscreate context to avoid unexpected behaviors.
.SH "RETURN VALUE"
Modified: branches/policyrep/libselinux/man/man3/getseuserbyname.3
===================================================================
--- branches/policyrep/libselinux/man/man3/getseuserbyname.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/getseuserbyname.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -12,8 +12,8 @@
then be passed to other libselinux functions such as
get_ordered_context_list_with_level and get_default_context_with_level.
-.br
+
The returned SELinux username and level should be freed by the caller
using free.
.SH "RETURN VALUE"
Modified: branches/policyrep/libselinux/man/man3/is_context_customizable.3
===================================================================
--- branches/policyrep/libselinux/man/man3/is_context_customizable.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/is_context_customizable.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -8,7 +8,7 @@
.SH "DESCRIPTION"
.B is_context_customizable
-.br
+
This function checks whether the type of scon is in the /etc/selinux/SELINUXTYPE/context/customizable_types file. A customizable type is a file context type that
administrators set on files, usually to allow certain domains to share the file content. restorecon and setfiles, by default, leave these context in place.
Modified: branches/policyrep/libselinux/man/man3/matchmediacon.3
===================================================================
--- branches/policyrep/libselinux/man/man3/matchmediacon.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/matchmediacon.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -6,14 +6,14 @@
.B #include <selinux/selinux.h>
.sp
.BI "int matchmediacon(const char *" media ", security_context_t *" con);"
-.br
+
.SH "DESCRIPTION"
-.br
+
.B matchmediacon
matches the specified media type with the media contexts configuration and sets the security context "con" to refer to the resulting context.
.sp
-.br
+
.B Note:
Caller must free returned security context "con" using freecon.
.SH "RETURN VALUE"
Modified: branches/policyrep/libselinux/man/man3/matchpathcon.3
===================================================================
--- branches/policyrep/libselinux/man/man3/matchpathcon.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/matchpathcon.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -6,18 +6,18 @@
.B #include <selinux/selinux.h>
.sp
.BI "int matchpathcon_init(const char *" path ");"
-.br
+
.BI "int matchpathcon_fini(void);"
-.br
+
.BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con);
.sp
-.br
+
.BI "void set_matchpathcon_printf(void (*" f ")(const char *" fmt ", ...));"
-.br
+
.BI "void set_matchpathcon_invalidcon(int (*" f ")(const char *"path ", unsigned " lineno ", char * " context "));"
-.br
+
.BI "void set_matchpathcon_flags(unsigned int " flags ");"
-.br
+
.SH "DESCRIPTION"
.B matchpathcon_init
loads the file contexts configuration specified by
@@ -40,7 +40,7 @@
suffix are also looked up and loaded if present. These files provide
dynamically generated entries for user home directories and for local
customizations.
-.br
+
.sp
.B matchpathcon_fini
frees the memory allocated by a prior call to
@@ -49,7 +49,7 @@
.B matchpathcon_init
calls, or to free memory when finished using
.B matchpathcon.
-.br
+
.sp
.B matchpathcon
matches the specified pathname and mode against the file contexts
@@ -72,14 +72,14 @@
.I path,
defaulting to the active file contexts configuration.
.sp
-.br
+
.B set_matchpathcon_printf
sets the function used by
.B matchpathcon_init
when displaying errors about the file contexts configuration. If not set,
then this defaults to fprintf(stderr, fmt, ...). This can be set to redirect
error reporting to a different destination.
-.br
+
.sp
.B set_matchpathcon_invalidcon
sets the function used by
@@ -100,7 +100,7 @@
and
.I lineno
in such error messages.
-.br
+
.sp
.B set_matchpathcon_flags
sets flags controlling the operation of
@@ -111,7 +111,7 @@
.B MATCHPATHCON_BASEONLY
flag is set, then only the base file contexts configuration file
will be processed, not any dynamically generated entries or local customizations.
-.br
+
.sp
.SH "RETURN VALUE"
Returns 0 on success or -1 otherwise.
Modified: branches/policyrep/libselinux/man/man3/security_class_to_string.3
===================================================================
--- branches/policyrep/libselinux/man/man3/security_class_to_string.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/security_class_to_string.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -8,7 +8,7 @@
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
-.br
+
.B #include <selinux/flask.h>
.sp
.BI "const char * security_class_to_string(security_class_t " tclass ");"
Modified: branches/policyrep/libselinux/man/man3/security_compute_av.3
===================================================================
--- branches/policyrep/libselinux/man/man3/security_compute_av.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/security_compute_av.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -6,7 +6,7 @@
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
-.br
+
.B #include <selinux/flask.h>
.sp
.BI "int security_compute_av(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd );
Modified: branches/policyrep/libselinux/man/man3/security_getenforce.3
===================================================================
--- branches/policyrep/libselinux/man/man3/security_getenforce.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/security_getenforce.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -5,7 +5,7 @@
.B #include <selinux/selinux.h>
.sp
.B int security_getenforce();
-.br
+
.BI "int security_setenforce(int "value );
.SH "DESCRIPTION"
Modified: branches/policyrep/libselinux/man/man3/security_load_booleans.3
===================================================================
--- branches/policyrep/libselinux/man/man3/security_load_booleans.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/security_load_booleans.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -7,15 +7,15 @@
.B #include <selinux/selinux.h>
.sp
extern int security_load_booleans(char *path);
-.br
+
extern int security_get_boolean_names(char ***names, int *len);
-.br
+
extern int security_get_boolean_pending(const char *name);
-.br
+
extern int security_get_boolean_active(const char *name);
-.br
+
extern int security_set_boolean(const char *name, int value);
-.br
+
extern int security_commit_booleans(void);
@@ -29,27 +29,27 @@
The SELinux API allows for a transaction based update. So you can set several boolean values and the commit them all at once.
security_load_booleans
-.br
+
Load policy boolean settings. Path may be NULL, in which case the booleans are loaded from the active policy boolean configuration file.
security_get_boolean_names
-.br
+
Returns a list of boolean names, currently supported by the loaded policy.
security_set_boolean
-.br
+
Sets the pending value for boolean
security_get_boolean_pending
-.br
+
Return pending value for boolean
security_get_boolean_active
-.br
+
Return active value for boolean
security_commit_booleans
-.br
+
Commit all pending values for the booleans.
.SH AUTHOR
Modified: branches/policyrep/libselinux/man/man3/selabel_lookup.3
===================================================================
--- branches/policyrep/libselinux/man/man3/selabel_lookup.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/selabel_lookup.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -6,20 +6,20 @@
selabel_lookup \- obtain SELinux security context from a string label.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
-.br
+
.B #include <selinux/label.h>
.sp
.BI "int selabel_lookup(struct selabel_handle *" hnd ,
.in +\w'int selabel_lookup('u
.BI "security_context_t *" context ,
-.br
+
.BI "const char *" key ", int " type ");"
.in
.sp
.BI "int selabel_lookup_raw(struct selabel_handle *" hnd ,
.in +\w'int selabel_lookup_raw('u
.BI "security_context_t *" context ,
-.br
+
.BI "const char *" key ", int " type ");"
.SH "DESCRIPTION"
Modified: branches/policyrep/libselinux/man/man3/selabel_open.3
===================================================================
--- branches/policyrep/libselinux/man/man3/selabel_open.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/selabel_open.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -6,13 +6,13 @@
selabel_open, selabel_close \- userspace SELinux labeling interface.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
-.br
+
.B #include <selinux/label.h>
.sp
.BI "struct selabel_handle *selabel_open(int " backend ,
.in +\w'struct selabel_handle *selabel_open('u
.BI "struct selinux_opt *" options ,
-.br
+
.BI "unsigned " nopt ");"
.in
.sp
Modified: branches/policyrep/libselinux/man/man3/selabel_stats.3
===================================================================
--- branches/policyrep/libselinux/man/man3/selabel_stats.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/selabel_stats.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -6,7 +6,7 @@
selabel_stats \- obtain SELinux labeling statistics.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
-.br
+
.B #include <selinux/label.h>
.sp
.BI "void selabel_lookup(struct selabel_handle *" hnd ");"
Modified: branches/policyrep/libselinux/man/man3/selinux_binary_policy_path.3
===================================================================
--- branches/policyrep/libselinux/man/man3/selinux_binary_policy_path.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/selinux_binary_policy_path.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -10,27 +10,27 @@
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
-.br
+
extern const char *selinux_policy_root(void);
-.br
+
extern const char *selinux_binary_policy_path(void);
-.br
+
extern const char *selinux_failsafe_context_path(void);
-.br
+
extern const char *selinux_removable_context_path(void);
-.br
+
extern const char *selinux_default_context_path(void);
-.br
+
extern const char *selinux_user_contexts_path(void);
-.br
+
extern const char *selinux_file_context_path(void);
-.br
+
extern const char *selinux_media_context_path(void);
-.br
+
extern const char *selinux_securetty_types_path(void);
-.br
+
extern const char *selinux_contexts_path(void);
-.br
+
extern const char *selinux_booleans_path(void);
Modified: branches/policyrep/libselinux/man/man3/selinux_getenforcemode.3
===================================================================
--- branches/policyrep/libselinux/man/man3/selinux_getenforcemode.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/selinux_getenforcemode.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -5,13 +5,13 @@
.B #include <selinux/selinux.h>
.sp
.B int selinux_getenforcemode(int *enforce);
-.br
+
.SH "DESCRIPTION"
.B selinux_getenforcemode
Reads the contents of the /etc/selinux/config file to determine how the
system was setup to run SELinux.
-.br
+
Sets the value of enforce to 1 if SELinux should be run in enforcing mode.
Sets the value of enforce to 0 if SELinux should be run in permissive mode.
Sets the value of enforce to -1 if SELinux should be disabled.
Modified: branches/policyrep/libselinux/man/man3/selinux_policy_root.3
===================================================================
--- branches/policyrep/libselinux/man/man3/selinux_policy_root.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/selinux_policy_root.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -5,8 +5,8 @@
.B #include <selinux/selinux.h>
.sp
.B char *selinux_policy_root();
-.br
+
.SH "DESCRIPTION"
.B selinux_policy_root
Reads the contents of the /etc/selinux/config file to determine which policy files should be used for this machine.
Modified: branches/policyrep/libselinux/man/man3/selinux_set_callback.3
===================================================================
--- branches/policyrep/libselinux/man/man3/selinux_set_callback.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/selinux_set_callback.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -39,11 +39,11 @@
argument indicates the type of message and will be set to one of the following:
.B SELINUX_ERROR
-.br
+
.B SELINUX_WARNING
-.br
+
.B SELINUX_INFO
-.br
+
.B SELINUX_AVC
.TP
Modified: branches/policyrep/libselinux/man/man3/setfilecon.3
===================================================================
--- branches/policyrep/libselinux/man/man3/setfilecon.3 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man3/setfilecon.3 2007-09-04 18:22:54 UTC (rev 2545)
@@ -6,9 +6,9 @@
.B #include <selinux/selinux.h>
.sp
.BI "int setfilecon(const char *" path ", security_context_t "con );
-.br
+
.BI "int lsetfilecon(const char *" path ", security_context_t "con );
-.br
+
.BI "int fsetfilecon(int "fd ", security_context_t "con );
.SH "DESCRIPTION"
Modified: branches/policyrep/libselinux/man/man5/selabel_file.5
===================================================================
--- branches/policyrep/libselinux/man/man5/selabel_file.5 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man5/selabel_file.5 2007-09-04 18:22:54 UTC (rev 2545)
@@ -6,13 +6,13 @@
selabel_file \- userspace SELinux labeling interface: file contexts backend.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
-.br
+
.B #include <selinux/label.h>
.sp
.BI "int selabel_lookup(struct selabel_handle *" hnd ,
.in +\w'int selabel_lookup('u
.BI "security_context_t *" context ,
-.br
+
.BI "const char *" path ", int " mode ");"
.SH "DESCRIPTION"
Modified: branches/policyrep/libselinux/man/man5/selabel_media.5
===================================================================
--- branches/policyrep/libselinux/man/man5/selabel_media.5 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man5/selabel_media.5 2007-09-04 18:22:54 UTC (rev 2545)
@@ -6,13 +6,13 @@
selabel_media \- userspace SELinux labeling interface: media contexts backend.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
-.br
+
.B #include <selinux/label.h>
.sp
.BI "int selabel_lookup(struct selabel_handle *" hnd ,
.in +\w'int selabel_lookup('u
.BI "security_context_t *" context ,
-.br
+
.BI "const char *" device_name ", int " unused ");"
.SH "DESCRIPTION"
Modified: branches/policyrep/libselinux/man/man5/selabel_x.5
===================================================================
--- branches/policyrep/libselinux/man/man5/selabel_x.5 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man5/selabel_x.5 2007-09-04 18:22:54 UTC (rev 2545)
@@ -6,13 +6,13 @@
selabel_x \- userspace SELinux labeling interface: X Window System contexts backend.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
-.br
+
.B #include <selinux/label.h>
.sp
.BI "int selabel_lookup(struct selabel_handle *" hnd ,
.in +\w'int selabel_lookup('u
.BI "security_context_t *" context ,
-.br
+
.BI "const char *" object_name ", int " object_type ");"
.SH "DESCRIPTION"
Modified: branches/policyrep/libselinux/man/man8/matchpathcon.8
===================================================================
--- branches/policyrep/libselinux/man/man8/matchpathcon.8 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man8/matchpathcon.8 2007-09-04 18:22:54 UTC (rev 2545)
@@ -10,16 +10,16 @@
.SH OPTIONS
.B \-n
Do not display path.
-.br
+
.B \-N
Do not use translations.
-.br
+
.B \-f file_context_file
Use alternate file_context file
-.br
+
.B \-p prefix
Use prefix to speed translations
-.br
+
.B \-V
Verify file context on disk matches defaults
Modified: branches/policyrep/libselinux/man/man8/selinux.8
===================================================================
--- branches/policyrep/libselinux/man/man8/selinux.8 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/man/man8/selinux.8 2007-09-04 18:22:54 UTC (rev 2545)
@@ -62,14 +62,13 @@
.B system-config-securitylevel
allows customization of these booleans and tunables.
-.br
Many domains that are protected by SELinux also include selinux man pages explainging how to customize their policy.
.SH FILE LABELING
All files, directories, devices ... have a security context/label associated with them. These context are stored in the extended attributes of the file system.
Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non selinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling.
-.br
+
The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-securitylevel, also has this capability. The restorcon/fixfiles commands are also available for relabeling files.
.SH AUTHOR
Modified: branches/policyrep/libselinux/src/Makefile
===================================================================
--- branches/policyrep/libselinux/src/Makefile 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/src/Makefile 2007-09-04 18:22:54 UTC (rev 2545)
@@ -20,7 +20,7 @@
LIBSO=$(TARGET).$(LIBVERSION)
ifeq ($(DISABLE_AVC),y)
- UNUSED_SRCS+=avc.c avc_internal.c avc_sidtab.c
+ UNUSED_SRCS+=avc.c avc_internal.c avc_sidtab.c mapping.c stringrep.c checkAccess.c
endif
ifeq ($(DISABLE_BOOL),y)
UNUSED_SRCS+=booleans.c
Modified: branches/policyrep/libselinux/src/file_path_suffixes.h
===================================================================
--- branches/policyrep/libselinux/src/file_path_suffixes.h 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/src/file_path_suffixes.h 2007-09-04 18:22:54 UTC (rev 2545)
@@ -16,5 +16,6 @@
S_(SEUSERS, "/seusers")
S_(TRANSLATIONS, "/setrans.conf")
S_(NETFILTER_CONTEXTS, "/contexts/netfilter_contexts")
- S_(FILE_CONTEXTS_HOMEDIR, "/contexts/files/file_contexts.homedir")
+ S_(FILE_CONTEXTS_HOMEDIR, "/contexts/files/file_contexts.homedirs")
S_(FILE_CONTEXTS_LOCAL, "/contexts/files/file_contexts.local")
+ S_(X_CONTEXTS, "/contexts/x_contexts")
Modified: branches/policyrep/libselinux/src/label_internal.h
===================================================================
--- branches/policyrep/libselinux/src/label_internal.h 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/src/label_internal.h 2007-09-04 18:22:54 UTC (rev 2545)
@@ -58,10 +58,11 @@
/*
* Compatibility support
*/
+extern int myprintf_compat;
extern void __attribute__ ((format(printf, 1, 2)))
(*myprintf) (const char *fmt,...);
-#define COMPAT_LOG(type, fmt...) if (myprintf) \
+#define COMPAT_LOG(type, fmt...) if (myprintf_compat) \
myprintf(fmt); \
else \
selinux_log(type, fmt);
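Review bot: The COMPAT_LOG macro rewritten here is still an unbraced if/else whose expansion ends in a semicolon, so a call site such as `if (cond) COMPAT_LOG(...); else ...` binds the else to the macro's own `if` and misparses; since the condition line is already being changed, this is the moment to wrap the expansion in `do { ... } while (0)` (assuming existing call sites end with a semicolon, as the current trailing `;` suggests). The new `extern int myprintf_compat;` also deserves a one-line comment, e.g. `/* set by set_matchpathcon_printf(); routes COMPAT_LOG through myprintf instead of selinux_log() */`, because the name alone does not say which way the flag points. The `fmt...` named-variadic form is a GNU extension; `...` with `__VA_ARGS__` is the C99 spelling if portability matters.
```c
#define COMPAT_LOG(type, fmt...) do { \
	if (myprintf_compat) \
		myprintf(fmt); \
	else \
		selinux_log(type, fmt); \
} while (0)
```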
Modified: branches/policyrep/libselinux/src/label_x.c
===================================================================
--- branches/policyrep/libselinux/src/label_x.c 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/src/label_x.c 2007-09-04 18:22:54 UTC (rev 2545)
@@ -107,7 +107,7 @@
/* Open the specification file. */
if (!path)
- path = "/etc/selinux/refpolicy/contexts/x_contexts";
+ path = selinux_x_context_path();
if ((fp = fopen(path, "r")) == NULL)
return -1;
__fsetlocking(fp, FSETLOCKING_BYCALLER);
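Review bot: `path = selinux_x_context_path()` replaces a string literal with a function result that goes straight into fopen(); if get_path(X_CONTEXTS) can return NULL (for instance when the SELinux configuration could not be read), fopen(NULL) is undefined behaviour where the old literal could not be. Add a guard between the assignment and the fopen, `if (!path) return -1;`, matching the -1 convention the fopen failure path already uses. The enclosing function starts and ends outside this hunk, so I cannot see whether a later caller already filters a NULL handle.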
Modified: branches/policyrep/libselinux/src/mapping.h
===================================================================
--- branches/policyrep/libselinux/src/mapping.h 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/src/mapping.h 2007-09-04 18:22:54 UTC (rev 2545)
@@ -31,4 +31,11 @@
extern void
map_decision(security_class_t tclass, struct av_decision *avd);
+/*mapping is not used for embedded build*/
+#ifdef DISABLE_AVC
+#define unmap_perm(x,y) y
+#define unmap_class(x) x
+#define map_decision(x,y)
+#endif
+
#endif /* _SELINUX_MAPPING_H_ */
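Review bot: The DISABLE_AVC stubs are appended after the extern prototypes rather than replacing them, so with DISABLE_AVC defined the header first declares `map_decision` as a function and then turns the same name into an empty macro; an `#ifdef DISABLE_AVC` / `#else` / `#endif` split around the prototypes would be cleaner and would make it obvious which helpers have no stub — only unmap_perm, unmap_class and map_decision are covered, so if the header declares other mapping helpers above this hunk, code compiled with mapping.c in UNUSED_SRCS (the src/Makefile hunk) would presumably fail to link. The stubs key off a preprocessor symbol while that Makefile hunk only tests `$(DISABLE_AVC)` at make level; confirm the build also passes `-DDISABLE_AVC` to the compiler. Minor style: `/* mapping is not used for embedded build */` with spaces inside the comment delimiters, as the rest of the file does.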
Modified: branches/policyrep/libselinux/src/matchpathcon.c
===================================================================
--- branches/policyrep/libselinux/src/matchpathcon.c 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/src/matchpathcon.c 2007-09-04 18:22:54 UTC (rev 2545)
@@ -65,14 +65,13 @@
#ifdef __GNUC__
__attribute__ ((format(printf, 1, 2)))
#endif
- (*myprintf) (const char *fmt,...);
+ (*myprintf) (const char *fmt,...) = &default_printf;
+int myprintf_compat = 0;
void set_matchpathcon_printf(void (*f) (const char *fmt, ...))
{
- if (f)
- myprintf = f;
- else
- myprintf = &default_printf;
+ myprintf = f ? f : &default_printf;
+ myprintf_compat = 1;
}
static int (*myinvalidcon) (const char *p, unsigned l, char *c) = NULL;
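Review bot: `myprintf_compat = 1;` is set unconditionally, including when a caller passes NULL to restore the default printf, so after such a call COMPAT_LOG keeps bypassing selinux_log() and prints via default_printf; if NULL is meant to mean "back to library logging", the flag should follow the argument, `myprintf_compat = (f != NULL);`. I cannot tell from the hunk which behaviour is intended, which is itself the problem: the new global has no comment. Add one above `int myprintf_compat = 0;`, e.g. `/* non-zero once set_matchpathcon_printf() has been called; COMPAT_LOG then uses myprintf instead of selinux_log() */`.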
Modified: branches/policyrep/libselinux/src/selinux_config.c
===================================================================
--- branches/policyrep/libselinux/src/selinux_config.c 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/src/selinux_config.c 2007-09-04 18:22:54 UTC (rev 2545)
@@ -38,7 +38,8 @@
#define FILE_CONTEXTS_HOMEDIR 16
#define FILE_CONTEXTS_LOCAL 17
#define SECURETTY_TYPES 18
-#define NEL 19
+#define X_CONTEXTS 19
+#define NEL 20
/* New layout is relative to SELINUXDIR/policytype. */
static char *file_paths[NEL];
@@ -369,3 +370,10 @@
}
hidden_def(selinux_file_context_local_path)
+
+const char *selinux_x_context_path()
+{
+ return get_path(X_CONTEXTS);
+}
+
+hidden_def(selinux_x_context_path)
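Review bot: `const char *selinux_x_context_path()` defines the function with an empty parameter list, which in a definition is an old-style declaration rather than a prototype; `selinux_x_context_path(void)` is the C99-correct spelling and matches the `(void)` signatures the man pages in this commit show for the sibling path accessors. The index `X_CONTEXTS 19` in the first hunk of this file must agree with the new `S_(X_CONTEXTS, ...)` entry added to file_path_suffixes.h; a short comment next to the define, `/* must match the S_() entry in file_path_suffixes.h; NEL is one past the last index */`, would record that coupling for the next addition.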
Modified: branches/policyrep/libselinux/src/selinux_internal.h
===================================================================
--- branches/policyrep/libselinux/src/selinux_internal.h 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/src/selinux_internal.h 2007-09-04 18:22:54 UTC (rev 2545)
@@ -65,6 +65,7 @@
hidden_proto(selinux_booleans_path)
hidden_proto(selinux_customizable_types_path)
hidden_proto(selinux_media_context_path)
+ hidden_proto(selinux_x_context_path)
hidden_proto(selinux_path)
hidden_proto(selinux_check_passwd_access)
hidden_proto(selinux_check_securetty_context)
Modified: branches/policyrep/libselinux/src/stringrep.c
===================================================================
--- branches/policyrep/libselinux/src/stringrep.c 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libselinux/src/stringrep.c 2007-09-04 18:22:54 UTC (rev 2545)
@@ -236,7 +236,7 @@
dentry = readdir(dir);
while (dentry != NULL) {
- size_t value;
+ unsigned int value;
struct stat m;
snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name);
@@ -258,7 +258,7 @@
if (ret < 0)
goto err4;
- if (sscanf(buf, "%u", (unsigned int *)&value) != 1)
+ if (sscanf(buf, "%u", &value) != 1)
goto err4;
node->perms[value-1] = strdup(dentry->d_name);
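Review bot: `node->perms[value-1]` is still indexed with a value parsed from the perms file without a range check; a value of 0 becomes UINT_MAX after the subtraction and any value above the capacity of node->perms writes past the array, and the switch from size_t to unsigned int does not change that. Guard before the store, `if (value == 0 || value > <PERMS_CAPACITY placeholder>) goto err4;`, using whatever bound node->perms actually has (its declaration is outside the hunk). The enclosing function begins and ends outside both hunks of this file.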
Modified: branches/policyrep/libsemanage/ChangeLog
===================================================================
--- branches/policyrep/libsemanage/ChangeLog 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libsemanage/ChangeLog 2007-09-04 18:22:54 UTC (rev 2545)
@@ -1,3 +1,13 @@
+2.0.5 2007-08-23
+ * Replace genhomedircon script with equivalent functionality within
+ libsemanage and introduce disable-genhomedircon option in
+ semanage.conf from Todd Miller.
+ Note: Depends on ustr.
+
+2.0.4 2007-08-16
+ * Allow dontaudits to be turned off via semanage interface when
+ updating policy from Joshua Brindle.
+
2.0.3 2007-04-25
* Fix to libsemanage man patches so whatis will work better from Dan Walsh
Modified: branches/policyrep/libsemanage/VERSION
===================================================================
--- branches/policyrep/libsemanage/VERSION 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libsemanage/VERSION 2007-09-04 18:22:54 UTC (rev 2545)
@@ -1 +1 @@
-2.0.3
+2.0.5
Modified: branches/policyrep/libsemanage/include/semanage/handle.h
===================================================================
--- branches/policyrep/libsemanage/include/semanage/handle.h 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libsemanage/include/semanage/handle.h 2007-09-04 18:22:54 UTC (rev 2545)
@@ -69,6 +69,9 @@
* 1 for yes, 0 for no (default) */
void semanage_set_create_store(semanage_handle_t * handle, int create_store);
+/* Set whether or not to disable dontaudits upon commit */
+void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
+
/* Check whether policy is managed via libsemanage on this system.
* Must be called prior to trying to connect.
* Return 1 if policy is managed via libsemanage on this system,
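Review bot: The comment on the new `semanage_set_disable_dontaudit` declaration states neither the accepted values nor the default, unlike the neighbouring `semanage_set_create_store` comment (`1 for yes, 0 for no (default)`). Extend it to `/* Set whether or not to disable dontaudits upon commit. 1 for yes, 0 for no (default) */`, assuming the default is 0 as the ChangeLog's description of an opt-in option suggests — confirm against the handle initialiser, which is not in this hunk.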
Modified: branches/policyrep/libsemanage/src/Makefile
===================================================================
--- branches/policyrep/libsemanage/src/Makefile 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libsemanage/src/Makefile 2007-09-04 18:22:54 UTC (rev 2545)
@@ -54,7 +54,7 @@
ranlib $@
$(LIBSO): $(LOBJS)
- $(CC) $(LDFLAGS) -shared -o $@ $^ -lsepol -lselinux -L$(LIBDIR) -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
+ $(CC) $(LDFLAGS) -shared -o $@ $^ -lsepol -lselinux -lustr -L$(LIBDIR) -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
ln -sf $@ $(TARGET)
conf-scan.c: conf-scan.l conf-parse.h
Modified: branches/policyrep/libsemanage/src/conf-parse.y
===================================================================
--- branches/policyrep/libsemanage/src/conf-parse.y 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libsemanage/src/conf-parse.y 2007-09-04 18:22:54 UTC (rev 2545)
@@ -57,7 +57,7 @@
}
%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED
-%token LOAD_POLICY_START SETFILES_START GENHOMEDIRCON_START
+%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON
%token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
%token PROG_PATH PROG_ARGS
%token <s> ARG
@@ -80,6 +80,7 @@
| file_mode
| save_previous
| save_linked
+ | disable_genhomedircon
;
module_store: MODULE_STORE '=' ARG {
@@ -137,6 +138,16 @@
}
;
+disable_genhomedircon: DISABLE_GENHOMEDIRCON '=' ARG {
+ if (strcasecmp($3, "false") == 0) {
+ current_conf->disable_genhomedircon = 0;
+ } else if (strcasecmp($3, "true") == 0) {
+ current_conf->disable_genhomedircon = 1;
+ } else {
+ yyerror("disable-genhomedircon can only be 'true' or 'false'");
+ }
+ free($3);
+ }
command_block:
command_start external_opts BLOCK_END {
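Review bot: The new `disable_genhomedircon` rule ends at its closing brace without the `;` every sibling rule in this grammar carries (see the `;` just above it and after save_linked), so add a `;` line after the closing brace for consistency; bison tolerates the omission but newer versions warn. On the invalid-value path the action calls yyerror() and then continues to `free($3)` and keeps parsing, whereas the removed GENHOMEDIRCON_START action used `parse_errors++; YYABORT;` on failure — confirm that yyerror() itself bumps parse_errors, otherwise a misspelled value is reported but the configuration is still accepted. The conf default block touched later in this file removes the old genhomedircon defaults but does not visibly initialise `disable_genhomedircon`; confirm the struct is zeroed so the option defaults to enabled.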
@@ -164,14 +175,6 @@
YYABORT;
}
}
- | GENHOMEDIRCON_START {
- semanage_conf_external_prog_destroy(current_conf->genhomedircon);
- current_conf->genhomedircon = NULL;
- if (new_external_prog(¤t_conf->genhomedircon) == -1) {
- parse_errors++;
- YYABORT;
- }
- }
;
verify_block: verify_start external_opts BLOCK_END {
@@ -239,16 +242,6 @@
return -1;
}
- if ((conf->genhomedircon =
- calloc(1, sizeof(*(current_conf->genhomedircon)))) == NULL) {
- return -1;
- }
- if ((conf->genhomedircon->path =
- strdup("/usr/sbin/genhomedircon")) == NULL
- || (conf->genhomedircon->args = strdup("-t $@")) == NULL) {
- return -1;
- }
-
return 0;
}
@@ -303,7 +296,6 @@
free(conf->store_path);
semanage_conf_external_prog_destroy(conf->load_policy);
semanage_conf_external_prog_destroy(conf->setfiles);
- semanage_conf_external_prog_destroy(conf->genhomedircon);
semanage_conf_external_prog_destroy(conf->mod_prog);
semanage_conf_external_prog_destroy(conf->linked_prog);
semanage_conf_external_prog_destroy(conf->kernel_prog);
Modified: branches/policyrep/libsemanage/src/conf-scan.l
===================================================================
--- branches/policyrep/libsemanage/src/conf-scan.l 2007-08-29 13:03:18 UTC (rev 2544)
+++ branches/policyrep/libsemanage/src/conf-scan.l 2007-09-04 18:22:54 UTC (rev 2545)
@@ -44,9 +44,9 @@
file-mode return FILE_MODE;
save-previous return SAVE_PREVIOUS;
save-linked return SAVE_LINKED;
+disable-genhomedircon return DISABLE_GENHOMEDIRCON;
"[load_policy]" return LOAD_POLICY_START;
"[setfiles]" return SETFILES_START;
-"[genhomedircon]" return GENHOMEDIRCON_START;
"[verify module]" return VERIFY_MOD_START;
"[verify linked]" return VERIFY_LINKED_START;
"[verify kernel]" return VERIFY_KERNEL_START;
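Review bot: Dropping the `"[genhomedircon]"` pattern means a semanage.conf that still carries that block is now handled by whatever fallback rule follows in the scanner rather than recognised, which presumably turns an obsolete section into a parse error at upgrade time. A softer migration would keep the GENHOMEDIRCON_START token with a parser action that skips the block and logs a deprecation message pointing at `disable-genhomedircon`. The scanner's catch-all rule is outside this hunk, so confirm how an unknown section header is actually treated.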
Copied: branches/policyrep/libsemanage/src/genhomedircon.c (from rev 2544, trunk/libsemanage/src/genhomedircon.c)
===================================================================
--- branches/policyrep/libsemanage/src/genhomedircon.c (rev 0)
+++ branches/policyrep/libsemanage/src/genhomedircon.c 2007-09-04 18:22:54 UTC (rev 2545)
@@ -0,0 +1,717 @@
+/* Author: Mark Goldman <mgo...@tr...>
+ * Paul Rosenfeld <pro...@tr...>
+ *
+ * Copyright (C) 2007 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of the
+ * License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA
+ */
+
+#include <semanage/handle.h>
+#include <semanage/seusers_policy.h>
+#include <semanage/users_policy.h>
+#include <semanage/user_record.h>
+#include "semanage_store.h"
+#include "seuser_internal.h"
+#include "debug.h"
+
+#include "utilities.h"
+#include "genhomedircon.h"
+#include <ustr.h>
+
+#include <assert.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <pwd.h>
+#include <errno.h>
+
+/* paths used in get_home_dirs() */
+#define PATH_ETC_USERADD "/etc/default/useradd"
+#define PATH_ETC_LIBUSER "/etc/libuser.conf"
+#define PATH_DEFAULT_HOME "/home"
+#define PATH_EXPORT_HOME "/export/home"
+#define PATH_ETC_LOGIN_DEFS "/etc/login.defs"
+
+/* other paths */
+#define PATH_SHELLS_FILE "/etc/shells"
+#define PATH_NOLOGIN_SHELL "/sbin/nologin"
+
+/* comments written to context file */
+#define COMMENT_FILE_CONTEXT_HEADER "#\n#\n# " \
+ "User-specific file contexts, generated via libsemanage\n" \
+ "# use semanage command to manage system users to change" \
+ " the file_context\n#\n#\n"
+
+#define COMMENT_USER_HOME_CONTEXT "\n\n#\n# Home Context for user %s" \
+ "\n#\n\n"
+
+/* placeholders used in the template file
+ which are searched for and replaced */
+#define TEMPLATE_HOME_ROOT "HOME_ROOT"
+#define TEMPLATE_HOME_DIR "HOME_DIR"
+#define TEMPLATE_USER "USER"
+#define TEMPLATE_ROLE "ROLE"
+#define TEMPLATE_SEUSER "system_u"
+
+#define FALLBACK_USER "user_u"
+#define FALLBACK_USER_PREFIX "user"
+#define DEFAULT_LOGIN "__default__"
+
+typedef struct {
+ const char *fcfilepath;
+ int usepasswd;
+ const char *homedir_template_path;
+ semanage_handle_t *h_semanage;
+} genhomedircon_settings_t;
+
+typedef struct user_entry {
+ char *name;
+ char *sename;
+ char *prefix;
+ char *home;
+ struct user_entry *next;
+} genhomedircon_user_entry_t;
+
+typedef struct {
+ const char *search_for;
+ const char *replace_with;
+} replacement_pair_t;
+
+static semanage_list_t *default_shell_list(void)
+{
+ semanage_list_t *list = NULL;
+
+ if (semanage_list_push(&list, "/bin/csh")
+ || semanage_list_push(&list, "/bin/tcsh")
+ || semanage_list_push(&list, "/bin/ksh")
+ || semanage_list_push(&list, "/bin/bsh")
+ || semanage_list_push(&list, "/bin/ash")
+ || semanage_list_push(&list, "/usr/bin/ksh")
+ || semanage_list_push(&list, "/usr/bin/pdksh")
+ || semanage_list_push(&list, "/bin/zsh")
+ || semanage_list_push(&list, "/bin/sh")
+ || semanage_list_push(&list, "/bin/bash"))
+ goto fail;
+
+ return list;
+
+ fail:
+ semanage_list_destroy(&list);
+ return NULL;
+}
+
+static semanage_list_t *get_shell_list(void)
+{
+ FILE *shells;
+ char *temp = NULL;
+ semanage_list_t *list = NULL;
+ size_t buff_len = 0;
+
+ shells = fopen(PATH_SHELLS_FILE, "r");
+ if (!shells)
+ return default_shell_list();
+ while (getline(&temp, &buff_len, shells) >= 0) {
+ if (strcmp(temp, PATH_NOLOGIN_SHELL)) {
+ if (semanage_list_push(&list, temp)) {
+ free(temp);
+ semanage_list_destroy(&list);
+ return default_shell_list();
+ }
+ }
+ }
+ free(temp);
+
+ return list;
+}
+
+static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s)
+{
+ semanage_list_t *homedir_list = NULL;
+ semanage_list_t *shells = NULL;
+ char *path = NULL;
+ size_t minuid = 0;
+ size_t minuid_set = 0;
+ size_t temp;
+ struct passwd *pwbuf;
+ struct stat buf;
+
+ shells = get_shell_list();
+ assert(shells);
+
+ path = semanage_findval(PATH_ETC_USERADD, "HOME", "=");
+ if (path && *path) {
+ if (semanage_list_push(&homedir_list, path)) {
+ free(path);
+ goto fail;
+ }
+ }
+ free(path);
+
+ path = semanage_findval(PATH_ETC_LIBUSER, "LU_HOMEDIRECTORY", "=");
+ if (path && *path) {
+ if (semanage_list_push(&homedir_list, path)) {
+ free(path);
+ goto fail;
+ }
+ }
+ free(path);
+
+ if (!homedir_list) {
+ if (semanage_list_push(&homedir_list, PATH_DEFAULT_HOME)) {
+ goto fail;
+ }
+ }
+
+ if (!stat(PATH_EXPORT_HOME, &buf)) {
+ if (S_ISDIR(buf.st_mode)) {
+ if (semanage_list_push(&homedir_list, PATH_EXPORT_HOME)) {
+ goto fail;
+ }
+ }
+ }
+
+ if (!(s->usepasswd))
+ return homedir_list;
+
+ path = semanage_findval(PATH_ETC_LOGIN_DEFS, "UID_MIN", NULL);
+ if (path && *path) {
+ temp = atoi(path);
+ if (!minuid_set || temp < minuid) {
+ minuid = temp;
+ minuid_set = 1;
+ }
+ }
+ free(path);
+
+ path = semanage_findval(PATH_ETC_LIBUSER, "LU_UIDNUMBER", "=");
+ if (path && *path) {
+ temp = atoi(path);
+ if (!minuid_set || temp < minuid) {
+ minuid = temp;
+ minuid_set = 1;
+ }
+ }
+ free(path);
+
+ if (!minuid_set) {
+ minuid = 500;
+ minuid_set = 1;
+ }
+
+ setpwent();
+ for (errno = 0; (pwbuf = getpwent()); errno = 0) {
+ if (pwbuf->pw_uid < minuid)
+ continue;
+ if (!semanage_list_find(shells, pwbuf->pw_shell))
+ continue;
+ if (strcmp(pwbuf->pw_dir, "/") == 0)
+ continue;
+ if (semanage_str_count(pwbuf->pw_dir, '/') <= 1)
+ continue;
+ if (!(path = strdup(pwbuf->pw_dir))) {
+ break;
+ }
+
+ semanage_rtrim(path, '/');
+ if (!semanage_list_find(homedir_list, path)) {
+ if (semanage_list_push(&homedir_list, path)) {
+ free(path);
+ goto fail;
+ }
+ }
+ free(path);
+ }
+
+ if (errno) {
+ WARN(s->h_semanage, "Error while fetching users. "
+ "Returning list so far.");
+ }
+ endpwent();
+ semanage_list_destroy(&shells);
+ if (semanage_list_sort(&homedir_list))
+ goto fail;
+
+ ...