rpms/xinetd/devel xinetd-2.3.14-label.patch, 1.1, 1.2 xinetd.spec, 1.36, 1.37

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Aug 24 18:30:48 UTC 2006


Author: sgrubb

Update of /cvs/dist/rpms/xinetd/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv23267

Modified Files:
	xinetd-2.3.14-label.patch xinetd.spec 
Log Message:
* Thu Aug 24 2006 Steve Grubb <sgrubb at redhat.com> 2:2.3.14-5
- Revised labeled networking patch


xinetd-2.3.14-label.patch:
 config.h.in            |    1 
 configure.in           |   28 ++++++++++++++++++++++++++
 xinetd/child.c         |   52 +++++++++++++++++++++++++++++++++++++++++++++++++
 xinetd/confparse.c     |   23 +++++++++++++++++++++
 xinetd/main.c          |    5 +++-
 xinetd/nvlists.c       |    1 
 xinetd/sconf.h         |    2 +
 xinetd/xinetd.conf.man |    3 ++
 8 files changed, 114 insertions(+), 1 deletion(-)

Index: xinetd-2.3.14-label.patch
===================================================================
RCS file: /cvs/dist/rpms/xinetd/devel/xinetd-2.3.14-label.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- xinetd-2.3.14-label.patch	23 Aug 2006 22:17:33 -0000	1.1
+++ xinetd-2.3.14-label.patch	24 Aug 2006 18:30:45 -0000	1.2
@@ -1,6 +1,6 @@
 diff -urNp xinetd-2.3.14.orig/config.h.in xinetd-2.3.14/config.h.in
 --- xinetd-2.3.14.orig/config.h.in	2006-06-16 13:20:01.000000000 -0400
-+++ xinetd-2.3.14/config.h.in	2006-08-23 17:26:04.000000000 -0400
++++ xinetd-2.3.14/config.h.in	2006-08-24 14:20:38.000000000 -0400
 @@ -112,6 +112,7 @@
  /* Options */
  #undef HAVE_LIBWRAP
@@ -11,7 +11,7 @@
  
 diff -urNp xinetd-2.3.14.orig/configure.in xinetd-2.3.14/configure.in
 --- xinetd-2.3.14.orig/configure.in	2006-06-16 13:20:01.000000000 -0400
-+++ xinetd-2.3.14/configure.in	2006-08-23 17:26:04.000000000 -0400
++++ xinetd-2.3.14/configure.in	2006-08-24 14:20:38.000000000 -0400
 @@ -289,6 +289,34 @@ AC_ARG_WITH(libwrap,
  	AC_MSG_RESULT(no)
  )
@@ -49,7 +49,7 @@
  AC_CHECK_FUNCS(isatty)
 diff -urNp xinetd-2.3.14.orig/xinetd/child.c xinetd-2.3.14/xinetd/child.c
 --- xinetd-2.3.14.orig/xinetd/child.c	2006-06-16 13:20:01.000000000 -0400
-+++ xinetd-2.3.14/xinetd/child.c	2006-08-23 17:27:22.000000000 -0400
++++ xinetd-2.3.14/xinetd/child.c	2006-08-24 14:25:39.000000000 -0400
 @@ -31,6 +31,9 @@
  #ifdef HAVE_NETDB_H
  #include <netdb.h>
@@ -66,7 +66,7 @@
  
 +/* Local declarations */
 +#ifdef LABELED_NET
-+static int set_exec_context_from_socket( int fd );
++static int set_context_from_socket( int fd );
 +#endif
 +
 +
@@ -83,9 +83,9 @@
 +#ifdef LABELED_NET
 +   if (SC_LABELED_NET(scp))
 +   {
-+      if (set_exec_context_from_socket( descriptor ) < 0)
++      if (set_context_from_socket( descriptor ) < 0)
 +         msg( LOG_ERR, func,
-+             "Changing process context failed for %s", SC_NAME( scp )) ;
++             "Changing process context failed for %s", SC_ID( scp )) ;
 +         _exit( 1 ) ;
 +   }
 +#endif
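Review bot: The `_exit( 1 ) ;` on the new side of this hunk runs unconditionally: the inner `if (set_context_from_socket( descriptor ) < 0)` has no braces, so it guards only the `msg()` call, and every child of a LABELED service terminates before exec even when the context was set successfully. The indentation shows the intended fail-closed behaviour (abort the child when the peer context cannot be applied), which is the right choice, but the braces are needed for it to work: `if (set_context_from_socket( descriptor ) < 0) {` / `msg( LOG_ERR, func, "Changing process context failed for %s", SC_ID( scp )) ;` / `_exit( 1 ) ; }`. This revision only renames the helper and switches to SC_ID, so the defect is carried over from the previous patch revision. The enclosing function starts and ends outside the hunk.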
@@ -93,60 +93,76 @@
     (void) Sclose( descriptor ) ;
  
  #ifndef solaris
-@@ -461,3 +483,50 @@ void child_exit(void)
+@@ -461,3 +483,33 @@ void child_exit(void)
     }
  }
  
 +#ifdef LABELED_NET
-+static int get_context_from_socket(int fd, char *buffer, unsigned int *buflen)
++static int set_context_from_socket( int fd )
 +{
-+   const char *func = "get_context_from_socket" ;
++   const char *func = "set_context_from_socket" ;
++   security_context_t peer_context;
 +
-+   int retval = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buffer, buflen);
-+   
-+   if ( debug.on )
-+   {
-+     if (retval)
-+	msg( LOG_DEBUG, func, 
-+	     "error getting context of fd %d: %s", fd, strerror(errno));
-+     else
-+	msg( LOG_DEBUG, func, 
-+	     "got context for fd %d: %s", fd, buffer);
-+   }
-+     
-+   return retval;
-+}
-+
-+static int set_exec_context_from_socket( int fd )
-+{
-+   const char *func = "set_exec_context_from_socket" ;
-+
-+   char buffer[255];
-+   unsigned int buflen = 255;
-+
-+   if (get_context_from_socket(fd, buffer, &buflen))
++   if (getpeercon(fd, &peer_context) < 0)
 +      return -1;
 +
-+   int retval = setexeccon(buffer);
++   int retval = setexeccon(peer_context);
++   freecon( peer_context );
 +
 +   if (debug.on)
 +   {
 +      security_context_t current_exec_context;
-+      getexeccon( &current_exec_context );
++      if ( getexeccon( &current_exec_context ) == 0 ) {
 +
-+      msg( LOG_DEBUG, func, 
++         msg( LOG_DEBUG, func, 
 +	   "current security exec context now: %s", 
-+	   current_exec_context);
++	   current_exec_context ? current_exec_context : "unknown" );
 +
-+      freecon( current_exec_context );
++         freecon( current_exec_context );
++      } 
++      else
++         msg( LOG_DEBUG, func, "Error calling getexeccon: %m" );
 +   }
 +
 +   return retval;
 +}
 +#endif
+diff -urNp xinetd-2.3.14.orig/xinetd/confparse.c xinetd-2.3.14/xinetd/confparse.c
+--- xinetd-2.3.14.orig/xinetd/confparse.c	2006-06-16 13:20:01.000000000 -0400
++++ xinetd-2.3.14/xinetd/confparse.c	2006-08-24 14:20:38.000000000 -0400
+@@ -697,6 +697,29 @@ static status_e check_entry( struct serv
+          return( FAILED ) ;
+    }
+ 
++#ifdef LABELED_NET
++      if (SC_LABELED_NET(scp)) {
++         if ( SC_IS_INTERNAL( scp ) ) {
++            msg( LOG_ERR, func,
++               "Internal services cannot support labeled networking: %s",
++               SC_ID(scp) ) ;
++            return( FAILED ) ;
++         }
++         if ( SC_SOCKET_TYPE(scp) != SOCK_STREAM ) {
++            msg( LOG_ERR, func,
++               "Non-stream socket types cannot support labeled networking: %s",
++               SC_ID(scp) ) ;
++            return( FAILED ) ;
++         }
++         if ( SC_WAITS( scp ) ) {
++            msg( LOG_ERR, func,
++               "Tcp wait services cannot support labeled networking: %s",
++               SC_ID(scp) ) ;
++            return( FAILED ) ;
++         }
++      }
++#endif
++
+    if ( SC_IS_MUXCLIENT( scp ) ) 
+    {
+ 	   if ( !SC_IS_UNLISTED( scp ) )
 diff -urNp xinetd-2.3.14.orig/xinetd/main.c xinetd-2.3.14/xinetd/main.c
 --- xinetd-2.3.14.orig/xinetd/main.c	2006-06-16 13:20:01.000000000 -0400
-+++ xinetd-2.3.14/xinetd/main.c	2006-08-23 17:26:04.000000000 -0400
++++ xinetd-2.3.14/xinetd/main.c	2006-08-24 14:20:38.000000000 -0400
 @@ -80,7 +80,10 @@ int main( int argc, char *argv[] )
  #ifdef HAVE_DNSREGISTRATION
     "rendezvous "
@@ -161,7 +177,7 @@
     "options compiled in."
 diff -urNp xinetd-2.3.14.orig/xinetd/nvlists.c xinetd-2.3.14/xinetd/nvlists.c
 --- xinetd-2.3.14.orig/xinetd/nvlists.c	2006-06-16 13:20:01.000000000 -0400
-+++ xinetd-2.3.14/xinetd/nvlists.c	2006-08-23 17:26:04.000000000 -0400
++++ xinetd-2.3.14/xinetd/nvlists.c	2006-08-24 14:20:38.000000000 -0400
 @@ -47,6 +47,7 @@ const struct name_value service_flags[] 
        { "SENSOR",                     SF_SENSOR              },
        { "IPv4",                       SF_IPV4                },
@@ -172,7 +188,7 @@
  
 diff -urNp xinetd-2.3.14.orig/xinetd/sconf.h xinetd-2.3.14/xinetd/sconf.h
 --- xinetd-2.3.14.orig/xinetd/sconf.h	2006-06-16 13:20:01.000000000 -0400
-+++ xinetd-2.3.14/xinetd/sconf.h	2006-08-23 17:26:04.000000000 -0400
++++ xinetd-2.3.14/xinetd/sconf.h	2006-08-24 14:20:38.000000000 -0400
 @@ -58,6 +58,7 @@
  #define SF_SENSOR       9
  #define SF_IPV4         10
@@ -191,13 +207,13 @@
  #define SC_IS_INTERNAL( scp )    ( M_IS_SET( (scp)->sc_type, ST_INTERNAL ) )
 diff -urNp xinetd-2.3.14.orig/xinetd/xinetd.conf.man xinetd-2.3.14/xinetd/xinetd.conf.man
 --- xinetd-2.3.14.orig/xinetd/xinetd.conf.man	2006-06-16 13:20:01.000000000 -0400
-+++ xinetd-2.3.14/xinetd/xinetd.conf.man	2006-08-23 17:26:04.000000000 -0400
++++ xinetd-2.3.14/xinetd/xinetd.conf.man	2006-08-24 14:20:38.000000000 -0400
 @@ -145,6 +145,9 @@ Sets the service to be an IPv4 service (
  .B IPv6
  Sets the service to be an IPv6 service (AF_INET6), if IPv6 is available on the system.
  .TP
 +.B LABELED
-+The LABELED flag will tell xinetd to change the child processes SE Linux context to match that of the incoming connection as it starts the service.
++The LABELED flag will tell xinetd to change the child processes SE Linux context to match that of the incoming connection as it starts the service. This only works for external tcp non-waiting servers and is an error if applied to an internal, udp, or tcp-wait server.
 +.TP
  .B REUSE
  The REUSE flag is deprecated.  All services now implicitly use the REUSE flag.


Index: xinetd.spec
===================================================================
RCS file: /cvs/dist/rpms/xinetd/devel/xinetd.spec,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -r1.36 -r1.37
--- xinetd.spec	24 Aug 2006 00:14:28 -0000	1.36
+++ xinetd.spec	24 Aug 2006 18:30:45 -0000	1.37
@@ -4,7 +4,7 @@
 Summary: A secure replacement for inetd.
 Name: xinetd
 Version: 2.3.14
-Release: 4
+Release: 5
 License: Distributable (BSD-like)
 Group: System Environment/Daemons
 Epoch: 2
@@ -102,6 +102,9 @@
 %{_mandir}/*/*
 
 %changelog
+* Thu Aug 24 2006 Steve Grubb <sgrubb at redhat.com> 2:2.3.14-5
+- Revised labeled networking patch
+
 * Wed Aug 23 2006 Steve Grubb <sgrubb at redhat.com> 2:2.3.14-4
 - Added labeled networking patch
 



