rpms/policycoreutils/devel policycoreutils-1.30.10-audit-mass-relabel.patch, NONE, 1.1 policycoreutils-1.30.10-secon.patch, NONE, 1.1 policycoreutils.spec, 1.272, 1.273
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed May 24 18:08:35 UTC 2006
Author: jantill
Update of /cvs/dist/rpms/policycoreutils/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv8252
Modified Files:
policycoreutils.spec
Added Files:
policycoreutils-1.30.10-audit-mass-relabel.patch
policycoreutils-1.30.10-secon.patch
Log Message:
* Wed May 24 2006 James Antill <jantill at redhat.com> 1.30.10-2
- secon fixes for --self-exec etc.
- secon change from level => sensitivity, add clearance.
- Add mass relabel AUDIT patch, but disable it until kernel problem solved.
policycoreutils-1.30.10-audit-mass-relabel.patch:
Makefile | 1 +
setfiles.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++--
setfiles.c~ |only
3 files changed, 50 insertions(+), 2 deletions(-)
--- NEW FILE policycoreutils-1.30.10-audit-mass-relabel.patch ---
diff -ru policycoreutils-1.30.10-orig/setfiles/Makefile policycoreutils-1.30.10/setfiles/Makefile
--- policycoreutils-1.30.10-orig/setfiles/Makefile 2006-05-23 06:20:03.000000000 -0400
+++ policycoreutils-1.30.10/setfiles/Makefile 2006-05-24 12:25:58.000000000 -0400
@@ -7,6 +7,7 @@
CFLAGS = -Werror -Wall -W
override CFLAGS += -D_FILE_OFFSET_BITS=64 -I$(PREFIX)/include
LDLIBS = -lselinux -lsepol -L$(LIBDIR)
+LDLIBS += -laudit
all: setfiles
diff -ru policycoreutils-1.30.10-orig/setfiles/setfiles.c policycoreutils-1.30.10/setfiles/setfiles.c
--- policycoreutils-1.30.10-orig/setfiles/setfiles.c 2006-05-23 06:20:03.000000000 -0400
+++ policycoreutils-1.30.10/setfiles/setfiles.c 2006-05-24 12:28:37.000000000 -0400
@@ -75,6 +75,11 @@
#include <selinux/selinux.h>
#include <syslog.h>
#include <libgen.h>
+#include <libaudit.h>
+
+#ifndef AUDIT_FS_RELABEL
+#define AUDIT_FS_RELABEL 2309
+#endif
static int add_assoc = 1;
static FILE *outfile=NULL;
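Review bot: The fallback `#define AUDIT_FS_RELABEL 2309` bakes a kernel audit record type into setfiles whenever the installed libaudit header does not export it, so a build against an older audit-libs-devel silently emits records under a number that the running kernel or ausearch may not know — which may well be the "kernel problem" the log message alludes to. An `#ifndef` fallback for an ABI constant should at least name its authority, e.g. `/* fallback: must match AUDIT_FS_RELABEL in linux/audit.h; drop once audit-libs-devel exports it */`, or the build should stop with `#error` rather than guess.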
@@ -395,7 +400,7 @@
/* trim trailing /, if present */
len = strlen(rootpath);
- while ('/' == rootpath[len - 1])
+ while (len && ('/' == rootpath[len - 1]))
rootpath[--len] = 0;
rootpathlen = len;
}
@@ -443,11 +448,48 @@
return 0;
}
+static void maybe_audit_mass_relabel(int done_root, int errs)
+{
+ int audit_fd = -1;
+ int rc = 0;
+ static FILE *fp = NULL;
+
+ if (!fp) fp = fopen("/abcd", "a");
+ if (!fp) fp = stderr;
+
+ fprintf(fp, "\n\nSF-DBG: ----\nSF-DBG: %s: done_root=%d\n", __func__, done_root);
+ fprintf(fp, "SF-DBG: %s: errs=%d\n", __func__, errs);
+ fprintf(fp, "SF-DBG: %s: rootpath=%s\n", __func__, rootpath);
+ fprintf(fp, "SF-DBG: %s: force=%d\n", __func__, force);
+
+ if (!done_root) /* only audit a forced full relabel */
+ return;
+
+ audit_fd = audit_open();
+ fprintf(fp, "SF-DBG: %s: audit_fd=%d\n", __func__, audit_fd);
+
+ if (audit_fd < 0) {
+ fprintf(stderr, "Error connecting to audit system.\n");
+ exit(1);
+ }
+
+ rc = audit_log_user_message(audit_fd, AUDIT_FS_RELABEL,
+ "op=mass relabel", NULL, NULL, "/dev/console", !errs);
+ fprintf(fp, "SF-DBG: %s: rc=%d, errno=%d %s\n", __func__,
+ rc, errno, strerror(errno));
+ if (rc <= 0) {
+ fprintf(stderr, "Error sending audit message.\n");
+ // exit(1);
+ }
+ close(audit_fd);
+}
+
int main(int argc, char **argv)
{
struct stat sb;
int opt, rc, i;
-
+ int done_root = 0; /* have we processed the / directory as an arg */
+
memset(excludeArray,0, sizeof(excludeArray));
/* Validate all file contexts during matchpathcon_init. */
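Review bot: maybe_audit_mass_relabel ships with its debugging scaffolding still in place: it opens `/abcd` for append as root (falling back to stderr), writes rootpath and the audit fd into it, never closes it, and reads errno after an intervening fprintf, so the errno it prints may not be the one audit_log_user_message set. Because setfiles runs as root during a full relabel, that file is created at the filesystem root with umask-derived permissions and records the relabel arguments; even though the spec keeps this patch disabled, the debug output should be removed or compiled out before it is ever enabled. The error handling is also inconsistent: a failed audit_open() aborts the whole relabel with exit(1) while a failed send merely prints a message with `// exit(1)` commented out, and the socket is released with close() instead of audit_close(). The tty is hard-coded to "/dev/console", which misreports the terminal the relabel actually ran from; as far as I recall libaudit derives the tty itself when NULL is passed, which is worth confirming. main() begins in this hunk but its body continues past it.
```c
static void maybe_audit_mass_relabel(int done_root, int errs)
{
	int audit_fd;

	if (!done_root)	/* only audit a forced full relabel */
		return;

	audit_fd = audit_open();
	if (audit_fd < 0) {
		fprintf(stderr, "Error connecting to audit system.\n");
		exit(1);
	}

	/* result is 1 on a clean relabel, 0 if any path failed */
	if (audit_log_user_message(audit_fd, AUDIT_FS_RELABEL,
				   "op=mass relabel", NULL, NULL,
				   NULL /* let libaudit fill in the tty */,
				   !errs) <= 0)
		fprintf(stderr, "Error sending audit message.\n");
	audit_close(audit_fd);
}
```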
@@ -618,6 +660,8 @@
}
else for (; optind < argc; optind++)
{
+ done_root |= !strcmp(argv[optind], "/");
+
if (NULL != rootpath) {
qprintf("%s: labeling files, pretending %s is /\n",
argv[0], rootpath);
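Review bot: `done_root |= !strcmp(argv[optind], "/");` recognises a mass relabel only when the argument is the literal string "/", so `setfiles contexts //`, `/.` or `/./` walks the same tree without ever producing an audit record, and the hunk does not say whether a `-r rootpath` walk of "/" (a pretend root rather than the live filesystem) is meant to count. Until a normalised comparison is in place — the trailing-slash trim this patch adds for rootpath is a start — the limitation should be stated next to the check, e.g. `/* audit: only an exact "/" argument counts; "//" and "/." are not recognised as a full relabel */`. The surrounding for-loop body continues outside the hunk.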
@@ -648,6 +692,7 @@
fprintf(stderr,
"%s: error while labeling files under %s\n",
argv[0], argv[optind]);
+ maybe_audit_mass_relabel(done_root, 1);
exit(1);
}
}
@@ -664,6 +709,8 @@
matchpathcon_filespec_destroy();
}
+ maybe_audit_mass_relabel(done_root, 0);
+
if (warn_no_match)
matchpathcon_checkmatches(argv[0]);
Only in policycoreutils-1.30.10/setfiles: setfiles.c~
policycoreutils-1.30.10-secon.patch:
secon.c | 101 ++++++++++++++++++++++++++++++++++++++++++++--------------------
1 files changed, 70 insertions(+), 31 deletions(-)
--- NEW FILE policycoreutils-1.30.10-secon.patch ---
diff -ru policycoreutils-1.30.10-orig/secon/secon.c policycoreutils-1.30.10/secon/secon.c
--- policycoreutils-1.30.10-orig/secon/secon.c 2006-05-23 06:20:02.000000000 -0400
+++ policycoreutils-1.30.10/secon/secon.c 2006-05-24 13:33:22.000000000 -0400
@@ -35,17 +35,18 @@
struct
{
- unsigned int disp_user : 1;
- unsigned int disp_role : 1;
- unsigned int disp_type : 1;
- unsigned int disp_level : 1;
- unsigned int disp_mlsr : 1;
+ unsigned int disp_user : 1;
+ unsigned int disp_role : 1;
+ unsigned int disp_type : 1;
+ unsigned int disp_sen : 1;
+ unsigned int disp_clr : 1;
+ unsigned int disp_mlsr : 1;
- unsigned int disp_raw : 1;
+ unsigned int disp_raw : 1;
unsigned int disp_prompt : 1; /* no return, use : to sep */
- unsigned int from_type : 9; /* 16 bits */
+ unsigned int from_type : 8; /* 16 bits, uses 4 bits */
union
{
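Review bot: The comment on `from_type : 8` — `/* 16 bits, uses 4 bits */` — reads as if the field itself were 16 bits wide; what it apparently means is that the eight one-bit flags above plus this field pack into 16 bits, and that the OPTS_FROM_* values need only 4 of them. Saying so explicitly keeps the next reader from "fixing" the width, e.g. `/* OPTS_FROM_* value (fits in 4 bits); 8 flag bits + 8 here = 16 bits total */`. The struct definition continues past the hunk.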
@@ -54,7 +55,7 @@
const char *link;
const char *arg;
} f;
-} opts[1] = {{FALSE, FALSE, FALSE, FALSE, FALSE,
+} opts[1] = {{FALSE, FALSE, FALSE, FALSE, FALSE, FALSE,
FALSE, FALSE, OPTS_FROM_ARG, {0}}};
@@ -62,16 +63,17 @@
{
fprintf(exit_code ? stderr : stdout,
" Usage: %s [-%s] [ context | - ]\n"
-" --help -h Show this message.\n"
-" --version -V Show the version.\n"
-" --prompt -P Output in a format good for a prompt.\n"
-" --user -u Show the user of the context.\n"
-" --role -r Show the role of the context.\n"
-" --type -t Show the type of the context.\n"
-" --level -l Show the sensitivity level of the context.\n"
-" --mls-range -m Show the sensitivity level and clearance of \n"
+" --help -h Show this message.\n"
+" --version -V Show the version.\n"
+" --prompt -P Output in a format good for a prompt.\n"
+" --user -u Show the user of the context.\n"
+" --role -r Show the role of the context.\n"
+" --type -t Show the type of the context.\n"
+" --sensitivity -s Show the sensitivity level of the context.\n"
+" --clearance -c Show the clearance level of the context.\n"
+" --mls-range -m Show the sensitivity to clearance range of \n"
" the context.\n"
-" --raw -R Show the context in \"raw\" format.\n"
+" --raw -R Show the context in \"raw\" format.\n"
" --current Get the context for the current process.\n"
" --self Get the context for the current process.\n"
" --self-exec Get the exec context for the current process.\n"
@@ -113,7 +115,8 @@
num += opts->disp_user;
num += opts->disp_role;
num += opts->disp_type;
- num += opts->disp_level;
+ num += opts->disp_sen;
+ num += opts->disp_clr;
num += opts->disp_mlsr;
return (num);
@@ -143,8 +146,10 @@
{"user", no_argument, NULL, 'u'},
{"role", no_argument, NULL, 'r'},
{"type", no_argument, NULL, 't'},
- {"level", no_argument, NULL, 'l'},
+ {"level", no_argument, NULL, 'l'}, /* compat. */
+ {"sensitivity", no_argument, NULL, 's'},
{"range", no_argument, NULL, 'm'},
+ {"clearance", no_argument, NULL, 'c'},
{"mls-range", no_argument, NULL, 'm'},
{"raw", no_argument, NULL, 'R'},
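Review bot: The new `--sensitivity` and `--clearance` entries map to the short values 's' and 'c', but the short-option string handed to getopt_long (the `%s` in the usage text) is not touched anywhere in this patch, so unless it already contains "sc", the `-s` and `-c` forms advertised in the usage will be rejected while the long forms work. The `--level` entry is kept for compatibility but no longer documented, which is reasonable for a deprecated alias; a comment such as `/* compat.: undocumented alias for --sensitivity */` would make that intent explicit. The option table begins before this hunk.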
@@ -184,11 +189,13 @@
" %s version %s.\n", program_name, VERSION);
exit (EXIT_SUCCESS);
- case 'u': done = TRUE; opts->disp_user = !opts->disp_user; break;
- case 'r': done = TRUE; opts->disp_role = !opts->disp_role; break;
- case 't': done = TRUE; opts->disp_type = !opts->disp_type; break;
- case 'l': done = TRUE; opts->disp_level = !opts->disp_level; break;
- case 'm': done = TRUE; opts->disp_mlsr = !opts->disp_mlsr; break;
+ case 'u': done = TRUE; opts->disp_user = !opts->disp_user; break;
+ case 'r': done = TRUE; opts->disp_role = !opts->disp_role; break;
+ case 't': done = TRUE; opts->disp_type = !opts->disp_type; break;
+ case 'l': done = TRUE; opts->disp_sen = !opts->disp_sen; break;
+ case 's': done = TRUE; opts->disp_sen = !opts->disp_sen; break;
+ case 'c': done = TRUE; opts->disp_clr = !opts->disp_clr; break;
+ case 'm': done = TRUE; opts->disp_mlsr = !opts->disp_mlsr; break;
case 'P': opts->disp_prompt = !opts->disp_prompt; break;
@@ -235,9 +242,11 @@
opts->disp_user = TRUE;
opts->disp_role = TRUE;
opts->disp_type = TRUE;
- if (!opts->disp_prompt) /* when displaying prompt,
- just output "normal" by default */
- opts->disp_level = TRUE;
+ if (!opts->disp_prompt)
+ { /* when displaying prompt, just output "normal" by default */
+ opts->disp_sen = TRUE;
+ opts->disp_clr = TRUE;
+ }
opts->disp_mlsr = TRUE;
}
@@ -459,13 +468,24 @@
{
context_t con = NULL;
+ if (!*scon)
+ { /* --self-exec and --self-fs etc. */
+ if (opts->disp_user) disp__con_val("user", NULL);
+ if (opts->disp_role) disp__con_val("role", NULL);
+ if (opts->disp_type) disp__con_val("type", NULL);
+ if (opts->disp_sen) disp__con_val("sensitivity", NULL);
+ if (opts->disp_clr) disp__con_val("clearance", NULL);
+ if (opts->disp_mlsr) disp__con_val("mls-range", NULL);
+ return;
+ }
+
if (!(con = context_new(scon)))
- errx(EXIT_FAILURE, "Couln't create context from: %s", scon);
+ errx(EXIT_FAILURE, "Couldn't create context from: %s", scon);
if (opts->disp_user) disp__con_val("user", context_user_get(con));
if (opts->disp_role) disp__con_val("role", context_role_get(con));
if (opts->disp_type) disp__con_val("type", context_type_get(con));
- if (opts->disp_level)
+ if (opts->disp_sen)
{
const char *val = NULL;
char *tmp = NULL;
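Review bot: The new `if (!*scon)` guard dereferences scon before checking it, so if the caller passes NULL for an unset exec or fscreate context — as far as I recall the libselinux getexeccon() family reports "no context set" exactly that way — secon crashes where the guard was meant to help; `if (!scon || !*scon)` covers both representations at no cost. The branch also hands NULL to disp__con_val for every field, which is only safe if that helper tolerates a NULL value; it is not visible here and worth confirming. The enclosing display function starts before this hunk.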
@@ -476,10 +496,29 @@
tmp = strdup(val);
if (!tmp)
- errx(EXIT_FAILURE, "Couln't create context from: %s", scon);
+ errx(EXIT_FAILURE, "Couldn't create context from: %s", scon);
if (strchr(tmp, '-')) *strchr(tmp, '-') = 0;
- disp__con_val("level", tmp);
+ disp__con_val("sensitivity", tmp);
+
+ free(tmp);
+ }
+ if (opts->disp_clr)
+ {
+ const char *val = NULL;
+ char *tmp = NULL;
+
+ val = context_range_get(con);
+ if (!val) val = ""; /* targeted has no "level" etc.,
+ any errors should happen at context_new() time */
+
+ tmp = strdup(val);
+ if (!tmp)
+ errx(EXIT_FAILURE, "Couldn't create context from: %s", scon);
+ if (strchr(tmp, '-'))
+ disp__con_val("clearance", strchr(tmp, '-') + 1);
+ else
+ disp__con_val("clearance", tmp);
free(tmp);
}
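Review bot: The clearance branch copies the whole range with strdup only to point past the '-', and reports a failed allocation as `Couldn't create context from: %s`, which sends the user looking at their context string rather than at memory; since nothing in the copy is modified, `const char *dash = strchr(val, '-');` followed by `disp__con_val("clearance", dash ? dash + 1 : val);` does the same with no allocation and no misleading failure path. The sensitivity branch above does need a terminated prefix, but it could use strndup(val, dash - val) and `err(EXIT_FAILURE, "strdup")` for the same reason. The enclosing function begins before and continues after this hunk.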
Index: policycoreutils.spec
===================================================================
RCS file: /cvs/dist/rpms/policycoreutils/devel/policycoreutils.spec,v
retrieving revision 1.272
retrieving revision 1.273
diff -u -r1.272 -r1.273
--- policycoreutils.spec 23 May 2006 10:40:38 -0000 1.272
+++ policycoreutils.spec 24 May 2006 18:08:17 -0000 1.273
@@ -5,11 +5,13 @@
Summary: SELinux policy core utilities.
Name: policycoreutils
Version: 1.30.10
-Release: 1
+Release: 2
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
Patch: policycoreutils-rhat.patch
+Patch2: policycoreutils-1.30.10-secon.patch
+Patch3: policycoreutils-1.30.10-audit-mass-relabel.patch
BuildRequires: pam-devel libsepol-devel >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel
Requires: /bin/mount /bin/egrep /bin/awk /usr/bin/diff
@@ -37,6 +39,8 @@
%prep
%setup -q
%patch -p1 -b .rhat
+%patch2 -p1 -b .secon
+#patch3 -p1 -b .amr
%build
make LOG_AUDIT_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags}" all
@@ -110,6 +114,11 @@
[ -x /sbin/service ] && /sbin/service restorecond condrestart
%changelog
+* Wed May 24 2006 James Antill <jantill at redhat.com> 1.30.10-2
+- secon fixes for --self-exec etc.
+- secon change from level => sensitivity, add clearance.
+- Add mass relabel AUDIT patch, but disable it until kernel problem solved.
+
* Tue May 24 2006 Dan Walsh <dwalsh at redhat.com> 1.30.10-1
- Update to upstream
* Merged patch with updates to audit2allow, secon, genhomedircon,