ef1637b55c27d818b9d7c7b09221f5d20258248a |
23-Apr-2015 |
Steve Lawrence <slawrence@tresys.com> |
Update libsemanage ChangeLog
ChangeLog
|
f5c226810dded166fc996afa4bdaf03958e39e18 |
22-Apr-2015 |
Jason Zaman <jason@perfinion.com> |
libsemanage: do not copy contexts in semanage_migrate_store

The modules from the old store were previously copied to the new one using setfscreatecon and shutil.copy2(). Now that refpolicy has rules about the new policy location[1], copying the contexts is redundant. More importantly, the setfscreatecon caused a constraint violation[2] which made the migration fail.

In python3, shutil.copy2() copies xattrs as well which again causes problems. shutil.copy() is enough for our needs here as it will copy the file and permissions in both py2 and 3. We do not need the extra things that copy2() does (mtime, xattr, etc).

[1] http://oss.tresys.com/pipermail/refpolicy/2014-December/007511.html
[2] type=AVC msg=audit(1429438272.872:1869): avc: denied { create } for pid=28739 comm="semanage_migrat" name="strict" scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:semanage_store_t tclass=dir permissive=0
    constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
    allow semanage_t semanage_store_t:dir create;

Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>

Changes from v1:
- Changed some methods to not take a src param anymore.
utils/semanage_migrate_store
|
de4f82bb7ffb593b27952fcbed2a332d3bd5597b |
21-Apr-2015 |
Steve Lawrence <slawrence@tresys.com> |
Move ChangeLog entry to the correct project
ChangeLog
|
6f79e5ed9e5904ec2540045a1ccfb290bc92ac91 |
21-Apr-2015 |
Steve Lawrence <slawrence@tresys.com> |
Update libselinux ChangeLog
ChangeLog
|
072bb765a1cb6960d99bc06b01228a55f380d4fe |
19-Mar-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
Update libsemanage ChangeLog.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ChangeLog
|
a4e290e425a6e528111df6281c8ddbbd83d70640 |
19-Mar-2015 |
Thomas Hurd <thurd@tresys.com> |
libsemanage: Fix logic in bunzip for uncompressed pp files

Unconditionally check the magic number before BZ2_bzReadOpen() instead of only when bzip_blocksize=0, since it falls through. That way if the file is not compressed it will return immediately and map_file can mmap it. If the file is compressed then it will go through the BZ2 functions and any errors will be reported correctly.

This fixes 0afd5de5c1edb4de2cc5e0e2e2e89551c90534fc so that a bz2 error isn't reported when an uncompressed pp is installed successfully.

Signed-off-by: Thomas Hurd <thurd@tresys.com>
src/direct_api.c
|
3057bcf6a012fff3ef86e05e6f5065138898d649 |
18-Mar-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
Update ChangeLogs.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ChangeLog
|
b6d5805c7ad4bfa6d0544a21084e8ec1a47d7391 |
16-Mar-2015 |
Petr Lautrbach <plautrba@redhat.com> |
libsemanage: fix fname[] initialization in test_utilities.c

There's no guarantee that the last item in "char fname[]" will be a null character. Fixes segfault on some systems:

  Test: semanage_nc_sort ...passed
  test_semanage_findval: : Invalid argument
  libsemanage-tests: TestRun.c:160: CU_assertImplementation: Assertion `((void *)0) != f_pCurTest' failed.
  make[1]: *** [test] Aborted (core dumped)

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
tests/test_utilities.c
|
8a9978727d6561e57aca269d38aae26ad9485850 |
18-Feb-2015 |
Steve Lawrence <slawrence@tresys.com> |
libsemanage: use the new CIL API

- Do not pass in the policydb where not necessary
- Tell CIL what policy version and target platform to use when building the policydb

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
src/direct_api.c
|
13d502d5f1f97a37bdebbda32fb98bfe4d8b1ae2 |
27-Feb-2015 |
Steve Lawrence <slawrence@tresys.com> |
Update libsemanage ChangeLog
ChangeLog
|
432077b4dda7baa15b6daa1458759e674d398fa3 |
26-Feb-2015 |
Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> |
libsemanage: Fix memory leaks when parsing semanage.conf

- Free args as they are parsed and strdup args when necessary. Memory used for lex initialization is now freed using yylex_destroy().
- Add noyywrap option to flex. This is the correct way to make the scanner not call yywrap upon an end of file. Before, we were overriding the function and returning 1.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
src/conf-parse.y
src/conf-scan.l
|
057197c69aaa36cf28694517151479de8ebb3c4c |
26-Feb-2015 |
Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> |
libsemanage: Add option to remove HLL files after compilation

This adds a 'remove-hll' option to semanage.conf. If set to 'true', all HLL files will be removed from the SELinux store after successfully building the SELinux modules. The default for this option is 'false'.

In order to delete already compiled HLL files, the modules need to be recompiled with the ignore-module-cache option.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
man/man5/semanage.conf.5
src/conf-parse.y
src/conf-scan.l
src/direct_api.c
src/semanage_conf.h
|
65ed2793227a98978aab4d90f44b4fbaa6d48ddf |
26-Feb-2015 |
Steve Lawrence <slawrence@tresys.com> |
Update libsemanage ChangeLog
ChangeLog
|
0afd5de5c1edb4de2cc5e0e2e2e89551c90534fc |
26-Feb-2015 |
Thomas Hurd <thurd@tresys.com> |
libsemanage: Change bunzip to use heap instead of stack for buffer.

Fixes segfault on systems with less than 256K stack size. After change, I was able to run semodule -l with a 32K stack size.

Additionally, fix potential memory leak on realloc failure.

Signed-off-by: Thomas Hurd <thurd@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
src/direct_api.c
|
f0c9966f881211dcde89cfcad93f0360a71f959a |
02-Feb-2015 |
Steve Lawrence <slawrence@tresys.com> |
Bump to final release
ChangeLog
VERSION
|
823ebc8c6b89cb6531fcd943ddb8059bd8743dd9 |
02-Dec-2014 |
Steve Lawrence <slawrence@tresys.com> |
Bump to release candidate 7
ChangeLog
VERSION
|
f21b2e138ca576de280716e9fed5ac75efd0acf4 |
02-Dec-2014 |
Steve Lawrence <slawrence@tresys.com> |
libsemanage: ensure migrated files have the correct types

All files in /var/lib/selinux/ are now labeled the same as those in /etc/selinux/<store>/modules/active, which in refpolicy is semanage_store_t.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
utils/semanage_migrate_store
|
b817a523c4ae852c911d3d8a18fafbaca44f1165 |
24-Nov-2014 |
Steve Lawrence <slawrence@tresys.com> |
libsemanage: close hll file descriptors

Stops leaking of file descriptors to things like load_policy and setfiles.

Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
src/direct_api.c
|
877acdb31ff4261f0fcd03a8fb9ada76703802f3 |
19-Nov-2014 |
Jason Zaman <jason@perfinion.com> |
semanage_migrate_store: Python3 support

Mainly used the 2to3 conversion tool. Also added in a __future__ import so that the script continues to work on Python 2.

Tested on 2.7, 3.3, 3.4. Should work on 2.6 too but untested.

Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
utils/semanage_migrate_store
|
07e75a9cc711b46e4c691defbb570624d2c5b2d7 |
12-Nov-2014 |
Steve Lawrence <slawrence@tresys.com> |
Bump to release candidate 6
ChangeLog
VERSION
|
d1db56c52bf35039f37e809ae74052c484158874 |
29-Oct-2014 |
Steve Lawrence <slawrence@tresys.com> |
Bump to release candidate 5
ChangeLog
VERSION
|
dee40ec1f878b770eb346c7c4f494ea47577a3ac |
20-Oct-2014 |
Steve Lawrence <slawrence@tresys.com> |
libsemanage: install to LIBDIR instead of SHLIBDIR

The libsemanage Makefile currently installs libsemanage.so.1 into SHLIBDIR, but links libsemanage.so to libsemanage.so.1 in LIBDIR. This means things will only work if SHLIBDIR and LIBDIR are the same. Fortunately, by default, they are the same because the default of SHLIBDIR is set to PREFIX/lib (same as LIBDIR default) instead of the standard DESTDIR/lib. Unfortunately, if a user overrides SHLIBDIR, by doing something like the following:

  make DESTDIR=~/tmp/ LIBDIR=~/tmp/usr/lib SHLIBDIR=~/tmp/lib install

then a broken symlink is created. Note that in some cases this may still work even when SHLIBDIR and LIBDIR are not the same, e.g.:

  make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install

But this only works because, in systems like Fedora, /lib is a symlink to /usr/lib, so SHLIBDIR and LIBDIR are the same even though it doesn't immediately look like it.

This patch changes the libsemanage Makefile to set the default value of SHLIBDIR to the standard DESTDIR/lib to prevent confusion, and installs libsemanage to LIBDIR and completely ignores SHLIBDIR.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
src/Makefile
|
6280387034812da544cd8b13dbdc91078af7d731 |
06-Oct-2014 |
Steve Lawrence <slawrence@tresys.com> |
Bump to release candidate 4
ChangeLog
VERSION
|
ff5bbe6dcf79fc074b1379bed5cc5fdb32ede8aa |
01-Oct-2014 |
Steve Lawrence <slawrence@tresys.com> |
Bump VERSION/ChangeLog for release candidate 3

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
ChangeLog
VERSION
|
c4a4a1a7ed42c167a7d4bae06a1fffa8c6c9cb8d |
14-Sep-2014 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
Fix gcc -Wstrict-prototypes warnings

In C, defining a function with () means "any number of parameters", not "no parameter". Use (void) instead where applicable and add unused parameters when needed.

Acked-by: Steve Lawrence <slawrence@tresys.com>
src/conf-parse.y
|
b8b0d7fa8ad38104ec017fd2b4d41bc5e4845f3c |
14-Sep-2014 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
libsemanage: fix gcc -Wwrite-strings warnings

Acked-by: Steve Lawrence <slawrence@tresys.com>
src/conf-parse.y
src/utilities.c
src/utilities.h
|
81f17737e76aad8eada653b23f00e2f288fa679c |
14-Sep-2014 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
libsemanage: constify name and ext_lang parameters of semanage_module_install_hll

This fixes a warning from "gcc -Wwrite-strings", when semanage_module_install_hll is called with "pp" as last parameter.

Acked-by: Steve Lawrence <slawrence@tresys.com>
src/direct_api.c
src/modules.c
src/modules.h
src/policy.h
|
9a6091479d04c4b8ee45c36c527abbd0310a88f9 |
14-Sep-2014 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
libsemanage: Fix use of uninitialized variable

"gcc -O2 -Wall -Werror" fails to compile seusers_local.c:

  seusers_local.c: In function 'semanage_seuser_modify_local':
  seusers_local.c:122:6: error: 'rc' may be used uninitialized in this function [-Werror=maybe-uninitialized]

It seems rc is not initialized when the call to semanage_seuser_clone fails in semanage_seuser_modify_local.

Acked-by: Steve Lawrence <slawrence@tresys.com>
src/seusers_local.c
|
213c3189d058ca512ff92552414f6ece1c5362e2 |
27-Aug-2014 |
Steve Lawrence <slawrence@tresys.com> |
Bump versions for r2

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
ChangeLog
VERSION
|
8f9d3a7c95249116473b8d9d56f0a040e231a83c |
26-Aug-2014 |
Steve Lawrence <slawrence@tresys.com> |
Fix typos in ChangeLog and Versions
ChangeLog
|
79fd2d06abf2e6e4e566e5fc57ae7a44e0b5dc7e |
26-Aug-2014 |
Steve Lawrence <slawrence@tresys.com> |
Bump versions and update ChangeLog

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
ChangeLog
VERSION
|
5e75b96e91534ae37405e1e417f4627f1e47d5c2 |
03-Apr-2014 |
Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> |
libsemanage: add the ability to set an alternative root path for store

Allow an alternative selinux store root path to be used. The option can be set in semanage.conf as store_root. If no option is provided, the default path for the store_root is "/var/lib/selinux".

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
include/semanage/handle.h
man/man5/semanage.conf.5
src/conf-parse.y
src/conf-scan.l
src/direct_api.c
src/handle.c
src/libsemanage.map
src/semanage_conf.h
src/semanage_store.c
src/semanage_store.h
|
cae4a4c951aa19b2717254d76deeb986af466238 |
07-Feb-2014 |
Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> |
libsemanage: add support for HLL to CIL compilers

An HLL to CIL compiler must exist in the compiler_directory path which is configurable in semanage.conf. By default, this path is /usr/libexec/selinux/hll/. The compiler name needs to match the HLL language extension. For example, for pp files, /usr/libexec/selinux/hll/pp must exist.

The HLL infrastructure uncompresses the HLL module and pipes the data to the appropriate CIL compiler. The output CIL from the compiler is read from another pipe, compressed, and saved to the module store as a cached CIL file. This file will be used on all subsequent policy builds, unless a new module is installed with the same name at the same priority, at which point the cache is deleted and is subsequently rebuilt and cached.

A new option is added to semanage.conf, ignore_cache, which if set to true will cause the cached CIL files to be ignored and all HLL files to be recompiled and the resulting CIL to be recached.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
include/semanage/handle.h
man/man5/semanage.conf.5
src/conf-parse.y
src/conf-scan.l
src/direct_api.c
src/handle.c
src/libsemanage.map
src/modules.c
src/semanage_conf.h
src/semanage_store.c
src/semanage_store.h
|
6d4e8591a336bb63ac406c7570d056fc92a5b826 |
24-Dec-2009 |
Caleb Case <ccase@tresys.com> |
libsemanage: semanage store migration script

We created a migration script to ease the burden of transition from the old libsemanage store layout to the new. The script will detect all the stores in /etc/selinux using the old layout and convert them to the new layout in /var/lib/selinux. It also allows you to specify the default priority to use with -p and store to operate on with -s. After migration the script by default will leave the old store unchanged, but can be told to remove the old modules directory with -c. Reloading policy post migration can be disabled with the -n option.

Examples:

  semanage_migrate_store
    Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
    Attempting to rebuild policy from /var/lib/selinux

  semanage_migrate_store -s targeted
    Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
    Attempting to rebuild policy from /var/lib/selinux

  semanage_migrate_store -p 150
    Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
    Attempting to rebuild policy from /var/lib/selinux

Signed-off-by: Chad Sellers <csellers@tresys.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Makefile
utils/Makefile
utils/semanage_migrate_store
|
ddaa6e6ecac1f0e99905b143c1c25178fe344d7f |
17-Nov-2011 |
Steve Lawrence <slawrence@tresys.com> |
libsemanage: use libcil for compiling modules

Also finally removes the concept of a "base" module and special "_base" handling.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
src/direct_api.c
src/modules.c
src/semanage_store.c
src/semanage_store.h
|
d5bcc2285f7a4a739f1b38eeb66d345c3427b1b3 |
14-Oct-2011 |
Steve Lawrence <slawrence@tresys.com> |
libsemanage: update install functions to support CIL

With CIL, the filename and language extension are no longer stored in the modules themselves like with pp files. So parse this information from the filename when given a file to install, and require the information be passed when just data. Symbolic versioning is used to maintain ABI compatibility with the old install functions. API compatibility is not maintained.

Also, remove version from the module info struct and the semanage_module_info_{get,set}_version functions. These functions have not been part of an official release, so removing them without providing ABI/API compatibility should not break anything.

Because versioning is removed, semanage_module_upgrade can no longer perform the necessary checks to ensure an old module is not overriding a newer module. So, this just removes the upgrade functions from the API. Functions are added to maintain ABI compatibility, which call the install functions.

Also, CIL has no concept of a base module, so remove the notion of a base module, including the API functions semanage_module_base_install and related functions. To maintain ABI compatibility, functions are added which call the new install functions, thus treating base modules as if they are normal modules.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
include/semanage/modules.h
src/direct_api.c
src/libsemanage.map
src/module_internal.h
src/modules.c
src/modules.h
src/policy.h
src/pywrap-test.py
src/semanage_store.c
src/semanageswig_python.i
|
c654ca1cf4e872e5d84bcd3fe7168e7f5f5400df |
13-Oct-2011 |
Steve Lawrence <slawrence@tresys.com> |
libsemanage: add target-platform option to semanage.conf

The target platform used to come from the base module. However, CIL has no concept of a base module or a target platform. This adds an option to semanage.conf (target-platform) to control how policies should be built.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
man/man5/semanage.conf.5
src/conf-parse.y
src/conf-scan.l
src/semanage.conf
src/semanage_conf.h
|
8da5b141e37fe2115d0a06c9a15965a0b8adf62a |
10-Nov-2011 |
Steve Lawrence <slawrence@tresys.com> |
libsemanage: rewrite semanage_direct_list to not assume binary modular policies

Rather than getting the list of pp modules and parsing their headers to get the name, use the new source policy functions to get the necessary information from the module store.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
src/direct_api.c
src/semanage_store.c
src/semanage_store.h
|
c35678eb6dd8ba0ad289617a359ab080a6dc03d8 |
22-Nov-2011 |
Steve Lawrence <slawrence@tresys.com> |
libsemanage: add back support for semanage_set_root using the new source policy infrastructure

Removed in commits:
- Revert "libsemanage: introduce semanage_set_root and friends"
- Revert "libsemanage: Alternate path for semanage.conf"
- Revert "libsemanage: Use default semanage.conf as a fallback"

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
include/semanage/handle.h
man/man3/semanage_set_root.3
man/man5/semanage.conf.5
src/handle.c
src/handle_internal.h
src/libsemanage.map
src/semanage_store.c
src/semanage_store.h
|
9fbc6d14418f4d817cc6f3f4aa8c4288753f7d39 |
13-Jun-2014 |
Steve Lawrence <slawrence@tresys.com> |
libsemanage: add back original module enable/disable functions for ABI compatibility

This uses symbolic versioning to maintain ABI compatibility with the old versions of semanage_module_get_enabled. Also to maintain ABI, the functions semanage_module_{enable,disable} are added back and modified to call the new semanage_module_set_enabled function.

Removed in commits:
- Revert "Last attempt at upstreaming semodule_disable patch."
- Revert "fixes to commit 847d27b8385ce77ac71df8aa58a2d298b33d1ea4"
- Revert "libsemanage: change module disabled from rename to symlink"
- Revert "libsemanage: Cleanup/fix enable/disable/remove module."

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
src/libsemanage.map
src/module_internal.h
src/modules.c
|
1875c85d5bafc42bfa39d1d9fbe7be2fc0a4e133 |
24-Dec-2009 |
Caleb Case <ccase@tresys.com> |
libsemanage: add functions to public api

include/semanage/handle.h
  * Exports the handle get/set default priority functions.

include/semanage/module.h
  * Exports the module info management functions.
  * Exports the get/set enabled status functions.
  * Exports the module key management functions.
  * Exports the module install, upgrade, remove info/key functions.

include/semanage/semanage.h

This patch includes the modifications to the map file for exporting the necessary functions.

Examples:

  /* changing the default priority for a distro install */
  semanage_set_default_priority(sh, 100);

  /* creating module meta data */
  semanage_module_info_t *modinfo = NULL;
  semanage_module_info_create(sh, &modinfo);

  /* filling in that data */
  semanage_module_info_set_priority(
      sh, modinfo, semanage_get_default_priority(sh));
  semanage_module_info_set_name(sh, modinfo, "mymodule");
  semanage_module_info_set_version(sh, modinfo, "0.1.2");
  semanage_module_info_set_lang_ext(sh, modinfo, "pp");
  semanage_module_info_set_enabled(sh, modinfo, -1);
  /* Sets enabled to default:
   * If the module was already enabled/disabled
   * then it will remain so after install.
   * If it wasn't, then it will be enabled.
   */

  /* install the module */
  semanage_module_install_info(sh, modinfo, data, data_len);

  /* cleanup modinfo */
  semanage_module_info_destroy(sh, modinfo);

  /* create a key for retrieving a module's meta data */
  semanage_module_key_t *modkey = NULL;
  semanage_module_key_create(sh, &modkey);

  /* Only set the module name, this will find the highest
   * priority module of that name.
   */
  semanage_module_key_set_name(sh, modkey, "mymodule");

  /* get the newly installed module */
  semanage_module_get_module_info(sh, modkey, &modinfo);

  /* get the priority of the module found */
  uint16_t priority = 0;
  semanage_module_info_get_priority(sh, modinfo, &priority);

  /* set the priority in the key to the one found */
  semanage_module_key_set_priority(sh, modkey, priority);

  /* remove the highest priority module with the name "mymodule" */
  semanage_module_remove_key(sh, modkey);

  /* print all the modules installed */
  semanage_module_info_t *modinfos = NULL;
  int modinfos_len = 0;
  semanage_module_list_all(sh, &modinfos, &modinfos_len);

  char *name = NULL;
  int i = 0;
  for (i = 0; i < modinfos_len; i++) {
      semanage_module_info_get_priority(
          sh, semanage_module_list_nth(modinfos, i), &priority);
      semanage_module_info_get_name(
          sh, semanage_module_list_nth(modinfos, i), &name);
      printf("%d\t%s\n", priority, name);
  }

Signed-off-by: Chad Sellers <csellers@tresys.com>
include/semanage/handle.h
include/semanage/modules.h
src/libsemanage.map
src/module_internal.h
src/modules.c
src/modules.h
src/semanageswig_python.i
|
bb5121efbde783ed8216a17cfc0cb23b47e7874f |
24-Dec-2009 |
Caleb Case <ccase@tresys.com> |
libsemanage: installing/removing modules via info and key

These functions install/remove modules based on the module info/key. The motivation for these interfaces is to provide the additional information about a module (version, language, and enabled status) at install time and also to separate the meta-data in preparation for supporting source policies.

This patch combines the implementations of all the install/remove functions to use the semanage_direct_install_info and semanage_direct_remove_key functions. The motivation here is to reduce the amount of duplicate installation code (for example, semanage_direct_install and semanage_direct_install_file have separate but similar implementations).

With this patch the transition from the old store layout to the new one is finished. This is accomplished mostly through the modification of install functions and semanage_get_modules_names.

Signed-off-by: Chad Sellers <csellers@tresys.com>
src/direct_api.c
src/modules.c
src/modules.h
src/policy.h
src/semanage_store.c
src/semanage_store.h
|
f2c4e796af114de7c2776a7070b01687b416b7c7 |
24-Dec-2009 |
Caleb Case <ccase@tresys.com> |
libsemanage: provide function to get new base module path

The base module is being moved in with the other modules so that it can benefit from the priority framework. This patch provides a utility function for getting the highest priority base module path.

Signed-off-by: Chad Sellers <csellers@tresys.com>
src/semanage_store.c
src/semanage_store.h
|
d4048fa52268183cdd9a874e1178e17b25338765 |
24-Dec-2009 |
Caleb Case <ccase@tresys.com> |
libsemanage: get/set module info and enabled status

This provides the functions for enabling/disabling modules via a semanage_module_key_t and getting/setting module info.

Enabled/disabled status is indicated by the presence of an empty file in the disabled directory:

  /var/lib/selinux/<policy type>/disabled/<module name>

The presence of a file there indicates that the module is disabled at all priorities. Enable/disabling of modules is done across all priorities simultaneously to avoid confusion that would likely arise from per priority settings.

semanage_module_get_module_info gathers up the on disk information about a module indicated by the module key and puts the information into module info. In order to facilitate an easy mechanism for getting the highest priority module of a given name, the key's priority value may be 0 and the highest priority module with the given name will be located.

semanage_direct_set_module_info is a helper function that writes module info to disk. The unused attribute is used to suppress warnings for compilation and is removed in the module install patch later in the series.

semanage_module_list_all behaves similar to semanage_module_list except it returns all modules at all priorities. semanage_module_list will only include the highest priority, enabled, non-base modules (this is its current behavior). See the module install patch later in the series for the modified semanage_module_list.

Adds a helper function for creating a directory if it doesn't already exist (used to automatically create the disabled, priority, and module dirs).

Signed-off-by: Chad Sellers <csellers@tresys.com>
src/direct_api.c
src/modules.c
src/modules.h
src/policy.h
|
d220f4910f2a7a765f7b3057606ed17689849782 |
24-Dec-2009 |
Caleb Case <ccase@tresys.com> |
libsemanage: augment semanage_module_info_t and provide semanage_module_key_t

Adds priority, language ext, and enabled fields to semanage_module_info_t.

Adds get/set functions for all semanage_module_info_t/key_t fields. This is necessary so that semanage_module_info_t/key_t can be used in the specifying meta data on source policies.

Adds create, destroy, and init functions for semanage_module_info_t and semanage_module_key_t. Create initializes and allocates, destroy deallocates fields (but not struct), and init initializes fields.

Provide several utility functions for converting a string priority to a uint16_t and validating fields.

Adds semanage_module_get_path for getting module specific file paths.

Signed-off-by: Chad Sellers <csellers@tresys.com>
src/modules.c
src/modules.h
|
73430e5542dc3f22eee54a41ad54318ad14d1cab |
24-Dec-2009 |
Caleb Case <ccase@tresys.com> |
libsemanage: add default priority to semanage_handle_t

For backwards compatibility purposes we need to provide a default priority that the current set of module install/upgrade/remove functions can use. The default priority is 400.

Adds semanage_module_validate_priority so that it can be used to verify the given priority. See next patch for other validation functions.

Signed-off-by: Chad Sellers <csellers@tresys.com>
src/handle.c
src/handle.h
src/modules.c
src/modules.h
|
e57389343a2da3fa06090fc29fd7c741d17cc964 |
24-Dec-2009 |
Caleb Case <ccase@tresys.com> |
libsemanage: update unit tests for move to /var/lib/selinux

This updates the unit tests to accommodate the change in layout (no top level 'modules' directory).

Signed-off-by: Chad Sellers <csellers@tresys.com>
tests/test_semanage_store.c
|
e37fa2f63be89afab9b5f5ddfedbd589d0676c4e |
24-Dec-2009 |
Caleb Case <ccase@tresys.com> |
libsemanage: split final files into /var/lib/selinux/tmp

This patch moves the final files from inside /var/lib/selinux/<store>/[active|previous|tmp] to /var/lib/selinux/tmp/<store>. The move is done to facilitate using source control management on the /var/lib/selinux/<store> directory. If these files remain in /var/lib/selinux/<store> they will pose a size problem if an SCM like git is used as we'd be storing lots of binary diffs. We are suggesting making this change now, rather than later when source policy, SCM, and CIL[1] support are available, to ease the migration burden.

These are the files that have been moved:

  /var/lib/selinux/<store>/active/...   /var/lib/selinux/tmp/<store>/...
  file_contexts                         contexts/files/file_contexts
  file_contexts.homedirs                contexts/files/file_contexts.homedirs
  file_contexts.local                   contexts/files/file_contexts.local
  netfilter_contexts                    contexts/netfilter_contexts
  policy.kern                           policy/policy.<policyversion>
  seusers.final                         seusers

The layout of these files in /var/lib/selinux/tmp/<store> is designed to mirror their locations in /etc/selinux/<store>. This should help clarify the relationship between these final files and the files installed in etc.

One consequence of this move is that reverting to the previous policy version requires a policy rebuild. Currently you can revert without rebuilding.

[1] CIL RFC: http://marc.info/?l=selinux&m=124759244409438&w=2

Signed-off-by: Chad Sellers <csellers@tresys.com>
src/boolean_internal.h
src/booleans_file.c
src/booleans_policydb.c
src/database_file.c
src/database_file.h
src/database_policydb.c
src/database_policydb.h
src/direct_api.c
src/fcontext_internal.h
src/fcontexts_file.c
src/genhomedircon.c
src/iface_internal.h
src/interfaces_file.c
src/interfaces_policydb.c
src/node_internal.h
src/nodes_file.c
src/nodes_policydb.c
src/port_internal.h
src/ports_file.c
src/ports_policydb.c
src/semanage_store.c
src/semanage_store.h
src/seuser_internal.h
src/seusers_file.c
src/user_internal.h
src/users_base_file.c
src/users_base_policydb.c
src/users_extra_file.c
|
aea047c76904a907c0acb15ab4a6399ffe32dd63 |
24-Dec-2009 |
Caleb Case <ccase@tresys.com> |
libsemanage: move the module store to /var/lib/selinux

This patch moves the module store from /etc/selinux/<store>/modules to /var/lib/selinux/<store>. This move will allow for the use of a read-only /etc/selinux. Currently that is not possible with semanage because of the lock files.

A consequence of this move is that packagers of libsemanage should create the /var/lib/selinux directory.

Signed-off-by: Chad Sellers <csellers@tresys.com>
src/direct_api.c
src/semanage_store.c
src/semanage_store.h
|
844810d9ace7a13257b7bf715d9d6acd7131e741 |
27-Sep-2011 |
Steve Lawrence <slawrence@tresys.com> |
Revert "libsemanage: introduce semanage_set_root and friends"

This reverts commit 9cd587f5533456e7b26601e27e65744272e2e783.

Conflicts:
  libsemanage/include/semanage/handle.h
include/semanage/handle.h
man/man3/semanage_set_root.3
src/conf-parse.y
src/direct_api.c
src/handle.c
src/handle_internal.h
src/libsemanage.map
src/semanage_store.c
|
30a2df81eb8a03f1414b30d7a9783d378d08c53d |
27-Sep-2011 |
Steve Lawrence <slawrence@tresys.com> |
Revert "Last attempt at upstreaming semodule_disable patch."

This reverts commit 654dcb897e49908a958dae55cf29793412c4b390.

Conflicts:
  policycoreutils/semodule/semodule.c
include/semanage/modules.h
src/direct_api.c
src/libsemanage.map
src/module_internal.h
src/modules.c
src/modules.h
src/policy.h
src/semanage_store.c
src/semanage_store.h
|
147c0ec85821cd4be43afd07c57c9d53b52bbf5a |
27-Sep-2011 |
Steve Lawrence <slawrence@tresys.com> |
Revert "fixes to commit 847d27b8385ce77ac71df8aa58a2d298b33d1ea4"

This reverts commit c1323f22c7ad93b975eb8b6a251b893bc88f240f.
src/direct_api.c
src/semanage_store.h
|
7475f818693f9153d6fb412cd0cd76804be592b7 |
27-Sep-2011 |
Steve Lawrence <slawrence@tresys.com> |
Revert "libsemanage: change module disabled from rename to symlink"

This reverts commit 60c780ffb6e7a48a2121e871ad20471a8fe0337d.
src/direct_api.c
src/semanage_store.c
src/semanage_store.h
|
07e1c247cff83a084e9e39ba33ee1571e2c37e92 |
01-Aug-2013 |
Steve Lawrence <slawrence@tresys.com> |
Revert "libsemanage: Alternate path for semanage.conf"

This reverts commit 66dd98b83a519840a26be7fa5644c982524f3bf7.
src/handle.c
src/handle.h
src/semanage_store.c
src/semanage_store.h
|
b5fe34deba6b97dd0692e941b4d69cd6ee04acd7 |
01-Aug-2013 |
Steve Lawrence <slawrence@tresys.com> |
Revert "libsemanage: Use default semanage.conf as a fallback"

This reverts commit 4120df1c6ea85aa56ed602e46a4030d9e4e45ee6.
src/handle.c
|
f43e4eba2477ce8fd066b2a808c8e2f8a79dc0af |
01-Aug-2013 |
Steve Lawrence <slawrence@tresys.com> |
Revert "libsemanage: Cleanup/fix enable/disable/remove module."

This reverts commit c9b09be4244f3c90cee19d9e3feca324f0e0e636.
src/direct_api.c
src/semanage_store.c
|
8b6d00ba72c0328f974396bb17e5659d98b93225 |
04-Apr-2014 |
Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> |
libsemanage: fix memory leak when setting a custom store_path A strdup was setting store_path without freeing the original value in the semanage conf. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
rc/handle.c
|
fa095ad7a1c412de36d6f18cf4143f88182918ba |
20-May-2014 |
Steve Lawrence <slawrence@tresys.com> |
libsemanage: only try to compile file contexts if they exist It is not a requirement that all file context files exist (e.g. file_contexts.local is not mandatory). However, sefcontext_compile is executed for all file contexts files regardless of existence, which results in an error when they do not exist and causes policy load to fail. This modifies libsemanage so that sefcontext_compile is only executed on file contexts that do exist. Signed-off-by: Steve Lawrence <slawrence@tresys.com>
rc/semanage_store.c
|
c74516b5a3e7f5340c947fd151edc51624d59bb2 |
24-Dec-2009 |
Caleb Case <ccase@tresys.com> |
libsemanage: fix typo in tests makefile -o -> -O Fixed typo in the tests Makefile where '-o' should have been '-O'. Signed-off-by: Chad Sellers <csellers@tresys.com>
ests/Makefile
|
52623801c4c614940b3005c30997d6ae78228beb |
25-Aug-2014 |
Steve Lawrence <slawrence@tresys.com> |
libsemanage: fix deprecation warning for bison The %name-prefix="foo" syntax was deprecated in bison 2.3b [1], which was released in 2006. This patch fixes the syntax to use the newer syntax. This breaks support for older versions of bison. [1] http://lists.gnu.org/archive/html/help-bison/2009-10/msg00018.html Reported-by: Ilya Frolov <ilya.a.frolov@gmail.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
rc/conf-parse.y
|
e5aaa01f81afa278cce79bd59ebfdb80a32e4e5a |
25-Jul-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Skip policy module re-link when only setting booleans. Since booleans are only set, not added/removed, we do not need to re-link modules when setting them. We can instead just take the existing binary policy and mutate it for the new values. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
rc/direct_api.c
|
2eba8aa1f57bda20cbfe435844b400d2deccba37 |
14-Jun-2014 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
libsemanage: use semanage_bool_get_value to print a boolean ... and not semanage_bool_set_value. This fixes "python2 pywrap-test.py -v -B -C"
rc/pywrap-test.py
|
49c738fc93ad917ed6e363f0c357074402ae1b60 |
14-Jun-2014 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
libsemanage: fix src/pywrap-test.py -v -F Running "libsemanage/src/pywrap-test.py -v -F" gives following error: Traceback (most recent call last): File "pywrap-test.py", line 1139, in <module> sys.exit(main()) File "pywrap-test.py", line 1121, in main tests.run(sh) File "pywrap-test.py", line 107, in run self.test_writefcontext(handle) File "pywrap-test.py", line 622, in test_writefcontext if self.verbose: print "SEFContext type set: ", semanage.semanage_fcontext_get_type_str(fcon) TypeError: in method 'semanage_fcontext_get_type_str', argument 1 of type 'int' The argument of semanage_fcontext_get_type_str is the type recorded in fcon and not fcon itself. This type can be retrieved with semanage_fcontext_get_type.
rc/pywrap-test.py
|
1e6482134b9dc2e4480a1cecaf1d366c9d42b0e7 |
06-May-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Bump version and update ChangeLog for release. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
hangeLog
ERSION
|
fb5d2a5beab682bb83ad1cc9b5af708da8f0e613 |
31-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Update ChangeLog and VERSION for rc1. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
hangeLog
ERSION
|
6263ad719c6c75a88dc6eee8e3973ba0ade36c98 |
28-Mar-2014 |
Thomas Hurd <thurd@tresys.com> |
libsemanage: fix memory leak in semanage_genhomedircon
rc/genhomedircon.c
|
7c4bb77999e6fab77547feb404a032ecc917e1b6 |
30-Oct-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Version bump for release. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
hangeLog
ERSION
|
9792099fd7847266377df151e7738f9b38ffc18d |
20-May-2013 |
Laurent Bigonville <bigon@bigon.be> |
Properly build the swig exception file even if the headers are missing During build if the headers are not installed in the system path, the generated swig exception (.i) file might be empty.
rc/exception.sh
|
a08010023b9fe66e8df5c187a53d93bfb0f2b939 |
25-Oct-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Update ChangeLogs and bump VERSIONs to an intermediate value. 2.1.99 is just a placeholder to distinguish it from the prior release. 2.2 will be the released version. Switching to 2-component versions. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
hangeLog
ERSION
|
cfada081f412c1c81c1168118f80a9a515e43de4 |
24-Oct-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
libsemanage gained a dependency on libaudit. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
ests/Makefile
|
6f84cfd00ccd828cc87fae5ccbfd4cd5babad320 |
09-Oct-2013 |
Dan Walsh <dwalsh@redhat.com> |
If you are pushing data onto the list that already exists, then return success. Do not push the data in a second time.
rc/utilities.c
|
56d9d20a647a52146494f0aef4494cafe328dc5d |
09-Oct-2013 |
Dan Walsh <dwalsh@redhat.com> |
Pull auditing into libsemanage. In the past we wrote audit into the semanage tool chain. But if a tool like useradd called directly into libsemanage we did not get auditing. Now useradd calls directly, so we need this patch. Another fix in this patch is to default the login mappings MLS to the selected SELinux User. If a caller just specified the name staff_u, then the code will look up the range of staff_u and apply it to the mapping.
rc/Makefile
rc/seusers_local.c
rc/users_local.c
|
b14294c01f2848adcb3daaf6dfc74c671cb514e3 |
09-Oct-2013 |
Dan Walsh <dwalsh@redhat.com> |
Remove the policy.kern after policy is built and replace with symbolic link. We want to shrink the space required by selinux-policy for small cloud images. This file has no purpose after policy is built.
rc/semanage_store.c
|
1fbb15eb11847f08188186784ab2bd444ab14707 |
09-Oct-2013 |
Dan Walsh <dwalsh@redhat.com> |
Add Laurent Bigonville fix to look at MAX_UID as well as MIN_UID in genhomedircon
rc/genhomedircon.c
|
2540b20096bed9a4f2581548ad37c3dae8654512 |
09-Oct-2013 |
Dan Walsh <dwalsh@redhat.com> |
Laurent Bigonville patch to fix various minor manpage issues and correct section numbering.
an/man3/semanage_bool_set_active.3
an/man3/semanage_count.3
an/man3/semanage_del.3
an/man3/semanage_exists.3
an/man3/semanage_iterate.3
an/man3/semanage_list.3
an/man3/semanage_modify.3
an/man3/semanage_query.3
an/man3/semanage_set_root.3
|
3f52a123af40bae33bde2a1f2ecfb2320b61f9ad |
06-Feb-2013 |
Eric Paris <eparis@redhat.com> |
libsemanage: semanage_store: fix segfault introduced to fix memory leak In the patch to fix a minor memory leak, I introduced a guaranteed segfault. The pointer to the stack variable will never be NULL, whereas the value on the stack will be. Signed-off-by: Eric Paris <eparis@redhat.com>
rc/semanage_store.c
|
e9410c9b0622c05761002994dfbd0746bbe6aaf7 |
01-Feb-2013 |
Eric Paris <eparis@redhat.com> |
VERSION BUMP FOR UPSTREAM PUSH
hangeLog
ERSION
|
295abb370b4a78d36d30a0e35655e2a85608ed3e |
05-Feb-2013 |
Eric Paris <eparis@redhat.com> |
libsemanage: semanage_store: do not leak memory in semanage_exec_prog If fork() failed we would leak the arguments created in split_args(). Reorder the function so it will hopefully be easy to read and will not leak memory. Signed-off-by: Eric Paris <eparis@redhat.com>
rc/semanage_store.c
|
d1c606ba46f661b950d6a6b2b29dfc07a536fb0a |
05-Feb-2013 |
Eric Paris <eparis@redhat.com> |
libsemanage: genhomedircon: remove useless conditional in get_home_dirs We have minuid_set = 0 at the top of the function and then do a test like: if (!minuid_set || something) But since minuid_set is always 0, we always call this code. Get rid of the pointless conditional. Signed-off-by: Eric Paris <eparis@redhat.com>
rc/genhomedircon.c
|
e1400f04044e8405419ee4534f8ff4f45c5d532a |
05-Feb-2013 |
Eric Paris <eparis@redhat.com> |
libsemanage: genhomedircon: double free in get_home_dirs Right before the call to semanage_list_sort() we do some cleanup. Including endpwent(); free(rbuf); semanage_list_destroy(&shells); If the call to the list sort fails we will go to fail: and will do those cleanups a second time. Whoops. Do the list sort before the generic cleanups so the failure code isn't run after the default cleanup. Signed-off-by: Eric Paris <eparis@redhat.com>
rc/genhomedircon.c
|
d0c7f6ea4f4c5bf9e1e21b67231e5b1a88020501 |
05-Feb-2013 |
Eric Paris <eparis@redhat.com> |
libsemanage: fcontext_record: do not leak on error in semanage_fcontext_key_create If the strdup failed, we would return without freeing tmp_key. This is obviously a memory leak. So free that if we are finished with it. Signed-off-by: Eric Paris <eparis@redhat.com>
rc/fcontext_record.c
|
7d83d86ba10e2fc251a249df4745c6f339e9c523 |
05-Feb-2013 |
Eric Paris <eparis@redhat.com> |
libsemanage: genhomedircon: do not leak on failure in write_gen_home_dir_context We generate a list of users, but we do not free that list on error. Just keep popping and freeing them on error. Signed-off-by: Eric Paris <eparis@redhat.com>
rc/genhomedircon.c
|
06f2a7c3a92f9f945504159d4657b318f7237db3 |
05-Feb-2013 |
Eric Paris <eparis@redhat.com> |
libsemanage: semanage_store: do not leak fd We use creat to create the lock file needed later. But we never close that fd, so it just sits around until the program exits. After we create the file we don't need to hold onto the fd. close it. Signed-off-by: Eric Paris <eparis@redhat.com>
rc/semanage_store.c
|
5812ec2fbbb9e9244e31525737ea967c7a795252 |
05-Feb-2013 |
Eric Paris <eparis@redhat.com> |
libsemanage: genhomedircon: do not leak shells list If get_home_dirs() was called without usepasswd we would generate the entire shell list, but would never use that list. We would then not free that list when we returned the homedir_list. Instead, do not create the list of shells until after we know it will be used. Signed-off-by: Eric Paris <eparis@redhat.com>
rc/genhomedircon.c
|
78d618422bbf8774edaeaa3df549c2d4d1b06dd1 |
05-Feb-2013 |
Eric Paris <eparis@redhat.com> |
libsemanage: semanage_store: do not leak on strdup failure Inside split_args we do a = realloc(b) and strdup. If the realloc succeeds and then the strdup fails, we return NULL to the caller. The caller will then jump to an error code which will do a free(b). This is fine if the realloc failed, but is a big problem if realloc worked. If it worked b is now meaningless and a needs to be freed. I change the function interface to return an error and to update "b" from the caller. Signed-off-by: Eric Paris <eparis@redhat.com>
rc/semanage_store.c
|
d16ebaace10b246f411d65caa83c7ebdafd0a300 |
05-Feb-2013 |
Eric Paris <eparis@redhat.com> |
libsemanage: semanage_store: rewrite for readability We did a bunch of: if ((blah = function(a0, a1, a2)) == NULL) { goto err; } else { something = blah; } Which takes 5 lines and is a pain to read. Instead: blah = function(a0, a1, a2); if (blah == NULL) goto err; something = blah; Which takes 4 lines and is easier to read! Winning! Signed-off-by: Eric Paris <eparis@redhat.com>
rc/semanage_store.c
|
2276a2fa51517ead7f4cf028263dee4b5e2bb46a |
05-Dec-2012 |
Eric Paris <eparis@redhat.com> |
libsemanage: fixes from coverity Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/database_llist.c
rc/database_policydb.c
rc/debug.c
rc/semanage_store.c
|
6064f9672cbd805a9c51b60414f3711a499c45aa |
05-Dec-2012 |
Eric Paris <eparis@redhat.com> |
libsemanage: redo genhomedircon minuid Just a little less code. No real change. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/genhomedircon.c
|
c9b09be4244f3c90cee19d9e3feca324f0e0e636 |
21-Nov-2012 |
Dan Walsh <dwalsh@redhat.com> |
libsemanage: Cleanup/fix enable/disable/remove module. If you specified a portion of the module name the code would disable the module rather than giving you an error. For example, semodule -d http would disable the httpd module. As a matter of fact, semodule -r h would disable the first module file name that began with h. This patch gets the real file name out of the modules and compares it to the name specified. It also consolidates a bunch of duplicated code, and fixes a return code bug. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/direct_api.c
rc/semanage_store.c
|
28baa721e0f544d0899b68eb5eee070ed2b4b02b |
14-Sep-2012 |
rhatdan <dwalsh@redhat.com> |
libsemanage: Add sefcontext_compile to compile regex every time policy is rebuilt Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/conf-parse.y
rc/conf-scan.l
rc/semanage_conf.h
rc/semanage_store.c
|
8638197342f77d66b3e21ee93009060886020064 |
13-Sep-2012 |
Eric Paris <eparis@redhat.com> |
Version bumps for upstream push
hangeLog
ERSION
|
18649484eee7e4ca7b0be572365aca368a3471b5 |
12-Jan-2012 |
Xin Ouyang <xinpascal@gmail.com> |
libsemanage: Fix segfault for building standard policies. If you are building "standard" policies (not MCS/MLS), libsemanage will crash, which is caused by strdup() on "level" NULL pointers. For example, semodule -s refpolicy -b base.pp -i a.pp Signed-off-by: Eric Paris <eparis@redhat.com>
rc/genhomedircon.c
|
b0b22829eb0aa992462b9efd7b32e2fdc8604faf |
12-Sep-2012 |
Eric Paris <eparis@redhat.com> |
libsemanage: do boolean name substitution So people can use -P and it will work. Signed-off-by: Eric Paris <eparis@redhat.com>
rc/boolean_record.c
|
1024ea34c6ff68625037fd8abbda5dc910ac31e5 |
01-Jun-2012 |
Eric Paris <eparis@redhat.com> |
libselinux: libsemanage: remove PYTHONLIBDIR and ruby equivalent We generate pkg-config --libs and use that to build the libselinux python so file. We do not use it to build the libsemanage versions. We also never use the ruby equivalent. So stop calling pkg-config uselessly. Signed-off-by: Eric Paris <eparis@redhat.com>
rc/Makefile
|
b2523dc167b1b61ea3cc42a97c8da6ac60ad7550 |
01-Jun-2012 |
Eric Paris <eparis@redhat.com> |
libselinux: libsemanage: do not set soname needlessly We explicitly set the soname of the python and ruby files. We don't need this. We are using the -o name as the soname, so just let the toolchain do its thing. It just makes the Makefile nicer to read. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/Makefile
|
f05a71b92d94771ed976a7c74e5fa378d02b590b |
28-Jun-2012 |
Eric Paris <eparis@redhat.com> |
Version bumps for upstream push
hangeLog
ERSION
|
c4f415c2444874488e9a9ae2e02a7cbeea583ba2 |
29-May-2012 |
Sven Vermeulen <sven.vermeulen@siphos.be> |
libsemanage: use after free in python bindings In python 3.2 we hit a problem where the fcontext was garbage. We didn't see this in python 2.7. The reason is because python3.2 would free and reuse the memory and python 2.7 just happened to leave it alone. Instead of using memory that python might use for something else, use strdup() to get a local copy which we can free when we are finished with it. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/fcontext_record.c
|
4120df1c6ea85aa56ed602e46a4030d9e4e45ee6 |
05-Jan-2012 |
Dan Walsh <dwalsh@redhat.com> |
libsemanage: Use default semanage.conf as a fallback If the private semanage.conf file is unreadable for some reason (usually ENOENT) fallback to the default file. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/handle.c
|
fade75f1e2f2bda739214e079e27a50dadd61e64 |
07-Jun-2012 |
Eric Paris <eparis@redhat.com> |
libsemanage: semanage_store: fix snprintf length argument by using asprintf We calculated a length, allocated a space for the string, then used snprintf to fill the array giving it a different length. Rather than doing all that math ourselves, just use asprintf and let libraries get it right. Signed-off-by: Eric Paris <eparis@redhat.com>
rc/semanage_store.c
|
a6c9140cbbe02c3dfb32798f9e5ba333297ba64b |
07-Jun-2012 |
Eric Paris <eparis@redhat.com> |
libsemanage: ignore 80 column limit for readability 80 columns just suck. Ignore it when we are only a little bit over. Signed-off-by: Eric Paris <eparis@redhat.com>
rc/semanage_store.c
|
824df4b60b8f3de26fb900ed5f74ca6379de6d99 |
01-Jun-2012 |
Eric Paris <eparis@redhat.com> |
libselinux: additional makefile support for rubywrap SELinux ruby bindings didn't build from the top level; the swig generated .c file wasn't gitignored; use pkg-config for ruby info like we do for python. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/.gitignore
rc/Makefile
|
5d19b707232718377e7378d43a677011e6f97a58 |
19-Apr-2012 |
Eric Paris <eparis@redhat.com> |
libselinux: libsemanage: remove build warning when building swig c files swig creates C files with warnings. Turn off the warnings so the build is clean. We can't help the code it produces anyway... Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
akefile
rc/Makefile
|
7a86fe1a3decc4c05598eb3f9339175251cd5447 |
28-Mar-2012 |
Eric Paris <eparis@redhat.com> |
bump version and changelog for upstream push
hangeLog
ERSION
|
38e93bad1ffd99e698d24541793148e1da587389 |
26-Mar-2012 |
Russell Coker <russell@coker.com.au> |
libsemanage: fallback-user-level Having magic numbers in the code is a bad idea, using a macro is better. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/genhomedircon.c
|
e55a295b1d53fdf0d37ede591e8df36d7a08fe7a |
26-Mar-2012 |
Laurent Bigonville <bigon@debian.org> |
libsemanage: Allow building for several ruby versions This allows building the ruby module for both ruby 1.8 and 1.9.1 (the way it's done for the python module) Signed-off-by: Laurent Bigonville <bigon@debian.org> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/Makefile
|
a8a766ac9fe21fe27fbb601c46fddb7629331e40 |
26-Mar-2012 |
Laurent Bigonville <bigon@debian.org> |
libsemanage: do not link against libpython, this is considered bad in Debian Do not link against libpython, the interpreter is already linked to it. In Debian this is usually considered bad practice. Signed-off-by: Author: Laurent Bigonville <bigon@debian.org> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/Makefile
|
66dd98b83a519840a26be7fa5644c982524f3bf7 |
04-Jan-2012 |
Dan Walsh <dwalsh@redhat.com> |
libsemanage: Alternate path for semanage.conf Currently the semanage.conf file is hard coded to /etc/selinux/semanage.conf even when an alternate root path is specified. Use the semanage.conf found inside the alternate root instead of the system global version. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/handle.c
rc/handle.h
rc/semanage_store.c
rc/semanage_store.h
|
339f8079d7b9dd1e0b0138e2d096dc7c60b2092e |
21-Dec-2011 |
Eric Paris <eparis@redhat.com> |
update VERSION and Changelog for public push
hangeLog
ERSION
|
5e46bb8647877acf8c7ff8253921c90ee50f3cdc |
12-Dec-2011 |
Dan Walsh <dwalsh@redhat.com> |
libsemanage: Fallback_user_level can be NULL if you are not using MLS If you build a distribution without MLS turned on, libsemanage will crash if given a user without a level. This patch allows users without levels to be passed in. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/genhomedircon.c
|
915b5f885f030aa24a2ca648a184fa02cb5bbdcd |
29-Jun-2011 |
Eric Paris <eparis@redhat.com> |
libsemanage: add ignoredirs config for genhomedircon For a long time /root has been treated differently in Red Hat Distributions than upstream policy. We do not want to label /root the same as a user's homedir. Because of this we have carried a patch in libsemanage/genhomedircon.c to ignore /root. This patch adds a flag to semanage.conf, ignoredirs, that will allow distributions or users to specify directories that genhomedircon should ignore when setting up users' homedir labeling. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
an/man5/semanage.conf.5
rc/conf-parse.y
rc/conf-scan.l
rc/direct_api.c
rc/genhomedircon.c
rc/genhomedircon.h
rc/semanage_conf.h
|
14e4b70b933a330fc1e63bf0ac5ebab4f9664062 |
03-Nov-2011 |
Eric Paris <eparis@redhat.com> |
Bump Version and Changelog for commit
hangeLog
ERSION
|
2c4eca16dd4aaf2f7830012908aef66109106d82 |
19-Sep-2011 |
Dan Walsh <dwalsh@redhat.com> |
libsemanage: create man5dir if not exist Make new man page directory if it doesn't exist. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
an/Makefile
|
06f53004d93ddb6bd4e2b2f4d697c8cedf382e47 |
19-Sep-2011 |
Guido Trentalancia <guido@trentalancia.com> |
libsemanage: semanage.conf man page Add a new semanage.conf man page. Signed-off-by: Eric Paris <eparis@redhat.com>
an/Makefile
an/man5/semanage.conf.5
|
86e8daafc3755820272c0f36a3dd115f0b01c93d |
20-Oct-2011 |
Dan Walsh <dwalsh@redhat.com> |
libselinux: maintain mode even if umask is tighter When certain programs were run which created new files they would get default permissions based on the current users umask. However these files should get the same permissions as those files which they replaced. Do that. Patch from: Stephen Smalley Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/semanage_store.c
|
c81a43c753efbda6f2106dbf0a291005683474f8 |
28-Sep-2011 |
Eric Paris <eparis@redhat.com> |
libselinux: libsemanage: libsepol: regenerate .pc on VERSION change The makefile which generated the package config files did not have the VERSION file as a dependency. Thus if you updated a tree you had previously built, the .pc file wouldn't be rebuilt and the old version would be reinstalled. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/Makefile
|
418dbc70e8e7b6b313a0a23455d24256c6807a46 |
16-Sep-2011 |
Eric Paris <eparis@redhat.com> |
Bump version and changelog for all components.
hangeLog
ERSION
|
6a530237403066293813ad03d575df2487db28d0 |
14-Sep-2011 |
Guido Trentalancia <guido@trentalancia.com> |
libsemanage: fix semanage_store_access_check calling arguments A few calls to semanage_store_access_check() in the libsemanage tests passed an argument even though it is a void function. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
ests/test_semanage_store.c
|
eb695e5a5618ede939af2f9c9daed7c53e14b50a |
14-Sep-2011 |
Guido Trentalancia <guido@trentalancia.com> |
whole tree: default make target to all not install Change the default "make" target for the libraries from "install" to "all" in the makefiles. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
nclude/Makefile
an/Makefile
|
e4bc1b223debcc6747fef4d7a2a0a320c0208a88 |
01-Sep-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
libsepol: libsemanage: policycoreutils: Create a new preserve_tunables flag in sepol_handle_t. By default only the effective branch of a tunable conditional would be expanded and written to raw policy, while all needless unused branches would be discarded. Add a new option '-P' or "--preserve_tunables" to the semodule program. By default it is 0, if set to 1 then the above preserve_tunables flag in the sepol_handle_t would be set to 1 accordingly. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
nclude/semanage/handle.h
rc/direct_api.c
rc/handle.c
rc/libsemanage.map
rc/semanage_store.c
rc/semanage_store.h
|
60c780ffb6e7a48a2121e871ad20471a8fe0337d |
29-Jun-2011 |
Eric Paris <eparis@redhat.com> |
libsemanage: change module disabled from rename to symlink Change the way libsemanage handles disabled modules. In the current method libsemanage renames the FOO.pp file to FOO.pp.disabled and then the rebuild process ignores *.disabled modules. Since we want to start shipping /etc/selinux/targeted/modules/active/modules/*.pp within the payload of the rpm, if we continued this method, a policy update would re-enable a module. The new mechanism will just create a symbolic link between FOO.pp and FOO.pp.disabled. Then the library will check all modules, and if a module has a link, it will not be compiled into the policy. This solves the rpm update problem, and actually gives us an easier update capability since if FOO.pp.disabled already exists using the old method, it will continue to work with the new method. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/direct_api.c
rc/semanage_store.c
rc/semanage_store.h
|
1f8cf403be49dd8b918e2ff21969a6a47928d672 |
26-Aug-2011 |
Eric Paris <eparis@redhat.com> |
update changelog and versions for 2011-08-26
hangeLog
ERSION
|
acb4ecaa0111a428b2c443e0db937caa09696923 |
22-Aug-2011 |
Dan Walsh <dwalsh@redhat.com> |
libsemanage: python wrapper makefile changes Change libsemanage Makefile to be able to build by default and to build if you change the version of Python Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/Makefile
|
6b6b475dcfe77dbf3d37b4f6e4fee3539346f359 |
17-Aug-2011 |
Eric Paris <eparis@redhat.com> |
update changelog and VERSION for latest changes
hangeLog
ERSION
|
4b00b5c6a4876f3470b53252bad7a1e6f91899fc |
04-Aug-2011 |
Dan Walsh <dwalsh@redhat.com> |
libsemanage: print error debug info for buggy fc files Currently if you have a bug in a fc file, the store only reports that you have a problem but not the name of the module, or any hint of what is wrong. This patch will print out as much as has been collected in the file_spec at the time of the error. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/semanage_store.c
|
9cd587f5533456e7b26601e27e65744272e2e783 |
29-Jun-2011 |
Eric Paris <eparis@redhat.com> |
libsemanage: introduce semanage_set_root and friends Allow applications to specify an alternate root for selinux stores. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
nclude/semanage/handle.h
an/man3/semanage_set_root.3
rc/conf-parse.y
rc/direct_api.c
rc/handle.c
rc/handle_internal.h
rc/libsemanage.map
rc/semanage_store.c
|
9406ace82b12780da84b2553cb74f88101978ea2 |
29-Jun-2011 |
Eric Paris <eparis@redhat.com> |
libsemanage: throw exceptions in python rather than return NULL Python doesn't really work on the basis of negative error code. It throws exceptions. This patch automatically generates little stub functions which will catch negative error codes and will throw exceptions in their place. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/.gitignore
rc/Makefile
rc/exception.sh
rc/semanageswig_python.i
|
78d58d73b4098ec56b6545abd9f9719563d0d587 |
24-Jun-2011 |
Daniel J Walsh <dwalsh@redhat.com> |
libsemanage: python3 support. Dave Malcolm has been working on adding python3 support to libsemanage (and libselinux). Change to Makefile to: Support building the Python bindings multiple times, against various Python runtimes (e.g. Python 2 vs Python 3) by optionally prefixing the build targets with "PYPREFIX": Should build python2 version by default, without the user doing any changes. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/Makefile
|
d784fd71b56cb8f57d5b9fcd784094e004bf7c6a |
05-Jan-2011 |
Russell Coker <russell@coker.com.au> |
libsemanage: patch for MCS/MLS in user files The attached patch makes the /etc/selinux/default/contexts/files/file_contexts.homedirs generation process include the MCS/MLS level. This means that if you have a user with a MCS/MLS level that isn't SystemLow then their home directory will be labeled such that they can have read/write access to it by default. Unless anyone has any better ideas for how to solve this problem I will upload this to Debian shortly. What do the MLS users do in this situation? Just relabel home directories manually? Finally it seems that when you run "semanage user -m" the file_contexts.homedirs doesn't get updated, it's only when you run "semanage login -m" that it takes affect. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Russell Coker <russell@coker.com.au> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/genhomedircon.c
|
510003b63f3abd3039b1d154cab24fc13be0c581 |
01-Aug-2011 |
Eric Paris <eparis@redhat.com> |
Minor version bump for updates as of 2011-08-01 checkpolicy libselinux libsemanage libsepol policycoreutils Signed-off-by: Eric Paris <eparis@redhat.com>
hangeLog
ERSION
|
d67b1ea1cbe30afb4894634f06ca25916b03cbd7 |
24-Jun-2011 |
Eric Paris <eparis@redhat.com> |
libsemanage: drop the -no-unused-parameter build flag Annotate the couple of places they are needed and drop the flag Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/Makefile
rc/database.c
rc/direct_api.c
rc/genhomedircon.c
rc/semanage_store.c
rc/semanage_store.h
|
dad5f79991eb04b5973c670c8566844a014a3a85 |
24-Jun-2011 |
Eric Paris <eparis@redhat.com> |
libsemanage: use -Werror libsemanage should use -Werror just like libselinux Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/Makefile
|
109dc801ec27fc4f850f6927617acd6da5e6a544 |
24-Jun-2011 |
Eric Paris <eparis@redhat.com> |
libsemanage: do not store generated files in git libsemanage/src/semanage.py and libselinux/src/semanageswig_wrap.c are both generated rather than being real code. Do not store them in git. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
rc/.gitignore
rc/semanage.py
rc/semanageswig_wrap.c
|
44121f662411dbc17bf2e196911c655ee6969d59 |
26-Jul-2011 |
Steve Lawrence <slawrence@tresys.com> |
Minor version bump for release Bump checkpolicy to 2.1.0 Bump libselinux to 2.1.0 Bump libsepol to 2.1.0 Bump libsemanage to 2.1.0 Bump policycoreutils to 2.1.0 Bump sepolgen to 1.1.0
hangeLog
ERSION
|
d17ed0d90d100acb4d270613d12988f909cc1c3f |
16-Dec-2010 |
Chad Sellers <csellers@tresys.com> |
bump checkpolicy to 2.0.23 bump libselinux to 2.0.98 bump libsepol to 2.0.42 bump libsemanage to 2.0.46 Signed-off-by: Chad Sellers <csellers@tresys.com>
hangeLog
ERSION
|
f7dd4ca760de5f2dfa962749dddf8a99587f2257 |
09-Dec-2010 |
Justin P. Mattock <justinmattock@gmail.com> |
Author: "Justin P. Mattock" Email: justinmattock@gmail.com Subject: libsemanage Fix warning: parameter 'key' set but not used (and others) Date: Tue, 6 Jul 2010 15:23:30 -0700 libsemanage produced no errors with the warnings, I'm just noticing big hunks of sections with warning messages: database_llist.c: In function 'dbase_llist_add': database_llist.c:150:28: warning: parameter 'key' set but not used database_llist.c: In function 'dbase_llist_count': database_llist.c:221:50: warning: parameter 'handle' set but not used database_llist.c: In function 'dbase_llist_del': database_llist.c:278:41: warning: parameter 'handle' set but not used (and so on...) so add the GCC attribute to quiet these warnings since most go to NULL; Signed-off-by: Justin P. Mattock <justinmattock@gmail.com> Signed-off-by: Chad Sellers <csellers@tresys.com>
rc/database_llist.c
rc/database_policydb.c
rc/debug.c
rc/direct_api.c
|
e6bfff4372a2bf5fe8dbd1de49ffb6cf366b39e0 |
07-Mar-2010 |
Joshua Brindle <method@manicmethod.com> |
bump libsemanage to 2.0.45 and libselinux to 2.0.92
hangeLog
ERSION
|
7420787817c4949276d7947202b49d78eba37c13 |
24-Feb-2010 |
Daniel J Walsh <dwalsh@redhat.com> |
updated libselinux pkgconfig does not work correctly on lib64 machines. On 02/24/2010 02:24 PM, Daniel J Walsh wrote: > Ignore the first patch it was missing pc.in files. Acked-by: Eamon Walsh <ewalsh@tycho.nsa.gov> Signed-off-by: Joshua Brindle <method@manicmethod.com>
rc/Makefile
rc/libsemanage.pc.in
|
d03b94113615c1751b8a074bbd4064d915c70ff9 |
06-Mar-2010 |
Joshua Brindle <method@manicmethod.com> |
regenerate swig wrappers
rc/semanage.py
rc/semanageswig_wrap.c
|
c1323f22c7ad93b975eb8b6a251b893bc88f240f |
06-Mar-2010 |
Joshua Brindle <method@manicmethod.com> |
fixes to commit 847d27b8385ce77ac71df8aa58a2d298b33d1ea4 - implicit declaration of semanage_module_enabled() - added nicer error messages when disabling or enabling modules already disabled or enabled - fix comment Signed-off-by: Joshua Brindle <method@manicmethod.com>
rc/direct_api.c
rc/semanage_store.h
|
654dcb897e49908a958dae55cf29793412c4b390 |
24-Feb-2010 |
Daniel J Walsh <dwalsh@redhat.com> |
Last attempt at upstreaming semodule_disable patch. This patch allows you to disable/enable policy modules. It never seems to get upstreamed. :^( Signed-off-by: Joshua Brindle <method@manicmethod.com>
nclude/semanage/modules.h
rc/direct_api.c
rc/libsemanage.map
rc/module_internal.h
rc/modules.c
rc/modules.h
rc/policy.h
rc/semanage_store.c
rc/semanage_store.h
|
c8d100bb03e0fe0501037b914fe3638afd593ee4 |
25-Feb-2010 |
Daniel J Walsh <dwalsh@redhat.com> |
Patch to run genhomedircon without looking at /etc/passwd I want to change the default of libsemanage to not look for home directories in getpwent. This patch allows you to set the flag usepasswd=false in the semanage.conf file, and genhomedircon will only set up the labeling of /home, /export/home and any confined users' homedirs. If this patch is not acceptable because libsemanage is being rewritten, I would like the functionality to be added to the new libsemanage.
rc/conf-parse.y
rc/conf-scan.l
rc/direct_api.c
rc/semanage_conf.h
|
9a1814832b7e3b046d8edd5d7691a7a3aae427f6 |
02-Feb-2010 |
Stephen Smalley <sds@tycho.nsa.gov> |
libsemanage 2.0.44
hangeLog
ERSION
|
0b2f9ef8f3f91cd6e202dc8bdfe8e1156ae6c01a |
25-Jan-2010 |
Stephen Smalley <sds@tycho.nsa.gov> |
bzip support in libsemanage and out of memory (userspace ticket 7) On Sun, 2010-01-24 at 21:29 +0100, Guido Trentalancia wrote: > Hi ! > > Has anybody had any time to look at this ticket: > http://userspace.selinuxproject.org/trac/ticket/7 ? > > I have experienced the same issue and verified that the problem is actually triggered by the bzip support (as pointed out by Stephen Smalley back in August). In fact, if I use bzip-blocksize=0 in semanage.conf then the problem disappears... > > Otherwise with a default semanage.conf and bzip enabled, I get: > > libsepol.module_package_read_offsets: offset greater than file size (at 4, offset 200478 -> 8192 (No such file or directory). > libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/refpolicy/modules/tmp/base.pp. (No such file or directory). > semodule: Failed! > > I am using libsepol-2.0.41 and libsemanage-2.0.42. Looking into this more closely, I believe this is another manifestation of: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543915#17 which was ultimately traced down to two issues: 1) A missing offset check in libsepol (fixed in libsepol 2.0.38), and 2) A bug / lack of binary mode support in the fmemopen implementation in glibc that was later fixed, see: http://sourceware.org/bugzilla/show_bug.cgi?id=6544 Maybe you have the older glibc still? Looking at the libsemanage code though, I think we could in fact avoid any dependency on fmemopen by using the native libsepol support for operating on a memory region via sepol_policy_file_set_mem(), ala: Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
rc/direct_api.c
rc/semanage_store.c
|
7b9904bef33264b16dd25e4c5d5018c8656d65f4 |
27-Nov-2009 |
Joshua Brindle <method@manicmethod.com> |
bump libsemanage to 2.0.43 and policycoreutils to 2.0.78
hangeLog
ERSION
|
a6700ba05f78b443ea2fca0971a5b555c1066470 |
17-Nov-2009 |
Manoj Srivastava <srivasta@debian.org> |
libsemanage: Fix the format of the NAME lines Each manual page should start with a "NAME" section, which lists the name and a brief description of the page separated by "\-". These sections are parsed by "mandb" and stored in a database for the use of "apropos" and "whatis", so they must be in a certain format. These manual pages apparently use the wrong format and cannot be parsed by "mandb". This commit fixes that. Signed-off-by: Manoj Srivastava <srivasta@debian.org> Signed-off-by: Joshua Brindle <method@manicmethod.com>
an/man3/semanage_bool.3
an/man3/semanage_bool_set_active.3
an/man3/semanage_count.3
an/man3/semanage_del.3
an/man3/semanage_exists.3
an/man3/semanage_fcontext.3
an/man3/semanage_iface.3
an/man3/semanage_iterate.3
an/man3/semanage_list.3
an/man3/semanage_modify.3
an/man3/semanage_node.3
an/man3/semanage_port.3
an/man3/semanage_query.3
an/man3/semanage_seuser.3
an/man3/semanage_user.3
|
55648ccca9bafbc243084b672f0ddf4fa294f993 |
13-Oct-2009 |
Joshua Brindle <method@manicmethod.com> |
/lib/libsemanage.so.1 links to /usr/lib/libustr-1.0.so.1 Manoj Srivastava wrote: > Hi, > > As demonstrated by > > $ ldd /lib/libsemanage.so.1 > linux-gate.so.1 => (0xb8092000) > libsepol.so.1 => /lib/libsepol.so.1 (0xb8015000) > libselinux.so.1 => /lib/libselinux.so.1 (0xb7ffa000) > libbz2.so.1.0 => /lib/libbz2.so.1.0 (0xb7fe9000) > libustr-1.0.so.1 => /usr/lib/libustr-1.0.so.1 (0xb7fbf000) > libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7e60000) > libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7e5c000) > /lib/ld-linux.so.2 (0xb8093000) > > libsemanage1 links to libustr which is located under the, > possibly separate or external, /usr partition, which would render > libsemanage unusable in such setups. (This dependency has been around > since 2.0.9). > > Should we move libsemanage1 to /usr/lib? The only reason for it > to be in /lib would be for early boot, where /usr might not be > available, but at this point, it is likely not usable without /usr > anyway. > > manoj Yes, I'm not sure why you'd need libsemanage during early boot, we probably should apply this: Signed-off-by: Joshua Brindle <method@manicmethod.com>
rc/Makefile
|
88a57ca14b1fc645648e63e6117a125d3af5ea55 |
18-Nov-2009 |
Chad Sellers <csellers@tresys.com> |
Bump policycoreutils to 2.0.76 Bump libsepol to 2.0.41 Bump libsemanage to 2.0.42
hangeLog
ERSION
|
eb014c79f11f01b25cbb44d81d5ed7fd9b90b836 |
18-Nov-2009 |
Daniel J Walsh <dwalsh@redhat.com> |
Author: Daniel J Walsh Email: dwalsh@redhat.com Subject: Add modules support to semanage Date: Thu, 12 Nov 2009 11:23:15 -0500 On 11/11/2009 01:52 PM, Chad Sellers wrote: > On 9/30/09 2:33 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: > >> Includes enable and disable. >> > I presume I should hold off on this patch until you have a chance to > resubmit the libsemanage support that it relies on. Let me know if that's > not the case. > > Thanks, > Chad > Let's do this patch. Moves load_policy from /usr/sbin to /sbin Removed cruft. Signed-off-by: Chad Sellers <csellers@tresys.com>
rc/conf-parse.y
|
7cdfd6e659dde3c7988e78ab2322a35e67ca8726 |
29-Oct-2009 |
Eamon Walsh <ewalsh@tycho.nsa.gov> |
Bump libsepol to 2.0.40, libselinux to 2.0.89, libsemanage to 2.0.41.
hangeLog
ERSION
|
12777502c638698a9e1dd6748a2309cb87946a65 |
21-Oct-2009 |
Eamon Walsh <ewalsh@tycho.nsa.gov> |
Add pkgconfig files for libsepol, libselinux, and libsemanage. Having a pkgconfig files allows the pkg-config tool to be used to query the presence of the library (or a particular version of it), and to obtain the C flags and linker arguments to build with it. Based on Debian patches by Manoj Srivastava <srivasta@debian.org>. Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
rc/Makefile
rc/libsemanage.pc.in
|
6f4660679f0051e3608c11050b7a52882e667b52 |
22-Oct-2009 |
Chad Sellers <csellers@tresys.com> |
Bump libselinux to 2.0.88 and libsemanage to 2.0.40
hangeLog
ERSION
|
bd74c23c7beaf340d3e21f84a253e3c994fe3623 |
21-Oct-2009 |
Chad Sellers <csellers@tresys.com> |
libsemanage: Add function to turn off file contexts validation This patch adds a function to turn off file contexts validation. We need this for cross-installs in rpm, where we install policy into a chroot that has binaries of a different architecture which cannot be executed on the build system. So, we would like to use this function to disable executing setfiles. This of course means the file contexts could be invalid, but we're willing to take that risk. Signed-off-by: Chad Sellers <csellers@tresys.com>
nclude/semanage/handle.h
rc/handle.c
rc/handle.h
rc/libsemanage.map
rc/semanage_store.c
|
0857e3e4782789a326426e1284dce95ba6d6b851 |
21-Oct-2009 |
Eamon Walsh <ewalsh@tycho.nsa.gov> |
Add subdirectory .gitignore files. These take care of executables and generated source files. Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
gitignore
|
0e421afd55407cf5e6e3793558e4449aef6fcf52 |
24-Sep-2009 |
Joshua Brindle <method@manicmethod.com> |
bump libselinux to 2.0.87 and libsemanage to 2.0.39
hangeLog
ERSION
|
94c51ba3b12e476c0b7108c9d83b939ed56b8359 |
24-Sep-2009 |
Joshua Brindle <method@manicmethod.com> |
make swigify
rc/semanage.py
rc/semanageswig_wrap.c
|
6e7e247f6c58365103895ae398914f791a7a8156 |
16-Sep-2009 |
Joshua Brindle <method@manicmethod.com> |
bump libsemanage to 2.0.38 and policycoreutils to 2.0.74
hangeLog
ERSION
|
faff0a77c679e8290bac6595c9764dc8929f32d6 |
16-Sep-2009 |
Daniel J Walsh <dwalsh@redhat.com> |
Author: Daniel J Walsh Email: dwalsh@redhat.com Subject: libsemanage patch Date: Wed, 16 Sep 2009 13:27:25 -0400 Updated patch. Need check in two places. Signed-off-by: Joshua Brindle <method@manicmethod.com>
rc/genhomedircon.c
|
c282c4024de7321a2987e55c51f6b65c75344c83 |
11-Sep-2009 |
Daniel J Walsh <dwalsh@redhat.com> |
I think I sent this patch before, it is the upgrade patch. Basically it makes semodule -u file.pp install file.pp if it does not exist. This matches the rpm syntax, and allows us to update/install many packages with a transaction without knowing whether the package is updated or installed. Currently we can only do a -i which could hammer a newer version. commit 3a5ed0fdf42200d0efd6cb1064eab91d2eb5ca52 Author: Dan Walsh <dwalsh@redhat.com> Date: Mon Aug 24 11:36:41 2009 -0400 i Upgrade patch
rc/direct_api.c
rc/modules.c
|
eaaafe2151b8321b4c2316b3a1bdeda9db79db25 |
04-Sep-2009 |
Joshua Brindle <method@manicmethod.com> |
bump policycoreutils to 2.0.73 and libsemanage to 2.0.37
hangeLog
ERSION
|
f3d9262568ce65b5cbc83a2c71c75c230a7aec0e |
20-Aug-2009 |
Chad Sellers <csellers@tresys.com> |
Fix semanage_direct_commit() to notice disable_dontaudit Add code to semanage_direct_commit() to notice that the disable_dontaudit flag has been changed and rebuild the policy if so. Currently, libsemanage doesn't notice that the disable_dontaudit flag is set so it does not rebuild the policy. semodule got around this by calling semanage_set_rebuild() explicitly, but libsemanage should really notice that this has changed and rebuild appropriately.
rc/direct_api.c
|
e376f725fce1d42b748d60b7db9a77263d69c19c |
24-Aug-2009 |
Stephen Smalley <sds@tycho.nsa.gov> |
libsemanage 2.0.36
hangeLog
ERSION
|
c3c7ef9c65ae3d5b35b9e66caa92b152b550b4ff |
24-Aug-2009 |
Stephen Smalley <sds@tycho.nsa.gov> |
libsemanage issue with bzip-blocksize=0 and compressed modules in store On Mon, 2009-08-24 at 10:57 -0400, Chris PeBenito wrote: > On Mon, 2009-08-24 at 10:04 -0400, Stephen Smalley wrote: > > On Mon, 2009-08-24 at 09:54 -0400, Chris PeBenito wrote: > > > I took the current release of libsemanage and added the patch to add a > > > bzip blocksize option[1]. The modules in my store were already > > > compressed with the stock release. I put bzip-blocksize=0 in my > > > semanage.conf and I do semodule -B and get: > > > > > > libsepol.module_package_read_offsets: wrong magic number for module > > > package: expected 0xf97cff8f, got 0x39685a42 (No such file or > > > directory). > > > libsemanage.semanage_load_module: Error while reading from module > > > file /etc/selinux/strict/modules/tmp/modules/apm.pp. (No such file or > > > directory). > > > semodule: Failed! > > > > > > If I do semodule -l, it will also get the magic number error. If I > > > remove the blocksize option, it works again. I was able to reinsert all > > > of the modules to get it working again with the blocksize 0 option. > > > > > > [1] http://userspace.selinuxproject.org/trac/changeset/ee9827000137fed2d3300124115fc1572acafe2f > > > > Yes, that's what I would expect. The expectation is that either one > > would set that option before installing the policy for the first time, > > or that one completely re-installs the policy after setting that option. > > Can we have a little better handling of this case? I don't mind > reinstalling the policy, but the error messages aren't helpful. In > addition, with semodule -l being broken, I have to look into the module > store to see what modules are installed or guess. Seems like it is just as easy to just support pre-existing compressed modules, see below. Explicitly probe for the bzip2 magic string prefix and fall through to BZ2_bzReadOpen() if the module is bzipped even if bzip-blocksize=0. 
Thus bzip-blocksize=0 will prevent any further compression of subsequently installed/updated modules, but will continue to function with existing compressed modules. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
rc/direct_api.c
|
0fb9c99a4d005be1e50614ead5dd9e2df489a753 |
05-Aug-2009 |
Stephen Smalley <sds@tycho.nsa.gov> |
libsemanage 2.0.35
hangeLog
ERSION
|
8edc3f9730aab6bd8f52dafb9686baddaac83954 |
05-Aug-2009 |
Stephen Smalley <sds@tycho.nsa.gov> |
libsemanage: do not hard link files Remove the support for hard linking files in semanage_copy_file, as it is unsafe and can leave the active store corrupted if something goes wrong during the transaction. It also can leave the installed policy files with incorrect file modes or security contexts. To do this safely, we would need to change all functions that write to the sandbox files to first unlink the destination file. This was done in the original patch for the write_file helper but not for other cases. It would need to be done for all functions that open.*O_CREAT or fopen.*w on a file in the sandbox. We also don't want this applied to the installed policy files, as they need to be created with appropriate file modes and security contexts that may differ from the sandbox files. At present, the hard link support will only affect the installed policy files when they are first created; afterward the link() call will always fail with EEXIST since they are not unlinked prior to installation (nor would that be safe as it could leave the system without a policy - rename would make more sense in that situation). If we were to re-introduce hard link support, we ought to use different helpers or flags for installing the policy files than for copying the active store to the temporary sandbox to avoid affecting both. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
rc/direct_api.c
rc/semanage_store.c
|
76412ffad682f0280e7bf4447d319f2c42573415 |
05-Aug-2009 |
Stephen Smalley <sds@tycho.nsa.gov> |
libsemanage 2.0.34
hangeLog
ERSION
|
ee9827000137fed2d3300124115fc1572acafe2f |
04-Aug-2009 |
Stephen Smalley <sds@tycho.nsa.gov> |
libsemanage: Enable configuration of bzip behavior Allow the administrator to customize the bzip block size and "small" flag via semanage.conf. After applying you can add entries like these to your /etc/selinux/semanage.conf to trade off memory vs disk space (block size) and to trade off memory vs runtime (small): bzip-blocksize=4 bzip-small=true You can also disable bzip compression altogether for your module store via: bzip-blocksize=0 The semanage.conf entries are now validated against legal value ranges at handle creation time. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
rc/conf-parse.y
rc/conf-scan.l
rc/direct_api.c
rc/direct_api.h
rc/semanage_conf.h
rc/semanage_store.c
|
3ba84a9f7f68164539604a6e40ca45e33a69bb11 |
07-Jul-2009 |
Joshua Brindle <method@manicmethod.com> |
Merge branch 'master' of jbrindle@oss.tresys.com:/home/git/selinux
|
834253d13a00bfec2b2e54e62f635bd131478205 |
07-Jul-2009 |
Daniel J Walsh <dwalsh@redhat.com> |
Author: Daniel J Walsh Email: dwalsh@redhat.com Subject: libsemanage direct_api can return errors < 0. Date: Mon, 08 Jun 2009 15:07:59 -0400 Signed-off-by: Joshua Brindle <method@manicmethod.com>
rc/direct_api.c
|
4d92b1f8d808947c63bb33487a5827e42ecf5190 |
07-Jul-2009 |
Stephen Smalley <sds@tycho.nsa.gov> |
libsemanage 2.0.33
hangeLog
ERSION
|
200efad4cb63fb35eb8a063d4bb0b0a3672ff66c |
07-Jul-2009 |
Christopher Pardy <cpardy@redhat.com> |
libsemanage: maintain disable dontaudit state between handle commits Currently any changes made to the policy which require committing a handle cause dontaudit rules to be re-enabled. This is confusing, and frustrating for users who want to edit policy with dontaudit rules turned off. This patch allows semanage to remember the last state of the dontaudit rules and apply them as default whenever a handle is connected. Additionally other functions may check for the file semanage creates to determine if dontaudit rules are turned on. This knowledge can be useful for tools like SETroubleshoot which may want to change their behavior depending on the state of the dontaudit rules. In the event that the file cannot be created a call to commit will fail. Signed-off-by: Christopher Pardy <cpardy@redhat.com> [sds: Removed duplicate from other patch and cleaned up style.] [sds: Changed uses of semanage_fname to semanage_path.] Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
nclude/semanage/handle.h
rc/direct_api.c
rc/handle.c
rc/libsemanage.map
rc/semanage_store.c
rc/semanage_store.h
|
a401a8762294d90e17fcaf83f4447ac6f246ba70 |
30-Jun-2009 |
Daniel J Walsh <dwalsh@redhat.com> |
Author: Daniel J Walsh Email: dwalsh@redhat.com Subject: libsemanage spelling mistake in error code. Date: Mon, 08 Jun 2009 15:14:02 -0400 Signed-off-by: Joshua Brindle <method@manicmethod.com>
rc/handle.c
|
0b659be9a500a68b133c2d33102b9f4fcd14f60f |
28-May-2009 |
Stephen Smalley <sds@moss-clownfish.epoch.ncsc.mil> |
bump libsemanage to 2.0.32
hangeLog
ERSION
|
d7dfd88158ca20311bd5edec64daed94c53511bc |
07-May-2009 |
David P. Quigley <dpquigl@moss-guppy.epoch.ncsc.mil> |
libsemanage: Add Ruby Bindings This patch adds a SWIG specification file for ruby bindings for libsemanage. The spec file is almost identical to the python SWIG file with the exception that all list generating typemaps have been removed and the python related functions have been replaced with the corresponding ruby ones. Finally the Makefile is modified to be able to build the new bindings. Something to note is that on 64-bit systems ruby.h might be found somewhere under /usr/lib64 instead of /usr/lib so LIBDIR=/usr/lib64 will be needed to build the ruby bindings from source. Below is an example using the ruby bindings which produces similar output to semodule -l
#!/usr/bin/ruby
require "semanage"
handle = Semanage.semanage_handle_create
Semanage.semanage_select_store(handle, "targeted", Semanage::SEMANAGE_CON_DIRECT)
Semanage.semanage_connect(handle)
module_info = Semanage.semanage_module_list(handle)
modules = Array.new()
module_info[2].times do |n|
  temp_module = Semanage.semanage_module_list_nth(module_info[1], n)
  mod_string = Semanage.semanage_module_get_name(temp_module).to_s + " " \
    + Semanage.semanage_module_get_version(temp_module).to_s
  modules.push(mod_string)
end
puts "List of Installed Modules"
modules.each do |str|
  puts str
end
Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
rc/Makefile
rc/semanageswig_ruby.i
|
10760735e9aaef2c7e88076f5f25c64d79b45edf |
12-Jan-2009 |
Joshua Brindle <method@manicmethod.com> |
bump libsemanage to 2.0.31
hangeLog
ERSION
|
844e23c77bb5c26ea536a925c98eadf6a5f2e5c3 |
05-Jan-2009 |
Joshua Brindle <method@manicmethod.com> |
regenerate swig bindings for compression support from commit 142bafa24900b5d9480818c9e81670bbeba2b44d
rc/semanage.py
rc/semanageswig_wrap.c
ests/Makefile
|
df77db47e5fffde8905dd7de006ab18ecd4b59f8 |
05-Jan-2009 |
Joshua Brindle <method@manicmethod.com> |
Author: Daniel J Walsh Email: dwalsh@redhat.com Subject: Now that F11 has started, I am putting in the compression support. Date: Mon, 12 Jan 2009 10:37:23 -0500 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Joshua Brindle wrote: > Daniel J Walsh wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> libsemanage patch to add compression. >> >> Uses bzip compression, all pp files in active/previous stored in >> compressed state. Added new interfaces to be used by policycoreutils to >> specify file rather than memory map. >> >> Also uses link instead of copy whenever possible to save disk space. >> Seeing about a 10 fold savings on policy footprint. > > resend > > Comments inline > >> diff --exclude-from=exclude -N -u -r > nsalibsemanage/include/semanage/modules.h > libsemanage-2.0.28/include/semanage/modules.h >> --- nsalibsemanage/include/semanage/modules.h 2008-08-28 > 09:34:24.000000000 -0400 >> +++ libsemanage-2.0.28/include/semanage/modules.h 2008-10-13 > 12:35:22.000000000 -0400 >> @@ -30,10 +30,16 @@ >> >> int semanage_module_install(semanage_handle_t *, >> char *module_data, size_t data_len); >> +int semanage_module_install_file(semanage_handle_t *, >> + const char *module_name); >> int semanage_module_upgrade(semanage_handle_t *, >> char *module_data, size_t data_len); >> +int semanage_module_upgrade_file(semanage_handle_t *, >> + const char *module_name); >> int semanage_module_install_base(semanage_handle_t *, >> char *module_data, size_t data_len); >> +int semanage_module_install_base_file(semanage_handle_t *, >> + const char *module_name); >> int semanage_module_remove(semanage_handle_t *, char *module_name); >> >> /* semanage_module_info is for getting information on installed >> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/Makefile > libsemanage-2.0.28/src/Makefile >> --- nsalibsemanage/src/Makefile 2008-08-28 09:34:24.000000000 -0400 >> +++ libsemanage-2.0.28/src/Makefile 2008-10-13 12:35:22.000000000 -0400 
>> @@ -54,7 +54,7 @@ >> ranlib $@ >> >> $(LIBSO): $(LOBJS) >> - $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol -lselinux -lustr > -L$(LIBDIR) -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs >> + $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol -lselinux -lbz2 > -lustr -L$(LIBDIR) > -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs >> ln -sf $@ $(TARGET) >> >> conf-scan.c: conf-scan.l conf-parse.h >> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c > libsemanage-2.0.28/src/direct_api.c >> --- nsalibsemanage/src/direct_api.c 2008-09-15 12:20:44.000000000 -0400 >> +++ libsemanage-2.0.28/src/direct_api.c 2008-10-13 16:36:51.000000000 > -0400 >> @@ -50,6 +50,7 @@ >> #include "semanage_store.h" >> #include "database_policydb.h" >> #include "policy.h" >> +#include <sys/mman.h> >> >> static void semanage_direct_destroy(semanage_handle_t * sh); >> static int semanage_direct_disconnect(semanage_handle_t * sh); >> @@ -57,10 +58,13 @@ >> static int semanage_direct_commit(semanage_handle_t * sh); >> static int semanage_direct_install(semanage_handle_t * sh, char *data, >> size_t data_len); >> +static int semanage_direct_install_file(semanage_handle_t * sh, const > char *module_name); >> static int semanage_direct_upgrade(semanage_handle_t * sh, char *data, >> size_t data_len); >> +static int semanage_direct_upgrade_file(semanage_handle_t * sh, const > char *module_name); >> static int semanage_direct_install_base(semanage_handle_t * sh, char > *base_data, >> size_t data_len); >> +static int semanage_direct_install_base_file(semanage_handle_t * sh, > const char *module_name); >> static int semanage_direct_remove(semanage_handle_t * sh, char > *module_name); >> static int semanage_direct_list(semanage_handle_t * sh, >> semanage_module_info_t ** modinfo, 
>> @@ -73,8 +77,11 @@ >> .begin_trans = semanage_direct_begintrans, >> .commit = semanage_direct_commit, >> .install = semanage_direct_install, >> + .install_file = semanage_direct_install_file, >> .upgrade = semanage_direct_upgrade, >> + .upgrade_file = semanage_direct_upgrade_file, >> .install_base = semanage_direct_install_base, >> + .install_base_file = semanage_direct_install_base_file, >> .remove = semanage_direct_remove, >> .list = semanage_direct_list >> }; 
>> @@ -378,12 +385,157 @@ >> return 0; >> } >> >> +#include <stdlib.h> >> +#include <bzlib.h> >> +#include <string.h> >> +#include <sys/sendfile.h> >> + >> +/* bzip() a file to '*data', returning the total number of > uncompressed bytes >> + * in the file. Returns 0 if file could not be decompressed. */ > > Why 0? Can we make this -1? > Fixed >> +static size_t bzip(const char *filename, char *data, size_t num_bytes) { >> + BZFILE* b; >> + size_t size = 1<<16; >> + int bzerror; >> + size_t total = 0; >> + size_t len = 0; >> + FILE *f; >> + >> + if ((f = fopen(filename, "wb")) == NULL) { >> + return 0; >> + } >> + >> + b = BZ2_bzWriteOpen( &bzerror, f, 9, 0, 0); >> + if (bzerror != BZ_OK) { >> + BZ2_bzWriteClose ( &bzerror, b, 1, 0, 0 ); >> + return 0; >> + } >> + >> + while ( num_bytes > total ) { >> + if (num_bytes - total > size) { >> + len = size; >> + } else { >> + len = num_bytes - total; >> + } >> + BZ2_bzWrite ( &bzerror, b, &data[total], len ); >> + if (bzerror == BZ_IO_ERROR) { >> + BZ2_bzWriteClose ( &bzerror, b, 1, 0, 0 ); >> + return 0; >> + } >> + total += len; >> + } >> + >> + BZ2_bzWriteClose ( &bzerror, b, 0, 0, 0 ); >> + fclose(f); >> + if (bzerror == BZ_IO_ERROR) { >> + return 0; >> + } >> + return total; >> +} >> + >> +/* bunzip() a file to '*data', returning the total number of > uncompressed bytes >> + * in the file. Returns 0 if file could not be decompressed. */ > > Same as above. 
> Fixed >> +size_t bunzip(FILE *f, char **data) { >> + BZFILE* b; >> + size_t nBuf; >> + char buf[1<<18]; >> + size_t size = sizeof(buf); >> + int bzerror; >> + size_t total=0; >> + >> + b = BZ2_bzReadOpen ( &bzerror, f, 0, 0, NULL, 0 ); >> + if ( bzerror != BZ_OK ) { >> + BZ2_bzReadClose ( &bzerror, b ); >> + return 0; >> + } >> + >> + char *uncompress = realloc(NULL, size); >> + >> + while ( bzerror == BZ_OK) { >> + nBuf = BZ2_bzRead ( &bzerror, b, buf, sizeof(buf)); >> + if (( bzerror == BZ_OK ) || ( bzerror == BZ_STREAM_END )) { >> + if (total + nBuf > size) { >> + size *= 2; >> + uncompress = realloc(uncompress, size); >> + } >> + memcpy(&uncompress[total], buf, nBuf); >> + total += nBuf; >> + } >> + } >> + if ( bzerror != BZ_STREAM_END ) { >> + BZ2_bzReadClose ( &bzerror, b ); >> + free(uncompress); >> + return 0; >> + } >> + BZ2_bzReadClose ( &bzerror, b ); >> + >> + *data = uncompress; >> + return total; >> +} >> + >> +/* mmap() a file to '*data', >> + * If the file is bzip compressed map_file will uncompress >> + * the file into '*data'. >> + * Returns the total number of bytes in memory . >> + * Returns 0 if file could not be opened or mapped. 
*/ > > Same as above > Fixed >> +static size_t map_file(int fd, char **data, int *compressed) >> +{ >> + int size; >> + char *uncompress; >> + if ((size = bunzip(fdopen(fd, "r"), &uncompress)) > 0) { >> + *data = mmap(0, size, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); >> + if (*data == MAP_FAILED) { >> + free(uncompress); >> + return 0; >> + } else { >> + memcpy(*data, uncompress, size); >> + } >> + free(uncompress); >> + *compressed = 1; >> + } else { >> + struct stat sb; >> + if (fstat(fd, &sb) == -1 || >> + (*data = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0)) == >> + MAP_FAILED) { >> + size = 0; >> + } else { >> + size = sb.st_size; >> + } >> + *compressed = 0; >> + } >> + >> + return size; >> +} >> + >> +static int dupfile( const char *dest, int src_fd) { >> + int dest_fd = -1; >> + int retval = 0; >> + int cnt; >> + char buf[1<<18]; >> + >> + if (lseek(src_fd, 0, SEEK_SET) == -1 ) return -1; >> + >> + if ((dest_fd = open(dest, O_WRONLY | O_CREAT | O_TRUNC, >> + S_IRUSR | S_IWUSR)) == -1) { >> + return -1; >> + } >> + >> + while (( retval == 0 ) && >> + ( cnt = read(src_fd, buf, sizeof(buf)))> 0 ) { >> + if (write(dest_fd, buf, cnt) < cnt) retval = -1; >> + } >> + close(dest_fd); >> + return retval; >> +} >> + >> /* Writes a block of data to a file. Returns 0 on success, -1 on >> * error. */ >> static int write_file(semanage_handle_t * sh, >> const char *filename, char *data, size_t num_bytes) >> { >> int out; >> + >> + /* Unlink no matter what, incase this file is a hard link, ignore > error */ >> + unlink(filename); >> if ((out = >> open(filename, O_WRONLY | O_CREAT | O_TRUNC, >> S_IRUSR | S_IWUSR)) == -1) { 
>> @@ -499,7 +651,7 @@ >> sepol_policydb_t *out = NULL; >> >> /* Declare some variables */ >> - int modified, fcontexts_modified, ports_modified, >> + int modified = 0, fcontexts_modified, ports_modified, >> seusers_modified, users_extra_modified; >> dbase_config_t *users = semanage_user_dbase_local(sh); >> dbase_config_t *users_base = semanage_user_base_dbase_local(sh); >> @@ -815,7 +967,9 @@ >> &filename)) != 0) { >> goto cleanup; >> } >> - if (write_file(sh, filename, data, data_len) == -1) { >> + >> + if (bzip(filename, data, data_len) == 0) { >> + ERR(sh, "Error while writing to %s.", filename); >> retval = -3; >> } >> retval = 0; > retval = -3 gets smashed immediately afterward 
> >> @@ -826,19 +980,60 @@ >> return retval; >> } >> >> -/* Similar to semanage_direct_install(), except that it checks that >> - * there already exists a module with the same name and that the >> - * module is an older version then the one in 'data'. Returns 0 on >> - * success, -1 if out of memory, -2 if the data does not represent a >> - * valid module file, -3 if error while writing file or reading >> - * modules directory, -4 if there does not exist an older module or if >> - * the previous module is same or newer than 'data'. >> - */ >> -static int semanage_direct_upgrade(semanage_handle_t * sh, >> - char *data, size_t data_len) >> +/* Attempts to link a module to the sandbox's module directory, > unlinking any >> + * previous module stored within. Returns 0 on success, -1 if out of > memory, -2 if the >> + * data does not represent a valid module file, -3 if error while >> + * writing file. */ >> + >> +static int semanage_direct_install_file(semanage_handle_t * sh, >> + const char *install_filename) >> { >> + >> + int retval = -1; >> + char *data = NULL; >> + size_t data_len = 0; >> + int compressed = 0; >> + int in_fd = -1; >> + >> + if ((in_fd = open(install_filename, O_RDONLY)) == -1) { >> + return 0; > > returning 0 on failure here > Fixed >> + } >> + >> + if ((data_len = map_file(in_fd, &data, &compressed)) == 0) { >> + goto cleanup; >> + } >> + >> + if (compressed) { >> + char *module_name = NULL, *version = NULL, *filename = NULL; >> + if ((retval = parse_module_headers(sh, data, data_len, >> + &module_name, &version, >> + &filename)) != 0) { >> + goto cleanup; > > Probably need to free module_name, version, filename here > Why these are cleaned up in cleanup and if it gets an error it should not have allocated memory? 
>> + } >> + >> + if (data_len > 0) munmap(data, data_len); >> + data_len = 0; >> + retval = dupfile(filename, in_fd); >> + free(version); >> + free(filename); >> + free(module_name); >> + >> + } else { >> + retval = semanage_direct_install(sh, data, data_len); >> + } >> + >> + cleanup: >> + close(in_fd); >> + if (data_len > 0) munmap(data, data_len); >> + >> + return retval; >> +} >> + >> + >> +static int get_direct_upgrade_filename(semanage_handle_t * sh, >> + char *data, size_t data_len, char **outfilename) { >> int i, retval, num_modules = 0; >> - char *module_name = NULL, *version = NULL, *filename = NULL; >> + char *filename = NULL, *module_name = NULL, *version = NULL; > > ? Removed > >> semanage_module_info_t *modinfo = NULL; >> if ((retval = parse_module_headers(sh, data, data_len, >> &module_name, &version, >> @@ -868,14 +1063,10 @@ >> if (retval == -4) { >> ERR(sh, "There does not already exist a module named %s.", >> module_name); >> - goto cleanup; >> - } >> - if (write_file(sh, filename, data, data_len) == -1) { >> - retval = -3; >> } >> + >> cleanup: >> free(version); >> - free(filename); >> free(module_name); >> for (i = 0; modinfo != NULL && i < num_modules; i++) { >> semanage_module_info_t *m = 
>> @@ -883,6 +1074,80 @@ >> semanage_module_info_datum_destroy(m); >> } >> free(modinfo); >> + if (retval == 0) { >> + *outfilename = filename; >> + } else { >> + free(filename); >> + } >> + return retval; >> +} >> + >> +/* Similar to semanage_direct_install(), except that it checks that >> + * there already exists a module with the same name and that the >> + * module is an older version then the one in 'data'. Returns 0 on >> + * success, -1 if out of memory, -2 if the data does not represent a >> + * valid module file, -3 if error while writing file or reading >> + * modules directory, -4 if there does not exist an older module or if >> + * the previous module is same or newer than 'data'. >> + */ >> +static int semanage_direct_upgrade(semanage_handle_t * sh, >> + char *data, size_t data_len) >> +{ >> + char *filename = NULL; >> + int retval = get_direct_upgrade_filename(sh, >> + data, data_len, >> + &filename); >> + if (retval == 0) { >> + if (bzip(filename, data, data_len) == 0) { >> + ERR(sh, "Error while writing to %s.", filename); >> + retval = -3; >> + } >> + free(filename); >> + } >> + return retval; >> +} >> + >> +/* Attempts to link a module to the sandbox's module directory, > unlinking any >> + * previous module stored within. >> + * Returns 0 on success, -1 if out of memory, -2 if the >> + * data does not represent a valid module file, -3 if error while >> + * writing file. 
*/ >> + >> +static int semanage_direct_upgrade_file(semanage_handle_t * sh, >> + const char *module_filename) >> +{ >> + int retval = -1; >> + char *data = NULL; >> + size_t data_len = 0; >> + int compressed = 0; >> + int in_fd = -1; >> + >> + if ((in_fd = open(module_filename, O_RDONLY)) == -1) { >> + return 0; > > returning 0 on failure > Fixed >> + } >> + >> + if ((data_len = map_file(in_fd, &data, &compressed)) == 0) { >> + goto cleanup; >> + } >> + >> + if (compressed) { >> + char *filename = NULL; >> + retval = get_direct_upgrade_filename(sh, >> + data, data_len, >> + &filename); >> + >> + if (retval != 0) goto cleanup; >> + >> + retval = dupfile(filename, in_fd); >> + free(filename); >> + } else { >> + retval = semanage_direct_upgrade(sh, data, data_len); >> + } >> + >> + cleanup: >> + close(in_fd); >> + if (data_len > 0) munmap(data, data_len); >> + >> return retval; >> } >> >> @@ -903,7 +1168,8 @@ >> if ((filename = semanage_path(SEMANAGE_TMP, SEMANAGE_BASE)) == NULL) { >> goto cleanup; >> } >> - if (write_file(sh, filename, base_data, data_len) == -1) { >> + if (bzip(filename, base_data, data_len) == 0) { >> + ERR(sh, "Error while writing to %s.", filename); >> retval = -3; >> } >> retval = 0; > > retval gets smashed > Fixed, this was an existing bug, BTW 
>> @@ -911,6 +1177,49 @@ >> return retval; >> } >> >> +/* Writes a base module into a sandbox, overwriting any previous base >> + * module. >> + * Returns 0 on success, -1 if out of memory, -2 if the data does not > represent >> + * a valid base module file, -3 if error while writing file. >> + */ >> +static int semanage_direct_install_base_file(semanage_handle_t * sh, >> + const char *install_filename) >> +{ >> + int retval = -1; >> + char *data = NULL; >> + size_t data_len = 0; >> + int compressed = 0; >> + int in_fd; >> + >> + if ((in_fd = open(install_filename, O_RDONLY)) == -1) { >> + return 0; > > returning 0 on failure > Fixed >> + } >> + >> + if ((data_len = map_file(in_fd, &data, &compressed)) == 0) { >> + goto cleanup; >> + } >> + >> + if (compressed) { >> + const char *filename = NULL; >> + if ((retval = parse_base_headers(sh, data, data_len)) != 0) { >> + goto cleanup; >> + } >> + if ((filename = semanage_path(SEMANAGE_TMP, SEMANAGE_BASE)) == NULL) { >> + goto cleanup; >> + } >> + >> + retval = dupfile(filename, in_fd); >> + } else { >> + retval = semanage_direct_install_base(sh, data, data_len); >> + } >> + >> + cleanup: >> + close(in_fd); >> + if (data_len > 0) munmap(data, data_len); >> + >> + return retval; >> +} >> + >> /* Removes a module from the sandbox. Returns 0 on success, -1 if out >> * of memory, -2 if module not found or could not be removed. */ >> static int semanage_direct_remove(semanage_handle_t * sh, char > *module_name) 
>> @@ -1005,15 +1314,26 @@ >> * report it */ >> continue; >> } >> + size_t size; >> + char *data = NULL; >> + >> + if ((size = bunzip(fp, &data)) != 0) { >> + fclose(fp); >> + fp = fmemopen(data, size, "rb"); > > unhandled error from fclose and fmemopen > Fixed fmemopen failure, we don't check fclose failure anywhere in the code. >> + } >> + rewind(fp); >> + >> __fsetlocking(fp, FSETLOCKING_BYCALLER); >> sepol_policy_file_set_fp(pf, fp); >> if (sepol_module_package_info(pf, &type, &name, &version)) { >> fclose(fp); >> + free(data); >> free(name); >> free(version); >> continue; >> } >> fclose(fp); >> + free(data); >> if (type == SEPOL_POLICY_MOD) { >> (*modinfo)[*num_modules].name = name; >> (*modinfo)[*num_modules].version = version; >> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.h > libsemanage-2.0.28/src/direct_api.h >> --- nsalibsemanage/src/direct_api.h 2008-08-28 09:34:24.000000000 -0400 >> +++ libsemanage-2.0.28/src/direct_api.h 2008-10-13 12:35:22.000000000 > -0400 >> @@ -37,4 +37,7 @@ >> >> int semanage_direct_access_check(struct semanage_handle *sh); >> >> +#include <stdio.h> >> +size_t bunzip(FILE *f, char **data); >> + >> #endif >> diff --exclude-from=exclude -N -u -r > nsalibsemanage/src/libsemanage.map libsemanage-2.0.28/src/libsemanage.map >> --- nsalibsemanage/src/libsemanage.map 2008-08-28 09:34:24.000000000 > -0400 >> +++ libsemanage-2.0.28/src/libsemanage.map 2008-10-13 > 12:35:22.000000000 -0400 
>> @@ -3,8 +3,10 @@ >> semanage_is_managed; semanage_connect; semanage_disconnect; >> semanage_msg_*; >> semanage_begin_transaction; semanage_commit; >> - semanage_module_install; semanage_module_upgrade; >> - semanage_module_install_base; semanage_module_remove; >> + semanage_module_install; semanage_module_install_file; >> + semanage_module_upgrade; semanage_module_upgrade_file; >> + semanage_module_install_base; semanage_module_install_base_file; >> + semanage_module_remove; >> semanage_module_list; semanage_module_info_datum_destroy; >> semanage_module_list_nth; semanage_module_get_name; >> semanage_module_get_version; semanage_select_store; >> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/modules.c > libsemanage-2.0.28/src/modules.c >> --- nsalibsemanage/src/modules.c 2008-08-28 09:34:24.000000000 -0400 >> +++ libsemanage-2.0.28/src/modules.c 2008-10-13 12:35:22.000000000 -0400 >> @@ -52,6 +52,25 @@ >> return sh->funcs->install(sh, module_data, data_len); >> } >> >> +int semanage_module_install_file(semanage_handle_t * sh, >> + const char *module_name) { >> + >> + if (sh->funcs->install_file == NULL) { >> + ERR(sh, >> + "No install function defined for this connection type."); >> + return -1; >> + } else if (!sh->is_connected) { >> + ERR(sh, "Not connected."); >> + return -1; >> + } else if (!sh->is_in_transaction) { >> + if (semanage_begin_transaction(sh) < 0) { >> + return -1; >> + } >> + } >> + sh->modules_modified = 1; >> + return sh->funcs->install_file(sh, module_name); >> +} >> + >> int semanage_module_upgrade(semanage_handle_t * sh, >> char *module_data, size_t data_len) >> { 
>> @@ -71,6 +90,25 @@ >> return sh->funcs->upgrade(sh, module_data, data_len); >> } >> >> +int semanage_module_upgrade_file(semanage_handle_t * sh, >> + const char *module_name) { >> + >> + if (sh->funcs->upgrade_file == NULL) { >> + ERR(sh, >> + "No upgrade function defined for this connection type."); >> + return -1; >> + } else if (!sh->is_connected) { >> + ERR(sh, "Not connected."); >> + return -1; >> + } else if (!sh->is_in_transaction) { >> + if (semanage_begin_transaction(sh) < 0) { >> + return -1; >> + } >> + } >> + sh->modules_modified = 1; >> + return sh->funcs->upgrade_file(sh, module_name); >> +} >> + >> int semanage_module_install_base(semanage_handle_t * sh, >> char *module_data, size_t data_len) >> { >> @@ -90,6 +128,25 @@ >> return sh->funcs->install_base(sh, module_data, data_len); >> } >> >> +int semanage_module_install_base_file(semanage_handle_t * sh, >> + const char *module_name) { >> + >> + if (sh->funcs->install_base_file == NULL) { >> + ERR(sh, >> + "No install base function defined for this connection type."); >> + return -1; >> + } else if (!sh->is_connected) { >> + ERR(sh, "Not connected."); >> + return -1; >> + } else if (!sh->is_in_transaction) { >> + if (semanage_begin_transaction(sh) < 0) { >> + return -1; >> + } >> + } >> + sh->modules_modified = 1; >> + return sh->funcs->install_base_file(sh, module_name); >> +} >> + >> int semanage_module_remove(semanage_handle_t * sh, char *module_name) >> { >> if (sh->funcs->remove == NULL) { >> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/policy.h > libsemanage-2.0.28/src/policy.h >> --- nsalibsemanage/src/policy.h 2008-08-28 09:34:24.000000000 -0400 >> +++ libsemanage-2.0.28/src/policy.h 2008-10-13 12:35:22.000000000 -0400 
>> @@ -49,8 +49,14 @@ >> /* Install a policy module */ >> int (*install) (struct semanage_handle *, char *, size_t); >> >> + /* Install a policy module */ >> + int (*install_file) (struct semanage_handle *, const char *); >> + >> /* Upgrade a policy module */ >> int (*upgrade) (struct semanage_handle *, char *, size_t); >> + >> + /* Upgrade a policy module */ >> + int (*upgrade_file) (struct semanage_handle *, const char *); >> >> /* Remove a policy module */ >> int (*remove) (struct semanage_handle *, char *); >> @@ -61,6 +67,9 @@ >> >> /* Install base policy */ >> int (*install_base) (struct semanage_handle *, char *, size_t); >> + >> + /* Install a base module */ >> + int (*install_base_file) (struct semanage_handle *, const char *); >> }; >> >> /* Should be backend independent */ >> diff --exclude-from=exclude -N -u -r > nsalibsemanage/src/semanage_store.c libsemanage-2.0.28/src/semanage_store.c >> --- nsalibsemanage/src/semanage_store.c 2008-09-15 12:20:44.000000000 > -0400 >> +++ libsemanage-2.0.28/src/semanage_store.c 2008-10-13 > 12:57:29.000000000 -0400 >> @@ -440,6 +440,8 @@ >> char tmp[PATH_MAX]; >> char buf[4192]; >> >> + if (link(src,dst) == 0) return 0; >> + >> n = snprintf(tmp, PATH_MAX, "%s.tmp", dst); >> if (n < 0 || n >= PATH_MAX) >> return -1; 
>> @@ -1522,16 +1524,26 @@ >> ERR(sh, "Could not open module file %s for reading.", filename); >> goto cleanup; >> } >> + size_t size; >> + char *data = NULL; >> + >> + if ((size = bunzip(fp, &data)) != 0) { >> + fclose(fp); >> + fp = fmemopen(data, size, "rb"); >> + } > > unhandled error from fclose and fmemopen > Fixed as above > >> + rewind(fp); >> __fsetlocking(fp, FSETLOCKING_BYCALLER); >> sepol_policy_file_set_fp(pf, fp); >> sepol_policy_file_set_handle(pf, sh->sepolh); >> if (sepol_module_package_read(*package, pf, 0) == -1) { >> ERR(sh, "Error while reading from module file %s.", filename); >> fclose(fp); >> + free(data); >> goto cleanup; >> } >> sepol_policy_file_free(pf); >> fclose(fp); >> + free(data); >> return retval; >> >> cleanup: > >
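Review bot: in the `@@ -826,19 +980,60 @@` hunk, `semanage_direct_install_file` initialises `retval = -1` and returns that unchanged when `map_file()` fails, yet the header comment documents -1 as "out of memory", so a short read or a bad mapping of the module file is reported to the caller as an allocation failure. Set `retval = -3` (or a dedicated read-error code) on that path and report the filename with `ERR()` as the other failure paths do; the same applies to the `open()` failure at the top of the function, which currently `return 0;` and lets the transaction commit with nothing installed (the later `semanage_direct_upgrade_file` and `semanage_direct_install_base_file` hunks repeat both patterns).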
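Review bot: in the `@@ -868,14 +1063,10 @@` and `@@ -883,6 +1074,80 @@` hunks, `get_direct_upgrade_filename` now holds the "is there an older module of this name" check and its -4 result, but has no header comment, and the comment copied onto `semanage_direct_upgrade_file` lists only 0, -1, -2 and -3, so a caller reading it will not expect -4 ("no older module or previous module is same or newer"). Document -4 on both functions and state that `*outfilename` is heap-allocated and owned by the caller on success, since the `if (retval == 0) *outfilename = filename; else free(filename);` split is the only place that contract is visible.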
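Review bot: in the `@@ -1005,15 +1314,26 @@` hunk, `bunzip()` returns `size_t`, so 0 is its only failure signal and this code also treats 0 as "file is not compressed": a truncated or corrupt bzip2 module therefore falls through to `rewind(fp)` and is handed to `sepol_module_package_info` as if it were a raw module, and the resulting failure is logged as a malformed module rather than a failed decompression. Return the status separately from the length (an `int` return with the length in an out parameter, or a distinguished value for "not bzip2"), and keep the `fp == NULL` check after `fmemopen` ahead of `rewind(fp)` so a failed reopen cannot dereference NULL. The mid-block `size_t size; char *data = NULL;` declarations after statements also depart from the file's C89-style layout.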
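Review bot: in the `direct_api.h` hunk (`@@ -37,4 +37,7 @@`), the new `#include <stdio.h>` is placed between the last declaration and `#endif` instead of with the header's other includes at the top, and the `bunzip` prototype carries no comment describing its contract (what 0 means, that `*data` is heap-allocated and freed by the caller). Move the include up and add a one-line comment stating the return convention, since both `direct_api.c` and `semanage_store.c` depend on it.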
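Review bot: in the `modules.c` hunk `@@ -52,6 +52,25 @@`, the parameter of the public `semanage_module_install_file` is named `module_name` although it receives a file path (the direct backend calls the same argument `install_filename`), which suggests to API users that a store module name is accepted; rename it to `module_filename` here and in the `modules.h` declaration. The wrapper also repeats the `funcs == NULL` / `is_connected` / `is_in_transaction` preamble of `semanage_module_install` verbatim; a small static helper would keep those checks in one place. The same two points apply to the `semanage_module_upgrade_file` (`@@ -71,6 +90,25 @@`) and `semanage_module_install_base_file` (`@@ -90,6 +128,25 @@`) hunks.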
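Review bot: in the `policy.h` hunk `@@ -49,8 +49,14 @@`, the comments on the new function pointers are copied verbatim from their buffer-based siblings (`/* Install a policy module */` appears above both `install` and `install_file`, likewise for `upgrade`), so the header no longer tells the reader which variant takes a buffer and which a path. Make them `/* Install a policy module from a file */` and `/* Upgrade a policy module from a file */`, and in `@@ -61,6 +67,9 @@` align `/* Install a base module */` with the sibling wording, e.g. `/* Install base policy from a file */`.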
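Review bot: in the `semanage_store.c` hunk `@@ -440,6 +440,8 @@`, `if (link(src,dst) == 0) return 0;` turns the copy into a hard link whenever the source is on the same filesystem, so the store entry shares an inode with the caller-supplied module file: whoever owns the source keeps write access to what is now store content, its mode bits are carried into the store unchanged, and the temp-file-then-rename copy path that follows is bypassed. Keep the copy for files coming from outside the store (or link only when `src` already lives inside it), and if the link fast path stays for speed, say so in the function's comment so callers know the ownership implication.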
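Review bot: in the `semanage_store.c` hunk `@@ -1522,16 +1524,26 @@`, this is the second verbatim copy of the "bunzip, fclose, fmemopen, rewind" sequence (the first is in the module-listing hunk of `direct_api.c`), each with its own `free(data)` on every exit path. Factor it into one helper in `semanage_store.c` that opens a module file, transparently decompresses it, and hands back the `FILE *` together with the owned buffer, so the `fmemopen` NULL check and the buffer release are written once; as it stands the `cleanup:` label reached from the earlier "Could not open module file" error sits outside the lifetime of `data`, and any future `goto cleanup` between `bunzip` and `sepol_module_package_read` would leak it.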
nclude/semanage/modules.h
rc/Makefile
rc/direct_api.c
rc/direct_api.h
rc/libsemanage.map
rc/modules.c
rc/policy.h
rc/semanage_store.c
|
46dc67016b13e43e0d3a0d53fbea85f9b8437ce6 |
12-Nov-2008 |
Stephen Smalley <sds@tycho.nsa.gov> |
Bump libsemanage to 2.0.30.
hangeLog
ERSION
|
0a515c461000f9b1f74b79714ccf0d1d4b775c8a |
10-Nov-2008 |
Stephen Smalley <sds@tycho.nsa.gov> |
libsemanage: Add semanage_mls_enabled interface Add a semanage_mls_enabled() interface to libsemanage so that semanage/seobject can be rewritten to use it to test whether MLS is enabled for a given policy store rather than checking the runtime MLS enabled status, which can be misleading when using semanage on a SELinux-disabled host or when using semanage on a store other than the active one. Sample usage: from semanage import * handle = semanage_handle_create() rc = semanage_connect(handle) rc = semanage_mls_enabled(handle) Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
nclude/semanage/handle.h
rc/direct_api.c
rc/direct_api.h
rc/handle.c
rc/libsemanage.map
rc/semanage.py
rc/semanageswig_wrap.c
|
223bb406d85e29482ed075c4b4d8b2dd6cc743f8 |
09-Nov-2008 |
Joshua Brindle <method@manicmethod.com> |
Bump libsemanage to 2.0.29 and policycoreutils to 2.0.59
hangeLog
ERSION
|
9e2c58f924c074c3f2b644e4a4ec197e1b629431 |
11-Nov-2008 |
Christopher J. PeBenito <cpebenito@tresys.com> |
homedir_template generation skips USER lines The current libsemanage code does not correctly add lines which include USER in them into the homedir_template, for example: /tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t This line was included in the past since it has ROLE. However, with the switch to UBAC separations, the line has changed to: /tmp/gconfd-USER -d system_u:object_r:user_tmp_t and is no longer included. The following patch fixes. Signed-off-by: Joshua Brindle <method@manicmethod.com>
rc/semanage_store.c
|
f187d4a56e43fe54a2f8f203d118cbc35cd0c2eb |
15-Sep-2008 |
Joshua Brindle <method@manicmethod.com> |
bump to libsemanage 2.0.28
hangeLog
ERSION
|
e319cd8538dca80c4a6f9ad2669b14e02f255853 |
15-Sep-2008 |
Joshua Brindle <method@manicmethod.com> |
Author: Daniel J Walsh Email: dwalsh@redhat.com Subject: libsemanage patch to not compile modules for seusers and fcontext Date: Wed, 10 Sep 2008 10:30:08 -0400 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ivan Gyurdiev wrote: > >>> I'm a little unclear on what this is doing - can you clarify? >>> >> This is clearing the existing seusers.final file, otherwise delete was >> not working. >> > I think the previous code was doing more - it was merging the local file > with the shipped base package file, like this: > > data = extract_file_from_policy_package( ) > write_file ( "seusers.final", data ) > if ( data != null ) { > seusers.clear_cache() // thereby forcing reload from > seusers.final when cache() is called again (in merge_components) > } else { > seusers.clear() > } > > It's also doing this three times (once for fcontexts, once for seusers, > once for seusers_extra). > The problem is that you're skipping the link_sandbox call, which builds > the base package, containing this information. > > Ivan > > Ok I found some problems with the previous patch and did some code reuse. I added a function that only read base.pp in order to handle the base user_extra and seusers problem. Signed-off-by: Joshua Brindle <method@manicmethod.com>
xample/test_fcontext.c
rc/direct_api.c
rc/semanage_store.c
rc/semanage_store.h
|
13cd4c8960688af11ad23b4c946149015c80d549 |
19-Aug-2008 |
Joshua Brindle <method@manicmethod.com> |
initial import from svn trunk revision 2950
OPYING
hangeLog
akefile
ERSION
nclude/Makefile
nclude/semanage/boolean_record.h
nclude/semanage/booleans_active.h
nclude/semanage/booleans_local.h
nclude/semanage/booleans_policy.h
nclude/semanage/context_record.h
nclude/semanage/debug.h
nclude/semanage/fcontext_record.h
nclude/semanage/fcontexts_local.h
nclude/semanage/fcontexts_policy.h
nclude/semanage/handle.h
nclude/semanage/iface_record.h
nclude/semanage/interfaces_local.h
nclude/semanage/interfaces_policy.h
nclude/semanage/modules.h
nclude/semanage/node_record.h
nclude/semanage/nodes_local.h
nclude/semanage/nodes_policy.h
nclude/semanage/port_record.h
nclude/semanage/ports_local.h
nclude/semanage/ports_policy.h
nclude/semanage/semanage.h
nclude/semanage/seuser_record.h
nclude/semanage/seusers_local.h
nclude/semanage/seusers_policy.h
nclude/semanage/user_record.h
nclude/semanage/users_local.h
nclude/semanage/users_policy.h
an/Makefile
an/man3/semanage_bool.3
an/man3/semanage_bool_count.3
an/man3/semanage_bool_count_active.3
an/man3/semanage_bool_count_local.3
an/man3/semanage_bool_del_local.3
an/man3/semanage_bool_exists.3
an/man3/semanage_bool_exists_active.3
an/man3/semanage_bool_exists_local.3
an/man3/semanage_bool_iterate.3
an/man3/semanage_bool_iterate_active.3
an/man3/semanage_bool_iterate_local.3
an/man3/semanage_bool_list.3
an/man3/semanage_bool_list_active.3
an/man3/semanage_bool_list_local.3
an/man3/semanage_bool_modify_local.3
an/man3/semanage_bool_query.3
an/man3/semanage_bool_query_active.3
an/man3/semanage_bool_query_local.3
an/man3/semanage_bool_set_active.3
an/man3/semanage_count.3
an/man3/semanage_del.3
an/man3/semanage_exists.3
an/man3/semanage_fcontext.3
an/man3/semanage_fcontext_count.3
an/man3/semanage_fcontext_count_local.3
an/man3/semanage_fcontext_del_local.3
an/man3/semanage_fcontext_exists.3
an/man3/semanage_fcontext_exists_local.3
an/man3/semanage_fcontext_iterate.3
an/man3/semanage_fcontext_iterate_local.3
an/man3/semanage_fcontext_list.3
an/man3/semanage_fcontext_list_local.3
an/man3/semanage_fcontext_modify_local.3
an/man3/semanage_fcontext_query.3
an/man3/semanage_fcontext_query_local.3
an/man3/semanage_iface.3
an/man3/semanage_iface_count.3
an/man3/semanage_iface_count_local.3
an/man3/semanage_iface_del_local.3
an/man3/semanage_iface_exists.3
an/man3/semanage_iface_exists_local.3
an/man3/semanage_iface_iterate.3
an/man3/semanage_iface_iterate_local.3
an/man3/semanage_iface_list.3
an/man3/semanage_iface_list_local.3
an/man3/semanage_iface_modify_local.3
an/man3/semanage_iface_query.3
an/man3/semanage_iface_query_local.3
an/man3/semanage_iterate.3
an/man3/semanage_list.3
an/man3/semanage_modify.3
an/man3/semanage_node.3
an/man3/semanage_node_count.3
an/man3/semanage_node_count_local.3
an/man3/semanage_node_del_local.3
an/man3/semanage_node_exists.3
an/man3/semanage_node_exists_local.3
an/man3/semanage_node_iterate.3
an/man3/semanage_node_iterate_local.3
an/man3/semanage_node_list.3
an/man3/semanage_node_list_local.3
an/man3/semanage_node_modify_local.3
an/man3/semanage_node_query.3
an/man3/semanage_node_query_local.3
an/man3/semanage_port.3
an/man3/semanage_port_count.3
an/man3/semanage_port_count_local.3
an/man3/semanage_port_del_local.3
an/man3/semanage_port_exists.3
an/man3/semanage_port_exists_local.3
an/man3/semanage_port_iterate.3
an/man3/semanage_port_iterate_local.3
an/man3/semanage_port_list.3
an/man3/semanage_port_list_local.3
an/man3/semanage_port_modify_local.3
an/man3/semanage_port_query.3
an/man3/semanage_port_query_local.3
an/man3/semanage_query.3
an/man3/semanage_seuser.3
an/man3/semanage_seuser_count.3
an/man3/semanage_seuser_count_local.3
an/man3/semanage_seuser_del_local.3
an/man3/semanage_seuser_exists.3
an/man3/semanage_seuser_exists_local.3
an/man3/semanage_seuser_iterate.3
an/man3/semanage_seuser_iterate_local.3
an/man3/semanage_seuser_list.3
an/man3/semanage_seuser_list_local.3
an/man3/semanage_seuser_modify_local.3
an/man3/semanage_seuser_query.3
an/man3/semanage_seuser_query_local.3
an/man3/semanage_user.3
an/man3/semanage_user_count.3
an/man3/semanage_user_count_local.3
an/man3/semanage_user_del_local.3
an/man3/semanage_user_exists.3
an/man3/semanage_user_exists_local.3
an/man3/semanage_user_iterate.3
an/man3/semanage_user_iterate_local.3
an/man3/semanage_user_list.3
an/man3/semanage_user_list_local.3
an/man3/semanage_user_modify_local.3
an/man3/semanage_user_query.3
an/man3/semanage_user_query_local.3
rc/Makefile
rc/boolean_internal.h
rc/boolean_record.c
rc/booleans_active.c
rc/booleans_activedb.c
rc/booleans_file.c
rc/booleans_local.c
rc/booleans_policy.c
rc/booleans_policydb.c
rc/conf-parse.y
rc/conf-scan.l
rc/context_internal.h
rc/context_record.c
rc/database.c
rc/database.h
rc/database_activedb.c
rc/database_activedb.h
rc/database_file.c
rc/database_file.h
rc/database_join.c
rc/database_join.h
rc/database_llist.c
rc/database_llist.h
rc/database_policydb.c
rc/database_policydb.h
rc/debug.c
rc/debug.h
rc/direct_api.c
rc/direct_api.h
rc/dso.h
rc/fcontext_internal.h
rc/fcontext_record.c
rc/fcontexts_file.c
rc/fcontexts_local.c
rc/fcontexts_policy.c
rc/genhomedircon.c
rc/genhomedircon.h
rc/handle.c
rc/handle.h
rc/handle_internal.h
rc/iface_internal.h
rc/iface_record.c
rc/interfaces_file.c
rc/interfaces_local.c
rc/interfaces_policy.c
rc/interfaces_policydb.c
rc/libsemanage.map
rc/module_internal.h
rc/modules.c
rc/modules.h
rc/node_internal.h
rc/node_record.c
rc/nodes_file.c
rc/nodes_local.c
rc/nodes_policy.c
rc/nodes_policydb.c
rc/parse_utils.c
rc/parse_utils.h
rc/policy.h
rc/policy_components.c
rc/port_internal.h
rc/port_record.c
rc/ports_file.c
rc/ports_local.c
rc/ports_policy.c
rc/ports_policydb.c
rc/pywrap-test.py
rc/semanage.conf
rc/semanage.py
rc/semanage_conf.h
rc/semanage_store.c
rc/semanage_store.h
rc/semanageswig.i
rc/semanageswig_python.i
rc/semanageswig_wrap.c
rc/seuser_internal.h
rc/seuser_record.c
rc/seusers_file.c
rc/seusers_local.c
rc/seusers_policy.c
rc/user_base_record.c
rc/user_extra_record.c
rc/user_internal.h
rc/user_record.c
rc/users_base_file.c
rc/users_base_policydb.c
rc/users_extra_file.c
rc/users_join.c
rc/users_local.c
rc/users_policy.c
rc/utilities.c
rc/utilities.h
ests/Makefile
ests/README
ests/libsemanage-tests.c
ests/nc_sort_malformed
ests/nc_sort_sorted
ests/nc_sort_unsorted
ests/test_semanage_store.c
ests/test_semanage_store.h
ests/test_utilities.c
ests/test_utilities.h
ests/utilities.c
ests/utilities.h
|