9eb9c9327563014ad6a807814e7975424642d5b9 |
|
19-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Get rid of security_context_t and fix const declarations. In attempting to enable building various part of Android with -Wall -Werror, we found that the const security_context_t declarations in libselinux are incorrect; const char * was intended, but const security_context_t translates to char * const and triggers warnings on passing const char * from the caller. Easiest fix is to replace them all with const char *. And while we are at it, just get rid of all usage of security_context_t itself as it adds no value - there is no true encapsulation of the security context strings and callers already directly use string functions on them. typedef left to permit building legacy users until such a time as all are updated. This is a port of Change-Id I2f9df7bb9f575f76024c3e5f5b660345da2931a7 from Android, augmented to deal with all of the other code in upstream libselinux and updating the man pages too. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com>
/external/selinux/libselinux/src/label.c
|
22671378f1ace857be4697a3b3aaf1645076d398 |
|
09-Oct-2013 |
Dan Walsh <dwalsh@redhat.com> |
Fix label substituion to work with the equiv path of "/" Software collections are setting up equiv directories to the root directory.
/external/selinux/libselinux/src/label.c
|
fd56c5230cea6b81fbe74d1d0a228936a6797923 |
|
09-Oct-2013 |
Dan Walsh <dwalsh@redhat.com> |
Separate out the calling of local subs and dist subs in selabel_sub We want to allow users to setup their substitions to run fist and then run the distro subs second. This fixes the problem where a user defines a sub like /usr/local/foobar and we ignore it. We need this for software collections which is setting up local subs of /opt/src/foobar/root /
/external/selinux/libselinux/src/label.c
|
cfc492cf11e1b641e2a0478907d56a17b771a067 |
|
31-May-2012 |
rpcraig <rpcraig@tycho.ncsc.mil> |
libselinux: New Android property labeling backend This is already in the android repo. This is here to prevent potential conflicts of the selabel indices, and possibly with an eye toward an eventual reunification of the two libselinuxes down the road. Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/label.c
|
2ca19f3f676a2747a38cf2d7dcf5037ccc8a9eb1 |
|
25-May-2012 |
Dan Walsh <dwalsh@redhat.com> |
libselinux: asprintf return code must be checked Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/label.c
|
16a37c9f94c1e2dfb865e17e4200d2824d4971f5 |
|
19-Dec-2011 |
Richard Haines <richard_c_haines@btinternet.com> |
libselinux - correct selabel invalid context logging When selabel_lookup found an invalid context with validation enabled, it always stated it was 'file_contexts' whether media, x, db or file. The fix is to store the spec file name in the selabel_lookup_rec on selabel_open and use this as output for logs. Also a minor fix if key is NULL to stop seg faults. Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/label.c
|
023c9c1fdee963606d830b70db108bd9031390f4 |
|
03-Oct-2011 |
Eric Paris <eparis@redhat.com> |
libselinux: label: cosmetic cleanups Return early to save an indent. Clean up all memory on ENOMEM conditions. Use '\0' instead of 0 for nul terminiator. Style changes to make Eric happy. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/label.c
|
441cf2ea924c13ed5002012aadd128f71d9e9c9d |
|
18-Apr-2011 |
Richard Haines <richard_c_haines@btinternet.com> |
libselinux: selabel_open fix processing of substitution files libselinux selabel_open function always processed the substitution files (if installed) from the active policy contexts/files/file_contexts.subs and subs_dist irrespective of the backend type or SELABEL_OPT_PATH setting. This patch now processes the correct subs files when selabel_open is called with SELABEL_CTX_FILE. The other backends could also process their own substitution files if needed in their own areas. [move the init declaration to label_internal.h - eparis] Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libselinux/src/label.c
|
20b43b3fd3d392c4f12a963a4e46c264e7ed5163 |
|
06-Apr-2011 |
Daniel J Walsh <dwalsh@redhat.com> |
This patch adds a new subs_dist file. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The idea is to allow distributions to ship a subs file as well as let the user modify subs. In F16 we are looking at shipping a file_contexts.subs_dist file like this cat file_contexts.subs_dist /run /var/run /run/lock /var/lock /var/run/lock /var/lock /lib64 /lib /usr/lib64 /usr/lib The we will remove all (64)? from policy. This will allow us to make sure all /usr/lib/libBLAH is labeled the same as /usr/lib64/libBLAH -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk2c1ksACgkQrlYvE4MpobNXcQCgqgAiQJxmwa1+NdIq8E3tQRp6 QT0An0ihA60di9CRsEqEdVbSaHOwtte5 =LXgd -----END PGP SIGNATURE----- Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libselinux/src/label.c
|
a00fd94a46e92a233f4e613660e9962918f28207 |
|
03-Dec-2010 |
Eamon Walsh <ewalsh@tycho.nsa.gov> |
selabel: Store substitution data in the handle instead of globally. This is for thread safety. Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
/external/selinux/libselinux/src/label.c
|
70aeeb918aa721ad90ed8e1b433a55c8ecf2cb83 |
|
15-Mar-2010 |
Eamon Walsh <ewalsh@tycho.nsa.gov> |
This patch allows selabel_*() interfaces to provide an expected security context for the given database object identified by its name and object class. It is necessary to implement a feature something like the restorecon on databases. The specfile shall be described as follows: ------------------------ # # The specfile for database objects # (for SE-PostgreSQL) # # <object class> <object name> <security context> # db_database * system_u:object_r:sepgsql_db_t:s0 db_schema *.pg_catalog system_u:obejct_r:sepgsql_sys_schema_t:s0 db_schema *.* system_u:object_r:sepgsql_schema_t:s0 db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0 db_table *.*.* system_u:object_r:sepgsql_table_t:s0 ------------------------ - All the characters after the '#' are ignored. - Wildcards ('*' and '?') are available. - It returns the first match security context. Note that hierarchy of the namespace of database objects depends on RDBMS. So, author of the specfile needs to write correct patterns which are suitable for the target RDBMS. The patched selabel_*() interfaces don't have any heuristics for the namespace hierarchy to be suitable for widespread RDBMSs. In the case of SE-PgSQL, when we lookup an expected security context for the 'my_table' table in the 'public' schema and 'postgres' database, the caller shall provide 'postgres.public.my_table' as a key. In the default, it tries to read a specfile which maps database objects and security context from the /etc/selinux/$POLICYTYPE/contexts/sepgsql_contexts. Note that when another RDBMS uses this interface, it needs to give an explicit SELABEL_OPT_PATH option on the selabel_open(). Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
/external/selinux/libselinux/src/label.c
|
20271d94ed2b26b94b052ba6ed90b63566cecbb7 |
|
04-Jun-2009 |
Daniel J Walsh <dwalsh@redhat.com> |
Author: Daniel J Walsh Email: dwalsh@redhat.com Subject: SELinux context patch Date: Mon, 18 May 2009 14:16:12 -0400 This patch adds context files for virtual_domain and virtual_image, these are both being used to locat the default context to be executed by svirt. I also included the subs patch which I submitted before. This patch allows us to substitute prefixes to matchpathcon. So we can say /export/home == /home and /web == /var/www Author: Chad Sellers Email: csellers@tresys.com Flipped free()'s in original patch when strdup'd fail to proper order. Signed-off-by: Chad Sellers <csellers@tresys.com>
/external/selinux/libselinux/src/label.c
|
13cd4c8960688af11ad23b4c946149015c80d549 |
|
19-Aug-2008 |
Joshua Brindle <method@manicmethod.com> |
initial import from svn trunk revision 2950
/external/selinux/libselinux/src/label.c
|