diff options
author | Xiao-Long Chen | 2015-06-08 20:46:57 -0400 |
---|---|---|
committer | Xiao-Long Chen | 2015-06-08 20:46:57 -0400 |
commit | 537b1a03857dd6a280f78ef2147b7d210afbc95d (patch) | |
tree | 49983cc4fd48d251d94d2c5e3c4da2cc3f0ed3f9 /0001_Remove_SELinux_support.patch | |
download | aur-537b1a03857dd6a280f78ef2147b7d210afbc95d.tar.gz |
Import from old AUR
Diffstat (limited to '0001_Remove_SELinux_support.patch')
-rw-r--r-- | 0001_Remove_SELinux_support.patch | 776 |
1 files changed, 776 insertions, 0 deletions
diff --git a/0001_Remove_SELinux_support.patch b/0001_Remove_SELinux_support.patch new file mode 100644 index 000000000000..88be2596796e --- /dev/null +++ b/0001_Remove_SELinux_support.patch @@ -0,0 +1,776 @@ +diff -Nru oddjob-0.31.2.orig/config.h.in oddjob-0.31.2/config.h.in +--- oddjob-0.31.2.orig/config.h.in 2012-11-12 13:36:56.512893317 -0500 ++++ oddjob-0.31.2/config.h.in 2012-11-12 13:37:01.532894421 -0500 +@@ -51,9 +51,6 @@ + /* Define to 1 if you have the `sasl2' library (-lsasl2). */ + #undef HAVE_LIBSASL2 + +-/* Define to 1 if you have the `selinux' library (-lselinux). */ +-#undef HAVE_LIBSELINUX +- + /* Define to 1 if you have the `matchpathcon_init' function. */ + #undef HAVE_MATCHPATHCON_INIT + +@@ -72,9 +69,6 @@ + /* Define to 1 if you have the <security/pam_modules.h> header file. */ + #undef HAVE_SECURITY_PAM_MODULES_H + +-/* Define to 1 if you have the <selinux/selinux.h> header file. */ +-#undef HAVE_SELINUX_SELINUX_H +- + /* Define to 1 if you have the <stdint.h> header file. */ + #undef HAVE_STDINT_H + +@@ -160,12 +154,6 @@ + /* Define to a directory in which oddjobd can find some of its helpers. */ + #undef PKGLIBEXECDIR + +-/* Define if you want SELinux ACL support in oddjobd. */ +-#undef SELINUX_ACLS +- +-/* Define to build SELinux label-aware helpers. */ +-#undef SELINUX_LABELS +- + /* Define to 1 if you have the ANSI C header files. */ + #undef STDC_HEADERS + +diff -Nru oddjob-0.31.2.orig/configure.ac oddjob-0.31.2/configure.ac +--- oddjob-0.31.2.orig/configure.ac 2012-11-12 13:36:56.516226652 -0500 ++++ oddjob-0.31.2/configure.ac 2012-11-12 13:37:01.532894421 -0500 +@@ -82,18 +82,6 @@ + experimental=no) + AM_CONDITIONAL(ENABLE_EXPERIMENTAL,test x$experimental = xyes) + +-selinux_labels=default +-AC_ARG_WITH(selinux-labels, +-AS_HELP_STRING(--with-selinux-labels,[Apply SELinux labels to files created by helpers.]), +-selinux_labels=$withval, +-selinux_labels=default) +- +-selinux_acls=default +-AC_ARG_WITH(selinux-acls, +-AS_HELP_STRING(--with-selinux-acls,[Recognize SELinux process attributes in oddjobd ACLs.]), +-selinux_acls=$withval, +-selinux_acls=default) +- + LIBSsave="$LIBS" + LIBS="$LIBS $DBUS_LIBS" + AC_CHECK_FUNCS(dbus_bus_release_name) +@@ -102,96 +90,6 @@ + fi + LIBS="$LIBSsave" + +-if test x$selinux_acls != xno ; then +- # Assume that if the "don't know what the client's context is" error +- # is defined, that the server supports being asked the question. +- CFLAGsave="$CFLAGS" +- CFLAGS="$CFLAGS $DBUS_CFLAGS" +- CPPFLAGsave="$CPPFLAGS" +- CPPFLAGS="$CPPFLAGS $DBUS_CFLAGS" +- AC_CHECK_DECL(DBUS_ERROR_SELINUX_SECURITY_CONTEXT_UNKNOWN,,,[ +- #include <dbus/dbus.h> +- ]) +- CFLAGS="$CFLAGsave" +- CPPFLAGS="$CPPFLAGsave" +- if test x$ac_cv_have_decl_DBUS_ERROR_SELINUX_SECURITY_CONTEXT_UNKNOWN != xyes ; then +- if test x$selinux_acls = xdefault ; then +- AC_MSG_WARN([D-Bus doesn't appear to provide GetConnectionSELinuxSecurityContext(), disabling SELinux ACL support.]) +- selinux_acls=no +- else +- AC_MSG_ERROR([D-Bus doesn't appear to provide GetConnectionSELinuxSecurityContext(), stopping.]) +- fi +- fi +-fi +- +-define_selinux_labels=false +-SELINUX_CFLAGS= +-SELINUX_LIBS= +-if test x$selinux_labels != xno ; then +- CFLAGsave="$CFLAGS" +- LIBsave="$LIBS" +- CFLAGS= +- LIBS= +- if test -d $withval ; then +- CFLAGS="-I$withval/include" +- LIBS="-L$withval/`basename $libdir`" +- fi +- AC_CHECK_HEADERS(selinux/selinux.h) +- if test x$ac_cv_header_selinux_selinux_h != xyes ; then +- if test x$selinux != default ; then +- AC_MSG_ERROR([Could not locate SELinux headers.]) +- else +- AC_MSG_WARN([Could not locate SELinux headers.]) +- fi +- fi +- AC_CHECK_FUNC(setfscreatecon,,AC_CHECK_LIB(selinux,setfscreatecon)) +- if test x$ac_cv_func_setfscreatecon != xyes ; then +- if test x$ac_cv_lib_selinux_setfscreatecon != xyes ; then +- if test x$selinux_labels != default ; then +- AC_MSG_ERROR([Could not locate SELinux library.]) +- else +- AC_MSG_WARN([Could not locate SELinux library.]) +- fi +- fi +- fi +- AC_CHECK_FUNCS(matchpathcon_init) +- if test x$ac_cv_header_selinux_selinux_h = xyes ; then +- if test x$ac_cv_func_setfscreatecon = xyes ; then +- define_selinux_labels=true +- fi +- if test x$ac_cv_lib_selinux_setfscreatecon = xyes ; then +- define_selinux_labels=true +- fi +- fi +- if $define_selinux_labels ; then +- AC_DEFINE(SELINUX_LABELS,1,[Define to build SELinux label-aware helpers.]) +- fi +- SELINUX_CFLAGS="$CFLAGS" +- SELINUX_LIBS="$LIBS" +- CFLAGS="$CFLAGsave" +- LIBS="$LIBsave" +-fi +-# +-# Even if we have libselinux, D-BUS itself might not be able to give us the +-# info we need for enforcing SELinux ACLS, so jump through a flaming hoop. +-# +-SELINUX_ACLS_XML_START="<!-- " +-SELINUX_ACLS_XML_END=" -->" +-SELINUX_ACLS_MAN_SPECIFIC=".\\ " +-if $define_selinux_labels ; then +- if test x$selinux_acls != xno ; then +- AC_DEFINE(SELINUX_ACLS,1,[Define if you want SELinux ACL support in oddjobd.]) +- SELINUX_ACLS_XML_START= +- SELINUX_ACLS_XML_END= +- SELINUX_ACLS_MAN_SPECIFIC= +- fi +-fi +-AC_SUBST(SELINUX_CFLAGS) +-AC_SUBST(SELINUX_LIBS) +-AC_SUBST(SELINUX_ACLS_XML_START) +-AC_SUBST(SELINUX_ACLS_XML_END) +-AC_SUBST(SELINUX_ACLS_MAN_SPECIFIC) +- + python=default + AC_ARG_WITH(python, + AS_HELP_STRING(--with-python,[Build Python bindings for liboddjob.]), +diff -Nru oddjob-0.31.2.orig/doc/oddjob.xml.in oddjob-0.31.2/doc/oddjob.xml.in +--- oddjob-0.31.2.orig/doc/oddjob.xml.in 2012-11-12 13:36:56.522893321 -0500 ++++ oddjob-0.31.2/doc/oddjob.xml.in 2012-11-12 13:37:01.536227756 -0500 +@@ -386,19 +386,6 @@ + be greater than or equal to</para></listitem> + <listitem><para>"max_uid", a UID which the user's UID must + be less than or equal to</para></listitem> +- @SELINUX_ACLS_XML_START@ +- <listitem><para>"selinux_enforcing", "yes" or +- "no", corresponding to whether SELinux is enabled and in +- enforcing mode</para></listitem> +- <listitem><para>"selinux_context", the SELinux context +- of the client process</para></listitem> +- <listitem><para>"selinux_user", the SELinux user +- of the client process</para></listitem> +- <listitem><para>"selinux_role", the SELinux role +- of the client process</para></listitem> +- <listitem><para>"selinux_type", the SELinux type +- of the client process</para></listitem> +- @SELINUX_ACLS_XML_END@ + </itemizedlist> + </para> + <para> +diff -Nru oddjob-0.31.2.orig/oddjobconfig.dtd.in oddjob-0.31.2/oddjobconfig.dtd.in +--- oddjob-0.31.2.orig/oddjobconfig.dtd.in 2012-11-12 13:36:56.512893317 -0500 ++++ oddjob-0.31.2/oddjobconfig.dtd.in 2012-11-12 13:37:01.536227756 -0500 +@@ -22,21 +22,11 @@ + <!ATTLIST allow user CDATA #IMPLIED> + <!ATTLIST allow min_uid CDATA #IMPLIED> + <!ATTLIST allow max_uid CDATA #IMPLIED> +-@SELINUX_ACLS_XML_START@<!ATTLIST allow selinux_enforcing CDATA #IMPLIED>@SELINUX_ACLS_XML_END@ +-@SELINUX_ACLS_XML_START@<!ATTLIST allow selinux_context CDATA #IMPLIED>@SELINUX_ACLS_XML_END@ +-@SELINUX_ACLS_XML_START@<!ATTLIST allow selinux_user CDATA #IMPLIED>@SELINUX_ACLS_XML_END@ +-@SELINUX_ACLS_XML_START@<!ATTLIST allow selinux_role CDATA #IMPLIED>@SELINUX_ACLS_XML_END@ +-@SELINUX_ACLS_XML_START@<!ATTLIST allow selinux_type CDATA #IMPLIED>@SELINUX_ACLS_XML_END@ + + <!ELEMENT deny EMPTY> + <!ATTLIST deny user CDATA #IMPLIED> + <!ATTLIST deny min_uid CDATA #IMPLIED> + <!ATTLIST deny max_uid CDATA #IMPLIED> +-@SELINUX_ACLS_XML_START@<!ATTLIST deny selinux_enforcing CDATA #IMPLIED>@SELINUX_ACLS_XML_END@ +-@SELINUX_ACLS_XML_START@<!ATTLIST deny selinux_context CDATA #IMPLIED>@SELINUX_ACLS_XML_END@ +-@SELINUX_ACLS_XML_START@<!ATTLIST deny selinux_user CDATA #IMPLIED>@SELINUX_ACLS_XML_END@ +-@SELINUX_ACLS_XML_START@<!ATTLIST deny selinux_role CDATA #IMPLIED>@SELINUX_ACLS_XML_END@ +-@SELINUX_ACLS_XML_START@<!ATTLIST deny selinux_type CDATA #IMPLIED>@SELINUX_ACLS_XML_END@ + + <!ELEMENT include (#PCDATA) > + <!ATTLIST include ignore_missing (yes|no) #REQUIRED > +diff -Nru oddjob-0.31.2.orig/src/Makefile.am oddjob-0.31.2/src/Makefile.am +--- oddjob-0.31.2.orig/src/Makefile.am 2012-11-12 13:36:56.512893317 -0500 ++++ oddjob-0.31.2/src/Makefile.am 2012-11-12 13:37:01.536227756 -0500 +@@ -7,7 +7,7 @@ + sigint.sh \ + sleep30.sh + +-AM_CFLAGS = @DBUS_CFLAGS@ @XML_CFLAGS@ @SELINUX_CFLAGS@ ++AM_CFLAGS = @DBUS_CFLAGS@ @XML_CFLAGS@ + if PIE + AM_CFLAGS += -fPIC + endif +@@ -95,7 +95,7 @@ + handlers.h \ + selinux.h \ + mkhomedir.c +-mkhomedir_LDADD = liboddcommon.la liboddselinux.la @SELINUX_LIBS@ ++mkhomedir_LDADD = liboddcommon.la liboddselinux.la + mkhomedir_LDFLAGS = + if PIE + mkhomedir_LDFLAGS += -fPIC -pie +@@ -134,7 +134,7 @@ + handlers.h \ + util.h \ + oddjobd.c +-oddjobd_LDADD = libodddbus.la liboddselinux.la liboddcommon.la @DBUS_LIBS@ @XML_LIBS@ @SELINUX_LIBS@ ++oddjobd_LDADD = libodddbus.la liboddselinux.la liboddcommon.la @DBUS_LIBS@ @XML_LIBS@ + oddjobd_LDFLAGS = + if PIE + oddjobd_LDFLAGS += -fPIC -pie +diff -Nru oddjob-0.31.2.orig/src/oddjob_dbus.c oddjob-0.31.2/src/oddjob_dbus.c +--- oddjob-0.31.2.orig/src/oddjob_dbus.c 2012-11-12 13:36:56.512893317 -0500 ++++ oddjob-0.31.2/src/oddjob_dbus.c 2012-11-12 13:37:01.536227756 -0500 +@@ -254,98 +254,11 @@ + return msg->selinux_context; + } + +-#ifdef SELINUX_ACLS +-static char * +-oddjob_dbus_get_selinux_context(DBusConnection *conn, +- const char *sender_bus_name) +-{ +- DBusMessage *query, *reply; +- char *ret; +- int length; +- DBusMessageIter iter, array; +- DBusError err; +- +- query = dbus_message_new_method_call(DBUS_SERVICE_DBUS, +- DBUS_PATH_DBUS, +- DBUS_INTERFACE_DBUS, +- "GetConnectionSELinuxSecurityContext"); +-#if DBUS_CHECK_VERSION(0,30,0) +- dbus_message_append_args(query, +- DBUS_TYPE_STRING, &sender_bus_name, +- DBUS_TYPE_INVALID); +-#elif DBUS_CHECK_VERSION(0,20,0) +- dbus_message_append_args(query, +- DBUS_TYPE_STRING, sender_bus_name, +- DBUS_TYPE_INVALID); +-#else +-#error "Don't know how to set message arguments with your version of D-Bus!" +-#endif +- +- memset(&err, 0, sizeof(err)); +- reply = dbus_connection_send_with_reply_and_block(conn, query, +- -1, &err); +- ret = NULL; +- if (dbus_error_is_set(&err)) { +-#if DBUS_CHECK_VERSION(0,30,0) +- if ((strcmp(err.name, DBUS_ERROR_NAME_HAS_NO_OWNER) != 0) && +- (strcmp(err.name, DBUS_ERROR_NO_REPLY) != 0)) { +- fprintf(stderr, "Error %s: %s.\n", +- err.name, err.message); +- } +-#elif DBUS_CHECK_VERSION(0,20,0) +- if ((strcmp(err.name, DBUS_ERROR_SERVICE_HAS_NO_OWNER) != 0) && +- (strcmp(err.name, DBUS_ERROR_NO_REPLY) != 0)) { +- fprintf(stderr, "Error %s: %s.\n", +- err.name, err.message); +- } +-#else +-#error "Don't know what unknown-service/name errors look like with your version of D-Bus!" +-#endif +- } +- if (reply != NULL) { +- if (dbus_message_iter_init(reply, &iter)) { +- switch (dbus_message_iter_get_arg_type(&iter)) { +- case DBUS_TYPE_ARRAY: +-#if DBUS_CHECK_VERSION(0,33,0) +- /* We can't sanity check the length. */ +- dbus_message_iter_recurse(&iter, &array); +- dbus_message_iter_get_fixed_array(&array, &ret, +- &length); +- if (ret != NULL) { +- ret = oddjob_strndup(ret, length); +- } +-#elif DBUS_CHECK_VERSION(0,20,0) +- /* We can't sanity check the length. */ +- dbus_message_iter_get_byte_array(&iter, +- (unsigned char **) &ret, +- &length); +- if (ret != NULL) { +- ret = oddjob_strndup(ret, length); +- } +-#else +-#error "Don't know how to retrieve message arguments with your version of D-Bus!" +-#endif +- break; +- case DBUS_TYPE_INVALID: +- break; +- default: +- break; +- } +- } +- } +- dbus_message_unref(query); +- if (reply != NULL) { +- dbus_message_unref(reply); +- } +- return ret; +-} +-#else + static char * + oddjob_dbus_get_selinux_context(DBusConnection *conn, const char *sender_bus_name) + { + return NULL; + } +-#endif + + static void + oddjob_dbus_message_set_selinux_context(struct oddjob_dbus_message *msg, +diff -Nru oddjob-0.31.2.orig/src/oddjobd.c oddjob-0.31.2/src/oddjobd.c +--- oddjob-0.31.2.orig/src/oddjobd.c 2012-11-12 13:36:56.512893317 -0500 ++++ oddjob-0.31.2/src/oddjobd.c 2012-11-12 13:37:01.539561092 -0500 +@@ -48,11 +48,6 @@ + #include <unistd.h> + #include <dbus/dbus.h> + #include <libxml/xmlreader.h> +-#ifdef SELINUX_ACLS +-#include <selinux/selinux.h> +-#include <selinux/context.h> +-#include <selinux/flask.h> +-#endif + #include "buffer.h" + #include "common.h" + #include "handlers.h" +@@ -108,20 +103,6 @@ + unsigned long min_uid; + dbus_bool_t apply_max_uid; + unsigned long max_uid; +-#ifdef SELINUX_ACLS +- dbus_bool_t apply_selinux_enforcing; +- dbus_bool_t selinux_enforcing; +- dbus_bool_t apply_selinux_context; +- char *selinux_context; +- dbus_bool_t apply_selinux_user; +- char *selinux_user; +- dbus_bool_t apply_selinux_role; +- char *selinux_role; +- dbus_bool_t apply_selinux_type; +- char *selinux_type; +- dbus_bool_t apply_selinux_range; +- char *selinux_range; +-#endif + struct oddjob_acl *next; + }; + +@@ -197,19 +178,12 @@ + int reload; + int quit; + const char *configfile; +-#ifdef SELINUX_ACLS +- dbus_bool_t selinux_enabled, selinux_enforcing; +-#endif + } globals = { + .config = NULL, + .debug = 0, + .reload = 0, + .quit = 0, + .configfile = SYSCONFDIR "/" PACKAGE "d.conf", +-#ifdef SELINUX_ACLS +- .selinux_enabled = FALSE, +- .selinux_enforcing = FALSE, +-#endif + }; + + static void oddjobd_exec_method(struct oddjob_dbus_context *ctx, +@@ -234,80 +208,12 @@ + const char *file, dbus_bool_t ignore_missing); + static void check_selinux_applicable(void); + +-#ifdef SELINUX_ACLS +-/* Check if we have an SELinux match with the fields defined in this AC entry. +- * Assumes that check_selinux_applicable() was called at least relatively +- * recently, because one of those clauses matches whether or not we're in +- * enforcing mode. */ +-static dbus_bool_t +-check_one_ac_selinux(struct oddjob_acl *acl, const char *selinux_context) +-{ +- char *ctx; +- const char *user, *role, *type, *range; +- dbus_bool_t ret; +- context_t context; +- +- /* If the ACL doesn't specify that we have to be in enforcing mode, and +- * we're either in non-SELinux or permissive mode, then go ahead and +- * return a success. */ +- if (!acl->apply_selinux_enforcing && +- (!globals.selinux_enabled || !globals.selinux_enforcing)) { +- return TRUE; +- } +- /* Break the context up. */ +- if (selinux_context != NULL) { +- context = context_new(selinux_context); +- ctx = context_str(context); +- user = context_user_get(context); +- role = context_role_get(context); +- type = context_type_get(context); +- range = context_range_get(context); +- } else { +- context = NULL; +- ctx = NULL; +- user = NULL; +- role = NULL; +- type = NULL; +- range = NULL; +- } +- /* Check all that apply. */ +- ret = ((!acl->apply_selinux_enforcing) || +- (!acl->selinux_enforcing == !globals.selinux_enforcing)) && +- ((!acl->apply_selinux_context) || +- ((ctx != NULL) && +- (fnmatch(acl->selinux_context, ctx, +- ODDJOB_SECONTEXT_FNMATCH_FLAGS) == 0))) && +- ((!acl->apply_selinux_user) || +- ((user != NULL) && +- (fnmatch(acl->selinux_user, user, +- ODDJOB_SEUSER_FNMATCH_FLAGS) == 0))) && +- ((!acl->apply_selinux_role) || +- ((role != NULL) && +- (fnmatch(acl->selinux_role, role, +- ODDJOB_SEROLE_FNMATCH_FLAGS) == 0))) && +- ((!acl->apply_selinux_type) || +- ((type != NULL) && +- (fnmatch(acl->selinux_type, type, +- ODDJOB_SETYPE_FNMATCH_FLAGS) == 0))) && +- ((!acl->apply_selinux_range) || +- ((range != NULL) && +- (fnmatch(acl->selinux_range, range, +- ODDJOB_SERANGE_FNMATCH_FLAGS) == 0))); +- /* Free the decomposed context. The other strings are "owned" by this +- * structure. */ +- if (context != NULL) { +- context_free(context); +- } +- return ret; +-} +-#else + /* Ignore SELinux rules, no matter what. */ + static dbus_bool_t + check_one_ac_selinux(struct oddjob_acl *acl, const char *selinux_context) + { + return TRUE; + } +-#endif + + /* Check if a single AC entry matches the given user and UID. */ + static dbus_bool_t +@@ -348,33 +254,6 @@ + fprintf(stderr, " max_uid=%lu ", + i->max_uid); + } +-#ifdef SELINUX_ACLS +- if (i->apply_selinux_enforcing) { +- fprintf(stderr, " seenforcing=%s ", +- i->selinux_enforcing ? +- "yes" : "no"); +- } +- if (i->apply_selinux_context) { +- fprintf(stderr, " secontext=%s ", +- i->selinux_context); +- } +- if (i->apply_selinux_user) { +- fprintf(stderr, " seuser=%s ", +- i->selinux_user); +- } +- if (i->apply_selinux_role) { +- fprintf(stderr, " serole=%s ", +- i->selinux_role); +- } +- if (i->apply_selinux_type) { +- fprintf(stderr, " setype=%s ", +- i->selinux_type); +- } +- if (i->apply_selinux_range) { +- fprintf(stderr, " serange=%s ", +- i->selinux_range); +- } +-#endif + fprintf(stderr, ")\n"); + } + return oddjob_acl_deny; +@@ -399,33 +278,6 @@ + fprintf(stderr, " max_uid=%lu ", + i->max_uid); + } +-#ifdef SELINUX_ACLS +- if (i->apply_selinux_enforcing) { +- fprintf(stderr, " enforcing=%s ", +- i->selinux_enforcing ? +- "yes" : "no"); +- } +- if (i->apply_selinux_context) { +- fprintf(stderr, " context=%s ", +- i->selinux_context); +- } +- if (i->apply_selinux_user) { +- fprintf(stderr, " user=%s ", +- i->selinux_user); +- } +- if (i->apply_selinux_role) { +- fprintf(stderr, " role=%s ", +- i->selinux_role); +- } +- if (i->apply_selinux_type) { +- fprintf(stderr, " type=%s ", +- i->selinux_type); +- } +- if (i->apply_selinux_range) { +- fprintf(stderr, " range=%s ", +- i->selinux_range); +- } +-#endif + fprintf(stderr, ")\n"); + } + return oddjob_acl_allow; +@@ -525,14 +377,6 @@ + static void + check_selinux_applicable(void) + { +-#ifdef SELINUX_ACLS +- globals.selinux_enabled = (is_selinux_enabled() != 0); +- if (globals.selinux_enabled) { +- globals.selinux_enforcing = (security_getenforce() != 0); +- } else { +- globals.selinux_enforcing = FALSE; +- } +-#endif + } + + /* Convenience functions for reading attributes and contents of XML nodes. */ +@@ -626,72 +470,6 @@ + ac->max_uid); + } + } +-#ifdef SELINUX_ACLS +- } else +- if (load_config_xml_attr_name_is(attr, "selinux_enforcing")) { +- const char *enforcing; +- ac->apply_selinux_enforcing = TRUE; +- ac->selinux_enforcing = TRUE; +- enforcing = load_config_xml_attr_data(attr); +- if (enforcing != NULL) { +- if (strcmp(enforcing, "no") == 0) { +- ac->selinux_enforcing = FALSE; +- } else +- if (strcmp(enforcing, "yes") == 0) { +- ac->selinux_enforcing = TRUE; +- } else { +- fprintf(stderr, +- "Invalid selinux_enforcing " +- "\"%s\" (expected \"yes\" or " +- "\"no\")!\n", enforcing); +- return FALSE; +- } +- } +- if (globals.debug) { +- fprintf(stderr, "selinux_enforcing=\"%s\" ", +- ac->selinux_enforcing ? "yes" : "no"); +- } +- } else +- if (load_config_xml_attr_name_is(attr, "selinux_context")) { +- ac->apply_selinux_context = TRUE; +- ac->selinux_context = oddjob_strdup(load_config_xml_attr_data(attr)); +- if (globals.debug) { +- fprintf(stderr, "selinux_context=\"%s\" ", +- ac->selinux_context); +- } +- } else +- if (load_config_xml_attr_name_is(attr, "selinux_user")) { +- ac->apply_selinux_user = TRUE; +- ac->selinux_user = oddjob_strdup(load_config_xml_attr_data(attr)); +- if (globals.debug) { +- fprintf(stderr, "selinux_user=\"%s\" ", +- ac->selinux_user); +- } +- } else +- if (load_config_xml_attr_name_is(attr, "selinux_role")) { +- ac->apply_selinux_role = TRUE; +- ac->selinux_role = oddjob_strdup(load_config_xml_attr_data(attr)); +- if (globals.debug) { +- fprintf(stderr, "selinux_role=\"%s\" ", +- ac->selinux_role); +- } +- } else +- if (load_config_xml_attr_name_is(attr, "selinux_type")) { +- ac->apply_selinux_type = TRUE; +- ac->selinux_type = oddjob_strdup(load_config_xml_attr_data(attr)); +- if (globals.debug) { +- fprintf(stderr, "selinux_type=\"%s\" ", +- ac->selinux_type); +- } +- } else +- if (load_config_xml_attr_name_is(attr, "selinux_range")) { +- ac->apply_selinux_range = TRUE; +- ac->selinux_range = oddjob_strdup(load_config_xml_attr_data(attr)); +- if (globals.debug) { +- fprintf(stderr, "selinux_range=\"%s\" ", +- ac->selinux_range); +- } +-#endif + } else { + if (globals.debug) { + fprintf(stderr, "unknown attribute \"%s\" in " +@@ -1392,12 +1170,6 @@ + while (acl != NULL) { + tofree = acl; + acl = acl->next; +-#ifdef SELINUX_ACLS +- oddjob_free(tofree->selinux_context); +- oddjob_free(tofree->selinux_user); +- oddjob_free(tofree->selinux_role); +- oddjob_free(tofree->selinux_type); +-#endif + oddjob_free(tofree->user); + oddjob_free(tofree); + } +@@ -1943,50 +1715,6 @@ + putenv(task->interface); + putenv(task->method); + putenv(task->calling_user); +-#ifdef SELINUX_ACLS +- /* Set up the SELinux execution context. */ +- if (globals.selinux_enabled) { +- const char *client_secontext; +- security_context_t helper_context, exec_context; +- +- client_secontext = oddjob_dbus_message_get_selinux_context(msg); +- if (client_secontext == NULL) { +- /* Wha....? */ +- exec_errno = 0xff; +- write(3, &exec_errno, 1); +- _exit(-1); +- } +- if (getfilecon(method->argv[0], &helper_context) == -1) { +- switch (errno) { +- /* Not there? */ +- case ENOENT: +- exec_errno = errno; +- break; +- default: +- /* No label? */ +- exec_errno = 0xfd; +- break; +- } +- write(3, &exec_errno, 1); +- _exit(-1); +- } +- if (security_compute_create((char *) client_secontext, +- helper_context, +- SECCLASS_PROCESS, +- &exec_context) != 0) { +- /* Failed to compute exec context? */ +- exec_errno = 0xfe; +- write(3, &exec_errno, 1); +- _exit(-1); +- } +- if (setexeccon(exec_context) == -1) { +- /* Failed to set exec context? */ +- exec_errno = 0xfc; +- write(3, &exec_errno, 1); +- _exit(-1); +- } +- } +-#endif + /* run the helper */ + execv(method->argv[0], task->argv); + /* uh-oh. send errno to the caller and bail */ +diff -Nru oddjob-0.31.2.orig/src/oddjobd.conf.5.in oddjob-0.31.2/src/oddjobd.conf.5.in +--- oddjob-0.31.2.orig/src/oddjobd.conf.5.in 2012-11-12 13:36:56.512893317 -0500 ++++ oddjob-0.31.2/src/oddjobd.conf.5.in 2012-11-12 13:37:01.539561092 -0500 +@@ -34,9 +34,6 @@ + and \fI<deny>\fR. Each \fI<allow>\fR or \fI<deny>\fR rule specifies some + combination of a user name and/or a UID range which the invoking user must + match for the rule to apply. +-@SELINUX_ACLS_MAN_SPECIFIC@A rule can also specify the caller's SELinux context, +-@SELINUX_ACLS_MAN_SPECIFIC@user, role, or execution domain, and be applied or +-@SELINUX_ACLS_MAN_SPECIFIC@not based on whether or not policy is being enforced. + All \fI<deny>\fR rules for the method are checked first, followed by all of its + \fI<allow>\fR rules. If no matches are found, the \fI<deny>\fR rules for the + containing \fI<interface>\fR element are checked, followed by its \fI<allow>\fP +diff -Nru oddjob-0.31.2.orig/src/selinux.c oddjob-0.31.2/src/selinux.c +--- oddjob-0.31.2.orig/src/selinux.c 2012-11-12 13:36:56.512893317 -0500 ++++ oddjob-0.31.2/src/selinux.c 2012-11-12 13:37:55.142905336 -0500 +@@ -42,16 +42,6 @@ + #include "handlers.h" + #include "selinux.h" + +-#ifdef SELINUX_LABELS +- +-#include <selinux/selinux.h> +- +-#ifndef HAVE_MATCHPATHCON_INIT +-static void +-matchpathcon_init(const char *path) { +-} +-#endif +- + static dbus_bool_t + oddjob_check_selinux_enabled(void) + { +@@ -68,41 +58,6 @@ + void + oddjob_set_selinux_file_creation_context(const char *path, mode_t mode) + { +- security_context_t context; +- +- if (!oddjob_check_selinux_enabled()) { +- return; +- } +- +- context = NULL; +- if (matchpathcon(path, mode, &context) == 0) { +- if (context != NULL) { +- if (strcmp(context, "<<none>>") == 0) { +- oddjob_unset_selinux_file_creation_context(); +- } else { +- setfscreatecon(context); +- } +- freecon(context); +- } else { +- oddjob_unset_selinux_file_creation_context(); +- } +- } +-} +- +-void +-oddjob_unset_selinux_file_creation_context(void) +-{ +- if (!oddjob_check_selinux_enabled()) { +- return; +- } +- setfscreatecon(NULL); +-} +- +-#else +- +-void +-oddjob_set_selinux_file_creation_context(const char *path, mode_t mode) +-{ + } + + void +@@ -110,8 +65,6 @@ + { + } + +-#endif +- + /* Create a directory with the given permissions, and create leading + * directories as well. Any directories which are created will have contexts + * set as matchpathcon() dictates. The directory itself will be owned by the |