authorNicolas Iooss2016-02-27 12:50:46 +0100
committerNicolas Iooss2016-02-27 12:50:46 +0100
commit7f9ddc0fe345d7e45db7484cefd9664ad33e09c9 (patch)
tree22c153c5b967b135f6a9a5549c0b07533d857e91
parentaefda5187406d2329e32e285733ab00d624d4682 (diff)
downloadaur-7f9ddc0fe345d7e45db7484cefd9664ad33e09c9.tar.gz
libsemanage 2.5-1 update
-rw-r--r--.SRCINFO24
-rw-r--r--0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch213
-rw-r--r--0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch318
-rw-r--r--0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch265
-rw-r--r--0004-libsemanage-save-homedir_template-in-the-policy-stor.patch54
-rw-r--r--0005-libsemanage-store-users_extra-in-the-policy-store.patch57
-rw-r--r--PKGBUILD37
7 files changed, 15 insertions, 953 deletions
diff --git a/.SRCINFO b/.SRCINFO
index ef9057c9632b..4466ea5824b3 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,9 @@
+# Generated by makepkg 5.0.0
+# Sat Feb 27 11:50:46 UTC 2016
pkgbase = libsemanage
pkgdesc = SELinux binary policy manipulation library
- pkgver = 2.4
- pkgrel = 2
+ pkgver = 2.5
+ pkgrel = 1
url = http://userspace.selinuxproject.org
install = libsemanage.install
arch = i686
@@ -13,27 +15,17 @@ pkgbase = libsemanage
makedepends = python
makedepends = swig
depends = ustr-selinux
- depends = libselinux>=2.4
+ depends = libselinux>=2.5
depends = audit
optdepends = python2: python2 bindings
optdepends = python: python bindings
- provides = selinux-usr-libsemanage=2.4-2
+ provides = selinux-usr-libsemanage=2.5-1
conflicts = selinux-usr-libsemanage
options = !emptydirs
- source = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20150202/libsemanage-2.4.tar.gz
+ source = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libsemanage-2.5.tar.gz
source = semanage.conf
- source = 0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch
- source = 0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch
- source = 0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch
- source = 0004-libsemanage-save-homedir_template-in-the-policy-stor.patch
- source = 0005-libsemanage-store-users_extra-in-the-policy-store.patch
- sha256sums = 1a4cace4ef16786531ec075c0e7b2f961e2fee5dc86c5f983a689058899a6484
+ sha256sums = 46e2f36254369b6e91d1eea0460c262b139361b055a3a67d3ceea2d8ef72e006
sha256sums = 5b0e6929428e095b561701ccdfa9c8b0c3d70dad3fc46e667eb46a85b246a4a0
- sha256sums = 61a768144b740104fb2c17b6c15f10a207c0fa42d5faa611237f1df6b0a9c835
- sha256sums = 3ac9a961efde8cbc091688ca3e42058baf37919b572abd96d0a8f8167f4f283c
- sha256sums = 0324cfc186b09b748c74a64c74f9990dc7ee5497b8d450d4146f8fc73d6a710c
- sha256sums = bb83007a0cee3e2f3193c4935b2956e9c1894d08146c36a72505248e22c158cf
- sha256sums = 3497602b0b5095c08711fd922160b9bdefdb74dff39910b2cddf8480795580bb
pkgname = libsemanage
diff --git a/0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch b/0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch
deleted file mode 100644
index 35924370cdf9..000000000000
--- a/0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch
+++ /dev/null
@@ -1,213 +0,0 @@
-From c79e3964b33fdb170bba900ba1f3c040f5f70312 Mon Sep 17 00:00:00 2001
-From: Jason Zaman <jason@perfinion.com>
-Date: Wed, 22 Apr 2015 23:05:48 +0400
-Subject: [PATCH 1/5] libsemanage: do not copy contexts in
- semanage_migrate_store
-
-The modules from the old store were previously copied to the new one
-using setfscreatecon and shutil.copy2(). Now that refpolicy has rules
-about the new policy location[1], copying the contexts is redundant.
-
-More importantly, the setcreatefscon caused a constraint violation[2]
-which made the migration fail. In python3, shutil.copy2() copies xattrs
-as well which again causes problems. shutil.copy() is enough for our
-needs here as it will copy the file and permissions in both py2 and 3.
-We do not need the extra things that copy2() does (mtime, xattr, etc).
-
-[1] http://oss.tresys.com/pipermail/refpolicy/2014-December/007511.html
-
-[2]
-type=AVC msg=audit(1429438272.872:1869): avc: denied { create } for pid=28739 comm="semanage_migrat" name="strict" scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:semanage_store_t tclass=dir permissive=0
- constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
-allow semanage_t semanage_store_t:dir create;
-
-Signed-off-by: Jason Zaman <jason@perfinion.com>
-Acked-by: Steve Lawrence <slawrence@tresys.com>
-
-Changes from v1:
- - Changed some methods to not take a src param anymore.
----
- libsemanage/utils/semanage_migrate_store | 77 ++++++++------------------------
- 1 file changed, 18 insertions(+), 59 deletions(-)
-
-diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
-index 03b492e05cbb..2f85e9c561ae 100755
---- a/libsemanage/utils/semanage_migrate_store
-+++ b/libsemanage/utils/semanage_migrate_store
-@@ -8,7 +8,6 @@ import shutil
- import sys
- from optparse import OptionParser
-
--import bz2
- import ctypes
-
- sepol = ctypes.cdll.LoadLibrary('libsepol.so')
-@@ -21,41 +20,20 @@ except:
- exit(1)
-
-
--
--
--# For some reason this function doesn't exist in libselinux :\
--def copy_with_context(src, dst):
-+def copy_file(src, dst):
- if DEBUG:
- print("copying %s to %s" % (src, dst))
- try:
-- con = selinux.lgetfilecon_raw(src)[1]
-- except:
-- print("Could not get file context of %s" % src, file=sys.stderr)
-- exit(1)
--
-- try:
-- selinux.setfscreatecon_raw(con)
-- except:
-- print("Could not set fs create context: %s" %con, file=sys.stderr)
-- exit(1)
--
-- try:
-- shutil.copy2(src, dst)
-+ shutil.copy(src, dst)
- except OSError as the_err:
- (err, strerr) = the_err.args
- print("Could not copy %s to %s, %s" %(src, dst, strerr), file=sys.stderr)
- exit(1)
-
-- try:
-- selinux.setfscreatecon_raw(None)
-- except:
-- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr)
-
--def create_dir_from(src, dst, mode):
-+def create_dir(dst, mode):
- if DEBUG: print("Making directory %s" % dst)
- try:
-- con = selinux.lgetfilecon_raw(src)[1]
-- selinux.setfscreatecon_raw(con)
- os.makedirs(dst, mode)
- except OSError as the_err:
- (err, stderr) = the_err.args
-@@ -65,28 +43,18 @@ def create_dir_from(src, dst, mode):
- print("Error creating %s" % dst, file=sys.stderr)
- exit(1)
-
-- try:
-- selinux.setfscreatecon_raw(None)
-- except:
-- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr)
-
--def create_file_from(src, dst):
-+def create_file(dst):
- if DEBUG: print("Making file %s" % dst)
- try:
-- con = selinux.lgetfilecon_raw(src)[1]
-- selinux.setfscreatecon_raw(con)
- open(dst, 'a').close()
- except OSError as the_err:
- (err, stderr) = the_err.args
- print("Error creating %s" % dst, file=sys.stderr)
- exit(1)
-
-- try:
-- selinux.setfscreatecon_raw(None)
-- except:
-- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr)
-
--def copy_module(store, name, con, base):
-+def copy_module(store, name, base):
- if DEBUG: print("Install module %s" % name)
- (file, ext) = os.path.splitext(name)
- if ext != ".pp":
-@@ -94,8 +62,6 @@ def copy_module(store, name, con, base):
- print("warning: %s has invalid extension, skipping" % name, file=sys.stderr)
- return
- try:
-- selinux.setfscreatecon_raw(con)
--
- if base:
- root = oldstore_path(store)
- else:
-@@ -105,7 +71,7 @@ def copy_module(store, name, con, base):
-
- os.mkdir("%s/%s" % (bottomdir, file))
-
-- copy_with_context(os.path.join(root, name), "%s/%s/hll" % (bottomdir, file))
-+ copy_file(os.path.join(root, name), "%s/%s/hll" % (bottomdir, file))
-
- # This is the ext file that will eventually be used to choose a compiler
- efile = open("%s/%s/lang_ext" % (bottomdir, file), "w+", 0o600)
-@@ -116,15 +82,11 @@ def copy_module(store, name, con, base):
- print("Error installing module %s" % name, file=sys.stderr)
- exit(1)
-
-- try:
-- selinux.setfscreatecon_raw(None)
-- except:
-- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr)
-
--def disable_module(file, root, name, disabledmodules):
-+def disable_module(file, name, disabledmodules):
- if DEBUG: print("Disabling %s" % name)
- (disabledname, disabledext) = os.path.splitext(file)
-- create_file_from(os.path.join(root, name), "%s/%s" % (disabledmodules, disabledname))
-+ create_file("%s/%s" % (disabledmodules, disabledname))
-
- def migrate_store(store):
-
-@@ -138,17 +100,14 @@ def migrate_store(store):
- print("Migrating from %s to %s" % (oldstore, newstore))
-
- # Build up new directory structure
-- create_dir_from(oldstore, "%s/%s" % (newroot_path(), store), 0o755)
-- create_dir_from(oldstore, newstore, 0o700)
-- create_dir_from(oldstore, newmodules, 0o700)
-- create_dir_from(oldstore, bottomdir, 0o700)
-- create_dir_from(oldstore, disabledmodules, 0o700)
--
-- # use whatever the file context of bottomdir is for the module directories
-- con = selinux.lgetfilecon_raw(bottomdir)[1]
-+ create_dir("%s/%s" % (newroot_path(), store), 0o755)
-+ create_dir(newstore, 0o700)
-+ create_dir(newmodules, 0o700)
-+ create_dir(bottomdir, 0o700)
-+ create_dir(disabledmodules, 0o700)
-
- # Special case for base since it was in a different location
-- copy_module(store, "base.pp", con, 1)
-+ copy_module(store, "base.pp", 1)
-
- # Dir structure built, start copying files
- for root, dirs, files in os.walk(oldstore):
-@@ -161,7 +120,7 @@ def migrate_store(store):
- newname = "seusers.local"
- else:
- newname = name
-- copy_with_context(os.path.join(root, name), os.path.join(newstore, newname))
-+ copy_file(os.path.join(root, name), os.path.join(newstore, newname))
-
- elif root == oldmodules:
- # This should be the modules directory
-@@ -171,9 +130,9 @@ def migrate_store(store):
- print("Error installing module %s, name conflicts with base" % name, file=sys.stderr)
- exit(1)
- elif ext == ".disabled":
-- disable_module(file, root, name, disabledmodules)
-+ disable_module(file, name, disabledmodules)
- else:
-- copy_module(store, name, con, 0)
-+ copy_module(store, name, 0)
-
- def rebuild_policy():
- # Ok, the modules are loaded, lets try to rebuild the policy
-@@ -287,7 +246,7 @@ if __name__ == "__main__":
- "preserve_tunables" ]
-
-
-- create_dir_from(oldroot_path(), newroot_path(), 0o755)
-+ create_dir(newroot_path(), 0o755)
-
- stores = None
- if TYPE is not None:
---
-2.5.1
-
diff --git a/0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch b/0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch
deleted file mode 100644
index af255c95f26b..000000000000
--- a/0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch
+++ /dev/null
@@ -1,318 +0,0 @@
-From 24feb06f1620de854f7ac7ec9b86b004c155f489 Mon Sep 17 00:00:00 2001
-From: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
-Date: Thu, 2 Jul 2015 09:27:36 -0400
-Subject: [PATCH 2/5] libsemanage: Add policy binary and file_contexts.local to
- the store
-
-This patch writes policy.kern and file_contexts.local to the policy store as
-well as /etc/selinux/. Additionally, policy.kern and file_contexts.local
-are now parsed from the store rather than the final directory which was
-the old behavior. This allows all policy related files to be kept in the
-policy store.
-
-This patch also renames /var/lib/selinux/tmp to 'final' and changes
-policy.kern in the store to longer be a symlink.
-
-Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
----
- libsemanage/src/booleans_policydb.c | 6 ++--
- libsemanage/src/direct_api.c | 33 +++++++++++++++----
- libsemanage/src/interfaces_policydb.c | 6 ++--
- libsemanage/src/nodes_policydb.c | 6 ++--
- libsemanage/src/ports_policydb.c | 6 ++--
- libsemanage/src/semanage_store.c | 55 ++++++++++++++++++++++++--------
- libsemanage/src/semanage_store.h | 5 +++
- libsemanage/src/users_base_policydb.c | 6 ++--
- libsemanage/utils/semanage_migrate_store | 3 +-
- 9 files changed, 86 insertions(+), 40 deletions(-)
-
-diff --git a/libsemanage/src/booleans_policydb.c b/libsemanage/src/booleans_policydb.c
-index 74af2a3300e3..6869d6cd0417 100644
---- a/libsemanage/src/booleans_policydb.c
-+++ b/libsemanage/src/booleans_policydb.c
-@@ -55,10 +55,8 @@ int bool_policydb_dbase_init(semanage_handle_t * handle,
- {
-
- if (dbase_policydb_init(handle,
-- semanage_final_path(SEMANAGE_FINAL_SELINUX,
-- SEMANAGE_KERNEL),
-- semanage_final_path(SEMANAGE_FINAL_TMP,
-- SEMANAGE_KERNEL),
-+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
-+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
- &SEMANAGE_BOOL_RTABLE,
- &SEMANAGE_BOOL_POLICYDB_RTABLE,
- &dconfig->dbase) < 0)
-diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
-index b0ed3388e27b..820d351c90ae 100644
---- a/libsemanage/src/direct_api.c
-+++ b/libsemanage/src/direct_api.c
-@@ -196,10 +196,8 @@ int semanage_direct_connect(semanage_handle_t * sh)
- goto err;
-
- if (fcontext_file_dbase_init(sh,
-- semanage_final_path(SEMANAGE_FINAL_SELINUX,
-- SEMANAGE_FC_LOCAL),
-- semanage_final_path(SEMANAGE_FINAL_TMP,
-- SEMANAGE_FC_LOCAL),
-+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC_LOCAL),
-+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
- semanage_fcontext_dbase_local(sh)) < 0)
- goto err;
-
-@@ -959,7 +957,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
- size_t fc_buffer_len = 0;
- const char *ofilename = NULL;
- const char *path;
-- int retval = -1, num_modinfos = 0, i;
-+ int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0;
- sepol_policydb_t *out = NULL;
- struct cil_db *cildb = NULL;
- semanage_module_info_t *modinfos = NULL;
-@@ -1061,8 +1059,20 @@ static int semanage_direct_commit(semanage_handle_t * sh)
- modified |= dontaudit_modified;
- modified |= preserve_tunables_modified;
-
-+ /* This is for systems that have already migrated with an older version
-+ * of semanage_migrate_store. The older version did not copy policy.kern so
-+ * the policy binary must be rebuilt here.
-+ */
-+ if (!sh->do_rebuild && !modified) {
-+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL);
-+
-+ if (access(path, F_OK) != 0) {
-+ missing_policy_kern = 1;
-+ }
-+ }
-+
- /* If there were policy changes, or explicitly requested, rebuild the policy */
-- if (sh->do_rebuild || modified) {
-+ if (sh->do_rebuild || modified || missing_policy_kern) {
- /* =================== Module expansion =============== */
-
- retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos);
-@@ -1222,6 +1232,17 @@ static int semanage_direct_commit(semanage_handle_t * sh)
- if (retval < 0)
- goto cleanup;
-
-+ retval = semanage_copy_policydb(sh);
-+ if (retval < 0)
-+ goto cleanup;
-+
-+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
-+ if (access(path, F_OK) == 0) {
-+ retval = semanage_copy_fc_local(sh);
-+ if (retval < 0)
-+ goto cleanup;
-+ }
-+
- /* run genhomedircon if its enabled, this should be the last operation
- * which requires the out policydb */
- if (!sh->conf->disable_genhomedircon) {
-diff --git a/libsemanage/src/interfaces_policydb.c b/libsemanage/src/interfaces_policydb.c
-index 6a42eedf32bf..552ce7d50c5c 100644
---- a/libsemanage/src/interfaces_policydb.c
-+++ b/libsemanage/src/interfaces_policydb.c
-@@ -51,10 +51,8 @@ int iface_policydb_dbase_init(semanage_handle_t * handle,
- {
-
- if (dbase_policydb_init(handle,
-- semanage_final_path(SEMANAGE_FINAL_SELINUX,
-- SEMANAGE_KERNEL),
-- semanage_final_path(SEMANAGE_FINAL_TMP,
-- SEMANAGE_KERNEL),
-+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
-+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
- &SEMANAGE_IFACE_RTABLE,
- &SEMANAGE_IFACE_POLICYDB_RTABLE,
- &dconfig->dbase) < 0)
-diff --git a/libsemanage/src/nodes_policydb.c b/libsemanage/src/nodes_policydb.c
-index 56012fbf1c64..7224f0084758 100644
---- a/libsemanage/src/nodes_policydb.c
-+++ b/libsemanage/src/nodes_policydb.c
-@@ -50,10 +50,8 @@ int node_policydb_dbase_init(semanage_handle_t * handle,
- {
-
- if (dbase_policydb_init(handle,
-- semanage_final_path(SEMANAGE_FINAL_SELINUX,
-- SEMANAGE_KERNEL),
-- semanage_final_path(SEMANAGE_FINAL_TMP,
-- SEMANAGE_KERNEL),
-+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
-+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
- &SEMANAGE_NODE_RTABLE,
- &SEMANAGE_NODE_POLICYDB_RTABLE,
- &dconfig->dbase) < 0)
-diff --git a/libsemanage/src/ports_policydb.c b/libsemanage/src/ports_policydb.c
-index b9600f056aad..37d7deb2735c 100644
---- a/libsemanage/src/ports_policydb.c
-+++ b/libsemanage/src/ports_policydb.c
-@@ -50,10 +50,8 @@ int port_policydb_dbase_init(semanage_handle_t * handle,
- {
-
- if (dbase_policydb_init(handle,
-- semanage_final_path(SEMANAGE_FINAL_SELINUX,
-- SEMANAGE_KERNEL),
-- semanage_final_path(SEMANAGE_FINAL_TMP,
-- SEMANAGE_KERNEL),
-+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
-+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
- &SEMANAGE_PORT_RTABLE,
- &SEMANAGE_PORT_POLICYDB_RTABLE,
- &dconfig->dbase) < 0)
-diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
-index 6051691bbb2f..2856aaf25685 100644
---- a/libsemanage/src/semanage_store.c
-+++ b/libsemanage/src/semanage_store.c
-@@ -110,10 +110,12 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
- "/disable_dontaudit",
- "/preserve_tunables",
- "/modules/disabled",
-+ "/policy.kern",
-+ "/file_contexts.local"
- };
-
- static char const * const semanage_final_prefix[SEMANAGE_FINAL_NUM] = {
-- "/tmp",
-+ "/final",
- "",
- };
-
-@@ -943,9 +945,7 @@ int semanage_make_final(semanage_handle_t *sh)
- goto cleanup;
- }
-
-- /* Copy in exported databases.
-- * i = 1 to avoid copying the top level directory.
-- */
-+ // Build final directory structure
- int i;
- for (i = 1; i < SEMANAGE_FINAL_PATH_NUM; i++) {
- if (strlen(semanage_final_path(SEMANAGE_FINAL_TMP, i)) >= sizeof(fn)) {
-@@ -959,12 +959,6 @@ int semanage_make_final(semanage_handle_t *sh)
- status = -1;
- goto cleanup;
- }
--
-- semanage_copy_file(
-- semanage_final_path(SEMANAGE_FINAL_SELINUX, i),
-- semanage_final_path(SEMANAGE_FINAL_TMP, i),
-- sh->conf->file_mode);
-- /* ignore errors, these files may not exist */
- }
-
- cleanup:
-@@ -2019,8 +2013,7 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
- FILE *infile = NULL;
-
- if ((kernel_filename =
-- semanage_final_path(SEMANAGE_FINAL_SELINUX,
-- SEMANAGE_KERNEL)) == NULL) {
-+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL)) == NULL) {
- goto cleanup;
- }
- if ((infile = fopen(kernel_filename, "r")) == NULL) {
-@@ -2061,7 +2054,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
- FILE *outfile = NULL;
-
- if ((kernel_filename =
-- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL)) == NULL) {
-+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL)) == NULL) {
- goto cleanup;
- }
- if ((outfile = fopen(kernel_filename, "wb")) == NULL) {
-@@ -2921,3 +2914,39 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
-
- return 0;
- }
-+
-+int semanage_copy_policydb(semanage_handle_t *sh)
-+{
-+ const char *src = NULL;
-+ const char *dst = NULL;
-+ int rc = -1;
-+
-+ src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL);
-+ dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL);
-+
-+ rc = semanage_copy_file(src, dst, sh->conf->file_mode);
-+ if (rc != 0) {
-+ goto cleanup;
-+ }
-+
-+cleanup:
-+ return rc;
-+}
-+
-+int semanage_copy_fc_local(semanage_handle_t *sh)
-+{
-+ const char *src = NULL;
-+ const char *dst = NULL;
-+ int rc = -1;
-+
-+ src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
-+ dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL);
-+
-+ rc = semanage_copy_file(src, dst, sh->conf->file_mode);
-+ if (rc != 0) {
-+ goto cleanup;
-+ }
-+
-+cleanup:
-+ return rc;
-+}
-diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
-index 62c7079be12c..ade43f261ee0 100644
---- a/libsemanage/src/semanage_store.h
-+++ b/libsemanage/src/semanage_store.h
-@@ -55,6 +55,8 @@ enum semanage_sandbox_defs {
- SEMANAGE_DISABLE_DONTAUDIT,
- SEMANAGE_PRESERVE_TUNABLES,
- SEMANAGE_MODULES_DISABLED,
-+ SEMANAGE_STORE_KERNEL,
-+ SEMANAGE_STORE_FC_LOCAL,
- SEMANAGE_STORE_NUM_PATHS
- };
-
-@@ -148,4 +150,7 @@ int semanage_nc_sort(semanage_handle_t * sh,
- size_t buf_len,
- char **sorted_buf, size_t * sorted_buf_len);
-
-+int semanage_copy_policydb(semanage_handle_t *sh);
-+int semanage_copy_fc_local(semanage_handle_t *sh);
-+
- #endif
-diff --git a/libsemanage/src/users_base_policydb.c b/libsemanage/src/users_base_policydb.c
-index 0a6ab9cde09e..b42279c86fcd 100644
---- a/libsemanage/src/users_base_policydb.c
-+++ b/libsemanage/src/users_base_policydb.c
-@@ -50,10 +50,8 @@ int user_base_policydb_dbase_init(semanage_handle_t * handle,
- {
-
- if (dbase_policydb_init(handle,
-- semanage_final_path(SEMANAGE_FINAL_SELINUX,
-- SEMANAGE_KERNEL),
-- semanage_final_path(SEMANAGE_FINAL_TMP,
-- SEMANAGE_KERNEL),
-+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
-+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
- &SEMANAGE_USER_BASE_RTABLE,
- &SEMANAGE_USER_BASE_POLICYDB_RTABLE,
- &dconfig->dbase) < 0)
-diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
-index 2f85e9c561ae..b170edad3927 100755
---- a/libsemanage/utils/semanage_migrate_store
-+++ b/libsemanage/utils/semanage_migrate_store
-@@ -243,7 +243,8 @@ if __name__ == "__main__":
- "users.local",
- "users_extra.local",
- "disable_dontaudit",
-- "preserve_tunables" ]
-+ "preserve_tunables",
-+ "policy.kern" ]
-
-
- create_dir(newroot_path(), 0o755)
---
-2.5.1
-
diff --git a/0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch b/0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch
deleted file mode 100644
index fdcfd87e6fc0..000000000000
--- a/0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch
+++ /dev/null
@@ -1,265 +0,0 @@
-From b404a9391485a9642561ff48f1af4310c9054b50 Mon Sep 17 00:00:00 2001
-From: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
-Date: Tue, 21 Jul 2015 15:08:15 -0400
-Subject: [PATCH 3/5] libsemanage: Add file_contexts and seusers to the store
-
-This patch writes file_contexts and seusers to the policy store as well as
-/etc/selinux/. Additionally, file_contexts and seusers are now parsed from the
-store rather than the final directory which was the old behavior. This allows
-all policy related files to be kept in the policy store.
-
-Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
----
- libsemanage/src/direct_api.c | 69 +++++++++++++++++++++++++-------
- libsemanage/src/semanage_store.c | 49 ++++-------------------
- libsemanage/src/semanage_store.h | 5 ++-
- libsemanage/utils/semanage_migrate_store | 3 +-
- 4 files changed, 66 insertions(+), 60 deletions(-)
-
-diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
-index 820d351c90ae..fa4e0eed0603 100644
---- a/libsemanage/src/direct_api.c
-+++ b/libsemanage/src/direct_api.c
-@@ -248,18 +248,14 @@ int semanage_direct_connect(semanage_handle_t * sh)
- goto err;
-
- if (fcontext_file_dbase_init(sh,
-- semanage_final_path(SEMANAGE_FINAL_SELINUX,
-- SEMANAGE_FC),
-- semanage_final_path(SEMANAGE_FINAL_TMP,
-- SEMANAGE_FC),
-+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC),
-+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
- semanage_fcontext_dbase_policy(sh)) < 0)
- goto err;
-
- if (seuser_file_dbase_init(sh,
-- semanage_final_path(SEMANAGE_FINAL_SELINUX,
-- SEMANAGE_SEUSERS),
-- semanage_final_path(SEMANAGE_FINAL_TMP,
-- SEMANAGE_SEUSERS),
-+ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_SEUSERS),
-+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
- semanage_seuser_dbase_policy(sh)) < 0)
- goto err;
-
-@@ -578,7 +574,7 @@ static int semanage_direct_update_seuser(semanage_handle_t * sh, cil_db_t *cildb
- }
-
- if (size > 0) {
-- ofilename = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS);
-+ ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
- if (ofilename == NULL) {
- return -1;
- }
-@@ -957,7 +953,8 @@ static int semanage_direct_commit(semanage_handle_t * sh)
- size_t fc_buffer_len = 0;
- const char *ofilename = NULL;
- const char *path;
-- int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0;
-+ int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0,
-+ missing_seusers = 0, missing_fc = 0, missing = 0;
- sepol_policydb_t *out = NULL;
- struct cil_db *cildb = NULL;
- semanage_module_info_t *modinfos = NULL;
-@@ -1069,10 +1066,26 @@ static int semanage_direct_commit(semanage_handle_t * sh)
- if (access(path, F_OK) != 0) {
- missing_policy_kern = 1;
- }
-+
-+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
-+
-+ if (access(path, F_OK) != 0) {
-+ missing_fc = 1;
-+ }
-+
-+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
-+
-+ if (access(path, F_OK) != 0) {
-+ missing_seusers = 1;
-+ }
- }
-
-+ missing |= missing_policy_kern;
-+ missing |= missing_fc;
-+ missing |= missing_seusers;
-+
- /* If there were policy changes, or explicitly requested, rebuild the policy */
-- if (sh->do_rebuild || modified || missing_policy_kern) {
-+ if (sh->do_rebuild || modified || missing) {
- /* =================== Module expansion =============== */
-
- retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos);
-@@ -1232,15 +1245,41 @@ static int semanage_direct_commit(semanage_handle_t * sh)
- if (retval < 0)
- goto cleanup;
-
-- retval = semanage_copy_policydb(sh);
-- if (retval < 0)
-+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
-+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL),
-+ sh->conf->file_mode);
-+ if (retval < 0) {
- goto cleanup;
-+ }
-
- path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
- if (access(path, F_OK) == 0) {
-- retval = semanage_copy_fc_local(sh);
-- if (retval < 0)
-+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
-+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
-+ sh->conf->file_mode);
-+ if (retval < 0) {
- goto cleanup;
-+ }
-+ }
-+
-+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
-+ if (access(path, F_OK) == 0) {
-+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
-+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
-+ sh->conf->file_mode);
-+ if (retval < 0) {
-+ goto cleanup;
-+ }
-+ }
-+
-+ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
-+ if (access(path, F_OK) == 0) {
-+ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
-+ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
-+ sh->conf->file_mode);
-+ if (retval < 0) {
-+ goto cleanup;
-+ }
- }
-
- /* run genhomedircon if its enabled, this should be the last operation
-diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
-index 2856aaf25685..fa0876fa840d 100644
---- a/libsemanage/src/semanage_store.c
-+++ b/libsemanage/src/semanage_store.c
-@@ -111,7 +111,9 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
- "/preserve_tunables",
- "/modules/disabled",
- "/policy.kern",
-- "/file_contexts.local"
-+ "/file_contexts.local",
-+ "/file_contexts",
-+ "/seusers"
- };
-
- static char const * const semanage_final_prefix[SEMANAGE_FINAL_NUM] = {
-@@ -666,7 +668,7 @@ static int semanage_filename_select(const struct dirent *d)
-
- /* Copies a file from src to dst. If dst already exists then
- * overwrite it. Returns 0 on success, -1 on error. */
--static int semanage_copy_file(const char *src, const char *dst, mode_t mode)
-+int semanage_copy_file(const char *src, const char *dst, mode_t mode)
- {
- int in, out, retval = 0, amount_read, n, errsv = errno;
- char tmp[PATH_MAX];
-@@ -1425,11 +1427,11 @@ int semanage_split_fc(semanage_handle_t * sh)
- goto cleanup;
- }
-
-- fc = open(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
-+ fc = open(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
- O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
- if (fc < 0) {
- ERR(sh, "Could not open %s for writing.",
-- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC));
-+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC));
- goto cleanup;
- }
- hd = open(semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL),
-@@ -1454,8 +1456,7 @@ int semanage_split_fc(semanage_handle_t * sh)
- } else {
- if (write(fc, buf, strlen(buf)) < 0) {
- ERR(sh, "Write to %s failed.",
-- semanage_final_path(SEMANAGE_FINAL_TMP,
-- SEMANAGE_FC));
-+ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC));
- goto cleanup;
- }
- }
-@@ -2914,39 +2915,3 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
-
- return 0;
- }
--
--int semanage_copy_policydb(semanage_handle_t *sh)
--{
-- const char *src = NULL;
-- const char *dst = NULL;
-- int rc = -1;
--
-- src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL);
-- dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL);
--
-- rc = semanage_copy_file(src, dst, sh->conf->file_mode);
-- if (rc != 0) {
-- goto cleanup;
-- }
--
--cleanup:
-- return rc;
--}
--
--int semanage_copy_fc_local(semanage_handle_t *sh)
--{
-- const char *src = NULL;
-- const char *dst = NULL;
-- int rc = -1;
--
-- src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
-- dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL);
--
-- rc = semanage_copy_file(src, dst, sh->conf->file_mode);
-- if (rc != 0) {
-- goto cleanup;
-- }
--
--cleanup:
-- return rc;
--}
-diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
-index ade43f261ee0..acb6e3fd26f8 100644
---- a/libsemanage/src/semanage_store.h
-+++ b/libsemanage/src/semanage_store.h
-@@ -57,6 +57,8 @@ enum semanage_sandbox_defs {
- SEMANAGE_MODULES_DISABLED,
- SEMANAGE_STORE_KERNEL,
- SEMANAGE_STORE_FC_LOCAL,
-+ SEMANAGE_STORE_FC,
-+ SEMANAGE_STORE_SEUSERS,
- SEMANAGE_STORE_NUM_PATHS
- };
-
-@@ -150,7 +152,6 @@ int semanage_nc_sort(semanage_handle_t * sh,
- size_t buf_len,
- char **sorted_buf, size_t * sorted_buf_len);
-
--int semanage_copy_policydb(semanage_handle_t *sh);
--int semanage_copy_fc_local(semanage_handle_t *sh);
-+int semanage_copy_file(const char *src, const char *dst, mode_t mode);
-
- #endif
-diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
-index b170edad3927..644300277b62 100755
---- a/libsemanage/utils/semanage_migrate_store
-+++ b/libsemanage/utils/semanage_migrate_store
-@@ -244,7 +244,8 @@ if __name__ == "__main__":
- "users_extra.local",
- "disable_dontaudit",
- "preserve_tunables",
-- "policy.kern" ]
-+ "policy.kern",
-+ "file_contexts"]
-
-
- create_dir(newroot_path(), 0o755)
---
-2.5.1
-
diff --git a/0004-libsemanage-save-homedir_template-in-the-policy-stor.patch b/0004-libsemanage-save-homedir_template-in-the-policy-stor.patch
deleted file mode 100644
index 490630642ab9..000000000000
--- a/0004-libsemanage-save-homedir_template-in-the-policy-stor.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 95ea431f76b07b3e6c804b16cae8be38d2047d5a Mon Sep 17 00:00:00 2001
-From: Steve Lawrence <slawrence@tresys.com>
-Date: Thu, 3 Sep 2015 09:28:08 -0400
-Subject: [PATCH 4/5] libsemanage: save homedir_template in the policy store
- for genhomedircon
-
-We don't currently store homedir_template in the policy store, which
-means genhomedircon only has a template file to use if the
-homedir_template was generated from the file contexts in the same
-transaction. But homedir_template isn't always generated, as in the
-case with setsebool -P. In this and other cases, genhomedircon will not
-have a template file resulting in an empty file_contexts.homedir file.
-
-This commit changes this so that homedir_template is always stored in
-the policy store so it can be used by genhomedircon regardless of how
-policy was built. Also add the homedir_template file to the migration
-script.
-
-Signed-off by: Steve Lawrence <slawrence@tresys.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- libsemanage/src/direct_api.c | 1 -
- libsemanage/utils/semanage_migrate_store | 3 ++-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
-index fa4e0eed0603..d77a3e2dff12 100644
---- a/libsemanage/src/direct_api.c
-+++ b/libsemanage/src/direct_api.c
-@@ -1303,7 +1303,6 @@ static int semanage_direct_commit(semanage_handle_t * sh)
-
- /* remove files that are automatically generated and no longer needed */
- unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL));
-- unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL));
- unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA));
-
- if (sh->do_rebuild || modified || bools_modified || fcontexts_modified) {
-diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
-index 644300277b62..915471501174 100755
---- a/libsemanage/utils/semanage_migrate_store
-+++ b/libsemanage/utils/semanage_migrate_store
-@@ -245,7 +245,8 @@ if __name__ == "__main__":
- "disable_dontaudit",
- "preserve_tunables",
- "policy.kern",
-- "file_contexts"]
-+ "file_contexts",
-+ "homedir_template"]
-
-
- create_dir(newroot_path(), 0o755)
---
-2.5.1
-
diff --git a/0005-libsemanage-store-users_extra-in-the-policy-store.patch b/0005-libsemanage-store-users_extra-in-the-policy-store.patch
deleted file mode 100644
index e67c33943896..000000000000
--- a/0005-libsemanage-store-users_extra-in-the-policy-store.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From cee54248903f4560529eef7ca7051527dab51fd1 Mon Sep 17 00:00:00 2001
-From: Steve Lawrence <slawrence@tresys.com>
-Date: Thu, 3 Sep 2015 13:07:36 -0400
-Subject: [PATCH 5/5] libsemanage: store users_extra in the policy store
-
-users_extra is needed by genhomedircon and when listing seusers, so it
-must be kept in the policy store. Also move the FC_TMPL unlink() closer
-to where the FC_TMPL is created; not a functional change, but eaiser to
-follow.
-
-Signed-off-by: Steve Lawrence <slawrence@tresys.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- libsemanage/src/direct_api.c | 7 +++----
- libsemanage/utils/semanage_migrate_store | 1 +
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
-index d77a3e2dff12..0c6ed1f5703d 100644
---- a/libsemanage/src/direct_api.c
-+++ b/libsemanage/src/direct_api.c
-@@ -1160,6 +1160,9 @@ static int semanage_direct_commit(semanage_handle_t * sh)
- if (retval < 0)
- goto cleanup;
-
-+ /* remove FC_TMPL now that it is now longer needed */
-+ unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL));
-+
- pfcontexts->dtable->drop_cache(pfcontexts->dbase);
-
- /* SEUsers */
-@@ -1301,10 +1304,6 @@ static int semanage_direct_commit(semanage_handle_t * sh)
- sepol_policydb_free(out);
- out = NULL;
-
-- /* remove files that are automatically generated and no longer needed */
-- unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL));
-- unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA));
--
- if (sh->do_rebuild || modified || bools_modified || fcontexts_modified) {
- retval = semanage_install_sandbox(sh);
- }
-diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
-index 915471501174..dc02c27389f6 100755
---- a/libsemanage/utils/semanage_migrate_store
-+++ b/libsemanage/utils/semanage_migrate_store
-@@ -241,6 +241,7 @@ if __name__ == "__main__":
- "file_contexts.local",
- "seusers",
- "users.local",
-+ "users_extra",
- "users_extra.local",
- "disable_dontaudit",
- "preserve_tunables",
---
-2.5.1
-
diff --git a/PKGBUILD b/PKGBUILD
index 5283e3f783e2..a6ff4be9d4dc 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -4,48 +4,25 @@
# Contributor: Sergej Pupykin (pupykin <dot> s+arch <at> gmail <dot> com)
pkgname=libsemanage
-pkgver=2.4
-pkgrel=2
+pkgver=2.5
+pkgrel=1
pkgdesc="SELinux binary policy manipulation library"
arch=('i686' 'x86_64')
url='http://userspace.selinuxproject.org'
license=('GPL')
groups=('selinux')
makedepends=('flex' 'python2' 'python' 'swig')
-depends=('ustr-selinux' 'libselinux>=2.4' 'audit')
+depends=('ustr-selinux' 'libselinux>=2.5' 'audit')
optdepends=('python2: python2 bindings'
'python: python bindings')
options=(!emptydirs)
install=libsemanage.install
conflicts=("selinux-usr-${pkgname}")
provides=("selinux-usr-${pkgname}=${pkgver}-${pkgrel}")
-source=("https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20150202/${pkgname}-${pkgver}.tar.gz"
- "semanage.conf"
- '0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch'
- '0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch'
- '0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch'
- '0004-libsemanage-save-homedir_template-in-the-policy-stor.patch'
- '0005-libsemanage-store-users_extra-in-the-policy-store.patch'
- )
-sha256sums=('1a4cace4ef16786531ec075c0e7b2f961e2fee5dc86c5f983a689058899a6484'
- '5b0e6929428e095b561701ccdfa9c8b0c3d70dad3fc46e667eb46a85b246a4a0'
- '61a768144b740104fb2c17b6c15f10a207c0fa42d5faa611237f1df6b0a9c835'
- '3ac9a961efde8cbc091688ca3e42058baf37919b572abd96d0a8f8167f4f283c'
- '0324cfc186b09b748c74a64c74f9990dc7ee5497b8d450d4146f8fc73d6a710c'
- 'bb83007a0cee3e2f3193c4935b2956e9c1894d08146c36a72505248e22c158cf'
- '3497602b0b5095c08711fd922160b9bdefdb74dff39910b2cddf8480795580bb')
-
-prepare() {
- cd "${pkgname}-${pkgver}"
-
- # Apply upstream patches backported by Gentoo developers
- # Gentoo package: https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-libs/libsemanage/
- patch -Np2 -i ../0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch
- patch -Np2 -i ../0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch
- patch -Np2 -i ../0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch
- patch -Np2 -i ../0004-libsemanage-save-homedir_template-in-the-policy-stor.patch
- patch -Np2 -i ../0005-libsemanage-store-users_extra-in-the-policy-store.patch
-}
+source=("https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/${pkgname}-${pkgver}.tar.gz"
+ "semanage.conf")
+sha256sums=('46e2f36254369b6e91d1eea0460c262b139361b055a3a67d3ceea2d8ef72e006'
+ '5b0e6929428e095b561701ccdfa9c8b0c3d70dad3fc46e667eb46a85b246a4a0')
build() {
cd "${pkgname}-${pkgver}"
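Review bot: The new `sha256sums` entry for the 2.5 tarball is the only check on a file fetched from a wiki-hosted raw.githubusercontent.com path, and nothing in the hunk records where that hash came from. A checksum computed from the packager's own download protects later builds against a changed file, but it does not show that the first download was the upstream release. If upstream publishes a checksum or signature for the 20160223 release, a comment above `source=` such as `# sha256 compared with the value published on the upstream release page` would document the check. The same hunk drops `prepare()` and the five backported patches; the removed comment calls them upstream patches, so 2.5 presumably contains them, but the commit message does not say so.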