-rw-r--r-- | .SRCINFO | 17 | ||||
-rw-r--r-- | 0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch | 213 | ||||
-rw-r--r-- | 0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch | 318 | ||||
-rw-r--r-- | 0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch | 265 | ||||
-rw-r--r-- | 0004-libsemanage-save-homedir_template-in-the-policy-stor.patch | 54 | ||||
-rw-r--r-- | 0005-libsemanage-store-users_extra-in-the-policy-store.patch | 57 | ||||
-rw-r--r-- | PKGBUILD | 31 |
7 files changed, 949 insertions, 6 deletions
@@ -1,7 +1,7 @@ pkgbase = libsemanage pkgdesc = SELinux binary policy manipulation library pkgver = 2.4 - pkgrel = 1 + pkgrel = 2 url = http://userspace.selinuxproject.org install = libsemanage.install arch = i686 @@ -9,18 +9,31 @@ pkgbase = libsemanage groups = selinux license = GPL makedepends = flex + makedepends = python2 + makedepends = python + makedepends = swig depends = ustr depends = libselinux>=2.4 depends = audit optdepends = python2: python2 bindings optdepends = python: python bindings - provides = selinux-usr-libsemanage=2.4-1 + provides = selinux-usr-libsemanage=2.4-2 conflicts = selinux-usr-libsemanage options = !emptydirs source = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20150202/libsemanage-2.4.tar.gz source = semanage.conf + source = 0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch + source = 0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch + source = 0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch + source = 0004-libsemanage-save-homedir_template-in-the-policy-stor.patch + source = 0005-libsemanage-store-users_extra-in-the-policy-store.patch sha256sums = 1a4cace4ef16786531ec075c0e7b2f961e2fee5dc86c5f983a689058899a6484 sha256sums = 5b0e6929428e095b561701ccdfa9c8b0c3d70dad3fc46e667eb46a85b246a4a0 + sha256sums = 61a768144b740104fb2c17b6c15f10a207c0fa42d5faa611237f1df6b0a9c835 + sha256sums = 3ac9a961efde8cbc091688ca3e42058baf37919b572abd96d0a8f8167f4f283c + sha256sums = 0324cfc186b09b748c74a64c74f9990dc7ee5497b8d450d4146f8fc73d6a710c + sha256sums = bb83007a0cee3e2f3193c4935b2956e9c1894d08146c36a72505248e22c158cf + sha256sums = 3497602b0b5095c08711fd922160b9bdefdb74dff39910b2cddf8480795580bb pkgname = libsemanage diff --git a/0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch b/0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch new file mode 100644 index 000000000000..35924370cdf9 --- /dev/null 
+++ b/0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch 
@@ -0,0 +1,213 @@ +From c79e3964b33fdb170bba900ba1f3c040f5f70312 Mon Sep 17 00:00:00 2001 +From: Jason Zaman <jason@perfinion.com> +Date: Wed, 22 Apr 2015 23:05:48 +0400 +Subject: [PATCH 1/5] libsemanage: do not copy contexts in + semanage_migrate_store + +The modules from the old store were previously copied to the new one +using setfscreatecon and shutil.copy2(). Now that refpolicy has rules +about the new policy location[1], copying the contexts is redundant. + +More importantly, the setcreatefscon caused a constraint violation[2] +which made the migration fail. In python3, shutil.copy2() copies xattrs +as well which again causes problems. shutil.copy() is enough for our +needs here as it will copy the file and permissions in both py2 and 3. +We do not need the extra things that copy2() does (mtime, xattr, etc). + +[1] http://oss.tresys.com/pipermail/refpolicy/2014-December/007511.html + +[2] +type=AVC msg=audit(1429438272.872:1869): avc: denied { create } for pid=28739 comm="semanage_migrat" name="strict" scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:semanage_store_t tclass=dir permissive=0 + constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED +allow semanage_t semanage_store_t:dir create; + +Signed-off-by: Jason Zaman <jason@perfinion.com> +Acked-by: Steve Lawrence <slawrence@tresys.com> + +Changes from v1: + - Changed some methods to not take a src param anymore. 
+--- + libsemanage/utils/semanage_migrate_store | 77 ++++++++------------------------ + 1 file changed, 18 insertions(+), 59 deletions(-) + +diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store +index 03b492e05cbb..2f85e9c561ae 100755 +--- a/libsemanage/utils/semanage_migrate_store ++++ b/libsemanage/utils/semanage_migrate_store +@@ -8,7 +8,6 @@ import shutil + import sys + from optparse import OptionParser + +-import bz2 + import ctypes + + sepol = ctypes.cdll.LoadLibrary('libsepol.so') +@@ -21,41 +20,20 @@ except: + exit(1) + + +- +- +-# For some reason this function doesn't exist in libselinux :\ +-def copy_with_context(src, dst): ++def copy_file(src, dst): + if DEBUG: + print("copying %s to %s" % (src, dst)) + try: +- con = selinux.lgetfilecon_raw(src)[1] +- except: +- print("Could not get file context of %s" % src, file=sys.stderr) +- exit(1) +- +- try: +- selinux.setfscreatecon_raw(con) +- except: +- print("Could not set fs create context: %s" %con, file=sys.stderr) +- exit(1) +- +- try: +- shutil.copy2(src, dst) ++ shutil.copy(src, dst) + except OSError as the_err: + (err, strerr) = the_err.args + print("Could not copy %s to %s, %s" %(src, dst, strerr), file=sys.stderr) + exit(1) + +- try: +- selinux.setfscreatecon_raw(None) +- except: +- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr) + +-def create_dir_from(src, dst, mode): ++def create_dir(dst, mode): + if DEBUG: print("Making directory %s" % dst) + try: +- con = selinux.lgetfilecon_raw(src)[1] +- selinux.setfscreatecon_raw(con) + os.makedirs(dst, mode) + except OSError as the_err: + (err, stderr) = the_err.args +@@ -65,28 +43,18 @@ def create_dir_from(src, dst, mode): + print("Error creating %s" % dst, file=sys.stderr) + exit(1) + +- try: +- selinux.setfscreatecon_raw(None) +- except: +- print("Could not reset fs create context. 
May need to relabel system.", file=sys.stderr) + +-def create_file_from(src, dst): ++def create_file(dst): + if DEBUG: print("Making file %s" % dst) + try: +- con = selinux.lgetfilecon_raw(src)[1] +- selinux.setfscreatecon_raw(con) + open(dst, 'a').close() + except OSError as the_err: + (err, stderr) = the_err.args + print("Error creating %s" % dst, file=sys.stderr) + exit(1) + +- try: +- selinux.setfscreatecon_raw(None) +- except: +- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr) + +-def copy_module(store, name, con, base): ++def copy_module(store, name, base): + if DEBUG: print("Install module %s" % name) + (file, ext) = os.path.splitext(name) + if ext != ".pp": +@@ -94,8 +62,6 @@ def copy_module(store, name, con, base): + print("warning: %s has invalid extension, skipping" % name, file=sys.stderr) + return + try: +- selinux.setfscreatecon_raw(con) +- + if base: + root = oldstore_path(store) + else: +@@ -105,7 +71,7 @@ def copy_module(store, name, con, base): + + os.mkdir("%s/%s" % (bottomdir, file)) + +- copy_with_context(os.path.join(root, name), "%s/%s/hll" % (bottomdir, file)) ++ copy_file(os.path.join(root, name), "%s/%s/hll" % (bottomdir, file)) + + # This is the ext file that will eventually be used to choose a compiler + efile = open("%s/%s/lang_ext" % (bottomdir, file), "w+", 0o600) +@@ -116,15 +82,11 @@ def copy_module(store, name, con, base): + print("Error installing module %s" % name, file=sys.stderr) + exit(1) + +- try: +- selinux.setfscreatecon_raw(None) +- except: +- print("Could not reset fs create context. 
May need to relabel system.", file=sys.stderr) + +-def disable_module(file, root, name, disabledmodules): ++def disable_module(file, name, disabledmodules): + if DEBUG: print("Disabling %s" % name) + (disabledname, disabledext) = os.path.splitext(file) +- create_file_from(os.path.join(root, name), "%s/%s" % (disabledmodules, disabledname)) ++ create_file("%s/%s" % (disabledmodules, disabledname)) + + def migrate_store(store): + +@@ -138,17 +100,14 @@ def migrate_store(store): + print("Migrating from %s to %s" % (oldstore, newstore)) + + # Build up new directory structure +- create_dir_from(oldstore, "%s/%s" % (newroot_path(), store), 0o755) +- create_dir_from(oldstore, newstore, 0o700) +- create_dir_from(oldstore, newmodules, 0o700) +- create_dir_from(oldstore, bottomdir, 0o700) +- create_dir_from(oldstore, disabledmodules, 0o700) +- +- # use whatever the file context of bottomdir is for the module directories +- con = selinux.lgetfilecon_raw(bottomdir)[1] ++ create_dir("%s/%s" % (newroot_path(), store), 0o755) ++ create_dir(newstore, 0o700) ++ create_dir(newmodules, 0o700) ++ create_dir(bottomdir, 0o700) ++ create_dir(disabledmodules, 0o700) + + # Special case for base since it was in a different location +- copy_module(store, "base.pp", con, 1) ++ copy_module(store, "base.pp", 1) + + # Dir structure built, start copying files + for root, dirs, files in os.walk(oldstore): +@@ -161,7 +120,7 @@ def migrate_store(store): + newname = "seusers.local" + else: + newname = name +- copy_with_context(os.path.join(root, name), os.path.join(newstore, newname)) ++ copy_file(os.path.join(root, name), os.path.join(newstore, newname)) + + elif root == oldmodules: + # This should be the modules directory +@@ -171,9 +130,9 @@ def migrate_store(store): + print("Error installing module %s, name conflicts with base" % name, file=sys.stderr) + exit(1) + elif ext == ".disabled": +- disable_module(file, root, name, disabledmodules) ++ disable_module(file, name, disabledmodules) + else: 
+- copy_module(store, name, con, 0) ++ copy_module(store, name, 0) + + def rebuild_policy(): + # Ok, the modules are loaded, lets try to rebuild the policy +@@ -287,7 +246,7 @@ if __name__ == "__main__": + "preserve_tunables" ] + + +- create_dir_from(oldroot_path(), newroot_path(), 0o755) ++ create_dir(newroot_path(), 0o755) + + stores = None + if TYPE is not None: +-- +2.5.1 + diff --git a/0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch b/0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch new file mode 100644 index 000000000000..af255c95f26b --- /dev/null +++ b/0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch 
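Review bot: The migration script carried by this patch still creates the lang_ext file with `efile = open("%s/%s/lang_ext" % (bottomdir, file), "w+", 0o600)` (inner hunk `@@ -105,7 +71,7 @@` of copy_module), and in both Python 2 and 3 the third positional argument of the builtin open() is the buffering size, not the file mode, so the 0o600 is never applied and the file is created with the umask default. Since the backport already reworks this script, the same patch could fix it with `efile = os.fdopen(os.open("%s/%s/lang_ext" % (bottomdir, file), os.O_RDWR | os.O_CREAT | os.O_TRUNC, 0o600), "w+")`. Separately, the retained `(err, strerr) = the_err.args` in copy_file assumes a two-element args tuple; shutil.copy can raise OSError subclasses built from a single message string (shutil.SameFileError on Python 3.4+), which would replace the intended error message with a ValueError traceback. The body of copy_module is only partly visible in the inner hunks.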
@@ -0,0 +1,318 @@ +From 24feb06f1620de854f7ac7ec9b86b004c155f489 Mon Sep 17 00:00:00 2001 +From: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> +Date: Thu, 2 Jul 2015 09:27:36 -0400 +Subject: [PATCH 2/5] libsemanage: Add policy binary and file_contexts.local to + the store + +This patch writes policy.kern and file_contexts.local to the policy store as +well as /etc/selinux/. Additionally, policy.kern and file_contexts.local +are now parsed from the store rather than the final directory which was +the old behavior. This allows all policy related files to be kept in the +policy store. + +This patch also renames /var/lib/selinux/tmp to 'final' and changes +policy.kern in the store to longer be a symlink. + +Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> +--- + libsemanage/src/booleans_policydb.c | 6 ++-- + libsemanage/src/direct_api.c | 33 +++++++++++++++---- + libsemanage/src/interfaces_policydb.c | 6 ++-- + libsemanage/src/nodes_policydb.c | 6 ++-- + libsemanage/src/ports_policydb.c | 6 ++-- + libsemanage/src/semanage_store.c | 55 ++++++++++++++++++++++++-------- + libsemanage/src/semanage_store.h | 5 +++ + libsemanage/src/users_base_policydb.c | 6 ++-- + libsemanage/utils/semanage_migrate_store | 3 +- + 9 files changed, 86 insertions(+), 40 deletions(-) + +diff --git a/libsemanage/src/booleans_policydb.c b/libsemanage/src/booleans_policydb.c +index 74af2a3300e3..6869d6cd0417 100644 +--- a/libsemanage/src/booleans_policydb.c ++++ b/libsemanage/src/booleans_policydb.c +@@ -55,10 +55,8 @@ int bool_policydb_dbase_init(semanage_handle_t * handle, + { + + if (dbase_policydb_init(handle, +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_KERNEL), +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_KERNEL), ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL), ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL), + &SEMANAGE_BOOL_RTABLE, + &SEMANAGE_BOOL_POLICYDB_RTABLE, + &dconfig->dbase) < 0) +diff --git a/libsemanage/src/direct_api.c 
b/libsemanage/src/direct_api.c +index b0ed3388e27b..820d351c90ae 100644 +--- a/libsemanage/src/direct_api.c ++++ b/libsemanage/src/direct_api.c +@@ -196,10 +196,8 @@ int semanage_direct_connect(semanage_handle_t * sh) + goto err; + + if (fcontext_file_dbase_init(sh, +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_FC_LOCAL), +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_FC_LOCAL), ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC_LOCAL), ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL), + semanage_fcontext_dbase_local(sh)) < 0) + goto err; + +@@ -959,7 +957,7 @@ static int semanage_direct_commit(semanage_handle_t * sh) + size_t fc_buffer_len = 0; + const char *ofilename = NULL; + const char *path; +- int retval = -1, num_modinfos = 0, i; ++ int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0; + sepol_policydb_t *out = NULL; + struct cil_db *cildb = NULL; + semanage_module_info_t *modinfos = NULL; +@@ -1061,8 +1059,20 @@ static int semanage_direct_commit(semanage_handle_t * sh) + modified |= dontaudit_modified; + modified |= preserve_tunables_modified; + ++ /* This is for systems that have already migrated with an older version ++ * of semanage_migrate_store. The older version did not copy policy.kern so ++ * the policy binary must be rebuilt here. 
++ */ ++ if (!sh->do_rebuild && !modified) { ++ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL); ++ ++ if (access(path, F_OK) != 0) { ++ missing_policy_kern = 1; ++ } ++ } ++ + /* If there were policy changes, or explicitly requested, rebuild the policy */ +- if (sh->do_rebuild || modified) { ++ if (sh->do_rebuild || modified || missing_policy_kern) { + /* =================== Module expansion =============== */ + + retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos); +@@ -1222,6 +1232,17 @@ static int semanage_direct_commit(semanage_handle_t * sh) + if (retval < 0) + goto cleanup; + ++ retval = semanage_copy_policydb(sh); ++ if (retval < 0) ++ goto cleanup; ++ ++ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL); ++ if (access(path, F_OK) == 0) { ++ retval = semanage_copy_fc_local(sh); ++ if (retval < 0) ++ goto cleanup; ++ } ++ + /* run genhomedircon if its enabled, this should be the last operation + * which requires the out policydb */ + if (!sh->conf->disable_genhomedircon) { +diff --git a/libsemanage/src/interfaces_policydb.c b/libsemanage/src/interfaces_policydb.c +index 6a42eedf32bf..552ce7d50c5c 100644 +--- a/libsemanage/src/interfaces_policydb.c ++++ b/libsemanage/src/interfaces_policydb.c +@@ -51,10 +51,8 @@ int iface_policydb_dbase_init(semanage_handle_t * handle, + { + + if (dbase_policydb_init(handle, +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_KERNEL), +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_KERNEL), ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL), ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL), + &SEMANAGE_IFACE_RTABLE, + &SEMANAGE_IFACE_POLICYDB_RTABLE, + &dconfig->dbase) < 0) +diff --git a/libsemanage/src/nodes_policydb.c b/libsemanage/src/nodes_policydb.c +index 56012fbf1c64..7224f0084758 100644 +--- a/libsemanage/src/nodes_policydb.c ++++ b/libsemanage/src/nodes_policydb.c +@@ -50,10 +50,8 @@ int node_policydb_dbase_init(semanage_handle_t * handle, + { + + if 
(dbase_policydb_init(handle, +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_KERNEL), +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_KERNEL), ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL), ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL), + &SEMANAGE_NODE_RTABLE, + &SEMANAGE_NODE_POLICYDB_RTABLE, + &dconfig->dbase) < 0) +diff --git a/libsemanage/src/ports_policydb.c b/libsemanage/src/ports_policydb.c +index b9600f056aad..37d7deb2735c 100644 +--- a/libsemanage/src/ports_policydb.c ++++ b/libsemanage/src/ports_policydb.c +@@ -50,10 +50,8 @@ int port_policydb_dbase_init(semanage_handle_t * handle, + { + + if (dbase_policydb_init(handle, +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_KERNEL), +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_KERNEL), ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL), ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL), + &SEMANAGE_PORT_RTABLE, + &SEMANAGE_PORT_POLICYDB_RTABLE, + &dconfig->dbase) < 0) +diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c +index 6051691bbb2f..2856aaf25685 100644 +--- a/libsemanage/src/semanage_store.c ++++ b/libsemanage/src/semanage_store.c +@@ -110,10 +110,12 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = { + "/disable_dontaudit", + "/preserve_tunables", + "/modules/disabled", ++ "/policy.kern", ++ "/file_contexts.local" + }; + + static char const * const semanage_final_prefix[SEMANAGE_FINAL_NUM] = { +- "/tmp", ++ "/final", + "", + }; + +@@ -943,9 +945,7 @@ int semanage_make_final(semanage_handle_t *sh) + goto cleanup; + } + +- /* Copy in exported databases. +- * i = 1 to avoid copying the top level directory. 
+- */ ++ // Build final directory structure + int i; + for (i = 1; i < SEMANAGE_FINAL_PATH_NUM; i++) { + if (strlen(semanage_final_path(SEMANAGE_FINAL_TMP, i)) >= sizeof(fn)) { +@@ -959,12 +959,6 @@ int semanage_make_final(semanage_handle_t *sh) + status = -1; + goto cleanup; + } +- +- semanage_copy_file( +- semanage_final_path(SEMANAGE_FINAL_SELINUX, i), +- semanage_final_path(SEMANAGE_FINAL_TMP, i), +- sh->conf->file_mode); +- /* ignore errors, these files may not exist */ + } + + cleanup: +@@ -2019,8 +2013,7 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in) + FILE *infile = NULL; + + if ((kernel_filename = +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_KERNEL)) == NULL) { ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL)) == NULL) { + goto cleanup; + } + if ((infile = fopen(kernel_filename, "r")) == NULL) { +@@ -2061,7 +2054,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out) + FILE *outfile = NULL; + + if ((kernel_filename = +- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL)) == NULL) { ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL)) == NULL) { + goto cleanup; + } + if ((outfile = fopen(kernel_filename, "wb")) == NULL) { +@@ -2921,3 +2914,39 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len, + + return 0; + } ++ ++int semanage_copy_policydb(semanage_handle_t *sh) ++{ ++ const char *src = NULL; ++ const char *dst = NULL; ++ int rc = -1; ++ ++ src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL); ++ dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL); ++ ++ rc = semanage_copy_file(src, dst, sh->conf->file_mode); ++ if (rc != 0) { ++ goto cleanup; ++ } ++ ++cleanup: ++ return rc; ++} ++ ++int semanage_copy_fc_local(semanage_handle_t *sh) ++{ ++ const char *src = NULL; ++ const char *dst = NULL; ++ int rc = -1; ++ ++ src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL); ++ dst = semanage_final_path(SEMANAGE_FINAL_TMP, 
SEMANAGE_FC_LOCAL); ++ ++ rc = semanage_copy_file(src, dst, sh->conf->file_mode); ++ if (rc != 0) { ++ goto cleanup; ++ } ++ ++cleanup: ++ return rc; ++} +diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h +index 62c7079be12c..ade43f261ee0 100644 +--- a/libsemanage/src/semanage_store.h ++++ b/libsemanage/src/semanage_store.h +@@ -55,6 +55,8 @@ enum semanage_sandbox_defs { + SEMANAGE_DISABLE_DONTAUDIT, + SEMANAGE_PRESERVE_TUNABLES, + SEMANAGE_MODULES_DISABLED, ++ SEMANAGE_STORE_KERNEL, ++ SEMANAGE_STORE_FC_LOCAL, + SEMANAGE_STORE_NUM_PATHS + }; + +@@ -148,4 +150,7 @@ int semanage_nc_sort(semanage_handle_t * sh, + size_t buf_len, + char **sorted_buf, size_t * sorted_buf_len); + ++int semanage_copy_policydb(semanage_handle_t *sh); ++int semanage_copy_fc_local(semanage_handle_t *sh); ++ + #endif +diff --git a/libsemanage/src/users_base_policydb.c b/libsemanage/src/users_base_policydb.c +index 0a6ab9cde09e..b42279c86fcd 100644 +--- a/libsemanage/src/users_base_policydb.c ++++ b/libsemanage/src/users_base_policydb.c +@@ -50,10 +50,8 @@ int user_base_policydb_dbase_init(semanage_handle_t * handle, + { + + if (dbase_policydb_init(handle, +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_KERNEL), +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_KERNEL), ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL), ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL), + &SEMANAGE_USER_BASE_RTABLE, + &SEMANAGE_USER_BASE_POLICYDB_RTABLE, + &dconfig->dbase) < 0) +diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store +index 2f85e9c561ae..b170edad3927 100755 +--- a/libsemanage/utils/semanage_migrate_store ++++ b/libsemanage/utils/semanage_migrate_store +@@ -243,7 +243,8 @@ if __name__ == "__main__": + "users.local", + "users_extra.local", + "disable_dontaudit", +- "preserve_tunables" ] ++ "preserve_tunables", ++ "policy.kern" ] + + + create_dir(newroot_path(), 0o755) +-- +2.5.1 + 
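Review bot: The new `missing_policy_kern` check in semanage_direct_commit passes the result of `semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL)` straight to access(), while semanage_read_policydb and semanage_write_policydb in the same patch test that return value against NULL before using it; if semanage_path() can return NULL, `access(NULL, F_OK)` is undefined behaviour rather than a clean failure. Handling it as those callers do, `if (path == NULL) { retval = -1; goto cleanup; }` before the access() call, keeps the commit path consistent. The same unchecked pattern is repeated for SEMANAGE_STORE_FC and SEMANAGE_STORE_SEUSERS in patch 0003, where the copy calls also feed semanage_path()/semanage_final_path() results directly into semanage_copy_file(). As a style point, `// Build final directory structure` in semanage_make_final is a C++-style comment in a file that otherwise uses /* */ block comments. semanage_direct_commit begins and ends outside the inner hunks.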
diff --git a/0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch b/0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch new file mode 100644 index 000000000000..fdcfd87e6fc0 --- /dev/null +++ b/0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch 
@@ -0,0 +1,265 @@ +From b404a9391485a9642561ff48f1af4310c9054b50 Mon Sep 17 00:00:00 2001 +From: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> +Date: Tue, 21 Jul 2015 15:08:15 -0400 +Subject: [PATCH 3/5] libsemanage: Add file_contexts and seusers to the store + +This patch writes file_contexts and seusers to the policy store as well as +/etc/selinux/. Additionally, file_contexts and seusers are now parsed from the +store rather than the final directory which was the old behavior. This allows +all policy related files to be kept in the policy store. + +Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> +--- + libsemanage/src/direct_api.c | 69 +++++++++++++++++++++++++------- + libsemanage/src/semanage_store.c | 49 ++++------------------- + libsemanage/src/semanage_store.h | 5 ++- + libsemanage/utils/semanage_migrate_store | 3 +- + 4 files changed, 66 insertions(+), 60 deletions(-) + +diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c +index 820d351c90ae..fa4e0eed0603 100644 +--- a/libsemanage/src/direct_api.c ++++ b/libsemanage/src/direct_api.c +@@ -248,18 +248,14 @@ int semanage_direct_connect(semanage_handle_t * sh) + goto err; + + if (fcontext_file_dbase_init(sh, +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_FC), +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_FC), ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC), ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC), + semanage_fcontext_dbase_policy(sh)) < 0) + goto err; + + if (seuser_file_dbase_init(sh, +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_SEUSERS), +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_SEUSERS), ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_SEUSERS), ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS), + semanage_seuser_dbase_policy(sh)) < 0) + goto err; + +@@ -578,7 +574,7 @@ static int semanage_direct_update_seuser(semanage_handle_t * sh, cil_db_t *cildb + } + + if (size > 0) { +- ofilename = 
semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS); ++ ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS); + if (ofilename == NULL) { + return -1; + } +@@ -957,7 +953,8 @@ static int semanage_direct_commit(semanage_handle_t * sh) + size_t fc_buffer_len = 0; + const char *ofilename = NULL; + const char *path; +- int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0; ++ int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0, ++ missing_seusers = 0, missing_fc = 0, missing = 0; + sepol_policydb_t *out = NULL; + struct cil_db *cildb = NULL; + semanage_module_info_t *modinfos = NULL; +@@ -1069,10 +1066,26 @@ static int semanage_direct_commit(semanage_handle_t * sh) + if (access(path, F_OK) != 0) { + missing_policy_kern = 1; + } ++ ++ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC); ++ ++ if (access(path, F_OK) != 0) { ++ missing_fc = 1; ++ } ++ ++ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS); ++ ++ if (access(path, F_OK) != 0) { ++ missing_seusers = 1; ++ } + } + ++ missing |= missing_policy_kern; ++ missing |= missing_fc; ++ missing |= missing_seusers; ++ + /* If there were policy changes, or explicitly requested, rebuild the policy */ +- if (sh->do_rebuild || modified || missing_policy_kern) { ++ if (sh->do_rebuild || modified || missing) { + /* =================== Module expansion =============== */ + + retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos); +@@ -1232,15 +1245,41 @@ static int semanage_direct_commit(semanage_handle_t * sh) + if (retval < 0) + goto cleanup; + +- retval = semanage_copy_policydb(sh); +- if (retval < 0) ++ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL), ++ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL), ++ sh->conf->file_mode); ++ if (retval < 0) { + goto cleanup; ++ } + + path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL); + if (access(path, F_OK) == 0) { +- retval = semanage_copy_fc_local(sh); +- if (retval < 0) ++ 
retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL), ++ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL), ++ sh->conf->file_mode); ++ if (retval < 0) { + goto cleanup; ++ } ++ } ++ ++ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC); ++ if (access(path, F_OK) == 0) { ++ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC), ++ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC), ++ sh->conf->file_mode); ++ if (retval < 0) { ++ goto cleanup; ++ } ++ } ++ ++ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS); ++ if (access(path, F_OK) == 0) { ++ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS), ++ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS), ++ sh->conf->file_mode); ++ if (retval < 0) { ++ goto cleanup; ++ } + } + + /* run genhomedircon if its enabled, this should be the last operation +diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c +index 2856aaf25685..fa0876fa840d 100644 +--- a/libsemanage/src/semanage_store.c ++++ b/libsemanage/src/semanage_store.c +@@ -111,7 +111,9 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = { + "/preserve_tunables", + "/modules/disabled", + "/policy.kern", +- "/file_contexts.local" ++ "/file_contexts.local", ++ "/file_contexts", ++ "/seusers" + }; + + static char const * const semanage_final_prefix[SEMANAGE_FINAL_NUM] = { +@@ -666,7 +668,7 @@ static int semanage_filename_select(const struct dirent *d) + + /* Copies a file from src to dst. If dst already exists then + * overwrite it. Returns 0 on success, -1 on error. 
*/ +-static int semanage_copy_file(const char *src, const char *dst, mode_t mode) ++int semanage_copy_file(const char *src, const char *dst, mode_t mode) + { + int in, out, retval = 0, amount_read, n, errsv = errno; + char tmp[PATH_MAX]; +@@ -1425,11 +1427,11 @@ int semanage_split_fc(semanage_handle_t * sh) + goto cleanup; + } + +- fc = open(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC), ++ fc = open(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC), + O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR); + if (fc < 0) { + ERR(sh, "Could not open %s for writing.", +- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC)); ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC)); + goto cleanup; + } + hd = open(semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL), +@@ -1454,8 +1456,7 @@ int semanage_split_fc(semanage_handle_t * sh) + } else { + if (write(fc, buf, strlen(buf)) < 0) { + ERR(sh, "Write to %s failed.", +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_FC)); ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC)); + goto cleanup; + } + } +@@ -2914,39 +2915,3 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len, + + return 0; + } +- +-int semanage_copy_policydb(semanage_handle_t *sh) +-{ +- const char *src = NULL; +- const char *dst = NULL; +- int rc = -1; +- +- src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL); +- dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL); +- +- rc = semanage_copy_file(src, dst, sh->conf->file_mode); +- if (rc != 0) { +- goto cleanup; +- } +- +-cleanup: +- return rc; +-} +- +-int semanage_copy_fc_local(semanage_handle_t *sh) +-{ +- const char *src = NULL; +- const char *dst = NULL; +- int rc = -1; +- +- src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL); +- dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL); +- +- rc = semanage_copy_file(src, dst, sh->conf->file_mode); +- if (rc != 0) { +- goto cleanup; +- } +- +-cleanup: +- return rc; +-} +diff --git 
a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h +index ade43f261ee0..acb6e3fd26f8 100644 +--- a/libsemanage/src/semanage_store.h ++++ b/libsemanage/src/semanage_store.h +@@ -57,6 +57,8 @@ enum semanage_sandbox_defs { + SEMANAGE_MODULES_DISABLED, + SEMANAGE_STORE_KERNEL, + SEMANAGE_STORE_FC_LOCAL, ++ SEMANAGE_STORE_FC, ++ SEMANAGE_STORE_SEUSERS, + SEMANAGE_STORE_NUM_PATHS + }; + +@@ -150,7 +152,6 @@ int semanage_nc_sort(semanage_handle_t * sh, + size_t buf_len, + char **sorted_buf, size_t * sorted_buf_len); + +-int semanage_copy_policydb(semanage_handle_t *sh); +-int semanage_copy_fc_local(semanage_handle_t *sh); ++int semanage_copy_file(const char *src, const char *dst, mode_t mode); + + #endif +diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store +index b170edad3927..644300277b62 100755 +--- a/libsemanage/utils/semanage_migrate_store ++++ b/libsemanage/utils/semanage_migrate_store +@@ -244,7 +244,8 @@ if __name__ == "__main__": + "users_extra.local", + "disable_dontaudit", + "preserve_tunables", +- "policy.kern" ] ++ "policy.kern", ++ "file_contexts"] + + + create_dir(newroot_path(), 0o755) +-- +2.5.1 + diff --git a/0004-libsemanage-save-homedir_template-in-the-policy-stor.patch b/0004-libsemanage-save-homedir_template-in-the-policy-stor.patch new file mode 100644 index 000000000000..490630642ab9 --- /dev/null +++ b/0004-libsemanage-save-homedir_template-in-the-policy-stor.patch 
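Review bot: The rebuild trigger and the copy guards in semanage_direct_commit disagree for seusers: `missing_seusers` is set whenever the store has no seusers file, but semanage_direct_update_seuser writes that file only `if (size > 0)`, so on a policy that defines no seuser mappings every commit with no modifications would detect it as missing and run the full module expansion again, while the final-dir copy is still skipped by the `access(path, F_OK) == 0` guard — unless something not shown in this hunk always creates the file. If that reading is right, the trigger should fire only for files a rebuild is guaranteed to produce, or the update functions should always write the store file, possibly empty, after a rebuild. A comment at the `missing |= ...` lines would at least make the invariant explicit, e.g. `/* NOTE: seusers is only written when non-empty; a missing file here forces a full rebuild */`. semanage_direct_commit is only partly visible in the inner hunks.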
@@ -0,0 +1,54 @@ +From 95ea431f76b07b3e6c804b16cae8be38d2047d5a Mon Sep 17 00:00:00 2001 +From: Steve Lawrence <slawrence@tresys.com> +Date: Thu, 3 Sep 2015 09:28:08 -0400 +Subject: [PATCH 4/5] libsemanage: save homedir_template in the policy store + for genhomedircon + +We don't currently store homedir_template in the policy store, which +means genhomedircon only has a template file to use if the +homedir_template was generated from the file contexts in the same +transaction. But homedir_template isn't always generated, as in the +case with setsebool -P. In this and other cases, genhomedircon will not +have a template file resulting in an empty file_contexts.homedir file. + +This commit changes this so that homedir_template is always stored in +the policy store so it can be used by genhomedircon regardless of how +policy was built. Also add the homedir_template file to the migration +script. + +Signed-off by: Steve Lawrence <slawrence@tresys.com> +Acked-by: Stephen Smalley <sds@tycho.nsa.gov> +--- + libsemanage/src/direct_api.c | 1 - + libsemanage/utils/semanage_migrate_store | 3 ++- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c +index fa4e0eed0603..d77a3e2dff12 100644 +--- a/libsemanage/src/direct_api.c ++++ b/libsemanage/src/direct_api.c +@@ -1303,7 +1303,6 @@ static int semanage_direct_commit(semanage_handle_t * sh) + + /* remove files that are automatically generated and no longer needed */ + unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL)); +- unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL)); + unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA)); + + if (sh->do_rebuild || modified || bools_modified || fcontexts_modified) { +diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store +index 644300277b62..915471501174 100755 +--- a/libsemanage/utils/semanage_migrate_store ++++ b/libsemanage/utils/semanage_migrate_store +@@ 
-245,7 +245,8 @@ if __name__ == "__main__": + "disable_dontaudit", + "preserve_tunables", + "policy.kern", +- "file_contexts"] ++ "file_contexts", ++ "homedir_template"] + + + create_dir(newroot_path(), 0o755) +-- +2.5.1 + diff --git a/0005-libsemanage-store-users_extra-in-the-policy-store.patch b/0005-libsemanage-store-users_extra-in-the-policy-store.patch new file mode 100644 index 000000000000..e67c33943896 --- /dev/null +++ b/0005-libsemanage-store-users_extra-in-the-policy-store.patch 
@@ -0,0 +1,57 @@ +From cee54248903f4560529eef7ca7051527dab51fd1 Mon Sep 17 00:00:00 2001 +From: Steve Lawrence <slawrence@tresys.com> +Date: Thu, 3 Sep 2015 13:07:36 -0400 +Subject: [PATCH 5/5] libsemanage: store users_extra in the policy store + +users_extra is needed by genhomedircon and when listing seusers, so it +must be kept in the policy store. Also move the FC_TMPL unlink() closer +to where the FC_TMPL is created; not a functional change, but eaiser to +follow. + +Signed-off-by: Steve Lawrence <slawrence@tresys.com> +Acked-by: Stephen Smalley <sds@tycho.nsa.gov> +--- + libsemanage/src/direct_api.c | 7 +++---- + libsemanage/utils/semanage_migrate_store | 1 + + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c +index d77a3e2dff12..0c6ed1f5703d 100644 +--- a/libsemanage/src/direct_api.c ++++ b/libsemanage/src/direct_api.c +@@ -1160,6 +1160,9 @@ static int semanage_direct_commit(semanage_handle_t * sh) + if (retval < 0) + goto cleanup; + ++ /* remove FC_TMPL now that it is now longer needed */ ++ unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL)); ++ + pfcontexts->dtable->drop_cache(pfcontexts->dbase); + + /* SEUsers */ +@@ -1301,10 +1304,6 @@ static int semanage_direct_commit(semanage_handle_t * sh) + sepol_policydb_free(out); + out = NULL; + +- /* remove files that are automatically generated and no longer needed */ +- unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL)); +- unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA)); +- + if (sh->do_rebuild || modified || bools_modified || fcontexts_modified) { + retval = semanage_install_sandbox(sh); + } +diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store +index 915471501174..dc02c27389f6 100755 +--- a/libsemanage/utils/semanage_migrate_store ++++ b/libsemanage/utils/semanage_migrate_store +@@ -241,6 +241,7 @@ if __name__ == "__main__": + "file_contexts.local", + "seusers", + 
"users.local", ++ "users_extra", + "users_extra.local", + "disable_dontaudit", + "preserve_tunables", +-- +2.5.1 + @@ -5,13 +5,13 @@ pkgname=libsemanage pkgver=2.4 -pkgrel=1 +pkgrel=2 pkgdesc="SELinux binary policy manipulation library" arch=('i686' 'x86_64') url='http://userspace.selinuxproject.org' license=('GPL') groups=('selinux') -makedepends=('flex') +makedepends=('flex' 'python2' 'python' 'swig') depends=('ustr' 'libselinux>=2.4' 'audit') optdepends=('python2: python2 bindings' 'python: python bindings') 
@@ -20,9 +20,32 @@ install=libsemanage.install conflicts=("selinux-usr-${pkgname}") provides=("selinux-usr-${pkgname}=${pkgver}-${pkgrel}") source=("https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20150202/${pkgname}-${pkgver}.tar.gz" - "semanage.conf") + "semanage.conf" + '0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch' + '0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch' + '0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch' + '0004-libsemanage-save-homedir_template-in-the-policy-stor.patch' + '0005-libsemanage-store-users_extra-in-the-policy-store.patch' + ) sha256sums=('1a4cace4ef16786531ec075c0e7b2f961e2fee5dc86c5f983a689058899a6484' - '5b0e6929428e095b561701ccdfa9c8b0c3d70dad3fc46e667eb46a85b246a4a0') + '5b0e6929428e095b561701ccdfa9c8b0c3d70dad3fc46e667eb46a85b246a4a0' + '61a768144b740104fb2c17b6c15f10a207c0fa42d5faa611237f1df6b0a9c835' + '3ac9a961efde8cbc091688ca3e42058baf37919b572abd96d0a8f8167f4f283c' + '0324cfc186b09b748c74a64c74f9990dc7ee5497b8d450d4146f8fc73d6a710c' + 'bb83007a0cee3e2f3193c4935b2956e9c1894d08146c36a72505248e22c158cf' + '3497602b0b5095c08711fd922160b9bdefdb74dff39910b2cddf8480795580bb') + +prepare() { + cd "${pkgname}-${pkgver}" + + # Apply upstream patches backported by Gentoo developers + # Gentoo package: https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-libs/libsemanage/ + patch -Np2 -i ../0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch + patch -Np2 -i ../0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch + patch -Np2 -i ../0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch + patch -Np2 -i ../0004-libsemanage-save-homedir_template-in-the-policy-stor.patch + patch -Np2 -i ../0005-libsemanage-store-users_extra-in-the-policy-store.patch +} build() { cd "${pkgname}-${pkgver}" |
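Review bot: The comment in prepare() attributes the patches to Gentoo, but the patch files themselves carry the upstream author and commit ids (e.g. `From 95ea431f76b07b3e6c804b16cae8be38d2047d5a` in 0004 and `From cee54248903f4560529eef7ca7051527dab51fd1` in 0005), and citing those ids next to the Gentoo link lets a reader verify each backport against the upstream repository rather than a downstream copy. The comment could also state what the set changes, since patches 0003–0005 keep file_contexts, homedir_template and users_extra in the policy store and extend the file list in semanage_migrate_store, which is behaviour a maintainer of an existing store will want to know about. The five near-identical `patch -Np2 -i` lines could become a loop such as `for p in "${srcdir}"/000[1-5]-libsemanage-*.patch; do` / `    patch -Np2 -i "$p"` / `done`, keeping source= as the single place the patch set is declared. `-p2` relies on every patch using `a/libsemanage/…` paths, which holds for the hunks visible here.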