Hello community, here is the log from the commit of package libsemanage checked in at Tue Sep 2 12:29:51 CEST 2008. -------- --- libsemanage/libsemanage.changes 2008-08-01 17:32:23.000000000 +0200 +++ /mounts/work_src_done/STABLE/libsemanage/libsemanage.changes 2008-09-02 12:14:39.000000000 +0200 @@ -1,0 +2,11 @@ +Tue Sep 2 12:13:42 CEST 2008 - prusnak@suse.cz + +- updated to 2.0.27 + * Modify genhomedircon to skip %groupname entries. + Ultimately we need to expand them to the list of users to support + per-role homedir labeling when using the %groupname syntax. +- updated to 2.0.26 + * Fix bug in genhomedircon fcontext matches logic from Dan Walsh. + Strip any trailing slash before appending /*$. + +------------------------------------------------------------------- Old: ---- libsemanage-2.0.25-rhat.patch libsemanage-2.0.25.tar.bz2 New: ---- libsemanage-2.0.27-rhat.patch libsemanage-2.0.27.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libsemanage.spec ++++++ --- /var/tmp/diff_new_pack.N14046/_old 2008-09-02 12:29:45.000000000 +0200 +++ /var/tmp/diff_new_pack.N14046/_new 2008-09-02 12:29:45.000000000 +0200 @@ -1,10 +1,17 @@ # -# spec file for package libsemanage (Version 2.0.25) +# spec file for package libsemanage (Version 2.0.27) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. -# This file and all modifications and additions to the pristine -# package are under the same license as the package itself. # +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + # Please submit bugfixes or comments via http://bugs.opensuse.org/ # @@ -17,8 +24,8 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libsemanage -Version: 2.0.25 -Release: 2 +Version: 2.0.27 +Release: 1 Url: http://www.nsa.gov/selinux/ License: LGPL v2.1 only Group: System/Libraries @@ -29,14 +36,14 @@ %define debug_package_requires libsemanage1 = %{version} %description -Security-enhanced Linux is a feature of the Linux� kernel and a number -of utilities with enhanced security functionality designed to add -mandatory access controls to Linux. The Security-enhanced Linux kernel -contains new architectural components originally developed to improve -the security of the Flask operating system. These architectural +Security-enhanced Linux is a feature of the Linux(R) kernel and a +number of utilities with enhanced security functionality designed to +add mandatory access controls to Linux. The Security-enhanced Linux +kernel contains new architectural components originally developed to +improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the -concepts of Type Enforcement�, Role-based Access Control, and +concepts of Type Enforcement(R), Role-based Access Control, and Multi-level Security. libsemanage provides an API for the manipulation of SELinux binary @@ -53,14 +60,14 @@ Summary: SELinux binary policy manipulation library %description -n libsemanage1 -Security-enhanced Linux is a feature of the Linux� kernel and a number -of utilities with enhanced security functionality designed to add -mandatory access controls to Linux. The Security-enhanced Linux kernel -contains new architectural components originally developed to improve -the security of the Flask operating system. These architectural +Security-enhanced Linux is a feature of the Linux(R) kernel and a +number of utilities with enhanced security functionality designed to +add mandatory access controls to Linux. The Security-enhanced Linux +kernel contains new architectural components originally developed to +improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the -concepts of Type Enforcement�, Role-based Access Control, and +concepts of Type Enforcement(R), Role-based Access Control, and Multi-level Security. libsemanage provides an API for the manipulation of SELinux binary @@ -78,14 +85,14 @@ Requires: libsemanage1 = %{version}-%{release} libustr-devel %description devel -Security-enhanced Linux is a feature of the Linux� kernel and a number -of utilities with enhanced security functionality designed to add -mandatory access controls to Linux. The Security-enhanced Linux kernel -contains new architectural components originally developed to improve -the security of the Flask operating system. These architectural +Security-enhanced Linux is a feature of the Linux(R) kernel and a +number of utilities with enhanced security functionality designed to +add mandatory access controls to Linux. The Security-enhanced Linux +kernel contains new architectural components originally developed to +improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the -concepts of Type Enforcement�, Role-based Access Control, and +concepts of Type Enforcement(R), Role-based Access Control, and Multi-level Security. libsemanage provides an API for the manipulation of SELinux binary @@ -161,6 +168,14 @@ %{_libdir}/python*/site-packages/* %changelog +* Tue Sep 02 2008 prusnak@suse.cz +- updated to 2.0.27 + * Modify genhomedircon to skip %%groupname entries. + Ultimately we need to expand them to the list of users to support + per-role homedir labeling when using the %%groupname syntax. +- updated to 2.0.26 + * Fix bug in genhomedircon fcontext matches logic from Dan Walsh. + Strip any trailing slash before appending /*$. * Fri Aug 01 2008 ro@suse.de - fix requires for debuginfo package * Tue Jul 15 2008 prusnak@suse.cz ++++++ libsemanage-2.0.25-rhat.patch -> libsemanage-2.0.27-rhat.patch ++++++ --- libsemanage/libsemanage-2.0.25-rhat.patch 2008-01-29 14:36:49.000000000 +0100 +++ /mounts/work_src_done/STABLE/libsemanage/libsemanage-2.0.27-rhat.patch 2008-08-29 20:57:16.000000000 +0200 @@ -1,7 +1,91 @@ -diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libsemanage-2.0.15/src/genhomedircon.c ---- nsalibsemanage/src/genhomedircon.c 2008-01-28 16:52:22.000000000 -0500 -+++ libsemanage-2.0.15/src/genhomedircon.c 2008-01-25 10:28:39.000000000 -0500 -@@ -406,7 +406,6 @@ +diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c libsemanage-2.0.27/src/direct_api.c +--- nsalibsemanage/src/direct_api.c 2008-06-12 23:25:16.000000000 -0400 ++++ libsemanage-2.0.27/src/direct_api.c 2008-08-26 10:25:38.000000000 -0400 +@@ -489,12 +489,6 @@ + modified |= ifaces->dtable->is_modified(ifaces->dbase); + modified |= nodes->dtable->is_modified(nodes->dbase); + +- /* FIXME: get rid of these, once we support loading the existing policy, +- * instead of rebuilding it */ +- modified |= seusers_modified; +- modified |= fcontexts_modified; +- modified |= users_extra_modified; +- + /* If there were policy changes, or explicitly requested, rebuild the policy */ + if (sh->do_rebuild || modified) { + +@@ -667,11 +661,33 @@ + retval = semanage_verify_kernel(sh); + if (retval < 0) + goto cleanup; +- } ++ } else { ++ retval = sepol_policydb_create(&out); ++ if (retval < 0) ++ goto cleanup; ++ ++ retval = semanage_read_policydb(sh, out); ++ if (retval < 0) ++ goto cleanup; ++ ++ /* dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase,out); ++ dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out); ++ dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out); ++ dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out); ++ dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out); ++ */ ++ if (seusers_modified) { ++ retval = pseusers->dtable->clear(sh, pseusers->dbase); ++ if (retval < 0) ++ goto cleanup; ++ } + +- /* FIXME: else if !modified, but seusers_modified, +- * load the existing policy instead of rebuilding */ ++ retval = semanage_base_merge_components(sh); ++ if (retval < 0) ++ goto cleanup; + ++ /* Seusers */ ++ } + /* ======= Post-process: Validate non-policydb components ===== */ + + /* Validate local modifications to file contexts. +@@ -724,7 +740,8 @@ + sepol_policydb_free(out); + out = NULL; + +- if (sh->do_rebuild || modified) { ++ if (sh->do_rebuild || modified || ++ seusers_modified || fcontexts_modified || users_extra_modified) { + retval = semanage_install_sandbox(sh); + } + +@@ -733,12 +750,14 @@ + free(mod_filenames[i]); + } + +- /* Detach from policydb, so it can be freed */ +- dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase); +- dbase_policydb_detach((dbase_policydb_t *) pports->dbase); +- dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase); +- dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase); +- dbase_policydb_detach((dbase_policydb_t *) pbools->dbase); ++ if (modified) { ++ /* Detach from policydb, so it can be freed */ ++ dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase); ++ dbase_policydb_detach((dbase_policydb_t *) pports->dbase); ++ dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase); ++ dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase); ++ dbase_policydb_detach((dbase_policydb_t *) pbools->dbase); ++ } + + free(mod_filenames); + sepol_policydb_free(out); +diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libsemanage-2.0.27/src/genhomedircon.c +--- nsalibsemanage/src/genhomedircon.c 2008-08-05 09:57:28.000000000 -0400 ++++ libsemanage-2.0.27/src/genhomedircon.c 2008-08-26 10:30:30.000000000 -0400 +@@ -487,7 +487,6 @@ const char *role_prefix) { replacement_pair_t repl[] = { @@ -9,7 +93,7 @@ {.search_for = TEMPLATE_HOME_DIR,.replace_with = home}, {.search_for = TEMPLATE_ROLE,.replace_with = role_prefix}, {NULL, NULL} -@@ -466,7 +465,6 @@ +@@ -547,7 +546,6 @@ replacement_pair_t repl[] = { {.search_for = TEMPLATE_USER,.replace_with = user}, {.search_for = TEMPLATE_ROLE,.replace_with = role_prefix}, @@ -17,12 +101,152 @@ {NULL, NULL} }; Ustr *line = USTR_NULL; -diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage.conf libsemanage-2.0.15/src/semanage.conf ---- nsalibsemanage/src/semanage.conf 2007-07-16 14:20:38.000000000 -0400 -+++ libsemanage-2.0.15/src/semanage.conf 2008-01-25 10:28:39.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage.conf libsemanage-2.0.27/src/semanage.conf +--- nsalibsemanage/src/semanage.conf 2008-06-12 23:25:16.000000000 -0400 ++++ libsemanage-2.0.27/src/semanage.conf 2008-08-14 14:53:32.000000000 -0400 @@ -35,4 +35,4 @@ # given in <sepol/policydb.h>. Change this setting if a different # version is necessary. #policy-version = 19 - +expand-check=0 +diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c libsemanage-2.0.27/src/semanage_store.c +--- nsalibsemanage/src/semanage_store.c 2008-06-12 23:25:16.000000000 -0400 ++++ libsemanage-2.0.27/src/semanage_store.c 2008-08-14 14:53:32.000000000 -0400 +@@ -1648,6 +1648,47 @@ + } + + /** ++ * Read the policy from the sandbox (kernel) ++ */ ++int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in) ++{ ++ ++ int retval = STATUS_ERR; ++ const char *kernel_filename = NULL; ++ struct sepol_policy_file *pf = NULL; ++ FILE *infile = NULL; ++ ++ if ((kernel_filename = ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_KERNEL)) == NULL) { ++ goto cleanup; ++ } ++ if ((infile = fopen(kernel_filename, "r")) == NULL) { ++ ERR(sh, "Could not open kernel policy %s for reading.", ++ kernel_filename); ++ goto cleanup; ++ } ++ __fsetlocking(infile, FSETLOCKING_BYCALLER); ++ if (sepol_policy_file_create(&pf)) { ++ ERR(sh, "Out of memory!"); ++ goto cleanup; ++ } ++ sepol_policy_file_set_fp(pf, infile); ++ sepol_policy_file_set_handle(pf, sh->sepolh); ++ if (sepol_policydb_read(in, pf) == -1) { ++ ERR(sh, "Error while reading kernel policy from %s.", ++ kernel_filename); ++ goto cleanup; ++ } ++ retval = STATUS_SUCCESS; ++ ++ cleanup: ++ if (infile != NULL) { ++ fclose(infile); ++ } ++ sepol_policy_file_free(pf); ++ return retval; ++} ++/** + * Writes the final policy to the sandbox (kernel) + */ + int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out) +diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.h libsemanage-2.0.27/src/semanage_store.h +--- nsalibsemanage/src/semanage_store.h 2008-06-12 23:25:16.000000000 -0400 ++++ libsemanage-2.0.27/src/semanage_store.h 2008-08-14 14:53:32.000000000 -0400 +@@ -97,6 +97,9 @@ + sepol_module_package_t * base, + sepol_policydb_t ** policydb); + ++int semanage_read_policydb(semanage_handle_t * sh, ++ sepol_policydb_t * policydb); ++ + int semanage_write_policydb(semanage_handle_t * sh, + sepol_policydb_t * policydb); + +diff --exclude-from=exclude -N -u -r nsalibsemanage/tests/test_fcontext.c libsemanage-2.0.27/tests/test_fcontext.c +--- nsalibsemanage/tests/test_fcontext.c 1969-12-31 19:00:00.000000000 -0500 ++++ libsemanage-2.0.27/tests/test_fcontext.c 2008-08-15 10:59:48.000000000 -0400 +@@ -0,0 +1,72 @@ ++#include <semanage/fcontext_record.h> ++#include <semanage/semanage.h> ++#include <semanage/fcontexts_local.h> ++#include <sepol/sepol.h> ++ ++#include <errno.h> ++#include <stdio.h> ++#include <stdlib.h> ++ ++int main(const int argc, const char **argv) { ++ semanage_handle_t *sh = NULL; ++ semanage_fcontext_t *fcontext; ++ semanage_context_t *con; ++ semanage_fcontext_key_t *k; ++ ++ int exist = 0; ++ sh = semanage_handle_create(); ++ if (sh == NULL) { ++ perror("Can't create semanage handle\n"); ++ return -1; ++ } ++ if (semanage_access_check(sh) < 0) { ++ perror("Semanage access check failed\n"); ++ return -1; ++ } ++ if (semanage_connect(sh) < 0) { ++ perror("Semanage connect failed\n"); ++ return -1; ++ } ++ ++ if (semanage_fcontext_key_create(sh, argv[2], SEMANAGE_FCONTEXT_REG, &k) < 0) { ++ fprintf(stderr, "Could not create key for %s", argv[2]); ++ return -1; ++ } ++ ++ if(semanage_fcontext_exists(sh, k, &exist) < 0) { ++ fprintf(stderr,"Could not check if key exists for %s", argv[2]); ++ return -1; ++ } ++ if (exist) { ++ fprintf(stderr,"Could create %s mapping already exists", argv[2]); ++ return -1; ++ } ++ ++ if (semanage_fcontext_create(sh, &fcontext) < 0) { ++ fprintf(stderr,"Could not create file context for %s", argv[2]); ++ return -1; ++ } ++ semanage_fcontext_set_expr(sh, fcontext, argv[2]); ++ ++ if (semanage_context_from_string(sh, argv[1], &con)) { ++ fprintf(stderr,"Could not create context using %s for file context %s", argv[1], argv[2]); ++ return -1; ++ } ++ ++ if (semanage_fcontext_set_con(sh, fcontext, con) < 0) { ++ fprintf(stderr,"Could not set file context for %s", argv[2]); ++ return -1; ++ } ++ ++ semanage_fcontext_set_type(fcontext, SEMANAGE_FCONTEXT_REG); ++ ++ if(semanage_fcontext_modify_local(sh, k, fcontext) < 0) { ++ fprintf(stderr,"Could not add file context for %s", argv[2]); ++ return -1; ++ } ++ semanage_fcontext_key_free(k); ++ semanage_fcontext_free(fcontext); ++ ++ return 0; ++} ++ ++++++ libsemanage-2.0.25.tar.bz2 -> libsemanage-2.0.27.tar.bz2 ++++++ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/libsemanage-2.0.25/ChangeLog new/libsemanage-2.0.27/ChangeLog --- old/libsemanage-2.0.25/ChangeLog 2008-04-22 22:27:16.000000000 +0200 +++ new/libsemanage-2.0.27/ChangeLog 2008-08-05 15:58:36.000000000 +0200 @@ -1,3 +1,11 @@ +2.0.27 2008-08-05 + * Modify genhomedircon to skip %groupname entries. + Ultimately we need to expand them to the list of users to support per-role homedir labeling when using the %groupname syntax. + +2.0.26 2008-07-29 + * Fix bug in genhomedircon fcontext matches logic from Dan Walsh. + Strip any trailing slash before appending /*$. + 2.0.25 2008-04-21 * Do not call genhomedircon if the policy was not rebuilt from Stephen Smalley. Fixes semanage boolean -D seg fault (bug 441379). diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/libsemanage-2.0.25/src/genhomedircon.c new/libsemanage-2.0.27/src/genhomedircon.c --- old/libsemanage-2.0.25/src/genhomedircon.c 2008-04-22 22:27:16.000000000 +0200 +++ new/libsemanage-2.0.27/src/genhomedircon.c 2008-08-05 15:58:37.000000000 +0200 @@ -192,6 +192,11 @@ goto done; } + if (ustr_cmp_suffix_cstr_eq(expr, "/")) { + if (!ustr_del(&expr, 1)) + goto done; + } + /* Append pattern to eat up trailing slashes */ if (!ustr_add_cstr(&expr, "/*$")) goto done; @@ -757,6 +762,10 @@ if (strcmp(name, TEMPLATE_SEUSER) == 0) continue; + /* %groupname syntax */ + if (name[0] == '%') + continue; + /* find the user structure given the name */ u = bsearch(seuname, user_list, nusers, sizeof(semanage_user_t *), (int (*)(const void *, const void *)) diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/libsemanage-2.0.25/src/Makefile new/libsemanage-2.0.27/src/Makefile --- old/libsemanage-2.0.25/src/Makefile 2008-04-22 22:27:15.000000000 +0200 +++ new/libsemanage-2.0.27/src/Makefile 2008-08-05 15:58:37.000000000 +0200 @@ -31,7 +31,7 @@ LIBSO=$(TARGET).$(LIBVERSION) OBJS= $(patsubst %.c,%.o,$(filter-out $(SWIGCOUT),$(wildcard *.c))) conf-scan.o conf-parse.o LOBJS= $(patsubst %.c,%.lo,$(filter-out $(SWIGCOUT),$(wildcard *.c))) conf-scan.lo conf-parse.lo -CFLAGS ?= -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute -Wno-unused-parameter +CFLAGS ?= -Wall -W -Wundef -Wshadow -Wmissing-noreturn -Wmissing-format-attribute -Wno-unused-parameter override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/libsemanage-2.0.25/VERSION new/libsemanage-2.0.27/VERSION --- old/libsemanage-2.0.25/VERSION 2008-04-22 22:27:16.000000000 +0200 +++ new/libsemanage-2.0.27/VERSION 2008-08-05 15:58:37.000000000 +0200 @@ -1 +1 @@ -2.0.25 +2.0.27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
participants (1)
-
root@Hilbert.suse.de