Hello community,
here is the log from the commit of package libsemanage for openSUSE:Factory
checked in at Tue Mar 9 15:46:13 CET 2010.
--------
--- libsemanage/libsemanage.changes 2009-01-16 14:29:39.000000000 +0100
+++ /mounts/work_src_done/STABLE/libsemanage/libsemanage.changes 2010-02-25 15:59:56.000000000 +0100
@@ -1,0 +2,6 @@
+Thu Feb 25 14:59:32 UTC 2010 - prusnak@suse.cz
+
+- updated to 2.0.43
+ * changes too numerous to list
+
+-------------------------------------------------------------------
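Review bot: the entry records only "updated to 2.0.43 / changes too numerous to list", but the spec diff below also makes packaging decisions that are independent of the version bump: libsemanage.a moves into a new devel-static subpackage, libsemanage.pc is shipped, the rhat patch is renamed to an unversioned file, -fPIC is forced into CFLAGS and a libsemanage.so symlink is created by hand in %install. Each of those deserves a line here so the next maintainer can tell what was deliberate.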
calling whatdependson for head-i586
Old:
----
libsemanage-2.0.31-rhat.patch
libsemanage-2.0.31.tar.bz2
New:
----
libsemanage-2.0.43.tar.bz2
libsemanage-rhat.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libsemanage.spec ++++++
--- /var/tmp/diff_new_pack.NTPOoP/_old 2010-03-09 15:46:01.000000000 +0100
+++ /var/tmp/diff_new_pack.NTPOoP/_new 2010-03-09 15:46:01.000000000 +0100
@@ -1,7 +1,7 @@
#
-# spec file for package libsemanage (Version 2.0.31)
+# spec file for package libsemanage (Version 2.0.43)
#
-# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,57 +17,54 @@
# norootforbuild
-%define libsepol_ver 2.0.20
+%define libsepol_ver 2.0.37
%define libselinux_ver 2.0.0
BuildRequires: bison flex libustr-devel python-devel swig
BuildRequires: libselinux-devel >= %{libselinux_ver}
BuildRequires: libsepol-devel >= %{libsepol_ver}
Name: libsemanage
-Version: 2.0.31
-Release: 3
+Version: 2.0.43
+Release: 1
Url: http://www.nsa.gov/selinux/
-License: LGPL v2.1 only
+License: LGPLv2.1
Group: System/Libraries
Summary: SELinux binary policy manipulation library
Source: %{name}-%{version}.tar.bz2
-Patch0: %{name}-%{version}-rhat.patch
+Patch0: %{name}-rhat.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define debug_package_requires libsemanage1 = %{version}-%{release}
%description
-Security-enhanced Linux is a feature of the Linux(R) kernel and a
-number of utilities with enhanced security functionality designed to
-add mandatory access controls to Linux. The Security-enhanced Linux
+Security-enhanced Linux is a feature of the Linux kernel and a number
+of utilities with enhanced security functionality designed to add
+mandatory access controls to Linux. The Security-enhanced Linux
kernel contains new architectural components originally developed to
-improve the security of the Flask operating system. These architectural
-components provide general support for the enforcement of many kinds of
-mandatory access control policies, including those based on the
-concepts of Type Enforcement(R), Role-based Access Control, and
-Multi-level Security.
-
-libsemanage provides an API for the manipulation of SELinux binary
-policies. It is used by checkpolicy (the policy compiler) and similar
-tools, as well as by programs like load_policy that need to perform
-specific transformations on binary policies such as customizing policy
-boolean settings.
-
-
+improve the security of the Flask operating system. These
+architectural components provide general support for the enforcement
+of many kinds of mandatory access control policies, including those
+based on the concepts of Type Enforcement, Role-based Access
+Control, and Multi-level Security.
+
+libsemanage provides an API for the manipulation of SELinux binary policies.
+It is used by checkpolicy (the policy compiler) and similar tools, as well
+as by programs like load_policy that need to perform specific transformations
+on binary policies such as customizing policy boolean settings.
%package -n libsemanage1
-License: LGPL v2.1 only
+License: LGPLv2.1
Group: System/Libraries
Summary: SELinux binary policy manipulation library
%description -n libsemanage1
-Security-enhanced Linux is a feature of the Linux(R) kernel and a
+Security-enhanced Linux is a feature of the Linux kernel and a
number of utilities with enhanced security functionality designed to
add mandatory access controls to Linux. The Security-enhanced Linux
kernel contains new architectural components originally developed to
improve the security of the Flask operating system. These architectural
components provide general support for the enforcement of many kinds of
mandatory access control policies, including those based on the
-concepts of Type Enforcement(R), Role-based Access Control, and
+concepts of Type Enforcement, Role-based Access Control, and
Multi-level Security.
libsemanage provides an API for the manipulation of SELinux binary
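Review bot: the reflowed %description still says the library is "for the manipulation of SELinux binary policies. It is used by checkpolicy (the policy compiler) and similar tools, as well as by programs like load_policy", which describes binary policy transformation, whereas the code this package patches (semanage_module_enable/disable, genhomedircon, semanage.conf in the hunks below) manages the policy module store; a description that says libsemanage manages the SELinux policy store and is used by tools such as semanage would be accurate, and this is the place to fix it since the text is being rewritten anyway. Separately, "+Patch0: %{name}-rhat.patch" drops the version from the patch name; that eases rebases but loses the record of which release the patch was made against, so note it in the changes file, especially because the patch adds public API.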
@@ -76,63 +73,43 @@
specific transformations on binary policies such as customizing policy
boolean settings.
-
-
%package devel
-License: LGPL v2.1 only
-Summary: SELinux binary policy manipulation library
-Group: System/Libraries
+License: LGPLv2.1
+Summary: Header files and libraries used to build policy manipulation tools
+Group: Development/Libraries
Requires: libsemanage1 = %{version} libustr-devel
%description devel
-Security-enhanced Linux is a feature of the Linux(R) kernel and a
-number of utilities with enhanced security functionality designed to
-add mandatory access controls to Linux. The Security-enhanced Linux
-kernel contains new architectural components originally developed to
-improve the security of the Flask operating system. These architectural
-components provide general support for the enforcement of many kinds of
-mandatory access control policies, including those based on the
-concepts of Type Enforcement(R), Role-based Access Control, and
-Multi-level Security.
+The semanage-devel package contains the libraries and header files
+needed for developing applications that manipulate binary policies.
-libsemanage provides an API for the manipulation of SELinux binary
-policies. It is used by checkpolicy (the policy compiler) and similar
-tools, as well as by programs like load_policy that need to perform
-specific transformations on binary policies such as customizing policy
-boolean settings.
+%package devel-static
+License: LGPLv2.1
+Summary: SELinux binary policy manipulation library
+Group: System/Libraries
+Requires: libsemanage-devel
+%description devel-static
+The semanage-static package contains the static libraries
+needed for developing applications that manipulate binary policies.
%package -n python-semanage
-License: LGPL v2.1 only
-Summary: SELinux binary policy manipulation library
-Group: System/Libraries
+License: LGPLv2.1
+Summary: semanage python bindings for libsemanage
+Group: Development/Libraries
Requires: libsemanage1 = %{version}
%description -n python-semanage
-Security-enhanced Linux is a feature of the Linux� kernel and a number
-of utilities with enhanced security functionality designed to add
-mandatory access controls to Linux. The Security-enhanced Linux kernel
-contains new architectural components originally developed to improve
-the security of the Flask operating system. These architectural
-components provide general support for the enforcement of many kinds of
-mandatory access control policies, including those based on the
-concepts of Type Enforcement�, Role-based Access Control, and
-Multi-level Security.
-
-libsemanage provides an API for the manipulation of SELinux binary
-policies. It is used by checkpolicy (the policy compiler) and similar
-tools, as well as by programs like load_policy that need to perform
-specific transformations on binary policies such as customizing policy
-boolean settings.
-
-
+The libsemanage-python package contains the python bindings for developing
+SELinux management applications.
%prep
%setup -q
%patch0 -p1
%build
+make clean
make %{?jobs:-j%jobs} CFLAGS="$RPM_OPT_FLAGS" swigify
make %{?jobs:-j%jobs} CFLAGS="$RPM_OPT_FLAGS" LIBDIR="%{_libdir}" SHLIBDIR="%{_lib}" all pywrap
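Review bot: the new subpackage descriptions name packages that do not exist in this spec: "+The semanage-devel package contains the libraries and header files", "+The semanage-static package contains the static libraries" and "+The libsemanage-python package contains the python bindings", while the subpackages are actually libsemanage-devel, libsemanage-devel-static and python-semanage; use the real names (or %{name}-devel). The devel-static subpackage also keeps the generic "Summary: SELinux binary policy manipulation library" and "Group: System/Libraries" although devel was just moved to Development/Libraries with a descriptive summary; give devel-static a "Static libraries for ..." summary and the same group, and version its "Requires: libsemanage-devel" as "= %{version}" so a stale libsemanage.a cannot be paired with newer headers.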
@@ -141,6 +118,7 @@
mkdir -p $RPM_BUILD_ROOT%{_libdir}
mkdir -p $RPM_BUILD_ROOT%{_includedir}
make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" install install-pywrap
+ln -sf /%{_lib}/libsemanage.so.1 ${RPM_BUILD_ROOT}/%{_libdir}/libsemanage.so
%clean
rm -rf $RPM_BUILD_ROOT
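Review bot: the added "ln -sf /%{_lib}/libsemanage.so.1 ${RPM_BUILD_ROOT}/%{_libdir}/libsemanage.so" replaces the devel symlink that the preceding install already produced (the %files devel list has carried %{_libdir}/libsemanage.so since before this change) with one pointing at an absolute path, so the link is dangling whenever the tree is used as a sysroot or inspected under the buildroot; a relative target ("ln -sf ../../%{_lib}/libsemanage.so.1 ...") resolves in both places. Note also the path spelling: the mkdir lines in this hunk use "$RPM_BUILD_ROOT%{_libdir}" while the new line uses "${RPM_BUILD_ROOT}/%{_libdir}", and since %{_libdir} starts with "/" the new form yields a doubled slash; match the mkdir form.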
@@ -157,12 +135,16 @@
%files devel
%defattr(-,root,root)
-%{_libdir}/libsemanage.a
%{_libdir}/libsemanage.so
+%{_libdir}/pkgconfig/libsemanage.pc
%dir %{_includedir}/semanage
%{_includedir}/semanage/*.h
%{_mandir}/man3/*
+%files devel-static
+%defattr(-,root,root)
+%{_libdir}/libsemanage.a
+
%files -n python-semanage
%defattr(-,root,root)
%{_libdir}/python*/site-packages/*
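Review bot: with "+%{_libdir}/pkgconfig/libsemanage.pc" now packaged in devel, the automatic pkgconfig(libsemanage) Provides will only be generated if pkg-config is in BuildRequires, which this spec does not have; add it, otherwise consumers cannot BuildRequire pkgconfig(libsemanage) and the .pc file is dead weight. The move of "%{_libdir}/libsemanage.a" into %files devel-static is fine on its own; the libustr-devel dependency stays reachable through the Requires on libsemanage-devel, so a static link still finds libustr's headers.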
++++++ libsemanage-2.0.31.tar.bz2 -> libsemanage-2.0.43.tar.bz2 ++++++
++++ 7165 lines of diff (skipped)
++++++ libsemanage-rhat.patch ++++++
diff --exclude-from=exclude -N -u -r nsalibsemanage/include/semanage/modules.h libsemanage-2.0.43/include/semanage/modules.h
--- nsalibsemanage/include/semanage/modules.h 2009-01-13 08:45:35.000000000 -0500
+++ libsemanage-2.0.43/include/semanage/modules.h 2009-12-16 16:07:43.000000000 -0500
@@ -40,10 +40,12 @@
char *module_data, size_t data_len);
int semanage_module_install_base_file(semanage_handle_t *,
const char *module_name);
+int semanage_module_enable(semanage_handle_t *, char *module_name);
+int semanage_module_disable(semanage_handle_t *, char *module_name);
int semanage_module_remove(semanage_handle_t *, char *module_name);
/* semanage_module_info is for getting information on installed
- modules, only name and version at this time */
+ modules, only name and version, and enabled/disabled flag at this time */
typedef struct semanage_module_info semanage_module_info_t;
int semanage_module_list(semanage_handle_t *,
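Review bot: the new prototypes "+int semanage_module_enable(semanage_handle_t *, char *module_name);" and "+int semanage_module_disable(semanage_handle_t *, char *module_name);" take a non-const char * for a name that is only read; semanage_module_install_base_file two lines above already uses "const char *module_name", and a const parameter lets callers pass string literals or the name returned by semanage_module_get_name without a cast. Since this header is the public API, also document the return convention (0 on success, -1 out of memory, -2 module not found) that the direct_api.c implementations use, instead of leaving it only in the .c comments.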
@@ -53,5 +55,6 @@
int n);
const char *semanage_module_get_name(semanage_module_info_t *);
const char *semanage_module_get_version(semanage_module_info_t *);
+int semanage_module_get_enabled(semanage_module_info_t *);
#endif
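Review bot: "+int semanage_module_get_enabled(semanage_module_info_t *);" says nothing about what the int means; a one-line comment (1 for an enabled module, 0 for a disabled one, as the list hunk in direct_api.c fills it) belongs here next to the updated semanage_module_info comment, so callers do not have to read the backend to know whether non-zero means enabled.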
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c libsemanage-2.0.43/src/direct_api.c
--- nsalibsemanage/src/direct_api.c 2009-09-17 08:59:43.000000000 -0400
+++ libsemanage-2.0.43/src/direct_api.c 2009-12-16 16:07:43.000000000 -0500
@@ -66,6 +66,8 @@
static int semanage_direct_install_base(semanage_handle_t * sh, char *base_data,
size_t data_len);
static int semanage_direct_install_base_file(semanage_handle_t * sh, const char *module_name);
+static int semanage_direct_enable(semanage_handle_t * sh, char *module_name);
+static int semanage_direct_disable(semanage_handle_t * sh, char *module_name);
static int semanage_direct_remove(semanage_handle_t * sh, char *module_name);
static int semanage_direct_list(semanage_handle_t * sh,
semanage_module_info_t ** modinfo,
@@ -83,6 +85,8 @@
.upgrade_file = semanage_direct_upgrade_file,
.install_base = semanage_direct_install_base,
.install_base_file = semanage_direct_install_base_file,
+ .enable = semanage_direct_enable,
+ .disable = semanage_direct_disable,
.remove = semanage_direct_remove,
.list = semanage_direct_list
};
@@ -348,10 +352,17 @@
semanage_path(SEMANAGE_TMP, SEMANAGE_MODULES)) == NULL) {
return -1;
}
- if (asprintf(filename, "%s/%s.pp", module_path, *module_name) == -1) {
+ if (asprintf(filename, "%s/%s.pp%s", module_path, *module_name, DISABLESTR) == -1) {
ERR(sh, "Out of memory!");
return -1;
}
+
+ if (access(*filename, F_OK) == -1) {
+ char *ptr = *filename;
+ int len = strlen(ptr) - strlen(DISABLESTR);
+ if (len > 0) ptr[len]='\0';
+ }
+
return 0;
}
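Review bot: the resolution order after "+ if (access(*filename, F_OK) == -1) {" is suffix first: the disabled name is returned whenever it exists, and the plain name otherwise, so installing or upgrading a module that is currently disabled writes the new file to the disabled name and the module stays disabled. If that is the intended behaviour it needs a comment, because a reader of the install path will expect a fresh install to produce an enabled module. Two smaller points: "int len = strlen(ptr) - strlen(DISABLESTR);" pushes size_t arithmetic through an int (the "if (len > 0)" guard saves it, but a size_t comparison avoids the conversion), and DISABLESTR is not defined in any hunk shown here, so confirm it comes with the remainder of the patch that this listing cuts off after semanage.conf.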
@@ -1273,6 +1284,107 @@
return retval;
}
+/* Enables a module from the sandbox. Returns 0 on success, -1 if out
+ * of memory, -2 if module not found or could not be enabled. */
+static int semanage_direct_enable(semanage_handle_t * sh, char *module_name)
+{
+ int i, retval = -1;
+ char **module_filenames = NULL;
+ int num_mod_files;
+ size_t name_len = strlen(module_name);
+ if (semanage_get_modules_names(sh, &module_filenames, &num_mod_files) ==
+ -1) {
+ return -1;
+ }
+ for (i = 0; i < num_mod_files; i++) {
+ char *base = strrchr(module_filenames[i], '/');
+ if (base == NULL) {
+ ERR(sh, "Could not read module names.");
+ retval = -2;
+ goto cleanup;
+ }
+ base++;
+ if (memcmp(module_name, base, name_len) == 0 &&
+ strcmp(base + name_len + 3, DISABLESTR) == 0) {
+ int len = strlen(module_filenames[i]) - strlen(DISABLESTR);
+ char *enabled_name = calloc(1, len+1);
+ if (!enabled_name) {
+ ERR(sh, "Could not allocate memory");
+ retval = -1;
+ goto cleanup;
+ }
+
+ strncpy(enabled_name, module_filenames[i],len);
+
+ if (rename(module_filenames[i], enabled_name) == -1) {
+ ERR(sh, "Could not enable module file %s.",
+ enabled_name);
+ retval = -2;
+ }
+ retval = 0;
+ free(enabled_name);
+ goto cleanup;
+ }
+ }
+ ERR(sh, "Module %s was not found.", module_name);
+ retval = -2; /* module not found */
+ cleanup:
+ for (i = 0; module_filenames != NULL && i < num_mod_files; i++) {
+ free(module_filenames[i]);
+ }
+ free(module_filenames);
+ return retval;
+}
+
+/* Enables a module from the sandbox. Returns 0 on success, -1 if out
+ * of memory, -2 if module not found or could not be enabled. */
+static int semanage_direct_disable(semanage_handle_t * sh, char *module_name)
+{
+ int i, retval = -1;
+ char **module_filenames = NULL;
+ int num_mod_files;
+ size_t name_len = strlen(module_name);
+ if (semanage_get_modules_names(sh, &module_filenames, &num_mod_files) ==
+ -1) {
+ return -1;
+ }
+ for (i = 0; i < num_mod_files; i++) {
+ char *base = strrchr(module_filenames[i], '/');
+ if (base == NULL) {
+ ERR(sh, "Could not read module names.");
+ retval = -2;
+ goto cleanup;
+ }
+ base++;
+ if (memcmp(module_name, base, name_len) == 0 &&
+ strcmp(base + name_len, ".pp") == 0) {
+ char disabled_name[PATH_MAX];
+ if (snprintf(disabled_name, PATH_MAX, "%s%s",
+ module_filenames[i], DISABLESTR) == PATH_MAX) {
+ ERR(sh, "Could not disable module file %s.",
+ module_filenames[i]);
+ retval = -2;
+ goto cleanup;
+ }
+ if (rename(module_filenames[i], disabled_name) == -1) {
+ ERR(sh, "Could not disable module file %s.",
+ module_filenames[i]);
+ retval = -2;
+ }
+ retval = 0;
+ goto cleanup;
+ }
+ }
+ ERR(sh, "Module %s was not found.", module_name);
+ retval = -2; /* module not found */
+ cleanup:
+ for (i = 0; module_filenames != NULL && i < num_mod_files; i++) {
+ free(module_filenames[i]);
+ }
+ free(module_filenames);
+ return retval;
+}
+
/* Removes a module from the sandbox. Returns 0 on success, -1 if out
* of memory, -2 if module not found or could not be removed. */
static int semanage_direct_remove(semanage_handle_t * sh, char *module_name)
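Review bot: both new functions report a rename failure and then return success: in semanage_direct_enable the sequence "if (rename(module_filenames[i], enabled_name) == -1) { ... retval = -2; }" is followed unconditionally by "retval = 0;", and semanage_direct_disable has the same shape at its rename, so a module that could not be renamed is logged as an error yet reported as enabled or disabled; put "retval = 0;" in an else branch or jump to cleanup inside the if. Also in enable, the match "strcmp(base + name_len + 3, DISABLESTR) == 0" assumes the three bytes after the name are ".pp" without checking them, so module "foo" matches a file "foo.xx.disabled", and when the file name is shorter than name_len + 3 the pointer lands past the terminator and strcmp reads beyond the string (memcmp over name_len bytes has the same over-read for a shorter base; strncmp stops at the terminator); build the expected file name and compare the whole thing. In disable, "== PATH_MAX" on the snprintf result misses truncation, which snprintf signals with a value greater than or equal to the size, so use ">=". The comment above semanage_direct_disable still reads "Enables a module from the sandbox". Finally the two functions differ only in which suffix is added or removed; one helper taking the from and to suffixes would halve the code and the number of places these fixes have to land.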
@@ -1293,8 +1405,7 @@
goto cleanup;
}
base++;
- if (memcmp(module_name, base, name_len) == 0 &&
- strcmp(base + name_len, ".pp") == 0) {
+ if (memcmp(module_name, base, name_len) == 0) {
if (unlink(module_filenames[i]) == -1) {
ERR(sh, "Could not remove module file %s.",
module_filenames[i]);
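Review bot: dropping the suffix test leaves "+ if (memcmp(module_name, base, name_len) == 0) {" as a pure prefix match, so removing module "foo" now unlinks "foobar.pp" and "foo_extra.pp" along with "foo.pp" and its disabled variant, and memcmp still compares name_len bytes even when base is shorter than the name. Keep the exact match and accept both spellings instead, e.g. "strcmp(base + name_len, ".pp") == 0 || strcmp(base + name_len, ".pp" DISABLESTR) == 0" (assuming DISABLESTR is a string literal macro), so that only the named module's files are deleted.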
@@ -1369,6 +1480,7 @@
}
ssize_t size;
char *data = NULL;
+ int enabled = semanage_module_enabled(module_filenames[i]);
if ((size = bunzip(sh, fp, &data)) > 0) {
fclose(fp);
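Review bot: "+ int enabled = semanage_module_enabled(module_filenames[i]);" calls a function that is neither declared nor defined in the hunks shown; if it arrives with the part of the patch cut off after semanage.conf that is fine, but its return values must match what callers of semanage_module_get_enabled will assume (1 for a plain ".pp" file, 0 for the DISABLESTR suffix), since nothing in the public header states the convention.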
@@ -1393,6 +1505,7 @@
if (type == SEPOL_POLICY_MOD) {
(*modinfo)[*num_modules].name = name;
(*modinfo)[*num_modules].version = version;
+ (*modinfo)[*num_modules].enabled = enabled;
(*num_modules)++;
} else {
/* file was not a module, so don't report it */
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libsemanage-2.0.43/src/genhomedircon.c
--- nsalibsemanage/src/genhomedircon.c 2009-09-17 08:59:43.000000000 -0400
+++ libsemanage-2.0.43/src/genhomedircon.c 2009-12-16 16:07:43.000000000 -0500
@@ -310,6 +310,10 @@
}
if (strcmp(pwbuf->pw_dir, "/") == 0)
continue;
+ if (strcmp(pwbuf->pw_dir, "/root") == 0) {
+ continue;
+ }
+
if (semanage_str_count(pwbuf->pw_dir, '/') <= 1)
continue;
if (!(path = strdup(pwbuf->pw_dir))) {
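Review bot: the added test "+ if (strcmp(pwbuf->pw_dir, "/root") == 0) {" is already covered two lines further down: "/root" contains a single '/', so the existing "if (semanage_str_count(pwbuf->pw_dir, '/') <= 1) continue;" skips it. Either drop the new test or, if the intent is to skip the root account's home wherever it lives, compare against root's pw_dir rather than a literal. The braced form also differs from the braceless "continue;" style of the neighbouring tests.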
@@ -803,6 +807,9 @@
* /root */
continue;
}
+ if (strcmp(pwent->pw_dir, "/root") == 0) {
+ continue;
+ }
if (push_user_entry(&head, name, seuname,
prefix, pwent->pw_dir) != STATUS_SUCCESS) {
*errors = STATUS_ERR;
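Review bot: this second literal "/root" comparison duplicates the one added in the previous hunk, and the unchanged context directly above it ends a block whose comment already mentions "/root" and continues; extend that existing check (or share one small helper between the two loops) so the two places cannot drift apart when the rule changes.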
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/libsemanage.map libsemanage-2.0.43/src/libsemanage.map
--- nsalibsemanage/src/libsemanage.map 2009-10-29 15:21:39.000000000 -0400
+++ libsemanage-2.0.43/src/libsemanage.map 2009-12-16 16:07:43.000000000 -0500
@@ -6,10 +6,13 @@
semanage_module_install; semanage_module_install_file;
semanage_module_upgrade; semanage_module_upgrade_file;
semanage_module_install_base; semanage_module_install_base_file;
+ semanage_module_enable;
+ semanage_module_disable;
semanage_module_remove;
semanage_module_list; semanage_module_info_datum_destroy;
semanage_module_list_nth; semanage_module_get_name;
semanage_module_get_version; semanage_select_store;
+ semanage_module_get_enabled;
semanage_reload_policy; semanage_set_reload; semanage_set_rebuild;
semanage_user_*; semanage_bool_*; semanage_seuser_*;
semanage_iface_*; semanage_port_*; semanage_context_*;
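Review bot: the four new exports are added to the existing version node (no new node appears in this hunk), so the libsemanage.so.1 from this package exports symbols that the same soname from an unpatched 2.0.43 does not; anything built against this package, including the python bindings this spec produces, will fail to load against a libsemanage1 without the patch. Either introduce a versioned node for the downstream additions or at least record the ABI extension in the changes file. Cosmetic: "semanage_module_get_enabled;" belongs next to the other semanage_module_get_* entries rather than after semanage_select_store.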
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/Makefile libsemanage-2.0.43/src/Makefile
--- nsalibsemanage/src/Makefile 2009-12-01 15:46:50.000000000 -0500
+++ libsemanage-2.0.43/src/Makefile 2009-12-16 16:07:47.000000000 -0500
@@ -47,7 +47,7 @@
LOBJS= $(patsubst %.c,%.lo,$(SRCS)) conf-scan.lo conf-parse.lo
CFLAGS ?= -Wall -W -Wundef -Wshadow -Wmissing-noreturn -Wmissing-format-attribute -Wno-unused-parameter
-override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE
+override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE -fPIC
SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./
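Review bot: "+override CFLAGS += ... -fPIC" applies -fPIC to every object, including those archived into libsemanage.a; the shared library already builds from the separate .lo objects on the LOBJS line above, so the only effect of this change is a position-independent static library. If that is intended for the new devel-static subpackage (so other packages can link libsemanage.a into their own shared objects), say so in the changes file; otherwise it is an unexplained change to the build flags.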
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/module_internal.h libsemanage-2.0.43/src/module_internal.h
--- nsalibsemanage/src/module_internal.h 2008-08-28 09:34:24.000000000 -0400
+++ libsemanage-2.0.43/src/module_internal.h 2009-12-16 16:07:43.000000000 -0500
@@ -6,6 +6,7 @@
hidden_proto(semanage_module_get_name)
hidden_proto(semanage_module_get_version)
+ hidden_proto(semanage_module_get_enabled)
hidden_proto(semanage_module_info_datum_destroy)
hidden_proto(semanage_module_list_nth)
#endif
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/modules.c libsemanage-2.0.43/src/modules.c
--- nsalibsemanage/src/modules.c 2009-09-17 08:59:43.000000000 -0400
+++ libsemanage-2.0.43/src/modules.c 2009-12-16 16:07:43.000000000 -0500
@@ -154,6 +154,40 @@
return sh->funcs->install_base_file(sh, module_name);
}
+int semanage_module_enable(semanage_handle_t * sh, char *module_name)
+{
+ if (sh->funcs->enable == NULL) {
+ ERR(sh, "No enable function defined for this connection type.");
+ return -1;
+ } else if (!sh->is_connected) {
+ ERR(sh, "Not connected.");
+ return -1;
+ } else if (!sh->is_in_transaction) {
+ if (semanage_begin_transaction(sh) < 0) {
+ return -1;
+ }
+ }
+ sh->modules_modified = 1;
+ return sh->funcs->enable(sh, module_name);
+}
+
+int semanage_module_disable(semanage_handle_t * sh, char *module_name)
+{
+ if (sh->funcs->disable == NULL) {
+ ERR(sh, "No disable function defined for this connection type.");
+ return -1;
+ } else if (!sh->is_connected) {
+ ERR(sh, "Not connected.");
+ return -1;
+ } else if (!sh->is_in_transaction) {
+ if (semanage_begin_transaction(sh) < 0) {
+ return -1;
+ }
+ }
+ sh->modules_modified = 1;
+ return sh->funcs->disable(sh, module_name);
+}
+
int semanage_module_remove(semanage_handle_t * sh, char *module_name)
{
if (sh->funcs->remove == NULL) {
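Review bot: "sh->modules_modified = 1;" is set before the backend call in both new wrappers, so a failed enable or disable (module not found, backend returns -2) still marks the store as modified and the next commit rebuilds and reloads policy for nothing; set the flag only after sh->funcs->enable or disable returns 0. The two wrappers are otherwise identical apart from the funcs member and the error string, so one static helper taking the function pointer would avoid maintaining the connection and transaction checks twice.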
@@ -209,6 +243,13 @@
hidden_def(semanage_module_get_name)
+int semanage_module_get_enabled(semanage_module_info_t * modinfo)
+{
+ return modinfo->enabled;
+}
+
+hidden_def(semanage_module_get_enabled)
+
const char *semanage_module_get_version(semanage_module_info_t * modinfo)
{
return modinfo->version;
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/modules.h libsemanage-2.0.43/src/modules.h
--- nsalibsemanage/src/modules.h 2008-08-28 09:34:24.000000000 -0400
+++ libsemanage-2.0.43/src/modules.h 2009-12-16 16:07:43.000000000 -0500
@@ -26,6 +26,7 @@
struct semanage_module_info {
char *name; /* Key */
char *version;
+ int enabled;
};
#endif
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/policy.h libsemanage-2.0.43/src/policy.h
--- nsalibsemanage/src/policy.h 2009-01-13 08:45:35.000000000 -0500
+++ libsemanage-2.0.43/src/policy.h 2009-12-16 16:07:43.000000000 -0500
@@ -58,6 +58,12 @@
/* Upgrade a policy module */
int (*upgrade_file) (struct semanage_handle *, const char *);
+ /* Enable a policy module */
+ int (*enable) (struct semanage_handle *, char *);
+
+ /* Disable a policy module */
+ int (*disable) (struct semanage_handle *, char *);
+
/* Remove a policy module */
int (*remove) (struct semanage_handle *, char *);
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage.conf libsemanage-2.0.43/src/semanage.conf
--- nsalibsemanage/src/semanage.conf 2008-08-28 09:34:24.000000000 -0400
+++ libsemanage-2.0.43/src/semanage.conf 2009-12-16 16:07:43.000000000 -0500
@@ -35,4 +35,4 @@
# given in