Diffstat (limited to 'sys-libs/libsemanage')
5 files changed, 825 insertions, 0 deletions
diff --git a/sys-libs/libsemanage/files/0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch b/sys-libs/libsemanage/files/0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch
new file mode 100644
index 000000000000..e5e821e6976e
--- /dev/null
+++ b/sys-libs/libsemanage/files/0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch
@@ -0,0 +1,318 @@ +From 9638af24a1e890d673549f0b25d854458e07032e Mon Sep 17 00:00:00 2001 +From: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> +Date: Thu, 2 Jul 2015 09:27:36 -0400 +Subject: [PATCH] libsemanage: Add policy binary and file_contexts.local to the + store + +This patch writes policy.kern and file_contexts.local to the policy store as +well as /etc/selinux/. Additionally, policy.kern and file_contexts.local +are now parsed from the store rather than the final directory which was +the old behavior. This allows all policy related files to be kept in the +policy store. + +This patch also renames /var/lib/selinux/tmp to 'final' and changes +policy.kern in the store to longer be a symlink. + +Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> +--- + libsemanage/src/booleans_policydb.c | 6 ++-- + libsemanage/src/direct_api.c | 33 +++++++++++++++---- + libsemanage/src/interfaces_policydb.c | 6 ++-- + libsemanage/src/nodes_policydb.c | 6 ++-- + libsemanage/src/ports_policydb.c | 6 ++-- + libsemanage/src/semanage_store.c | 55 ++++++++++++++++++++++++-------- + libsemanage/src/semanage_store.h | 5 +++ + libsemanage/src/users_base_policydb.c | 6 ++-- + libsemanage/utils/semanage_migrate_store | 3 +- + 9 files changed, 86 insertions(+), 40 deletions(-) + +diff --git a/libsemanage/src/booleans_policydb.c b/libsemanage/src/booleans_policydb.c +index 74af2a3..6869d6c 100644 +--- a/libsemanage/src/booleans_policydb.c ++++ b/libsemanage/src/booleans_policydb.c +@@ -55,10 +55,8 @@ int bool_policydb_dbase_init(semanage_handle_t * handle, + { + + if (dbase_policydb_init(handle, +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_KERNEL), +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_KERNEL), ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL), ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL), + &SEMANAGE_BOOL_RTABLE, + &SEMANAGE_BOOL_POLICYDB_RTABLE, + &dconfig->dbase) < 0) +diff --git a/libsemanage/src/direct_api.c 
b/libsemanage/src/direct_api.c +index d57f934..3c6b168 100644 +--- a/libsemanage/src/direct_api.c ++++ b/libsemanage/src/direct_api.c +@@ -196,10 +196,8 @@ int semanage_direct_connect(semanage_handle_t * sh) + goto err; + + if (fcontext_file_dbase_init(sh, +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_FC_LOCAL), +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_FC_LOCAL), ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC_LOCAL), ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL), + semanage_fcontext_dbase_local(sh)) < 0) + goto err; + +@@ -1041,7 +1039,7 @@ static int semanage_direct_commit(semanage_handle_t * sh) + size_t fc_buffer_len = 0; + const char *ofilename = NULL; + const char *path; +- int retval = -1, num_modinfos = 0, i; ++ int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0; + sepol_policydb_t *out = NULL; + struct cil_db *cildb = NULL; + semanage_module_info_t *modinfos = NULL; +@@ -1143,8 +1141,20 @@ static int semanage_direct_commit(semanage_handle_t * sh) + modified |= dontaudit_modified; + modified |= preserve_tunables_modified; + ++ /* This is for systems that have already migrated with an older version ++ * of semanage_migrate_store. The older version did not copy policy.kern so ++ * the policy binary must be rebuilt here. 
++ */ ++ if (!sh->do_rebuild && !modified) { ++ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL); ++ ++ if (access(path, F_OK) != 0) { ++ missing_policy_kern = 1; ++ } ++ } ++ + /* If there were policy changes, or explicitly requested, rebuild the policy */ +- if (sh->do_rebuild || modified) { ++ if (sh->do_rebuild || modified || missing_policy_kern) { + /* =================== Module expansion =============== */ + + retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos); +@@ -1302,6 +1312,17 @@ static int semanage_direct_commit(semanage_handle_t * sh) + if (retval < 0) + goto cleanup; + ++ retval = semanage_copy_policydb(sh); ++ if (retval < 0) ++ goto cleanup; ++ ++ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL); ++ if (access(path, F_OK) == 0) { ++ retval = semanage_copy_fc_local(sh); ++ if (retval < 0) ++ goto cleanup; ++ } ++ + /* run genhomedircon if its enabled, this should be the last operation + * which requires the out policydb */ + if (!sh->conf->disable_genhomedircon) { +diff --git a/libsemanage/src/interfaces_policydb.c b/libsemanage/src/interfaces_policydb.c +index 6a42eed..552ce7d 100644 +--- a/libsemanage/src/interfaces_policydb.c ++++ b/libsemanage/src/interfaces_policydb.c +@@ -51,10 +51,8 @@ int iface_policydb_dbase_init(semanage_handle_t * handle, + { + + if (dbase_policydb_init(handle, +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_KERNEL), +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_KERNEL), ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL), ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL), + &SEMANAGE_IFACE_RTABLE, + &SEMANAGE_IFACE_POLICYDB_RTABLE, + &dconfig->dbase) < 0) +diff --git a/libsemanage/src/nodes_policydb.c b/libsemanage/src/nodes_policydb.c +index 56012fb..7224f00 100644 +--- a/libsemanage/src/nodes_policydb.c ++++ b/libsemanage/src/nodes_policydb.c +@@ -50,10 +50,8 @@ int node_policydb_dbase_init(semanage_handle_t * handle, + { + + if 
(dbase_policydb_init(handle, +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_KERNEL), +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_KERNEL), ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL), ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL), + &SEMANAGE_NODE_RTABLE, + &SEMANAGE_NODE_POLICYDB_RTABLE, + &dconfig->dbase) < 0) +diff --git a/libsemanage/src/ports_policydb.c b/libsemanage/src/ports_policydb.c +index b9600f0..37d7deb 100644 +--- a/libsemanage/src/ports_policydb.c ++++ b/libsemanage/src/ports_policydb.c +@@ -50,10 +50,8 @@ int port_policydb_dbase_init(semanage_handle_t * handle, + { + + if (dbase_policydb_init(handle, +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_KERNEL), +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_KERNEL), ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL), ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL), + &SEMANAGE_PORT_RTABLE, + &SEMANAGE_PORT_POLICYDB_RTABLE, + &dconfig->dbase) < 0) +diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c +index 6051691..2856aaf 100644 +--- a/libsemanage/src/semanage_store.c ++++ b/libsemanage/src/semanage_store.c +@@ -110,10 +110,12 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = { + "/disable_dontaudit", + "/preserve_tunables", + "/modules/disabled", ++ "/policy.kern", ++ "/file_contexts.local" + }; + + static char const * const semanage_final_prefix[SEMANAGE_FINAL_NUM] = { +- "/tmp", ++ "/final", + "", + }; + +@@ -943,9 +945,7 @@ int semanage_make_final(semanage_handle_t *sh) + goto cleanup; + } + +- /* Copy in exported databases. +- * i = 1 to avoid copying the top level directory. 
+- */ ++ // Build final directory structure + int i; + for (i = 1; i < SEMANAGE_FINAL_PATH_NUM; i++) { + if (strlen(semanage_final_path(SEMANAGE_FINAL_TMP, i)) >= sizeof(fn)) { +@@ -959,12 +959,6 @@ int semanage_make_final(semanage_handle_t *sh) + status = -1; + goto cleanup; + } +- +- semanage_copy_file( +- semanage_final_path(SEMANAGE_FINAL_SELINUX, i), +- semanage_final_path(SEMANAGE_FINAL_TMP, i), +- sh->conf->file_mode); +- /* ignore errors, these files may not exist */ + } + + cleanup: +@@ -2019,8 +2013,7 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in) + FILE *infile = NULL; + + if ((kernel_filename = +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_KERNEL)) == NULL) { ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL)) == NULL) { + goto cleanup; + } + if ((infile = fopen(kernel_filename, "r")) == NULL) { +@@ -2061,7 +2054,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out) + FILE *outfile = NULL; + + if ((kernel_filename = +- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL)) == NULL) { ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL)) == NULL) { + goto cleanup; + } + if ((outfile = fopen(kernel_filename, "wb")) == NULL) { +@@ -2921,3 +2914,39 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len, + + return 0; + } ++ ++int semanage_copy_policydb(semanage_handle_t *sh) ++{ ++ const char *src = NULL; ++ const char *dst = NULL; ++ int rc = -1; ++ ++ src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL); ++ dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL); ++ ++ rc = semanage_copy_file(src, dst, sh->conf->file_mode); ++ if (rc != 0) { ++ goto cleanup; ++ } ++ ++cleanup: ++ return rc; ++} ++ ++int semanage_copy_fc_local(semanage_handle_t *sh) ++{ ++ const char *src = NULL; ++ const char *dst = NULL; ++ int rc = -1; ++ ++ src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL); ++ dst = semanage_final_path(SEMANAGE_FINAL_TMP, 
SEMANAGE_FC_LOCAL); ++ ++ rc = semanage_copy_file(src, dst, sh->conf->file_mode); ++ if (rc != 0) { ++ goto cleanup; ++ } ++ ++cleanup: ++ return rc; ++} +diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h +index 62c7079..ade43f2 100644 +--- a/libsemanage/src/semanage_store.h ++++ b/libsemanage/src/semanage_store.h +@@ -55,6 +55,8 @@ enum semanage_sandbox_defs { + SEMANAGE_DISABLE_DONTAUDIT, + SEMANAGE_PRESERVE_TUNABLES, + SEMANAGE_MODULES_DISABLED, ++ SEMANAGE_STORE_KERNEL, ++ SEMANAGE_STORE_FC_LOCAL, + SEMANAGE_STORE_NUM_PATHS + }; + +@@ -148,4 +150,7 @@ int semanage_nc_sort(semanage_handle_t * sh, + size_t buf_len, + char **sorted_buf, size_t * sorted_buf_len); + ++int semanage_copy_policydb(semanage_handle_t *sh); ++int semanage_copy_fc_local(semanage_handle_t *sh); ++ + #endif +diff --git a/libsemanage/src/users_base_policydb.c b/libsemanage/src/users_base_policydb.c +index 0a6ab9c..b42279c 100644 +--- a/libsemanage/src/users_base_policydb.c ++++ b/libsemanage/src/users_base_policydb.c +@@ -50,10 +50,8 @@ int user_base_policydb_dbase_init(semanage_handle_t * handle, + { + + if (dbase_policydb_init(handle, +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_KERNEL), +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_KERNEL), ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL), ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL), + &SEMANAGE_USER_BASE_RTABLE, + &SEMANAGE_USER_BASE_POLICYDB_RTABLE, + &dconfig->dbase) < 0) +diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store +index 2f85e9c..b170eda 100755 +--- a/libsemanage/utils/semanage_migrate_store ++++ b/libsemanage/utils/semanage_migrate_store +@@ -243,7 +243,8 @@ if __name__ == "__main__": + "users.local", + "users_extra.local", + "disable_dontaudit", +- "preserve_tunables" ] ++ "preserve_tunables", ++ "policy.kern" ] + + + create_dir(newroot_path(), 0o755) +-- +2.4.6 + 
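Review bot: `semanage_copy_policydb` and `semanage_copy_fc_local` (appended to semanage_store.c in this hunk) hand the results of `semanage_path()` and `semanage_final_path()` straight to `semanage_copy_file()` with no NULL check, although `semanage_read_policydb` in the same hunk treats a NULL return from `semanage_path()` as an error; the `access(path, F_OK)` calls added to `semanage_direct_commit` have the same gap, and `access(NULL, …)` is undefined behaviour. I'd add `if (src == NULL || dst == NULL) goto cleanup;` before the copy in both helpers (rc is already -1 there) and guard `path` the same way before each `access()` in the commit function. The `if (rc != 0) { goto cleanup; }` that immediately precedes the `cleanup:` label is a no-op and can be dropped. The same unchecked `semanage_path()` arguments reappear in the inlined `semanage_copy_file()` calls that patch 0003 substitutes for these helpers.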
diff --git a/sys-libs/libsemanage/files/0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch b/sys-libs/libsemanage/files/0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch
new file mode 100644
index 000000000000..24e9778015ab
--- /dev/null
+++ b/sys-libs/libsemanage/files/0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch
@@ -0,0 +1,265 @@ +From d56c2b434e99f60612c1290e82021ecbcbfaf5e6 Mon Sep 17 00:00:00 2001 +From: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> +Date: Tue, 21 Jul 2015 15:08:15 -0400 +Subject: [PATCH] libsemanage: Add file_contexts and seusers to the store + +This patch writes file_contexts and seusers to the policy store as well as +/etc/selinux/. Additionally, file_contexts and seusers are now parsed from the +store rather than the final directory which was the old behavior. This allows +all policy related files to be kept in the policy store. + +Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> +--- + libsemanage/src/direct_api.c | 69 +++++++++++++++++++++++++------- + libsemanage/src/semanage_store.c | 49 ++++------------------- + libsemanage/src/semanage_store.h | 5 ++- + libsemanage/utils/semanage_migrate_store | 3 +- + 4 files changed, 66 insertions(+), 60 deletions(-) + +diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c +index 3c6b168..b11f2ba 100644 +--- a/libsemanage/src/direct_api.c ++++ b/libsemanage/src/direct_api.c +@@ -248,18 +248,14 @@ int semanage_direct_connect(semanage_handle_t * sh) + goto err; + + if (fcontext_file_dbase_init(sh, +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_FC), +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_FC), ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC), ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC), + semanage_fcontext_dbase_policy(sh)) < 0) + goto err; + + if (seuser_file_dbase_init(sh, +- semanage_final_path(SEMANAGE_FINAL_SELINUX, +- SEMANAGE_SEUSERS), +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_SEUSERS), ++ semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_SEUSERS), ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS), + semanage_seuser_dbase_policy(sh)) < 0) + goto err; + +@@ -602,7 +598,7 @@ static int semanage_direct_update_seuser(semanage_handle_t * sh, cil_db_t *cildb + } + + if (size > 0) { +- ofilename = 
semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS); ++ ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS); + if (ofilename == NULL) { + return -1; + } +@@ -1039,7 +1035,8 @@ static int semanage_direct_commit(semanage_handle_t * sh) + size_t fc_buffer_len = 0; + const char *ofilename = NULL; + const char *path; +- int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0; ++ int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0, ++ missing_seusers = 0, missing_fc = 0, missing = 0; + sepol_policydb_t *out = NULL; + struct cil_db *cildb = NULL; + semanage_module_info_t *modinfos = NULL; +@@ -1151,10 +1148,26 @@ static int semanage_direct_commit(semanage_handle_t * sh) + if (access(path, F_OK) != 0) { + missing_policy_kern = 1; + } ++ ++ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC); ++ ++ if (access(path, F_OK) != 0) { ++ missing_fc = 1; ++ } ++ ++ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS); ++ ++ if (access(path, F_OK) != 0) { ++ missing_seusers = 1; ++ } + } + ++ missing |= missing_policy_kern; ++ missing |= missing_fc; ++ missing |= missing_seusers; ++ + /* If there were policy changes, or explicitly requested, rebuild the policy */ +- if (sh->do_rebuild || modified || missing_policy_kern) { ++ if (sh->do_rebuild || modified || missing) { + /* =================== Module expansion =============== */ + + retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos); +@@ -1312,15 +1325,41 @@ static int semanage_direct_commit(semanage_handle_t * sh) + if (retval < 0) + goto cleanup; + +- retval = semanage_copy_policydb(sh); +- if (retval < 0) ++ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL), ++ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL), ++ sh->conf->file_mode); ++ if (retval < 0) { + goto cleanup; ++ } + + path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL); + if (access(path, F_OK) == 0) { +- retval = semanage_copy_fc_local(sh); +- if (retval < 0) ++ 
retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL), ++ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL), ++ sh->conf->file_mode); ++ if (retval < 0) { + goto cleanup; ++ } ++ } ++ ++ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC); ++ if (access(path, F_OK) == 0) { ++ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC), ++ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC), ++ sh->conf->file_mode); ++ if (retval < 0) { ++ goto cleanup; ++ } ++ } ++ ++ path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS); ++ if (access(path, F_OK) == 0) { ++ retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS), ++ semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS), ++ sh->conf->file_mode); ++ if (retval < 0) { ++ goto cleanup; ++ } + } + + /* run genhomedircon if its enabled, this should be the last operation +diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c +index 2856aaf..fa0876f 100644 +--- a/libsemanage/src/semanage_store.c ++++ b/libsemanage/src/semanage_store.c +@@ -111,7 +111,9 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = { + "/preserve_tunables", + "/modules/disabled", + "/policy.kern", +- "/file_contexts.local" ++ "/file_contexts.local", ++ "/file_contexts", ++ "/seusers" + }; + + static char const * const semanage_final_prefix[SEMANAGE_FINAL_NUM] = { +@@ -666,7 +668,7 @@ static int semanage_filename_select(const struct dirent *d) + + /* Copies a file from src to dst. If dst already exists then + * overwrite it. Returns 0 on success, -1 on error. 
*/ +-static int semanage_copy_file(const char *src, const char *dst, mode_t mode) ++int semanage_copy_file(const char *src, const char *dst, mode_t mode) + { + int in, out, retval = 0, amount_read, n, errsv = errno; + char tmp[PATH_MAX]; +@@ -1425,11 +1427,11 @@ int semanage_split_fc(semanage_handle_t * sh) + goto cleanup; + } + +- fc = open(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC), ++ fc = open(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC), + O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR); + if (fc < 0) { + ERR(sh, "Could not open %s for writing.", +- semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC)); ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC)); + goto cleanup; + } + hd = open(semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL), +@@ -1454,8 +1456,7 @@ int semanage_split_fc(semanage_handle_t * sh) + } else { + if (write(fc, buf, strlen(buf)) < 0) { + ERR(sh, "Write to %s failed.", +- semanage_final_path(SEMANAGE_FINAL_TMP, +- SEMANAGE_FC)); ++ semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC)); + goto cleanup; + } + } +@@ -2914,39 +2915,3 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len, + + return 0; + } +- +-int semanage_copy_policydb(semanage_handle_t *sh) +-{ +- const char *src = NULL; +- const char *dst = NULL; +- int rc = -1; +- +- src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL); +- dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL); +- +- rc = semanage_copy_file(src, dst, sh->conf->file_mode); +- if (rc != 0) { +- goto cleanup; +- } +- +-cleanup: +- return rc; +-} +- +-int semanage_copy_fc_local(semanage_handle_t *sh) +-{ +- const char *src = NULL; +- const char *dst = NULL; +- int rc = -1; +- +- src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL); +- dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL); +- +- rc = semanage_copy_file(src, dst, sh->conf->file_mode); +- if (rc != 0) { +- goto cleanup; +- } +- +-cleanup: +- return rc; +-} +diff --git 
a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
+index ade43f2..acb6e3f 100644
+--- a/libsemanage/src/semanage_store.h
++++ b/libsemanage/src/semanage_store.h
+@@ -57,6 +57,8 @@ enum semanage_sandbox_defs {
+ SEMANAGE_MODULES_DISABLED,
+ SEMANAGE_STORE_KERNEL,
+ SEMANAGE_STORE_FC_LOCAL,
++ SEMANAGE_STORE_FC,
++ SEMANAGE_STORE_SEUSERS,
+ SEMANAGE_STORE_NUM_PATHS
+ };
+
+@@ -150,7 +152,6 @@ int semanage_nc_sort(semanage_handle_t * sh,
+ size_t buf_len,
+ char **sorted_buf, size_t * sorted_buf_len);
+
+-int semanage_copy_policydb(semanage_handle_t *sh);
+-int semanage_copy_fc_local(semanage_handle_t *sh);
++int semanage_copy_file(const char *src, const char *dst, mode_t mode);
+
+ #endif
+diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
+index b170eda..6443002 100755
+--- a/libsemanage/utils/semanage_migrate_store
++++ b/libsemanage/utils/semanage_migrate_store
+@@ -244,7 +244,8 @@ if __name__ == "__main__":
+ "users_extra.local",
+ "disable_dontaudit",
+ "preserve_tunables",
+- "policy.kern" ]
++ "policy.kern",
++ "file_contexts"]
+
+
+ create_dir(newroot_path(), 0o755)
+--
+2.4.6
+
diff --git a/sys-libs/libsemanage/files/0004-libsemanage-save-homedir_template-in-the-policy-stor.patch b/sys-libs/libsemanage/files/0004-libsemanage-save-homedir_template-in-the-policy-stor.patch
new file mode 100644
index 000000000000..3bc1370ccb10
--- /dev/null
+++ b/sys-libs/libsemanage/files/0004-libsemanage-save-homedir_template-in-the-policy-stor.patch
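Review bot: The copy stanzas added to `semanage_direct_commit` gate each copy on `access(path, F_OK) == 0`, which conflates "file absent" with every other `access()` failure (EACCES, ELOOP, a truncated store), so a permission problem in the store silently leaves the final directory without file_contexts, seusers or file_contexts.local instead of failing the commit; on the non-zero branch I'd test `errno == ENOENT` and otherwise `ERR(sh, "Could not access %s.", path); retval = -1; goto cleanup;`. Whether a genuinely absent file is acceptable here depends on the rebuild path that `missing_fc`/`missing_seusers` now trigger, which is outside this hunk, so a one-line comment stating why absence is tolerated would help the next reader. The prototype `int semanage_copy_file(const char *src, const char *dst, mode_t mode);` added to semanage_store.h introduces `mode_t` into the header, which needs `<sys/types.h>` unless an existing include already supplies it — not visible in this hunk. The four near-identical copy blocks would read better as a loop over a small `{store_id, final_id}` table, which would also keep the error handling uniform.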
@@ -0,0 +1,54 @@
+From 75dd8c062d1f6f0e0a7a9f1856c0957b423e8a02 Mon Sep 17 00:00:00 2001
+From: Steve Lawrence <slawrence@tresys.com>
+Date: Thu, 3 Sep 2015 09:28:08 -0400
+Subject: [PATCH 1/3] libsemanage: save homedir_template in the policy store
+ for genhomedircon
+
+We don't currently store homedir_template in the policy store, which
+means genhomedircon only has a template file to use if the
+homedir_template was generated from the file contexts in the same
+transaction. But homedir_template isn't always generated, as in the
+case with setsebool -P. In this and other cases, genhomedircon will not
+have a template file resulting in an empty file_contexts.homedir file.
+
+This commit changes this so that homedir_template is always stored in
+the policy store so it can be used by genhomedircon regardless of how
+policy was built. Also add the homedir_template file to the migration
+script.
+
+Signed-off by: Steve Lawrence <slawrence@tresys.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ libsemanage/src/direct_api.c | 1 -
+ libsemanage/utils/semanage_migrate_store | 3 ++-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
+index 90a7b22..6e49cae 100644
+--- a/libsemanage/src/direct_api.c
++++ b/libsemanage/src/direct_api.c
+@@ -1415,7 +1415,6 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+
+ /* remove files that are automatically generated and no longer needed */
+ unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL));
+- unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL));
+ unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA));
+
+ if (sh->do_rebuild || modified || bools_modified || fcontexts_modified) {
+diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
+index 539f469..297c71b 100755
+--- a/libsemanage/utils/semanage_migrate_store
++++ b/libsemanage/utils/semanage_migrate_store
+@@ -251,7 +251,8 @@ if __name__ == "__main__":
+ "disable_dontaudit",
+ "preserve_tunables",
+ "policy.kern",
+- "file_contexts"]
++ "file_contexts",
++ "homedir_template"]
+
+
+ create_dir(newroot_path(), 0o755)
+--
+2.4.6
+
diff --git a/sys-libs/libsemanage/files/0005-libsemanage-store-users_extra-in-the-policy-store.patch b/sys-libs/libsemanage/files/0005-libsemanage-store-users_extra-in-the-policy-store.patch
new file mode 100644
index 000000000000..1aca2addb67c
--- /dev/null
+++ b/sys-libs/libsemanage/files/0005-libsemanage-store-users_extra-in-the-policy-store.patch
@@ -0,0 +1,57 @@
+From dbc639a35af71eec1a1b386b74a822d794bb59df Mon Sep 17 00:00:00 2001
+From: Steve Lawrence <slawrence@tresys.com>
+Date: Thu, 3 Sep 2015 13:07:36 -0400
+Subject: [PATCH 2/3] libsemanage: store users_extra in the policy store
+
+users_extra is needed by genhomedircon and when listing seusers, so it
+must be kept in the policy store. Also move the FC_TMPL unlink() closer
+to where the FC_TMPL is created; not a functional change, but eaiser to
+follow.
+
+Signed-off-by: Steve Lawrence <slawrence@tresys.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ libsemanage/src/direct_api.c | 7 +++----
+ libsemanage/utils/semanage_migrate_store | 1 +
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
+index 6e49cae..68dd0d1 100644
+--- a/libsemanage/src/direct_api.c
++++ b/libsemanage/src/direct_api.c
+@@ -1272,6 +1272,9 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ if (retval < 0)
+ goto cleanup;
+
++ /* remove FC_TMPL now that it is now longer needed */
++ unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL));
++
+ pfcontexts->dtable->drop_cache(pfcontexts->dbase);
+
+ /* SEUsers */
+@@ -1413,10 +1416,6 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ sepol_policydb_free(out);
+ out = NULL;
+
+- /* remove files that are automatically generated and no longer needed */
+- unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL));
+- unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA));
+-
+ if (sh->do_rebuild || modified || bools_modified || fcontexts_modified) {
+ retval = semanage_install_sandbox(sh);
+ }
+diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
+index 297c71b..b5eefaa 100755
+--- a/libsemanage/utils/semanage_migrate_store
++++ b/libsemanage/utils/semanage_migrate_store
+@@ -247,6 +247,7 @@ if __name__ == "__main__":
+ "file_contexts.local",
+ "seusers",
+ "users.local",
++ "users_extra",
+ "users_extra.local",
+ "disable_dontaudit",
+ "preserve_tunables",
+--
+2.4.6
+
diff --git a/sys-libs/libsemanage/libsemanage-2.4-r2.ebuild b/sys-libs/libsemanage/libsemanage-2.4-r2.ebuild
new file mode 100644
index 000000000000..5e14e7d668f9
--- /dev/null
+++ b/sys-libs/libsemanage/libsemanage-2.4-r2.ebuild
@@ -0,0 +1,131 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+PYTHON_COMPAT=( python2_7 python3_3 python3_4 )
+
+inherit multilib python-r1 toolchain-funcs eutils multilib-minimal
+
+MY_P="${P//_/-}"
+
+SEPOL_VER="${PV}"
+SELNX_VER="${PV}"
+
+DESCRIPTION="SELinux kernel and policy management library"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
+SRC_URI="https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20150202/${MY_P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="python"
+
+RDEPEND=">=sys-libs/libsepol-${SEPOL_VER}[${MULTILIB_USEDEP}]
+ >=sys-libs/libselinux-${SELNX_VER}[${MULTILIB_USEDEP}]
+ >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}]
+ >=dev-libs/ustr-1.0.4-r2[${MULTILIB_USEDEP}]
+ "
+DEPEND="${RDEPEND}
+ sys-devel/bison
+ sys-devel/flex
+ python? (
+ >=dev-lang/swig-2.0.4-r1
+ virtual/pkgconfig
+ ${PYTHON_DEPS}
+ )"
+
+# tests are not meant to be run outside of the
+# full SELinux userland repo
+RESTRICT="test"
+
+S="${WORKDIR}/${MY_P}"
+
+src_prepare() {
+ echo "# Set this to true to save the linked policy." >> "${S}/src/semanage.conf"
+ echo "# This is normally only useful for analysis" >> "${S}/src/semanage.conf"
+ echo "# or debugging of policy." >> "${S}/src/semanage.conf"
+ echo "save-linked=false" >> "${S}/src/semanage.conf"
+ echo >> "${S}/src/semanage.conf"
+ echo "# Set this to 0 to disable assertion checking." >> "${S}/src/semanage.conf"
+ echo "# This should speed up building the kernel policy" >> "${S}/src/semanage.conf"
+ echo "# from policy modules, but may leave you open to" >> "${S}/src/semanage.conf"
+ echo "# dangerous rules which assertion checking" >> "${S}/src/semanage.conf"
+ echo "# would catch." >> "${S}/src/semanage.conf"
+ echo "expand-check=1" >> "${S}/src/semanage.conf"
+ echo >> "${S}/src/semanage.conf"
+ echo "# Modules in the module store can be compressed" >> "${S}/src/semanage.conf"
+ echo "# with bzip2. Set this to the bzip2 blocksize" >> "${S}/src/semanage.conf"
+ echo "# 1-9 when compressing. The higher the number," >> "${S}/src/semanage.conf"
+ echo "# the more memory is traded off for disk space." >> "${S}/src/semanage.conf"
+ echo "# Set to 0 to disable bzip2 compression." >> "${S}/src/semanage.conf"
+ echo "bzip-blocksize=0" >> "${S}/src/semanage.conf"
+ echo >> "${S}/src/semanage.conf"
+ echo "# Reduce memory usage for bzip2 compression and" >> "${S}/src/semanage.conf"
+ echo "# decompression of modules in the module store." >> "${S}/src/semanage.conf"
+ echo "bzip-small=true" >> "${S}/src/semanage.conf"
+
+ epatch "${FILESDIR}/0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch" \
+ "${FILESDIR}/0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch" \
+ "${FILESDIR}/0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch" \
+ "${FILESDIR}/0004-libsemanage-save-homedir_template-in-the-policy-stor.patch" \
+ "${FILESDIR}/0005-libsemanage-store-users_extra-in-the-policy-store.patch"
+
+ epatch_user
+
+ multilib_copy_sources
+}
+
+multilib_src_compile() {
+ emake \
+ AR="$(tc-getAR)" \
+ CC="$(tc-getCC)" \
+ LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
+ all
+
+ if multilib_is_native_abi && use python; then
+ building_py() {
+ python_export PYTHON_INCLUDEDIR PYTHON_LIBPATH
+ emake CC="$(tc-getCC)" PYINC="-I${PYTHON_INCLUDEDIR}" PYTHONLBIDIR="${PYTHON_LIBPATH}" PYPREFIX="${EPYTHON##*/}" "$@"
+ }
+ python_foreach_impl building_py swigify
+ python_foreach_impl building_py pywrap
+ fi
+}
+
+multilib_src_install() {
+ emake \
+ LIBDIR="${ED}/usr/$(get_libdir)" \
+ SHLIBDIR="${ED}/usr/$(get_libdir)" \
+ DESTDIR="${ED}" install
+
+ if multilib_is_native_abi && use python; then
+ installation_py() {
+ emake DESTDIR="${ED}" LIBDIR="${ED}/usr/$(get_libdir)" \
+ SHLIBDIR="${ED}/usr/$(get_libdir)" install-pywrap
+ python_optimize # bug 531638
+ }
+ python_foreach_impl installation_py
+ fi
+}
+
+pkg_postinst() {
+ # Migrate the SELinux semanage configuration store if not done already
+ local selinuxtype=$(awk -F'=' '/SELINUXTYPE=/ {print $2}' /etc/selinux/config);
+ if [ -n "${selinuxtype}" ] && [ ! -d /var/lib/selinux/${mcs}/active ] ; then
+ ewarn "Since the 2.4 SELinux userspace, the policy module store is moved"
+ ewarn "from /etc/selinux to /var/lib/selinux. The migration will be run now."
+ ewarn "If there are any issues, it can be done manually by running:"
+ ewarn "/usr/libexec/selinux/semanage_migrate_store"
+ ewarn "For more information, please see"
+ ewarn "- https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration"
+ fi
+
+ # Run the store migration without rebuilds
+ for POLICY_TYPE in ${POLICY_TYPES} ; do
+ if [ ! -d "${ROOT}/var/lib/selinux/${POLICY_TYPE}/active" ] ; then
+ einfo "Migrating store ${POLICY_TYPE} (without policy rebuild)."
+ /usr/libexec/selinux/semanage_migrate_store -n -s "${POLICY_TYPE}" || die "Failed to migrate store ${POLICY_TYPE}"
+ fi
+ done
+} |
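Review bot: In `pkg_postinst` the store-existence test reads `[ ! -d /var/lib/selinux/${mcs}/active ]`, but `${mcs}` is never assigned anywhere in the ebuild, so the path collapses to `/var/lib/selinux//active` and the migration warning fires (or not) on the wrong condition; it should be `[ ! -d "${ROOT}/var/lib/selinux/${selinuxtype}/active" ]`, matching the `${ROOT}`-prefixed check in the loop below, and the `awk` on the line above should likewise read `"${ROOT}/etc/selinux/config"` (its trailing `;` is stray). `die` inside `pkg_postinst` aborts after the package is already merged, so a failed `semanage_migrate_store` should be reported with `eerror` plus the manual command rather than `die`. `POLICY_TYPES` is taken from the environment rather than set in the ebuild; when it is unset the migration loop is a silent no-op, which deserves a comment or an `ewarn`. The twenty-two `echo … >> "${S}/src/semanage.conf"` lines in `src_prepare` would be clearer as a single `cat >> "${S}/src/semanage.conf" <<-EOF … EOF` block.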