rpms/xinetd/devel xinetd-2.3.14-contextconf.patch, NONE, 1.1 xinetd.spec, 1.40, 1.41

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Fri Dec 1 17:21:14 UTC 2006 

Author: jantill

Update of /cvs/dist/rpms/xinetd/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv3313

Modified Files:
	xinetd.spec 
Added Files:
	xinetd-2.3.14-contextconf.patch 
Log Message:
* Fri Dec 01 2006 James Antill <james.antill at redhat.com> - 2:2.3.14-9
- Fix getpeercon() for LABELED networking MLS environments
- Resolves: rhbz#209379


xinetd-2.3.14-contextconf.patch:
 child.c |   72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++---------
 1 files changed, 62 insertions(+), 10 deletions(-)

--- NEW FILE xinetd-2.3.14-contextconf.patch ---
diff -rup xinetd-2.3.14-orig/xinetd/child.c xinetd-2.3.14/xinetd/child.c
--- xinetd-2.3.14-orig/xinetd/child.c	2006-11-28 14:03:07.000000000 -0500
+++ xinetd-2.3.14/xinetd/child.c	2006-11-29 17:04:19.000000000 -0500
@@ -33,6 +33,8 @@
 #endif
 #ifdef LABELED_NET
 #include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/context.h>
 #endif
 
 #include "str.h"
@@ -49,7 +51,7 @@
 
 /* Local declarations */
 #ifdef LABELED_NET
-static int set_context_from_socket( int fd );
+static int set_context_from_socket( const struct service_config *scp, int fd );
 #endif
 
 
@@ -158,7 +160,7 @@ void exec_server( const struct server *s
 #ifdef LABELED_NET
    if (SC_LABELED_NET(scp))
    {
-      if (set_context_from_socket( descriptor ) < 0) {
+      if (set_context_from_socket( scp, descriptor ) < 0) {
          msg( LOG_ERR, func,
              "Changing process context failed for %s", SC_ID( scp )) ;
          _exit( 1 ) ;
@@ -485,16 +487,11 @@ void child_exit(void)
 }
 
 #ifdef LABELED_NET
-static int set_context_from_socket( int fd )
+static int set_context( security_context_t cntx )
 {
-   const char *func = "set_context_from_socket" ;
-   security_context_t peer_context;
+   const char *func = "set_context" ;
 
-   if (getpeercon(fd, &peer_context) < 0)
-      return -1;
-
-   int retval = setexeccon(peer_context);
-   freecon( peer_context );
+   int retval = setexeccon(cntx);
 
    if (debug.on)
    {
@@ -513,4 +510,59 @@ static int set_context_from_socket( int 
 
    return retval;
 }
+
+static int set_context_from_socket( const struct service_config *scp, int fd )
+{
+   security_context_t curr_context = NULL;
+   security_context_t peer_context = NULL;
+   security_context_t exec_context = NULL;
+   context_t bcon = NULL;
+   context_t pcon = NULL;
+   security_context_t new_context = NULL;
+   security_context_t new_exec_context = NULL;
+   int retval = -1;
+   const char *exepath = NULL;
+
+   if (getcon(&curr_context) < 0)
+     goto fail;
+   
+   if (getpeercon(fd, &peer_context) < 0)
+     goto fail;
+
+   exepath = SC_SERVER_ARGV( scp )[0];
+   if (getfilecon(exepath, &exec_context) < 0)
+     goto fail;
+
+   if (!(bcon = context_new(curr_context)))
+     goto fail;
+
+   if (!(pcon = context_new(peer_context)))
+     goto fail;
+
+   if (!context_range_get(pcon))
+     goto fail;
+   
+   if (context_range_set(bcon, context_range_get(pcon)))
+     goto fail;
+
+   if (!(new_context = context_str(bcon)))
+     goto fail;
+   
+   if (security_compute_create(new_context, exec_context, SECCLASS_PROCESS,
+                               &new_exec_context) < 0)
+     goto fail;
+
+   retval = set_context(new_exec_context);
+
+   freecon(new_exec_context);
+
+ fail:
+   context_free(pcon);
+   context_free(bcon);
+   freecon(exec_context);   
+   freecon(peer_context);
+   freecon(curr_context);
+
+   return retval;
+}
 #endif


Index: xinetd.spec
===================================================================
RCS file: /cvs/dist/rpms/xinetd/devel/xinetd.spec,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- xinetd.spec	1 Oct 2006 20:21:29 -0000	1.40
+++ xinetd.spec	1 Dec 2006 17:21:12 -0000	1.41
@@ -4,7 +4,7 @@
 Summary: A secure replacement for inetd.
 Name: xinetd
 Version: 2.3.14
-Release: 8
+Release: 9
 License: Distributable (BSD-like)
 Group: System Environment/Daemons
 Epoch: 2
@@ -17,6 +17,7 @@
 Patch0: xinetd-2.3.11-pie.patch
 Patch1: xinetd-2.3.12-tcp_rpc.patch
 Patch2: xinetd-2.3.14-label.patch
+Patch3: xinetd-2.3.14-contextconf.patch
 BuildRequires: autoconf, automake
 BuildRequires: libselinux-devel >= 1.30
 Prereq: /sbin/chkconfig /etc/init.d /sbin/service
@@ -41,6 +42,7 @@
 %patch0 -p0 -b .pie
 %patch1 -p1 -b .tcp_rpc
 %patch2 -p1 -b .lspp
+%patch3 -p1 -b .confcntx
 
 aclocal
 autoconf
@@ -102,6 +104,10 @@
 %{_mandir}/*/*
 
 %changelog
+* Fri Dec 01 2006 James Antill <james.antill at redhat.com> - 2:2.3.14-9
+- Fix getpeercon() for LABELED networking MLS environments
+- Resolves: rhbz#209379
+
 * Sun Oct 01 2006 Jesse Keating <jkeating at redhat.com> - 2:2.3.14-8
 - rebuilt for unwind info generation, broken in gcc-4.1.1-21

More information about the fedora-cvs-commits mailing list