rpms/libselinux/FC-4 libselinux-rhat.patch, 1.44, 1.45 libselinux.spec, 1.103, 1.104

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue Jan 17 03:13:53 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/libselinux/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv28343

Modified Files:
	libselinux-rhat.patch libselinux.spec 
Log Message:
* Mon Jan 16 2006 Dan Walsh <dwalsh at redhat.com> 1.23.11-1.1
- Allow rpm_exec to continue on failure if permissive mode 


libselinux-rhat.patch:
 rpm.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

Index: libselinux-rhat.patch
===================================================================
RCS file: /cvs/dist/rpms/libselinux/FC-4/libselinux-rhat.patch,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- libselinux-rhat.patch	11 May 2005 15:00:11 -0000	1.44
+++ libselinux-rhat.patch	17 Jan 2006 03:13:48 -0000	1.45
@@ -1,66 +1,39 @@
---- libselinux-1.23.10/man/man8/selinux.8.rhat	2005-04-29 14:07:14.000000000 -0400
-+++ libselinux-1.23.10/man/man8/selinux.8	2005-05-11 10:56:10.000000000 -0400
-@@ -1,4 +1,4 @@
--.TH  "selinux"  "8"  "11 Aug 2004" "dwalsh at redhat.com" "SELinux Command Line documentation"
-+.TH  "selinux"  "8"  "29 Apr 2005" "dwalsh at redhat.com" "SELinux Command Line documentation"
- 
- .SH "NAME"
- selinux \- NSA Security-Enhanced Linux (SELinux)
-@@ -62,11 +62,22 @@
- .B system-config-securitylevel
- allows customization of these booleans and tunables.
- 
-+.br
-+Many domains that are protected by SELinux also include selinux man pages explainging how to customize their policy.  
-+
-+.SH FILE LABELING
+diff --exclude-from=exclude -N -u -r nsalibselinux/src/rpm.c libselinux-1.23.11/src/rpm.c
+--- nsalibselinux/src/rpm.c	2005-05-20 13:15:53.000000000 -0400
++++ libselinux-1.23.11/src/rpm.c	2006-01-16 22:09:51.000000000 -0500
+@@ -11,7 +11,7 @@
+ {
+ 	security_context_t mycon = NULL, fcon = NULL, newcon = NULL;
+ 	context_t con = NULL;
+-	int rc;
++	int rc = 0;
+ 
+ 	if (is_selinux_enabled() < 1)
+ 		return execve(filename, argv, envp);
+@@ -30,6 +30,7 @@
+ 
+ 	if (!strcmp(mycon, newcon)) {
+ 		/* No default transition, use rpm_script_t for now. */
++		rc = -1;
+ 		con = context_new(mycon);
+ 		if (!con)
+ 			goto out;
+@@ -39,13 +40,17 @@
+ 		newcon = strdup(context_str(con));
+ 		if (!newcon)
+ 			goto out;
++		rc = 0;
+ 	}
+ 
+ 	rc = setexeccon(newcon);
+ 	if (rc < 0) 
+ 		goto out;
+-	rc = execve(filename, argv, envp);
+ out:
 +
-+All files, directories, devices ... have a security context/label associated with them.  These context are stored in the extended attributes of the file system.
-+Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non selinux kernel.  If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling.  
-+.br 
-+The best way to relabel the file system is to create the flag file /.autorelabel and reboot.  system-config-securitylevel, also has this capability.  The restorcon/fixfiles commands are also available for relabeling files. 
-+  
- .SH AUTHOR	
- This manual page was written by Dan Walsh <dwalsh at redhat.com>.
- 
- .SH "SEE ALSO"
--booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8)
-+booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restorecon(8), setfiles(8), ftpd_selinux(8), named_selinux(8), rsync_selinux(8), httpd_selinux(8), nfs_selinux(8), samba_selinux(8), kerberos_selinux(8), nis_selinux(8), ypbind_selinux(8)
++	if (rc >= 0 || !security_getenforce())
++		rc = execve(filename, argv, envp); 
 +
- 
- .SH FILES
- /etc/selinux/config
---- libselinux-1.23.10/utils/avcstat.c.rhat	2005-04-29 14:07:14.000000000 -0400
-+++ libselinux-1.23.10/utils/avcstat.c	2005-05-11 10:57:30.000000000 -0400
-@@ -90,12 +90,15 @@
- 
- int main(int argc, char **argv)
- {
-+	struct avc_cache_stats tot, rel, last;
- 	int fd, i, cumulative = 0;
- 	struct sigaction sa;
- 	char avcstatfile[PATH_MAX];
- 	snprintf(avcstatfile, sizeof avcstatfile, "%s%s", selinux_mnt, DEF_STAT_FILE);
- 	progname = basename(argv[0]);
- 	
-+	memset(&last, 0, sizeof(last));
-+		
- 	while((i = getopt(argc, argv, "cf:h?-")) != -1) {
- 		switch (i) {
- 		case 'c':
-@@ -144,7 +147,6 @@
- 	for (i = 0;; i++) {
- 		char *line;
- 		ssize_t ret, parsed = 0;
--		struct avc_cache_stats tot, rel, last;
- 		
- 		memset(buf, 0, DEF_BUF_SIZE);
- 		ret = read(fd, buf, DEF_BUF_SIZE);
-@@ -166,7 +168,6 @@
- 			       "hits", "misses", "allocs", "reclaims", "frees");
- 
- 		memset(&tot, 0, sizeof(tot));
--		memset(&last, 0, sizeof(last));
- 		
- 		while ((line = strtok(NULL, "\n"))) {
- 			struct avc_cache_stats tmp;
+ 	context_free(con);
+ 	freecon(newcon);
+ 	freecon(fcon);
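Review bot: Moving `execve` below the `out:` label means every `goto out` now reaches it, so in enforcing mode the exec is skipped only when `rc` is negative at that point; with `rc` now initialised to 0, any early exit that leaves `rc` untouched would run the script without the exec context having been set. The `!strcmp(mycon, newcon)` branch covers this with `rc = -1`, but the function's signature and the exits that fall between the inner hunks are not visible here and should be checked for the same property. The condition also depends on an error return of -1 from `security_getenforce()` being treated as enforcing, which is the safe direction but implicit; a comment such as `/* exec on success, or on failure only when permissive; a getenforce error (-1) counts as enforcing */` above the `if` would state it. In permissive mode the fallback is silent and the original failure is overwritten by the result of `execve`, so a caller cannot tell that the script ran in the caller's own context rather than the computed one.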


Index: libselinux.spec
===================================================================
RCS file: /cvs/dist/rpms/libselinux/FC-4/libselinux.spec,v
retrieving revision 1.103
retrieving revision 1.104
diff -u -r1.103 -r1.104
--- libselinux.spec	20 May 2005 17:18:49 -0000	1.103
+++ libselinux.spec	17 Jan 2006 03:13:48 -0000	1.104
@@ -1,10 +1,11 @@
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 1.23.11
-Release: 1
+Release: 1.1
 License: Public domain (uncopyrighted)
 Group: System Environment/Libraries
 Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
+Patch: libselinux-rhat.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
 
@@ -34,6 +35,7 @@
 
 %prep
 %setup -q
+%patch -p1 -b .rhat
 
 %build
 make CFLAGS="-g %{optflags}"
@@ -83,6 +85,9 @@
 %{_mandir}/man8/*
 
 %changelog
+* Mon Jan 16 2006 Dan Walsh <dwalsh at redhat.com> 1.23.11-1.1
+- Allow rpm_exec to continue on failure if permissive mode 
+
 * Fri May 20 2005 Dan Walsh <dwalsh at redhat.com> 1.23.11-1
 - Update from NSA
 	* Merged avcstat and selinux man page from Dan Walsh.



