authorChris PeBenito <pebenito@gentoo.org>2004-05-25 18:48:00 +0000
committerChris PeBenito <pebenito@gentoo.org>2004-05-25 18:48:00 +0000
commit334110faf82eb0c4d8470d32c4895450183ec313 (patch)
tree782e631ad3057b3064ef66eedef1b71c45fe0f30 /sys-apps
parentrepoman: Trim trailing whitespace (diff)
update selinux code
Diffstat (limited to 'sys-apps')
-rw-r--r--sys-apps/fcron/ChangeLog6
-rw-r--r--sys-apps/fcron/Manifest21
-rw-r--r--sys-apps/fcron/fcron-2.9.4.ebuild3
-rw-r--r--sys-apps/fcron/files/fcron-2.9.4-selinuxupdate.diff243
-rw-r--r--sys-apps/portage/Manifest8
5 files changed, 265 insertions, 16 deletions
diff --git a/sys-apps/fcron/ChangeLog b/sys-apps/fcron/ChangeLog
index bb771a412c05..3f2a9eafa684 100644
--- a/sys-apps/fcron/ChangeLog
+++ b/sys-apps/fcron/ChangeLog
@@ -1,6 +1,10 @@
# ChangeLog for sys-apps/fcron
# Copyright 2002-2004 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/fcron/ChangeLog,v 1.24 2004/04/19 18:36:52 avenj Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/fcron/ChangeLog,v 1.25 2004/05/25 18:48:00 pebenito Exp $
+
+ 25 May 2004; Chris PeBenito <pebenito@gentoo.org>
+ +files/fcron-2.9.4-selinuxupdate.diff, fcron-2.9.4.ebuild:
+ Update SELinux support to 2.6 SELinux API.
19 Apr 2004; Jon Portnoy <avenj@gentoo.org> files/crontab :
Updated to do run-crons every ten minutes rather than every minute.
diff --git a/sys-apps/fcron/Manifest b/sys-apps/fcron/Manifest
index da1146d21b2c..ccca7a7b9bc5 100644
--- a/sys-apps/fcron/Manifest
+++ b/sys-apps/fcron/Manifest
@@ -1,16 +1,17 @@
-MD5 a6a4ab09189a2567b80252bead4f7c94 ChangeLog 3424
-MD5 d9e69febb96390efe8dd56e8c14148c7 fcron-2.9.4.ebuild 2811
MD5 e8df61583266b38602213e4c777ffad5 fcron-2.0.0-r4.ebuild 2114
+MD5 2929a9bf86b74f4f2ae784e28741b648 ChangeLog 3586
+MD5 d0b772bf7d593c98388037be2cae1602 fcron-2.9.4.ebuild 2879
MD5 9a09f8d531c582e78977dbfd96edc1f2 metadata.xml 164
-MD5 23faec3a774b397e64484034f5d46bc8 files/fcron.allow 371
-MD5 ad4c86b2d6792a9ea371ae7ae6b30382 files/crontab 828
-MD5 068bd306e10da92d3c159ee12be338bb files/digest-fcron-2.9.4 67
-MD5 8331ba4de4f67517afa3af7c269bab22 files/fcron.conf-2.9.4 681
-MD5 618ee227782ad9a3939c89e932eb2d2e files/fcron.pam 296
-MD5 f659349d3f24fa1b57684af8f495efe6 files/fcrontab.pam 506
-MD5 4ca5f2b70a7519c6390c5b23c9d058b4 files/digest-fcron-2.0.0-r4 67
MD5 f5fbd4d1733d97b08034756b0e9bf3c2 files/fcron-2.0.0-gentoo.diff 492
+MD5 f659349d3f24fa1b57684af8f495efe6 files/fcrontab.pam 506
MD5 c7f8c59f172900cbaec5f6c401b8d879 files/fcron.conf 744
-MD5 f557de089d991b6b4db14e83b93cdef7 files/fcron.deny 373
+MD5 ad4c86b2d6792a9ea371ae7ae6b30382 files/crontab 828
MD5 b79989a973d102f8259c27daf0a8ef02 files/fcron.rc6 709
+MD5 23faec3a774b397e64484034f5d46bc8 files/fcron.allow 371
+MD5 618ee227782ad9a3939c89e932eb2d2e files/fcron.pam 296
+MD5 d69c448b972f28fe669f2d70b7bf4c5b files/fcron-2.9.4-selinuxupdate.diff 6902
+MD5 068bd306e10da92d3c159ee12be338bb files/digest-fcron-2.9.4 67
+MD5 f557de089d991b6b4db14e83b93cdef7 files/fcron.deny 373
+MD5 8331ba4de4f67517afa3af7c269bab22 files/fcron.conf-2.9.4 681
MD5 f74287027182d448b6022db116d87d24 files/2.9.4-braindead-configure-check.patch 366
+MD5 4ca5f2b70a7519c6390c5b23c9d058b4 files/digest-fcron-2.0.0-r4 67
diff --git a/sys-apps/fcron/fcron-2.9.4.ebuild b/sys-apps/fcron/fcron-2.9.4.ebuild
index 86530cd92194..dc8f541f4d0e 100644
--- a/sys-apps/fcron/fcron-2.9.4.ebuild
+++ b/sys-apps/fcron/fcron-2.9.4.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2004 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/fcron/fcron-2.9.4.ebuild,v 1.1 2004/04/18 22:22:55 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/fcron/fcron-2.9.4.ebuild,v 1.2 2004/05/25 18:48:00 pebenito Exp $
inherit eutils
@@ -26,6 +26,7 @@ src_unpack() {
unpack ${A}
cd ${S}
epatch ${FILESDIR}/${PV}-braindead-configure-check.patch
+ use selinux && epatch ${FILESDIR}/fcron-2.9.4-selinuxupdate.diff
autoconf || die "autoconf failed"
}
diff --git a/sys-apps/fcron/files/fcron-2.9.4-selinuxupdate.diff b/sys-apps/fcron/files/fcron-2.9.4-selinuxupdate.diff
new file mode 100644
index 000000000000..2b697a103c08
--- /dev/null
+++ b/sys-apps/fcron/files/fcron-2.9.4-selinuxupdate.diff
@@ -0,0 +1,243 @@
+--- fcron-2.9.4.orig/job.c
++++ fcron-2.9.4/job.c
+@@ -41,7 +41,7 @@
+ char env_shell[PATH_LEN];
+ #endif
+
+-#ifdef CONFIG_FLASK
++#ifdef WITH_SELINUX
+ extern char **environ;
+ #endif
+
+@@ -249,8 +249,8 @@
+ int to_stdout = foreground && is_stdout(line->cl_option);
+ int pipe_fd[2];
+ short int mailpos = 0; /* 'empty mail file' size */
+-#ifdef CONFIG_FLASK
+- int flask_enabled = is_flask_enabled();
++#ifdef WITH_SELINUX
++ int flask_enabled = is_selinux_enabled();
+ #endif
+
+ /* */
+@@ -352,10 +352,9 @@
+ debug("Execing \"%s -c %s\"", curshell, line->cl_shell);
+ #endif /* CHECKJOBS */
+
+-#ifdef CONFIG_FLASK
+- if(flask_enabled)
+- execle_secure(shell, line->cl_file->cf_user_sid, shell, "-c", line->cl_shell, NULL, environ);
+- else
++#ifdef WITH_SELINUX
++ if(flask_enabled && setexeccon(line->cl_file->cf_user_context) )
++ die_e("Can't set execute context \"%s\".", line->cl_file->cf_user_context);
+ #endif
+ execl(curshell, curshell, "-c", line->cl_shell, NULL);
+ /* execl returns only on error */
+--- fcron-2.9.4.orig/configure.in
++++ fcron-2.9.4/configure.in
+@@ -44,7 +44,6 @@
+ AC_CHECK_HEADERS(sys/types.h sys/socket.h sys/un.h)
+ AC_CHECK_HEADERS(security/pam_appl.h pam/pam_appl.h crypt.h shadow.h)
+ AC_CHECK_HEADERS(sys/resource.h)
+-AC_CHECK_HEADERS(flask_util.h)
+
+ dnl Checks for typedefs, structures, and compiler characteristics.
+ AC_C_CONST
+@@ -61,7 +60,7 @@
+ AC_FUNC_STRFTIME
+ AC_FUNC_WAIT3
+ AC_CHECK_LIB(xnet, shutdown)
+-AC_CHECK_LIB(secure, getsecsid, [flaskavail=1], [flaskavail=0])
++AC_CHECK_LIB(selinux, getcon, [selinuxavail=1], [selinuxavail=0])
+ AC_CHECK_FUNC(getloadavg, [getloadavg=1], [getloadavg=0])
+ AC_CHECK_LIB(kstat, kstat_open, [kstat=1], [kstat=0])
+ if test $getloadavg -eq 1; then
+@@ -925,7 +924,7 @@
+ AC_MSG_RESULT(no)
+ ;;
+ yes)
+- if test "$flaskavail" -eq 1; then
++ if test "$selinuxavail" -eq 1; then
+ useselinux=1
+ AC_MSG_RESULT(yes)
+ else
+@@ -940,7 +939,7 @@
+ AC_MSG_ERROR(Must be set to either "yes" or "no".)
+ ;;
+ esac ],
+- if test "$useselinux" != "0" && test "$flaskavail" -eq 1; then
++ if test "$useselinux" != "0" && test "$selinuxavail" -eq 1; then
+ useselinux=1
+ AC_MSG_RESULT(yes)
+ else
+@@ -949,8 +948,9 @@
+ fi
+ )
+ if test "$useselinux" -eq 1; then
+- LIBS="$LIBS -lsecure"
+- AC_DEFINE(CONFIG_FLASK)
++ LIBS="$LIBS -lselinux"
++ AC_DEFINE(WITH_SELINUX)
++ CFLAGS="$CFLAGS -I/usr/include/selinux"
+ fi
+
+
+@@ -1149,4 +1149,5 @@
+ echo
+ echo "You can now run 'make' to compile"
+ echo "and then (as root) 'make install' to install fcron."
+-echo
+\ No newline at end of file
++echo
++
+--- fcron-2.9.4.orig/global.h
++++ fcron-2.9.4/global.h
+@@ -43,12 +43,11 @@
+ #include <errno.h>
+ #endif
+
+-#ifdef CONFIG_FLASK
+-#include <flask_util.h>
+-#include <fs_secure.h>
+-#include <ss.h>
+-#include <linux/flask/av_permissions.h>
+-#include <get_sid_list.h>
++#ifdef WITH_SELINUX
++#include <selinux.h>
++#include <get_context_list.h>
++#include <selinux/flask.h>
++#include <selinux/av_permissions.h>
+ #endif
+
+ #ifdef HAVE_GETOPT_H
+@@ -167,9 +166,9 @@
+ struct env_t *cf_env_base; /* list of all env variables to set */
+ int cf_running; /* number of jobs running */
+ signed char cf_tzdiff; /* time diff between system and local hour */
+-#ifdef CONFIG_FLASK
+- security_id_t cf_user_sid;
+- security_id_t cf_file_sid;
++#ifdef WITH_SELINUX
++ security_context_t cf_user_context;
++ security_context_t cf_file_context;
+ #endif
+ } cf_t;
+
+--- fcron-2.9.4.orig/conf.c
++++ fcron-2.9.4/conf.c
+@@ -437,11 +437,10 @@
+ struct passwd *pass = NULL;
+ short int type = 0, size = 0;
+ int rc;
+-#ifdef CONFIG_FLASK
+- int flask_enabled = is_flask_enabled();
+- struct security_query qry;
+- struct security_response rsp;
++#ifdef WITH_SELINUX
++ int flask_enabled = is_selinux_enabled();
+ int retval;
++ struct av_decision avd;
+ const char *user_name;
+ #endif
+
+@@ -453,16 +452,18 @@
+
+ /* check if this file is owned by root : otherwise, all runas fields
+ * of this field should be set to the owner */
+-#ifdef CONFIG_FLASK
+- if(flask_enabled)
+- rc = fstat_secure(fileno(ff), &file_stat, &cf->cf_file_sid);
+- else
+-#endif
+ rc = fstat(fileno(ff), &file_stat);
+ if ( rc != 0 ) {
+ error_e("Could not stat %s", file_name);
+ goto err;
+ }
++#ifdef WITH_SELINUX
++ if(flask_enabled && fgetfilecon(fileno(ff), &cf->cf_file_context) < 0 )
++ {
++ error_e("Could not get context of %s", file_name);
++ goto err;
++ }
++#endif
+
+ if ( strncmp(file_name,"new.", 4) == 0 ) {
+ if ( file_stat.st_uid == ROOTUID ) {
+@@ -495,7 +496,7 @@
+ }
+ }
+
+-#ifdef CONFIG_FLASK
++#ifdef WITH_SELINUX
+ /*
+ * Since crontab files are not directly executed,
+ * crond must ensure that the crontab file has
+@@ -507,17 +508,19 @@
+ user_name = "system_u";
+ else
+ user_name = cf->cf_user;
+- if(get_default_sid(user_name, 0, &cf->cf_user_sid))
+- error_e("NO SID for user \"%s\"", cf->cf_user_sid);
+- qry.ssid = cf->cf_user_sid;
+- qry.tsid = cf->cf_file_sid;
+- qry.tclass = SECCLASS_FILE;
+- qry.requested = FILE__ENTRYPOINT;
+- retval = security_compute_av(&qry, &rsp);
+- if(retval || ((qry.requested & rsp.allowed) != qry.requested)) {
+- syslog(LOG_ERR, "ENTRYPOINT FAILED for \"%s\" (SID %u) for file SID %u"
+- , cf->cf_user, cf->cf_user_sid, cf->cf_file_sid);
+- goto err;
++ if(flask_enabled)
++ {
++ if(get_default_context(user_name, NULL, &cf->cf_user_context))
++ error_e("NO CONTEXT for user \"%s\"", cf->cf_user_context);
++ retval = security_compute_av(cf->cf_user_context, cf->cf_file_context
++ , SECCLASS_FILE, FILE__ENTRYPOINT, &avd);
++
++ if(retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT))
++ {
++ syslog(LOG_ERR, "ENTRYPOINT FAILED for user \"%s\" (CONTEXT %s) for file CONTEXT %s"
++ , cf->cf_user, cf->cf_user_context, cf->cf_file_context);
++ goto err;
++ }
+ }
+ #endif
+
+--- fcron-2.9.4.orig/config.h.in
++++ fcron-2.9.4/config.h.in
+@@ -393,7 +393,7 @@
+ #undef HAVE_LIBSHADOW
+
+ /* Have SE Linux support */
+-#undef CONFIG_FLASK
++#undef WITH_SELINUX
+
+ /* Define if you have the xnet library (-lxnet). */
+ #undef HAVE_LIBXNET
+--- fcron-2.9.4.orig/save.c
++++ fcron-2.9.4/save.c
+@@ -298,12 +298,18 @@
+ int fd;
+
+ /* open file */
+-#ifdef CONFIG_FLASK
+- if ( is_flask_enabled() )
+- fd = open_secure(filename, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC, S_IRUSR | S_IWUSR, file->cf_file_sid);
+- else
++#ifdef WITH_SELINUX
++ if ( is_selinux_enabled() && setfscreatecon(file->cf_file_context) )
++ {
++ error_e("Could not set create context for file %s", filename);
++ return ERR;
++ }
+ #endif
+ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC, S_IRUSR|S_IWUSR);
++#ifdef WITH_SELINUX
++ if ( is_selinux_enabled() )
++ setfscreatecon(NULL);
++#endif
+ if ( fd == -1 ) {
+ error_e("Could not open %s", filename);
+ return ERR;
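Review bot: In the conf.c part of the embedded patch, a failed `get_default_context()` is only logged, and execution falls through to `security_compute_av()` with `cf->cf_user_context` never set; the log call also passes that unset pointer to `%s` instead of the user name. The entrypoint check should fail closed at that point, e.g. `{ error_e("NO CONTEXT for user \"%s\"", user_name); goto err; }`. In the save.c part, the return value of `setfscreatecon(NULL)` is ignored, so a failed reset would leave the crontab's context as the creation context for files the process creates later; that failure should at least be logged. The contexts returned by `fgetfilecon()` and `get_default_context()` are allocated by libselinux, and no `freecon()` appears anywhere in the patch, so the `err` path and the `cf_t` teardown presumably leak them. The enclosing functions start and end outside the patch context, so this needs confirming against the full sources.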
diff --git a/sys-apps/portage/Manifest b/sys-apps/portage/Manifest
index 1cb93c8909a2..a459f03449c4 100644
--- a/sys-apps/portage/Manifest
+++ b/sys-apps/portage/Manifest
@@ -1,14 +1,14 @@
MD5 9e5a455de70177e3981c248e0f1b920f ChangeLog 907
+MD5 87b2925b38ae3e29892100e6443621bd portage-2.0.51_pre7.ebuild 14128
MD5 4ec0f0ae9676b9d2d227d737d508306b metadata.xml 165
+MD5 ca93d127f054a5dff58ff66ff564ef9a portage-2.0.51_pre9.ebuild 14128
MD5 bcd019fa6358547bff9b252942e77889 portage-2.0.50-r6.ebuild 11541
-MD5 2091543252389367b029cfdd33c7b43a portage-2.0.51_pre7.ebuild 14122
-MD5 a9428d82edbbb8141a8c0b6d6e8e061c portage-2.0.51_pre9.ebuild 14122
MD5 74e6d2c3002dd2370ab9bd9f4fcb7dc6 files/README.RESCUE 1689
-MD5 3b35eb55c2810fa539f29b4242b4d18a files/digest-portage-2.0.50-r6 70
MD5 9766a22aec69782a98fde2cc6022bf4b files/digest-portage-2.0.51_pre7 72
MD5 37eec42337d60f4ef31bd9c19aa393d6 files/digest-portage-2.0.51_pre9 72
MD5 73094a2d75dca36817b40611589ea226 files/portage-rescue-2.0.44-ppc.tbz2 168027
+MD5 3b35eb55c2810fa539f29b4242b4d18a files/digest-portage-2.0.50-r6 70
MD5 b6989b04bc0ab44de75cf82ab47698fa files/portage-rescue-2.0.48-r1-sparc.tbz2 227629
MD5 e2f7d2797f76d586452705abed1e515e files/portage-rescue-2.0.48-r1-sparc64.tbz2 227569
-MD5 fa4bfa4ee3ec778658dadf6a63864877 files/portage-rescue-2.0.49-r15-amd64.tbz2 289608
MD5 35519288ced0c9c3a2893d16e666a5cf files/portage-rescue-2.0.49-r3-alpha.tbz2 284986
+MD5 fa4bfa4ee3ec778658dadf6a63864877 files/portage-rescue-2.0.49-r15-amd64.tbz2 289608