In the patch to fix a minor memory leak, I introduced a garuanteed
segfault. The point to the stack variable will never be NULL, whereas
the value on the stack will be.
Signed-off-by: Eric Paris <eparis@redhat.com>
We open the file which is to be used to write the binary format of file
contexts. If we hit an error actually writing things out, we return,
but never close the fd. Do not leak.
Signed-off-by: Eric Paris <eparis@redhat.com>
Every time matchmediacon is called we open the
selinux_media_context_path(). But we never close the file. Close the
file when we are finished with it.
Signed-off-by: Eric Paris <eparis@redhat.com>
We were opening the path, but if the fstat failed or it was not a
regular file we would return without closing the fd. Fix my using the
common error exit path rather than just returning.
Signed-off-by: Eric Paris <eparis@redhat.com>
The code did:
len = strlen(string);
new_string = malloc(len);
strncpy(new_string, string, len - 1)
Which is perfectly legal, but it pissed off coverity because 99/100
times if you do new_string = malloc(strlen(string)) you are doing it
wrong (you didn't leave room for the nul). I rewrote that area to just
use strdup and then to blank out the last character with a nul. It's
clear what's going on and nothing looks 'tricky'. It does cost us 1
byte of heap allocation. I think we can live with that to have safer
looking string handling code.
Signed-off-by: Eric Paris <eparis@redhat.com>
If vork() failed we would leak the arguments created in split_args().
Reorder the function so it will hopefully be easy to read and will not
leak memory.
Signed-off-by: Eric Paris <eparis@redhat.com>
We have minuid_set = 0 at the top of the function and then do a test
like:
if (!minuid_set || something)
But since minuid_set is always 0, we always call this code. Get rid of
the pointless conditional.
Signed-off-by: Eric Paris <eparis@redhat.com>
Right before the call to semanage_list_sort() we do some cleanup.
Including endpwent(); free(rbuf); semanage_list_destroy(&shells); If
the call to the list sort fails we will go to fail: and will do those
cleanups a second time. Whoops. Do the list sort before the generic
cleanups so the failure code isn't run after the default cleanup.
Signed-off-by: Eric Paris <eparis@redhat.com>
If the strdup failed, we would return without freeing tmp_key. This is
obviously a memory leak. So free that if we are finished with it.
Signed-off-by: Eric Paris <eparis@redhat.com>
We generate a list of users, but we do not free that list on error.
Just keep popping and freeing them on error.
Signed-off-by: Eric Paris <eparis@redhat.com>
We use creat to create the lock file needed later. But we never close
that fd, so it just sits around until the program exits. After we
create the file we don't need to hold onto the fd. close it.
Signed-off-by: Eric Paris <eparis@redhat.com>
If get_home_dirs() was called without usepasswd we would generate the
entire shell list, but would never use that list. We would then not
free that list when we returned the homedir_list. Instead, do not
create the list of shells until after we know it will be used.
Signed-off-by: Eric Paris <eparis@redhat.com>
Inside split_args we do a = realloc(b) and strdup. If the realloc
succeeds and then the strdup fails, we return NULL to the caller. The
caller will then jump to an error code which will do a free(b). This is
fine if the realloc failed, but is a big problem if realloc worked. If
it worked b is now meaningless and a needs to be freed.
I change the function interface to return an error and to update "b"
from the caller.
Signed-off-by: Eric Paris <eparis@redhat.com>
We did a bunch of:
if ((blah = function(a0, a1, a2)) == NULL) {
goto err;
} else {
something = blah;
}
Which takes 5 lines and is a pain to read. Instead:
blah = function(a0, a1, a2);
if (blah == NULL)
goto err;
something = blah;
Which takes 4 lines and is easier to read!
Winning!
Signed-off-by: Eric Paris <eparis@redhat.com>
setfsuid return codes were not being checked. Add checks to make sure
we are switching from and to what we expect. Bail (most places) if we
didn't switch successfully.
Signed-off-by: Eric Paris <eparis@redhat.com>
We were doing x = realloc(x, ) which is a big no no, since it leaks X
on allocation failure. Found with static analysis tool from David
Malcolm.
Signed-off-by: Eric Paris <eparis@redhat.com>
Turn verbose on for full relabel
Add check to see if / has a label, if not then force a full relabel.
Add ability to record OPTIONS into the the /.autorelabel file.
fixfiles -F onboot
writes out /.autorelabel with -F
fixfiles -B onboot
writes on /autorelaebl with -N BOOTDATE recorded.
The goal is to allow boot up sequence that sees /.autorelabel to hand any
options store in it, to fixfiles restore
OPTIONS=`cat /.autorelabel`
fixfiles $OPTIONS restore
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The semodule_path file, inside scripts, which is used to tell the
Makefile where genhomedircon should point to find semodule, was not
being updated. This patch makes sure we update this file every time
something builds, thus genhomedircon doesn't point to some wild out of
data file location.
Signed-off-by: Eric Paris <eparis@redhat.com>
We use strdup to store the intended context when we have an mmap'd
file backend. We, however, skipped freeing those contexts.
Signed-off-by: Eric Paris <eparis@redhat.com>
Set*con now caches the security context and only re-sets it if it changes.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/etc/mtab points to /proc/mounts in modern systems. Remove the entry to
try to update its label.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This patch adds support for displaying SELinux context information in
colors defined by mcstrans(8)/secolor.conf(5). The new behavior is
enabled through the use of the "-C/--color" option and requires the
"-P" option also be specified.
The reason for this addition is that in some situations, notably MLS,
users find it helpful to add SELinux context information to their prompt:
# example taken from the RHEL6 CC certification bash scripts
SEROLE=`secon -rP 2>/dev/null`
SEMLS=`secon -lP 2>/dev/null`
PS1="[\u/$SEROLE/$SEMLS@\h \W]\\$ "
export PS1
With the added functionality provided by this patch we can also display
the associated color information (note the addition of the "C" option):
SEROLE=`secon -rP 2>/dev/null`
SEMLS=`secon -lPC 2>/dev/null`
PS1="[\u/$SEROLE/$SEMLS@\h \W]\\$ "
export PS1
Note that in the example above only the MLS range is colored, but the
patch does provide support for all of the color information provided
by mcstransd/secolor.conf (user,role,type,range).
Finally, one quick word on the colors themselves; the secolor.conf
configuration file allows 32-bit colors but the ANSI color coding only
allows 8-bit colors so the colors displayed by secon using the "-C"
option will be a bit lossy.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We currently have a mechanism in which the default user, role, and range
can be picked up from the source or the target object. This implements
the same thing for types. The kernel will override this with type
transition rules and similar. This is just the default if nothing
specific is given.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Currently we ship other subs files with the _dist to indicate they come with
the distribution as opposed to being modified by the user.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We should be able to make changed to /etc/selinux/config without using lokkit
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We didn't handle sysconf(_SC_PAGESIZE) returning an error. It should be
very rare, obviously, be we should handle it.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
EOPNOTSUPP means "operation not supoorted on socket", and ENOTSUP means
"not supported", although per POSIX they can be alised to the same
value and on Linux they do, ENOTSUP seems the more correct error code.
In addition these function are documented as returning ENOTSUP, and
given that they are implemented in means of getxattr(2) which does
return ENOTSUP too, this just consolidates their behaviour.
Signed-off-by: Guillem Jover <guillem@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
- Add man page sections '(N)' to external references, and '()' on
functions described in the same man page.
- Escape minus signs when those are expected to be used on the command
line or files.
- Mark files and variables in italic; Note headings, function names,
constants, program options and man page references in bold.
- Do not justify and hyphenate SEE ALSO section, and avoid hyphenation
on symbol names by prepending them with \%.
- Remove trailing dot from NAME section description.
- Split sections with a no-op command '.', to visually distinguish them
but to avoid introducing spurious vertical space in the formatted
output.
- Add explicit .sp commands in the SYNOPSIS section between function
prototypes, and fix space placement in function protoypes.
- Split header includes with .br (instead of the explicit or implicit
.sp) so that they are vertically contiguous.
- Add missing {} around SELINUXTYPE and POLICYTYPE variable text in
paths.
- Remove unneeded formatting commands.
- Remove spurious blank lines.
Signed-off-by: Guillem Jover <guillem@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fix typos, or wrong function prototypes.
Signed-off-by: Guillem Jover <guillem@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
