sys-libs/libsemanage: add patches to fix missing homedir contexts
authorJason Zaman <perfinion@gentoo.org>
Fri, 4 Sep 2015 02:54:45 +0000 (10:54 +0800)
committerJason Zaman <perfinion@gentoo.org>
Fri, 4 Sep 2015 02:54:45 +0000 (10:54 +0800)
Gentoo-Bug: https://bugs.gentoo.org/558686

Package-Manager: portage-2.2.20.1

sys-libs/libsemanage/files/0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch [new file with mode: 0644]
sys-libs/libsemanage/files/0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch [new file with mode: 0644]
sys-libs/libsemanage/files/0004-libsemanage-save-homedir_template-in-the-policy-stor.patch [new file with mode: 0644]
sys-libs/libsemanage/files/0005-libsemanage-store-users_extra-in-the-policy-store.patch [new file with mode: 0644]
sys-libs/libsemanage/libsemanage-2.4-r2.ebuild [new file with mode: 0644]

diff --git a/sys-libs/libsemanage/files/0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch b/sys-libs/libsemanage/files/0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch
new file mode 100644 (file)
index 0000000..e5e821e
--- /dev/null
@@ -0,0 +1,318 @@
+From 9638af24a1e890d673549f0b25d854458e07032e Mon Sep 17 00:00:00 2001
+From: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
+Date: Thu, 2 Jul 2015 09:27:36 -0400
+Subject: [PATCH] libsemanage: Add policy binary and file_contexts.local to the
+ store
+
+This patch writes policy.kern and file_contexts.local to the policy store as
+well as /etc/selinux/. Additionally, policy.kern and file_contexts.local
+are now parsed from the store rather than the final directory which was
+the old behavior. This allows all policy related files to be kept in the
+policy store.
+
+This patch also renames /var/lib/selinux/tmp to 'final' and changes
+policy.kern in the store to longer be a symlink.
+
+Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
+---
+ libsemanage/src/booleans_policydb.c      |  6 ++--
+ libsemanage/src/direct_api.c             | 33 +++++++++++++++----
+ libsemanage/src/interfaces_policydb.c    |  6 ++--
+ libsemanage/src/nodes_policydb.c         |  6 ++--
+ libsemanage/src/ports_policydb.c         |  6 ++--
+ libsemanage/src/semanage_store.c         | 55 ++++++++++++++++++++++++--------
+ libsemanage/src/semanage_store.h         |  5 +++
+ libsemanage/src/users_base_policydb.c    |  6 ++--
+ libsemanage/utils/semanage_migrate_store |  3 +-
+ 9 files changed, 86 insertions(+), 40 deletions(-)
+
+diff --git a/libsemanage/src/booleans_policydb.c b/libsemanage/src/booleans_policydb.c
+index 74af2a3..6869d6c 100644
+--- a/libsemanage/src/booleans_policydb.c
++++ b/libsemanage/src/booleans_policydb.c
+@@ -55,10 +55,8 @@ int bool_policydb_dbase_init(semanage_handle_t * handle,
+ {
+       if (dbase_policydb_init(handle,
+-                              semanage_final_path(SEMANAGE_FINAL_SELINUX,
+-                                                  SEMANAGE_KERNEL),
+-                              semanage_final_path(SEMANAGE_FINAL_TMP,
+-                                                  SEMANAGE_KERNEL),
++                              semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
++                              semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
+                               &SEMANAGE_BOOL_RTABLE,
+                               &SEMANAGE_BOOL_POLICYDB_RTABLE,
+                               &dconfig->dbase) < 0)
+diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
+index d57f934..3c6b168 100644
+--- a/libsemanage/src/direct_api.c
++++ b/libsemanage/src/direct_api.c
+@@ -196,10 +196,8 @@ int semanage_direct_connect(semanage_handle_t * sh)
+               goto err;
+       if (fcontext_file_dbase_init(sh,
+-                                   semanage_final_path(SEMANAGE_FINAL_SELINUX,
+-                                                       SEMANAGE_FC_LOCAL),
+-                                   semanage_final_path(SEMANAGE_FINAL_TMP,
+-                                                       SEMANAGE_FC_LOCAL),
++                                   semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC_LOCAL),
++                                   semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
+                                    semanage_fcontext_dbase_local(sh)) < 0)
+               goto err;
+@@ -1041,7 +1039,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+       size_t fc_buffer_len = 0;
+       const char *ofilename = NULL;
+       const char *path;
+-      int retval = -1, num_modinfos = 0, i;
++      int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0;
+       sepol_policydb_t *out = NULL;
+       struct cil_db *cildb = NULL;
+       semanage_module_info_t *modinfos = NULL;
+@@ -1143,8 +1141,20 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+       modified |= dontaudit_modified;
+       modified |= preserve_tunables_modified;
++      /* This is for systems that have already migrated with an older version
++       * of semanage_migrate_store. The older version did not copy policy.kern so
++       * the policy binary must be rebuilt here.
++       */
++      if (!sh->do_rebuild && !modified) {
++              path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL);
++
++              if (access(path, F_OK) != 0) {
++                      missing_policy_kern = 1;
++              }
++      }
++
+       /* If there were policy changes, or explicitly requested, rebuild the policy */
+-      if (sh->do_rebuild || modified) {
++      if (sh->do_rebuild || modified || missing_policy_kern) {
+               /* =================== Module expansion =============== */
+               retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos);
+@@ -1302,6 +1312,17 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+       if (retval < 0)
+               goto cleanup;
++      retval = semanage_copy_policydb(sh);
++      if (retval < 0)
++              goto cleanup;
++
++      path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
++      if (access(path, F_OK) == 0) {
++              retval = semanage_copy_fc_local(sh);
++              if (retval < 0)
++                      goto cleanup;
++      }
++
+       /* run genhomedircon if its enabled, this should be the last operation
+        * which requires the out policydb */
+       if (!sh->conf->disable_genhomedircon) {
+diff --git a/libsemanage/src/interfaces_policydb.c b/libsemanage/src/interfaces_policydb.c
+index 6a42eed..552ce7d 100644
+--- a/libsemanage/src/interfaces_policydb.c
++++ b/libsemanage/src/interfaces_policydb.c
+@@ -51,10 +51,8 @@ int iface_policydb_dbase_init(semanage_handle_t * handle,
+ {
+       if (dbase_policydb_init(handle,
+-                              semanage_final_path(SEMANAGE_FINAL_SELINUX,
+-                                                  SEMANAGE_KERNEL),
+-                              semanage_final_path(SEMANAGE_FINAL_TMP,
+-                                                  SEMANAGE_KERNEL),
++                              semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
++                              semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
+                               &SEMANAGE_IFACE_RTABLE,
+                               &SEMANAGE_IFACE_POLICYDB_RTABLE,
+                               &dconfig->dbase) < 0)
+diff --git a/libsemanage/src/nodes_policydb.c b/libsemanage/src/nodes_policydb.c
+index 56012fb..7224f00 100644
+--- a/libsemanage/src/nodes_policydb.c
++++ b/libsemanage/src/nodes_policydb.c
+@@ -50,10 +50,8 @@ int node_policydb_dbase_init(semanage_handle_t * handle,
+ {
+       if (dbase_policydb_init(handle,
+-                              semanage_final_path(SEMANAGE_FINAL_SELINUX,
+-                                                  SEMANAGE_KERNEL),
+-                              semanage_final_path(SEMANAGE_FINAL_TMP,
+-                                                  SEMANAGE_KERNEL),
++                              semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
++                              semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
+                               &SEMANAGE_NODE_RTABLE,
+                               &SEMANAGE_NODE_POLICYDB_RTABLE,
+                               &dconfig->dbase) < 0)
+diff --git a/libsemanage/src/ports_policydb.c b/libsemanage/src/ports_policydb.c
+index b9600f0..37d7deb 100644
+--- a/libsemanage/src/ports_policydb.c
++++ b/libsemanage/src/ports_policydb.c
+@@ -50,10 +50,8 @@ int port_policydb_dbase_init(semanage_handle_t * handle,
+ {
+       if (dbase_policydb_init(handle,
+-                              semanage_final_path(SEMANAGE_FINAL_SELINUX,
+-                                                  SEMANAGE_KERNEL),
+-                              semanage_final_path(SEMANAGE_FINAL_TMP,
+-                                                  SEMANAGE_KERNEL),
++                              semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
++                              semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
+                               &SEMANAGE_PORT_RTABLE,
+                               &SEMANAGE_PORT_POLICYDB_RTABLE,
+                               &dconfig->dbase) < 0)
+diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
+index 6051691..2856aaf 100644
+--- a/libsemanage/src/semanage_store.c
++++ b/libsemanage/src/semanage_store.c
+@@ -110,10 +110,12 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
+       "/disable_dontaudit",
+       "/preserve_tunables",
+       "/modules/disabled",
++      "/policy.kern",
++      "/file_contexts.local"
+ };
+ static char const * const semanage_final_prefix[SEMANAGE_FINAL_NUM] = {
+-      "/tmp",
++      "/final",
+       "",
+ };
+@@ -943,9 +945,7 @@ int semanage_make_final(semanage_handle_t *sh)
+               goto cleanup;
+       }
+-      /* Copy in exported databases.
+-       * i = 1 to avoid copying the top level directory.
+-       */
++      // Build final directory structure
+       int i;
+       for (i = 1; i < SEMANAGE_FINAL_PATH_NUM; i++) {
+               if (strlen(semanage_final_path(SEMANAGE_FINAL_TMP, i)) >= sizeof(fn)) {
+@@ -959,12 +959,6 @@ int semanage_make_final(semanage_handle_t *sh)
+                       status = -1;
+                       goto cleanup;
+               }
+-
+-              semanage_copy_file(
+-                      semanage_final_path(SEMANAGE_FINAL_SELINUX, i),
+-                      semanage_final_path(SEMANAGE_FINAL_TMP, i),
+-                      sh->conf->file_mode);
+-              /* ignore errors, these files may not exist */
+       }
+ cleanup:
+@@ -2019,8 +2013,7 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
+       FILE *infile = NULL;
+       if ((kernel_filename =
+-           semanage_final_path(SEMANAGE_FINAL_SELINUX,
+-                               SEMANAGE_KERNEL)) == NULL) {
++           semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL)) == NULL) {
+               goto cleanup;
+       }
+       if ((infile = fopen(kernel_filename, "r")) == NULL) {
+@@ -2061,7 +2054,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
+       FILE *outfile = NULL;
+       if ((kernel_filename =
+-           semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL)) == NULL) {
++           semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL)) == NULL) {
+               goto cleanup;
+       }
+       if ((outfile = fopen(kernel_filename, "wb")) == NULL) {
+@@ -2921,3 +2914,39 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
+       return 0;
+ }
++
++int semanage_copy_policydb(semanage_handle_t *sh)
++{
++      const char *src = NULL;
++      const char *dst = NULL;
++      int rc = -1;
++
++      src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL);
++      dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL);
++
++      rc = semanage_copy_file(src, dst, sh->conf->file_mode);
++      if (rc != 0) {
++              goto cleanup;
++      }
++
++cleanup:
++      return rc;
++}
++
++int semanage_copy_fc_local(semanage_handle_t *sh)
++{
++      const char *src = NULL;
++      const char *dst = NULL;
++      int rc = -1;
++
++      src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
++      dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL);
++
++      rc = semanage_copy_file(src, dst, sh->conf->file_mode);
++      if (rc != 0) {
++              goto cleanup;
++      }
++
++cleanup:
++      return rc;
++}
+diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
+index 62c7079..ade43f2 100644
+--- a/libsemanage/src/semanage_store.h
++++ b/libsemanage/src/semanage_store.h
+@@ -55,6 +55,8 @@ enum semanage_sandbox_defs {
+       SEMANAGE_DISABLE_DONTAUDIT,
+       SEMANAGE_PRESERVE_TUNABLES,
+       SEMANAGE_MODULES_DISABLED,
++      SEMANAGE_STORE_KERNEL,
++      SEMANAGE_STORE_FC_LOCAL,
+       SEMANAGE_STORE_NUM_PATHS
+ };
+@@ -148,4 +150,7 @@ int semanage_nc_sort(semanage_handle_t * sh,
+                    size_t buf_len,
+                    char **sorted_buf, size_t * sorted_buf_len);
++int semanage_copy_policydb(semanage_handle_t *sh);
++int semanage_copy_fc_local(semanage_handle_t *sh);
++
+ #endif
+diff --git a/libsemanage/src/users_base_policydb.c b/libsemanage/src/users_base_policydb.c
+index 0a6ab9c..b42279c 100644
+--- a/libsemanage/src/users_base_policydb.c
++++ b/libsemanage/src/users_base_policydb.c
+@@ -50,10 +50,8 @@ int user_base_policydb_dbase_init(semanage_handle_t * handle,
+ {
+       if (dbase_policydb_init(handle,
+-                              semanage_final_path(SEMANAGE_FINAL_SELINUX,
+-                                                  SEMANAGE_KERNEL),
+-                              semanage_final_path(SEMANAGE_FINAL_TMP,
+-                                                  SEMANAGE_KERNEL),
++                              semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_KERNEL),
++                              semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
+                               &SEMANAGE_USER_BASE_RTABLE,
+                               &SEMANAGE_USER_BASE_POLICYDB_RTABLE,
+                               &dconfig->dbase) < 0)
+diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
+index 2f85e9c..b170eda 100755
+--- a/libsemanage/utils/semanage_migrate_store
++++ b/libsemanage/utils/semanage_migrate_store
+@@ -243,7 +243,8 @@ if __name__ == "__main__":
+               "users.local",
+               "users_extra.local",
+               "disable_dontaudit",
+-              "preserve_tunables" ]
++              "preserve_tunables",
++              "policy.kern" ]
+       create_dir(newroot_path(), 0o755)
+-- 
+2.4.6
+
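Review bot: The removed copy loop in semanage_make_final (the `semanage_copy_file(semanage_final_path(SEMANAGE_FINAL_SELINUX, i), ...)` block) was the only path that carried files already present under the live /etc/selinux store into the new final tree, and the replacement in semanage_direct_commit copies only policy.kern and, when it exists in the sandbox, file_contexts.local. A file such as file_contexts.homedir that is produced by genhomedircon therefore appears to have no source when `sh->conf->disable_genhomedircon` is set, which is the very symptom this series is meant to fix (bug 558686); please confirm that case, or document in the ebuild which upstream follow-up covers it. The `// Build final directory structure` line also switches to `//` in a file that otherwise uses `/* */` comments, and the `goto cleanup` in the two new helpers jumps to the next statement; both are upstream nits, but worth knowing if the patch is ever refreshed. semanage_direct_commit and semanage_make_final both start and end outside the hunks shown.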
diff --git a/sys-libs/libsemanage/files/0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch b/sys-libs/libsemanage/files/0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch
new file mode 100644 (file)
index 0000000..24e9778
--- /dev/null
@@ -0,0 +1,265 @@
+From d56c2b434e99f60612c1290e82021ecbcbfaf5e6 Mon Sep 17 00:00:00 2001
+From: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
+Date: Tue, 21 Jul 2015 15:08:15 -0400
+Subject: [PATCH] libsemanage: Add file_contexts and seusers to the store
+
+This patch writes file_contexts and seusers to the policy store as well as
+/etc/selinux/. Additionally, file_contexts and seusers are now parsed from the
+store rather than the final directory which was the old behavior. This allows
+all policy related files to be kept in the policy store.
+
+Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
+---
+ libsemanage/src/direct_api.c             | 69 +++++++++++++++++++++++++-------
+ libsemanage/src/semanage_store.c         | 49 ++++-------------------
+ libsemanage/src/semanage_store.h         |  5 ++-
+ libsemanage/utils/semanage_migrate_store |  3 +-
+ 4 files changed, 66 insertions(+), 60 deletions(-)
+
+diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
+index 3c6b168..b11f2ba 100644
+--- a/libsemanage/src/direct_api.c
++++ b/libsemanage/src/direct_api.c
+@@ -248,18 +248,14 @@ int semanage_direct_connect(semanage_handle_t * sh)
+               goto err;
+       if (fcontext_file_dbase_init(sh,
+-                                   semanage_final_path(SEMANAGE_FINAL_SELINUX,
+-                                                       SEMANAGE_FC),
+-                                   semanage_final_path(SEMANAGE_FINAL_TMP,
+-                                                       SEMANAGE_FC),
++                                   semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC),
++                                   semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
+                                    semanage_fcontext_dbase_policy(sh)) < 0)
+               goto err;
+       if (seuser_file_dbase_init(sh,
+-                                 semanage_final_path(SEMANAGE_FINAL_SELINUX,
+-                                                     SEMANAGE_SEUSERS),
+-                                 semanage_final_path(SEMANAGE_FINAL_TMP,
+-                                                     SEMANAGE_SEUSERS),
++                                 semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_SEUSERS),
++                                 semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
+                                  semanage_seuser_dbase_policy(sh)) < 0)
+               goto err;
+@@ -602,7 +598,7 @@ static int semanage_direct_update_seuser(semanage_handle_t * sh, cil_db_t *cildb
+       }
+       if (size > 0) {
+-              ofilename = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS);
++              ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
+               if (ofilename == NULL) {
+                       return -1;
+               }
+@@ -1039,7 +1035,8 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+       size_t fc_buffer_len = 0;
+       const char *ofilename = NULL;
+       const char *path;
+-      int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0;
++      int retval = -1, num_modinfos = 0, i, missing_policy_kern = 0,
++              missing_seusers = 0, missing_fc = 0, missing = 0;
+       sepol_policydb_t *out = NULL;
+       struct cil_db *cildb = NULL;
+       semanage_module_info_t *modinfos = NULL;
+@@ -1151,10 +1148,26 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+               if (access(path, F_OK) != 0) {
+                       missing_policy_kern = 1;
+               }
++
++              path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
++
++              if (access(path, F_OK) != 0) {
++                      missing_fc = 1;
++              }
++
++              path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
++
++              if (access(path, F_OK) != 0) {
++                      missing_seusers = 1;
++              }
+       }
++      missing |= missing_policy_kern;
++      missing |= missing_fc;
++      missing |= missing_seusers;
++
+       /* If there were policy changes, or explicitly requested, rebuild the policy */
+-      if (sh->do_rebuild || modified || missing_policy_kern) {
++      if (sh->do_rebuild || modified || missing) {
+               /* =================== Module expansion =============== */
+               retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos);
+@@ -1312,15 +1325,41 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+       if (retval < 0)
+               goto cleanup;
+-      retval = semanage_copy_policydb(sh);
+-      if (retval < 0)
++      retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL),
++                      semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL),
++                      sh->conf->file_mode);
++      if (retval < 0) {
+               goto cleanup;
++      }
+       path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
+       if (access(path, F_OK) == 0) {
+-              retval = semanage_copy_fc_local(sh);
+-              if (retval < 0)
++              retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
++                                                      semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
++                                                      sh->conf->file_mode);
++              if (retval < 0) {
+                       goto cleanup;
++              }
++      }
++
++      path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
++      if (access(path, F_OK) == 0) {
++              retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
++                                                      semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
++                                                      sh->conf->file_mode);
++              if (retval < 0) {
++                      goto cleanup;
++              }
++      }
++
++      path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
++      if (access(path, F_OK) == 0) {
++              retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
++                                                      semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
++                                                      sh->conf->file_mode);
++              if (retval < 0) {
++                      goto cleanup;
++              }
+       }
+       /* run genhomedircon if its enabled, this should be the last operation
+diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
+index 2856aaf..fa0876f 100644
+--- a/libsemanage/src/semanage_store.c
++++ b/libsemanage/src/semanage_store.c
+@@ -111,7 +111,9 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
+       "/preserve_tunables",
+       "/modules/disabled",
+       "/policy.kern",
+-      "/file_contexts.local"
++      "/file_contexts.local",
++      "/file_contexts",
++      "/seusers"
+ };
+ static char const * const semanage_final_prefix[SEMANAGE_FINAL_NUM] = {
+@@ -666,7 +668,7 @@ static int semanage_filename_select(const struct dirent *d)
+ /* Copies a file from src to dst.  If dst already exists then
+  * overwrite it.  Returns 0 on success, -1 on error. */
+-static int semanage_copy_file(const char *src, const char *dst, mode_t mode)
++int semanage_copy_file(const char *src, const char *dst, mode_t mode)
+ {
+       int in, out, retval = 0, amount_read, n, errsv = errno;
+       char tmp[PATH_MAX];
+@@ -1425,11 +1427,11 @@ int semanage_split_fc(semanage_handle_t * sh)
+               goto cleanup;
+       }
+-      fc = open(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
++      fc = open(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
+                 O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
+       if (fc < 0) {
+               ERR(sh, "Could not open %s for writing.",
+-                  semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC));
++                  semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC));
+               goto cleanup;
+       }
+       hd = open(semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL),
+@@ -1454,8 +1456,7 @@ int semanage_split_fc(semanage_handle_t * sh)
+               } else {
+                       if (write(fc, buf, strlen(buf)) < 0) {
+                               ERR(sh, "Write to %s failed.",
+-                                  semanage_final_path(SEMANAGE_FINAL_TMP,
+-                                                      SEMANAGE_FC));
++                                  semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC));
+                               goto cleanup;
+                       }
+               }
+@@ -2914,39 +2915,3 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
+       return 0;
+ }
+-
+-int semanage_copy_policydb(semanage_handle_t *sh)
+-{
+-      const char *src = NULL;
+-      const char *dst = NULL;
+-      int rc = -1;
+-
+-      src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL);
+-      dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL);
+-
+-      rc = semanage_copy_file(src, dst, sh->conf->file_mode);
+-      if (rc != 0) {
+-              goto cleanup;
+-      }
+-
+-cleanup:
+-      return rc;
+-}
+-
+-int semanage_copy_fc_local(semanage_handle_t *sh)
+-{
+-      const char *src = NULL;
+-      const char *dst = NULL;
+-      int rc = -1;
+-
+-      src = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
+-      dst = semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL);
+-
+-      rc = semanage_copy_file(src, dst, sh->conf->file_mode);
+-      if (rc != 0) {
+-              goto cleanup;
+-      }
+-
+-cleanup:
+-      return rc;
+-}
+diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
+index ade43f2..acb6e3f 100644
+--- a/libsemanage/src/semanage_store.h
++++ b/libsemanage/src/semanage_store.h
+@@ -57,6 +57,8 @@ enum semanage_sandbox_defs {
+       SEMANAGE_MODULES_DISABLED,
+       SEMANAGE_STORE_KERNEL,
+       SEMANAGE_STORE_FC_LOCAL,
++      SEMANAGE_STORE_FC,
++      SEMANAGE_STORE_SEUSERS,
+       SEMANAGE_STORE_NUM_PATHS
+ };
+@@ -150,7 +152,6 @@ int semanage_nc_sort(semanage_handle_t * sh,
+                    size_t buf_len,
+                    char **sorted_buf, size_t * sorted_buf_len);
+-int semanage_copy_policydb(semanage_handle_t *sh);
+-int semanage_copy_fc_local(semanage_handle_t *sh);
++int semanage_copy_file(const char *src, const char *dst, mode_t mode);
+ #endif
+diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
+index b170eda..6443002 100755
+--- a/libsemanage/utils/semanage_migrate_store
++++ b/libsemanage/utils/semanage_migrate_store
+@@ -244,7 +244,8 @@ if __name__ == "__main__":
+               "users_extra.local",
+               "disable_dontaudit",
+               "preserve_tunables",
+-              "policy.kern" ]
++              "policy.kern",
++              "file_contexts"]
+       create_dir(newroot_path(), 0o755)
+-- 
+2.4.6
+
diff --git a/sys-libs/libsemanage/files/0004-libsemanage-save-homedir_template-in-the-policy-stor.patch b/sys-libs/libsemanage/files/0004-libsemanage-save-homedir_template-in-the-policy-stor.patch
new file mode 100644 (file)
index 0000000..3bc1370
--- /dev/null
@@ -0,0 +1,54 @@
+From 75dd8c062d1f6f0e0a7a9f1856c0957b423e8a02 Mon Sep 17 00:00:00 2001
+From: Steve Lawrence <slawrence@tresys.com>
+Date: Thu, 3 Sep 2015 09:28:08 -0400
+Subject: [PATCH 1/3] libsemanage: save homedir_template in the policy store
+ for genhomedircon
+
+We don't currently store homedir_template in the policy store, which
+means genhomedircon only has a template file to use if the
+homedir_template was generated from the file contexts in the same
+transaction.  But homedir_template isn't always generated, as in the
+case with setsebool -P. In this and other cases, genhomedircon will not
+have a template file resulting in an empty file_contexts.homedir file.
+
+This commit changes this so that homedir_template is always stored in
+the policy store so it can be used by genhomedircon regardless of how
+policy was built. Also add the homedir_template file to the migration
+script.
+
+Signed-off by: Steve Lawrence <slawrence@tresys.com>
+Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
+---
+ libsemanage/src/direct_api.c             | 1 -
+ libsemanage/utils/semanage_migrate_store | 3 ++-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
+index 90a7b22..6e49cae 100644
+--- a/libsemanage/src/direct_api.c
++++ b/libsemanage/src/direct_api.c
+@@ -1415,7 +1415,6 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+       /* remove files that are automatically generated and no longer needed */
+       unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL));
+-      unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL));
+       unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA));
+       if (sh->do_rebuild || modified || bools_modified || fcontexts_modified) {
+diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
+index 539f469..297c71b 100755
+--- a/libsemanage/utils/semanage_migrate_store
++++ b/libsemanage/utils/semanage_migrate_store
+@@ -251,7 +251,8 @@ if __name__ == "__main__":
+               "disable_dontaudit",
+               "preserve_tunables",
+               "policy.kern",
+-              "file_contexts"]
++              "file_contexts",
++              "homedir_template"]
+       create_dir(newroot_path(), 0o755)
+-- 
+2.4.6
+
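Review bot: The pre-image blob ids of 0004 do not chain from 0003's post-image: direct_api.c is `index 90a7b22..6e49cae` here while 0003 leaves it at `b11f2ba`, and semanage_migrate_store is `index 539f469..297c71b` against 0003's `6443002`, so 0004 (and 0005, which chains from 0004) was generated against a later upstream tree with commits that are not carried in this series. The context lines agree with that: the `sh->do_rebuild || modified || bools_modified || fcontexts_modified` condition and the unlink block at line 1415 do not appear in the 0002/0003 hunks shown here. Whether the hunks still apply, and with what fuzz, depends on the ebuild's patch step, which lies outside this chunk; please confirm the series applies with zero fuzz, or add the intervening upstream commits so the store-layout changes stay consistent.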
diff --git a/sys-libs/libsemanage/files/0005-libsemanage-store-users_extra-in-the-policy-store.patch b/sys-libs/libsemanage/files/0005-libsemanage-store-users_extra-in-the-policy-store.patch
new file mode 100644 (file)
index 0000000..1aca2ad
--- /dev/null
@@ -0,0 +1,57 @@
+From dbc639a35af71eec1a1b386b74a822d794bb59df Mon Sep 17 00:00:00 2001
+From: Steve Lawrence <slawrence@tresys.com>
+Date: Thu, 3 Sep 2015 13:07:36 -0400
+Subject: [PATCH 2/3] libsemanage: store users_extra in the policy store
+
+users_extra is needed by genhomedircon and when listing seusers, so it
+must be kept in the policy store. Also move the FC_TMPL unlink() closer
+to where the FC_TMPL is created; not a functional change, but eaiser to
+follow.
+
+Signed-off-by: Steve Lawrence <slawrence@tresys.com>
+Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
+---
+ libsemanage/src/direct_api.c             | 7 +++----
+ libsemanage/utils/semanage_migrate_store | 1 +
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
+index 6e49cae..68dd0d1 100644
+--- a/libsemanage/src/direct_api.c
++++ b/libsemanage/src/direct_api.c
+@@ -1272,6 +1272,9 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+               if (retval < 0)
+                       goto cleanup;
++              /* remove FC_TMPL now that it is now longer needed */
++              unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL));
++
+               pfcontexts->dtable->drop_cache(pfcontexts->dbase);
+               /* SEUsers */
+@@ -1413,10 +1416,6 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+       sepol_policydb_free(out);
+       out = NULL;
+-      /* remove files that are automatically generated and no longer needed */
+-      unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL));
+-      unlink(semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA));
+-
+       if (sh->do_rebuild || modified || bools_modified || fcontexts_modified) {
+               retval = semanage_install_sandbox(sh);
+       }
+diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store
+index 297c71b..b5eefaa 100755
+--- a/libsemanage/utils/semanage_migrate_store
++++ b/libsemanage/utils/semanage_migrate_store
+@@ -247,6 +247,7 @@ if __name__ == "__main__":
+               "file_contexts.local",
+               "seusers",
+               "users.local",
++              "users_extra",
+               "users_extra.local",
+               "disable_dontaudit",
+               "preserve_tunables",
+-- 
+2.4.6
+
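Review bot: 0004 and 0005 carry the upstream subjects `[PATCH 1/3]` and `[PATCH 2/3]`, but the third patch of that series is not part of this commit and the message does not say whether it was dropped on purpose or belongs to another package. Because 0005 stops unlinking users_extra from the sandbox so genhomedircon can read it, and 0004 does the same for homedir_template, an omitted 3/3 could leave the homedir-context fix (bug 558686) incomplete. Please name the omitted upstream commit in the commit message, or add it as 0006 if it also touches libsemanage.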
diff --git a/sys-libs/libsemanage/libsemanage-2.4-r2.ebuild b/sys-libs/libsemanage/libsemanage-2.4-r2.ebuild
new file mode 100644 (file)
index 0000000..5e14e7d
--- /dev/null
@@ -0,0 +1,131 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+PYTHON_COMPAT=( python2_7 python3_3 python3_4 )
+
+inherit multilib python-r1 toolchain-funcs eutils multilib-minimal
+
+MY_P="${P//_/-}"
+
+SEPOL_VER="${PV}"
+SELNX_VER="${PV}"
+
+DESCRIPTION="SELinux kernel and policy management library"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
+SRC_URI="https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20150202/${MY_P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="python"
+
+RDEPEND=">=sys-libs/libsepol-${SEPOL_VER}[${MULTILIB_USEDEP}]
+       >=sys-libs/libselinux-${SELNX_VER}[${MULTILIB_USEDEP}]
+       >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}]
+       >=dev-libs/ustr-1.0.4-r2[${MULTILIB_USEDEP}]
+       "
+DEPEND="${RDEPEND}
+       sys-devel/bison
+       sys-devel/flex
+       python? (
+               >=dev-lang/swig-2.0.4-r1
+               virtual/pkgconfig
+               ${PYTHON_DEPS}
+       )"
+
+# tests are not meant to be run outside of the
+# full SELinux userland repo
+RESTRICT="test"
+
+S="${WORKDIR}/${MY_P}"
+
+src_prepare() {
+       echo "# Set this to true to save the linked policy." >> "${S}/src/semanage.conf"
+       echo "# This is normally only useful for analysis" >> "${S}/src/semanage.conf"
+       echo "# or debugging of policy." >> "${S}/src/semanage.conf"
+       echo "save-linked=false" >> "${S}/src/semanage.conf"
+       echo >> "${S}/src/semanage.conf"
+       echo "# Set this to 0 to disable assertion checking." >> "${S}/src/semanage.conf"
+       echo "# This should speed up building the kernel policy" >> "${S}/src/semanage.conf"
+       echo "# from policy modules, but may leave you open to" >> "${S}/src/semanage.conf"
+       echo "# dangerous rules which assertion checking" >> "${S}/src/semanage.conf"
+       echo "# would catch." >> "${S}/src/semanage.conf"
+       echo "expand-check=1" >> "${S}/src/semanage.conf"
+       echo >> "${S}/src/semanage.conf"
+       echo "# Modules in the module store can be compressed" >> "${S}/src/semanage.conf"
+       echo "# with bzip2.  Set this to the bzip2 blocksize" >> "${S}/src/semanage.conf"
+       echo "# 1-9 when compressing.  The higher the number," >> "${S}/src/semanage.conf"
+       echo "# the more memory is traded off for disk space." >> "${S}/src/semanage.conf"
+       echo "# Set to 0 to disable bzip2 compression." >> "${S}/src/semanage.conf"
+       echo "bzip-blocksize=0" >> "${S}/src/semanage.conf"
+       echo >> "${S}/src/semanage.conf"
+       echo "# Reduce memory usage for bzip2 compression and" >> "${S}/src/semanage.conf"
+       echo "# decompression of modules in the module store." >> "${S}/src/semanage.conf"
+       echo "bzip-small=true" >> "${S}/src/semanage.conf"
+
+       epatch "${FILESDIR}/0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch" \
+               "${FILESDIR}/0002-libsemanage-Add-policy-binary-and-file_contexts.loca.patch" \
+               "${FILESDIR}/0003-libsemanage-Add-file_contexts-and-seusers-to-the-sto.patch" \
+               "${FILESDIR}/0004-libsemanage-save-homedir_template-in-the-policy-stor.patch" \
+               "${FILESDIR}/0005-libsemanage-store-users_extra-in-the-policy-store.patch"
+
+       epatch_user
+
+       multilib_copy_sources
+}
+
+multilib_src_compile() {
+       emake \
+               AR="$(tc-getAR)" \
+               CC="$(tc-getCC)" \
+               LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
+               all
+
+       if multilib_is_native_abi && use python; then
+               building_py() {
+                       python_export PYTHON_INCLUDEDIR PYTHON_LIBPATH
+                       emake CC="$(tc-getCC)" PYINC="-I${PYTHON_INCLUDEDIR}" PYTHONLBIDIR="${PYTHON_LIBPATH}" PYPREFIX="${EPYTHON##*/}" "$@"
+               }
+               python_foreach_impl building_py swigify
+               python_foreach_impl building_py pywrap
+       fi
+}
+
+multilib_src_install() {
+       emake \
+               LIBDIR="${ED}/usr/$(get_libdir)" \
+               SHLIBDIR="${ED}/usr/$(get_libdir)" \
+               DESTDIR="${ED}" install
+
+       if multilib_is_native_abi && use python; then
+               installation_py() {
+                       emake DESTDIR="${ED}" LIBDIR="${ED}/usr/$(get_libdir)" \
+                               SHLIBDIR="${ED}/usr/$(get_libdir)" install-pywrap
+                       python_optimize # bug 531638
+               }
+               python_foreach_impl installation_py
+       fi
+}
+
+pkg_postinst() {
+       # Migrate the SELinux semanage configuration store if not done already
+       local selinuxtype=$(awk -F'=' '/SELINUXTYPE=/ {print $2}' /etc/selinux/config);
+       if [ -n "${selinuxtype}" ] && [ ! -d /var/lib/selinux/${mcs}/active ] ; then
+               ewarn "Since the 2.4 SELinux userspace, the policy module store is moved"
+               ewarn "from /etc/selinux to /var/lib/selinux. The migration will be run now."
+               ewarn "If there are any issues, it can be done manually by running:"
+               ewarn "/usr/libexec/selinux/semanage_migrate_store"
+               ewarn "For more information, please see"
+               ewarn "- https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration"
+       fi
+
+       # Run the store migration without rebuilds
+       for POLICY_TYPE in ${POLICY_TYPES} ; do
+               if [ ! -d "${ROOT}/var/lib/selinux/${POLICY_TYPE}/active" ] ; then
+                       einfo "Migrating store ${POLICY_TYPE} (without policy rebuild)."
+                       /usr/libexec/selinux/semanage_migrate_store -n -s "${POLICY_TYPE}" || die "Failed to migrate store ${POLICY_TYPE}"
+               fi
+       done
+}
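Review bot: The directory test at the top of pkg_postinst expands `${mcs}`, which is never assigned anywhere in this ebuild, so the path collapses to /var/lib/selinux//active and the migration warning is printed whenever SELINUXTYPE is set, regardless of whether the store was already migrated; `${selinuxtype}` is presumably what was meant. That check also lacks the `${ROOT}` prefix the loop a few lines below uses, so the two tests can disagree when ROOT is not /; `if [ -n "${selinuxtype}" ] && [ ! -d "${ROOT}/var/lib/selinux/${selinuxtype}/active" ] ; then` would make them consistent, and reading `${ROOT}/etc/selinux/config` in the awk invocation would match it. Note that semanage_migrate_store is still run from the absolute host path /usr/libexec and presumably acts on the host's live store, so a ROOT-prefixed directory test alone does not make the migration ROOT-aware — a comment stating that limitation on the invocation line would help the next maintainer. Separately, `PYTHONLBIDIR` in multilib_src_compile looks like a transposition of PYTHONLIBDIR; verify it against the variable name the libsemanage Makefile actually reads, since a misspelled make variable is silently ignored rather than reported.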