Stephen, Josh: I think this might address all your concerns.
Changes: No more code in libselinux, new handles have their
disable_dontaudit flag set to 0 upon creation (old way),
set_disable_dontaudit creates a file in the sandbox to make the setting
visible after commits.
Justification: After turning off dontaudit rules there is currently no
way for the system to see that this change has been made; this patch creates a
flag file that can be used as an indicator.
Note: still depends on patch 1/2
Signed-off-by: Christopher Pardy <cpardy@xxxxxxxxxx>
diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h 2009-07-01 21:15:17.224235939 -0400
+++ selinux/libsemanage/include/semanage/handle.h 2009-07-02 11:09:06.982262194 -0400
@@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
* 1 for yes, 0 for no (default) */
void semanage_set_create_store(semanage_handle_t * handle, int create_store);
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
/* Set whether or not to disable dontaudits upon commit */
void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
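Review bot: The comment added above semanage_get_disable_dontaudit reads `Get whether or not to dontaudits will be disabled upon commit`, which is garbled, and unlike the neighbouring declarations it does not state the value convention. I would write `/* Get whether dontaudits will be disabled upon commit: 1 for yes, 0 for no (default) */`, the default following from the cover letter's statement that new handles start with the flag at 0. The setter's comment should also mention that it now creates or removes a flag file in the store, since that on-disk side effect is the whole point of this patch and callers will not expect it from a setter. The same hunk appears again in the duplicated copy of the patch further down the page.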
diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c 2009-07-01 21:15:17.288238017 -0400
+++ selinux/libsemanage/src/handle.c 2009-07-02 11:29:20.740267205 -0400
@@ -29,6 +29,7 @@
#include<stdio.h>
#include<string.h>
#include<sys/time.h>
+#include<limits.h>
#include "direct_api.h"
#include "handle.h"
@@ -75,7 +76,12 @@ semanage_handle_t *semanage_handle_creat
/* Set callback */
sh->msg_callback = semanage_msg_default_handler;
sh->msg_callback_arg = NULL;
-
+
+ /*set the flag to be deleted*/
+ char path[PATH_MAX];
+ path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT)
+ remove(path);
+
return sh;
err:
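Review bot: The lines added to semanage_handle_create do not compile: `path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT)` has no terminating semicolon and assigns to a `char[PATH_MAX]` array, which C does not allow. Assuming semanage_fname returns a string pointer, `const char *path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);` is what is wanted, and the `remove(path)` result should be checked with ENOENT treated as the normal case on a store that never had the flag. Deleting a file from the store at handle creation, before any connection or transaction lock exists, also silently changes on-disk state; it may be safer to do this where the store is locked, but I cannot tell from this hunk how the handle is used before connect. The body of semanage_handle_create begins and ends outside the hunk, and the same lines reappear in the duplicated copy of the patch further down the page.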
@@ -110,11 +116,27 @@ void semanage_set_create_store(semanage_
return;
}
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+ assert(sh != NULL);
+
+ return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
{
assert(sh != NULL);
-
+
sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+
+ char path[PATH_MAX];
+ path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT)
+ if(disable_dontaudit(sh) == 1){
+ FILE *touch;
+ touch = fopen(path,"w");
+ fclose(touch);
+ }else
+ remove(path);
return;
}
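Review bot: semanage_set_disable_dontaudit as added will not compile and would crash if it did: `path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT)` has no semicolon and assigns to a char array, `disable_dontaudit(sh)` calls the int parameter as a function, and `fclose(touch)` runs on whatever `fopen` returned, including NULL. The flag file is also created and removed without any return-value check, so a failure to record the setting goes unnoticed even though the purpose of the file is for the system to see it; the rewrite below reports through ERR() as semanage_commit does (it needs `<errno.h>` if handle.c does not already include it, and assumes semanage_fname returns a string pointer). The sepol setting is applied before the file operations, so on failure the in-memory flag and the on-disk indicator disagree; consider whether the sepol call should follow a successful file update. The same hunk appears again in the duplicated copy of the patch further down the page.
```c
void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
{
	assert(sh != NULL);

	sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);

	/* Mirror the setting as a flag file so the store records it. */
	const char *path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);
	if (path == NULL)
		return;
	if (disable_dontaudit == 1) {
		FILE *touch = fopen(path, "w");
		if (touch == NULL || fclose(touch) != 0)
			ERR(sh, "Could not create dontaudit flag file %s.", path);
	} else if (remove(path) != 0 && errno != ENOENT) {
		ERR(sh, "Could not remove dontaudit flag file %s.", path);
	}
}
```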
@@ -264,7 +286,7 @@ int semanage_commit(semanage_handle_t *
assert(sh != NULL&& sh->funcs != NULL&& sh->funcs->commit != NULL);
if (!sh->is_in_transaction) {
ERR(sh,
- "Will not commit because caller does not have a tranaction lock yet.");
+ "Will not commit because caller does not have a transaction lock yet.");
return -1;
}
retval = sh->funcs->commit(sh);
diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map 2009-07-01 21:15:17.290237650 -0400
+++ selinux/libsemanage/src/libsemanage.map 2009-07-02 11:12:49.864242881 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
semanage_iface_*; semanage_port_*; semanage_context_*;
semanage_node_*;
semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
- semanage_is_connected; semanage_set_disable_dontaudit;
+ semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
semanage_mls_enabled;
local: *;
};
diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h 2009-07-01 21:15:17.262235597 -0400
+++ selinux/libsemanage/src/semanage_store.h 2009-07-02 10:35:04.362488949 -0400
@@ -58,7 +58,8 @@ enum semanage_sandbox_defs {
SEMANAGE_USERS_EXTRA,
SEMANAGE_NC,
SEMANAGE_FC_HOMEDIRS,
- SEMANAGE_STORE_NUM_PATHS
+ SEMANAGE_STORE_NUM_PATHS,
+ SEMANAGE_DISABLE_DONTAUDIT
};
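Review bot: `SEMANAGE_DISABLE_DONTAUDIT` is added after `SEMANAGE_STORE_NUM_PATHS`, so it falls outside the count that the sentinel exists to provide; any table sized by SEMANAGE_STORE_NUM_PATHS and indexed by this value (presumably the path table semanage_fname reads, given how handle.c uses it) would be read past its end. Move the new value before the sentinel, `SEMANAGE_FC_HOMEDIRS,` / `SEMANAGE_DISABLE_DONTAUDIT,` / `SEMANAGE_STORE_NUM_PATHS`, and add the matching path-name entry wherever the other sandbox file names are defined, which this patch does not show. The same hunk appears in the duplicated copy of the patch further down the page.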
/* FIXME: this needs to be made a module store specific init and the
diff -urpN selinux.orig2/libsemanage/include/semanage/handle.h selinux/libsemanage/include/semanage/handle.h
--- selinux.orig2/libsemanage/include/semanage/handle.h 2009-07-01 21:15:17.224235939 -0400
+++ selinux/libsemanage/include/semanage/handle.h 2009-07-02 11:09:06.982262194 -0400
@@ -69,6 +69,9 @@ void semanage_set_rebuild(semanage_handl
* 1 for yes, 0 for no (default) */
void semanage_set_create_store(semanage_handle_t * handle, int create_store);
+/*Get whether or not to dontaudits will be disabled upon commit */
+int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+
/* Set whether or not to disable dontaudits upon commit */
void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
--- selinux.orig2/libsemanage/src/handle.c 2009-07-01 21:15:17.288238017 -0400
+++ selinux/libsemanage/src/handle.c 2009-07-02 11:29:20.740267205 -0400
@@ -29,6 +29,7 @@
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
+#include <limits.h>
#include "direct_api.h"
#include "handle.h"
@@ -75,7 +76,12 @@ semanage_handle_t *semanage_handle_creat
/* Set callback */
sh->msg_callback = semanage_msg_default_handler;
sh->msg_callback_arg = NULL;
-
+
+ /*set the flag to be deleted*/
+ char path[PATH_MAX];
+ path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT)
+ remove(path);
+
return sh;
err:
@@ -110,11 +116,27 @@ void semanage_set_create_store(semanage_
return;
}
+int semanage_get_disable_dontaudit(semanage_handle_t * sh)
+{
+ assert(sh != NULL);
+
+ return sepol_get_disable_dontaudit(sh->sepolh);
+}
+
void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
{
assert(sh != NULL);
-
+
sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+
+ char path[PATH_MAX];
+ path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT)
+ if(disable_dontaudit(sh) == 1){
+ FILE *touch;
+ touch = fopen(path,"w");
+ fclose(touch);
+ }else
+ remove(path);
return;
}
@@ -264,7 +286,7 @@ int semanage_commit(semanage_handle_t *
assert(sh != NULL && sh->funcs != NULL && sh->funcs->commit != NULL);
if (!sh->is_in_transaction) {
ERR(sh,
- "Will not commit because caller does not have a tranaction lock yet.");
+ "Will not commit because caller does not have a transaction lock yet.");
return -1;
}
retval = sh->funcs->commit(sh);
diff -urpN selinux.orig2/libsemanage/src/libsemanage.map selinux/libsemanage/src/libsemanage.map
--- selinux.orig2/libsemanage/src/libsemanage.map 2009-07-01 21:15:17.290237650 -0400
+++ selinux/libsemanage/src/libsemanage.map 2009-07-02 11:12:49.864242881 -0400
@@ -15,7 +15,7 @@ LIBSEMANAGE_1.0 {
semanage_iface_*; semanage_port_*; semanage_context_*;
semanage_node_*;
semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
- semanage_is_connected; semanage_set_disable_dontaudit;
+ semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
semanage_mls_enabled;
local: *;
};
diff -urpN selinux.orig2/libsemanage/src/semanage_store.h selinux/libsemanage/src/semanage_store.h
--- selinux.orig2/libsemanage/src/semanage_store.h 2009-07-01 21:15:17.262235597 -0400
+++ selinux/libsemanage/src/semanage_store.h 2009-07-02 10:35:04.362488949 -0400
@@ -58,7 +58,8 @@ enum semanage_sandbox_defs {
SEMANAGE_USERS_EXTRA,
SEMANAGE_NC,
SEMANAGE_FC_HOMEDIRS,
- SEMANAGE_STORE_NUM_PATHS
+ SEMANAGE_STORE_NUM_PATHS,
+ SEMANAGE_DISABLE_DONTAUDIT
};
/* FIXME: this needs to be made a module store specific init and the