-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch separates out the distro subs after the admin subs. Basically apply the distro subs second. Fixes problems where users specify a label that a distro sub would have covered. Distro sub has /usr/local -> /usr And user adds a sub from in /usr/local. This patch looks good to me. acked. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlJpJmEACgkQrlYvE4MpobNahgCfQS9r55tw0Dsh/a30GVBXkUpm siUAoJUqjKfekwvQXDjIpsKEgX0+TP4/ =MgUC -----END PGP SIGNATURE-----
>From 603e0a63e2b9a34b580464c6af0564dcd2908016 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@xxxxxxxxxx>
Date: Wed, 9 Oct 2013 15:22:54 -0400
Subject: [PATCH 12/74] Separate out the calling of local subs and dist subs in selabel_sub

We want to allow users to setup their substitions to run fist and then run the distro subs second. This fixes the problem where a user defines a sub like /usr/local/foobar and we ignore it. We need this for software collections which is setting up local subs of /opt/src/foobar/root /
---
 libselinux/src/label.c | 17 +++++++++++++++--
 libselinux/src/label_file.c | 4 ++--
 libselinux/src/label_internal.h | 1 +
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/libselinux/src/label.c b/libselinux/src/label.c
index 11f6e96..e629082 100644
--- a/libselinux/src/label.c
+++ b/libselinux/src/label.c
@@ -58,7 +58,7 @@ static char *selabel_sub(struct selabel_sub *ptr, const char *src)
 	return NULL;
 }
 
-struct selabel_sub *selabel_subs_init(const char *path,struct selabel_sub *list)
+struct selabel_sub *selabel_subs_init(const char *path, struct selabel_sub *list)
 {
 	char buf[1024];
 	FILE *cfg = fopen(path, "r");
@@ -171,6 +171,7 @@ struct selabel_handle *selabel_open(unsigned int backend,
 	rec->validating = selabel_is_validate_set(opts, nopts);
 
 	rec->subs = NULL;
+	rec->dist_subs = NULL;
 
 	if ((*initfuncs[backend])(rec, opts, nopts)) {
 		free(rec);
@@ -186,13 +187,24 @@ selabel_lookup_common(struct selabel_handle *rec, int translating,
 			    const char *key, int type)
 {
 	struct selabel_lookup_rec *lr;
+	char *ptr = NULL;
+	char *dptr = NULL;
 
 	if (key == NULL) {
 		errno = EINVAL;
 		return NULL;
 	}
 
-	char *ptr = selabel_sub(rec->subs, key);
+	ptr = selabel_sub(rec->subs, key);
+	if (ptr) {
+		dptr = selabel_sub(rec->dist_subs, ptr);
+		if (dptr) {
+			free(ptr);
+			ptr = dptr;
+		}
+	} else {
+		ptr = selabel_sub(rec->dist_subs, key);
+	}
 	if (ptr) {
 		lr = rec->func_lookup(rec, ptr, type);
 		free(ptr);
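Review bot: The failure path right after the new `rec->dist_subs = NULL;` still does only `free(rec);`, so if the backend init has already filled `rec->subs` or the new `rec->dist_subs` before it fails, both substitution lists leak — the label_file.c hunk in this patch builds both lists inside init, presumably ahead of the steps that can fail later. The leak existed for `subs` already; this patch adds a second list that leaks the same way. Since `selabel_close` calls `selabel_subs_fini` on both lists unconditionally (including when they are still the NULL set here), the cleanup can simply be `selabel_subs_fini(rec->subs); selabel_subs_fini(rec->dist_subs); free(rec);`, assuming the backend does not release them itself on failure. selabel_open's body continues outside the hunk.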
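Review bot: The two-stage rewrite in selabel_lookup_common changes semantics in a way nothing in the hunk documents: a key can now be substituted twice, because a local rule's output is fed back through the distribution rules, whereas the old single merged list rewrote a key at most once — a local rule that maps into a subtree a dist rule covers (say, onto /usr/local) will be rewritten again. A comment above `ptr = selabel_sub(rec->subs, key);` should state that, e.g. `/* Local subs run first, then dist subs on the result, so a local rule can carve a subtree out of a dist rule (/usr/local/foobar vs /usr/local -> /usr); a key may be rewritten twice. */`. The two branches also duplicate the dist_subs call and can be collapsed, since `free(NULL)` is a no-op: `dptr = selabel_sub(rec->dist_subs, ptr ? ptr : key); if (dptr) { free(ptr); ptr = dptr; }`. Note that selabel_sub's NULL return (its trailing `return NULL;` is visible in the first hunk) appears to mean both "no match" and allocation failure, so an ENOMEM on either call silently degrades to the unsubstituted path — pre-existing, but now two allocations deep. The function continues outside the hunk.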
@@ -241,6 +253,7 @@ int selabel_lookup_raw(struct selabel_handle *rec, security_context_t *con,
 void selabel_close(struct selabel_handle *rec)
 {
 	selabel_subs_fini(rec->subs);
+	selabel_subs_fini(rec->dist_subs);
 	rec->func_close(rec);
 	free(rec->spec_file);
 	free(rec);
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 5f697f3..e1c09ba 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -496,12 +496,12 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
 
 	/* Process local and distribution substitution files */
 	if (!path) {
-		rec->subs = selabel_subs_init(selinux_file_context_subs_dist_path(), rec->subs);
+		rec->dist_subs = selabel_subs_init(selinux_file_context_subs_dist_path(), rec->dist_subs);
 		rec->subs = selabel_subs_init(selinux_file_context_subs_path(), rec->subs);
 		path = selinux_file_context_path();
 	} else {
 		snprintf(subs_file, sizeof(subs_file), "%s.subs_dist", path);
-		rec->subs = selabel_subs_init(subs_file, rec->subs);
+		rec->dist_subs = selabel_subs_init(subs_file, rec->dist_subs);
 		snprintf(subs_file, sizeof(subs_file), "%s.subs", path);
 		rec->subs = selabel_subs_init(subs_file, rec->subs);
 	}
diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
index 435ecf2..b6ae140 100644
--- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h
@@ -68,6 +68,7 @@ struct selabel_handle {
 	char *spec_file;
 
 	/* substitution support */
+	struct selabel_sub *dist_subs;
 	struct selabel_sub *subs;
 };
 
-- 
1.8.3.1
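Review bot: The comment `/* Process local and distribution substitution files */` above the changed lines in init no longer describes what the code does: the two files are now loaded into separate lists (`rec->dist_subs` and `rec->subs`) and the order in which they are applied is decided in selabel_lookup_common, not here, so a reader of this block cannot tell that local rules win. I would reword it to `/* Load the distribution and local substitution lists separately; selabel_lookup_common applies the local list first, then the distribution list to its result */`. The `subs_file` snprintf results remain unchecked for truncation, which is pre-existing but now silently empties either list when `path` is long. init's body starts and continues outside the hunk.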
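Review bot: The new `dist_subs` member is added under the shared `/* substitution support */` banner with nothing saying how it relates to `subs`, so the ordering that this patch exists to establish is invisible at the definition. Suggest per-field comments, `struct selabel_sub *dist_subs; /* distribution substitutions, applied after subs */` and `struct selabel_sub *subs; /* local substitutions, applied first */`, so readers of the handle do not have to find the ordering in selabel_lookup_common. Both lists are set to NULL in selabel_open and released by selabel_subs_fini in selabel_close in the label.c hunks of this patch.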