From 66d07600075d53735197520e4a5bbe6796a89d25 Mon Sep 17 00:00:00 2001 
From: Daniel J Walsh Date: Wed, 16 Sep 2009 16:58:12 -0400 Subject: [PATCH] This patch fixes the exception handling in libselinux-python bindings On 09/16/2009 03:35 PM, Joshua Brindle wrote: > > > Joshua Brindle wrote: >> >> >> Daniel J Walsh wrote: >>> What do you think of this one. Removed excess swig cruft, >>> >>> You need to run >>> >>> make swigify to generate those changes. >>> >> >> Ok, looking at this now. I don't completely get how it works. I'm trying >> to reproduce what you are doing by hand but nothing comes out of gcc: >> >> [root@localhost src]# echo '#include "../include/selinux/selinux.h"' > >> temp.c >> [root@localhost src]# gcc -c temp.c -aux-info temp.aux >> [root@localhost src]# ls temp.* >> temp.c temp.o >> >> >> What is the purpose of the aux-info thing, and why doesn't it work on my >> F11 machine? >> >> also, I'm not sure if the best place for selinuxswig_exception.i is >> swigify or pywrap. In the swigify case it shouldn't be in the clean >> target because if you check out the repo and do make clean; make pywrap >> you'll get an error. (I can make these fixes, I'm just trying to figure >> out how it all works first). >> > > Oh, one more thing, should this be python specific? (E.g, should it be > named selinuxswig_python_exception.i ?) Changed name to selinux_python_exception.i WOrks for me on F11 and F12 dwalsh@localhost$ echo '#include "../include/selinux/selinux.h"' > temp.c dwalsh@localhost$ gcc -c temp.c -aux-info temp.aux dwalsh@localhost$ ls temp.* temp.aux temp.c temp.o cat temp.aux /* compiled from: . 
*/ /* /usr/include/sys/select.h:109:NC */ extern int select (int, fd_set *, fd_set *, fd_set *, struct timeval *); /* /usr/include/sys/select.h:121:NC */ extern int pselect (int, fd_set *, fd_set *, fd_set *, const struct timespec *, const __sigset_t *); /* /usr/include/sys/sysmacros.h:31:NC */ extern unsigned int gnu_dev_major (long long unsigned int); /* /usr/include/sys/sysmacros.h:34:NC */ extern unsigned int gnu_dev_minor (long long unsigned int); /* /usr/include/sys/sysmacros.h:37:NC */ extern long long unsigned int gnu_dev_makedev (unsigned int, unsigned int); /* ../include/selinux/selinux.h:12:NC */ extern int is_selinux_enabled (void); /* ../include/selinux/selinux.h:14:NC */ extern int is_selinux_mls_enabled (void); /* ../include/selinux/selinux.h:19:NC */ extern void freecon (security_context_t); /* ../include/selinux/selinux.h:22:NC */ extern void freeconary (security_context_t *); ... commit 38d98bd958f42ea18c9376e624d733795665ee22 Author: Dan Walsh Date: Wed Sep 16 16:51:14 2009 -0400 Add exception code --- libselinux/include/selinux/selinux.h | 8 ++++---- libselinux/src/Makefile | 9 ++++++--- libselinux/src/exception.sh | 21 +++++++++++++++++++++ libselinux/src/selinuxswig.i | 18 ++++++++++++------ libselinux/src/selinuxswig_python.i | 10 ++++++++++ 5 files changed, 53 insertions(+), 13 deletions(-) create mode 100644 libselinux/src/exception.sh diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h index 16cb7e28..56f79005 100644 --- a/libselinux/include/selinux/selinux.h +++ b/libselinux/include/selinux/selinux.h @@ -346,7 +346,7 @@ struct security_class_mapping { const char *perms[sizeof(access_vector_t) * 8 + 1]; }; -int selinux_set_mapping(struct security_class_mapping *map); +extern int selinux_set_mapping(struct security_class_mapping *map); /* Common helpers */ 
@@ -556,17 +556,17 @@ extern int getseuser(const char *username, const char *service, char **r_seuser, char **r_level); /* Compare two file contexts, return 0 if equivalent. */ -int selinux_file_context_cmp(const security_context_t a, +extern int selinux_file_context_cmp(const security_context_t a, const security_context_t b); /* * Verify the context of the file 'path' against policy. * Return 0 if correct. */ -int selinux_file_context_verify(const char *path, mode_t mode); +extern int selinux_file_context_verify(const char *path, mode_t mode); /* This function sets the file context on to the system defaults returns 0 on success */ -int selinux_lsetfilecon_default(const char *path); +extern int selinux_lsetfilecon_default(const char *path); #ifdef __cplusplus } diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index f5fd6307..928a1dff 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -82,6 +82,9 @@ $(LIBSO): $(LOBJS) $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -ldl -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro ln -sf $@ $(TARGET) +selinuxswig_python_exception.i: ../include/selinux/selinux.h + sh exception.sh > $@ + audit2why.lo: audit2why.c $(CC) $(CFLAGS) -I$(PYINC) -fPIC -DSHARED -c -o $@ $< @@ -100,8 +103,8 @@ $(SWIGCOUT): $(SWIGIF) $(SWIGRUBYCOUT): $(SWIGRUBYIF) $(SWIGRUBY) $^ -swigify: $(SWIGIF) - $(SWIG) $^ +swigify: $(SWIGIF) selinuxswig_python_exception.i + $(SWIG) $< install: all test -d $(LIBDIR) || install -m 755 -d $(LIBDIR) @@ -124,7 +127,7 @@ relabel: /sbin/restorecon $(SHLIBDIR)/$(LIBSO) clean: - -rm -f $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGSO) $(TARGET) $(AUDIT2WHYSO) *.o *.lo *~ + -rm -f $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGSO) $(TARGET) $(AUDIT2WHYSO) *.o *.lo *~ selinuxswig_python_exception.i distclean: clean rm -f $(GENERATED) $(SWIGFILES) diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh new file mode 100644 index 00000000..b2a37994 --- /dev/null 
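Review bot: The new `selinuxswig_python_exception.i` rule lists only `../include/selinux/selinux.h` as a prerequisite, so a change to exception.sh itself (for example a new entry in its ignore list) will not regenerate the file. The recipe also redirects straight into `$@`, so a script that fails partway leaves a truncated target that make treats as up to date on the next run; no `.DELETE_ON_ERROR:` is visible in this hunk. I would write the header as `selinuxswig_python_exception.i: exception.sh ../include/selinux/selinux.h` and the recipe as `sh exception.sh > $@.tmp && mv -f $@.tmp $@`.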
+++ b/libselinux/src/exception.sh @@ -0,0 +1,21 @@ +function except() { +case $1 in + selinux_file_context_cmp) # ignore + ;; + *) +echo " +%exception $1 { + \$action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + return NULL; + } +} +" +;; +esac +} +echo '#include "../include/selinux/selinux.h"' > temp.c +gcc -c temp.c -aux-info temp.aux +for i in `awk '/..\/include\/selinux\/selinux.h.*extern int/ { print $6 }' temp.aux`; do except $i ; done +rm -f temp.c temp.aux temp.o diff --git a/libselinux/src/selinuxswig.i b/libselinux/src/selinuxswig.i index 56b10a47..74b10322 100644 --- a/libselinux/src/selinuxswig.i +++ b/libselinux/src/selinuxswig.i @@ -4,11 +4,14 @@ %module selinux %{ - #include "selinux/selinux.h" #include "../include/selinux/avc.h" - #include "../include/selinux/selinux.h" - #include "../include/selinux/get_default_type.h" + #include "../include/selinux/av_permissions.h" + #include "../include/selinux/context.h" + #include "../include/selinux/flask.h" #include "../include/selinux/get_context_list.h" + #include "../include/selinux/get_default_type.h" + #include "../include/selinux/label.h" + #include "../include/selinux/selinux.h" %} %apply int *OUTPUT { int *enforce }; %apply int *OUTPUT { size_t * }; @@ -55,8 +58,11 @@ %ignore avc_netlink_release_fd; %ignore avc_netlink_check_nb; -%include "../include/selinux/selinux.h" %include "../include/selinux/avc.h" -%include "../include/selinux/get_default_type.h" +%include "../include/selinux/av_permissions.h" +%include "../include/selinux/context.h" +%include "../include/selinux/flask.h" %include "../include/selinux/get_context_list.h" - +%include "../include/selinux/get_default_type.h" +%include "../include/selinux/label.h" +%include "../include/selinux/selinux.h" diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i index c42b4dd6..8b34c995 100644 --- a/libselinux/src/selinuxswig_python.i +++ b/libselinux/src/selinuxswig_python.i 
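Review bot: Nothing in the tail of exception.sh checks that `gcc` succeeded, and the script's exit status is that of the final `rm -f`, so a failed compile yields an empty selinuxswig_python_exception.i and a zero exit. The bindings would then presumably build without any `%exception` wrappers, and Python callers that rely on OSError would stop noticing failed libselinux calls, which is a silent fail-open. The Makefile runs the script with `sh`, but it declares `function except() {`, which is not POSIX; `except() {` works in both shells. The fence below adds the checks, honours `$CC` instead of the hard-coded `gcc`, and cleans up the scratch files on every exit path.

```shell
# … unchanged: except() definition, declared as `except() {` …
set -e
trap 'rm -f temp.c temp.aux temp.o' EXIT
echo '#include "../include/selinux/selinux.h"' > temp.c
${CC:-gcc} -c temp.c -aux-info temp.aux
funcs=`awk '/..\/include\/selinux\/selinux.h.*extern int/ { print $6 }' temp.aux`
if [ -z "$funcs" ]; then
	echo "exception.sh: no int-returning functions found in selinux.h" >&2
	exit 1
fi
for i in $funcs; do except "$i"; done
```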
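Review bot: The `%include` lines added for context.h and label.h bring in headers that, as far as I know, declare further int-returning functions, but the generated exception file only covers declarations that `-aux-info` attributes to `../include/selinux/selinux.h` (see the awk pattern in exception.sh). Python callers would then get OSError from a failed selinux.h call but a bare negative return from the context or label functions, which is easy to miss when the return value is not checked. Either extend the generator to the other headers or document the difference next to these includes, e.g. `/* only selinux.h functions raise OSError on failure; see exception.sh */`.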
@@ -21,6 +21,15 @@ def restorecon(path, recursive=False): map(restorecon, [os.path.join(dirname, fname) for fname in fnames]), None) +def copytree(src, dest): + """ An SELinux-friendly shutil.copytree method """ + shutil.copytree(src, dest) + restorecon(dest, recursive=True) + +def install(src, dest): + """ An SELinux-friendly shutil.move method """ + shutil.move(src, dest) + restorecon(dest, recursive=True) %} /* security_get_boolean_names() typemap */ @@ -150,4 +159,5 @@ def restorecon(path, recursive=False): free($1); } +%include "selinuxswig_python_exception.i" %include "selinuxswig.i"
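Review bot: `install()` relabels `dest` recursively after `shutil.move(src, dest)`, but when `dest` is an existing directory the move may place `src` inside it, so the relabel would walk the whole existing directory rather than only what was moved. Between the move and the `restorecon` call the files also carry whatever label they arrived with, and if `restorecon` raises they stay that way. The docstring should say so, e.g. `"""Move src to dest, then reset SELinux labels under dest; labels are not updated atomically with the move."""`, and the same applies to `copytree()`. No `import shutil` is visible in this hunk, so confirm it is imported in the part of the Python block that lies outside it.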