Some non-Debian packages (like qmail, shudder) create
users not below MIN_UID, but above MAX_UID, in /etc/login.defs
(non-system users are supposed to have uids between MIN_UID and
MAX_UID).
genhomedircon.c:gethomedirs() checks pwent.pw_uid against MIN_UID in
/etc/login.defs to exclude system users from generating homedir
contexts. But unfortunately it does not check it against MAX_UID
setting from the same file. This gets us lines like the following in
the contexts/files/file_contexts.homedirs file:
,----
| #
| # Home Context for user user_u
| #
| /var/qmail/[^/]*/.+ user_u:object_r:user_home_t:s0
| /var/qmail/[^/]*/\.ssh(/.*)? user_u:object_r:user_home_ssh_t:s0
| /var/qmail/[^/]*/\.gnupg(/.+)? user_u:object_r:user_gpg_secret_t:s0
| /var/qmail/[^/]* -d user_u:object_r:user_home_dir_t:s0
| /var/qmail/lost\+found/.* <<none>>
| /var/qmail -d system_u:object_r:home_root_t:s0
| /var/qmail/\.journal <<none>>
| /var/qmail/lost\+found -d system_u:object_r:lost_found_t:s0
| /tmp/gconfd-.* -d user_u:object_r:user_tmp_t:s0
`----
This commit adds checking uid value against MAX_UID too.
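The bounds check this commit describes, as an added C illustration rather than the genhomedircon.c change itself. It reads the bounds under the login.defs key names UID_MIN and UID_MAX (the message writes MIN_UID and MAX_UID); the login.defs fragment, the passwd lines, the fallback values and the helper names are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input: a login.defs fragment and three passwd lines. */
static const char *LOGIN_DEFS = "# constructed\nUID_MIN\t\t 1000\nUID_MAX\t\t60000\n";
static const char *PASSWD[] = {
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    "alias:x:64010:65534::/var/qmail/alias:/bin/sh",
};

/* Numeric value of key in login.defs-style text, or fallback if the key is not set. */
static long defs_get(const char *defs, const char *key, long fallback)
{
    size_t klen = strlen(key);
    for (const char *p = defs; p && *p; p = strchr(p, '\n'), p = p ? p + 1 : NULL)
        if (!strncmp(p, key, klen) && (p[klen] == ' ' || p[klen] == '\t'))
            return strtol(p + klen, NULL, 10);
    return fallback;
}

/* uid field (third colon-separated field) of a passwd line, or -1 if malformed. */
static long pw_uid(const char *line)
{
    for (int i = 0; i < 2 && line; i++) {
        line = strchr(line, ':');
        if (line)
            line++;
    }
    return line ? strtol(line, NULL, 10) : -1;
}

/* Would this account get per-user home directory contexts?
 * check_max == 0 reproduces the lower-bound-only test described above. */
static int is_login_user(const char *pwline, int check_max)
{
    long min = defs_get(LOGIN_DEFS, "UID_MIN", 1000);   /* fallbacks are assumed */
    long max = defs_get(LOGIN_DEFS, "UID_MAX", 60000);
    long uid = pw_uid(pwline);
    return uid >= min && !(check_max && uid > max);
}

int main(void)
{
    for (size_t i = 0; i < sizeof(PASSWD) / sizeof(PASSWD[0]); i++)
        printf("%d %d %s\n", is_login_user(PASSWD[i], 0), is_login_user(PASSWD[i], 1), PASSWD[i]);
    return 0;
}
```

With only the lower bound checked, the constructed account under /var/qmail is treated like a login user, which is how its home directory picks up user_home_t style entries.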
If the RANLIB variable is defined by the user, use that value instead of
the /usr/bin/ranlib binary.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
If /sys is not present, the attempt to mount selinuxfs will of course
fail. So we try to mount /sys first (and only if that fails fall back to
the /selinux mount point) and then try to mount selinuxfs.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
In the patch to fix a minor memory leak, I introduced a guaranteed
segfault. The pointer to the stack variable will never be NULL, whereas
the value on the stack will be.
Signed-off-by: Eric Paris <eparis@redhat.com>
We open the file which is to be used to write the binary format of file
contexts. If we hit an error actually writing things out, we return,
but never close the fd. Do not leak.
Signed-off-by: Eric Paris <eparis@redhat.com>
Every time matchmediacon is called we open the
selinux_media_context_path(). But we never close the file. Close the
file when we are finished with it.
Signed-off-by: Eric Paris <eparis@redhat.com>
We were opening the path, but if the fstat failed or it was not a
regular file we would return without closing the fd. Fix by using the
common error exit path rather than just returning.
Signed-off-by: Eric Paris <eparis@redhat.com>
The code did:
    len = strlen(string);
    new_string = malloc(len);
    strncpy(new_string, string, len - 1);
Which is perfectly legal, but it pissed off coverity because 99/100
times if you do new_string = malloc(strlen(string)) you are doing it
wrong (you didn't leave room for the nul). I rewrote that area to just
use strdup and then to blank out the last character with a nul. It's
clear what's going on and nothing looks 'tricky'. It does cost us 1
byte of heap allocation. I think we can live with that to have safer
looking string handling code.
Signed-off-by: Eric Paris <eparis@redhat.com>
If vork() failed we would leak the arguments created in split_args().
Reorder the function so it will hopefully be easy to read and will not
leak memory.
Signed-off-by: Eric Paris <eparis@redhat.com>
We have minuid_set = 0 at the top of the function and then do a test
like:
    if (!minuid_set || something)
But since minuid_set is always 0, we always call this code. Get rid of
the pointless conditional.
Signed-off-by: Eric Paris <eparis@redhat.com>
Right before the call to semanage_list_sort() we do some cleanup.
Including endpwent(); free(rbuf); semanage_list_destroy(&shells); If
the call to the list sort fails we will go to fail: and will do those
cleanups a second time. Whoops. Do the list sort before the generic
cleanups so the failure code isn't run after the default cleanup.
Signed-off-by: Eric Paris <eparis@redhat.com>
If the strdup failed, we would return without freeing tmp_key. This is
obviously a memory leak. So free that if we are finished with it.
Signed-off-by: Eric Paris <eparis@redhat.com>
We generate a list of users, but we do not free that list on error.
Just keep popping and freeing them on error.
Signed-off-by: Eric Paris <eparis@redhat.com>
We use creat to create the lock file needed later. But we never close
that fd, so it just sits around until the program exits. After we
create the file we don't need to hold onto the fd. close it.
Signed-off-by: Eric Paris <eparis@redhat.com>
If get_home_dirs() was called without usepasswd we would generate the
entire shell list, but would never use that list. We would then not
free that list when we returned the homedir_list. Instead, do not
create the list of shells until after we know it will be used.
Signed-off-by: Eric Paris <eparis@redhat.com>
Inside split_args we do a = realloc(b) and strdup. If the realloc
succeeds and then the strdup fails, we return NULL to the caller. The
caller will then jump to an error code which will do a free(b). This is
fine if the realloc failed, but is a big problem if realloc worked. If
it worked b is now meaningless and a needs to be freed.
I change the function interface to return an error and to update "b"
from the caller.
Signed-off-by: Eric Paris <eparis@redhat.com>
We did a bunch of:
    if ((blah = function(a0, a1, a2)) == NULL) {
        goto err;
    } else {
        something = blah;
    }
Which takes 5 lines and is a pain to read. Instead:
    blah = function(a0, a1, a2);
    if (blah == NULL)
        goto err;
    something = blah;
Which takes 4 lines and is easier to read!
Winning!
Signed-off-by: Eric Paris <eparis@redhat.com>
setfsuid return codes were not being checked. Add checks to make sure
we are switching from and to what we expect. Bail (most places) if we
didn't switch successfully.
Signed-off-by: Eric Paris <eparis@redhat.com>
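Why the setfsuid() return value needs this kind of check, as an added C illustration that is not the code from this commit: setfsuid() returns the previous fsuid whether or not the change took effect, so the "from" side is checked on the first call and the "to" side by a second call with -1. The names switch_fsuid(), as_user(), fake_setfsuid() and op() are made up for the example, and the stand-in kernel is constructed so the refusal path can be exercised without privileges.

```c
#include <stdio.h>
#include <sys/fsuid.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*setfsuid_fn)(uid_t);  /* injectable, so a stand-in kernel can be used */

/* setfsuid() returns the previous fsuid whether or not the change happened.
 * Check it against the identity we expect to leave, then call again with -1,
 * which changes nothing and reports the fsuid now in effect. */
static int switch_fsuid(setfsuid_fn set, uid_t from, uid_t to)
{
    if ((uid_t)set(to) != from)
        return -1;              /* we were not running as 'from' */
    if ((uid_t)set((uid_t)-1) != to)
        return -2;              /* the change was refused */
    return 0;
}

/* Run op() with fsuid == user, then switch back; bail if either switch fails. */
static int as_user(setfsuid_fn set, uid_t self, uid_t user, int (*op)(void))
{
    int rc;
    if (switch_fsuid(set, self, user) < 0)
        return -1;              /* op() must not run under the wrong identity */
    rc = op();
    return switch_fsuid(set, user, self) < 0 ? -1 : rc;
}

/* Constructed stand-in for the kernel: holds an fsuid and can refuse changes. */
static uid_t fake_fsuid;
static int fake_permit = 1, op_runs;
static int fake_setfsuid(uid_t uid)
{
    uid_t old = fake_fsuid;
    if (fake_permit && uid != (uid_t)-1)
        fake_fsuid = uid;
    return (int)old;
}
static int op(void) { op_runs++; return 0; }

int main(void)
{
    uid_t me = geteuid();       /* fsuid follows euid until changed explicitly */
    int rc = as_user(setfsuid, me, me, op);
    printf("setfsuid round trip as uid %u: %d\n", (unsigned)me, rc);
    return rc ? 1 : 0;
}
```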
We were doing x = realloc(x, ) which is a big no no, since it leaks X
on allocation failure. Found with static analysis tool from David
Malcolm.
Signed-off-by: Eric Paris <eparis@redhat.com>
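The split_args() fix described further up (realloc succeeds, strdup then fails) and the realloc fix in the commit just above both come down to which pointer is still valid after a failed step. The C below is an added illustration, not the project's code: append_arg(), free_args(), this simplified split_args() and the fail_at fault-injection hook are written for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

static int fail_at = -1;    /* fault injection for the example: fail the Nth allocation */
static int inject(void) { return fail_at >= 0 && fail_at-- == 0; }

/* Append a copy of arg; returns 0 or -1. Either way *argv is what the caller frees. */
static int append_arg(char ***argv, size_t *argc, const char *arg)
{
    char **grown = inject() ? NULL : realloc(*argv, (*argc + 2) * sizeof(*grown));
    if (grown == NULL)
        return -1;          /* old block intact and still referenced by *argv */
    *argv = grown;          /* publish now: the old address may be dead */
    grown[*argc] = inject() ? NULL : strdup(arg);
    if (grown[*argc] == NULL)
        return -1;          /* vector stays NULL-terminated at argc */
    grown[++*argc] = NULL;
    return 0;
}

static void free_args(char **argv)
{
    for (char **p = argv; p && *p; p++)
        free(*p);
    free(argv);
}

/* Split s on spaces. Returns the argument count, or -1 with *out == NULL. */
static int split_args(const char *s, char ***out)
{
    char **argv = NULL, *save = NULL, *copy = strdup(s);
    size_t argc = 0;
    int rc = copy ? 0 : -1;
    for (char *t = copy ? strtok_r(copy, " ", &save) : NULL; t && rc == 0;
         t = strtok_r(NULL, " ", &save))
        rc = append_arg(&argv, &argc, t);
    free(copy);
    if (rc < 0)
        free_args(argv);    /* single cleanup path, run exactly once */
    *out = rc < 0 ? NULL : argv;
    return rc < 0 ? -1 : (int)argc;
}

int main(void)
{
    char **v;
    fail_at = 3;            /* second word: realloc succeeds, strdup fails */
    return split_args("a b c", &v) == -1 && v == NULL ? 0 : 1;
}
```

Building with -fsanitize=address and stepping fail_at through each allocation index checks that no path leaks or frees a block twice.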
Turn verbose on for full relabel
Add check to see if / has a label, if not then force a full relabel.
Add ability to record OPTIONS into the /.autorelabel file.
    fixfiles -F onboot
writes out /.autorelabel with -F
    fixfiles -B onboot
writes out /.autorelabel with -N BOOTDATE recorded.
The goal is to allow a boot up sequence that sees /.autorelabel to hand any
options stored in it to fixfiles restore:
    OPTIONS=`cat /.autorelabel`
    fixfiles $OPTIONS restore
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The semodule_path file, inside scripts, which is used to tell the
Makefile where genhomedircon should point to find semodule, was not
being updated. This patch makes sure we update this file every time
something builds, thus genhomedircon doesn't point to some wild out of
date file location.
Signed-off-by: Eric Paris <eparis@redhat.com>
We use strdup to store the intended context when we have an mmap'd
file backend. We, however, skipped freeing those contexts.
Signed-off-by: Eric Paris <eparis@redhat.com>