diff -Nru libselinux-2.2.2/ChangeLog libselinux-2.3/ChangeLog --- libselinux-2.2.2/ChangeLog 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/ChangeLog 2014-05-06 17:30:27.000000000 +0000 @@ -1,3 +1,7 @@ +2.3 2014-05-06 + * Get rid of security_context_t and fix const declarations. + * Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover. + 2.2.2 2013-12-30 * Fix userspace AVC handling of per-domain permissive mode. diff -Nru libselinux-2.2.2/debian/changelog libselinux-2.3/debian/changelog --- libselinux-2.2.2/debian/changelog 2014-04-28 13:56:24.000000000 +0000 +++ libselinux-2.3/debian/changelog 2014-05-14 18:14:11.000000000 +0000 
@@ -1,9 +1,28 @@ -libselinux (2.2.2-1ubuntu1) utopic; urgency=high +libselinux (2.3-1) unstable; urgency=medium - * Correct libselinu1 postinst for re-executing upstart. (LP: #1313712) - * Fix FTBFS against ruby2.1. + * Team upload. + * New upstream release + - debian/control: Bump {build-}dependencies to match new release + - debian/libselinux1.symbols: Add new setexecfilecon() function + * debian/ruby.mk: Rework the makefile, it should handle changes in the + supported ruby versions by binNMU now (Closes: #747683) + * Add Built-Using field for python-selinux as audit2why.so is statically + linking against libsepol - -- Dimitri John Ledkov Mon, 28 Apr 2014 14:51:48 +0100 + -- Laurent Bigonville Wed, 14 May 2014 20:13:57 +0200 + +libselinux (2.2.2-2) unstable; urgency=medium + + * Team upload. + [ Laurent Bigonville ] + * debian/rules: Do not require ruby or python dh helpers when bootstrapping + thanks to Daniel Schepler (Closes: #738148) + + [ Hideki Yamane ] + * debian/{ruby.mk,ruby-selinux.install} + - drop related to ruby1.9.1 and add ruby2.1.0 instead (Closes: #746024) + + -- Laurent Bigonville Fri, 02 May 2014 01:47:58 +0200 libselinux (2.2.2-1) unstable; urgency=medium diff -Nru libselinux-2.2.2/debian/control libselinux-2.3/debian/control --- libselinux-2.2.2/debian/control 2014-04-28 13:51:55.000000000 +0000 +++ libselinux-2.3/debian/control 2014-05-14 18:14:11.000000000 +0000 @@ -3,15 +3,14 @@ VCS-Browser: http://anonscm.debian.org/gitweb/?p=selinux/libselinux.git;a=summary Priority: optional Section: libs -Maintainer: Ubuntu Developers -XSBC-Original-Maintainer: Debian SELinux maintainers +Maintainer: Debian SELinux maintainers Uploaders: Manoj Srivastava , Russell Coker Standards-Version: 3.9.5 Build-Depends: debhelper (>= 9), file, - gem2deb (>= 0.2.7~), - libsepol1-dev (>= 2.2), + gem2deb (>= 0.5.0~), + libsepol1-dev (>= 2.3), libpcre3-dev, pkg-config, python-all-dev (>= 2.6.6-3~), 
@@ -62,7 +61,7 @@
 Package: libselinux1-dev
 Architecture: linux-any
 Depends: libselinux1 (= ${binary:Version}),
- libsepol1-dev (>= 2.2),
+ libsepol1-dev (>= 2.3),
 libpcre3-dev,
 ${misc:Depends}
 Section: libdevel
@@ -100,6 +99,7 @@
 Package: python-selinux
 Architecture: linux-any
 Depends: ${misc:Depends}, ${python:Depends}, ${shlibs:Depends}
+Built-Using: ${Built-Using}
 Section: python
 Provides: ${python:Provides}
 Description: Python bindings to SELinux shared libraries
diff -Nru libselinux-2.2.2/debian/libselinux1.postinst libselinux-2.3/debian/libselinux1.postinst
--- libselinux-2.2.2/debian/libselinux1.postinst 2014-04-28 13:50:49.000000000 +0000
+++ libselinux-2.3/debian/libselinux1.postinst 2014-05-14 18:14:11.000000000 +0000
@@ -2,52 +2,10 @@
 set -e
-if [ "$1" = configure ]; then
- # A dependent library of Upstart has changed, so restart Upstart
- # such that it can safely unmount the root filesystem (LP: #740390)
-
- # Query running version of Upstart, but only when we know
- # that initctl will work.
- #
- # The calculated version string may be the null string if
- # Upstart is not running (where for example an alternative
- # init is running outside a chroot environment) or if the
- # query failed for some reason. However, the version check
- # below handles a null version string correctly.
- UPSTART_VERSION_RUNNING=$(initctl version 2>/dev/null |\
- awk '{print $3}'|tr -d ')' || :)
-
- if ischroot; then
- # Do not honour re-exec when requested from within a
- # chroot since:
- #
- # (a) The version of Upstart outside might not support it.
- # (b) An isolated environment such as a chroot should
- # not be able to modify its containing environment.
- #
- # A sufficiently new Upstart will actually handle a re-exec
- # request coming from telinit within a chroot correctly (by
- # doing nothing) but it's simple enough to perform the check
- # here and save Upstart the effort.
- :
- elif dpkg --compare-versions "$UPSTART_VERSION_RUNNING" ge 1.6.1; then
- # We are not running inside a chroot and the running version
- # of Upstart supports stateful re-exec, so we can
- # restart immediately.
- #
- # XXX: Note that the check on the running version must
- # remain *indefinitely* since it's the only safe way to
- # know if stateful re-exec is supported: simply checking
- # packaged version numbers is not sufficient since
- # the package could be upgraded multiple times without a
- # reboot.
- telinit u || :
- else
- # Before we shutdown or reboot, we need to re-exec so that we
- # can safely remount the root filesystem; we can't just do that
- # here because we lose state.
- touch /var/run/init.upgraded || :
- fi
+if [ "$1" = "configure" ]; then
+ # Restart init.
If it fails, there is nothing we can do, so
+ # just ignore the error (NOTE: Borrowed from libc6.postinst)
+ telinit u 2>/dev/null || true ; sleep 1
 fi
 #DEBHELPER#
diff -Nru libselinux-2.2.2/debian/libselinux1.symbols libselinux-2.3/debian/libselinux1.symbols
--- libselinux-2.2.2/debian/libselinux1.symbols 2014-01-11 17:45:02.000000000 +0000
+++ libselinux-2.3/debian/libselinux1.symbols 2014-05-14 18:14:11.000000000 +0000
@@ -209,6 +209,7 @@
 setcon_raw@Base 1.32
 setexeccon@Base 1.32
 setexeccon_raw@Base 1.32
+ setexecfilecon@Base 2.3
 setfilecon@Base 1.32
 setfilecon_raw@Base 1.32
 setfscreatecon@Base 1.32
diff -Nru libselinux-2.2.2/debian/ruby.mk libselinux-2.3/debian/ruby.mk
--- libselinux-2.2.2/debian/ruby.mk 2014-04-28 14:02:13.000000000 +0000
+++ libselinux-2.3/debian/ruby.mk 2014-05-14 18:14:11.000000000 +0000
@@ -1,10 +1,7 @@
 #! /usr/bin/make --no-print-directory -f
-RUBYINC ?= $(LIBDIR)/ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
-RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
-
 ## Default target
-RUBY_VERSIONS := ruby2.0 ruby2.1
+RUBY_VERSIONS := $(shell dh_ruby --print-supported)
 all: $(RUBY_VERSIONS)
 ## Targets share the same output files, so must be run serially
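Review bot: The rewritten configure branch calls `telinit u` with no `ischroot` guard, so configuring the package inside a chroot now signals the init process outside it, the exact case the removed block deliberately skipped ("An isolated environment such as a chroot should not be able to modify its containing environment"). The libc6 pattern the new comment cites does not remove that concern, and `2>/dev/null || true` only hides a failure rather than avoiding the call. Keeping the guard, which the removed code already relied on, is a one-line change: `if [ "$1" = "configure" ] && ! ischroot; then`.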
@@ -13,25 +10,17 @@ ## Helper variables RUBY_PLATFORM = $(shell $@ -e 'print RUBY_PLATFORM') -RUBY_ARCHLIB = /usr/lib/ruby/$*/$(RUBY_PLATFORM) -RUBY_VENDOR_ARCHLIB = /usr/lib/ruby/vendor_ruby/$*/$(RUBY_PLATFORM) +RUBY_HDRDIR = $(shell $@ -e 'print RbConfig::CONFIG["rubyhdrdir"]') +RUBY_ARCH_HDRDIR = $(shell $@ -e 'print RbConfig::CONFIG["rubyarchhdrdir"]') +RUBY_VENDOR_ARCHLIB = $(shell $@ -e 'print RbConfig::CONFIG["vendorarchdir"]') ## SELinux does not have a very nice build process extra_ruby_args = RUBYLIBVER=$* extra_ruby_args += RUBYPLATFORM=$(RUBY_PLATFORM) -extra_ruby_args += RUBYINC=-I$(RUBY_ARCHLIB) +extra_ruby_args += RUBYINC="-I$(RUBY_HDRDIR) -I$(RUBY_ARCH_HDRDIR)" extra_ruby_args += RUBYINSTALL=$(DESTDIR)$(RUBY_VENDOR_ARCHLIB) ## How to build and install each individually-versioned copy -#ruby1.9.1: ruby%: -# +$(MAKE) $(extra_ruby_args) clean-rubywrap -# +$(MAKE) $(extra_ruby_args) RUBYINC="-I/usr/include/ruby-1.9.1/ -I/usr/include/ruby-1.9.1/\$${RUBYPLATFORM}/" install-rubywrap - -ruby2.0: ruby%: - +$(MAKE) $(extra_ruby_args) clean-rubywrap - +$(MAKE) $(extra_ruby_args) RUBYINC="-I/usr/include/ruby-2.0.0/ -I/usr/include/\$${RUBYPLATFORM}/ruby-2.0.0/" \ - RUBYINSTALL="$(DESTDIR)/usr/lib/$(RUBY_PLATFORM)/ruby/vendor_ruby/2.0.0/" install-rubywrap -ruby2.1: ruby%: +$(RUBY_VERSIONS): ruby%: +$(MAKE) $(extra_ruby_args) clean-rubywrap - +$(MAKE) $(extra_ruby_args) RUBYINC="-I/usr/include/ruby-2.1.0/ -I/usr/include/\$${RUBYPLATFORM}/ruby-2.1.0/" \ - RUBYINSTALL="$(DESTDIR)/usr/lib/$(RUBY_PLATFORM)/ruby/vendor_ruby/2.1.0/" install-rubywrap + +$(MAKE) $(extra_ruby_args) install-rubywrap diff -Nru libselinux-2.2.2/debian/rules libselinux-2.3/debian/rules --- libselinux-2.2.2/debian/rules 2014-01-11 17:45:02.000000000 +0000 +++ libselinux-2.3/debian/rules 2014-05-14 18:14:11.000000000 +0000 @@ -12,6 +12,8 @@ PREFIX = /usr +BUILT_USING=$(shell dpkg-query -f '$${source:Package} (= $${source:Version}), ' -W "libsepol1-dev") + ## Default target binary: 
@@ -31,7 +33,11 @@
 ## By default, pass everything through debhelper automatically
 export DH_OPTIONS
 %: FORCE
+ifeq ($(DEB_STAGE),stage1)
+ @dh $@
+else
 @dh $@ --with=python2,ruby
+endif
 ## Don't try to rebuild the debian/rules file
 debian/rules:
@@ -72,3 +78,6 @@
 ## Generate a hard error for any upstream files we don't install
 override_dh_install: FORCE
 dh_install --fail-missing
+
+override_dh_gencontrol:
+ dh_gencontrol -- -VBuilt-Using="$(BUILT_USING)"
diff -Nru libselinux-2.2.2/include/selinux/avc.h libselinux-2.3/include/selinux/avc.h
--- libselinux-2.2.2/include/selinux/avc.h 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/include/selinux/avc.h 2014-05-06 17:30:27.000000000 +0000
@@ -19,7 +19,7 @@
 * SID format and operations
 */
 struct security_id {
- security_context_t ctx;
+ char * ctx;
 unsigned int refcnt;
 };
 typedef struct security_id *security_id_t;
@@ -37,8 +37,8 @@
 * failure, with @errno set to %ENOMEM if insufficient memory was
 * available to make the copy, or %EINVAL if the input SID is invalid.
 */
-int avc_sid_to_context(security_id_t sid, security_context_t * ctx);
-int avc_sid_to_context_raw(security_id_t sid, security_context_t * ctx);
+int avc_sid_to_context(security_id_t sid, char ** ctx);
+int avc_sid_to_context_raw(security_id_t sid, char ** ctx);
 /**
 * avc_context_to_sid - get SID for context.
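Review bot: The replacement `char * ctx` in `struct security_id` and `char ** ctx` in the avc_sid_to_context() prototypes put a space on both sides of the declarator, whereas the surrounding code binds the star to the name (`struct security_id *security_id_t` directly below, `const char *path` elsewhere in this series), so the mechanically substituted lines read as foreign. The same spacing recurs in every header hunk of this diff (get_context_list.h, selinux.h), while the label.h hunk writes `char **con`, so the series is inconsistent with itself. Since selinux.h declares `typedef char *security_context_t`, the member type and the library ABI are unchanged by this hunk; only the spelling needs tidying, e.g. `char *ctx;` and `int avc_sid_to_context(security_id_t sid, char **ctx);`.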
@@ -51,8 +51,8 @@ * to the SID structure into the memory referenced by @sid, * returning %0 on success or -%1 on error with @errno set. */ -int avc_context_to_sid(const security_context_t ctx, security_id_t * sid); -int avc_context_to_sid_raw(const security_context_t ctx, security_id_t * sid); +int avc_context_to_sid(const char * ctx, security_id_t * sid); +int avc_context_to_sid_raw(const char * ctx, security_id_t * sid); /** * sidget - increment SID reference counter. diff -Nru libselinux-2.2.2/include/selinux/get_context_list.h libselinux-2.3/include/selinux/get_context_list.h --- libselinux-2.2.2/include/selinux/get_context_list.h 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/include/selinux/get_context_list.h 2014-05-06 17:30:27.000000000 +0000 @@ -17,15 +17,15 @@ If 'fromcon' is NULL, defaults to current context. Caller must free via freeconary. */ extern int get_ordered_context_list(const char *user, - security_context_t fromcon, - security_context_t ** list); + char * fromcon, + char *** list); /* As above, but use the provided MLS level rather than the default level for the user. */ int get_ordered_context_list_with_level(const char *user, const char *level, - security_context_t fromcon, - security_context_t ** list); + char * fromcon, + char *** list); /* Get the default security context for a user session for 'user' spawned by 'fromcon' and set *newcon to refer to it. The context 
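Review bot: `get_ordered_context_list()` now takes `char * fromcon` although the comment in this hunk describes it as an input that may be NULL and then defaults to the current context, and the ChangeLog entry at the top of this diff says the release fixes const declarations; the comparable setters in selinux.h (`setcon`, `setexeccon`) did become `const char *`. Use `const char *fromcon`, which stays source-compatible for callers passing a `char *`. The same non-const input parameter remains in `get_ordered_context_list_with_level()` in this hunk and in the four `get_default_context*()` prototypes of the two following hunks.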
@@ -35,23 +35,23 @@ Returns 0 on success or -1 otherwise. Caller must free via freecon. */ extern int get_default_context(const char *user, - security_context_t fromcon, - security_context_t * newcon); + char * fromcon, + char ** newcon); /* As above, but use the provided MLS level rather than the default level for the user. */ int get_default_context_with_level(const char *user, const char *level, - security_context_t fromcon, - security_context_t * newcon); + char * fromcon, + char ** newcon); /* Same as get_default_context, but only return a context that has the specified role. If no reachable context exists for the user with that role, then return -1. */ int get_default_context_with_role(const char *user, const char *role, - security_context_t fromcon, - security_context_t * newcon); + char * fromcon, + char ** newcon); /* Same as get_default_context, but only return a context that has the specified role and level. If no reachable context exists 
@@ -59,22 +59,22 @@ int get_default_context_with_rolelevel(const char *user, const char *level, const char *role, - security_context_t fromcon, - security_context_t * newcon); + char * fromcon, + char ** newcon); /* Given a list of authorized security contexts for the user, query the user to select one and set *newcon to refer to it. Caller must free via freecon. Returns 0 on sucess or -1 otherwise. */ - extern int query_user_context(security_context_t * list, - security_context_t * newcon); + extern int query_user_context(char ** list, + char ** newcon); /* Allow the user to manually enter a context as a fallback if a list of authorized contexts could not be obtained. Caller must free via freecon. Returns 0 on success or -1 otherwise. */ extern int manual_user_enter_context(const char *user, - security_context_t * newcon); + char ** newcon); #ifdef __cplusplus } diff -Nru libselinux-2.2.2/include/selinux/label.h libselinux-2.3/include/selinux/label.h --- libselinux-2.2.2/include/selinux/label.h 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/include/selinux/label.h 2014-05-06 17:30:27.000000000 +0000 @@ -92,9 +92,9 @@ * The result is returned in the memory pointed to by @con and must be freed * by the user with freecon(). */ -int selabel_lookup(struct selabel_handle *handle, security_context_t *con, +int selabel_lookup(struct selabel_handle *handle, char **con, const char *key, int type); -int selabel_lookup_raw(struct selabel_handle *handle, security_context_t *con, +int selabel_lookup_raw(struct selabel_handle *handle, char **con, const char *key, int type); /** diff -Nru libselinux-2.2.2/include/selinux/selinux.h libselinux-2.3/include/selinux/selinux.h --- libselinux-2.2.2/include/selinux/selinux.h 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/include/selinux/selinux.h 2014-05-06 17:30:27.000000000 +0000 
@@ -13,20 +13,21 @@ /* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */ extern int is_selinux_mls_enabled(void); +/* No longer used; here for compatibility with legacy callers. */ typedef char *security_context_t; /* Free the memory allocated for a context by any of the below get* calls. */ -extern void freecon(security_context_t con); +extern void freecon(char * con); /* Free the memory allocated for a context array by security_compute_user. */ -extern void freeconary(security_context_t * con); +extern void freeconary(char ** con); /* Wrappers for the /proc/pid/attr API. */ /* Get current context, and set *con to refer to it. Caller must free via freecon. */ -extern int getcon(security_context_t * con); -extern int getcon_raw(security_context_t * con); +extern int getcon(char ** con); +extern int getcon_raw(char ** con); /* Set the current security context to con. Note that use of this function requires that the entire application 
@@ -36,88 +37,88 @@ instead. Note that the application may lose access to its open descriptors as a result of a setcon() unless policy allows it to use descriptors opened by the old context. */ -extern int setcon(const security_context_t con); -extern int setcon_raw(const security_context_t con); +extern int setcon(const char * con); +extern int setcon_raw(const char * con); /* Get context of process identified by pid, and set *con to refer to it. Caller must free via freecon. */ -extern int getpidcon(pid_t pid, security_context_t * con); -extern int getpidcon_raw(pid_t pid, security_context_t * con); +extern int getpidcon(pid_t pid, char ** con); +extern int getpidcon_raw(pid_t pid, char ** con); /* Get previous context (prior to last exec), and set *con to refer to it. Caller must free via freecon. */ -extern int getprevcon(security_context_t * con); -extern int getprevcon_raw(security_context_t * con); +extern int getprevcon(char ** con); +extern int getprevcon_raw(char ** con); /* Get exec context, and set *con to refer to it. Sets *con to NULL if no exec context has been set, i.e. using default. If non-NULL, caller must free via freecon. */ -extern int getexeccon(security_context_t * con); -extern int getexeccon_raw(security_context_t * con); +extern int getexeccon(char ** con); +extern int getexeccon_raw(char ** con); /* Set exec security context for the next execve. Call with NULL if you want to reset to the default. */ -extern int setexeccon(const security_context_t con); -extern int setexeccon_raw(const security_context_t con); +extern int setexeccon(const char * con); +extern int setexeccon_raw(const char * con); /* Get fscreate context, and set *con to refer to it. Sets *con to NULL if no fs create context has been set, i.e. using default. If non-NULL, caller must free via freecon. 
*/ -extern int getfscreatecon(security_context_t * con); -extern int getfscreatecon_raw(security_context_t * con); +extern int getfscreatecon(char ** con); +extern int getfscreatecon_raw(char ** con); /* Set the fscreate security context for subsequent file creations. Call with NULL if you want to reset to the default. */ -extern int setfscreatecon(const security_context_t context); -extern int setfscreatecon_raw(const security_context_t context); +extern int setfscreatecon(const char * context); +extern int setfscreatecon_raw(const char * context); /* Get keycreate context, and set *con to refer to it. Sets *con to NULL if no key create context has been set, i.e. using default. If non-NULL, caller must free via freecon. */ -extern int getkeycreatecon(security_context_t * con); -extern int getkeycreatecon_raw(security_context_t * con); +extern int getkeycreatecon(char ** con); +extern int getkeycreatecon_raw(char ** con); /* Set the keycreate security context for subsequent key creations. Call with NULL if you want to reset to the default. */ -extern int setkeycreatecon(const security_context_t context); -extern int setkeycreatecon_raw(const security_context_t context); +extern int setkeycreatecon(const char * context); +extern int setkeycreatecon_raw(const char * context); /* Get sockcreate context, and set *con to refer to it. Sets *con to NULL if no socket create context has been set, i.e. using default. If non-NULL, caller must free via freecon. */ -extern int getsockcreatecon(security_context_t * con); -extern int getsockcreatecon_raw(security_context_t * con); +extern int getsockcreatecon(char ** con); +extern int getsockcreatecon_raw(char ** con); /* Set the sockcreate security context for subsequent socket creations. Call with NULL if you want to reset to the default. 
*/ -extern int setsockcreatecon(const security_context_t context); -extern int setsockcreatecon_raw(const security_context_t context); +extern int setsockcreatecon(const char * context); +extern int setsockcreatecon_raw(const char * context); /* Wrappers for the xattr API. */ /* Get file context, and set *con to refer to it. Caller must free via freecon. */ -extern int getfilecon(const char *path, security_context_t * con); -extern int getfilecon_raw(const char *path, security_context_t * con); -extern int lgetfilecon(const char *path, security_context_t * con); -extern int lgetfilecon_raw(const char *path, security_context_t * con); -extern int fgetfilecon(int fd, security_context_t * con); -extern int fgetfilecon_raw(int fd, security_context_t * con); +extern int getfilecon(const char *path, char ** con); +extern int getfilecon_raw(const char *path, char ** con); +extern int lgetfilecon(const char *path, char ** con); +extern int lgetfilecon_raw(const char *path, char ** con); +extern int fgetfilecon(int fd, char ** con); +extern int fgetfilecon_raw(int fd, char ** con); /* Set file context */ -extern int setfilecon(const char *path, security_context_t con); -extern int setfilecon_raw(const char *path, security_context_t con); -extern int lsetfilecon(const char *path, security_context_t con); -extern int lsetfilecon_raw(const char *path, security_context_t con); -extern int fsetfilecon(int fd, security_context_t con); -extern int fsetfilecon_raw(int fd, security_context_t con); +extern int setfilecon(const char *path, const char * con); +extern int setfilecon_raw(const char *path, const char * con); +extern int lsetfilecon(const char *path, const char * con); +extern int lsetfilecon_raw(const char *path, const char * con); +extern int fsetfilecon(int fd, const char * con); +extern int fsetfilecon_raw(int fd, const char * con); /* Wrappers for the socket API */ /* Get context of peer socket, and set *con to refer to it. Caller must free via freecon. 
*/ -extern int getpeercon(int fd, security_context_t * con); -extern int getpeercon_raw(int fd, security_context_t * con); +extern int getpeercon(int fd, char ** con); +extern int getpeercon_raw(int fd, char ** con); /* Wrappers for the selinuxfs (policy) API. */ @@ -156,7 +157,7 @@ int (*func_audit) (void *auditdata, security_class_t cls, char *msgbuf, size_t msgbufsize); /* validate the supplied context, modifying if necessary */ - int (*func_validate) (security_context_t *ctx); + int (*func_validate) (char **ctx); /* netlink callback for setenforce message */ int (*func_setenforce) (int enforcing); /* netlink callback for policyload message */ 
@@ -180,79 +181,79 @@ #define SELINUX_TRANS_DIR "/var/run/setrans" /* Compute an access decision. */ -extern int security_compute_av(const security_context_t scon, - const security_context_t tcon, +extern int security_compute_av(const char * scon, + const char * tcon, security_class_t tclass, access_vector_t requested, struct av_decision *avd); -extern int security_compute_av_raw(const security_context_t scon, - const security_context_t tcon, +extern int security_compute_av_raw(const char * scon, + const char * tcon, security_class_t tclass, access_vector_t requested, struct av_decision *avd); -extern int security_compute_av_flags(const security_context_t scon, - const security_context_t tcon, +extern int security_compute_av_flags(const char * scon, + const char * tcon, security_class_t tclass, access_vector_t requested, struct av_decision *avd); -extern int security_compute_av_flags_raw(const security_context_t scon, - const security_context_t tcon, +extern int security_compute_av_flags_raw(const char * scon, + const char * tcon, security_class_t tclass, access_vector_t requested, struct av_decision *avd); /* Compute a labeling decision and set *newcon to refer to it. Caller must free via freecon. 
*/ -extern int security_compute_create(const security_context_t scon, - const security_context_t tcon, +extern int security_compute_create(const char * scon, + const char * tcon, security_class_t tclass, - security_context_t * newcon); -extern int security_compute_create_raw(const security_context_t scon, - const security_context_t tcon, + char ** newcon); +extern int security_compute_create_raw(const char * scon, + const char * tcon, security_class_t tclass, - security_context_t * newcon); -extern int security_compute_create_name(const security_context_t scon, - const security_context_t tcon, + char ** newcon); +extern int security_compute_create_name(const char * scon, + const char * tcon, security_class_t tclass, const char *objname, - security_context_t * newcon); -extern int security_compute_create_name_raw(const security_context_t scon, - const security_context_t tcon, + char ** newcon); +extern int security_compute_create_name_raw(const char * scon, + const char * tcon, security_class_t tclass, const char *objname, - security_context_t * newcon); + char ** newcon); /* Compute a relabeling decision and set *newcon to refer to it. Caller must free via freecon. */ -extern int security_compute_relabel(const security_context_t scon, - const security_context_t tcon, +extern int security_compute_relabel(const char * scon, + const char * tcon, security_class_t tclass, - security_context_t * newcon); -extern int security_compute_relabel_raw(const security_context_t scon, - const security_context_t tcon, + char ** newcon); +extern int security_compute_relabel_raw(const char * scon, + const char * tcon, security_class_t tclass, - security_context_t * newcon); + char ** newcon); /* Compute a polyinstantiation member decision and set *newcon to refer to it. Caller must free via freecon. 
*/ -extern int security_compute_member(const security_context_t scon, - const security_context_t tcon, +extern int security_compute_member(const char * scon, + const char * tcon, security_class_t tclass, - security_context_t * newcon); -extern int security_compute_member_raw(const security_context_t scon, - const security_context_t tcon, + char ** newcon); +extern int security_compute_member_raw(const char * scon, + const char * tcon, security_class_t tclass, - security_context_t * newcon); + char ** newcon); /* Compute the set of reachable user contexts and set *con to refer to the NULL-terminated array of contexts. Caller must free via freeconary. */ -extern int security_compute_user(const security_context_t scon, +extern int security_compute_user(const char * scon, const char *username, - security_context_t ** con); -extern int security_compute_user_raw(const security_context_t scon, + char *** con); +extern int security_compute_user_raw(const char * scon, const char *username, - security_context_t ** con); + char *** con); /* Load a policy configuration. */ extern int security_load_policy(void *data, size_t len); @@ -260,9 +261,9 @@ /* Get the context of an initial kernel security identifier by name. Caller must free via freecon */ extern int security_get_initial_context(const char *name, - security_context_t * con); + char ** con); extern int security_get_initial_context_raw(const char *name, - security_context_t * con); + char ** con); /* * Make a policy image and load it. 
@@ -312,14 +313,14 @@ extern int security_load_booleans(char *path); /* Check the validity of a security context. */ -extern int security_check_context(const security_context_t con); -extern int security_check_context_raw(const security_context_t con); +extern int security_check_context(const char * con); +extern int security_check_context_raw(const char * con); /* Canonicalize a security context. */ -extern int security_canonicalize_context(const security_context_t con, - security_context_t * canoncon); -extern int security_canonicalize_context_raw(const security_context_t con, - security_context_t * canoncon); +extern int security_canonicalize_context(const char * con, + char ** canoncon); +extern int security_canonicalize_context_raw(const char * con, + char ** canoncon); /* Get the enforce flag value. */ extern int security_getenforce(void); @@ -357,6 +358,25 @@ const char *perms[sizeof(access_vector_t) * 8 + 1]; }; +/** + * selinux_set_mapping - Enable dynamic mapping between integer offsets and security class names + * @map: array of security_class_mapping structures + * + * The core avc_has_perm() API uses integers to represent security + * classes; previous to the introduction of this function, it was + * common for userspace object managers to be compiled using generated + * offsets for a particular policy. However, that strongly ties the build of the userspace components to a particular policy. + * + * By using this function to map between integer offsets and security + * class names, it's possible to replace a system policies that have + * at least the same set of security class names as used by the + * userspace object managers. + * + * To correctly use this function, you should override the generated + * security class defines from the system policy in a local header, + * starting at 1, and have one security_class_mapping structure entry + * per define. + */ extern int selinux_set_mapping(struct security_class_mapping *map); /* Common helpers */ 
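Review bot: The new kernel-doc block for selinux_set_mapping() has no return description, so a reader of the header cannot tell whether a mapping failure is reported at all; the avc.h comments in this same series spell out `returning %0 on success or -%1 on error with @errno set`. Adding a `Return:` line stating what the implementation actually does — presumably 0 on success and -1 on failure, to be confirmed against the source — would make the contract visible. The phrase "replace a system policies that have at least the same set of security class names" also has a number mismatch; "replace the system policy with any policy that has at least the same set of security class names" reads as intended.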
@@ -438,12 +458,12 @@ If matchpathcon_init has not already been called, then this function will call it upon its first invocation with a NULL path. */ extern int matchpathcon(const char *path, - mode_t mode, security_context_t * con); + mode_t mode, char ** con); /* Same as above, but return a specification index for later use in a matchpathcon_filespec_add() call - see below. */ extern int matchpathcon_index(const char *path, - mode_t mode, security_context_t * con); + mode_t mode, char ** con); /* Maintain an association between an inode and a specification index, and check whether a conflicting specification is already associated @@ -466,7 +486,7 @@ /* Match the specified media and against the media contexts configuration and set *con to refer to the resulting context. Caller must free con via freecon. */ -extern int matchmediacon(const char *media, security_context_t * con); +extern int matchmediacon(const char *media, char ** con); /* selinux_getenforcemode reads the /etc/selinux/config file and determines @@ -553,7 +573,7 @@ * If auditing or logging is configured the appropriate callbacks will be called * and passed the auditdata field */ -extern int selinux_check_access(const security_context_t scon, const security_context_t tcon, const char *tclass, const char *perm, void *auditdata); +extern int selinux_check_access(const char * scon, const char * tcon, const char *tclass, const char *perm, void *auditdata); /* Check a permission in the passwd class. Return 0 if granted or -1 otherwise. */ @@ -562,7 +582,7 @@ /* Check if the tty_context is defined as a securetty Return 0 if secure, < 0 otherwise. */ -extern int selinux_check_securetty_context(const security_context_t tty_context); +extern int selinux_check_securetty_context(const char * tty_context); /* Set the path to the selinuxfs mount point explicitly. Normally, this is determined automatically during libselinux 
@@ -576,6 +596,10 @@ /* clear selinuxmnt variable and free allocated memory */ void fini_selinuxmnt(void); +/* Set an appropriate security context based on the filename of a helper + * program, falling back to a new context with the specified type. */ +extern int setexecfilecon(const char *filename, const char *fallback_type); + /* Execute a helper for rpm in an appropriate security context. */ extern int rpm_execcon(unsigned int verified, const char *filename, @@ -583,24 +607,24 @@ /* Returns whether a file context is customizable, and should not be relabeled . */ -extern int is_context_customizable(const security_context_t scontext); +extern int is_context_customizable(const char * scontext); /* Perform context translation between the human-readable format ("translated") and the internal system format ("raw"). Caller must free the resulting context via freecon. Returns -1 upon an error or 0 otherwise. If passed NULL, sets the returned context to NULL and returns 0. */ -extern int selinux_trans_to_raw_context(const security_context_t trans, - security_context_t * rawp); -extern int selinux_raw_to_trans_context(const security_context_t raw, - security_context_t * transp); +extern int selinux_trans_to_raw_context(const char * trans, + char ** rawp); +extern int selinux_raw_to_trans_context(const char * raw, + char ** transp); /* Perform context translation between security contexts and display colors. Returns a space-separated list of ten ten hex RGB triples prefixed by hash marks, e.g. "#ff0000". Caller must free the resulting string via free. Returns -1 upon an error or 0 otherwise. */ -extern int selinux_raw_context_to_color(const security_context_t raw, +extern int selinux_raw_context_to_color(const char * raw, char **color_str); /* Get the SELinux username and level to use for a given Linux username. 
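Review bot: The comment on the new `setexecfilecon()` declaration states neither its return convention nor that it only sets the context for the next execve(2) without executing anything, although the getexeccon.3 hunk later in this diff documents both (0 on success, -1 on error; rpm_execcon() deprecated in its favour). Suggest `/* Set the exec context for the next execve(2) from the policy for filename, falling back to a new context of type fallback_type. Returns 0 on success, -1 on error. */` and, above rpm_execcon(), `/* Deprecated: use setexecfilecon() followed by execve(2). */`. It would also help callers to say whether the fallback is taken silently, since a missing transition for filename then means the helper runs with a caller-chosen type rather than failing. The Makefile hunk adds a DISABLE_RPM flag, which presumably compiles rpm_execcon() out of some builds while this header still declares it unconditionally — worth confirming and noting here if so.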
@@ -619,8 +643,8 @@
 char **r_seuser, char **r_level);
 /* Compare two file contexts, return 0 if equivalent. */
-extern int selinux_file_context_cmp(const security_context_t a,
- const security_context_t b);
+extern int selinux_file_context_cmp(const char * a,
+ const char * b);
 /*
 * Verify the context of the file 'path' against policy.
diff -Nru libselinux-2.2.2/Makefile libselinux-2.3/Makefile
--- libselinux-2.2.2/Makefile 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/Makefile 2014-05-06 17:30:27.000000000 +0000
@@ -16,6 +16,9 @@
 ifeq ($(DISABLE_BOOL),y)
 EMFLAGS+= -DDISABLE_BOOL
 endif
+ifeq ($(DISABLE_RPM),y)
+ EMFLAGS+= -DDISABLE_RPM
+endif
 ifeq ($(DISABLE_SETRANS),y)
 EMFLAGS+= -DDISABLE_SETRANS
 endif
diff -Nru libselinux-2.2.2/man/man3/avc_context_to_sid.3 libselinux-2.3/man/man3/avc_context_to_sid.3
--- libselinux-2.2.2/man/man3/avc_context_to_sid.3 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/man/man3/avc_context_to_sid.3 2014-05-06 17:30:27.000000000 +0000
@@ -10,9 +10,9 @@
 .br
 .B #include
 .sp
-.BI "int avc_context_to_sid(security_context_t " ctx ", security_id_t *" sid ");"
+.BI "int avc_context_to_sid(char * " ctx ", security_id_t *" sid ");"
 .sp
-.BI "int avc_sid_to_context(security_id_t " sid ", security_context_t *" ctx ");"
+.BI "int avc_sid_to_context(security_id_t " sid ", char **" ctx ");"
 .sp
 .BI "int avc_get_initial_sid(const char *" name ", security_id_t *" sid ");"
 .
diff -Nru libselinux-2.2.2/man/man3/getcon.3 libselinux-2.3/man/man3/getcon.3
--- libselinux-2.2.2/man/man3/getcon.3 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/man/man3/getcon.3 2014-05-06 17:30:27.000000000 +0000
@@ -11,29 +11,29 @@
 .SH "SYNOPSIS"
 .B #include
 .sp
-.BI "int getcon(security_context_t *" context );
+.BI "int getcon(char **" context );
 .sp
-.BI "int getcon_raw(security_context_t *" context );
+.BI "int getcon_raw(char **" context );
 .sp
-.BI "int getprevcon(security_context_t *" context );
+.BI "int getprevcon(char **" context );
 .sp
-.BI "int getprevcon_raw(security_context_t *" context );
+.BI "int getprevcon_raw(char **" context );
 .sp
-.BI "int getpidcon(pid_t " pid ", security_context_t *" context );
+.BI "int getpidcon(pid_t " pid ", char **" context );
 .sp
-.BI "int getpidcon_raw(pid_t " pid ", security_context_t *" context );
+.BI "int getpidcon_raw(pid_t " pid ", char **" context );
 .sp
-.BI "int getpeercon(int " fd ", security_context_t *" context );
+.BI "int getpeercon(int " fd ", char **" context );
 .sp
-.BI "int getpeercon_raw(int " fd ", security_context_t *" context );
+.BI "int getpeercon_raw(int " fd ", char **" context );
 .sp
-.BI "void freecon(security_context_t "con );
+.BI "void freecon(char * "con );
 .sp
-.BI "void freeconary(security_context_t *" con );
+.BI "void freeconary(char **" con );
 .sp
-.BI "int setcon(security_context_t " context );
+.BI "int setcon(char * " context );
 .sp
-.BI "int setcon_raw(security_context_t " context );
+.BI "int setcon_raw(char * " context );
 .
 .SH "DESCRIPTION"
 .BR getcon ()
diff -Nru libselinux-2.2.2/man/man3/getexeccon.3 libselinux-2.3/man/man3/getexeccon.3
--- libselinux-2.2.2/man/man3/getexeccon.3 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/man/man3/getexeccon.3 2014-05-06 17:30:27.000000000 +0000
@@ -7,13 +7,15 @@ .SH "SYNOPSIS" .B #include .sp -.BI "int getexeccon(security_context_t *" context ); +.BI "int getexeccon(char **" context ); .sp -.BI "int getexeccon_raw(security_context_t *" context ); +.BI "int getexeccon_raw(char **" context ); .sp -.BI "int setexeccon(security_context_t "context ); +.BI "int setexeccon(char * "context ); .sp -.BI "int setexeccon_raw(security_context_t "context ); +.BI "int setexeccon_raw(char * "context ); +.sp +.BI "int setexecfilecon(const char *" filename ", const char *" fallback_type ); .sp .BI "int rpm_execcon(unsigned int " verified ", const char *" filename ", char *const " argv "[] , char *const " envp "[]); . @@ -62,7 +64,21 @@ must take care to save, reset, and restore the exec context to avoid unexpected behavior. +.BR setexecfilecon () +sets the context used for the next +.BR execve (2) +call, based on the policy for the +.IR filename , +and falling back to a new context with a +.I fallback_type +in case there is no transition. + .BR rpm_execcon () +is deprecated; please use +.BR setexecfilecon () +in conjunction with +.BR execve (2) +in all new code. This function runs a helper for rpm in an appropriate security context. The verified parameter should contain the return code from the signature verification (0 == ok, 1 == notfound, 2 == verifyfail, 3 == @@ -76,10 +92,11 @@ On error \-1 is returned. On success -.BR getexeccon () -and +.BR getexeccon (), .BR setexeccon () -returns 0. +and +.BR setexecfilecon () +return 0. .BR rpm_execcon () only returns upon errors, as it calls .BR execve (2). diff -Nru libselinux-2.2.2/man/man3/getfilecon.3 libselinux-2.3/man/man3/getfilecon.3 --- libselinux-2.2.2/man/man3/getfilecon.3 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/man/man3/getfilecon.3 2014-05-06 17:30:27.000000000 +0000 
@@ -5,17 +5,17 @@
 .SH "SYNOPSIS"
 .B #include
 .sp
-.BI "int getfilecon(const char *" path ", security_context_t *" con );
+.BI "int getfilecon(const char *" path ", char **" con );
 .sp
-.BI "int getfilecon_raw(const char *" path ", security_context_t *" con );
+.BI "int getfilecon_raw(const char *" path ", char **" con );
 .sp
-.BI "int lgetfilecon(const char *" path ", security_context_t *" con );
+.BI "int lgetfilecon(const char *" path ", char **" con );
 .sp
-.BI "int lgetfilecon_raw(const char *" path ", security_context_t *" con );
+.BI "int lgetfilecon_raw(const char *" path ", char **" con );
 .sp
-.BI "int fgetfilecon(int "fd ", security_context_t *" con );
+.BI "int fgetfilecon(int "fd ", char **" con );
 .sp
-.BI "int fgetfilecon_raw(int "fd ", security_context_t *" con );
+.BI "int fgetfilecon_raw(int "fd ", char **" con );
 .
 .SH "DESCRIPTION"
 .BR getfilecon ()
diff -Nru libselinux-2.2.2/man/man3/getfscreatecon.3 libselinux-2.3/man/man3/getfscreatecon.3
--- libselinux-2.2.2/man/man3/getfscreatecon.3 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/man/man3/getfscreatecon.3 2014-05-06 17:30:27.000000000 +0000
@@ -5,13 +5,13 @@
 .SH "SYNOPSIS"
 .B #include
 .sp
-.BI "int getfscreatecon(security_context_t *" con );
+.BI "int getfscreatecon(char **" con );
 .sp
-.BI "int getfscreatecon_raw(security_context_t *" con );
+.BI "int getfscreatecon_raw(char **" con );
 .sp
-.BI "int setfscreatecon(security_context_t "context );
+.BI "int setfscreatecon(char * "context );
 .sp
-.BI "int setfscreatecon_raw(security_context_t "context );
+.BI "int setfscreatecon_raw(char * "context );
 .
 .SH "DESCRIPTION"
 .BR getfscreatecon ()
diff -Nru libselinux-2.2.2/man/man3/getkeycreatecon.3 libselinux-2.3/man/man3/getkeycreatecon.3
--- libselinux-2.2.2/man/man3/getkeycreatecon.3 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/man/man3/getkeycreatecon.3 2014-05-06 17:30:27.000000000 +0000
@@ -5,13 +5,13 @@
 .SH "SYNOPSIS"
 .B #include
 .sp
-.BI "int getkeycreatecon(security_context_t *" con );
+.BI "int getkeycreatecon(char **" con );
 .sp
-.BI "int getkeycreatecon_raw(security_context_t *" con );
+.BI "int getkeycreatecon_raw(char **" con );
 .sp
-.BI "int setkeycreatecon(security_context_t "context );
+.BI "int setkeycreatecon(char * "context );
 .sp
-.BI "int setkeycreatecon_raw(security_context_t "context );
+.BI "int setkeycreatecon_raw(char * "context );
 .
 .SH "DESCRIPTION"
 .BR getkeycreatecon ()
diff -Nru libselinux-2.2.2/man/man3/get_ordered_context_list.3 libselinux-2.3/man/man3/get_ordered_context_list.3
--- libselinux-2.2.2/man/man3/get_ordered_context_list.3 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/man/man3/get_ordered_context_list.3 2014-05-06 17:30:27.000000000 +0000
@@ -7,21 +7,21 @@ .br .B #include .sp -.BI "int get_ordered_context_list(const char *" user ", security_context_t "fromcon ", security_context_t **" list ); +.BI "int get_ordered_context_list(const char *" user ", char * "fromcon ", char ***" list ); .sp -.BI "int get_ordered_context_list_with_level(const char *" user ", const char *" level ", security_context_t "fromcon ", security_context_t **" list ); +.BI "int get_ordered_context_list_with_level(const char *" user ", const char *" level ", char * "fromcon ", char ***" list ); .sp -.BI "int get_default_context(const char *" user ", security_context_t "fromcon ", security_context_t *" newcon ); +.BI "int get_default_context(const char *" user ", char * "fromcon ", char **" newcon ); .sp -.BI "int get_default_context_with_level(const char *" user ", const char *" level ", security_context_t "fromcon ", security_context_t *" newcon ); +.BI "int get_default_context_with_level(const char *" user ", const char *" level ", char * "fromcon ", char **" newcon ); .sp -.BI "int get_default_context_with_role(const char *" user ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon "); +.BI "int get_default_context_with_role(const char *" user ", const char *" role ", char * " fromcon ", char **" newcon "); .sp -.BI "int get_default_context_with_rolelevel(const char *" user ", const char *" level ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon "); +.BI "int get_default_context_with_rolelevel(const char *" user ", const char *" level ", const char *" role ", char * " fromcon ", char **" newcon "); .sp -.BI "int query_user_context(security_context_t *" list ", security_context_t *" newcon ); +.BI "int query_user_context(char **" list ", char **" newcon ); .sp -.BI "int manual_user_enter_context(const char *" user ", security_context_t *" newcon ); +.BI "int manual_user_enter_context(const char *" user ", char **" newcon ); .sp .BI "int get_default_type(const 
char *" role ", char **" type ); . diff -Nru libselinux-2.2.2/man/man3/getsockcreatecon.3 libselinux-2.3/man/man3/getsockcreatecon.3 --- libselinux-2.2.2/man/man3/getsockcreatecon.3 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/man/man3/getsockcreatecon.3 2014-05-06 17:30:27.000000000 +0000 @@ -5,13 +5,13 @@ .SH "SYNOPSIS" .B #include .sp -.BI "int getsockcreatecon(security_context_t *" con ); +.BI "int getsockcreatecon(char **" con ); .sp -.BI "int getsockcreatecon_raw(security_context_t *" con ); +.BI "int getsockcreatecon_raw(char **" con ); .sp -.BI "int setsockcreatecon(security_context_t "context ); +.BI "int setsockcreatecon(char * "context ); .sp -.BI "int setsockcreatecon_raw(security_context_t "context ); +.BI "int setsockcreatecon_raw(char * "context ); . .SH "DESCRIPTION" .BR getsockcreatecon () diff -Nru libselinux-2.2.2/man/man3/is_context_customizable.3 libselinux-2.3/man/man3/is_context_customizable.3 --- libselinux-2.2.2/man/man3/is_context_customizable.3 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/man/man3/is_context_customizable.3 2014-05-06 17:30:27.000000000 +0000 @@ -5,7 +5,7 @@ .SH "SYNOPSIS" .B #include .sp -.BI "int is_context_customizable(security_context_t " scon ); +.BI "int is_context_customizable(char * " scon ); . .SH "DESCRIPTION" This function checks whether the type of scon is in the diff -Nru libselinux-2.2.2/man/man3/matchmediacon.3 libselinux-2.3/man/man3/matchmediacon.3 --- libselinux-2.2.2/man/man3/matchmediacon.3 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/man/man3/matchmediacon.3 2014-05-06 17:30:27.000000000 +0000 
@@ -5,7 +5,7 @@
 .SH "SYNOPSIS"
 .B #include
 .sp
-.BI "int matchmediacon(const char *" media ", security_context_t *" con );
+.BI "int matchmediacon(const char *" media ", char **" con );
 .
 .SH "DESCRIPTION"
 .BR matchmediacon ()
diff -Nru libselinux-2.2.2/man/man3/matchpathcon.3 libselinux-2.3/man/man3/matchpathcon.3
--- libselinux-2.2.2/man/man3/matchpathcon.3 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/man/man3/matchpathcon.3 2014-05-06 17:30:27.000000000 +0000
@@ -11,9 +11,9 @@
 .sp
 .BI "int matchpathcon_fini(void);"
 .sp
-.BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con ");
+.BI "int matchpathcon(const char *" path ", mode_t " mode ", char **" con ");
 .sp
-.BI "int matchpathcon_index(const char *" name ", mode_t " mode ", security_context_t *" con ");"
+.BI "int matchpathcon_index(const char *" name ", mode_t " mode ", char **" con ");"
 .
 .SH "DESCRIPTION"
 .BR matchpathcon_init ()
diff -Nru libselinux-2.2.2/man/man3/security_check_context.3 libselinux-2.3/man/man3/security_check_context.3
--- libselinux-2.2.2/man/man3/security_check_context.3 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/man/man3/security_check_context.3 2014-05-06 17:30:27.000000000 +0000
@@ -5,9 +5,9 @@
 .SH "SYNOPSIS"
 .B #include
 .sp
-.BI "int security_check_context(security_context_t "con );
+.BI "int security_check_context(char * "con );
 .sp
-.BI "int security_check_context_raw(security_context_t "con );
+.BI "int security_check_context_raw(char * "con );
 .
 .SH "DESCRIPTION"
 .BR security_check_context ()
diff -Nru libselinux-2.2.2/man/man3/security_compute_av.3 libselinux-2.3/man/man3/security_compute_av.3
--- libselinux-2.2.2/man/man3/security_compute_av.3 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/man/man3/security_compute_av.3 2014-05-06 17:30:27.000000000 +0000
@@ -9,39 +9,39 @@ .br .B #include .sp -.BI "int security_compute_av(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd ); +.BI "int security_compute_av(char * "scon ", char * "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd ); .sp -.BI "int security_compute_av_raw(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd ); +.BI "int security_compute_av_raw(char * "scon ", char * "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd ); .sp -.BI "int security_compute_av_flags(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd ); +.BI "int security_compute_av_flags(char * "scon ", char * "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd ); .sp -.BI "int security_compute_av_flags_raw(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd ); +.BI "int security_compute_av_flags_raw(char * "scon ", char * "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd ); .sp -.BI "int security_compute_create(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); +.BI "int security_compute_create(char * "scon ", char * "tcon ", security_class_t "tclass ", char **" newcon ); .sp -.BI "int security_compute_create_raw(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); +.BI "int security_compute_create_raw(char * "scon ", char * "tcon ", security_class_t "tclass ", char **" newcon ); .sp -.BI "int security_compute_create_name(security_context_t "scon ", 
security_context_t "tcon ", security_class_t "tclass ", const char *"objname ", security_context_t *" newcon ); +.BI "int security_compute_create_name(char * "scon ", char * "tcon ", security_class_t "tclass ", const char *"objname ", char **" newcon ); .sp -.BI "int security_compute_create_name_raw(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", const char *"objname ", security_context_t *" newcon ); +.BI "int security_compute_create_name_raw(char * "scon ", char * "tcon ", security_class_t "tclass ", const char *"objname ", char **" newcon ); .sp -.BI "int security_compute_relabel(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); +.BI "int security_compute_relabel(char * "scon ", char * "tcon ", security_class_t "tclass ", char **" newcon ); .sp -.BI "int security_compute_relabel_raw(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); +.BI "int security_compute_relabel_raw(char * "scon ", char * "tcon ", security_class_t "tclass ", char **" newcon ); .sp -.BI "int security_compute_member(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); +.BI "int security_compute_member(char * "scon ", char * "tcon ", security_class_t "tclass ", char **" newcon ); .sp -.BI "int security_compute_member_raw(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); +.BI "int security_compute_member_raw(char * "scon ", char * "tcon ", security_class_t "tclass ", char **" newcon ); .sp -.BI "int security_compute_user(security_context_t "scon ", const char *" username ", security_context_t **" con ); +.BI "int security_compute_user(char * "scon ", const char *" username ", char ***" con ); .sp -.BI "int security_compute_user_raw(security_context_t "scon ", const char *" username ", security_context_t 
**" con ); +.BI "int security_compute_user_raw(char * "scon ", const char *" username ", char ***" con ); .sp -.BI "int security_get_initial_context(const char *" name ", security_context_t *" con ); +.BI "int security_get_initial_context(const char *" name ", char **" con ); .sp -.BI "int security_get_initial_context_raw(const char *" name ", security_context_t *" con ); +.BI "int security_get_initial_context_raw(const char *" name ", char **" con ); .sp -.BI "int selinux_check_access(const security_context_t " scon ", const security_context_t " tcon ", const char *" class ", const char *" perm ", void *" auditdata); +.BI "int selinux_check_access(const char * " scon ", const char * " tcon ", const char *" class ", const char *" perm ", void *" auditdata); .sp .BI "int selinux_check_passwd_access(access_vector_t " requested ); .sp diff -Nru libselinux-2.2.2/man/man3/selabel_lookup.3 libselinux-2.3/man/man3/selabel_lookup.3 --- libselinux-2.2.2/man/man3/selabel_lookup.3 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/man/man3/selabel_lookup.3 2014-05-06 17:30:27.000000000 +0000 @@ -12,14 +12,14 @@ .sp .BI "int selabel_lookup(struct selabel_handle *" hnd , .in +\w'int selabel_lookup('u -.BI "security_context_t *" context , +.BI "char **" context , .br .BI "const char *" key ", int " type ");" .in .sp .BI "int selabel_lookup_raw(struct selabel_handle *" hnd , .in +\w'int selabel_lookup_raw('u -.BI "security_context_t *" context , +.BI "char **" context , .br .BI "const char *" key ", int " type ");" .in diff -Nru libselinux-2.2.2/man/man3/selinux_check_securetty_context.3 libselinux-2.3/man/man3/selinux_check_securetty_context.3 --- libselinux-2.2.2/man/man3/selinux_check_securetty_context.3 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/man/man3/selinux_check_securetty_context.3 2014-05-06 17:30:27.000000000 +0000 
@@ -5,7 +5,7 @@
 .SH "SYNOPSIS"
 .B #include
 .sp
-.BI "int selinux_check_securetty_context(security_context_t "tty_context );
+.BI "int selinux_check_securetty_context(char * "tty_context );
 .
 .SH "DESCRIPTION"
 .BR selinux_check_securetty_context ()
diff -Nru libselinux-2.2.2/man/man3/selinux_file_context_cmp.3 libselinux-2.3/man/man3/selinux_file_context_cmp.3
--- libselinux-2.2.2/man/man3/selinux_file_context_cmp.3 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/man/man3/selinux_file_context_cmp.3 2014-05-06 17:30:27.000000000 +0000
@@ -5,9 +5,9 @@
 .SH "SYNOPSIS"
 .B #include
 .sp
-.BI "int selinux_file_context_cmp(const security_context_t " a ", "
+.BI "int selinux_file_context_cmp(const char * " a ", "
 .RS
-.BI "const security_context_t " b ");"
+.BI "const char * " b ");"
 .RE
 .
 .SH "DESCRIPTION"
diff -Nru libselinux-2.2.2/man/man3/selinux_raw_context_to_color.3 libselinux-2.3/man/man3/selinux_raw_context_to_color.3
--- libselinux-2.2.2/man/man3/selinux_raw_context_to_color.3 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/man/man3/selinux_raw_context_to_color.3 2014-05-06 17:30:27.000000000 +0000
@@ -5,7 +5,7 @@
 .SH "SYNOPSIS"
 .B #include
 .sp
-.BI "int selinux_raw_context_to_color(security_context_t " raw ", "
+.BI "int selinux_raw_context_to_color(char * " raw ", "
 .RS
 .BI "char **" color_str ");"
 .RE
diff -Nru libselinux-2.2.2/man/man3/selinux_set_callback.3 libselinux-2.3/man/man3/selinux_set_callback.3
--- libselinux-2.2.2/man/man3/selinux_set_callback.3 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/man/man3/selinux_set_callback.3 2014-05-06 17:30:27.000000000 +0000
@@ -68,7 +68,7 @@ . .TP .B SELINUX_CB_VALIDATE -.BI "int (*" func_validate ") (security_context_t *" ctx ");" +.BI "int (*" func_validate ") (char **" ctx ");" This callback is used for context validation. The callback may optionally modify the input context by setting the target of the .I ctx diff -Nru libselinux-2.2.2/man/man3/setfilecon.3 libselinux-2.3/man/man3/setfilecon.3 --- libselinux-2.2.2/man/man3/setfilecon.3 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/man/man3/setfilecon.3 2014-05-06 17:30:27.000000000 +0000 @@ -5,17 +5,17 @@ .SH "SYNOPSIS" .B #include .sp -.BI "int setfilecon(const char *" path ", security_context_t "con ); +.BI "int setfilecon(const char *" path ", char * "con ); .sp -.BI "int setfilecon_raw(const char *" path ", security_context_t "con ); +.BI "int setfilecon_raw(const char *" path ", char * "con ); .sp -.BI "int lsetfilecon(const char *" path ", security_context_t "con ); +.BI "int lsetfilecon(const char *" path ", char * "con ); .sp -.BI "int lsetfilecon_raw(const char *" path ", security_context_t "con ); +.BI "int lsetfilecon_raw(const char *" path ", char * "con ); .sp -.BI "int fsetfilecon(int "fd ", security_context_t "con ); +.BI "int fsetfilecon(int "fd ", char * "con ); .sp -.BI "int fsetfilecon_raw(int "fd ", security_context_t "con ); +.BI "int fsetfilecon_raw(int "fd ", char * "con ); . .SH "DESCRIPTION" .BR setfilecon () diff -Nru libselinux-2.2.2/man/man5/selabel_db.5 libselinux-2.3/man/man5/selabel_db.5 --- libselinux-2.2.2/man/man5/selabel_db.5 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/man/man5/selabel_db.5 2014-05-06 17:30:27.000000000 +0000 
@@ -10,14 +10,14 @@
 .sp
 .BI "int selabel_lookup(struct selabel_handle *" hnd ,
 .in +\w'int selabel_lookup('u
-.BI "security_context_t *" context ,
+.BI "char **" context ,
 .br
 .BI "const char *" object_name ", int " object_type ");"
 .in
 .sp
 .BI "int selabel_lookup_raw(struct selabel_handle *" hnd ,
 .in +\w'int selabel_lookup('u
-.BI "security_context_t *" context ,
+.BI "char **" context ,
 .br
 .BI "const char *" object_name ", int " object_type ");"
 .
diff -Nru libselinux-2.2.2/man/man5/selabel_file.5 libselinux-2.3/man/man5/selabel_file.5
--- libselinux-2.2.2/man/man5/selabel_file.5 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/man/man5/selabel_file.5 2014-05-06 17:30:27.000000000 +0000
@@ -10,14 +10,14 @@
 .sp
 .BI "int selabel_lookup(struct selabel_handle *" hnd ,
 .in +\w'int selabel_lookup('u
-.BI "security_context_t *" context ,
+.BI "char **" context ,
 .br
 .BI "const char *" path ", int " mode ");"
 .in
 .sp
 .BI "int selabel_lookup_raw(struct selabel_handle *" hnd ,
 .in +\w'int selabel_lookup('u
-.BI "security_context_t *" context ,
+.BI "char **" context ,
 .br
 .BI "const char *" path ", int " mode ");"
 .
diff -Nru libselinux-2.2.2/man/man5/selabel_media.5 libselinux-2.3/man/man5/selabel_media.5
--- libselinux-2.2.2/man/man5/selabel_media.5 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/man/man5/selabel_media.5 2014-05-06 17:30:27.000000000 +0000
@@ -10,14 +10,14 @@ .sp .BI "int selabel_lookup(struct selabel_handle *" hnd , .in +\w'int selabel_lookup('u -.BI "security_context_t *" context , +.BI "char **" context , .br .BI "const char *" device_name ", int " unused ");" .in .sp .BI "int selabel_lookup_raw(struct selabel_handle *" hnd , .in +\w'int selabel_lookup('u -.BI "security_context_t *" context , +.BI "char **" context , .br .BI "const char *" device_name ", int " unused ");" . diff -Nru libselinux-2.2.2/man/man5/selabel_x.5 libselinux-2.3/man/man5/selabel_x.5 --- libselinux-2.2.2/man/man5/selabel_x.5 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/man/man5/selabel_x.5 2014-05-06 17:30:27.000000000 +0000 @@ -10,14 +10,14 @@ .sp .BI "int selabel_lookup(struct selabel_handle *" hnd , .in +\w'int selabel_lookup('u -.BI "security_context_t *" context , +.BI "char **" context , .br .BI "const char *" object_name ", int " object_type ");" .in .sp .BI "int selabel_lookup_raw(struct selabel_handle *" hnd , .in +\w'int selabel_lookup('u -.BI "security_context_t *" context , +.BI "char **" context , .br .BI "const char *" object_name ", int " object_type ");" . diff -Nru libselinux-2.2.2/src/audit2why.c libselinux-2.3/src/audit2why.c --- libselinux-2.2.2/src/audit2why.c 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/src/audit2why.c 2014-05-06 17:30:27.000000000 +0000 @@ -300,8 +300,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args) { char *reason_buf = NULL; - security_context_t scon; - security_context_t tcon; + char * scon; + char * tcon; char *tclassstr; PyObject *listObj; PyObject *strObj; diff -Nru libselinux-2.2.2/src/avc.c libselinux-2.3/src/avc.c --- libselinux-2.2.2/src/avc.c 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/src/avc.c 2014-05-06 17:30:27.000000000 +0000 
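Review bot: The replacement declarations `char * scon;` and `char * tcon;` in analyze() put a space after the `*`, which does not match the declarator style of the neighbouring lines in the same hunk (`char *reason_buf = NULL;`, `char *tclassstr;`); the same `char * ` spelling recurs in the C hunks for avc.c, avc_sidtab.c, canonicalize_context.c, check_context.c, compute_av.c, compute_create.c, compute_member.c and compute_relabel.c, while the checkAccess.c hunk writes `const char *scon`. Since this is a mechanical typedef expansion the code is equivalent either way, but a normalising pass to `char *scon;` would leave the tree consistent with how the untouched lines are written. This is a style point only.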
@@ -67,7 +67,7 @@ & (AVC_CACHE_SLOTS - 1); } -int avc_context_to_sid_raw(const security_context_t ctx, security_id_t * sid) +int avc_context_to_sid_raw(const char * ctx, security_id_t * sid) { int rc; /* avc_init needs to be called before this function */ @@ -79,10 +79,10 @@ return rc; } -int avc_context_to_sid(const security_context_t ctx, security_id_t * sid) +int avc_context_to_sid(const char * ctx, security_id_t * sid) { int ret; - security_context_t rctx; + char * rctx; if (selinux_trans_to_raw_context(ctx, &rctx)) return -1; @@ -94,7 +94,7 @@ return ret; } -int avc_sid_to_context_raw(security_id_t sid, security_context_t * ctx) +int avc_sid_to_context_raw(security_id_t sid, char ** ctx) { int rc; *ctx = NULL; @@ -105,10 +105,10 @@ return rc; } -int avc_sid_to_context(security_id_t sid, security_context_t * ctx) +int avc_sid_to_context(security_id_t sid, char ** ctx) { int ret; - security_context_t rctx; + char * rctx; ret = avc_sid_to_context_raw(sid, &rctx); @@ -133,7 +133,7 @@ int avc_get_initial_sid(const char * name, security_id_t * sid) { int rc; - security_context_t con; + char * con; rc = security_get_initial_context_raw(name, &con); if (rc < 0) @@ -843,7 +843,7 @@ int rc; struct avc_entry_ref aeref; struct avc_entry entry; - security_context_t ctx; + char * ctx; *newsid = NULL; avc_entry_ref_init(&aeref); @@ -891,7 +891,7 @@ security_class_t tclass, security_id_t *newsid) { int rc; - security_context_t ctx = NULL; + char * ctx = NULL; *newsid = NULL; /* avc_init needs to be called before this function */ assert(avc_running); diff -Nru libselinux-2.2.2/src/avc_sidtab.c libselinux-2.3/src/avc_sidtab.c --- libselinux-2.2.2/src/avc_sidtab.c 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/src/avc_sidtab.c 2014-05-06 17:30:27.000000000 +0000 
@@ -13,7 +13,7 @@ #include "avc_sidtab.h" #include "avc_internal.h" -static inline unsigned sidtab_hash(security_context_t key) +static inline unsigned sidtab_hash(const char * key) { char *p, *keyp; unsigned int size; @@ -46,18 +46,18 @@ return rc; } -int sidtab_insert(struct sidtab *s, const security_context_t ctx) +int sidtab_insert(struct sidtab *s, const char * ctx) { int hvalue, rc = 0; struct sidtab_node *newnode; - security_context_t newctx; + char * newctx; newnode = (struct sidtab_node *)avc_malloc(sizeof(*newnode)); if (!newnode) { rc = -1; goto out; } - newctx = (security_context_t) strdup(ctx); + newctx = (char *) strdup(ctx); if (!newctx) { rc = -1; avc_free(newnode); @@ -76,7 +76,7 @@ int sidtab_context_to_sid(struct sidtab *s, - const security_context_t ctx, security_id_t * sid) + const char * ctx, security_id_t * sid) { int hvalue, rc = 0; struct sidtab_node *cur; diff -Nru libselinux-2.2.2/src/avc_sidtab.h libselinux-2.3/src/avc_sidtab.h --- libselinux-2.2.2/src/avc_sidtab.h 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/src/avc_sidtab.h 2014-05-06 17:30:27.000000000 +0000 @@ -25,10 +25,10 @@ }; int sidtab_init(struct sidtab *s) hidden; -int sidtab_insert(struct sidtab *s, security_context_t ctx) hidden; +int sidtab_insert(struct sidtab *s, const char * ctx) hidden; int sidtab_context_to_sid(struct sidtab *s, - security_context_t ctx, security_id_t * sid) hidden; + const char * ctx, security_id_t * sid) hidden; void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) hidden; void sidtab_destroy(struct sidtab *s) hidden; diff -Nru libselinux-2.2.2/src/callbacks.c libselinux-2.3/src/callbacks.c --- libselinux-2.2.2/src/callbacks.c 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/src/callbacks.c 2014-05-06 17:30:27.000000000 +0000 @@ -33,7 +33,7 @@ } static int -default_selinux_validate(security_context_t *ctx) +default_selinux_validate(char **ctx) { return security_check_context(*ctx); } 
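Review bot: In sidtab_insert() the cast in `newctx = (char *) strdup(ctx);` was only needed while security_context_t was a separate typedef; now that newctx is declared `char *` the cast is redundant and would hide a future type mismatch, so the cleaner new line is `newctx = strdup(ctx);`. In the first hunk sidtab_hash() now takes `const char * key` while the locals on the next line stay `char *p, *keyp;` — if the body, which lies outside the hunk, assigns key into keyp it will either discard the qualifier with a warning or need a cast, and declaring them `const char *p, *keyp;` would let the const flow through. sidtab_hash()'s body continues past the end of its hunk.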
@@ -60,7 +60,7 @@ default_selinux_audit; int -(*selinux_validate)(security_context_t *ctx) = +(*selinux_validate)(char **ctx) = default_selinux_validate; int diff -Nru libselinux-2.2.2/src/callbacks.h libselinux-2.3/src/callbacks.h --- libselinux-2.2.2/src/callbacks.h 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/src/callbacks.h 2014-05-06 17:30:27.000000000 +0000 @@ -19,7 +19,7 @@ (*selinux_audit) (void *, security_class_t, char *, size_t) hidden; extern int -(*selinux_validate)(security_context_t *ctx) hidden; +(*selinux_validate)(char **ctx) hidden; extern int (*selinux_netlink_setenforce) (int enforcing) hidden; diff -Nru libselinux-2.2.2/src/canonicalize_context.c libselinux-2.3/src/canonicalize_context.c --- libselinux-2.2.2/src/canonicalize_context.c 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/src/canonicalize_context.c 2014-05-06 17:30:27.000000000 +0000 @@ -9,8 +9,8 @@ #include "policy.h" #include -int security_canonicalize_context_raw(const security_context_t con, - security_context_t * canoncon) +int security_canonicalize_context_raw(const char * con, + char ** canoncon) { char path[PATH_MAX]; char *buf; @@ -62,12 +62,12 @@ hidden_def(security_canonicalize_context_raw) -int security_canonicalize_context(const security_context_t con, - security_context_t * canoncon) +int security_canonicalize_context(const char * con, + char ** canoncon) { int ret; - security_context_t rcon; - security_context_t rcanoncon; + char * rcon; + char * rcanoncon; if (selinux_trans_to_raw_context(con, &rcon)) return -1; diff -Nru libselinux-2.2.2/src/checkAccess.c libselinux-2.3/src/checkAccess.c --- libselinux-2.2.2/src/checkAccess.c 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/src/checkAccess.c 2014-05-06 17:30:27.000000000 +0000 
@@ -15,7 +15,7 @@ avc_open(NULL, 0); } -int selinux_check_access(const security_context_t scon, const security_context_t tcon, const char *class, const char *perm, void *aux) { +int selinux_check_access(const char *scon, const char *tcon, const char *class, const char *perm, void *aux) { int rc; security_id_t scon_id; security_id_t tcon_id; @@ -59,7 +59,7 @@ int selinux_check_passwd_access(access_vector_t requested) { int status = -1; - security_context_t user_context; + char *user_context; if (is_selinux_enabled() == 0) return 0; if (getprevcon_raw(&user_context) == 0) { diff -Nru libselinux-2.2.2/src/check_context.c libselinux-2.3/src/check_context.c --- libselinux-2.2.2/src/check_context.c 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/src/check_context.c 2014-05-06 17:30:27.000000000 +0000 @@ -9,7 +9,7 @@ #include "policy.h" #include -int security_check_context_raw(const security_context_t con) +int security_check_context_raw(const char * con) { char path[PATH_MAX]; int fd, ret; @@ -33,10 +33,10 @@ hidden_def(security_check_context_raw) -int security_check_context(const security_context_t con) +int security_check_context(const char * con) { int ret; - security_context_t rcon; + char * rcon; if (selinux_trans_to_raw_context(con, &rcon)) return -1; diff -Nru libselinux-2.2.2/src/compute_av.c libselinux-2.3/src/compute_av.c --- libselinux-2.2.2/src/compute_av.c 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/src/compute_av.c 2014-05-06 17:30:27.000000000 +0000 @@ -10,8 +10,8 @@ #include "policy.h" #include "mapping.h" -int security_compute_av_flags_raw(const security_context_t scon, - const security_context_t tcon, +int security_compute_av_flags_raw(const char * scon, + const char * tcon, security_class_t tclass, access_vector_t requested, struct av_decision *avd) 
@@ -74,8 +74,8 @@ hidden_def(security_compute_av_flags_raw) -int security_compute_av_raw(const security_context_t scon, - const security_context_t tcon, +int security_compute_av_raw(const char * scon, + const char * tcon, security_class_t tclass, access_vector_t requested, struct av_decision *avd) @@ -101,14 +101,14 @@ hidden_def(security_compute_av_raw) -int security_compute_av_flags(const security_context_t scon, - const security_context_t tcon, +int security_compute_av_flags(const char * scon, + const char * tcon, security_class_t tclass, access_vector_t requested, struct av_decision *avd) { - security_context_t rscon; - security_context_t rtcon; + char * rscon; + char * rtcon; int ret; if (selinux_trans_to_raw_context(scon, &rscon)) @@ -128,8 +128,8 @@ hidden_def(security_compute_av_flags) -int security_compute_av(const security_context_t scon, - const security_context_t tcon, +int security_compute_av(const char * scon, + const char * tcon, security_class_t tclass, access_vector_t requested, struct av_decision *avd) { diff -Nru libselinux-2.2.2/src/compute_create.c libselinux-2.3/src/compute_create.c --- libselinux-2.2.2/src/compute_create.c 2013-12-30 19:39:59.000000000 +0000 +++ libselinux-2.3/src/compute_create.c 2014-05-06 17:30:27.000000000 +0000 @@ -48,11 +48,11 @@ return 0; } -int security_compute_create_name_raw(const security_context_t scon, - const security_context_t tcon, +int security_compute_create_name_raw(const char * scon, + const char * tcon, security_class_t tclass, const char *objname, - security_context_t * newcon) + char ** newcon) { char path[PATH_MAX]; char *buf; 
@@ -107,26 +107,26 @@
 }
 hidden_def(security_compute_create_name_raw)
-int security_compute_create_raw(const security_context_t scon,
-		const security_context_t tcon,
+int security_compute_create_raw(const char * scon,
+		const char * tcon,
 		security_class_t tclass,
-		security_context_t * newcon)
+		char ** newcon)
 {
 	return security_compute_create_name_raw(scon, tcon, tclass, NULL, newcon);
 }
 hidden_def(security_compute_create_raw)
-int security_compute_create_name(const security_context_t scon,
-		const security_context_t tcon,
+int security_compute_create_name(const char * scon,
+		const char * tcon,
 		security_class_t tclass,
 		const char *objname,
-		security_context_t * newcon)
+		char ** newcon)
 {
 	int ret;
-	security_context_t rscon;
-	security_context_t rtcon;
-	security_context_t rnewcon;
+	char * rscon;
+	char * rtcon;
+	char * rnewcon;
 	if (selinux_trans_to_raw_context(scon, &rscon))
 		return -1;
@@ -148,10 +148,10 @@
 }
 hidden_def(security_compute_create_name)
-int security_compute_create(const security_context_t scon,
-		const security_context_t tcon,
+int security_compute_create(const char * scon,
+		const char * tcon,
 		security_class_t tclass,
-		security_context_t * newcon)
+		char ** newcon)
 {
 	return security_compute_create_name(scon, tcon, tclass, NULL, newcon);
 }
diff -Nru libselinux-2.2.2/src/compute_member.c libselinux-2.3/src/compute_member.c
--- libselinux-2.2.2/src/compute_member.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/compute_member.c 2014-05-06 17:30:27.000000000 +0000
@@ -10,10 +10,10 @@
 #include "policy.h"
 #include "mapping.h"
-int security_compute_member_raw(const security_context_t scon,
-		const security_context_t tcon,
+int security_compute_member_raw(const char * scon,
+		const char * tcon,
 		security_class_t tclass,
-		security_context_t * newcon)
+		char ** newcon)
 {
 	char path[PATH_MAX];
 	char *buf;
@@ -62,15 +62,15 @@
 hidden_def(security_compute_member_raw)
-int security_compute_member(const security_context_t scon,
-		const security_context_t tcon,
+int security_compute_member(const char * scon,
+		const char * tcon,
 		security_class_t tclass,
-		security_context_t * newcon)
+		char ** newcon)
 {
 	int ret;
-	security_context_t rscon;
-	security_context_t rtcon;
-	security_context_t rnewcon;
+	char * rscon;
+	char * rtcon;
+	char * rnewcon;
 	if (selinux_trans_to_raw_context(scon, &rscon))
 		return -1;
diff -Nru libselinux-2.2.2/src/compute_relabel.c libselinux-2.3/src/compute_relabel.c
--- libselinux-2.2.2/src/compute_relabel.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/compute_relabel.c 2014-05-06 17:30:27.000000000 +0000
@@ -10,10 +10,10 @@
 #include "policy.h"
 #include "mapping.h"
-int security_compute_relabel_raw(const security_context_t scon,
-		const security_context_t tcon,
+int security_compute_relabel_raw(const char * scon,
+		const char * tcon,
 		security_class_t tclass,
-		security_context_t * newcon)
+		char ** newcon)
 {
 	char path[PATH_MAX];
 	char *buf;
@@ -62,15 +62,15 @@
 hidden_def(security_compute_relabel_raw)
-int security_compute_relabel(const security_context_t scon,
-		const security_context_t tcon,
+int security_compute_relabel(const char * scon,
+		const char * tcon,
 		security_class_t tclass,
-		security_context_t * newcon)
+		char ** newcon)
 {
 	int ret;
-	security_context_t rscon;
-	security_context_t rtcon;
-	security_context_t rnewcon;
+	char * rscon;
+	char * rtcon;
+	char * rnewcon;
 	if (selinux_trans_to_raw_context(scon, &rscon))
 		return -1;
diff -Nru libselinux-2.2.2/src/compute_user.c libselinux-2.3/src/compute_user.c
--- libselinux-2.2.2/src/compute_user.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/compute_user.c 2014-05-06 17:30:27.000000000 +0000
@@ -9,8 +9,8 @@
 #include "policy.h"
 #include
-int security_compute_user_raw(const security_context_t scon,
-		const char *user, security_context_t ** con)
+int security_compute_user_raw(const char * scon,
+		const char *user, char *** con)
 {
 	char path[PATH_MAX];
 	char **ary;
@@ -79,11 +79,11 @@
 hidden_def(security_compute_user_raw)
-int security_compute_user(const security_context_t scon,
-		const char *user, security_context_t ** con)
+int security_compute_user(const char * scon,
+		const char *user, char *** con)
 {
 	int ret;
-	security_context_t rscon;
+	char * rscon;
 	if (selinux_trans_to_raw_context(scon, &rscon))
 		return -1;
@@ -92,7 +92,7 @@
 	freecon(rscon);
 	if (!ret) {
-		security_context_t *ptr, tmpcon;
+		char **ptr, *tmpcon;
 		for (ptr = *con; *ptr; ptr++) {
 			if (selinux_raw_to_trans_context(*ptr, &tmpcon)) {
 				freeconary(*con);
diff -Nru libselinux-2.2.2/src/enabled.c libselinux-2.3/src/enabled.c
--- libselinux-2.2.2/src/enabled.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/enabled.c 2014-05-06 17:30:27.000000000 +0000
@@ -12,7 +12,7 @@
 int is_selinux_enabled(void)
 {
 	int enabled = 0;
-	security_context_t con;
+	char * con;
 	/* init_selinuxmnt() gets called before this function. We
 	 * will assume that if a selinux file system is mounted, then
diff -Nru libselinux-2.2.2/src/fgetfilecon.c libselinux-2.3/src/fgetfilecon.c
--- libselinux-2.2.2/src/fgetfilecon.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/fgetfilecon.c 2014-05-06 17:30:27.000000000 +0000
@@ -7,7 +7,7 @@
 #include "selinux_internal.h"
 #include "policy.h"
-int fgetfilecon_raw(int fd, security_context_t * context)
+int fgetfilecon_raw(int fd, char ** context)
 {
 	char *buf;
 	ssize_t size;
@@ -51,9 +51,9 @@
 hidden_def(fgetfilecon_raw)
-int fgetfilecon(int fd, security_context_t * context)
+int fgetfilecon(int fd, char ** context)
 {
-	security_context_t rcontext;
+	char * rcontext;
 	int ret;
 	*context = NULL;
diff -Nru libselinux-2.2.2/src/freeconary.c libselinux-2.3/src/freeconary.c
--- libselinux-2.2.2/src/freeconary.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/freeconary.c 2014-05-06 17:30:27.000000000 +0000
@@ -3,7 +3,7 @@
 #include
 #include
-void freeconary(security_context_t * con)
+void freeconary(char ** con)
 {
 	char **ptr;
diff -Nru libselinux-2.2.2/src/freecon.c libselinux-2.3/src/freecon.c
--- libselinux-2.2.2/src/freecon.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/freecon.c 2014-05-06 17:30:27.000000000 +0000
@@ -3,7 +3,7 @@
 #include
 #include
-void freecon(security_context_t con)
+void freecon(char * con)
 {
 	free(con);
 }
diff -Nru libselinux-2.2.2/src/fsetfilecon.c libselinux-2.3/src/fsetfilecon.c
--- libselinux-2.2.2/src/fsetfilecon.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/fsetfilecon.c 2014-05-06 17:30:27.000000000 +0000
@@ -7,12 +7,12 @@
 #include "selinux_internal.h"
 #include "policy.h"
-int fsetfilecon_raw(int fd, const security_context_t context)
+int fsetfilecon_raw(int fd, const char * context)
 {
 	int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
 	if (rc < 0 && errno == ENOTSUP) {
-		security_context_t ccontext = NULL;
+		char * ccontext = NULL;
 		int err = errno;
 		if ((fgetfilecon_raw(fd, &ccontext) >= 0) && (strcmp(context,ccontext) == 0)) {
@@ -27,10 +27,10 @@
 hidden_def(fsetfilecon_raw)
-int fsetfilecon(int fd, const security_context_t context)
+int fsetfilecon(int fd, const char *context)
 {
 	int ret;
-	security_context_t rcontext;
+	char * rcontext;
 	if (selinux_trans_to_raw_context(context, &rcontext))
 		return -1;
diff -Nru libselinux-2.2.2/src/get_context_list.c libselinux-2.3/src/get_context_list.c
--- libselinux-2.2.2/src/get_context_list.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/get_context_list.c 2014-05-06 17:30:27.000000000 +0000
@@ -12,10 +12,10 @@
 int get_default_context_with_role(const char *user, const char *role,
-		security_context_t fromcon,
-		security_context_t * newcon)
+		char * fromcon,
+		char ** newcon)
 {
-	security_context_t *conary;
+	char **conary;
 	char **ptr;
 	context_t con;
 	const char *role2;
@@ -56,8 +56,8 @@
 int get_default_context_with_rolelevel(const char *user, const char *role, const char *level,
-		security_context_t fromcon,
-		security_context_t * newcon)
+		char * fromcon,
+		char ** newcon)
 {
 	int rc = 0;
@@ -98,9 +98,9 @@
 }
 int get_default_context(const char *user,
-		security_context_t fromcon, security_context_t * newcon)
+		char * fromcon, char ** newcon)
 {
-	security_context_t *conary;
+	char **conary;
 	int rc;
 	rc = get_ordered_context_list(user, fromcon, &conary);
@@ -114,7 +114,7 @@
 	return 0;
 }
-static int find_partialcon(security_context_t * list,
+static int find_partialcon(char ** list,
 		unsigned int nreach, char *part)
 {
 	const char *conrole, *contype;
@@ -155,8 +155,8 @@
 }
 static int get_context_order(FILE * fp,
-		security_context_t fromcon,
-		security_context_t * reachable,
+		char * fromcon,
+		char ** reachable,
 		unsigned int nreach, unsigned int *ordering, unsigned int *nordered)
 {
@@ -268,7 +268,7 @@
 	return rc;
 }
-static int get_failsafe_context(const char *user, security_context_t * newcon)
+static int get_failsafe_context(const char *user, char ** newcon)
 {
 	FILE *fp;
 	char buf[255], *ptr;
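Review bot: The `fromcon` parameter of get_default_context_with_role, get_default_context_with_rolelevel, get_default_context and get_context_order is declared `char * fromcon` although the commit's stated purpose is to fix the const declarations and the context is only an input here; `const char *fromcon` would let callers pass a `const char *` without a cast and would document that ownership stays with the caller. The same applies to get_ordered_context_list_with_level, get_default_context_with_level and get_ordered_context_list in the following hunks of this file. Changing the public header accordingly stays source-compatible for existing callers, since a `char *` converts implicitly to `const char *`. The bodies of these functions are outside the hunks (and get_ordered_context_list_with_level keeps an `int freefrom` flag), so I cannot confirm from here that none of them frees or writes through `fromcon`; that would need checking before the change.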
@@ -314,7 +314,7 @@
 }
 struct context_order {
-	security_context_t con;
+	char * con;
 	unsigned int order;
 };
@@ -330,8 +330,8 @@
 int get_ordered_context_list_with_level(const char *user, const char *level,
-		security_context_t fromcon,
-		security_context_t ** list)
+		char * fromcon,
+		char *** list)
 {
 	int rc;
 	int freefrom = 0;
@@ -373,10 +373,10 @@
 int get_default_context_with_level(const char *user, const char *level,
-		security_context_t fromcon,
-		security_context_t * newcon)
+		char * fromcon,
+		char ** newcon)
 {
-	security_context_t *conary;
+	char **conary;
 	int rc;
 	rc = get_ordered_context_list_with_level(user, level, fromcon, &conary);
@@ -391,10 +391,10 @@
 }
 int get_ordered_context_list(const char *user,
-		security_context_t fromcon,
-		security_context_t ** list)
+		char * fromcon,
+		char *** list)
 {
-	security_context_t *reachable = NULL;
+	char **reachable = NULL;
 	unsigned int *ordering = NULL;
 	struct context_order *co = NULL;
 	char **ptr;
@@ -507,7 +507,7 @@
 	   the "failsafe" context to at least permit root login for emergency recovery if possible. */
 	freeconary(reachable);
-	reachable = malloc(2 * sizeof(security_context_t));
+	reachable = malloc(2 * sizeof(char *));
 	if (!reachable) {
 		rc = -1;
 		goto out;
diff -Nru libselinux-2.2.2/src/getfilecon.c libselinux-2.3/src/getfilecon.c
--- libselinux-2.2.2/src/getfilecon.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/getfilecon.c 2014-05-06 17:30:27.000000000 +0000
@@ -7,7 +7,7 @@
 #include
 #include "policy.h"
-int getfilecon_raw(const char *path, security_context_t * context)
+int getfilecon_raw(const char *path, char ** context)
 {
 	char *buf;
 	ssize_t size;
@@ -51,10 +51,10 @@
 hidden_def(getfilecon_raw)
-int getfilecon(const char *path, security_context_t * context)
+int getfilecon(const char *path, char ** context)
 {
 	int ret;
-	security_context_t rcontext;
+	char * rcontext;
 	*context = NULL;
diff -Nru libselinux-2.2.2/src/get_initial_context.c libselinux-2.3/src/get_initial_context.c
--- libselinux-2.2.2/src/get_initial_context.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/get_initial_context.c 2014-05-06 17:30:27.000000000 +0000
@@ -11,7 +11,7 @@
 #define SELINUX_INITCON_DIR "/initial_contexts/"
-int security_get_initial_context_raw(const char * name, security_context_t * con)
+int security_get_initial_context_raw(const char * name, char ** con)
 {
 	char path[PATH_MAX];
 	char *buf;
@@ -55,10 +55,10 @@
 hidden_def(security_get_initial_context_raw)
-int security_get_initial_context(const char * name, security_context_t * con)
+int security_get_initial_context(const char * name, char ** con)
 {
 	int ret;
-	security_context_t rcon;
+	char * rcon;
 	ret = security_get_initial_context_raw(name, &rcon);
 	if (!ret) {
diff -Nru libselinux-2.2.2/src/getpeercon.c libselinux-2.3/src/getpeercon.c
--- libselinux-2.2.2/src/getpeercon.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/getpeercon.c 2014-05-06 17:30:27.000000000 +0000
@@ -11,7 +11,7 @@
 #define SO_PEERSEC 31
 #endif
-int getpeercon_raw(int fd, security_context_t * context)
+int getpeercon_raw(int fd, char ** context)
 {
 	char *buf;
 	socklen_t size;
@@ -45,10 +45,10 @@
 hidden_def(getpeercon_raw)
-int getpeercon(int fd, security_context_t * context)
+int getpeercon(int fd, char ** context)
 {
 	int ret;
-	security_context_t rcontext;
+	char * rcontext;
 	ret = getpeercon_raw(fd, &rcontext);
diff -Nru libselinux-2.2.2/src/is_customizable_type.c libselinux-2.3/src/is_customizable_type.c
--- libselinux-2.2.2/src/is_customizable_type.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/is_customizable_type.c 2014-05-06 17:30:27.000000000 +0000
@@ -9,12 +9,12 @@
 #include "selinux_internal.h"
 #include "context_internal.h"
-static int get_customizable_type_list(security_context_t ** retlist)
+static int get_customizable_type_list(char *** retlist)
 {
 	FILE *fp;
 	char *buf;
 	unsigned int ctr = 0, i;
-	security_context_t *list = NULL;
+	char **list = NULL;
 	fp = fopen(selinux_customizable_types_path(), "r");
 	if (!fp)
@@ -31,14 +31,14 @@
 	rewind(fp);
 	if (ctr) {
 		list =
-		    (security_context_t *) calloc(sizeof(security_context_t),
+		    (char **) calloc(sizeof(char *),
 		    ctr + 1);
 		if (list) {
 			i = 0;
 			while (fgets_unlocked(buf, selinux_page_size, fp)
 			       && i < ctr) {
 				buf[strlen(buf) - 1] = 0;
-				list[i] = (security_context_t) strdup(buf);
+				list[i] = (char *) strdup(buf);
 				if (!list[i]) {
 					unsigned int j;
 					for (j = 0; j < i; j++)
@@ -59,9 +59,9 @@
 	return 0;
 }
-static security_context_t *customizable_list = NULL;
+static char **customizable_list = NULL;
-int is_context_customizable(const security_context_t scontext)
+int is_context_customizable(const char * scontext)
 {
 	int i;
 	const char *type;
diff -Nru libselinux-2.2.2/src/label.c libselinux-2.3/src/label.c
--- libselinux-2.2.2/src/label.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/label.c 2014-05-06 17:30:27.000000000 +0000
@@ -230,7 +230,7 @@
 	return lr;
 }
-int selabel_lookup(struct selabel_handle *rec, security_context_t *con,
+int selabel_lookup(struct selabel_handle *rec, char **con,
 		const char *key, int type)
 {
 	struct selabel_lookup_rec *lr;
@@ -243,7 +243,7 @@
 	return *con ? 0 : -1;
 }
-int selabel_lookup_raw(struct selabel_handle *rec, security_context_t *con,
+int selabel_lookup_raw(struct selabel_handle *rec, char **con,
 		const char *key, int type)
 {
 	struct selabel_lookup_rec *lr;
diff -Nru libselinux-2.2.2/src/label_internal.h libselinux-2.3/src/label_internal.h
--- libselinux-2.2.2/src/label_internal.h 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/label_internal.h 2014-05-06 17:30:27.000000000 +0000
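Review bot: With the typedef gone, the casts kept in get_customizable_type_list are pure noise: `(char **) calloc(sizeof(char *), ctr + 1)` and `(char *) strdup(buf)` cast a `void *` and a `char *` to the type they already convert to. The idiomatic form is `list = calloc(ctr + 1, sizeof *list);` and `list[i] = strdup(buf);`, which also puts calloc's count and element size in their documented order and ties the element size to the variable instead of a repeated type. Visible in the same hunk but not introduced by this commit, `buf[strlen(buf) - 1] = 0;` strips the last character of the final line even when it has no trailing newline, so a customizable_types file without a final newline loses the last character of its last type; that is pre-existing behaviour worth a separate fix.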
@@ -42,8 +42,8 @@
 		struct selabel_sub *list);
 struct selabel_lookup_rec {
-	security_context_t ctx_raw;
-	security_context_t ctx_trans;
+	char * ctx_raw;
+	char * ctx_trans;
 	int validated;
 };
diff -Nru libselinux-2.2.2/src/lgetfilecon.c libselinux-2.3/src/lgetfilecon.c
--- libselinux-2.2.2/src/lgetfilecon.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/lgetfilecon.c 2014-05-06 17:30:27.000000000 +0000
@@ -7,7 +7,7 @@
 #include "selinux_internal.h"
 #include "policy.h"
-int lgetfilecon_raw(const char *path, security_context_t * context)
+int lgetfilecon_raw(const char *path, char ** context)
 {
 	char *buf;
 	ssize_t size;
@@ -51,10 +51,10 @@
 hidden_def(lgetfilecon_raw)
-int lgetfilecon(const char *path, security_context_t * context)
+int lgetfilecon(const char *path, char ** context)
 {
 	int ret;
-	security_context_t rcontext;
+	char * rcontext;
 	*context = NULL;
diff -Nru libselinux-2.2.2/src/lsetfilecon.c libselinux-2.3/src/lsetfilecon.c
--- libselinux-2.2.2/src/lsetfilecon.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/lsetfilecon.c 2014-05-06 17:30:27.000000000 +0000
@@ -7,12 +7,12 @@
 #include "selinux_internal.h"
 #include "policy.h"
-int lsetfilecon_raw(const char *path, const security_context_t context)
+int lsetfilecon_raw(const char *path, const char * context)
 {
 	int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
 	if (rc < 0 && errno == ENOTSUP) {
-		security_context_t ccontext = NULL;
+		char * ccontext = NULL;
 		int err = errno;
 		if ((lgetfilecon_raw(path, &ccontext) >= 0) && (strcmp(context,ccontext) == 0)) {
@@ -27,10 +27,10 @@
 hidden_def(lsetfilecon_raw)
-int lsetfilecon(const char *path, const security_context_t context)
+int lsetfilecon(const char *path, const char *context)
 {
 	int ret;
-	security_context_t rcontext;
+	char * rcontext;
 	if (selinux_trans_to_raw_context(context, &rcontext))
 		return -1;
diff -Nru libselinux-2.2.2/src/Makefile libselinux-2.3/src/Makefile
--- libselinux-2.2.2/src/Makefile 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/Makefile 2014-05-06 17:30:27.000000000 +0000
@@ -45,9 +45,6 @@
 ifeq ($(DISABLE_BOOL),y)
     UNUSED_SRCS+=booleans.c
 endif
-ifeq ($(DISABLE_RPM),y)
-    UNUSED_SRCS+=rpm.c
-endif
 GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
 SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(wildcard *.c))
diff -Nru libselinux-2.2.2/src/matchmediacon.c libselinux-2.3/src/matchmediacon.c
--- libselinux-2.2.2/src/matchmediacon.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/matchmediacon.c 2014-05-06 17:30:27.000000000 +0000
@@ -11,7 +11,7 @@
 #include
 #include
-int matchmediacon(const char *media, security_context_t * con)
+int matchmediacon(const char *media, char ** con)
 {
 	const char *path = selinux_media_context_path();
 	FILE *infile;
diff -Nru libselinux-2.2.2/src/matchpathcon.c libselinux-2.3/src/matchpathcon.c
--- libselinux-2.2.2/src/matchpathcon.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/matchpathcon.c 2014-05-06 17:30:27.000000000 +0000
@@ -406,7 +406,7 @@
 	return rc;
 }
-int matchpathcon(const char *path, mode_t mode, security_context_t * con)
+int matchpathcon(const char *path, mode_t mode, char ** con)
 {
 	char stackpath[PATH_MAX + 1];
 	char *p = NULL;
@@ -427,7 +427,7 @@
 	selabel_lookup(hnd, con, path, mode);
 }
-int matchpathcon_index(const char *name, mode_t mode, security_context_t * con)
+int matchpathcon_index(const char *name, mode_t mode, char ** con)
 {
 	int i = matchpathcon(name, mode, con);
@@ -444,8 +444,8 @@
 /* Compare two contexts to see if their differences are "significant",
  * or whether the only difference is in the user. */
-int selinux_file_context_cmp(const security_context_t a,
-		const security_context_t b)
+int selinux_file_context_cmp(const char * a,
+		const char * b)
 {
 	char *rest_a, *rest_b;	/* Rest of the context after the user */
 	if (!a && !b)
@@ -467,8 +467,8 @@
 int selinux_file_context_verify(const char *path, mode_t mode)
 {
-	security_context_t con = NULL;
-	security_context_t fcontext = NULL;
+	char * con = NULL;
+	char * fcontext = NULL;
 	int rc = 0;
 	rc = lgetfilecon_raw(path, &con);
@@ -506,7 +506,7 @@
 {
 	struct stat st;
 	int rc = -1;
-	security_context_t scontext = NULL;
+	char * scontext = NULL;
 	if (lstat(path, &st) != 0)
 		return rc;
diff -Nru libselinux-2.2.2/src/procattr.c libselinux-2.3/src/procattr.c
--- libselinux-2.2.2/src/procattr.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/procattr.c 2014-05-06 17:30:27.000000000 +0000
@@ -9,15 +9,15 @@
 #include "selinux_internal.h"
 #include "policy.h"
-#define UNSET (const security_context_t) -1
+#define UNSET (char *) -1
 static __thread pid_t cpid;
 static __thread pid_t tid;
-static __thread security_context_t prev_current = UNSET;
-static __thread security_context_t prev_exec = UNSET;
-static __thread security_context_t prev_fscreate = UNSET;
-static __thread security_context_t prev_keycreate = UNSET;
-static __thread security_context_t prev_sockcreate = UNSET;
+static __thread char *prev_current = UNSET;
+static __thread char * prev_exec = UNSET;
+static __thread char * prev_fscreate = UNSET;
+static __thread char * prev_keycreate = UNSET;
+static __thread char * prev_sockcreate = UNSET;
 static pthread_once_t once = PTHREAD_ONCE_INIT;
 static pthread_key_t destructor_key;
@@ -107,7 +107,7 @@
 	return fd;
 }
-static int getprocattrcon_raw(security_context_t * context,
+static int getprocattrcon_raw(char ** context,
 		pid_t pid, const char *attr)
 {
 	char *buf;
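Review bot: `#define UNSET (char *) -1` expands to an unparenthesised cast expression; it parses as intended in the `= UNSET` initialisers and in `*prev_context != UNSET`, but any later use inside a larger expression would bind differently, so the conventional form is `#define UNSET ((char *) -1)`. Dropping the `const` of the old `(const security_context_t) -1` is right, since the sentinel is stored in non-const `char *` thread-locals that are later assigned and freed. The five thread-local declarations that follow mix `char *prev_current` with `char * prev_exec`; one spacing for the group would read better.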
@@ -115,7 +115,7 @@
 	int fd;
 	ssize_t ret;
 	int errno_hold;
-	security_context_t prev_context;
+	char * prev_context;
 	__selinux_once(once, init_procattr);
 	init_thread_destructor();
@@ -193,11 +193,11 @@
 	return ret;
 }
-static int getprocattrcon(security_context_t * context,
+static int getprocattrcon(char ** context,
 		pid_t pid, const char *attr)
 {
 	int ret;
-	security_context_t rcontext;
+	char * rcontext;
 	ret = getprocattrcon_raw(&rcontext, pid, attr);
@@ -209,13 +209,13 @@
 	return ret;
 }
-static int setprocattrcon_raw(security_context_t context,
+static int setprocattrcon_raw(const char * context,
 		pid_t pid, const char *attr)
 {
 	int fd;
 	ssize_t ret;
 	int errno_hold;
-	security_context_t *prev_context;
+	char **prev_context, *context2 = NULL;
 	__selinux_once(once, init_procattr);
 	init_thread_destructor();
@@ -255,11 +255,11 @@
 		return -1;
 	if (context) {
 		ret = -1;
-		context = strdup(context);
-		if (!context)
+		context2 = strdup(context);
+		if (!context2)
 			goto out;
 		do {
-			ret = write(fd, context, strlen(context) + 1);
+			ret = write(fd, context2, strlen(context2) + 1);
 		} while (ret < 0 && errno == EINTR);
 	} else {
 		do {
@@ -271,21 +271,21 @@
 	close(fd);
 	errno = errno_hold;
 	if (ret < 0) {
-		free(context);
+		free(context2);
 		return -1;
 	} else {
 		if (*prev_context != UNSET)
 			free(*prev_context);
-		*prev_context = context;
+		*prev_context = context2;
 		return 0;
 	}
 }
-static int setprocattrcon(const security_context_t context,
+static int setprocattrcon(const char * context,
 		pid_t pid, const char *attr)
 {
 	int ret;
-	security_context_t rcontext;
+	char * rcontext;
 	if (selinux_trans_to_raw_context(context, &rcontext))
 		return -1;
@@ -298,21 +298,21 @@
 }
 #define getselfattr_def(fn, attr) \
-	int get##fn##_raw(security_context_t *c) \
+	int get##fn##_raw(char **c) \
 	{ \
 		return getprocattrcon_raw(c, 0, #attr); \
 	} \
-	int get##fn(security_context_t *c) \
+	int get##fn(char **c) \
 	{ \
 		return getprocattrcon(c, 0, #attr); \
 	}
 #define setselfattr_def(fn, attr) \
-	int set##fn##_raw(const security_context_t c) \
+	int set##fn##_raw(const char * c) \
 	{ \
 		return setprocattrcon_raw(c, 0, #attr); \
 	} \
-	int set##fn(const security_context_t c) \
+	int set##fn(const char * c) \
 	{ \
 		return setprocattrcon(c, 0, #attr); \
 	}
@@ -322,11 +322,11 @@
 	setselfattr_def(fn, attr)
 #define getpidattr_def(fn, attr) \
-	int get##fn##_raw(pid_t pid, security_context_t *c) \
+	int get##fn##_raw(pid_t pid, char **c) \
 	{ \
 		return getprocattrcon_raw(c, pid, #attr); \
 	} \
-	int get##fn(pid_t pid, security_context_t *c) \
+	int get##fn(pid_t pid, char **c) \
 	{ \
 		return getprocattrcon(c, pid, #attr); \
 	}
diff -Nru libselinux-2.2.2/src/query_user_context.c libselinux-2.3/src/query_user_context.c
--- libselinux-2.2.2/src/query_user_context.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/query_user_context.c 2014-05-06 17:30:27.000000000 +0000
@@ -9,7 +9,7 @@
  * to the user. Returns the number (position in the list) of
  * the user selected context. */
-static int context_menu(security_context_t * list)
+static int context_menu(char ** list)
 {
 	int i;		/* array index */
 	int choice = 0;		/* index of the user's choice */
@@ -35,7 +35,7 @@
  * default is the first context in the list. Returns 0 on
  * success, -1 on failure */
-int query_user_context(security_context_t * list, security_context_t * usercon)
+int query_user_context(char ** list, char ** usercon)
 {
 	char response[10];	/* The user's response */
 	int choice;		/* The index in the list of the sid chosen by
@@ -103,7 +103,7 @@
  * context chosen by the user into usercon. Returns 0
  * on success. */
-int manual_user_enter_context(const char *user, security_context_t * newcon)
+int manual_user_enter_context(const char *user, char ** newcon)
 {
 	char response[10];	/* Used to get yes or no answers from user */
 	char role[100];		/* The role requested by the user */
diff -Nru libselinux-2.2.2/src/rpm.c libselinux-2.3/src/rpm.c
--- libselinux-2.2.2/src/rpm.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/rpm.c 1970-01-01 00:00:00.000000000 +0000
@@ -1,58 +0,0 @@
-#include
-#include
-#include
-#include
-#include "selinux_internal.h"
-#include "context_internal.h"
-
-int rpm_execcon(unsigned int verified __attribute__ ((unused)),
-		const char *filename, char *const argv[], char *const envp[])
-{
-	security_context_t mycon = NULL, fcon = NULL, newcon = NULL;
-	context_t con = NULL;
-	int rc = 0;
-
-	if (is_selinux_enabled() < 1)
-		return execve(filename, argv, envp);
-
-	rc = getcon(&mycon);
-	if (rc < 0)
-		goto out;
-
-	rc = getfilecon(filename, &fcon);
-	if (rc < 0)
-		goto out;
-
-	rc = security_compute_create(mycon, fcon, SECCLASS_PROCESS, &newcon);
-	if (rc < 0)
-		goto out;
-
-	if (!strcmp(mycon, newcon)) {
-		/* No default transition, use rpm_script_t for now. */
-		rc = -1;
-		con = context_new(mycon);
-		if (!con)
-			goto out;
-		if (context_type_set(con, "rpm_script_t"))
-			goto out;
-		freecon(newcon);
-		newcon = strdup(context_str(con));
-		if (!newcon)
-			goto out;
-		rc = 0;
-	}
-
-	rc = setexeccon(newcon);
-	if (rc < 0)
-		goto out;
-      out:
-
-	if (rc >= 0 || security_getenforce() < 1)
-		rc = execve(filename, argv, envp);
-
-	context_free(con);
-	freecon(newcon);
-	freecon(fcon);
-	freecon(mycon);
-	return rc < 0 ? rc : 0;
-}
diff -Nru libselinux-2.2.2/src/selinux_check_securetty_context.c libselinux-2.3/src/selinux_check_securetty_context.c
--- libselinux-2.2.2/src/selinux_check_securetty_context.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/selinux_check_securetty_context.c 2014-05-06 17:30:27.000000000 +0000
@@ -6,7 +6,7 @@
 #include "selinux_internal.h"
 #include "context_internal.h"
-int selinux_check_securetty_context(const security_context_t tty_context)
+int selinux_check_securetty_context(const char * tty_context)
 {
 	char *line = NULL;
 	char *start, *end = NULL;
diff -Nru libselinux-2.2.2/src/selinuxswig.i libselinux-2.3/src/selinuxswig.i
--- libselinux-2.2.2/src/selinuxswig.i 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/selinuxswig.i 2014-05-06 17:30:27.000000000 +0000
@@ -34,11 +34,11 @@
 	}
 }
-%typemap(in, numinputs=0) (security_context_t **) (security_context_t *temp) {
+%typemap(in, numinputs=0) (char ***) (char **temp) {
 	$1 = &temp;
 }
-%typemap(freearg) (security_context_t **) {
+%typemap(freearg) (char ***) {
 	if (*$1) freeconary(*$1);
 }
diff -Nru libselinux-2.2.2/src/selinuxswig_python.i libselinux-2.3/src/selinuxswig_python.i
--- libselinux-2.2.2/src/selinuxswig_python.i 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/selinuxswig_python.i 2014-05-06 17:30:27.000000000 +0000
@@ -83,7 +83,7 @@
 }
 /* Makes security_compute_user() return a Python list of contexts */
-%typemap(argout) (security_context_t **con) {
+%typemap(argout) (char ***con) {
 	PyObject* plist;
 	int i, len = 0;
@@ -104,7 +104,7 @@
 }
 /* Makes functions in get_context_list.h return a Python list of contexts */
-%typemap(argout) (security_context_t **list) {
+%typemap(argout) (char ***list) {
 	PyObject* plist;
 	int i;
@@ -122,11 +122,11 @@
 	$result = plist;
 }
-%typemap(in,noblock=1,numinputs=0) security_context_t * (security_context_t temp = 0) {
+%typemap(in,noblock=1,numinputs=0) char ** (char * temp = 0) {
 	$1 = &temp;
 }
-%typemap(freearg,match="in") security_context_t * "";
-%typemap(argout,noblock=1) security_context_t * {
+%typemap(freearg,match="in") char ** "";
+%typemap(argout,noblock=1) char ** {
 	if (*$1) {
 		%append_output(SWIG_FromCharPtr(*$1));
 		freecon(*$1);
diff -Nru libselinux-2.2.2/src/selinuxswig_ruby.i libselinux-2.3/src/selinuxswig_ruby.i
--- libselinux-2.2.2/src/selinuxswig_ruby.i 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/selinuxswig_ruby.i 2014-05-06 17:30:27.000000000 +0000
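Review bot: Replacing `security_context_t *`/`security_context_t **` with `char **`/`char ***` in these typemaps widens what they match: SWIG applied the old ones only to parameters spelled with the typedef name, whereas `char **` and `char ***` now apply to every parameter of that type in the wrapped headers, and the `freearg` typemap here calls freeconary() unconditionally on the `char ***` output. The headers are not part of this diff, so please check that no other `char **`/`char ***` parameter in the same interface file is an input, or an output array that freeconary() is not meant to free. Where that is the case, naming the parameter in the typemap, as `(char ***con)` and `(char ***list)` already do in selinuxswig_python.i, keeps the match targeted. The same consideration applies to the selinuxswig_ruby.i hunk.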
@@ -18,11 +18,11 @@
 	$1 = &temp;
 }
-%typemap(in,noblock=1,numinputs=0) security_context_t * (security_context_t temp = 0) {
+%typemap(in,noblock=1,numinputs=0) char ** (char * temp = 0) {
 	$1 = &temp;
 }
-%typemap(freearg,match="in") security_context_t * "";
-%typemap(argout,noblock=1) security_context_t * {
+%typemap(freearg,match="in") char ** "";
+%typemap(argout,noblock=1) char ** {
 	if (*$1) {
 		%append_output(SWIG_FromCharPtr(*$1));
 		freecon(*$1);
diff -Nru libselinux-2.2.2/src/setexecfilecon.c libselinux-2.3/src/setexecfilecon.c
--- libselinux-2.2.2/src/setexecfilecon.c 1970-01-01 00:00:00.000000000 +0000
+++ libselinux-2.3/src/setexecfilecon.c 2014-05-06 17:30:27.000000000 +0000
@@ -0,0 +1,71 @@
+#include
+#include
+#include
+#include
+#include "selinux_internal.h"
+#include "context_internal.h"
+
+int setexecfilecon(const char *filename, const char *fallback_type)
+{
+	char * mycon = NULL, *fcon = NULL, *newcon = NULL;
+	context_t con = NULL;
+	int rc = 0;
+
+	if (is_selinux_enabled() < 1)
+		return 0;
+
+	rc = getcon(&mycon);
+	if (rc < 0)
+		goto out;
+
+	rc = getfilecon(filename, &fcon);
+	if (rc < 0)
+		goto out;
+
+	rc = security_compute_create(mycon, fcon, SECCLASS_PROCESS, &newcon);
+	if (rc < 0)
+		goto out;
+
+	if (!strcmp(mycon, newcon)) {
+		/* No default transition, use fallback_type for now. */
+		rc = -1;
+		con = context_new(mycon);
+		if (!con)
+			goto out;
+		if (context_type_set(con, fallback_type))
+			goto out;
+		freecon(newcon);
+		newcon = strdup(context_str(con));
+		if (!newcon)
+			goto out;
+		rc = 0;
+	}
+
+	rc = setexeccon(newcon);
+	if (rc < 0)
+		goto out;
+      out:
+
+	if (rc < 0 && security_getenforce() == 0)
+		rc = 0;
+
+	context_free(con);
+	freecon(newcon);
+	freecon(fcon);
+	freecon(mycon);
+	return rc < 0 ? rc : 0;
+}
+
+#ifndef DISABLE_RPM
+int rpm_execcon(unsigned int verified __attribute__ ((unused)),
+		const char *filename, char *const argv[], char *const envp[])
+{
+	int rc;
+
+	rc = setexecfilecon(filename, "rpm_script_t");
+	if (rc < 0)
+		return rc;
+
+	return execve(filename, argv, envp);
+}
+#endif
diff -Nru libselinux-2.2.2/src/setfilecon.c libselinux-2.3/src/setfilecon.c
--- libselinux-2.2.2/src/setfilecon.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/setfilecon.c 2014-05-06 17:30:27.000000000 +0000
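Review bot: setexecfilecon is a new public entry point with no comment describing its contract, and the part callers most need to know is the `if (rc < 0 && security_getenforce() == 0) rc = 0;` after `out:`: every failure — getcon, getfilecon, security_compute_create, building the fallback context and setexeccon itself — is reported as success in permissive mode, so a caller cannot tell that no exec context was set. I would add a header comment stating that, plus that the transition is computed from the label getfilecon() returns for `filename` at call time (not from whatever file a later execve() of that path opens) and that `fallback_type` replaces the type only when the policy defines no transition. The `if (rc < 0) goto out;` immediately before `out:` is redundant and can be dropped. On the error return, errno has by then passed through security_getenforce(), context_free() and freecon(); their bodies are not in this diff, so whether they preserve it is an assumption, but saving errno before the cleanup and restoring it before `return` would make the -1 diagnosable for callers. rpm_execcon inherits the permissive-mode behaviour of exec'ing without a transition, which the new layering hides; a one-line comment at the call, e.g. `/* in permissive mode a failed transition is reported as 0 and the exec proceeds */`, keeps that visible.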
@@ -7,12 +7,12 @@
 #include "selinux_internal.h"
 #include "policy.h"
-int setfilecon_raw(const char *path, const security_context_t context)
+int setfilecon_raw(const char *path, const char * context)
 {
 	int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
 	if (rc < 0 && errno == ENOTSUP) {
-		security_context_t ccontext = NULL;
+		char * ccontext = NULL;
 		int err = errno;
 		if ((getfilecon_raw(path, &ccontext) >= 0) && (strcmp(context,ccontext) == 0)) {
@@ -27,10 +27,10 @@
 hidden_def(setfilecon_raw)
-int setfilecon(const char *path, const security_context_t context)
+int setfilecon(const char *path, const char *context)
 {
 	int ret;
-	security_context_t rcontext;
+	char * rcontext;
 	if (selinux_trans_to_raw_context(context, &rcontext))
 		return -1;
diff -Nru libselinux-2.2.2/src/setrans_client.c libselinux-2.3/src/setrans_client.c
--- libselinux-2.2.2/src/setrans_client.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/src/setrans_client.c 2014-05-06 17:30:27.000000000 +0000
@@ -26,12 +26,12 @@
 static int mls_enabled = -1;
 // Simple cache
-static __thread security_context_t prev_t2r_trans = NULL;
-static __thread security_context_t prev_t2r_raw = NULL;
-static __thread security_context_t prev_r2t_trans = NULL;
-static __thread security_context_t prev_r2t_raw = NULL;
+static __thread char * prev_t2r_trans = NULL;
+static __thread char * prev_t2r_raw = NULL;
+static __thread char * prev_r2t_trans = NULL;
+static __thread char * prev_r2t_raw = NULL;
 static __thread char *prev_r2c_trans = NULL;
-static __thread security_context_t prev_r2c_raw = NULL;
+static __thread char * prev_r2c_raw = NULL;
 static pthread_once_t once = PTHREAD_ONCE_INIT;
 static pthread_key_t destructor_key;
@@ -281,8 +281,8 @@
 	mls_enabled = is_selinux_mls_enabled();
 }
-int selinux_trans_to_raw_context(const security_context_t trans,
-		security_context_t * rawp)
+int selinux_trans_to_raw_context(const char * trans,
+		char ** rawp)
 {
 	if (!trans) {
 		*rawp = NULL;
@@ -323,8 +323,8 @@
 hidden_def(selinux_trans_to_raw_context)
-int selinux_raw_to_trans_context(const security_context_t raw,
-		security_context_t * transp)
+int selinux_raw_to_trans_context(const char * raw,
+		char ** transp)
 {
 	if (!raw) {
 		*transp = NULL;
@@ -365,7 +365,7 @@
 hidden_def(selinux_raw_to_trans_context)
-int selinux_raw_context_to_color(const security_context_t raw, char **transp)
+int selinux_raw_context_to_color(const char * raw, char **transp)
 {
 	if (!raw) {
 		*transp = NULL;
@@ -402,8 +402,8 @@
 hidden_def(selinux_raw_context_to_color)
 #else /*DISABLE_SETRANS*/
-int selinux_trans_to_raw_context(const security_context_t trans,
-		security_context_t * rawp)
+int selinux_trans_to_raw_context(const char * trans,
+		char ** rawp)
 {
 	if (!trans) {
 		*rawp = NULL;
@@ -417,8 +417,8 @@
 hidden_def(selinux_trans_to_raw_context)
-int selinux_raw_to_trans_context(const security_context_t raw,
-		security_context_t * transp)
+int selinux_raw_to_trans_context(const char * raw,
+		char ** transp)
 {
 	if (!raw) {
 		*transp = NULL;
diff -Nru libselinux-2.2.2/utils/getconlist.c libselinux-2.3/utils/getconlist.c
--- libselinux-2.2.2/utils/getconlist.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/utils/getconlist.c 2014-05-06 17:30:27.000000000 +0000
@@ -19,7 +19,7 @@
 int main(int argc, char **argv)
 {
-	security_context_t *list, usercon = NULL, cur_context = NULL;
+	char **list, *usercon = NULL, *cur_context = NULL;
 	char *user = NULL, *level = NULL;
 	int ret, i, opt;
diff -Nru libselinux-2.2.2/utils/getdefaultcon.c libselinux-2.3/utils/getdefaultcon.c
--- libselinux-2.2.2/utils/getdefaultcon.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/utils/getdefaultcon.c 2014-05-06 17:30:27.000000000 +0000
@@ -19,7 +19,7 @@
 int main(int argc, char **argv)
 {
- security_context_t usercon = NULL, cur_context = NULL;
+ char * usercon = NULL, *cur_context = NULL;
 char *user = NULL, *level = NULL, *role=NULL, *seuser=NULL, *dlevel=NULL;
 char *service = NULL;
 int ret, opt;
diff -Nru libselinux-2.2.2/utils/getseuser.c libselinux-2.3/utils/getseuser.c
--- libselinux-2.2.2/utils/getseuser.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/utils/getseuser.c 2014-05-06 17:30:27.000000000 +0000
@@ -8,7 +8,7 @@
 int main(int argc, char **argv)
 {
 char *seuser = NULL, *level = NULL;
- security_context_t *contextlist;
+ char **contextlist;
 int rc, n, i;
 if (argc != 3) {
diff -Nru libselinux-2.2.2/utils/matchpathcon.c libselinux-2.3/utils/matchpathcon.c
--- libselinux-2.2.2/utils/matchpathcon.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/utils/matchpathcon.c 2014-05-06 17:30:27.000000000 +0000
@@ -173,7 +173,7 @@
 } else if (rc == 1) {
 printf("%s verified.\n", path);
 } else {
- security_context_t con;
+ char * con;
 error = 1;
 if (notrans)
 rc = lgetfilecon_raw(path, &con);
diff -Nru libselinux-2.2.2/utils/selinuxexeccon.c libselinux-2.3/utils/selinuxexeccon.c
--- libselinux-2.2.2/utils/selinuxexeccon.c 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/utils/selinuxexeccon.c 2014-05-06 17:30:27.000000000 +0000
@@ -17,8 +17,8 @@
 exit(rc);
 }
-static security_context_t get_selinux_proc_context(const char *command, security_context_t execcon) {
- security_context_t fcon = NULL, newcon = NULL;
+static char * get_selinux_proc_context(const char *command, char * execcon) {
+ char * fcon = NULL, *newcon = NULL;
 int ret = getfilecon(command, &fcon);
 if (ret < 0)
 goto err;
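Review bot: `get_selinux_proc_context` in the selinuxexeccon.c hunk keeps its second parameter writable as `char * execcon`, while this release converts read-only context parameters to `const char *` (setfilecon_raw, selinux_trans_to_raw_context); if the body, which continues past the hunk, only reads execcon, `static char *get_selinux_proc_context(const char *command, const char *execcon)` would match those signatures. The function also has no contract comment, and the visible `getfilecon(command, &fcon)` call fills `fcon` with a context the library allocates, so a header comment stating that the return value is an allocated context the caller must release with freecon(), and that `fcon` is released on both the success and the `err` path, would help; whether the `err:` label actually does that has to be confirmed against the code outside the hunk.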
@@ -33,7 +33,7 @@
 int main(int argc, char **argv)
 {
 int ret = -1;
- security_context_t proccon = NULL, con = NULL;
+ char * proccon = NULL, *con = NULL;
 if (argc < 2 || argc > 3)
 usage(argv[0], "Invalid number of arguments", -1);
diff -Nru libselinux-2.2.2/VERSION libselinux-2.3/VERSION
--- libselinux-2.2.2/VERSION 2013-12-30 19:39:59.000000000 +0000
+++ libselinux-2.3/VERSION 2014-05-06 17:30:27.000000000 +0000
@@ -1 +1 @@
-2.2.2
+2.3
