From be6478d45d2d5c57bc30ca83d14b7b1ef6ed5ce6 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Fri, 27 Oct 2006 10:42:44 +0000 Subject: Incorporate Manoj's NMU: * NMU to update SELinux patch, bringing it in line with current selinux releases. The patch for this NMU is simply the Bug#394795 patch, and no other changes. (closes: #394795) --- selinux.c | 150 ++++++++++++++++++++++++++++---------------------------------- 1 file changed, 67 insertions(+), 83 deletions(-) (limited to 'selinux.c') diff --git a/selinux.c b/selinux.c index 6625c71d8..2811a9b80 100644 --- a/selinux.c +++ b/selinux.c @@ -1,10 +1,8 @@ #include "includes.h" - #include "auth.h" #include "log.h" #ifdef WITH_SELINUX - #include #include #include 
@@ -13,99 +11,85 @@ extern Authctxt *the_authctxt;
-static security_context_t
+static const security_context_t
 selinux_get_user_context(const char *name)
 {
- security_context_t user_context = NULL;
- char *role = NULL;
- int ret = 0;
-
- if (the_authctxt)
- role = the_authctxt->role;
- if (role != NULL && role[0])
- ret = get_default_context_with_role(name, role, NULL,
- &user_context);
- else
- ret = get_default_context(name, NULL, &user_context);
- if (ret < 0) {
- if (security_getenforce() > 0)
- fatal("Failed to get default security context for %s.",
- name);
- else
- error("Failed to get default security context for %s. "
- "Continuing in permissive mode",
- name);
+ security_context_t user_context=NULL;
+ char *role=NULL;
+ int ret = -1;
+ char *seuser=NULL;
+ char *level=NULL;
+
+ if (the_authctxt)
+ role=the_authctxt->role;
+ if (getseuserbyname(name, &seuser, &level)==0) {
+ if (role != NULL && role[0])
+ ret=get_default_context_with_rolelevel(seuser, role, level,NULL,
+ &user_context);
+ else
+ ret=get_default_context_with_level(seuser, level, NULL,&user_context);
+ }
+ if ( ret < 0 ) {
+ if (security_getenforce() > 0)
+ fatal("Failed to get default security context for %s.",
+ name);
+ else
+ error("Failed to get default security context for %s."
+ "Continuing in permissive mode",
+ name);
 }
 return user_context;
 }
-void
+void
 setup_selinux_pty(const char *name, const char *tty)
 {
- security_context_t new_tty_context, user_context, old_tty_context;
-
- if (is_selinux_enabled() <= 0)
- return;
-
- new_tty_context = old_tty_context = NULL;
- user_context = selinux_get_user_context(name);
-
- if (getfilecon(tty, &old_tty_context) < 0) {
- error("getfilecon(%.100s) failed: %.100s",
- tty, strerror(errno));
- } else {
- if (security_compute_relabel(user_context, old_tty_context,
- SECCLASS_CHR_FILE, &new_tty_context) != 0) {
- error("security_compute_relabel(%.100s) failed: "
- "%.100s", tty, strerror(errno));
- } else {
- if (setfilecon(tty, new_tty_context) != 0)
- error("setfilecon(%.100s, %s) failed: %.100s",
- tty, new_tty_context, strerror(errno));
- freecon(new_tty_context);
- }
- freecon(old_tty_context);
- }
- if (user_context)
- freecon(user_context);
-}
-
-void
-setup_selinux_exec_context(const char *name)
-{
- security_context_t user_context;
-
- if (is_selinux_enabled() <= 0)
- return;
-
- user_context = selinux_get_user_context(name);
-
- if (setexeccon(user_context)) {
- if (security_getenforce() > 0)
- fatal("Failed to set exec security context %s for %s.",
- user_context, name);
- else
- error("Failed to set exec security context %s for %s. "
- "Continuing in permissive mode",
- user_context, name);
- }
- if (user_context)
- freecon(user_context);
+ if (is_selinux_enabled() > 0) {
+ security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL;
+
+ user_context=selinux_get_user_context(name);
+
+ if (getfilecon(tty, &old_tty_context) < 0) {
+ error("getfilecon(%.100s) failed: %.100s",
+ tty, strerror(errno));
+ } else {
+ if (security_compute_relabel(user_context,old_tty_context,
+ SECCLASS_CHR_FILE, &new_tty_context) != 0) {
+ error("security_compute_relabel(%.100s) failed: "
+ "%.100s", tty, strerror(errno));
+ } else {
+ if (setfilecon (tty, new_tty_context) != 0)
+ error("setfilecon(%.100s, %s) failed: %.100s",
+ tty, new_tty_context, strerror(errno));
+ freecon(new_tty_context);
+ }
+ freecon(old_tty_context);
+ }
+ if (user_context) {
+ freecon(user_context);
+ }
+ }
 }
-#else /* WITH_SELINUX */
-
-void
-setup_selinux_pty(const char *name, const char *tty)
+void
+setup_selinux_exec_context(char *name)
 {
- (void) name;
- (void) tty;
-}
-void
-setup_selinux_exec_context(const char *name)
-{
- (void) name;
+ if (is_selinux_enabled() > 0) {
+ security_context_t user_context=selinux_get_user_context(name);
+ if (setexeccon(user_context)) {
+ if (security_getenforce() > 0)
+ fatal("Failed to set exec security context %s for %s.",
+ user_context, name);
+ else
+ error("Failed to set exec security context %s for %s. "
+ "Continuing in permissive mode",
+ user_context, name);
+ }
+ if (user_context) {
+ freecon(user_context);
+ }
+ }
 }
 #endif /* WITH_SELINUX */
-- cgit v1.2.3
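Review bot: `seuser` and `level` filled by `getseuserbyname()` in the new `selinux_get_user_context` are never released; libselinux documents both as caller-freed heap strings, so every pty and exec-context setup leaks two allocations — add `free(seuser); free(level);` before `return user_context;`. The new return type `static const security_context_t` expands to `char *const`, which is meaningless on a return value and misleads callers who still own the result and must `freecon()` it; the plain `security_context_t` of the old side was right. The permissive-path message also lost its separator: `"...for %s."` followed by `"Continuing in permissive mode"` now logs `%s.Continuing`, so the trailing space from the old string should be restored. Dropping the `#else /* WITH_SELINUX */` stubs means a build without WITH_SELINUX no longer defines `setup_selinux_pty` or `setup_selinux_exec_context`, which fails to link unless every call site is itself guarded — worth confirming, as is the new `char *name` parameter of `setup_selinux_exec_context` against the `const char *` prototype the header presumably still declares.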