PERFORCE change 70100 for review
Andrew Reisse
areisse at FreeBSD.org
Tue Feb 1 17:44:08 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=70100
Change 70100 by areisse at areisse_tislabs on 2005/02/01 17:43:39
Begin the process of converting sebsd-specific include files and
interfaces to match those of selinux (wherever possible). The
conversion is not complete, but the system builds and runs with
these changes.
Import policycoreutils from selinux version 2004081908.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libselinux/include/selinux/avc.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libselinux/include/selinux/selinux.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libselinux/src/avc_internal.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/COPYING#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/ChangeLog#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/Makefile#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/VERSION#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2allow/Makefile#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2allow/audit2allow#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/load_policy/Makefile#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/load_policy/load_policy.8#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/load_policy/load_policy.c#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/newrole/newrole.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/Makefile#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/Makefile.in#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/Makefile.in.in#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/POTFILES#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/POTFILES.in#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/da.po#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/de.po#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/es.po#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/et.po#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/fr.po#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/gl.po#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/id.po#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/it.po#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/ko.po#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/nl.po#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/pl.po#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/policycoreutils.pot#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/pt_BR.po#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/ru.po#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/sv.po#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/policycoreutils.spec#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/restorecon/Makefile#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/restorecon/restorecon.8#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/restorecon/restorecon.c#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/run_init/Makefile#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/run_init/run_init.8#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/run_init/run_init.c#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/run_init/run_init.pamd#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/Makefile#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/fixfiles#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/fixfiles.8.gz#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/fixfiles.cron#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/genhomedircon#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/sestatus/Makefile#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/sestatus/sestatus.8#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/sestatus/sestatus.c#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/sestatus/sestatus.conf#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/setfiles/Makefile#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/setfiles/setfiles.8#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/setfiles/setfiles.c#1 branch
.. //depot/projects/trustedbsd/sebsd/crypto/openssh/sshd_config#10 edit
.. //depot/projects/trustedbsd/sebsd/etc/mtree/BSD.include.dist#13 edit
.. //depot/projects/trustedbsd/sebsd/lib/libsebsd/Makefile#6 edit
.. //depot/projects/trustedbsd/sebsd/lib/libsebsd/context.c#3 delete
.. //depot/projects/trustedbsd/sebsd/lib/libsebsd/get_default_type.c#2 delete
.. //depot/projects/trustedbsd/sebsd/lib/libsebsd/sebsd.h#6 edit
.. //depot/projects/trustedbsd/sebsd/lib/libsebsd/sebsd_config.c#1 add
.. //depot/projects/trustedbsd/sebsd/lib/libsebsd/sebsd_context.h#3 delete
.. //depot/projects/trustedbsd/sebsd/lib/libsebsd/sebsd_fs.h#2 delete
.. //depot/projects/trustedbsd/sebsd/lib/libsebsd/sebsd_proc.h#2 delete
.. //depot/projects/trustedbsd/sebsd/lib/libsebsd/sebsd_ss.h#3 delete
.. //depot/projects/trustedbsd/sebsd/lib/libsebsd/security_change_context.c#2 edit
.. //depot/projects/trustedbsd/sebsd/lib/libsebsd/security_compute_av.c#3 edit
.. //depot/projects/trustedbsd/sebsd/lib/libsebsd/system.c#4 edit
.. //depot/projects/trustedbsd/sebsd/lib/libsepol/Makefile#3 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/flask_types.h#5 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_syscall.c#5 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_syscalls.h#5 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#6 edit
.. //depot/projects/trustedbsd/sebsd/usr.bin/login/Makefile#4 edit
.. //depot/projects/trustedbsd/sebsd/usr.bin/login/login.c#8 edit
.. //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/database.c#4 edit
.. //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/do_command.c#6 edit
.. //depot/projects/trustedbsd/sebsd/usr.sbin/sebsd_loadpolicy/sebsd_loadpolicy.c#2 edit
.. //depot/projects/trustedbsd/sebsd/usr.sbin/sebsd_newrole/Makefile#2 edit
.. //depot/projects/trustedbsd/sebsd/usr.sbin/sebsd_newrole/sebsd_newrole.c#4 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libselinux/include/selinux/avc.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libselinux/include/selinux/selinux.h#2 (text+ko) ====
@@ -3,13 +3,16 @@
#include <sys/types.h>
+#define _LINUX_FLASK_TYPES_H_
+typedef unsigned short security_class_t;
+typedef unsigned long long access_vector_t;
+typedef char *security_context_t;
+
/* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error. */
extern int is_selinux_enabled(void);
/* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */
extern int is_selinux_mls_enabled(void);
-typedef char* security_context_t;
-
/* Free the memory allocated for a context by any of the below get* calls. */
extern void freecon(security_context_t con);
@@ -72,9 +75,6 @@
/* Wrappers for the selinuxfs (policy) API. */
-typedef unsigned int access_vector_t;
-typedef unsigned short security_class_t;
-
struct av_decision {
access_vector_t allowed;
access_vector_t decided;
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libselinux/src/avc_internal.h#2 (text+ko) ====
@@ -14,9 +14,11 @@
#include <string.h>
#include <selinux/avc.h>
+/*
typedef u_int32_t u32;
typedef u_int16_t u16;
typedef u_int8_t u8;
+*/
/* SID reference counter manipulation */
static inline int sid_inc_refcnt(security_id_t sid) {
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/newrole/newrole.c#2 (text+ko) ====
@@ -65,8 +65,7 @@
#include <selinux/get_context_list.h> /* for SELINUX_DEFAULTUSER */
#include <signal.h>
#include <locale.h> /* for setlocale() */
-#include <libintl.h> /* for gettext() */
-#define _(msgid) gettext (msgid)
+#define _(msgid) msgid
#ifndef PACKAGE
#define PACKAGE "policycoreutils" /* the name of this package lang translation */
#endif
@@ -99,7 +98,7 @@
#include <unistd.h> /* for getuid(), exit(), getopt() */
#include <security/pam_appl.h> /* for PAM functions */
-#include <security/pam_misc.h> /* for misc_conv PAM utility function */
+#include <security/openpam.h> /* for misc_conv PAM utility function */
#define SERVICE_NAME "newrole" /* the name of this program for PAM */
@@ -130,7 +129,7 @@
* communicate with the user. We'll be using misc_conv(), which is *
* provided for us via pam_misc.h. */
struct pam_conv pam_conversation = {
- misc_conv,
+ openpam_ttyconv,
NULL
};
@@ -265,10 +264,6 @@
/* Terminate on SIGHUP. */
signal(SIGHUP, SIG_DFL);
- setlocale (LC_ALL, "");
- bindtextdomain (PACKAGE, LOCALEDIR);
- textdomain (PACKAGE);
-
/*
*
* Step 1: Handle command-line arguments.
==== //depot/projects/trustedbsd/sebsd/crypto/openssh/sshd_config#10 (text+ko) ====
@@ -91,7 +91,7 @@
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
-UseLogin no
+UseLogin yes
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
==== //depot/projects/trustedbsd/sebsd/etc/mtree/BSD.include.dist#13 (text+ko) ====
@@ -207,6 +207,8 @@
..
..
..
+ selinux
+ ..
sepol
..
sys
==== //depot/projects/trustedbsd/sebsd/lib/libsebsd/Makefile#6 (text+ko) ====
@@ -2,12 +2,11 @@
# $FreeBSD: $
#
-.PATH: ${.CURDIR} ${.CURDIR}/../../sys/security/sebsd
+.PATH: ${.CURDIR} ${.CURDIR}/../../contrib/sebsd/libselinux/src ${.CURDIR}/../../contrib/sebsd/libselinux/include ${.CURDIR}/../../sys/security/sebsd ${.CURDIR}/../../contrib/sebsd/policy/flask
MAINTAINER= cboss at nai.com
LIB= sebsd
-LINKS= selinux
-CFLAGS+= -I${.CURDIR}/../../sys/security/sebsd
+CFLAGS+= -I${.CURDIR}/../../sys/security/sebsd -I${.CURDIR}/../../contrib/sebsd/libselinux/include
CFLAGS+=-I${.CURDIR}/../../sys
LDADD+= -L${.OBJDIR}/../libpam/libpam ${MINUSLPAM}
DPADD+= ${LIBPAM}
@@ -16,9 +15,13 @@
SRCS= system.c security_get_user_contexts.c get_ordered_context_list.c \
getseccontext.c query_user_context.c security_change_context.c \
string_to_security_class.c security_compute_av.c context.c \
- get_default_type.c filecon.c
-INCS= sebsd_context.h sebsd_ss.h sebsd_proc.h sebsd_fs.h sebsd.h \
- sebsd_syscalls.h flask_types.h
+ get_default_type.c filecon.c sebsd_config.c \
+ freecon.c freeconary.c
+
+INCSDIR=${INCLUDEDIR}/selinux
+INCS= selinux/selinux.h selinux/context.h selinux/get_context_list.h \
+ selinux/get_default_type.h sebsd.h sebsd_syscalls.h \
+ flask.h av_permissions.h
.include <bsd.lib.mk>
==== //depot/projects/trustedbsd/sebsd/lib/libsebsd/sebsd.h#6 (text+ko) ====
@@ -39,55 +39,14 @@
#include <sys/types.h>
#include <security/pam_types.h>
-
+#include <selinux/selinux.h>
#include "flask_types.h"
#include "sebsd_syscalls.h"
-#include "sebsd_context.h"
-#include "sebsd_ss.h"
-#include "sebsd_proc.h"
-#include "sebsd_fs.h"
#define SEBSD_ID_STRING "sebsd"
-char *getseccontext(void);
-int get_ordered_context_list(const char *user_name, const char *from_context,
- char ***ordered_list, size_t *length);
-int get_default_context(const char *username, const char *from_context,
- char **default_context);
-int query_user_context(pam_handle_t *pamh, char **ordered_context_list,
- size_t length, char **retcontext);
-security_class_t string_to_security_class(const char *s);
-
-int sebsd_avc_toggle(void);
-int sebsd_enabled(void);
-int sebsd_enforcing(void);
int sebsd_load_policy(const char *path);
-int security_get_user_contexts(const char *fromcontext, const char *username,
- char ***retcontexts, size_t *ncontexts);
-int security_change_context(const char *domain, const char *ocontext,
- security_class_t oclass, char **newcontext);
-int security_compute_av(struct security_query *query,
- struct security_response *response);
-
-
-/* Get file context, and set *con to refer to it.
- Caller must free via freecon. */
-int getfilecon(const char *path, security_context_t *con);
-int lgetfilecon(const char *path, security_context_t *con);
-int fgetfilecon(int fd, security_context_t *con);
-
-/* Set file context */
-int setfilecon(const char *path, security_context_t con);
-int lsetfilecon(const char *path, security_context_t con);
-int fsetfilecon(int fd, security_context_t con);
-
-/*
- * Get the default type (domain) for 'role' and set 'type' to refer to it.
- * Caller must free via free().
- * Return 0 on success or -1 otherwise.
- */
#define _DEFTYPE_PATH "/etc/security/default_type"
-int get_default_type (const char* role, char** type);
#endif /* _SEBSD_H */
==== //depot/projects/trustedbsd/sebsd/lib/libsebsd/security_change_context.c#2 (text+ko) ====
@@ -42,7 +42,7 @@
#include <stdlib.h>
#include <string.h>
-#include "sebsd.h"
+#include <selinux/selinux.h>
typedef char __assert_class_size[sizeof(security_class_t) == 2 ? 1 : -1];
@@ -51,8 +51,8 @@
* relabel an object to when transitioning to a given context.
*/
int
-security_change_context(const char *domain, const char *ocontext,
- security_class_t oclass, char **newcontext)
+security_compute_relabel(security_context_t domain, security_context_t ocontext,
+ security_class_t oclass, security_context_t *newcontext)
{
char *arguments;
ssize_t arguments_len;
==== //depot/projects/trustedbsd/sebsd/lib/libsebsd/security_compute_av.c#3 (text+ko) ====
@@ -51,22 +51,23 @@
* Return the decisions SEBSD makes given a specific access vector.
*/
int
-security_compute_av(struct security_query *query,
- struct security_response *response)
+security_compute_av(security_context_t scontext, security_context_t tcontext,
+ security_class_t tclass, access_vector_t requested,
+ struct av_decision *response)
{
char *arguments;
size_t response_len;
ssize_t arguments_len;
int error;
- arguments_len = asprintf(&arguments, "%s%c%s%c%s", query->scontext, 0,
- query->tcontext, 0, "1212345678");
+ arguments_len = asprintf(&arguments, "%s%c%s%c%s", scontext, 0,
+ tcontext, 0, "1212345678");
if (arguments_len == -1)
return (-1);
- memcpy(&arguments[arguments_len - (2 + 8)], &query->tclass,
- sizeof(query->tclass));
- memcpy(&arguments[arguments_len - 2], &query->requested,
- sizeof(query->requested));
+ memcpy(&arguments[arguments_len - (2 + 8)], &tclass,
+ sizeof(tclass));
+ memcpy(&arguments[arguments_len - 2], &requested,
+ sizeof(requested));
response_len = sizeof(*response);
if (sysctlbyname("security.mac.sebsd.compute_av", response,
&response_len, arguments, arguments_len) == -1) {
==== //depot/projects/trustedbsd/sebsd/lib/libsebsd/system.c#4 (text+ko) ====
@@ -37,10 +37,10 @@
#include <stdio.h>
#include <sys/fcntl.h>
#include <stdlib.h>
+#include <selinux/selinux.h>
#include "sebsd.h"
-
-int sebsd_enabled()
+int is_selinux_enabled()
{
int error, i;
error = sysctlbyname ("security.mac.sebsd.enforcing",
@@ -49,7 +49,7 @@
}
int
-sebsd_enforcing()
+security_getenforce()
{
int i, error;
error = sysctlbyname ("security.mac.sebsd.enforcing",
@@ -84,3 +84,13 @@
return mac_syscall(SEBSD_ID_STRING, SEBSDCALL_LOAD_POLICY, &la);
}
+
+int
+security_load_policy(void *data, size_t len)
+{
+ struct lp_args la;
+
+ la.len = len;
+ la.data = data;
+ return mac_syscall(SEBSD_ID_STRING, SEBSDCALL_LOAD_POLICY, &la);
+}
==== //depot/projects/trustedbsd/sebsd/lib/libsepol/Makefile#3 (text+ko) ====
@@ -6,7 +6,7 @@
MAINTAINER= cboss at nai.com
LIB= sepol
-CFLAGS+= -I${.CURDIR}/../../contrib/sebsd/libsepol/include
+CFLAGS+= -g -I${.CURDIR}/../../contrib/sebsd/libsepol/include
NOMAN=
SRCS= avtab.c conditional.c ebitmap.c genbools.c hashtab.c mls.c policydb.c \
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/flask_types.h#5 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_syscall.c#5 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_syscalls.h#5 (text+ko) ====
@@ -1,6 +1,8 @@
#ifndef _SEBSD_SYSCALLS_H_
#define _SEBSD_SYSCALLS_H_
+#include <security/sebsd/linux-compat.h>
+
/*
* TBD: Should we really try to line up with SELinux?
*/
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd_sysctl.c#6 (text+ko) ====
@@ -246,7 +246,6 @@
static int
sysctl_compute_av(SYSCTL_HANDLER_ARGS)
{
- struct security_response resp;
security_id_t sid, tsid;
security_class_t tclass;
access_vector_t av;
@@ -287,13 +286,8 @@
error = security_compute_av(sid, tsid, tclass, av, &avd);
if (error)
goto out;
- resp.allowed = avd.allowed;
- resp.auditallow = avd.auditallow;
- resp.auditdeny = avd.auditdeny;
- resp.decided = avd.decided;
- resp.seqno = avd.seqno;
- error = SYSCTL_OUT(req, &resp, sizeof(resp));
+ error = SYSCTL_OUT(req, &avd, sizeof(avd));
out:
sebsd_free(scontext, M_SEBSD);
return (error);
==== //depot/projects/trustedbsd/sebsd/usr.bin/login/Makefile#4 (text+ko) ====
@@ -3,6 +3,10 @@
PROG= login
SRCS= login.c login_fbtab.c
+CFLAGS+=-I${.CURDIR}/../../lib/libsebsd
+CFLAGS+=-I${.CURDIR}/../../contrib/sebsd/libselinux/include
+CFLAGS+=-I${.CURDIR}/../../sys
+CFLAGS+=-I${.CURDIR}/../../sys/security/sebsd
CFLAGS+=-DLOGALL
DPADD= ${LIBUTIL} ${LIBPAM} ${LIBSEBSD}
LDADD= -lutil ${MINUSLPAM} -lsebsd
==== //depot/projects/trustedbsd/sebsd/usr.bin/login/login.c#8 (text+ko) ====
@@ -80,7 +80,8 @@
#include <security/pam_appl.h>
#include <security/openpam.h>
-#include <security/sebsd/flask.h>
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
#include "login.h"
#include "pathnames.h"
@@ -514,7 +515,7 @@
* When using SEBSD, the terminal device needs to be relabeled
* according to what the security server reports.
*/
- if (sebsd_enabled()) {
+ if (is_selinux_enabled()) {
char *labeltext, *queried, *oldttylabeltext, *tty_queried=NULL,
**contexts;
size_t ncontexts;
@@ -571,7 +572,7 @@
"%s: %m", ttyn);
bail(NO_SLEEP_EXIT, 1);
}
- if (security_change_context(queried, oldttylabeltext +
+ if (security_compute_relabel(queried, oldttylabeltext +
sizeof("sebsd/") - 1, SECCLASS_CHR_FILE,
&tty_queried) != 0 ||
asprintf(&labeltext, "sebsd/%s", tty_queried) == -1) {
==== //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/database.c#4 (text+ko) ====
@@ -30,12 +30,9 @@
#include <sys/file.h>
#include <sys/mac.h>
-#include <security/sebsd/flask.h>
-#include <security/sebsd/flask_types.h>
-#include <security/sebsd/sebsd_syscalls.h>
-#include <security/sebsd/avc/av_permissions.h>
-#include <sebsd.h>
-
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
#define TMAX(a,b) ((a)>(b)?(a):(b))
@@ -256,14 +253,13 @@
free_user(u);
log_it(fname, getpid(), "RELOAD", tabname);
}
- if (sebsd_enabled()) {
+ if (is_selinux_enabled()) {
/*
* Perform a virtual entrypoint access decision on
* the user's crontab as if it were the script
* being executed.
*/
- struct security_query q;
- struct security_response r;
+ struct av_decision r;
char *context, *file_context;
mac_t filelabel;
int error;
@@ -293,14 +289,12 @@
free(file_context);
goto next_crontab;
}
- q.scontext = context;
- q.tcontext = file_context + sizeof("sebsd/") - 1;
- q.tclass = SECCLASS_FILE;
- q.requested = FILE__ENTRYPOINT;
- error = security_compute_av(&q, &r);
+ access_vector_t requested = FILE__ENTRYPOINT;
+ error = security_compute_av(context, file_context + sizeof("sebsd/") - 1,
+ SECCLASS_FILE, requested, &r);
free(file_context);
free(context);
- if (error || ((q.requested & r.allowed) != q.requested)) {
+ if (error || ((requested & r.allowed) != requested)) {
log_it(fname, getpid(), "SEBSD entrypoint failed",
tabname);
goto next_crontab;
==== //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/do_command.c#6 (text+ko) ====
@@ -33,8 +33,7 @@
# include <login_cap.h>
#endif
#include <sys/mac.h>
-#include <security/sebsd/flask_types.h>
-#include <sebsd.h>
+#include <selinux/selinux.h>
static void child_process __P((entry *, user *)),
@@ -275,7 +274,7 @@
_exit(OK_EXIT);
}
# endif /*DEBUGGING*/
- if (sebsd_enabled()) {
+ if (is_selinux_enabled()) {
mac_t mac;
char *context, *labeltext, *argv[4];
==== //depot/projects/trustedbsd/sebsd/usr.sbin/sebsd_loadpolicy/sebsd_loadpolicy.c#2 (text+ko) ====
@@ -31,7 +31,7 @@
* $FreeBSD$
*/
-#include <sebsd.h>
+#include <selinux/selinux.h>
#include <stdlib.h>
#include <string.h>
==== //depot/projects/trustedbsd/sebsd/usr.sbin/sebsd_newrole/Makefile#2 (text+ko) ====
@@ -1,8 +1,18 @@
# @(#)Makefile 8.1 (Berkeley) 6/6/93
# $FreeBSD: src/usr.bin/nice/Makefile,v 1.4 2002/02/08 22:31:43 markm Exp $
+#.PATH: ${.CURDIR}/../../contrib/sebsd/policycoreutils/newrole
+
PROG= sebsd_newrole
CFLAGS+= -g
LDADD= -lsebsd
+#SRCS= newrole.c
+
+CFLAGS+=-DUSE_PAM
+CFLAGS+=-I${.CURDIR}/../../lib/libsebsd
+CFLAGS+=-I${.CURDIR}/../../contrib/sebsd/libselinux/include
+#CFLAGS+=-I${.CURDIR}/../../sys
+#CFLAGS+=-I${.CURDIR}/../../sys/security/sebsd
+
.include <bsd.prog.mk>
==== //depot/projects/trustedbsd/sebsd/usr.sbin/sebsd_newrole/sebsd_newrole.c#4 (text+ko) ====
@@ -25,9 +25,9 @@
#include <security/pam_appl.h>
#include <security/openpam.h>
-#include <security/sebsd/flask.h>
+#include <selinux/flask.h>
#include <sys/mac.h>
-#include <sebsd.h>
+#include <selinux/selinux.h>
#define SEBSD_SERVICE_NAME "sebsd_newrole"
@@ -96,13 +96,13 @@
char *role = NULL;
char *type = NULL;
char *old_context, *new_context, *labeltext;
- context_t context;
+ security_context_t context;
struct passwd *pw;
struct passwd pw_copy;
mac_t execlabel, oldtty, newtty;
char *ttyn;
- if (!sebsd_enabled()) {
+ if (!is_selinux_enabled()) {
fprintf(stderr, "Sorry, sebsd_newrole may only be used when "
"the SEBSD security module is loaded\n");
exit(1);
@@ -216,7 +216,7 @@
perror(ttyn);
exit(1);
}
- if (security_change_context(new_context, oldttys +
+ if (security_compute_relabel(new_context, oldttys +
sizeof("sebsd/") - 1, SECCLASS_CHR_FILE,
&newttys) != 0 ||
asprintf(&newttyslabel, "sebsd/%s", newttys) == -1) {
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message
More information about the trustedbsd-cvs
mailing list