Compare commits
No commits in common. 'c9' and 'c8' have entirely different histories.
@ -1 +1 @@
|
||||
SOURCES/mcstrans-3.5.tar.gz
|
||||
SOURCES/mcstrans-2.9.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
a8b1d4758ab1b1a80a4eb1ffe06cd7cbd1336527 SOURCES/mcstrans-3.5.tar.gz
|
||||
64bea2c1cd56e0550049a548dde0ac2e53f71714 SOURCES/mcstrans-2.9.tar.gz
|
||||
|
@ -0,0 +1,126 @@
|
||||
From eeac35fa98b8b2d323741703a2e59593d1ad200a Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Wed, 28 Nov 2018 18:28:05 +0100
|
||||
Subject: [PATCH] mcstrans: Fir RESOURCE_LEAK and USE_AFTER_FREE coverity scan
|
||||
defects
|
||||
|
||||
---
|
||||
mcstrans/src/mcstrans.c | 17 ++++++++++++++++-
|
||||
mcstrans/src/mcstransd.c | 4 +++-
|
||||
2 files changed, 19 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
|
||||
index 96bdbdff..29cadb78 100644
|
||||
--- a/mcstrans/src/mcstrans.c
|
||||
+++ b/mcstrans/src/mcstrans.c
|
||||
@@ -633,16 +633,23 @@ add_cache(domain_t *domain, char *raw, char *trans) {
|
||||
|
||||
map->raw = strdup(raw);
|
||||
if (!map->raw) {
|
||||
+ free(map);
|
||||
goto err;
|
||||
}
|
||||
map->trans = strdup(trans);
|
||||
if (!map->trans) {
|
||||
+ free(map->raw);
|
||||
+ free(map);
|
||||
goto err;
|
||||
}
|
||||
|
||||
log_debug(" add_cache (%s,%s)\n", raw, trans);
|
||||
- if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0)
|
||||
+ if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0) {
|
||||
+ free(map->trans);
|
||||
+ free(map->raw);
|
||||
+ free(map);
|
||||
goto err;
|
||||
+ }
|
||||
|
||||
if (add_to_hashtable(domain->trans_to_raw, map->trans, map) < 0)
|
||||
goto err;
|
||||
@@ -1519,6 +1526,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
|
||||
trans = compute_trans_from_raw(range, domain);
|
||||
if (trans)
|
||||
if (add_cache(domain, range, trans) < 0) {
|
||||
+ free(trans);
|
||||
free(range);
|
||||
return -1;
|
||||
}
|
||||
@@ -1530,6 +1538,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
|
||||
ltrans = compute_trans_from_raw(lrange, domain);
|
||||
if (ltrans) {
|
||||
if (add_cache(domain, lrange, ltrans) < 0) {
|
||||
+ free(ltrans);
|
||||
free(range);
|
||||
return -1;
|
||||
}
|
||||
@@ -1548,6 +1557,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
|
||||
utrans = compute_trans_from_raw(urange, domain);
|
||||
if (utrans) {
|
||||
if (add_cache(domain, urange, utrans) < 0) {
|
||||
+ free(utrans);
|
||||
free(ltrans);
|
||||
free(range);
|
||||
return -1;
|
||||
@@ -1647,7 +1657,9 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
|
||||
canonical = compute_trans_from_raw(raw, domain);
|
||||
if (canonical && strcmp(canonical, range))
|
||||
if (add_cache(domain, raw, canonical) < 0) {
|
||||
+ free(canonical);
|
||||
free(range);
|
||||
+ free(raw);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
@@ -1655,6 +1667,7 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
|
||||
free(canonical);
|
||||
if (add_cache(domain, raw, range) < 0) {
|
||||
free(range);
|
||||
+ free(raw);
|
||||
return -1;
|
||||
}
|
||||
} else {
|
||||
@@ -1672,6 +1685,7 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
|
||||
canonical = compute_trans_from_raw(lraw, domain);
|
||||
if (canonical)
|
||||
if (add_cache(domain, lraw, canonical) < 0) {
|
||||
+ free(canonical);
|
||||
free(lraw);
|
||||
free(range);
|
||||
return -1;
|
||||
@@ -1703,6 +1717,7 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
|
||||
canonical = compute_trans_from_raw(uraw, domain);
|
||||
if (canonical)
|
||||
if (add_cache(domain, uraw, canonical) < 0) {
|
||||
+ free(canonical);
|
||||
free(uraw);
|
||||
free(lraw);
|
||||
free(range);
|
||||
diff --git a/mcstrans/src/mcstransd.c b/mcstrans/src/mcstransd.c
|
||||
index 85899493..a1ec81ac 100644
|
||||
--- a/mcstrans/src/mcstransd.c
|
||||
+++ b/mcstrans/src/mcstransd.c
|
||||
@@ -335,6 +335,7 @@ process_events(struct pollfd **ufds, int *nfds)
|
||||
/* Setup pollfd for deletion later. */
|
||||
(*ufds)[ii].fd = -1;
|
||||
close(connfd);
|
||||
+ connfd = -1;
|
||||
/* So we don't get bothered later */
|
||||
revents = revents & ~(POLLHUP);
|
||||
}
|
||||
@@ -348,10 +349,11 @@ process_events(struct pollfd **ufds, int *nfds)
|
||||
/* Set the pollfd up for deletion later. */
|
||||
(*ufds)[ii].fd = -1;
|
||||
close(connfd);
|
||||
+ connfd = -1;
|
||||
|
||||
revents = revents & ~(POLLHUP);
|
||||
}
|
||||
- if (revents) {
|
||||
+ if (revents && connfd != -1) {
|
||||
syslog(LOG_ERR, "Unknown/error events (%x) encountered"
|
||||
" for fd (%d)\n", revents, connfd);
|
||||
|
||||
--
|
||||
2.21.0
|
||||
|
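Review bot: In `add_cache`, the second insertion failure, `if (add_to_hashtable(domain->trans_to_raw, map->trans, map) < 0) goto err;`, is still left without any cleanup, while the first one now frees `map->trans`, `map->raw` and `map`. At that point `map` is already reachable through `domain->raw_to_trans`, so it cannot simply be freed there; the entry would have to be taken out of the first table before freeing, or the half-registered state documented with something like `/* map is owned by raw_to_trans from here on; do not free on this path */`. The `err` label and the allocation of `map` lie outside the hunk, so whether `err` does any further cleanup cannot be confirmed from this page. In a long-running daemon, a failure path that leaves the two tables out of step is worth closing explicitly rather than leaving it to the next scan.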
@ -0,0 +1,59 @@
|
||||
From 659cb59cd6cfe36c954c77f945c06a0cd8218287 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Mon, 15 Apr 2019 15:22:51 +0200
|
||||
Subject: [PATCH] mcstrans: Do not accept incomplete contexts
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Fixes:
|
||||
$ python3
|
||||
> import selinux
|
||||
> selinux.selinux_raw_context_to_color("xyz_u:xyz_r:xyz_t:")
|
||||
|
||||
Traceback (most recent call last):
|
||||
File "<stdin>", line 2, in <module>
|
||||
OSError: [Errno 0] Error
|
||||
|
||||
:: [ 10:25:45 ] :: [ BEGIN ] :: Running 'service mcstransd status'
|
||||
Redirecting to /bin/systemctl status mcstransd.service
|
||||
● mcstrans.service - Translates SELinux MCS/MLS labels to human readable form
|
||||
Loaded: loaded (/usr/lib/systemd/system/mcstrans.service; disabled; vendor preset: disabled)
|
||||
Active: failed (Result: core-dump) since Fri 2019-04-12 10:25:44 EDT; 1s ago
|
||||
Process: 16681 ExecStart=/sbin/mcstransd -f (code=dumped, signal=SEGV)
|
||||
Main PID: 16681 (code=dumped, signal=SEGV)
|
||||
|
||||
systemd[1]: mcstrans.service: Main process exited, code=dumped, status=11/SEGV
|
||||
systemd[1]: mcstrans.service: Failed with result 'core-dump'.
|
||||
|
||||
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
---
|
||||
mcstrans/src/mcscolor.c | 12 ++++++++----
|
||||
1 file changed, 8 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/mcstrans/src/mcscolor.c b/mcstrans/src/mcscolor.c
|
||||
index 6ea1aa97..79fc1c8b 100644
|
||||
--- a/mcstrans/src/mcscolor.c
|
||||
+++ b/mcstrans/src/mcscolor.c
|
||||
@@ -272,10 +272,14 @@ static const unsigned precedence[N_COLOR][N_COLOR - 1] = {
|
||||
static const secolor_t default_color = { 0x000000, 0xffffff };
|
||||
|
||||
static int parse_components(context_t con, char **components) {
|
||||
- components[COLOR_USER] = (char *)context_user_get(con);
|
||||
- components[COLOR_ROLE] = (char *)context_role_get(con);
|
||||
- components[COLOR_TYPE] = (char *)context_type_get(con);
|
||||
- components[COLOR_RANGE] = (char *)context_range_get(con);
|
||||
+ if ((components[COLOR_USER] = (char *)context_user_get(con)) == NULL)
|
||||
+ return -1;
|
||||
+ if ((components[COLOR_ROLE] = (char *)context_role_get(con)) == NULL)
|
||||
+ return -1;
|
||||
+ if ((components[COLOR_TYPE] = (char *)context_type_get(con)) == NULL)
|
||||
+ return -1;
|
||||
+ if ((components[COLOR_RANGE] = (char *)context_range_get(con)) == NULL)
|
||||
+ return -1;
|
||||
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
2.21.0
|
||||
|
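Review bot: The new `return -1` paths in `parse_components` only prevent the crash if every caller checks the result before reading `components[]`, and the call sites are not part of this hunk. On failure the array is left partly written, because entries after the first NULL getter are never assigned, so a caller that ignores the return value would read stale or uninitialised pointers. A short contract comment above the function would make this explicit: `/* Fills components[] with pointers borrowed from con (do not free); returns -1, leaving components[] partly written, if any field is missing. */`. A regression test using the incomplete context from the commit message (`xyz_u:xyz_r:xyz_t:`) would pin the behaviour, since that string reaches the daemon from a client call.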
@ -0,0 +1,56 @@
|
||||
From 7426ba3f8d9edc5222db5663c8a9e5312f489e92 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Tue, 2 Jul 2019 14:09:04 +0200
|
||||
Subject: [PATCH] Revert "mcstransd select correct colour range."
|
||||
|
||||
This reverts commit fe17b3d2d924018750386c5ee74f12ca4b054136.
|
||||
|
||||
MLS ranges should be compared based on dominance.
|
||||
|
||||
This fixes mlscolor-test on mcstrans examples.
|
||||
|
||||
Eg. mlscolor-test using /usr/share/mcstrans/examples/urcsts when executed on mls
|
||||
machine fails as follows:
|
||||
|
||||
\#pushd /usr/share/mcstrans/examples/urcsts
|
||||
\#cp -f secolor.conf /etc/selinux/mls/secolor.conf
|
||||
\#cp -f setrans.conf /etc/selinux/mls/setrans.conf
|
||||
\#systemctl restart mcstransd
|
||||
\#python3 /usr/share/mcstrans/util/mlscolor-test urcsts.color
|
||||
For 'system_u:system_r:inetd_t:SystemLow' got
|
||||
'#000000 #000000 #000000 #000000 #000000 #000000 #000000 #000000' expected
|
||||
'#000000 #000000 #000000 #000000 #000000 #000000 #000000 #008000'
|
||||
...
|
||||
mlscolor-test done with 19 errors
|
||||
|
||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||
---
|
||||
mcstrans/src/mcscolor.c | 12 ++++++------
|
||||
1 file changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/mcstrans/src/mcscolor.c b/mcstrans/src/mcscolor.c
|
||||
index 79fc1c8b..f9c64da3 100644
|
||||
--- a/mcstrans/src/mcscolor.c
|
||||
+++ b/mcstrans/src/mcscolor.c
|
||||
@@ -134,12 +134,12 @@ static const secolor_t *find_color(int idx, const char *component,
|
||||
}
|
||||
|
||||
while (ptr) {
|
||||
- if (fnmatch(ptr->pattern, component, 0) == 0) {
|
||||
- if (idx == COLOR_RANGE) {
|
||||
- if (check_dominance(ptr->pattern, raw) == 0)
|
||||
- return &ptr->color;
|
||||
- } else
|
||||
- return &ptr->color;
|
||||
+ if (idx == COLOR_RANGE) {
|
||||
+ if (check_dominance(ptr->pattern, raw) == 0)
|
||||
+ return &ptr->color;
|
||||
+ } else {
|
||||
+ if (fnmatch(ptr->pattern, component, 0) == 0)
|
||||
+ return &ptr->color;
|
||||
}
|
||||
ptr = ptr->next;
|
||||
}
|
||||
--
|
||||
2.21.0
|
||||
|
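Review bot: In the `COLOR_RANGE` branch of `find_color`, `ptr->pattern` is now passed to `check_dominance` without first going through `fnmatch`, so for range entries the pattern is treated as an MLS range and `component` goes unused; that deserves a comment, e.g. `/* range patterns are MLS ranges matched by dominance against raw, not globs */`. Any result other than 0 from `check_dominance` falls through to the next entry, so if that helper also reports parse errors with a non-zero value (its definition is not visible here), a malformed range line in secolor.conf would be skipped silently rather than reported. The start of the function and the rest of its signature are outside the hunk.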
@ -0,0 +1,44 @@
|
||||
From 90a4f2b9a5194a2d1ab4c45b7a90bbb6c8099a68 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Tue, 2 Jul 2019 14:09:05 +0200
|
||||
Subject: [PATCH] Fix mcstrans secolor examples
|
||||
|
||||
According to "check_dominance" function:
|
||||
Range defined as "s15:c0.c1023" does not dominate any other range than
|
||||
"s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.).
|
||||
While range defined as "s15-s15:c0.c1023" dominates all of the above.
|
||||
|
||||
This is either a bug, or "s15:c0.c1023" should not be used in the
|
||||
examples.
|
||||
|
||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||
---
|
||||
mcstrans/share/examples/urcsts-via-include/secolor.conf | 2 +-
|
||||
mcstrans/share/examples/urcsts/secolor.conf | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/mcstrans/share/examples/urcsts-via-include/secolor.conf b/mcstrans/share/examples/urcsts-via-include/secolor.conf
|
||||
index d35b3c67..3b3f5430 100644
|
||||
--- a/mcstrans/share/examples/urcsts-via-include/secolor.conf
|
||||
+++ b/mcstrans/share/examples/urcsts-via-include/secolor.conf
|
||||
@@ -17,5 +17,5 @@ range s3-s3:c0.c1023 = black tan
|
||||
range s5-s5:c0.c1023 = white blue
|
||||
range s7-s7:c0.c1023 = black red
|
||||
range s9-s9:c0.c1023 = black orange
|
||||
-range s15:c0.c1023 = black yellow
|
||||
+range s15-s15:c0.c1023 = black yellow
|
||||
|
||||
diff --git a/mcstrans/share/examples/urcsts/secolor.conf b/mcstrans/share/examples/urcsts/secolor.conf
|
||||
index d35b3c67..3b3f5430 100644
|
||||
--- a/mcstrans/share/examples/urcsts/secolor.conf
|
||||
+++ b/mcstrans/share/examples/urcsts/secolor.conf
|
||||
@@ -17,5 +17,5 @@ range s3-s3:c0.c1023 = black tan
|
||||
range s5-s5:c0.c1023 = white blue
|
||||
range s7-s7:c0.c1023 = black red
|
||||
range s9-s9:c0.c1023 = black orange
|
||||
-range s15:c0.c1023 = black yellow
|
||||
+range s15-s15:c0.c1023 = black yellow
|
||||
|
||||
--
|
||||
2.21.0
|
||||
|