
Bug#307139: marked as done (dpkg: Please pull from srivasta@debian.org--2005-selinux/dpkg--selinux--1.13)



Your message dated Sun, 12 Jun 2005 12:02:22 -0400
with message-id <E1DhUuk-0005hN-00@newraff.debian.org>
and subject line Bug#307139: fixed in dpkg 1.13.9
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 1 May 2005 05:35:08 +0000
From srivasta@acm.org Sat Apr 30 22:34:55 2005
Return-path: <srivasta@acm.org>
Received: from host-12-107-230-171.dtccom.net (glaurung.internal.golden-gryphon.com) [12.107.230.171] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DS76T-0003Wz-00; Sat, 30 Apr 2005 22:34:53 -0700
Received: from glaurung.internal.golden-gryphon.com (srivasta@localhost [127.0.0.1])
	by glaurung.internal.golden-gryphon.com (8.13.4/8.13.4/Debian-2) with ESMTP id j415QSoj030335
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <submit@bugs.debian.org>; Sun, 1 May 2005 00:26:28 -0500
Received: (from srivasta@localhost)
	by glaurung.internal.golden-gryphon.com (8.13.4/8.13.4/Submit) id j415QRm9030334;
	Sun, 1 May 2005 00:26:27 -0500
X-Authentication-Warning: glaurung.internal.golden-gryphon.com: srivasta set sender to srivasta@acm.org using -f
From: Manoj Srivastava <srivasta@acm.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dpkg: Please pull from srivasta@debian.org--2005-selinux/dpkg--selinux--1.13
Organization: Manoj Srivastava's Home
X-Debbugs-CC: Manoj Srivastava <srivasta@acm.org>
Mail-Copies-To: nobody
X-Hashcash: 1:25:050501:submit@bugs.debian.org::endtGA5qk4GI84gx:000000000000000000000000000000000000001XeLJ
Date: Sun, 01 May 2005 00:26:26 -0500
Message-ID: <87y8az8qkd.fsf@glaurung.internal.golden-gryphon.com>
User-Agent: Gnus/5.110003 (No Gnus v0.3) Emacs/22.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-CRM114-Score: -113.9445
X-CRM114-Status: Good  ( pR: -113.9445 )
X-SA-Orig: -9.899, -113.9445
X-Spam-Value: -26.87125
X-SA-Rep: -26.87125 ALL_TRUSTED,BAYES_00,HASHCASH_25
X-Scanned-By: MIMEDefang version 2.51 (www . roaringpenguin . com / mimedefang) on 192.168.1.10
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

--=-=-=

Package: dpkg
Version: 1.13.5~
Severity: wishlist
Tags: patch

Hi,

        I have created a small (68 lines addition in lib/star.c) patch
 for SELinux support in dpkg. This is against the version pulled from
 scott@netsplit.com--2005/dpkg--devel--1.13--patch-137. Adding in
 changes to configure, Makefile.am's for the binaries, ChangeLog, and
 ./debian/changelog, we have 188 lines of additions, 7 deletions over
 10 files (the bulk being 68 lines of code change and 30 lines of
 ChangeLog).

	There is no change in the generated binaries unless configure
 is called with the --enable-selinux option, and then no change in
 behaviour on a non-selinux system. You can browse the branch at:
 http://www.golden-gryphon.com/cgi-bin/archzoom.cgi/srivasta@debian.org--2005-selinux/dpkg--selinux?expand?

 I have tested the build on SELinux UMLs, and on non-selinux machines.

 Pre-built binaries are available from
----------------------------------------------------------------
 deb http://people.debian.org/~srivasta/ packages/ 
 deb-src http://people.debian.org/~srivasta/ packages/source/
----------------------------------------------------------------

 Thanks,

 manoj

,----[ diffstat /tmp/selinux.patch  ]
|  ChangeLog              |   29 ++++++++++++++++++++
|  configure.ac           |    7 +++++
|  debian/changelog       |    8 +++++
|  debian/control         |    2 -
|  debian/rules           |    1 
|  dpkg-deb/Makefile.am   |    2 -
|  dpkg-split/Makefile.am |    2 -
|  dselect/Makefile.am    |    2 -
|  lib/star.c             |   68 +++++++++++++++++++++++++++++++++++++++++++++++++
|  src/Makefile.am        |    4 +-
|  10 files changed, 118 insertions(+), 7 deletions(-)
`----



--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=selinux.patch
Content-Description: SELinux patch

--- orig/ChangeLog
+++ mod/ChangeLog
@@ -1,3 +1,32 @@
+2005-04-30  Manoj Srivastava  <srivasta@debian.org>
+
+	* lib/star.c Include <selinux/selinux.h> if compiling with selinux
+	support
+	(ExtractFile): Add code (inside a #ifdef WITH_Se-Linux) to
+	test if Se-Linux is enabled, and, if so, to find out what the
+	security context of a file is, given its path. We only test for
+	SELinux being enabled once, and not for every file.  If we can
+	determine what the security context of the file ought to be, we
+	try and set the security context. If not, let the default security
+	context for the process be applied.
+	(SetModes): ditto.
+
+	* configure.ac: Add a --enable-selinux option, and have it set the
+	WITH_SELINUX cpp var, as well as set LIB_SELINUX.
+
+	* debian/control (Build-Depends): Add libselinux1-dev as a build
+	dependency. 
+
+	* debian/rules: Add --enable-selinux to the configure command.
+
+	* dpkg-deb/Makefile.am (dpkg_deb_LDADD): Add @LIB_SELINUX@ to the binary
+	link command for dpkg_deb
+	* dpkg-split/Makefile.am (dpkg_split_LDADD): ditto for dpkg-split
+	* dselect/Makefile.am (dselect_LDADD): ditto for dselect
+	* src/Makefile.am (dpkg_LDADD): ditto for dpkg
+	(dpkg_query_LDADD): ditto for dpkg_query
+
+
 2005-04-03  Scott James Remnant  <scott@netsplit.com>
 
 	* scripts/dpkg-architecture.pl (gnu_to_debian): Check cputable
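Review bot: the (ExtractFile) entry names the guard as `#ifdef WITH_Se-Linux`, but the macro the configure.ac and lib/star.c hunks actually use is `WITH_SELINUX`; use the real name so the ChangeLog can be grepped against the code, and spell the project "SELinux" rather than "Se-Linux" in the same sentence.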


--- orig/configure.ac
+++ mod/configure.ac
@@ -11,6 +11,13 @@
 
 AM_INIT_AUTOMAKE([1.8 gnu])
 
+dnl Give the chance to enable SELINUX
+AC_ARG_ENABLE(selinux, dnl
+[  --enable-selinux              Enable use of the SELINUX libraries],
+[AC_DEFINE(WITH_SELINUX, 1, [Define if you want to use SELINUX])
+LIB_SELINUX="-lselinux"
+AC_SUBST(LIB_SELINUX)])
+
 AM_GNU_GETTEXT_VERSION(0.14.1)
 AM_GNU_GETTEXT()
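Review bot: `AC_SUBST(LIB_SELINUX)` is only reached when `--enable-selinux` is given, so a build without the option leaves the literal token `@LIB_SELINUX@` on every _LDADD line that this patch touches, and the link fails; initialise `LIB_SELINUX=` and call `AC_SUBST(LIB_SELINUX)` unconditionally, outside the action block. Two further points on the same hunk: the action-if-given of `AC_ARG_ENABLE` also runs for `--disable-selinux` and `--enable-selinux=no`, so test `$enableval` (e.g. `test "x$enableval" = xyes`) before the `AC_DEFINE`; and nothing verifies that `<selinux/selinux.h>` and `-lselinux` exist, where an `AC_CHECK_LIB(selinux, is_selinux_enabled, ...)` plus `AC_CHECK_HEADER` would turn a late compile or link failure into a clear configure-time error.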
 


--- orig/debian/changelog
+++ mod/debian/changelog
@@ -1,6 +1,12 @@
 dpkg (1.13.5~) experimental; urgency=low
 
-  * 
+  * Added SELinux awareness to dpkg. This includeas adding libselinux1-dev
+    to the build dependencies, and adding a --enable-selinux switch to
+    configure, and adding -lselinux to the link command for various
+    binaries (anything that uses libdpkg, actually). If the
+    --enable-selinux switch  is not invoked in ./debian/rules, there is no
+    SELinux dependency, and there is no run time performance hit (all the
+    code in lib/star.c would be compiled out).  -- Manoj
 
  --
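Review bot: "includeas" should be "includes", and the trailing "-- Manoj" inside the bullet is not the changelog trailer format. More substantively, the entry says there is no SELinux dependency unless `--enable-selinux` is invoked, yet this same patch adds `--enable-selinux` to debian/rules and `libselinux1-dev` to Build-Depends unconditionally, so the Debian build always carries the dependency; the entry should say that plainly.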
 


--- orig/debian/control
+++ mod/debian/control
@@ -6,7 +6,7 @@
 Origin: debian
 Bugs: debbugs://bugs.debian.org
 Standards-Version: 3.6.1.0
-Build-Depends: debhelper (>= 4.1.81), libncurses5-dev | libncurses-dev, zlib1g-dev (>= 1:1.1.3-19.1), libbz2-dev
+Build-Depends: debhelper (>= 4.1.81), libncurses5-dev | libncurses-dev, zlib1g-dev (>= 1:1.1.3-19.1), libbz2-dev, libselinux1-dev
 
 Package: dpkg
 Architecture: any
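Review bot: `libselinux1-dev` is added with no version constraint, while the lib/star.c hunks call `matchpathcon()`, `fsetfilecon()`, `lsetfilecon()` and `freecon()`; state the minimum libselinux1-dev version that provides those, and, since the dependency is unconditional, consider an architecture qualifier on it (the `pkg [!arch]` Build-Depends syntax) if libselinux is not available on every architecture dpkg is built for.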


--- orig/debian/rules
+++ mod/debian/rules
@@ -45,6 +45,7 @@
 		--sysconfdir=/etc \
 		--localstatedir=/var/lib \
 		--with-zlib=static \
+                --enable-selinux \
 		--with-bz2=static
 
 # Build the package in build-tree
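Review bot: the added `--enable-selinux \` continuation line is indented with spaces while the surrounding `--sysconfdir`, `--localstatedir` and `--with-*` lines use a tab; match the existing indentation so the block stays aligned.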


--- orig/dpkg-deb/Makefile.am
+++ mod/dpkg-deb/Makefile.am
@@ -16,4 +16,4 @@
 	info.c \
 	main.c
 
-dpkg_deb_LDADD = $(LIBINTL) ../lib/libdpkg.a $(ZLIB_LIBS) $(BZ2_LIBS)
+dpkg_deb_LDADD = $(LIBINTL) ../lib/libdpkg.a $(ZLIB_LIBS) $(BZ2_LIBS) @LIB_SELINUX@
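Review bot: `@LIB_SELINUX@` is appended by hand to five separate _LDADD lines in this patch; since every one of them links the static `../lib/libdpkg.a` that now references libselinux symbols, a single substituted variable covering libdpkg's link requirements (or adding `-lselinux` to libdpkg's own LIBADD if it becomes a libtool library) would keep the call sites from drifting. Minor style point: the rest of this line refers to substituted variables as `$(ZLIB_LIBS)` and `$(BZ2_LIBS)`; `$(LIB_SELINUX)` works identically for an `AC_SUBST`'d variable and matches that convention.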


--- orig/dpkg-split/Makefile.am
+++ mod/dpkg-split/Makefile.am
@@ -17,7 +17,7 @@
 	queue.c \
 	split.c
 
-dpkg_split_LDADD = $(LIBINTL) ../lib/libdpkg.a
+dpkg_split_LDADD = $(LIBINTL) ../lib/libdpkg.a @LIB_SELINUX@
 
 
 pkglib_SCRIPTS = mksplit


--- orig/dselect/Makefile.am
+++ mod/dselect/Makefile.am
@@ -31,7 +31,7 @@
 	pkgsublist.cc \
 	pkgtop.cc
 
-dselect_LDADD = $(LIBINTL) ../lib/libdpkg.a $(CURSES_LIBS)
+dselect_LDADD = $(LIBINTL) ../lib/libdpkg.a $(CURSES_LIBS) @LIB_SELINUX@
 
 
 EXTRA_DIST = keyoverride mkcurkeys.pl


--- orig/lib/star.c
+++ mod/lib/star.c
@@ -11,6 +11,10 @@
 #include <errno.h>
 #include <string.h>
 #include <time.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+static int selinux_enabled=-1;
+#endif
 
 static int
 Read(void * userData, char * buffer, int length)
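Review bot: `WITH_SELINUX` is defined through `AC_DEFINE` in configure.ac, i.e. it lives in config.h, so this `#ifdef` only takes effect if lib/star.c includes config.h above these lines; the visible context starts at `<errno.h>` and does not show that include, so please confirm it is there. A one-line comment on `static int selinux_enabled=-1;` saying that -1 means "not probed yet" would also help the next reader, since both call sites rely on that sentinel.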
@@ -68,6 +72,38 @@
 	/* fchown() and fchmod() are cheaper than chown() and chmod(). */
 	fchown(fd, i->UserID, i->GroupID);
 	fchmod(fd, i->Mode & ~S_IFMT);
+#ifdef WITH_SELINUX
+        /* Set selinux_enabled if it is not already set (singleton) */
+        if(selinux_enabled < 0) {
+           selinux_enabled = (is_selinux_enabled()>0);
+         } /* end of if(selinux_enabled < 0) */
+
+        /* Since selinux is enabled, try and set the context */
+        if(selinux_enabled == 1) {
+           security_context_t scontext = NULL;
+           /*
+            * well, we could use
+            *   void set_matchpathcon_printf(void (*f)(const char *fmt, ...));
+            * to redirect the errors from the following bit, but that
+            * seems too much effort.
+            */
+
+           /*
+            * Do nothing if we can't figure out what the context is,
+            * or if it has no context; in which case the default
+            * context shall be applied.
+            */
+           if( ! ((matchpathcon(i->Name, i->Mode & ~S_IFMT, &scontext) != 0) ||
+                  (strcmp(scontext, "<<none>>") == 0)))
+            {
+              if(fsetfilecon(fd, scontext) < 0)
+               {
+                 perror("Error setting File context:");
+               }
+            }
+           freecon(scontext);
+         } /* end of if(selinux_enabled == 1) */
+#endif  /* WITH_SELINUX */
 	close(fd);
 	t.actime = time(0);
 	t.modtime = i->ModTime;
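Review bot: `matchpathcon(i->Name, i->Mode & ~S_IFMT, &scontext)` strips exactly the bits `matchpathcon()` looks at: its mode argument is consulted only for the S_IFMT file-type bits, which select among type-qualified file_contexts entries (`--`, `-d`, `-l`, ...), and a mode whose type bits are zero matches every entry. As written every lookup is therefore a match-any lookup, and a type-qualified entry can be chosen for the wrong kind of object (for example a regular-file-only rule applied to a symlink). If `i->Mode` carries the type bits, pass `i->Mode & S_IFMT`; if it does not, derive the S_IF* value from the tar entry's type. Two smaller points: `perror("Error setting File context:")` yields a doubled colon because `perror` appends ": <strerror>", so drop the trailing colon; and `freecon(scontext)` after a failed `matchpathcon()` is harmless (it frees NULL) but reads more clearly inside the success branch.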
@@ -85,6 +121,38 @@
 	chown(i->Name, i->UserID, i->GroupID);
 #endif
 	chmod(i->Name, i->Mode & ~S_IFMT);
+#ifdef WITH_SELINUX
+        /* Set selinux_enabled if it is not already set (singleton) */
+        if(selinux_enabled < 0) {
+           selinux_enabled = (is_selinux_enabled()>0);
+         } /* end of if(selinux_enabled < 0) */
+
+        /* Since selinux is enabled, try and set the context */
+        if(selinux_enabled == 1) {
+           security_context_t scontext = NULL;
+           /*
+            * well, we could use
+            *   void set_matchpathcon_printf(void (*f)(const char *fmt, ...));
+            * to redirect the errors from the following bit, but that
+            * seems too much effort.
+            */
+
+           /*
+            * Do nothing if we can't figure out what the context is,
+            * or if it has no context; in which case the default
+            * context shall be applied.
+            */
+           if( ! ((matchpathcon(i->Name, i->Mode & ~S_IFMT, &scontext) != 0) ||
+                  (strcmp(scontext, "<<none>>") == 0)))
+            {
+              if(lsetfilecon(i->Name, scontext) < 0)
+               {
+                 perror("Error setting File context:");
+               }
+            }
+           freecon(scontext);
+         } /* end of if(selinux_enabled == 1) */
+#endif  /* WITH_SELINUX */
 	t.actime = time(0);
 	t.modtime = i->ModTime;
 	utime(i->Name, &t);
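Review bot: this block is a verbatim copy of the one added to ExtractFile(), differing only in `lsetfilecon(i->Name, scontext)` versus `fsetfilecon(fd, scontext)`; factor it into a static helper taking the path, the mode and an optional fd, so that the `& ~S_IFMT` mask and the `perror` message need fixing in one place and the two call sites cannot drift. `lsetfilecon()` is the right call here for symlinks (it labels the link itself), which is one more reason the type passed to `matchpathcon()` should be the object's real type rather than a masked-off mode.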


--- orig/src/Makefile.am
+++ mod/src/Makefile.am
@@ -25,14 +25,14 @@
 	select.c \
 	update.c
 
-dpkg_LDADD = $(LIBINTL) ../lib/libdpkg.a $(ZLIB_LIBS) $(BZ2_LIBS)
+dpkg_LDADD = $(LIBINTL) ../lib/libdpkg.a $(ZLIB_LIBS) $(BZ2_LIBS) @LIB_SELINUX@
 
 dpkg_query_SOURCES = \
 	errors.c \
 	filesdb.c filesdb.h \
 	query.c
 
-dpkg_query_LDADD = $(LIBINTL) ../lib/libdpkg.a $(ZLIB_LIBS) $(BZ2_LIBS)
+dpkg_query_LDADD = $(LIBINTL) ../lib/libdpkg.a $(ZLIB_LIBS) $(BZ2_LIBS) @LIB_SELINUX@
 
 
 install-data-local:
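Review bot: dpkg itself clearly needs libselinux, since it unpacks archives through lib/star.c, but dpkg-query (sources listed above: errors.c, filesdb.c, query.c) reads the database rather than extracting files. With a static `libdpkg.a`, `star.o` is only pulled in if something references it, so if dpkg-query does not, `-lselinux` merely adds a NEEDED entry on the shared libselinux to a binary that never calls it. Worth checking with `objdump -p dpkg-query | grep NEEDED` after the build; the same question applies to the dpkg-split and dselect LDADD changes in this patch.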




--=-=-=




-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.2-skas3-v8-rc2
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages dpkg depends on:
ii  dselect                     1.10.27      a user tool to manage Debian packa
ii  libc6                       2.3.2.ds1-21 GNU C Library: Shared libraries an

-- no debconf information

-- 
The clash of ideas is the sound of freedom.
Manoj Srivastava   <manoj.srivastava@stdc.com>    <srivasta@acm.org> 
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

--=-=-=--
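The report above describes the patch's core step as "find out what the security context of a file is, given its path", and the patch does that with `matchpathcon(i->Name, i->Mode & ~S_IFMT, ...)`. The following C program is an added example, not dpkg or libselinux code: it implements a miniature matchpathcon() over a constructed file_contexts-style table so the lookup rule (regex anchored as `^...$`, the type column matched against the S_IFMT bits of the mode, last matching row wins, `<<none>>` meaning "do not relabel") can be run and inspected offline. The table, its regexes and every context label in it are invented for illustration; only the `--`, `-d` and `-l` type letters are modelled, and the function names `mini_matchpathcon` and `context_to_apply` are the example's own.

```c
/* Added example (not dpkg or libselinux code): a miniature matchpathcon()
 * over a constructed file_contexts table, to show what the mode argument
 * is used for.  libselinux compares the S_IFMT bits of the mode against
 * the type column ("--" regular file, "-d" directory, "-l" symlink, ...)
 * and, when several rows match a path, the last one wins.  Regexes are
 * implicitly anchored, as in file_contexts.  Contexts below are invented. */
#define _XOPEN_SOURCE 700
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#ifndef S_IFLNK                 /* strict ISO C builds hide this POSIX constant */
#define S_IFLNK 0120000
#endif

struct fc_rule {
    const char *regex;    /* file_contexts regex, matched as ^regex$ */
    const char *type;     /* "--", "-d", "-l", or NULL for any type */
    const char *context;  /* label to apply, or "<<none>>" */
};

/* Constructed table, in the order it would appear in file_contexts. */
static const struct fc_rule file_contexts[] = {
    { "/usr/lib(/.*)?",                  NULL, "system_u:object_r:lib_t:s0" },
    { "/usr/lib/[^/]*\\.so(\\.[0-9]+)*", "--", "system_u:object_r:shlib_t:s0" },
    { "/var/lib/dpkg(/.*)?",             NULL, "system_u:object_r:dpkg_var_lib_t:s0" },
    { "/var/lib/dpkg/lock",              "--", "system_u:object_r:dpkg_lock_t:s0" },
    { "/proc(/.*)?",                     NULL, "<<none>>" },
};

/* Does the rule's type column accept this mode?  A mode whose S_IFMT bits
 * are all zero (which is what (mode & ~S_IFMT) always yields) is treated as
 * "any type", the same way matchpathcon() treats a mode of 0. */
static int type_matches(const char *type, mode_t mode)
{
    mode_t fmt = mode & S_IFMT;
    if (type == NULL || fmt == 0)
        return 1;
    if (strcmp(type, "--") == 0) return fmt == S_IFREG;
    if (strcmp(type, "-d") == 0) return fmt == S_IFDIR;
    if (strcmp(type, "-l") == 0) return fmt == S_IFLNK;
    return 0;   /* other type letters are not modelled in this example */
}

/* Context of the last rule matching path and mode, or NULL if none does. */
const char *mini_matchpathcon(const char *path, mode_t mode)
{
    const char *found = NULL;
    size_t n = sizeof file_contexts / sizeof file_contexts[0];
    for (size_t i = 0; i < n; i++) {
        regex_t re;
        char anchored[256];
        if (!type_matches(file_contexts[i].type, mode))
            continue;
        snprintf(anchored, sizeof anchored, "^%s$", file_contexts[i].regex);
        if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0)
            continue;           /* a malformed row is skipped, not fatal */
        if (regexec(&re, path, 0, NULL, 0) == 0)
            found = file_contexts[i].context;   /* later rows override earlier */
        regfree(&re);
    }
    return found;
}

/* The decision the patch makes before fsetfilecon()/lsetfilecon(): return a
 * label only when the lookup succeeds and does not answer "<<none>>";
 * NULL means "leave the process default context in place". */
const char *context_to_apply(const char *path, mode_t mode)
{
    const char *c = mini_matchpathcon(path, mode);
    if (c == NULL || strcmp(c, "<<none>>") == 0)
        return NULL;
    return c;
}

int main(void)
{
    /* A development symlink libfoo.so -> libfoo.so.1 (constructed case). */
    const char *path = "/usr/lib/libfoo.so";
    mode_t mode = S_IFLNK | 0777;
    const char *kept = context_to_apply(path, mode & S_IFMT);
    const char *stripped = context_to_apply(path, mode & ~S_IFMT);

    printf("type bits kept:     %s -> %s\n", path, kept ? kept : "(default)");
    printf("type bits stripped: %s -> %s\n", path, stripped ? stripped : "(default)");
    printf("/proc/self/status   -> %s\n",
           context_to_apply("/proc/self/status", S_IFREG | 0444) ? "label" : "left alone (<<none>>)");
    return 0;
}
```

With the type bits kept, the symlink matches only the catch-all `/usr/lib` row and gets lib_t; with them masked off, the regular-file-only `.so` row also matches and, being later in the table, wins, so the link is labelled as a shared library. The `/proc` case shows the `<<none>>` path the patch tests for with `strcmp`.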

---------------------------------------
Received: (at 307139-close) by bugs.debian.org; 12 Jun 2005 16:09:25 +0000
From katie@ftp-master.debian.org Sun Jun 12 09:09:25 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DhV1Y-0003sk-00; Sun, 12 Jun 2005 09:09:24 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1DhUuk-0005hN-00; Sun, 12 Jun 2005 12:02:22 -0400
From: Scott James Remnant <scott@netsplit.com>
To: 307139-close@bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#307139: fixed in dpkg 1.13.9
Message-Id: <E1DhUuk-0005hN-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sun, 12 Jun 2005 12:02:22 -0400
Delivered-To: 307139-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 8

Source: dpkg
Source-Version: 1.13.9

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive:

dpkg-dev_1.13.9_all.deb
  to pool/main/d/dpkg/dpkg-dev_1.13.9_all.deb
dpkg_1.13.9.dsc
  to pool/main/d/dpkg/dpkg_1.13.9.dsc
dpkg_1.13.9.tar.gz
  to pool/main/d/dpkg/dpkg_1.13.9.tar.gz
dpkg_1.13.9_i386.deb
  to pool/main/d/dpkg/dpkg_1.13.9_i386.deb
dselect_1.13.9_i386.deb
  to pool/main/d/dpkg/dselect_1.13.9_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 307139@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott James Remnant <scott@netsplit.com> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 12 Jun 2005 15:52:43 +0100
Source: dpkg
Binary: dpkg dselect dpkg-dev
Architecture: source i386 all
Version: 1.13.9
Distribution: unstable
Urgency: low
Maintainer: Scott James Remnant <scott@netsplit.com>
Changed-By: Scott James Remnant <scott@netsplit.com>
Description: 
 dpkg       - Package maintenance system for Debian
 dpkg-dev   - Package building tools for Debian
 dselect    - a user tool to manage Debian packages
Closes: 21236 156317 193653 246802 249496 282323 304297 307139
Changes: 
 dpkg (1.13.9) unstable; urgency=low
 .
   The "On like Donkey Kong" Release.
 .
   * Only open the log file when we first need to write to it, this avoids
     the need to suppress errors when not root which fakeroot defeated anyway.
   * Stop dpkg-source clobbering an existing .orig directory during unpacking.
     Closes: #21236.
   * Allow an alternate output directory to be specified to dpkg-source by
     giving a second argument to -x.  Closes: #246802, #282323.
   * Added .arch-inventory to default diff ignore regexp.  Closes: #304297.
 .
   SELinux support (Manoj Srivastava):
   * On SELinux-enabled systems, try to set the security context when the
     package is unpacked.  Closes: #193653, #249496, #307139.
   * Added build-dependency on libselinux1-dev.
 .
   Improvements to dpkg-source (Brendan O'Dea):
   * Support unpacking of "Wig And Pen" (Format 2.0) source packages.
   * Multiple pristine upstream tarballs allowed.
   * Native and upstream tarballs may be bzip2-compressed instead of gzip,
     as may the debian diff or tarball.
   * Unsupported format error fixed to output the unsupported format
     rather than the supported one.  Closes: #156317.
Files: 
 3de37042afe8c16293e23402936dba18 622 base required dpkg_1.13.9.dsc
 11351b33bcd380f849e3ce1e24b1ce2e 3557423 base required dpkg_1.13.9.tar.gz
 7c534ffbcdb85a133f33cfc5f60332e3 1781280 base required dpkg_1.13.9_i386.deb
 88135455172d9144ca78cdd06784cd1a 120494 base required dselect_1.13.9_i386.deb
 2450a224892ab56d6d9a9c19f10e7650 162762 utils standard dpkg-dev_1.13.9_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCrFjDIexP3IStZ2wRAkmIAJ0RPWcgEXgPIVo/qxUdkvIg4XT95QCgq5HA
6knfxRHT+I65fJDZ57H35rs=
=2sT8
-----END PGP SIGNATURE-----


