Loading ...
Sorry, an error occurred while loading the content.

Patch 7.1.296

Expand Messages
  • Bram Moolenaar
    Patch 7.1.296 Problem: SELinux is not supported. Solution: Detect the selinux library and use mch_copy_sec(). (James Vega) Files: src/auto/configure,
    Message 1 of 4 , May 7 10:07 AM
    • 0 Attachment
      Patch 7.1.296
      Problem: SELinux is not supported.
      Solution: Detect the selinux library and use mch_copy_sec(). (James Vega)
      Files: src/auto/configure, src/config.h.in, src/configure.in,
      src/fileio.c, src/memfile.c, src/os_unix.c, src/proto/os_unix.pro


      *** ../vim-7.1.295/src/auto/configure Wed Feb 20 12:43:05 2008
      --- src/auto/configure Wed May 7 18:16:09 2008
      ***************
      *** 845,850 ****
      --- 845,851 ----
      --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
      --enable-FEATURE[=ARG] include FEATURE [ARG=yes]
      --disable-darwin Disable Darwin (Mac OS X) support.
      + --disable-selinux Don't check for SELinux support.
      --disable-xsmp Disable XSMP session management
      --disable-xsmp-interact Disable XSMP interaction
      --enable-mzschemeinterp Include MzScheme interpreter.
      ***************
      *** 3611,3616 ****
      --- 3612,3705 ----
      esac
      fi

      + echo "$as_me:$LINENO: checking --disable-selinux argument" >&5
      + echo $ECHO_N "checking --disable-selinux argument... $ECHO_C" >&6
      + # Check whether --enable-selinux or --disable-selinux was given.
      + if test "${enable_selinux+set}" = set; then
      + enableval="$enable_selinux"
      +
      + else
      + enable_selinux="yes"
      + fi;
      + if test "$enable_selinux" = "yes"; then
      + echo "$as_me:$LINENO: result: no" >&5
      + echo "${ECHO_T}no" >&6
      + echo "$as_me:$LINENO: checking for is_selinux_enabled in -lselinux" >&5
      + echo $ECHO_N "checking for is_selinux_enabled in -lselinux... $ECHO_C" >&6
      + if test "${ac_cv_lib_selinux_is_selinux_enabled+set}" = set; then
      + echo $ECHO_N "(cached) $ECHO_C" >&6
      + else
      + ac_check_lib_save_LIBS=$LIBS
      + LIBS="-lselinux $LIBS"
      + cat >conftest.$ac_ext <<_ACEOF
      + /* confdefs.h. */
      + _ACEOF
      + cat confdefs.h >>conftest.$ac_ext
      + cat >>conftest.$ac_ext <<_ACEOF
      + /* end confdefs.h. */
      +
      + /* Override any gcc2 internal prototype to avoid an error. */
      + #ifdef __cplusplus
      + extern "C"
      + #endif
      + /* We use char because int might match the return type of a gcc2
      + builtin and then its argument prototype would still apply. */
      + char is_selinux_enabled ();
      + int
      + main ()
      + {
      + is_selinux_enabled ();
      + ;
      + return 0;
      + }
      + _ACEOF
      + rm -f conftest.$ac_objext conftest$ac_exeext
      + if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
      + (eval $ac_link) 2>conftest.er1
      + ac_status=$?
      + grep -v '^ *+' conftest.er1 >conftest.err
      + rm -f conftest.er1
      + cat conftest.err >&5
      + echo "$as_me:$LINENO: \$? = $ac_status" >&5
      + (exit $ac_status); } &&
      + { ac_try='test -z "$ac_c_werror_flag"
      + || test ! -s conftest.err'
      + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
      + (eval $ac_try) 2>&5
      + ac_status=$?
      + echo "$as_me:$LINENO: \$? = $ac_status" >&5
      + (exit $ac_status); }; } &&
      + { ac_try='test -s conftest$ac_exeext'
      + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
      + (eval $ac_try) 2>&5
      + ac_status=$?
      + echo "$as_me:$LINENO: \$? = $ac_status" >&5
      + (exit $ac_status); }; }; then
      + ac_cv_lib_selinux_is_selinux_enabled=yes
      + else
      + echo "$as_me: failed program was:" >&5
      + sed 's/^/| /' conftest.$ac_ext >&5
      +
      + ac_cv_lib_selinux_is_selinux_enabled=no
      + fi
      + rm -f conftest.err conftest.$ac_objext \
      + conftest$ac_exeext conftest.$ac_ext
      + LIBS=$ac_check_lib_save_LIBS
      + fi
      + echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_is_selinux_enabled" >&5
      + echo "${ECHO_T}$ac_cv_lib_selinux_is_selinux_enabled" >&6
      + if test $ac_cv_lib_selinux_is_selinux_enabled = yes; then
      + LIBS="$LIBS -lselinux"
      + cat >>confdefs.h <<\_ACEOF
      + #define HAVE_SELINUX 1
      + _ACEOF
      +
      + fi
      +
      + else
      + echo "$as_me:$LINENO: result: yes" >&5
      + echo "${ECHO_T}yes" >&6
      + fi


      echo "$as_me:$LINENO: checking --with-features argument" >&5
      *** ../vim-7.1.295/src/config.h.in Tue May 1 13:37:23 2007
      --- src/config.h.in Wed May 7 18:10:49 2008
      ***************
      *** 156,161 ****
      --- 156,162 ----
      #undef HAVE_READLINK
      #undef HAVE_RENAME
      #undef HAVE_SELECT
      + #undef HAVE_SELINUX
      #undef HAVE_SETENV
      #undef HAVE_SETPGID
      #undef HAVE_SETSID
      *** ../vim-7.1.295/src/configure.in Wed Feb 20 12:43:05 2008
      --- src/configure.in Wed May 7 18:15:40 2008
      ***************
      *** 299,304 ****
      --- 299,317 ----
      esac
      fi

      + dnl Link with -lselinux for SELinux stuff; if not found
      + AC_MSG_CHECKING(--disable-selinux argument)
      + AC_ARG_ENABLE(selinux,
      + [ --disable-selinux Don't check for SELinux support.],
      + , enable_selinux="yes")
      + if test "$enable_selinux" = "yes"; then
      + AC_MSG_RESULT(no)
      + AC_CHECK_LIB(selinux, is_selinux_enabled,
      + [LIBS="$LIBS -lselinux"
      + AC_DEFINE(HAVE_SELINUX)])
      + else
      + AC_MSG_RESULT(yes)
      + fi

      dnl Check user requested features.

      *** ../vim-7.1.295/src/fileio.c Tue Mar 11 22:01:16 2008
      --- src/fileio.c Wed May 7 18:17:45 2008
      ***************
      *** 3651,3656 ****
      --- 3660,3668 ----
      )
      mch_setperm(backup,
      (perm & 0707) | ((perm & 07) << 3));
      + # ifdef HAVE_SELINUX
      + mch_copy_sec(fname, backup);
      + # endif
      #endif

      /*
      ***************
      *** 3687,3692 ****
      --- 3699,3707 ----
      #ifdef HAVE_ACL
      mch_set_acl(backup, acl);
      #endif
      + #ifdef HAVE_SELINUX
      + mch_copy_sec(fname, backup);
      + #endif
      break;
      }
      }
      ***************
      *** 4309,4314 ****
      --- 4324,4335 ----
      }
      #endif

      + #ifdef HAVE_SELINUX
      + /* Probably need to set the security context. */
      + if (!backup_copy)
      + mch_copy_sec(backup, wfname);
      + #endif
      +
      #ifdef UNIX
      /* When creating a new file, set its owner/group to that of the original
      * file. Get the new device and inode number. */
      *** ../vim-7.1.295/src/memfile.c Fri May 11 20:15:45 2007
      --- src/memfile.c Wed May 7 18:10:49 2008
      ***************
      *** 1346,1350 ****
      --- 1346,1355 ----
      mfp->mf_ffname = NULL;
      }
      else
      + {
      + #ifdef HAVE_SELINUX
      + mch_copy_sec(fname, mfp->mf_fname);
      + #endif
      mch_hide(mfp->mf_fname); /* try setting the 'hidden' flag */
      + }
      }
      *** ../vim-7.1.295/src/os_unix.c Wed Mar 12 13:16:37 2008
      --- src/os_unix.c Wed May 7 18:24:46 2008
      ***************
      *** 45,50 ****
      --- 45,55 ----
      # include <X11/SM/SMlib.h>
      #endif

      + #ifdef HAVE_SELINUX
      + # include <selinux/selinux.h>
      + static int selinux_enabled = -1;
      + #endif
      +
      /*
      * Use this prototype for select, some include files have a wrong prototype
      */
      ***************
      *** 2557,2562 ****
      --- 2562,2623 ----
      } vim_acl_solaris_T;
      # endif

      + #if defined(HAVE_SELINUX) || defined(PROTO)
      + /*
      + * Copy security info from "from_file" to "to_file".
      + */
      + void
      + mch_copy_sec(from_file, to_file)
      + char_u *from_file;
      + char_u *to_file;
      + {
      + if (from_file == NULL)
      + return;
      +
      + if (selinux_enabled == -1)
      + selinux_enabled = is_selinux_enabled();
      +
      + if (selinux_enabled > 0)
      + {
      + security_context_t from_context = NULL;
      + security_context_t to_context = NULL;
      +
      + if (getfilecon((char *)from_file, &from_context) < 0)
      + {
      + /* If the filesystem doesn't support extended attributes,
      + the original had no special security context and the
      + target cannot have one either. */
      + if (errno == EOPNOTSUPP)
      + return;
      +
      + MSG_PUTS(_("\nCould not get security context for "));
      + msg_outtrans(from_file);
      + msg_putchar('\n');
      + return;
      + }
      + if (getfilecon((char *)to_file, &to_context) < 0)
      + {
      + MSG_PUTS(_("\nCould not get security context for "));
      + msg_outtrans(to_file);
      + msg_putchar('\n');
      + freecon (from_context);
      + return ;
      + }
      + if (strcmp(from_context, to_context) != 0)
      + {
      + if (setfilecon((char *)to_file, from_context) < 0)
      + {
      + MSG_PUTS(_("\nCould not set security context for "));
      + msg_outtrans(to_file);
      + msg_putchar('\n');
      + }
      + }
      + freecon(to_context);
      + freecon(from_context);
      + }
      + }
      + #endif /* HAVE_SELINUX */
      +
      /*
      * Return a pointer to the ACL of file "fname" in allocated memory.
      * Return NULL if the ACL is not available for whatever reason.
      *** ../vim-7.1.295/src/proto/os_unix.pro Sat May 5 20:23:37 2007
      --- src/proto/os_unix.pro Wed May 7 18:25:14 2008
      ***************
      *** 34,39 ****
      --- 34,40 ----
      void fname_case __ARGS((char_u *name, int len));
      long mch_getperm __ARGS((char_u *name));
      int mch_setperm __ARGS((char_u *name, long perm));
      + void mch_copy_sec __ARGS((char_u *from_file, char_u *to_file));
      vim_acl_T mch_get_acl __ARGS((char_u *fname));
      void mch_set_acl __ARGS((char_u *fname, vim_acl_T aclent));
      void mch_free_acl __ARGS((vim_acl_T aclent));
      *** ../vim-7.1.295/src/version.c Wed May 7 17:39:17 2008
      --- src/version.c Wed May 7 18:50:01 2008
      ***************
      *** 668,669 ****
      --- 673,676 ----
      { /* Add new patch number below this line */
      + /**/
      + 296,
      /**/

      --
      Michael: There is no such thing as a dump question.
      Bernard: Sure there is. For example "what is a core dump?"

      /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
      /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
      \\\ download, build and distribute -- http://www.A-A-P.org ///
      \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

      --~--~---------~--~----~------------~-------~--~----~
      You received this message from the "vim_dev" maillist.
      For more information, visit http://www.vim.org/maillist.php
      -~----------~----~----~----~------~----~------~--~---
    • Karsten Hopp
      ... ..... This looks like the patch we currently have in Fedora. There s one minor patch missing, though. When editing a file with a security context the .swp
      Message 2 of 4 , May 8 3:52 AM
      • 0 Attachment
        Bram Moolenaar schrieb:
        >
        > Patch 7.1.296
        > Problem: SELinux is not supported.
        > Solution: Detect the selinux library and use mch_copy_sec(). (James Vega)
        > Files: src/auto/configure, src/config.h.in, src/configure.in,
        > src/fileio.c, src/memfile.c, src/os_unix.c, src/proto/os_unix.pro
        >
        .....

        This looks like the patch we currently have in Fedora. There's one minor patch missing, though.
        When editing a file with a security context the .swp file should have the same context. It
        currently looks like this while editing a file in /tmp:
        $ ls -lZ test.c .test.c.swp
        -rw------- rjc rjc rjc:object_r:src_t test.c
        -rw------- rjc rjc rjc:object_r:tmp_t .test.c.swp
        $

        The file .test.c.swp should have the type src_t. I think the attached patch fixes this.

        Karsten



        --
        Karsten Hopp | Mail: karsten@...
        Red Hat Deutschland | Tel: +49-711-96437-0
        Hauptstaetterstr.58 | Fax: +49-711-613590
        D-70178 Stuttgart | http://www.redhat.de

        --~--~---------~--~----~------------~-------~--~----~
        You received this message from the "vim_dev" maillist.
        For more information, visit http://www.vim.org/maillist.php
        -~----------~----~----~----~------~----~------~--~---
      • James Vega
        ... I made sure to let Bram know that when I sent him the patch. Wouldn t want to take credit for other people s work. :) I had someone request its
        Message 3 of 4 , May 8 7:02 AM
        • 0 Attachment
          On Thu, May 08, 2008 at 12:52:14PM +0200, Karsten Hopp wrote:
          > Bram Moolenaar schrieb:
          > >
          > > Patch 7.1.296
          > > Problem: SELinux is not supported.
          > > Solution: Detect the selinux library and use mch_copy_sec(). (James Vega)
          > > Files: src/auto/configure, src/config.h.in, src/configure.in,
          > > src/fileio.c, src/memfile.c, src/os_unix.c, src/proto/os_unix.pro
          > >
          > .....
          >
          > This looks like the patch we currently have in Fedora.

          I made sure to let Bram know that when I sent him the patch. Wouldn't
          want to take credit for other people's work. :) I had someone request
          its inclusion in the Debian package, so I figured it would be better to
          get it merged upstream than having everyone carrying around the patch on
          their own.

          > There's one minor patch missing, though.
          > When editing a file with a security context the .swp file should have the same context. It
          > currently looks like this while editing a file in /tmp:
          > $ ls -lZ test.c .test.c.swp
          > -rw------- rjc rjc rjc:object_r:src_t test.c
          > -rw------- rjc rjc rjc:object_r:tmp_t .test.c.swp
          > $
          >
          > The file .test.c.swp should have the type src_t. I think the attached patch fixes this.

          The memfile.c changes are already in the patch Bram sent out.

          --
          James
          GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@...>
        • Karsten Hopp
          ... I didn t want to imply that you ve taken credit for someone elses work and I should add that I didn t write that patch either. I think it was written by
          Message 4 of 4 , May 9 2:14 AM
          • 0 Attachment
            James Vega schrieb:
            > On Thu, May 08, 2008 at 12:52:14PM +0200, Karsten Hopp wrote:
            >> Bram Moolenaar schrieb:
            >>> Patch 7.1.296
            >>> Problem: SELinux is not supported.
            >>> Solution: Detect the selinux library and use mch_copy_sec(). (James Vega)
            >>> Files: src/auto/configure, src/config.h.in, src/configure.in,
            >>> src/fileio.c, src/memfile.c, src/os_unix.c, src/proto/os_unix.pro
            >>>
            >> .....
            >>
            >> This looks like the patch we currently have in Fedora.
            >
            > I made sure to let Bram know that when I sent him the patch. Wouldn't
            > want to take credit for other people's work. :) I had someone request
            > its inclusion in the Debian package, so I figured it would be better to
            > get it merged upstream than having everyone carrying around the patch on
            > their own.

            I didn't want to imply that you've taken credit for someone elses work and I should add
            that I didn't write that patch either. I think it was written by Daniel Walsh, one of our
            selinux experts.
            Instead I'd like to apologize for not doing my job properly. I should have sent this patch
            upstream long ago.

            >
            >> There's one minor patch missing, though.
            >> When editing a file with a security context the .swp file should have the same context. It
            >> currently looks like this while editing a file in /tmp:
            >> $ ls -lZ test.c .test.c.swp
            >> -rw------- rjc rjc rjc:object_r:src_t test.c
            >> -rw------- rjc rjc rjc:object_r:tmp_t .test.c.swp
            >> $
            >>
            >> The file .test.c.swp should have the type src_t. I think the attached patch fixes this.
            >
            > The memfile.c changes are already in the patch Bram sent out.
            >


            I stand corrected, I've missed that one...

            Karsten

            --~--~---------~--~----~------------~-------~--~----~
            You received this message from the "vim_dev" maillist.
            For more information, visit http://www.vim.org/maillist.php
            -~----------~----~----~----~------~----~------~--~---
          Your message has been successfully submitted and would be delivered to recipients shortly.