To: vim-dev@vim.org Subject: Patch 7.1.296 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit ------------ Patch 7.1.296 Problem: SELinux is not supported. Solution: Detect the selinux library and use mch_copy_sec(). (James Vega) Files: src/auto/configure, src/config.h.in, src/configure.in, src/fileio.c, src/memfile.c, src/os_unix.c, src/proto/os_unix.pro *** ../vim-7.1.295/src/auto/configure Wed Feb 20 12:43:05 2008 --- src/auto/configure Wed May 7 18:16:09 2008 *************** *** 845,850 **** --- 845,851 ---- --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --disable-darwin Disable Darwin (Mac OS X) support. + --disable-selinux Don't check for SELinux support. --disable-xsmp Disable XSMP session management --disable-xsmp-interact Disable XSMP interaction --enable-mzschemeinterp Include MzScheme interpreter. *************** *** 3611,3616 **** --- 3612,3705 ---- esac fi + echo "$as_me:$LINENO: checking --disable-selinux argument" >&5 + echo $ECHO_N "checking --disable-selinux argument... $ECHO_C" >&6 + # Check whether --enable-selinux or --disable-selinux was given. + if test "${enable_selinux+set}" = set; then + enableval="$enable_selinux" + + else + enable_selinux="yes" + fi; + if test "$enable_selinux" = "yes"; then + echo "$as_me:$LINENO: result: no" >&5 + echo "${ECHO_T}no" >&6 + echo "$as_me:$LINENO: checking for is_selinux_enabled in -lselinux" >&5 + echo $ECHO_N "checking for is_selinux_enabled in -lselinux... $ECHO_C" >&6 + if test "${ac_cv_lib_selinux_is_selinux_enabled+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 + else + ac_check_lib_save_LIBS=$LIBS + LIBS="-lselinux $LIBS" + cat >conftest.$ac_ext <<_ACEOF + /* confdefs.h. */ + _ACEOF + cat confdefs.h >>conftest.$ac_ext + cat >>conftest.$ac_ext <<_ACEOF + /* end confdefs.h. */ + + /* Override any gcc2 internal prototype to avoid an error. */ + #ifdef __cplusplus + extern "C" + #endif + /* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ + char is_selinux_enabled (); + int + main () + { + is_selinux_enabled (); + ; + return 0; + } + _ACEOF + rm -f conftest.$ac_objext conftest$ac_exeext + if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_selinux_is_selinux_enabled=yes + else + echo "$as_me: failed program was:" >&5 + sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_selinux_is_selinux_enabled=no + fi + rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LIBS=$ac_check_lib_save_LIBS + fi + echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_is_selinux_enabled" >&5 + echo "${ECHO_T}$ac_cv_lib_selinux_is_selinux_enabled" >&6 + if test $ac_cv_lib_selinux_is_selinux_enabled = yes; then + LIBS="$LIBS -lselinux" + cat >>confdefs.h <<\_ACEOF + #define HAVE_SELINUX 1 + _ACEOF + + fi + + else + echo "$as_me:$LINENO: result: yes" >&5 + echo "${ECHO_T}yes" >&6 + fi echo "$as_me:$LINENO: checking --with-features argument" >&5 *** ../vim-7.1.295/src/config.h.in Tue May 1 13:37:23 2007 --- src/config.h.in Wed May 7 18:10:49 2008 *************** *** 156,161 **** --- 156,162 ---- #undef HAVE_READLINK #undef HAVE_RENAME #undef HAVE_SELECT + #undef HAVE_SELINUX #undef HAVE_SETENV #undef HAVE_SETPGID #undef HAVE_SETSID *** ../vim-7.1.295/src/configure.in Wed Feb 20 12:43:05 2008 --- src/configure.in Wed May 7 18:15:40 2008 *************** *** 299,304 **** --- 299,317 ---- esac fi + dnl Link with -lselinux for SELinux stuff; if not found + AC_MSG_CHECKING(--disable-selinux argument) + AC_ARG_ENABLE(selinux, + [ --disable-selinux Don't check for SELinux support.], + , enable_selinux="yes") + if test "$enable_selinux" = "yes"; then + AC_MSG_RESULT(no) + AC_CHECK_LIB(selinux, is_selinux_enabled, + [LIBS="$LIBS -lselinux" + AC_DEFINE(HAVE_SELINUX)]) + else + AC_MSG_RESULT(yes) + fi dnl Check user requested features. *** ../vim-7.1.295/src/fileio.c Tue Mar 11 22:01:16 2008 --- src/fileio.c Wed May 7 18:17:45 2008 *************** *** 3651,3656 **** --- 3660,3668 ---- ) mch_setperm(backup, (perm & 0707) | ((perm & 07) << 3)); + # ifdef HAVE_SELINUX + mch_copy_sec(fname, backup); + # endif #endif /* *************** *** 3687,3692 **** --- 3699,3707 ---- #ifdef HAVE_ACL mch_set_acl(backup, acl); #endif + #ifdef HAVE_SELINUX + mch_copy_sec(fname, backup); + #endif break; } } *************** *** 4309,4314 **** --- 4324,4335 ---- } #endif + #ifdef HAVE_SELINUX + /* Probably need to set the security context. */ + if (!backup_copy) + mch_copy_sec(backup, wfname); + #endif + #ifdef UNIX /* When creating a new file, set its owner/group to that of the original * file. Get the new device and inode number. */ *** ../vim-7.1.295/src/memfile.c Fri May 11 20:15:45 2007 --- src/memfile.c Wed May 7 18:10:49 2008 *************** *** 1346,1350 **** --- 1346,1355 ---- mfp->mf_ffname = NULL; } else + { + #ifdef HAVE_SELINUX + mch_copy_sec(fname, mfp->mf_fname); + #endif mch_hide(mfp->mf_fname); /* try setting the 'hidden' flag */ + } } *** ../vim-7.1.295/src/os_unix.c Wed Mar 12 13:16:37 2008 --- src/os_unix.c Wed May 7 18:24:46 2008 *************** *** 45,50 **** --- 45,55 ---- # include #endif + #ifdef HAVE_SELINUX + # include + static int selinux_enabled = -1; + #endif + /* * Use this prototype for select, some include files have a wrong prototype */ *************** *** 2557,2562 **** --- 2562,2623 ---- } vim_acl_solaris_T; # endif + #if defined(HAVE_SELINUX) || defined(PROTO) + /* + * Copy security info from "from_file" to "to_file". + */ + void + mch_copy_sec(from_file, to_file) + char_u *from_file; + char_u *to_file; + { + if (from_file == NULL) + return; + + if (selinux_enabled == -1) + selinux_enabled = is_selinux_enabled(); + + if (selinux_enabled > 0) + { + security_context_t from_context = NULL; + security_context_t to_context = NULL; + + if (getfilecon((char *)from_file, &from_context) < 0) + { + /* If the filesystem doesn't support extended attributes, + the original had no special security context and the + target cannot have one either. */ + if (errno == EOPNOTSUPP) + return; + + MSG_PUTS(_("\nCould not get security context for ")); + msg_outtrans(from_file); + msg_putchar('\n'); + return; + } + if (getfilecon((char *)to_file, &to_context) < 0) + { + MSG_PUTS(_("\nCould not get security context for ")); + msg_outtrans(to_file); + msg_putchar('\n'); + freecon (from_context); + return ; + } + if (strcmp(from_context, to_context) != 0) + { + if (setfilecon((char *)to_file, from_context) < 0) + { + MSG_PUTS(_("\nCould not set security context for ")); + msg_outtrans(to_file); + msg_putchar('\n'); + } + } + freecon(to_context); + freecon(from_context); + } + } + #endif /* HAVE_SELINUX */ + /* * Return a pointer to the ACL of file "fname" in allocated memory. * Return NULL if the ACL is not available for whatever reason. *** ../vim-7.1.295/src/proto/os_unix.pro Sat May 5 20:23:37 2007 --- src/proto/os_unix.pro Wed May 7 18:25:14 2008 *************** *** 34,39 **** --- 34,40 ---- void fname_case __ARGS((char_u *name, int len)); long mch_getperm __ARGS((char_u *name)); int mch_setperm __ARGS((char_u *name, long perm)); + void mch_copy_sec __ARGS((char_u *from_file, char_u *to_file)); vim_acl_T mch_get_acl __ARGS((char_u *fname)); void mch_set_acl __ARGS((char_u *fname, vim_acl_T aclent)); void mch_free_acl __ARGS((vim_acl_T aclent)); *** ../vim-7.1.295/src/version.c Wed May 7 17:39:17 2008 --- src/version.c Wed May 7 18:50:01 2008 *************** *** 668,669 **** --- 673,676 ---- { /* Add new patch number below this line */ + /**/ + 296, /**/ -- Michael: There is no such thing as a dump question. Bernard: Sure there is. For example "what is a core dump?" /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ download, build and distribute -- http://www.A-A-P.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///