Bug#474102: vim: SE Linux support for VIM

Vaclav Ovsik vaclav.ovsik at i.cz
Thu Apr 3 11:38:37 UTC 2008


Package: vim
Version: 1:7.1.285-1
Severity: normal
Tags: selinux patch

Hi,
Could SE Linux support be included in a future VIM release, please? The
problem with the current VIM is that it does not preserve the file's security context.
When the SE Linux policy defines a different security context for a file
(file context by path pattern) than the one obtained by transition rules, an
editor without SE Linux support leaves the file with the latter context. It is
very annoying to have to check the SE Linux context after every edit and run
restorecon afterwards.

The presented problem:

    sid:/etc# dpkg -l 'vim*'|grep '^ii'
    ii  vim                               1:7.1.285-1                 Vi IMproved - enhanced vi editor
    ii  vim-common                        1:7.1.285-1                 Vi IMproved - Common files
    ii  vim-runtime                       1:7.1.285-1                 Vi IMproved - Runtime files
    sid:/etc# restorecon syslog.conf
    sid:/etc# ls -laZ syslog.conf 
    -rw-r--r-- 1 root root system_u:object_r:syslog_conf_t:s0 1614 Apr  3 12:23 syslog.conf
    sid:/etc# vim -c write -c quit syslog.conf
    sid:/etc# ls -laZ syslog.conf 
    -rw-r--r-- 1 root root staff_u:object_r:etc_t:s0 1614 Apr  3 12:53 syslog.conf

# /etc/syslog.conf context was changed to staff_u:object_r:etc_t:s0
# this is the problem

    sid:/etc# dpkg -l 'vim*'|grep '^ii'
    ii  vim                               1:7.1.285-2~icz+2           Vi IMproved - enhanced vi editor
    ii  vim-common                        1:7.1.285-2~icz+2           Vi IMproved - Common files
    ii  vim-runtime                       1:7.1.285-2~icz+2           Vi IMproved - Runtime files
    sid:/etc# restorecon syslog.conf
    sid:/etc# vim -c write -c quit syslog.conf
    sid:/etc# ls -laZ syslog.conf 
    -rw-r--r-- 1 root root system_u:object_r:syslog_conf_t:s0 1614 Apr  3 12:56 syslog.conf

# The patched version is OK :)

Fedora has already had VIM patched for some time, so I prepared the
change for the VIM package based on the Fedora source RPM.

Could you be so kind as to include the attached change in some form?

Best Regards
-- 
Zito

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-6-xen-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash

Versions of packages vim depends on:
ii  libacl1                2.2.45-1          Access control list shared library
ii  libc6                  2.7-10            GNU C Library: Shared libraries
ii  libgpmg1               1.20.3~pre3-3     General Purpose Mouse - shared lib
ii  libncurses5            5.6+20080308-1    Shared libraries for terminal hand
ii  libselinux1            2.0.59-1          SELinux shared libraries
ii  vim-common             1:7.1.285-1	     Vi IMproved - Common files
ii  vim-runtime            1:7.1.285-1       Vi IMproved - Runtime files

vim recommends no packages.

-- no debconf information
-------------- next part --------------
>From 999894c95638478dd1646a78b3e58f241852e11a Mon Sep 17 00:00:00 2001
From: Vaclav Ovsik <vaclav.ovsik at i.cz>
Date: Wed, 2 Apr 2008 09:43:47 +0200
Subject: [PATCH] Added patch to support SE Linux.

---
 debian/changelog |   12 +++++++++---
 debian/control   |    2 +-
 debian/rules     |   15 +++++++++++++--
 src/config.h.in  |    1 +
 src/configure.in |   15 +++++++++++++++
 src/fileio.c     |   13 +++++++++++++
 src/memfile.c    |    5 +++++
 src/os_unix.c    |   53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 8 files changed, 110 insertions(+), 6 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 42a5ce4..ffd5046 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,14 @@
-vim (1:7.1.285-2) UNRELEASED; urgency=low
+vim (1:7.1.285-2~icz+2) unstable; urgency=low
 
-  * NOT RELEASED YET
+  * Added patch to support SE Linux.
+    - The original patch vim-selinux.patch and vim-selinux2.patch are
+      taken from the Fedora source package vim-7.1.211-1.fc8.src.rpm.
+  * debian/control:
+    - Build-Depend on libselinux1-dev, autoconf
+  * debian/rules:
+    - Rule & dependecy added for rebuilding src/auto/configure & cleanup
 
- -- James Vega <jamessan at debian.org>  Sun, 30 Mar 2008 17:41:57 -0400
+ -- Vaclav Ovsik <vaclav.ovsik at i.cz>  Thu, 03 Apr 2008 10:57:29 +0200
 
 vim (1:7.1.285-1) unstable; urgency=low
 
diff --git a/debian/control b/debian/control
index 0b6393a..a04fcf9 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Build-Depends: debhelper, bzip2, libperl-dev, tcl-dev, libacl1-dev,
  libgpmg1-dev [!hurd-i386] | not+linux-gnu, python-dev, libxpm-dev,
  libncurses5-dev, ruby, ruby1.8-dev, libgtk2.0-dev, lynx,
  libgnomeui-dev, lesstif2-dev, make (>= 3.80+3.81.b4), docbook-xml,
- docbook-utils
+ docbook-utils, libselinux1-dev, autoconf
 Vcs-Git: git://git.debian.org/git/pkg-vim/vim.git
 Vcs-Browser: http://git.debian.org/?p=pkg-vim/vim.git
 Homepage: http://www.vim.org/
diff --git a/debian/rules b/debian/rules
index c3c76db..d49c51f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -160,7 +160,11 @@ get-orig-source:
 clean: $(foreach v,$(VARIANTS),clean-$(v))
 	dh_testdir
 	dh_testroot
-	rm -f extract-stamp* build-stamp* install-stamp* configure-stamp*
+	if test -f src/auto/configure.dist; then \
+	    mv src/auto/configure.dist src/auto/configure; \
+	    make distclean; \
+	fi
+	rm -f extract-stamp* build-stamp* install-stamp* autoconf-stamp configure-stamp*
 	rm -f debian/helpztags.1
 	rm -rf debian/policy/vim-policy.html
 	rm -f debian/policy/vim-policy.txt
@@ -194,7 +198,14 @@ build-stamp: $(foreach v,$(VARIANTS),build-stamp-$(v))
 	$(MAKE) -C debian/policy/ text html
 	touch $@
 
-configure-stamp-%:
+autoconf-stamp:
+	if ! test -f src/auto/configure.dist; then \
+	    cp -a src/auto/configure src/auto/configure.dist; \
+	fi
+	$(MAKE) -C src autoconf
+	touch $@
+
+configure-stamp-%: autoconf-stamp
 	dh_testdir
 	@echo "*** DEBIAN *** CONFIGURING VARIANT $*"
 	if test -f src/auto/config.cache; then make distclean; fi
diff --git a/src/config.h.in b/src/config.h.in
index 3d9e162..cb1feaf 100644
--- a/src/config.h.in
+++ b/src/config.h.in
@@ -155,6 +155,7 @@
 #undef HAVE_READLINK
 #undef HAVE_RENAME
 #undef HAVE_SELECT
+#undef HAVE_SELINUX
 #undef HAVE_SETENV
 #undef HAVE_SETPGID
 #undef HAVE_SETSID
diff --git a/src/configure.in b/src/configure.in
index 898e79c..87d0ae4 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -300,6 +300,21 @@ esac
 fi
 
 
+dnl vim: set sw=2 tw=78 fo+=l:
+dnl Link with -lselinux for SELinux stuff; if not found
+AC_MSG_CHECKING(--disable-selinux argument)
+AC_ARG_ENABLE(selinux,
+	[  --disable-selinux	  Don't check for SELinux support.],
+	, [enable_selinux="yes"])
+if test "$enable_selinux" = "yes"; then
+   AC_MSG_RESULT(no)
+   AC_CHECK_LIB(selinux, is_selinux_enabled,
+     [LIBS="$LIBS -lselinux"
+      AC_DEFINE(HAVE_SELINUX)])
+else
+   AC_MSG_RESULT(yes)
+fi
+
 dnl Check user requested features.
 
 AC_MSG_CHECKING(--with-features argument)
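Review bot: The comment `dnl Link with -lselinux for SELinux stuff; if not found` is an unfinished sentence, and the `dnl vim: set sw=2 tw=78 fo+=l:` modeline above it is a per-file editor setting dropped into the middle of the script; replace both with the single line `dnl Link with -lselinux for SELinux support unless --disable-selinux is given.`. The `AC_CHECK_LIB(selinux, is_selinux_enabled, ...)` test only proves the library links; if the `selinux/selinux.h` header is absent the build fails later at the `#include` added to src/os_unix.c rather than at configure time, so an `AC_CHECK_HEADERS(selinux/selinux.h)` alongside it would report the problem where it is easiest to diagnose.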
diff --git a/src/fileio.c b/src/fileio.c
index bcabbff..58dd47a 100644
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -1,3 +1,4 @@
+
 /* vi:set ts=8 sts=4 sw=4:
  *
  * VIM - Vi IMproved	by Bram Moolenaar
@@ -3651,6 +3652,9 @@ buf_write(buf, fname, sfname, start, end, eap, append, forceit,
 						)
 			    mch_setperm(backup,
 					  (perm & 0707) | ((perm & 07) << 3));
+#ifdef HAVE_SELINUX
+			mch_copy_sec(fname, backup);
+#endif
 #endif
 
 			/*
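Review bot: The `mch_copy_sec(fname, backup)` call here and the identical one in the next hunk (after `mch_set_acl(backup, acl)`) carry no comment, unlike the permission and ACL steps next to them; a short `/* label the backup like the original */` on each would state the intent. Separately, the first hunk of this file adds only an empty line above the `/* vi:set ts=8 sts=4 sw=4:` modeline comment, which looks accidental and should be dropped. `buf_write` begins and ends outside this hunk.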
@@ -3687,6 +3691,9 @@ buf_write(buf, fname, sfname, start, end, eap, append, forceit,
 #ifdef HAVE_ACL
 			mch_set_acl(backup, acl);
 #endif
+#ifdef HAVE_SELINUX
+			mch_copy_sec(fname, backup);
+#endif
 			break;
 		    }
 		}
@@ -4309,6 +4316,12 @@ restore_backup:
     }
 #endif
 
+#ifdef HAVE_SELINUX
+    /* Probably need to set the security context */
+    if (!backup_copy)
+	mch_copy_sec(backup, wfname);
+#endif
+
 #ifdef UNIX
     /* When creating a new file, set its owner/group to that of the original
      * file.  Get the new device and inode number. */
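Review bot: The comment `/* Probably need to set the security context */` on the added block says neither when nor why; the `!backup_copy` condition appears to be the case where the original was renamed to `backup` and `wfname` is a freshly created inode that received this process's default context, which is exactly the mislabeling the report describes. Suggest `/* If the original was renamed to "backup", "wfname" is a new file with the default context of this process; copy the original's context back from the backup. */`. If `backup` can be NULL here (no backup made), `mch_copy_sec()` returns early on its `from_file == NULL` check, so the call is harmless in that case. `buf_write` begins and ends outside this hunk.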
diff --git a/src/memfile.c b/src/memfile.c
index d0dd8de..e405656 100644
--- a/src/memfile.c
+++ b/src/memfile.c
@@ -1346,5 +1346,10 @@ mf_do_open(mfp, fname, flags)
 	mfp->mf_ffname = NULL;
     }
     else
+    {
+#ifdef HAVE_SELINUX
+        mch_copy_sec(fname, mfp->mf_fname);
+#endif
 	mch_hide(mfp->mf_fname);    /* try setting the 'hidden' flag */
+    }
 }
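Review bot: `mch_copy_sec(fname, mfp->mf_fname)` copies a context between two names that appear to refer to the same swap file — `mfp->mf_fname` is assigned outside the hunk, but the failure branch above clears it together with `mf_ffname`, which suggests it is the name that was just opened — and in that case `getfilecon` yields the same context for both, `strcmp` matches and `setfilecon` is never reached, so the hunk changes nothing. If the intent is for the swap file to carry the context of the edited file rather than the default for new files, the source name would have to come from the caller, since `mf_do_open(mfp, fname, flags)` receives no other name; otherwise the call can be dropped. The added lines also indent with 8 spaces where the neighbouring `mch_hide` line uses a tab.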
diff --git a/src/os_unix.c b/src/os_unix.c
index 1b0ec70..00107eb 100644
--- a/src/os_unix.c
+++ b/src/os_unix.c
@@ -45,6 +45,10 @@
 # include <X11/SM/SMlib.h>
 #endif
 
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+static int selinux_enabled=-1;
+#endif
 /*
  * Use this prototype for select, some include files have a wrong prototype
  */
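Review bot: `static int selinux_enabled=-1;` carries no comment although its three states matter to `mch_copy_sec` later in the file (-1 not yet queried, 0 disabled, positive enabled); suggest `static int selinux_enabled = -1;	/* cached is_selinux_enabled(): -1 unknown, 0 off, >0 on */`. The `#include <selinux/selinux.h>` inside the `#ifdef` should be written `# include` to match `# include <X11/SM/SMlib.h>` a few lines up, and a blank line is missing between the `#endif` and the `/*` comment that follows it.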
@@ -2557,6 +2561,55 @@ typedef struct vim_acl_solaris_T {
 } vim_acl_solaris_T;
 # endif
 
+mch_copy_sec(from_file, to_file)
+     char_u	*from_file;
+     char_u	*to_file;
+{
+  if (from_file == NULL)
+    return;
+  
+#ifdef HAVE_SELINUX
+  if (selinux_enabled == -1)
+    selinux_enabled = is_selinux_enabled ();
+
+  if (selinux_enabled>0)
+    {
+      security_context_t from_context=NULL;
+      security_context_t to_context=NULL;
+      if (getfilecon (from_file, &from_context) < 0)
+	{
+	  /* If the filesystem doesn't support extended attributes,
+	     the original had no special security context and the
+	     target cannot have one either.  */
+	  if (errno == EOPNOTSUPP)
+	    return ;
+	  
+	  MSG_PUTS(_("\nCould not get security context for "));
+	  msg_outtrans(from_file);
+	  msg_putchar('\n');
+	  return ;
+	}
+      if (getfilecon (to_file, &to_context) < 0)
+	{
+	  MSG_PUTS(_("\nCould not get security context for "));
+	  msg_outtrans(to_file);
+	  msg_putchar('\n');
+	  freecon (from_context);
+	  return ;
+	}
+      if (strcmp(from_context,to_context) != 0 ) {
+	if (setfilecon (to_file, from_context) < 0)
+	  {
+	    MSG_PUTS(_("\nCould not set security context for "));
+	    msg_outtrans(to_file);
+	    msg_putchar('\n');
+	  }
+      }
+      freecon (to_context);
+      freecon (from_context);
+    }
+#endif /* HAVE_SELINUX */
+}
 /*
  * Return a pointer to the ACL of file "fname" in allocated memory.
  * Return NULL if the ACL is not available for whatever reason.
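Review bot: `mch_copy_sec` at the top of the hunk is defined with no return type and uses bare `return;`, so it is an implicit-`int` function that never returns a value, and the diff adds no prototype for it, leaving the calls added in src/fileio.c and src/memfile.c to an implicit declaration; write `    void` on the line above `mch_copy_sec(from_file, to_file)` and add the declaration next to the other `mch_*` prototypes. With `#ifdef HAVE_SELINUX` inside the body rather than around the definition, every Unix build compiles a function whose only effect is the `from_file == NULL` check; the ACL code above appears to guard whole definitions instead, and following that would also be a natural place for a header comment stating that the context of `from_file` is applied to `to_file` by path, that failures are only reported via `MSG_PUTS`, and that `to_file` is expected to be a regular file the caller has just created (the path-based `setfilecon` follows symlinks, as `mch_setperm` on the same targets already does). The formatting is GNU style (2-space indent, braces on their own lines, `return ;`, trailing whitespace on the blank lines) where the rest of the file uses vim's tab/4-space layout.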
-- 
1.5.4.4


