author | Eamon Walsh <ewalsh@tycho.nsa.gov> | 2008-12-05 20:01:36 -0500 |
---|---|---|
committer | Eamon Walsh <ewalsh@tycho.nsa.gov> | 2008-12-05 20:01:36 -0500 |
commit | c907da382ee3da32d1419982774cfa9098a0b98b (patch) | |
tree | 6e04143b11caca8cfdec5733dcd8e8a3d998613e | |
parent | 5996217061986aca9f9cc72416b47ddcd2c53329 (diff) |
Use a process context to perform the dominance check.
This is required because the dominance check seems to work only on
process contexts at present. Mangle both ranges onto a process context
from getcon() to perform the check.
-rw-r--r-- | src/mcscolor.c | 30 |
1 files changed, 28 insertions, 2 deletions
diff --git a/src/mcscolor.c b/src/mcscolor.c
index 677fcaf..8ea05e3 100644
--- a/src/mcscolor.c
+++ b/src/mcscolor.c
@@ -38,6 +38,8 @@ static char *rules[] = { "user", "role", "type", "range" };
 static setab_t *clist[N_COLOR];
 static setab_t *cend[N_COLOR];
 
+static security_context_t my_context;
+
 void finish_context_colors(void) {
 setab_t *cur, *next;
 unsigned i;
@@ -52,6 +54,9 @@ void finish_context_colors(void) {
 }
 clist[i] = cend[i] = NULL;
 }
+
+ freecon(my_context);
+ my_context = NULL;
 }
 
 static void print_colors(void) {
@@ -74,22 +79,41 @@ static int check_dominance(const char *pattern, const char *raw) {
 unsigned int bit = CONTEXT__CONTAINS;
 struct av_decision avd;
 int rc = -1;
+ context_t my_tmp;
+ const char *raw_range;
 
 con = context_new(raw);
 if (!con)
 return -1;
- if (context_range_set(con, pattern))
+ raw_range = context_range_get(con);
+
+ my_tmp = context_new(my_context);
+ if (!my_tmp) {
+ context_free(con);
+ return -1;
+ }
+
+ ctx = NULL;
+ if (context_range_set(my_tmp, pattern))
 goto out;
- ctx = context_str(con);
+ ctx = strdup(context_str(my_tmp));
 if (!ctx)
 goto out;
 
+ if (context_range_set(my_tmp, raw_range))
+ goto out;
+ raw = context_str(my_tmp);
+ if (!raw)
+ goto out;
+
 rc = security_compute_av_raw(ctx, raw, SECCLASS_CONTEXT, bit, &avd);
 if (rc)
 goto out;
 
 rc = (bit & avd.allowed) != bit;
 out:
+ free(ctx);
+ context_free(my_tmp);
 context_free(con);
 return rc;
 }
@@ -167,6 +191,8 @@ int init_colors(void) {
 char *buffer = NULL;
 int line = 0;
 
+ getcon(&my_context);
+
 cfg = fopen("/etc/selinux/refpolicy/secolor.conf", "r");
 if (!cfg)
 return 1;
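Review bot: `ctx = strdup(context_str(my_tmp));` in check_dominance() hands a possibly-NULL pointer to strdup(), which is undefined behaviour; the hunk itself treats context_str() as nullable a few lines later (`if (!raw)`), but here the NULL test only runs after the copy. Split it so both failures are caught by the existing check: `const char *s = context_str(my_tmp); ctx = s ? strdup(s) : NULL;` followed by the unchanged `if (!ctx) goto out;`. The copy is genuinely required because the later `raw = context_str(my_tmp)` reuses the same context object's string, so a one-line comment such as `/* copy: the next context_str() on my_tmp replaces this string */` would stop a future cleanup from dropping the strdup() and reintroducing a use-after-overwrite. Note that `raw_range` points into `con`, so `con` must stay alive until after the second context_range_set(), which the current ordering respects. check_dominance()'s declarations of `ctx` and `con` sit above the hunk.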
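Review bot: The return value of `getcon(&my_context);` in init_colors() is discarded, so on failure `my_context` stays NULL and every subsequent check_dominance() call starts with `context_new(NULL)` instead of failing cleanly; check it the same way the fopen() just below is checked, `if (getcon(&my_context) < 0) return 1;`. Since `my_context` is only ever consumed through security_compute_av_raw(), which expects raw (untranslated) contexts, getcon_raw() is presumably the matching call here — SOURCE does not show whether context translation is active for this process, so confirm before changing it. init_colors() continues past the hunk.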