policycoreutils/policycoreutils-rhat.patch


diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-1.32/newrole/newrole.c
--- nsapolicycoreutils/newrole/newrole.c 2006-09-29 11:50:09.000000000 -0400
+++ policycoreutils-1.32/newrole/newrole.c 2006-11-07 11:47:21.000000000 -0500
@@ -680,6 +680,7 @@
{
fprintf(stderr, _("newrole: incorrect password for %s\n"),
pw->pw_name);
+ send_audit_message(0, old_context, new_context, ttyn);
return (-1);
}
/* If we reach here, then we have authenticated the user. */
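Review bot: The result of the added `send_audit_message(0, old_context, new_context, ttyn);` call is discarded, so a failure to record the failed-authentication event is silent on exactly the path where the audit record matters most. If send_audit_message reports failure through its return value, as its other call sites in newrole presumably check, this one should too, e.g. `if (send_audit_message(0, old_context, new_context, ttyn) < 0) fprintf(stderr, _("newrole: failed to send audit message\n"));` — the function already returns -1 on this path, so a diagnostic is enough and the outcome is unchanged. The enclosing function starts and ends outside the hunk.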
diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-1.32/restorecond/Makefile
--- nsapolicycoreutils/restorecond/Makefile 2006-08-28 16:58:19.000000000 -0400
+++ policycoreutils-1.32/restorecond/Makefile 2006-11-07 11:47:21.000000000 -0500
@@ -5,8 +5,9 @@
INITDIR = $(DESTDIR)/etc/rc.d/init.d
SELINUXDIR = $(DESTDIR)/etc/selinux
-CFLAGS ?= -g -Werror -Wall -W
-override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
+LDFLAGS ?= -pie
+CFLAGS ?= -g -Werror -Wall -W
+override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 -fPIE
LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib
all: restorecond
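Review bot: `LDFLAGS ?= -pie` only takes effect when LDFLAGS is unset, so a build that supplies its own LDFLAGS (a packaging environment, or `make LDFLAGS=...`) silently links a non-PIE restorecond while `override CFLAGS += ... -fPIE` still forces position-independent objects, leaving the hardening applied by half. The two flags should be applied the same way so they cannot be separated: `override LDFLAGS += -pie`. This also relies on the link step being driven through the compiler driver, which holds for the implicit rule behind `all: restorecond` but should be kept in mind if an explicit link rule is ever added.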
diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-1.32/restorecond/restorecond.conf
--- nsapolicycoreutils/restorecond/restorecond.conf 2006-08-28 16:58:19.000000000 -0400
+++ policycoreutils-1.32/restorecond/restorecond.conf 2006-11-07 11:47:21.000000000 -0500
@@ -2,5 +2,6 @@
/etc/samba/secrets.tdb
/etc/mtab
/var/run/utmp
+/var/log/wtmp
~/public_html
~/.mozilla/plugins/libflashplayer.so
diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/scripts/genhomedircon.8 policycoreutils-1.32/scripts/genhomedircon.8
--- nsapolicycoreutils/scripts/genhomedircon.8 2006-08-28 16:58:19.000000000 -0400
+++ policycoreutils-1.32/scripts/genhomedircon.8 2006-11-07 11:47:21.000000000 -0500
@@ -45,35 +45,30 @@
.SH DESCRIPTION
.PP
This utility is used to generate file context configuration entries for
-user home directories based on their default roles and is run when building
-the policy. It can also be run when ever the
-.I /etc/selinux/<<SELINUXTYPE>>/users/local.users
-file is changed
+user home directories based on their
+.B prefix
+entry in the the
+.B semanage user record.
+genhomedircon is run when building
+the policy. It is also run automaticaly when ever the
+.B semanage
+utility modifies
+.B user
+or
+.B login
+records.
Specifically, we replace HOME_ROOT, HOME_DIR, and ROLE macros in the
.I /etc/selinux/<<SELINUXTYPE>>/contexts/files/homedir_template
-file with generic and user-specific values.
-.I local.users
-file. If a user has more than one role in
-.I local.users,
-.B genhomedircon
-uses the first role in the list.
+file with generic and user-specific values. HOME_ROOT and HOME_DIR is replaced with each distinct location where login users homedirectories are located. Defaults to /home. ROLE is replaced based on the prefix entry in the
+.B user
+record.
.PP
-If a user is not listed in
-.I local.users,
-.B genhomedircon
-assumes that the user's home dir will be found in one of the
-HOME_ROOTs.
-When looking for these users,
-.B genhomedircon
-only considers real users. "Real" users (as opposed
-to system users) are those whose UID is greater than or equal
+genhomedircon searches through all password entires for all "login" user home directories, (as opposed
+to system users). Login users are those whose UID is greater than or equal
.I STARTING_UID
(default 500) and whose login shell is not "/sbin/nologin", or
"/bin/false".
.PP
-Users who are explicitly defined in
-.I local.users,
-are always "real" (including root, in the default configuration).
.SH AUTHOR
This manual page was originally written by
.I Manoj Srivastava <srivasta@debian.org>,
diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.32/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8 2006-09-14 08:07:24.000000000 -0400
+++ policycoreutils-1.32/semanage/semanage.8 2006-11-07 11:47:21.000000000 -0500
@@ -7,7 +7,7 @@
.br
.B semanage login \-{a|d|m} [\-sr] login_name
.br
-.B semanage user \-{a|d|m} [\-LrR] selinux_name
+.B semanage user \-{a|d|m} [\-LrRP] selinux_name
.br
.B semanage port \-{a|d|m} [\-tr] [\-p protocol] port | port_range
.br
@@ -71,6 +71,9 @@
.I \-R, \-\-role
SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
.TP
+.I \-P, \-\-prefix
+SELinux Prefix. Prefix added to home_dir_t and home_t for labeling users home directories.
+.TP
.I \-s, \-\-seuser
SELinux user name
.TP
diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.32/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2006-10-17 12:04:55.000000000 -0400
+++ policycoreutils-1.32/semanage/seobject.py 2006-11-07 11:47:21.000000000 -0500
@@ -456,7 +456,8 @@
rc = semanage_user_set_mlslevel(self.sh, u, selevel)
if rc < 0:
raise ValueError(_("Could not set MLS level for %s") % name)
-
+ if selinux.security_check_context("system_u:object_r:%s_home_t:s0" % prefix) != 0:
+ raise ValueError(_("Invalid prefix %s") % prefix)
rc = semanage_user_set_prefix(self.sh, u, prefix)
if rc < 0:
raise ValueError(_("Could not add prefix %s for %s") % (r, prefix))
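Review bot: The two prefix-validation checks this commit adds build different contexts: the check in this hunk uses `"system_u:object_r:%s_home_t:s0" % prefix`, while the matching check in the second hunk (the modify path) uses `"system_u:object_r:%s_home_t" % prefix` without a level, so depending on whether the loaded policy is MLS-aware the same prefix may be accepted on add and rejected on modify, or the reverse. Both paths should construct the context identically, ideally through one private helper such as `_check_prefix(self, prefix)` that raises the `Invalid prefix` ValueError, so add and modify cannot drift. Separately, the pre-existing error message two lines below formats `(r, prefix)`, and `r` does not appear to be bound at this point of the hunk — `(prefix, name)` looks intended, though the enclosing method starts outside the hunk so this is inferred. Both enclosing methods start and end outside their hunks.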
@@ -522,7 +523,9 @@
semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
if prefix != "":
- semanage_user_set_prefix(self.sh, u, prefix)
+ if selinux.security_check_context("system_u:object_r:%s_home_t" % prefix) != 0:
+ raise ValueError(_("Invalid prefix %s") % prefix)
+ semanage_user_set_prefix(self.sh, u, prefix)
if len(roles) != 0:
for r in roles: