policycoreutils/policycoreutils-rhat.patch

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.20/scripts/genhomedircon
--- nsapolicycoreutils/scripts/genhomedircon	2006-01-30 18:32:39.000000000 -0500
+++ policycoreutils-1.29.20/scripts/genhomedircon	2006-02-07 10:36:38.000000000 -0500
@@ -170,7 +170,7 @@
 	def heading(self):
 		ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
 		if self.semanaged:
-			ret += "# use seusers command to manage system users in order to change the file_context\n#\n#\n"
+			ret += "# use semanage command to manage system users in order to change the file_context\n#\n#\n"
 		else:
 			ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers")
 		return ret
@@ -196,7 +196,7 @@
 		return role
 		
 	def adduser(self, udict, user, seuser, role):
-		if seuser == "user_u" or user == "__default__":
+		if seuser == "user_u" or user == "__default__" or user == "system_u":
 			return
 		# !!! chooses first role in the list to use in the file context !!!
 		if role[-2:] == "_r" or role[-2:] == "_u":
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.20/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py	2006-02-02 12:08:04.000000000 -0500
+++ policycoreutils-1.29.20/semanage/seobject.py	2006-02-07 10:35:46.000000000 -0500
@@ -21,8 +21,11 @@
 #
 #  
 
-import pwd, string, selinux, tempfile, os, re
+import pwd, string, selinux, tempfile, os, re, sys
 from semanage import *;
+import audit
+
+audit_fd=audit.audit_open()
 
 def validate_level(raw):
 	sensitivity="s([0-9]|1[0-5])"
@@ -170,119 +173,143 @@
 		if sename == "":
 			sename = "user_u"
 			
-		(rc,k) = semanage_seuser_key_create(self.sh, name)
-		if rc < 0:
-			raise ValueError("Could not create a key for %s" % name)
-
-		(rc,exists) = semanage_seuser_exists(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not check if login mapping for %s is defined" % name)
-		if exists:
-			raise ValueError("Login mapping for %s is already defined" % name)
 		try:
-			pwd.getpwnam(name)
-		except:
-			raise ValueError("Linux User %s does not exist" % name)
-			
-		(rc,u) = semanage_seuser_create(self.sh)
-		if rc < 0:
-			raise ValueError("Could not create login mapping for %s" % name)
+			(rc,k) = semanage_seuser_key_create(self.sh, name)
+			if rc < 0:
+				raise ValueError("Could not create a key for %s" % name)
 
-		rc = semanage_seuser_set_name(self.sh, u, name)
-		if rc < 0:
-			raise ValueError("Could not set name for %s" % name)
+			(rc,exists) = semanage_seuser_exists(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not check if login mapping for %s is defined" % name)
+			if exists:
+				raise ValueError("Login mapping for %s is already defined" % name)
+			try:
+				pwd.getpwnam(name)
+			except:
+				raise ValueError("Linux User %s does not exist" % name)
 
-		rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
-		if rc < 0:
-			raise ValueError("Could not set MLS range for %s" % name)
+			(rc,u) = semanage_seuser_create(self.sh)
+			if rc < 0:
+				raise ValueError("Could not create login mapping for %s" % name)
 
-		rc = semanage_seuser_set_sename(self.sh, u, sename)
-		if rc < 0:
-			raise ValueError("Could not set SELinux user for %s" % name)
+			rc = semanage_seuser_set_name(self.sh, u, name)
+			if rc < 0:
+				raise ValueError("Could not set name for %s" % name)
 
-		rc = semanage_begin_transaction(self.sh)
-		if rc < 0:
-			raise ValueError("Could not start semanage transaction")
+			rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
+			if rc < 0:
+				raise ValueError("Could not set MLS range for %s" % name)
 
-		rc = semanage_seuser_modify_local(self.sh, k, u)
-		if rc < 0:
-			raise ValueError("Could not add login mapping for %s" % name)
+			rc = semanage_seuser_set_sename(self.sh, u, sename)
+			if rc < 0:
+				raise ValueError("Could not set SELinux user for %s" % name)
 
-		rc = semanage_commit(self.sh) 
-		if rc < 0:
-			raise ValueError("Could not add login mapping for %s" % name)
+			rc = semanage_begin_transaction(self.sh)
+			if rc < 0:
+				raise ValueError("Could not start semanage transaction")
 
+			rc = semanage_seuser_modify_local(self.sh, k, u)
+			if rc < 0:
+				raise ValueError("Could not add login mapping for %s" % name)
+
+			rc = semanage_commit(self.sh) 
+			if rc < 0:
+				raise ValueError("Could not add login mapping for %s" % name)
+
+		except ValueError, error:
+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+						     name, 0, "", "", "", 0);
+			raise error
+		
+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"adding selinux user mapping",
+					     name, 0, "", "", "", 1);
 		semanage_seuser_key_free(k)
 		semanage_seuser_free(u)
 
 	def modify(self, name, sename = "", serange = ""):
-		if sename == "" and serange == "":
-			raise ValueError("Requires seuser or serange")
+		try:
+			if sename == "" and serange == "":
+				raise ValueError("Requires seuser or serange")
 
-		(rc,k) = semanage_seuser_key_create(self.sh, name)
-		if rc < 0:
-			raise ValueError("Could not create a key for %s" % name)
+			(rc,k) = semanage_seuser_key_create(self.sh, name)
+			if rc < 0:
+				raise ValueError("Could not create a key for %s" % name)
 
-		(rc,exists) = semanage_seuser_exists(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not check if login mapping for %s is defined" % name)
-		if not exists:
-			raise ValueError("Login mapping for %s is not defined" % name)
+			(rc,exists) = semanage_seuser_exists(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not check if login mapping for %s is defined" % name)
+			if not exists:
+				raise ValueError("Login mapping for %s is not defined" % name)
 
-		(rc,u) = semanage_seuser_query(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not query seuser for %s" % name)
+			(rc,u) = semanage_seuser_query(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not query seuser for %s" % name)
 
-		if serange != "":
-			semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
-		if sename != "":
-			semanage_seuser_set_sename(self.sh, u, sename)
+			if serange != "":
+				semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
+			if sename != "":
+				semanage_seuser_set_sename(self.sh, u, sename)
 
-		rc = semanage_begin_transaction(self.sh)
-		if rc < 0:
-			raise ValueError("Could not srart semanage transaction")
+			rc = semanage_begin_transaction(self.sh)
+			if rc < 0:
+				raise ValueError("Could not srart semanage transaction")
 
-		rc = semanage_seuser_modify_local(self.sh, k, u)
-		if rc < 0:
-			raise ValueError("Could not modify login mapping for %s" % name)
-	
-		rc = semanage_commit(self.sh)
-		if rc < 0:
-			raise ValueError("Could not modify login mapping for %s" % name)
+			rc = semanage_seuser_modify_local(self.sh, k, u)
+			if rc < 0:
+				raise ValueError("Could not modify login mapping for %s" % name)
 
+			rc = semanage_commit(self.sh)
+			if rc < 0:
+				raise ValueError("Could not modify login mapping for %s" % name)
+
+		except ValueError, error:
+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+						     name, 0, "", "", "", 0);
+			raise error
+
+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping",
+					     name, 0, "", "", "", 1);
 		semanage_seuser_key_free(k)
 		semanage_seuser_free(u)
 
 	def delete(self, name):
-		(rc,k) = semanage_seuser_key_create(self.sh, name)
-		if rc < 0:
-			raise ValueError("Could not create a key for %s" % name)
+		try:
+			(rc,k) = semanage_seuser_key_create(self.sh, name)
+			if rc < 0:
+				raise ValueError("Could not create a key for %s" % name)
 
-		(rc,exists) = semanage_seuser_exists(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not check if login mapping for %s is defined" % name)
-		if not exists:
-			raise ValueError("Login mapping for %s is not defined" % name)
+			(rc,exists) = semanage_seuser_exists(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not check if login mapping for %s is defined" % name)
+			if not exists:
+				raise ValueError("Login mapping for %s is not defined" % name)
 
-		(rc,exists) = semanage_seuser_exists_local(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not check if login mapping for %s is defined" % name)
-		if not exists:
-			raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name)
+			(rc,exists) = semanage_seuser_exists_local(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not check if login mapping for %s is defined" % name)
+			if not exists:
+				raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name)
 
-		rc = semanage_begin_transaction(self.sh)
-		if rc < 0:
-			raise ValueError("Could not start semanage transaction")
+			rc = semanage_begin_transaction(self.sh)
+			if rc < 0:
+				raise ValueError("Could not start semanage transaction")
 
-		rc = semanage_seuser_del_local(self.sh, k)
+			rc = semanage_seuser_del_local(self.sh, k)
 
-		if rc < 0:
-			raise ValueError("Could not delete login mapping for %s" % name)
+			if rc < 0:
+				raise ValueError("Could not delete login mapping for %s" % name)
 
-		rc = semanage_commit(self.sh)
-		if rc < 0:
-			raise ValueError("Could not delete login mapping for %s" % name)
-	
+			rc = semanage_commit(self.sh)
+			if rc < 0:
+				raise ValueError("Could not delete login mapping for %s" % name)
+
+		except ValueError, error:
+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+						     name, 0, "", "", "", 0);
+			raise error
+
+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete selinux user mapping",
+					     name, 0, "", "", "", 1);
 		semanage_seuser_key_free(k)
 
 		
@@ -322,127 +349,150 @@
 		else:
 			selevel = untranslate(selevel)
 
-		(rc,k) = semanage_user_key_create(self.sh, name)
-		if rc < 0:
-			raise ValueError("Could not create a key for %s" % name)
+		try:
+			(rc,k) = semanage_user_key_create(self.sh, name)
+			if rc < 0:
+				raise ValueError("Could not create a key for %s" % name)
 
-		(rc,exists) = semanage_user_exists(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not check if SELinux user %s is defined" % name)
-		if exists:
-			raise ValueError("SELinux user %s is already defined" % name)
+			(rc,exists) = semanage_user_exists(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not check if SELinux user %s is defined" % name)
+			if exists:
+				raise ValueError("SELinux user %s is already defined" % name)
 
-		(rc,u) = semanage_user_create(self.sh)
-		if rc < 0:
-			raise ValueError("Could not create SELinux user for %s" % name)
+			(rc,u) = semanage_user_create(self.sh)
+			if rc < 0:
+				raise ValueError("Could not create SELinux user for %s" % name)
 
-		rc = semanage_user_set_name(self.sh, u, name)
-		if rc < 0:
-			raise ValueError("Could not set name for %s" % name)
+			rc = semanage_user_set_name(self.sh, u, name)
+			if rc < 0:
+				raise ValueError("Could not set name for %s" % name)
 
-		for r in roles:
-			rc = semanage_user_add_role(self.sh, u, r)
+			for r in roles:
+				rc = semanage_user_add_role(self.sh, u, r)
+				if rc < 0:
+					raise ValueError("Could not add role %s for %s" % (r, name))
+
+			rc = semanage_user_set_mlsrange(self.sh, u, serange)
 			if rc < 0:
-				raise ValueError("Could not add role %s for %s" % (r, name))
+				raise ValueError("Could not set MLS range for %s" % name)
 
-		rc = semanage_user_set_mlsrange(self.sh, u, serange)
-		if rc < 0:
-			raise ValueError("Could not set MLS range for %s" % name)
+			rc = semanage_user_set_mlslevel(self.sh, u, selevel)
+			if rc < 0:
+				raise ValueError("Could not set MLS level for %s" % name)
 
-		rc = semanage_user_set_mlslevel(self.sh, u, selevel)
-		if rc < 0:
-			raise ValueError("Could not set MLS level for %s" % name)
+			(rc,key) = semanage_user_key_extract(self.sh,u)
+			if rc < 0:
+				raise ValueError("Could not extract key for %s" % name)
 
-		(rc,key) = semanage_user_key_extract(self.sh,u)
-		if rc < 0:
-			raise ValueError("Could not extract key for %s" % name)
+			rc = semanage_begin_transaction(self.sh)
+			if rc < 0:
+				raise ValueError("Could not start semanage transaction")
 
-		rc = semanage_begin_transaction(self.sh)
-		if rc < 0:
-			raise ValueError("Could not start semanage transaction")
+			rc = semanage_user_modify_local(self.sh, k, u)
+			if rc < 0:
+				raise ValueError("Could not add SELinux user %s" % name)
 
-		rc = semanage_user_modify_local(self.sh, k, u)
-		if rc < 0:
-			raise ValueError("Could not add SELinux user %s" % name)
+			rc = semanage_commit(self.sh)
+			if rc < 0:
+				raise ValueError("Could not add SELinux user %s" % name)
 
-		rc = semanage_commit(self.sh)
-		if rc < 0:
-			raise ValueError("Could not add SELinux user %s" % name)
+		except ValueError, error:
+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+						     name, 0, "", "", "", 0);
+			raise error
 
+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add Selinux User Record",
+					     name, 0, "", "", "", 1);
 		semanage_user_key_free(k)
 		semanage_user_free(u)
 
 	def modify(self, name, roles = [], selevel = "", serange = ""):
-		if len(roles) == 0  and serange == "" and selevel == "":
-			raise ValueError("Requires roles, level or range")
+		try:
+			if len(roles) == 0  and serange == "" and selevel == "":
+				raise ValueError("Requires roles, level or range")
 
-		(rc,k) = semanage_user_key_create(self.sh, name)
-		if rc < 0:
-			raise ValueError("Could not create a key for %s" % name)
+			(rc,k) = semanage_user_key_create(self.sh, name)
+			if rc < 0:
+				raise ValueError("Could not create a key for %s" % name)
 
-		(rc,exists) = semanage_user_exists(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not check if SELinux user %s is defined" % name)
-		if not exists:
-			raise ValueError("SELinux user %s is not defined" % name)
-		
-		(rc,u) = semanage_user_query(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not query user for %s" % name)
+			(rc,exists) = semanage_user_exists(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not check if SELinux user %s is defined" % name)
+			if not exists:
+				raise ValueError("SELinux user %s is not defined" % name)
 
-		if serange != "":
-			semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
-		if selevel != "":
-			semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
-			
-		if len(roles) != 0:
-			for r in roles:
-				semanage_user_add_role(self.sh, u, r)
+			(rc,u) = semanage_user_query(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not query user for %s" % name)
 
-		rc = semanage_begin_transaction(self.sh)
-		if rc < 0:
-			raise ValueError("Could not start semanage transaction")
+			if serange != "":
+				semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
+			if selevel != "":
+				semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
+
+			if len(roles) != 0:
+				for r in roles:
+					semanage_user_add_role(self.sh, u, r)
 
-		rc = semanage_user_modify_local(self.sh, k, u)
-		if rc < 0:
-			raise ValueError("Could not modify SELinux user %s" % name)
+			rc = semanage_begin_transaction(self.sh)
+			if rc < 0:
+				raise ValueError("Could not start semanage transaction")
 
-		rc = semanage_commit(self.sh)
-		if rc < 0:
-			raise ValueError("Could not modify SELinux user %s" % name)
-		
+			rc = semanage_user_modify_local(self.sh, k, u)
+			if rc < 0:
+				raise ValueError("Could not modify SELinux user %s" % name)
+
+			rc = semanage_commit(self.sh)
+			if rc < 0:
+				raise ValueError("Could not modify SELinux user %s" % name)
+
+		except ValueError, error:
+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+						     name, 0, "", "", "", 0);
+			raise error
+
+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify Selinux User Record",
+					     name, 0, "", "", "", 1);
 		semanage_user_key_free(k)
 		semanage_user_free(u)
 
 	def delete(self, name):
-		(rc,k) = semanage_user_key_create(self.sh, name)
-		if rc < 0:
-			raise ValueError("Could not create a key for %s" % name)
-
-		(rc,exists) = semanage_user_exists(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not check if SELinux user %s is defined" % name)		
-		if not exists:
-			raise ValueError("SELinux user %s is not defined" % name)
+		try:
+			(rc,k) = semanage_user_key_create(self.sh, name)
+			if rc < 0:
+				raise ValueError("Could not create a key for %s" % name)
+			
+			(rc,exists) = semanage_user_exists(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not check if SELinux user %s is defined" % name)		
+			if not exists:
+				raise ValueError("SELinux user %s is not defined" % name)
 
-		(rc,exists) = semanage_user_exists_local(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not check if SELinux user %s is defined" % name)
-		if not exists:
-			raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name)
+			(rc,exists) = semanage_user_exists_local(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not check if SELinux user %s is defined" % name)
+			if not exists:
+				raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name)
 			
-		rc = semanage_begin_transaction(self.sh)
-		if rc < 0:
-			raise ValueError("Could not start semanage transaction")
+			rc = semanage_begin_transaction(self.sh)
+			if rc < 0:
+				raise ValueError("Could not start semanage transaction")
 
-		rc = semanage_user_del_local(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not delete SELinux user %s" % name)
+			rc = semanage_user_del_local(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not delete SELinux user %s" % name)
 
-		rc = semanage_commit(self.sh)
-		if rc < 0:
-			raise ValueError("Could not delete SELinux user %s" % name)
+			rc = semanage_commit(self.sh)
+			if rc < 0:
+				raise ValueError("Could not delete SELinux user %s" % name)
+		except ValueError, error:
+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+						     name, 0, "", "", "", 0);
+			raise error
 		
+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"Delete Selinux User Record",
+					     name, 0, "", "", "", 1);
 		semanage_user_key_free(k)		
 
 	def get_all(self):