2008-12-02 13:41:50 +00:00
|
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.14 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.57/Makefile
|
2008-12-01 20:28:00 +00:00
|
|
|
--- nsapolicycoreutils/Makefile 2008-09-22 13:25:07.000000000 -0400
|
|
|
|
|
+++ policycoreutils-2.0.57/Makefile 2008-12-01 15:20:08.000000000 -0500
|
2008-07-10 13:40:20 +00:00
|
|
|
@@ -1,4 +1,4 @@
|
|
|
|
|
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
|
|
|
|
|
+SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
|
|
|
|
|
|
|
|
|
|
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
|
|
|
|
|
|
2008-12-02 13:41:50 +00:00
|
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.14 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.57/audit2allow/audit2allow
|
2008-12-01 20:28:00 +00:00
|
|
|
--- nsapolicycoreutils/audit2allow/audit2allow 2008-09-22 13:25:08.000000000 -0400
|
|
|
|
|
+++ policycoreutils-2.0.57/audit2allow/audit2allow 2008-12-01 15:22:30.000000000 -0500
|
|
|
|
|
@@ -42,10 +42,10 @@
|
|
|
|
|
from optparse import OptionParser
|
|
|
|
|
|
|
|
|
|
parser = OptionParser(version=self.VERSION)
|
|
|
|
|
- parser.add_option("-a", "--audit", action="store_true", dest="audit", default=False,
|
|
|
|
|
+ parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
|
|
|
|
|
help="read input from audit log - conflicts with -i")
|
|
|
|
|
parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
|
|
|
|
|
- help="read input from dmesg - conflicts with --audit and --input")
|
|
|
|
|
+ help="read input from dmesg - conflicts with --all and --input")
|
|
|
|
|
parser.add_option("-i", "--input", dest="input",
|
|
|
|
|
help="read input from <input> - conflicts with -a")
|
|
|
|
|
parser.add_option("-l", "--lastreload", action="store_true", dest="lastreload", default=False,
|
|
|
|
|
@@ -82,9 +82,9 @@
|
|
|
|
|
# Make -d, -a, and -i conflict
|
|
|
|
|
if options.audit is True:
|
|
|
|
|
if options.input is not None:
|
|
|
|
|
- sys.stderr.write("error: --audit conflicts with --input\n")
|
|
|
|
|
+ sys.stderr.write("error: --all conflicts with --input\n")
|
|
|
|
|
if options.dmesg is True:
|
|
|
|
|
- sys.stderr.write("error: --audit conflicts with --dmesg\n")
|
|
|
|
|
+ sys.stderr.write("error: --all conflicts with --dmesg\n")
|
|
|
|
|
if options.input is not None and options.dmesg is True:
|
|
|
|
|
sys.stderr.write("error: --input conflicts with --dmesg\n")
|
|
|
|
|
|
|
|
|
|
@@ -200,7 +200,7 @@
|
|
|
|
|
try:
|
|
|
|
|
fd = open(filename, "w")
|
|
|
|
|
except IOError, e:
|
|
|
|
|
- sys.stderr.write("could not write output file: %s\n", str(e))
|
|
|
|
|
+ sys.stderr.write("could not write output file: %s\n" % str(e))
|
|
|
|
|
sys.exit(1)
|
|
|
|
|
|
|
|
|
|
writer.write(generator.get_module(), fd)
|
2008-10-30 18:23:59 +00:00
|
|
|
@@ -287,7 +287,11 @@
|
|
|
|
|
def __output(self):
|
|
|
|
|
|
|
|
|
|
if self.__options.audit2why:
|
|
|
|
|
- return self.__output_audit2why()
|
|
|
|
|
+ try:
|
|
|
|
|
+ return self.__output_audit2why()
|
|
|
|
|
+ except RuntimeError, e:
|
|
|
|
|
+ print e
|
|
|
|
|
+ sys.exit(1)
|
|
|
|
|
|
|
|
|
|
g = policygen.PolicyGenerator()
|
|
|
|
|
|
2008-12-02 13:41:50 +00:00
|
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.14 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.57/audit2allow/audit2allow.1
|
2008-12-01 20:28:00 +00:00
|
|
|
--- nsapolicycoreutils/audit2allow/audit2allow.1 2008-09-22 13:25:08.000000000 -0400
|
|
|
|
|
+++ policycoreutils-2.0.57/audit2allow/audit2allow.1 2008-12-01 15:22:34.000000000 -0500
|
|
|
|
|
@@ -44,9 +44,6 @@
|
|
|
|
|
Note that all audit messages are not available via dmesg when
|
|
|
|
|
auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead.
|
|
|
|
|
.TP
|
|
|
|
|
-.B "\-f" | "\-\-fcfile" <File Context File>
|
|
|
|
|
-Add File Context File to generated Module Package. Requires -M option.
|
|
|
|
|
-.TP
|
|
|
|
|
.B "\-h" | "\-\-help"
|
|
|
|
|
Print a short usage message
|
|
|
|
|
.TP
|
|
|
|
|
@@ -82,7 +79,7 @@
|
2008-10-29 13:46:43 +00:00
|
|
|
Indicates input file is a te (type enforcement) file. This can be used to translate old te format to new policy format.
|
|
|
|
|
.TP
|
|
|
|
|
.B "\-w" | "\-\-why"
|
|
|
|
|
-Translates SELinux audit messages into a description of why the access wasn denied
|
|
|
|
|
+Translates SELinux audit messages into a description of why the access was denied
|
|
|
|
|
|
|
|
|
|
.TP
|
|
|
|
|
.B "\-v" | "\-\-verbose"
|
2008-12-02 13:41:50 +00:00
|
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.14 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.57/newrole/newrole.c
|
2008-12-01 20:28:00 +00:00
|
|
|
--- nsapolicycoreutils/newrole/newrole.c 2008-09-22 13:25:08.000000000 -0400
|
|
|
|
|
+++ policycoreutils-2.0.57/newrole/newrole.c 2008-12-01 15:20:08.000000000 -0500
|
2008-10-17 22:05:43 +00:00
|
|
|
@@ -553,7 +553,7 @@
|
|
|
|
|
new_caps = cap_init();
|
|
|
|
|
tmp_caps = cap_init();
|
|
|
|
|
if (!new_caps || !tmp_caps) {
|
|
|
|
|
- fprintf(stderr, _("Error initing capabilities, aborting.\n"));
|
|
|
|
|
+ fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
rc |= cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET);
|
|
|
|
|
@@ -631,7 +631,7 @@
|
|
|
|
|
/* Non-root caller, suid root path */
|
|
|
|
|
new_caps = cap_init();
|
|
|
|
|
if (!new_caps) {
|
|
|
|
|
- fprintf(stderr, _("Error initing capabilities, aborting.\n"));
|
|
|
|
|
+ fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
rc |= cap_set_flag(new_caps, CAP_PERMITTED, 6, cap_list, CAP_SET);
|
2008-12-02 13:41:50 +00:00
|
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.14 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.57/restorecond/restorecond.c
|
|
|
|
|
--- nsapolicycoreutils/restorecond/restorecond.c 2008-09-22 13:25:08.000000000 -0400
|
|
|
|
|
+++ policycoreutils-2.0.57/restorecond/restorecond.c 2008-12-02 08:37:59.000000000 -0500
|
|
|
|
|
@@ -283,6 +283,8 @@
|
|
|
|
|
inotify_rm_watch(fd, master_wd);
|
|
|
|
|
master_wd =
|
|
|
|
|
inotify_add_watch(fd, watch_file_path, IN_MOVED_FROM | IN_MODIFY);
|
|
|
|
|
+ if (master_wd == -1)
|
|
|
|
|
+ exitApp("Error watching config file.");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
@@ -411,7 +413,14 @@
|
|
|
|
|
|
|
|
|
|
if (!ptr)
|
|
|
|
|
exitApp("Out of Memory");
|
|
|
|
|
+
|
|
|
|
|
ptr->wd = inotify_add_watch(fd, dir, IN_CREATE | IN_MOVED_TO);
|
|
|
|
|
+ if (ptr->wd == -1) {
|
|
|
|
|
+ free(ptr);
|
|
|
|
|
+ syslog(LOG_ERR, "Unable to watch (%s) %s\n",
|
|
|
|
|
+ path, strerror(errno));
|
|
|
|
|
+ return;
|
|
|
|
|
+ }
|
|
|
|
|
|
|
|
|
|
ptr->dir = strdup(dir);
|
|
|
|
|
if (!ptr->dir)
|
|
|
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.14 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/utmpwatcher.c policycoreutils-2.0.57/restorecond/utmpwatcher.c
|
|
|
|
|
--- nsapolicycoreutils/restorecond/utmpwatcher.c 2008-09-22 13:25:08.000000000 -0400
|
|
|
|
|
+++ policycoreutils-2.0.57/restorecond/utmpwatcher.c 2008-12-02 08:38:00.000000000 -0500
|
|
|
|
|
@@ -57,7 +57,7 @@
|
|
|
|
|
utmp_ptr = NULL;
|
|
|
|
|
FILE *cfg = fopen(utmp_path, "r");
|
|
|
|
|
if (!cfg)
|
|
|
|
|
- exitApp("Error reading config file.");
|
|
|
|
|
+ exitApp("Error reading utmp file.");
|
|
|
|
|
|
|
|
|
|
while (fread(&u, sizeof(struct utmp), 1, cfg) > 0) {
|
|
|
|
|
if (u.ut_type == USER_PROCESS)
|
|
|
|
|
@@ -69,6 +69,9 @@
|
|
|
|
|
|
|
|
|
|
utmp_wd =
|
|
|
|
|
inotify_add_watch(inotify_fd, utmp_path, IN_MOVED_FROM | IN_MODIFY);
|
|
|
|
|
+ if (utmp_wd == -1)
|
|
|
|
|
+ exitApp("Error watching utmp file.");
|
|
|
|
|
+
|
|
|
|
|
if (prev_utmp_ptr) {
|
|
|
|
|
changed = strings_list_diff(prev_utmp_ptr, utmp_ptr);
|
|
|
|
|
strings_list_free(prev_utmp_ptr);
|
|
|
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.14 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.57/scripts/chcat
|
2008-12-01 20:28:00 +00:00
|
|
|
--- nsapolicycoreutils/scripts/chcat 2008-09-22 13:25:08.000000000 -0400
|
|
|
|
|
+++ policycoreutils-2.0.57/scripts/chcat 2008-12-01 15:23:46.000000000 -0500
|
|
|
|
|
@@ -291,6 +291,8 @@
|
|
|
|
|
for i in c.split(","):
|
|
|
|
|
if i not in newcats:
|
|
|
|
|
newcats.append(i)
|
|
|
|
|
+ if len(newcats) > 25:
|
|
|
|
|
+ return cats
|
|
|
|
|
return newcats
|
|
|
|
|
|
|
|
|
|
def translate(cats):
|
2008-12-02 13:41:50 +00:00
|
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.14 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.57/semanage/seobject.py
|
2008-12-01 20:28:00 +00:00
|
|
|
--- nsapolicycoreutils/semanage/seobject.py 2008-09-22 13:25:08.000000000 -0400
|
|
|
|
|
+++ policycoreutils-2.0.57/semanage/seobject.py 2008-12-01 15:20:08.000000000 -0500
|
2008-10-28 19:54:05 +00:00
|
|
|
@@ -35,7 +35,7 @@
|
|
|
|
|
import __builtin__
|
|
|
|
|
__builtin__.__dict__['_'] = unicode
|
|
|
|
|
|
|
|
|
|
-is_mls_enabled = selinux.is_selinux_mls_enabled()
|
|
|
|
|
+is_mls_enabled = not selinux.is_selinux_enabled() or selinux.is_selinux_mls_enabled()
|
2008-10-23 17:17:24 +00:00
|
|
|
|
2008-10-28 19:54:05 +00:00
|
|
|
import syslog
|
|
|
|
|
|
|
|
|
|
@@ -1433,8 +1433,14 @@
|
|
|
|
|
(rc,exists) = semanage_fcontext_exists(self.sh, k)
|
2008-10-23 17:17:24 +00:00
|
|
|
if rc < 0:
|
|
|
|
|
raise ValueError(_("Could not check if file context for %s is defined") % target)
|
2008-10-28 19:54:05 +00:00
|
|
|
- if exists:
|
|
|
|
|
- raise ValueError(_("File context for %s already defined") % target)
|
|
|
|
|
+
|
|
|
|
|
+ if not exists:
|
|
|
|
|
+ (rc,exists) = semanage_fcontext_exists_local(self.sh, k)
|
|
|
|
|
+ if rc < 0:
|
|
|
|
|
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
|
|
|
|
|
+
|
|
|
|
|
+ if exists:
|
|
|
|
|
+ raise ValueError(_("File context for %s already defined") % target)
|
|
|
|
|
|
|
|
|
|
(rc,fcontext) = semanage_fcontext_create(self.sh)
|
|
|
|
|
if rc < 0:
|
|
|
|
|
@@ -1481,15 +1487,19 @@
|
|
|
|
|
if rc < 0:
|
|
|
|
|
raise ValueError(_("Could not create a key for %s") % target)
|
|
|
|
|
|
|
|
|
|
- (rc,exists) = semanage_fcontext_exists_local(self.sh, k)
|
|
|
|
|
+ (rc,exists) = semanage_fcontext_exists(self.sh, k)
|
2008-10-27 14:11:34 +00:00
|
|
|
if rc < 0:
|
|
|
|
|
raise ValueError(_("Could not check if file context for %s is defined") % target)
|
|
|
|
|
if not exists:
|
|
|
|
|
- raise ValueError(_("File context for %s is not defined") % target)
|
2008-10-28 19:54:05 +00:00
|
|
|
+ (rc,exists) = semanage_fcontext_exists_local(self.sh, k)
|
|
|
|
|
+ if not exists:
|
2008-10-27 14:11:34 +00:00
|
|
|
+ raise ValueError(_("File context for %s is not defined") % target)
|
|
|
|
|
|
|
|
|
|
(rc,fcontext) = semanage_fcontext_query_local(self.sh, k)
|
|
|
|
|
if rc < 0:
|
2008-10-28 19:54:05 +00:00
|
|
|
- raise ValueError(_("Could not query file context for %s") % target)
|
|
|
|
|
+ (rc,fcontext) = semanage_fcontext_query(self.sh, k)
|
|
|
|
|
+ if rc < 0:
|
|
|
|
|
+ raise ValueError(_("Could not query file context for %s") % target)
|
|
|
|
|
|
|
|
|
|
if setype != "<<none>>":
|
|
|
|
|
con = semanage_fcontext_get_con(fcontext)
|
|
|
|
|
@@ -1591,30 +1601,33 @@
|
2008-10-27 14:11:34 +00:00
|
|
|
|
|
|
|
|
self.flist += fclocal
|
|
|
|
|
|
|
|
|
|
+ ddict = {}
|
|
|
|
|
for fcontext in self.flist:
|
|
|
|
|
expr = semanage_fcontext_get_expr(fcontext)
|
|
|
|
|
ftype = semanage_fcontext_get_type(fcontext)
|
|
|
|
|
ftype_str = semanage_fcontext_get_type_str(ftype)
|
|
|
|
|
con = semanage_fcontext_get_con(fcontext)
|
|
|
|
|
if con:
|
|
|
|
|
- l.append((expr, ftype_str, semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con)))
|
|
|
|
|
+ ddict[(expr, ftype_str)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
|
|
|
|
|
else:
|
|
|
|
|
- l.append((expr, ftype_str, con))
|
|
|
|
|
+ ddict[(expr, ftype_str)] = con
|
|
|
|
|
|
|
|
|
|
- return l
|
|
|
|
|
+ return ddict
|
|
|
|
|
|
|
|
|
|
def list(self, heading = 1, locallist = 0 ):
|
|
|
|
|
if heading:
|
|
|
|
|
print "%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context"))
|
|
|
|
|
- fcon_list = self.get_all(locallist)
|
|
|
|
|
- for fcon in fcon_list:
|
|
|
|
|
- if len(fcon) > 3:
|
|
|
|
|
+ fcon_dict = self.get_all(locallist)
|
|
|
|
|
+ keys = fcon_dict.keys()
|
|
|
|
|
+ keys.sort()
|
|
|
|
|
+ for k in keys:
|
|
|
|
|
+ if fcon_dict[k]:
|
|
|
|
|
if is_mls_enabled:
|
|
|
|
|
- print "%-50s %-18s %s:%s:%s:%s " % (fcon[0], fcon[1], fcon[2], fcon[3], fcon[4], translate(fcon[5],False))
|
|
|
|
|
+ print "%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1], fcon_dict[k][2], translate(fcon_dict[k][3],False))
|
|
|
|
|
else:
|
|
|
|
|
- print "%-50s %-18s %s:%s:%s " % (fcon[0], fcon[1], fcon[2], fcon[3],fcon[4])
|
|
|
|
|
+ print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2])
|
|
|
|
|
else:
|
|
|
|
|
- print "%-50s %-18s <<None>>" % (fcon[0], fcon[1])
|
|
|
|
|
+ print "%-50s %-18s <<None>>" % (k[0], k[1])
|
|
|
|
|
|
|
|
|
|
class booleanRecords(semanageRecords):
|
|
|
|
|
def __init__(self, store = ""):
|
