From 2ef5159db84830df1811b8a2eb2d895085d61a5c Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 19 Jan 2006 21:14:38 +0000
Subject: [PATCH] * Thu Jan 19 2006 Dan Walsh 1.29.9-1
- Update to match NSA
 * Merged chcat, semanage, and setsebool patches from Dan Walsh.
---
.cvsignore | 1 +
policycoreutils-rhat.patch | 429 ++----------------------------------
policycoreutils.spec | 8 +-
sources | 2 +-
4 files changed, 21 insertions(+), 419 deletions(-)
diff --git a/.cvsignore b/.cvsignore
index 3ef788b..68ddf9e 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -81,3 +81,4 @@ policycoreutils-1.29.4.tgz
 policycoreutils-1.29.5.tgz
 policycoreutils-1.29.7.tgz
 policycoreutils-1.29.8.tgz
+policycoreutils-1.29.9.tgz
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 0048733..e6898d8 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1,418 +1,15 @@ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.8/scripts/chcat ---- nsapolicycoreutils/scripts/chcat 2006-01-18 11:12:43.000000000 -0500 -+++ policycoreutils-1.29.8/scripts/chcat 2006-01-19 09:41:13.000000000 -0500 -@@ -25,11 +25,19 @@ - import commands, sys, os, pwd, string, getopt, re, selinux - import seobject - -+def verify_users(users): -+ for u in users: -+ try: -+ pwd.getpwnam(u) -+ except KeyError, e: -+ error( "User %s does not exist" % u) +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat.8 policycoreutils-1.29.8/scripts/chcat.8 +--- nsapolicycoreutils/scripts/chcat.8 2006-01-18 11:12:43.000000000 -0500 ++++ policycoreutils-1.29.8/scripts/chcat.8 2006-01-19 10:48:59.000000000 -0500 +@@ -27,6 +27,11 @@ + Change/Remove the security CATEGORY for each FILE/USER. + .PP + Use +/- to add/remove categories from a FILE/USER. ++.PP ++.B ++Note: ++When removing a category you must specify '--' on the command line before using the -Category syntax. This tells the shell that you have finished entering options. + - def chcat_user_add(orig, newcat, users): - errors=0 - logins = seobject.loginRecords() - seusers=logins.get_all() - add_ind=0 -+ verify_users(users) - for u in users: - if u in seusers.keys(): - user=seusers[u] -@@ -98,6 +106,7 @@ - logins = seobject.loginRecords() - seusers=logins.get_all() - add_ind=0 -+ verify_users(users) - for u in users: - if u in seusers.keys(): - user=seusers[u] -@@ -174,6 +183,7 @@ - logins = seobject.loginRecords() - seusers=logins.get_all() - add_ind=0 -+ verify_users(users) - for u in users: - if u in seusers.keys(): - user=seusers[u] -@@ -281,6 +291,7 @@ - print "Usage %s -d File ..." % sys.argv[0] - print "Usage %s -l -d user ..." % sys.argv[0] - print "Usage %s -L" % sys.argv[0] -+ print "Usage %s -L -l user" % sys.argv[0] - print "Use -- to end option list. 
For example" - print "chcat -- -CompanyConfidential /docs/businessplan.odt" - print "chcat -l +CompanyConfidential juser" -@@ -297,13 +308,14 @@ - fd.close() - return 0 - -+ - def listusercats(users): -- seusers = seobject.loginRecords().get_all() -+ if len(users) == 0: -+ users.append(os.getlogin()) -+ -+ verify_users(users) - for u in users: -- if u in seusers.keys(): -- cats=seobject.translate(seusers[u][1]) -- else: -- cats=seobject.translate(seusers["__default__"][1]) -+ cats=seobject.translate(selinux.getseuserbyname(u)[2]) - cats=cats.split("-") - if len(cats) > 1 and cats[1] != "s0": - print "%s: %s" % (u, cats[1]) -@@ -352,8 +364,6 @@ - - if list_ind: - if login_ind: -- if len(cmds) < 1: -- usage() - sys.exit(listusercats(cmds)) - else: - if len(cmds) > 0: -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.8/semanage/semanage ---- nsapolicycoreutils/semanage/semanage 2006-01-18 11:12:43.000000000 -0500 -+++ policycoreutils-1.29.8/semanage/semanage 2006-01-18 17:02:47.000000000 -0500 -@@ -30,11 +30,12 @@ - - def usage(message = ""): - print '\ --semanage user [-admLRr] SELINUX_USER\n\ -+semanage fcontext [-admhfrst] INTERFACE\n\ -+semanage interface [-admtr] INTERFACE\n\ - semanage login [-admsr] LOGIN_NAME\n\ - semanage port [-admtpr] PORT | PORTRANGE\n\ --semanage interface [-admtr] INTERFACE\n\ --semanage fcontext [-admhfrst] INTERFACE\n\ -+semanage translation [-adm] LEVEL\n\ -+semanage user [-admLRr] SELINUX_USER\n\ - -a, --add Add a OBJECT record NAME\n\ - -d, --delete Delete a OBJECT record NAME\n\ - -f, --ftype File Type of OBJECT \n\ -@@ -47,6 +48,7 @@ - -R, --roles SELinux Roles (Separate by spaces)\n\ - -s, --seuser SELinux user name\n\ - -t, --type SELinux Type for the object\n\ -+ -T, --trans SELinux Level Translation\n\ - -v, --verbose verbose output\n\ - ' - print message -@@ -62,7 +64,7 @@ - # - # - try: -- objectlist = ("login", "user", "port", "interface", "fcontext") -+ objectlist = ("login", 
"user", "port", "interface", "fcontext", "translation") - input = sys.stdin - output = sys.stdout - serange = "" -@@ -71,6 +73,7 @@ - selevel = "" - setype = "" - ftype = "" -+ setrans = "" - roles = "" - seuser = "" - heading=1 -@@ -88,7 +91,7 @@ - - args = sys.argv[2:] - gopts, cmds = getopt.getopt(args, -- 'adf:lhmnp:P:s:R:L:r:t:v', -+ 'adf:lhmnp:P:s:R:L:r:t:vT:', - ['add', - 'delete', - 'ftype=', -@@ -103,6 +106,7 @@ - 'level=', - 'roles=', - 'type=', -+ 'trans=', - 'verbose' - ]) - for o,a in gopts: -@@ -149,6 +153,9 @@ - if o == "-t" or o == "--type": - setype = a - -+ if o == "-T" or o == "--trans": -+ setrans = a -+ - if o == "-v" or o == "--verbose": - verbose = 1 - -@@ -167,6 +174,9 @@ - if object == "fcontext": - OBJECT = seobject.fcontextRecords() - -+ if object == "translation": -+ OBJECT = seobject.setransRecords() -+ - if list: - OBJECT.list(heading) - sys.exit(0); -@@ -180,6 +190,9 @@ - if object == "login": - OBJECT.add(target, seuser, serange) - -+ if object == "translation": -+ OBJECT.add(target, setrans) -+ - if object == "user": - rlist = roles.split() - if len(rlist) == 0: -@@ -200,6 +213,9 @@ - if object == "login": - OBJECT.modify(target, seuser, serange) - -+ if object == "translation": -+ OBJECT.modify(target, setrans) -+ - if object == "user": - rlist = roles.split() - OBJECT.modify(target, rlist, selevel, serange) -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.29.8/semanage/semanage.8 ---- nsapolicycoreutils/semanage/semanage.8 2006-01-18 11:12:43.000000000 -0500 -+++ policycoreutils-1.29.8/semanage/semanage.8 2006-01-18 17:04:31.000000000 -0500 -@@ -13,6 +13,8 @@ - .br - .B semanage interface \-{a|d|m} [\-tr] interface_spec - .br -+.B semanage translation \-{a|d|m} [\-T] level -+.br - .B semanage fcontext \-{a|d|m} [\-frst] file_spec - .P - -@@ -23,7 +25,7 @@ - .BR semanage - program. - .br --This tool is used to configure SELinux Policy. 
You can configure SELinux User Mappings, SELinux Port Mappings, SELinux Users. File Context and Network Interfaces. -+This tool is used to configure SELinux Policy. You can configure SELinux User Mappings, SELinux Port Mappings, SELinux Users. File Context and Network Interfaces and MLS/MCS Translations. - - .SH "OPTIONS" .TP -@@ -64,6 +66,9 @@ - .I \-t, \-\-type - SELinux Type for the object - .TP -+.I \-T, \-\-trans -+SELinux Translation -+.TP - .I \-v, \-\-verbose - verbose output - -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.8/semanage/seobject.py ---- nsapolicycoreutils/semanage/seobject.py 2006-01-18 11:12:43.000000000 -0500 -+++ policycoreutils-1.29.8/semanage/seobject.py 2006-01-19 09:43:38.000000000 -0500 -@@ -21,9 +21,18 @@ - # - # - --import pwd, string, selinux -+import pwd, string, selinux, tempfile, os, re - from semanage import *; - -+def validate_level(raw): -+ sensitivity="s([0-9]|1[0-5])" -+ category="c(1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])" -+ range=category + "(\." + category +")?" -+ categories = range + "(\," + range + ")*" -+ sensitivity + "(:categies)?" -+ reg = sensitivity + "(-" + sensitivity + ")?" + "(:" + categories + ")?" 
-+ return re.search("^" + reg +"$",raw) -+ - def translate(raw, prepend=1): - if prepend == 1: - context="a:b:c:%s" % raw -@@ -54,6 +63,82 @@ - else: - return raw - -+class setransRecords: -+ def __init__(self): -+ self.filename=selinux.selinux_translations_path() -+ fd=open(self.filename, "r") -+ translations=fd.read().split('\n') -+ fd.close() -+ self.dict={} -+ self.comments=[] -+ for r in translations: -+ if len(r) == 0: -+ continue -+ i=r.strip() -+ if i== "" or i[0] == "#": -+ self.comments.append(r) -+ continue -+ i=i.split("=") -+ if len(i) != 2: -+ self.comments.append(r) -+ continue -+ self.dict[i[0]] = i[1] -+ -+ def get_all(self): -+ return self.dict -+ -+ def out(self): -+ rec="" -+ for c in self.comments: -+ rec+=c +"\n" -+ keys=self.dict.keys() -+ keys.sort() -+ for k in keys: -+ rec += "%s=%s\n" % (k, self.dict[k]) -+ return rec -+ -+ def list(self,heading=1): -+ if heading: -+ print "\n%-25s %s\n" % ("Level", "Translation") -+ keys=self.dict.keys() -+ keys.sort() -+ for k in keys: -+ print "%-25s %s" % (k, self.dict[k]) -+ -+ def add(self, raw, trans): -+ if trans.find(" ") >= 0: -+ raise ValueError("Translations can not contain spaces '%s' " % trans) -+ -+ if validate_level(raw) == None: -+ raise ValueError("Invalid Level '%s' " % raw) -+ -+ if self.dict.has_key(raw): -+ raise ValueError("%s already defined in translations" % raw) -+ else: -+ self.dict[raw]=trans -+ self.save() -+ -+ def modify(self, raw, trans): -+ if trans.find(" ") >= 0: -+ -+ raise ValueError("Translations can not contain spaces '%s' " % trans) -+ if self.dict.has_key(raw): -+ self.dict[raw]=trans -+ else: -+ raise ValueError("%s not defined in translations" % raw) -+ self.save() -+ -+ def delete(self, raw): -+ self.dict.pop(raw) -+ self.save() -+ -+ def save(self): -+ newfilename = tempfile.mktemp('', self.filename) -+ fd=open(newfilename, "w") -+ fd.write(self.out()) -+ fd.close() -+ os.rename(newfilename, self.filename) -+ - class semanageRecords: - def __init__(self): - 
self.sh = semanage_handle_create() -@@ -458,7 +543,7 @@ - - rc = semanage_commit(self.sh) - if rc < 0: -- raise ValueError("Failed to add port %s/%s" % (proto, port)) -+ raise ValueError("Failed to modify port %s/%s" % (proto, port)) - - def delete(self, port, proto): - ( k, proto_d, low, high ) = self.__genkey(port, proto) -@@ -491,22 +576,44 @@ - for idx in range(self.psize): - u = semanage_port_by_idx(self.plist, idx) - con = semanage_port_get_con(u) -- name = semanage_context_get_type(con) -+ type = semanage_context_get_type(con) -+ if type == "reserved_port_t": -+ continue -+ level = semanage_context_get_mls(con) -+ proto=semanage_port_get_proto_str(u) -+ low=semanage_port_get_low(u) -+ high = semanage_port_get_high(u) -+ dict[(low, high)]=(type, proto, level) -+ return dict -+ -+ def get_all_by_type(self): -+ dict={} -+ (rc, self.plist, self.psize) = semanage_port_list(self.sh) -+ if rc < 0: -+ raise ValueError("Could not list ports") -+ -+ for idx in range(self.psize): -+ u = semanage_port_by_idx(self.plist, idx) -+ con = semanage_port_get_con(u) -+ type = semanage_context_get_type(con) -+ if type == "reserved_port_t": -+ continue -+ level = semanage_context_get_mls(con) - proto=semanage_port_get_proto_str(u) - low=semanage_port_get_low(u) - high = semanage_port_get_high(u) -- if (name, proto) not in dict.keys(): -- dict[(name,proto)]=[] -+ if (type, proto) not in dict.keys(): -+ dict[(type,proto)]=[] - if low == high: -- dict[(name,proto)].append("%d" % low) -+ dict[(type,proto)].append("%d" % low) - else: -- dict[(name,proto)].append("%d-%d" % (low, high)) -+ dict[(type,proto)].append("%d-%d" % (low, high)) - return dict - - def list(self, heading=1): - if heading: -- print "%-30s %-8s %s\n" % ("SELinux Port Name", "Proto", "Port Number") -- dict=self.get_all() -+ print "%-30s %-8s %s\n" % ("SELinux Port Type", "Proto", "Port Number") -+ dict=self.get_all_by_type() - keys=dict.keys() - keys.sort() - for i in keys: -@@ -614,7 +721,7 @@ - - rc = 
 semanage_commit(self.sh)
- if rc < 0:
-- raise ValueError("Failed to add interface %s" % interface)
-+ raise ValueError("Failed to modify interface %s" % interface)
- 
- def delete(self, interface):
- (rc,k) = semanage_iface_key_create(self.sh, interface)
-@@ -779,7 +886,7 @@
- 
- rc = semanage_commit(self.sh)
- if rc < 0:
-- raise ValueError("Failed to add file context for %s" % target)
-+ raise ValueError("Failed to modify file context for %s" % target)
- 
- def delete(self, target, ftype):
- (rc,k) = semanage_fcontext_key_create(self.sh, target, self.file_types[ftype])
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setsebool/setsebool.c policycoreutils-1.29.8/setsebool/setsebool.c
---- nsapolicycoreutils/setsebool/setsebool.c 2006-01-04 13:07:46.000000000 -0500
-+++ policycoreutils-1.29.8/setsebool/setsebool.c 2006-01-18 13:27:42.000000000 -0500
-@@ -130,7 +130,7 @@
- 
- for (j = 0; j < boolcnt; j++) {
- 
-- if (semanage_bool_create(handle, &boolean) < 0)
-+ if (semanage_bool_create(handle, &boolean) < 0)
- goto err;
- 
- if (semanage_bool_set_name(handle, boolean, boollist[j].name) < 0)
-@@ -144,9 +144,10 @@
- if (permanent && semanage_bool_modify_local(handle, bool_key, boolean) < 0)
- goto err;
- 
-- if (semanage_bool_set_active(handle, bool_key, boolean) < 0)
-+ if (semanage_bool_set_active(handle, bool_key, boolean) < 0) {
-+ fprintf(stderr, "Could not change boolean %s\n", boollist[j].name);
- goto err;
--
-+ }
- semanage_bool_key_free(bool_key);
- semanage_bool_free(boolean);
- bool_key = NULL;
+ \fB\-d\fR
+ delete the category from each FILE/USER.
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 8cb2473..87aa1cc 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
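Review bot: The dropped seobject.py hunk in this file used `newfilename = tempfile.mktemp('', self.filename)` followed by `os.rename(newfilename, self.filename)` in `setransRecords.save`, and since the changelog records these patches as merged upstream rather than abandoned, that save path presumably now ships in the 1.29.9 tarball with no local fix; `mktemp()` only chooses a name, so anything able to write the target directory can place a file or symlink at that name before `open(newfilename, "w")` runs. If it did survive the merge, a follow-up should use `fd, newfilename = tempfile.mkstemp(dir=os.path.dirname(self.filename))` and write through `os.fdopen(fd, "w")`, then copy the original file's mode onto the new file before the rename, because mkstemp creates it 0600. The same dropped hunk's `validate_level` had a stray expression statement `sensitivity + "(:categies)?"` whose result is discarded, worth checking upstream at the same time. The only new-side content is the chcat.8 note about passing `--` before a `-Category` argument, which matches the usage text the old patch added to chcat.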
@@ -3,8 +3,8 @@
 %define libselinuxver 1.29.6-1
 Summary: SELinux policy core utilities.
 Name: policycoreutils
-Version: 1.29.8
-Release: 4
+Version: 1.29.9
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -97,6 +97,10 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_libdir}/python2.4/site-packages/seobject.py*
 
 %changelog
+* Thu Jan 19 2006 Dan Walsh 1.29.9-1
+- Update to match NSA
+ * Merged chcat, semanage, and setsebool patches from Dan Walsh.
+
 * Thu Jan 19 2006 Dan Walsh 1.29.8-4
 - Fixes for "add"-"modify" error messages
 - Fixes for chcat
diff --git a/sources b/sources
index 711fac9..4aa9ecc 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-c40bd665ecbb503adf1a8e8730fed32a policycoreutils-1.29.8.tgz
+f9a8e2b1f33895ef25ad9eeb52dec04e policycoreutils-1.29.9.tgz