From 43e3506502564f65eede93ed0458f63aa0c03760 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 25 Jan 2006 16:07:46 +0000
Subject: [PATCH] * Thu Jan 19 2006 Dan Walsh 1.29.9-10 * Thu Jan 19 2006 Dan Walsh 1.29.9-2 - Fix genhomedircon to work on MLS policy
---
 .cvsignore | 2 +
 policycoreutils-rhat.patch | 402 ++++++++++++++++++++++++++++++-------
 policycoreutils.spec | 5 +-
 sources | 2 +-
 4 files changed, 341 insertions(+), 70 deletions(-)
diff --git a/.cvsignore b/.cvsignore
index 68ddf9e..51821f2 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -82,3 +82,5 @@ policycoreutils-1.29.5.tgz
 policycoreutils-1.29.7.tgz
 policycoreutils-1.29.8.tgz
 policycoreutils-1.29.9.tgz
+policycoreutils-1.29.10.tgz
+policycoreutils-1.29.11.tgz
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 06349fb..7ed3ebb 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1,69 +1,337 @@ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat.8 policycoreutils-1.29.9/scripts/chcat.8 ---- nsapolicycoreutils/scripts/chcat.8 2006-01-18 11:12:43.000000000 -0500 -+++ policycoreutils-1.29.9/scripts/chcat.8 2006-01-19 17:23:42.000000000 -0500 -@@ -27,6 +27,11 @@ - Change/Remove the security CATEGORY for each FILE/USER. - .PP - Use +/- to add/remove categories from a FILE/USER. -+.PP -+.B -+Note: -+When removing a category you must specify '--' on the command line before using the -Category syntax. This tells the shell that you have finished entering options. +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.10/scripts/chcat +--- nsapolicycoreutils/scripts/chcat 2006-01-19 16:00:44.000000000 -0500 ++++ policycoreutils-1.29.10/scripts/chcat 2006-01-20 17:17:02.000000000 -0500 +@@ -356,7 +356,7 @@ + + if list_ind==0 and len(cmds) < 1: + usage() +- except: ++ except ValueError, e: + usage() + + if delete_ind: +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.10/semanage/semanage +--- nsapolicycoreutils/semanage/semanage 2006-01-20 10:37:37.000000000 -0500 ++++ policycoreutils-1.29.10/semanage/semanage 2006-01-20 15:17:56.000000000 -0500 +@@ -30,28 +30,27 @@ + + def usage(message = ""): + print '\ +-semanage {login|user|port|interface|fcontext} -l\n\ ++semanage {login|user|port|interface|fcontext|translation} -l [-n] \n\ + semanage login -{a|d|m} [-sr] login_name\n\ + semanage user -{a|d|m} [-LrR] selinux_name\n\ +-semanage port -{a|d|m} -p protocol [-t] port_number\n\ ++semanage port -{a|d|m} [-tr] [ -p protocol ] port | port_range\n\ + semanage interface -{a|d|m} [-tr] interface_spec\n\ +-semanage translation -{a|d|m} [-T] level\n\ + semanage fcontext -{a|d|m} [-frst] file_spec\n\ ++semanage translation -{a|d|m} [-T] level\n\ + -a, --add Add a OBJECT record NAME\n\ + -d, --delete Delete a OBJECT record NAME\n\ + -f, --ftype File Type of 
OBJECT \n\ + -h, --help display this message\n\ + -l, --list List the OBJECTS\n\ + -L, --level Default SELinux Level\n\ +- -n, --noheading Do not print heading when listing OBJECTS\n\ + -m, --modify Modify a OBJECT record NAME\n\ +- -P, --proto Port protocol\n\ ++ -n, --noheading Do not print heading when listing OBJECTS\n\ ++ -p, --proto Port protocol\n\ + -r, --range MLS/MCS Security Range\n\ + -R, --roles SELinux Roles (Separate by spaces)\n\ + -s, --seuser SELinux user name\n\ + -t, --type SELinux Type for the object\n\ + -T, --trans SELinux Level Translation\n\ +- -v, --verbose verbose output\n\ + ' + print message + sys.exit(1) +@@ -62,35 +61,29 @@ + sys.stderr.flush() + sys.exit(1) + +- def unwanted_ftype(): +- if ftype != "": +- sys.stderr.write("ftype not used\n"); +- def unwanted_selevel(): +- if selevel != "": +- sys.stderr.write("level not used\n"); +- def unwanted_proto(): +- if proto != "": +- sys.stderr.write("proto not used\n"); +- def unwanted_roles(): +- if roles != "": +- sys.stderr.write("role not used\n"); +- def unwanted_serange(): +- if serange != "": +- sys.stderr.write("range not used\n"); +- def unwanted_seuser(): +- if seuser != "": +- sys.stderr.write("seuser not used\n"); +- def unwanted_setype(): +- if setype != "": +- sys.stderr.write("type not used\n"); +- def unwanted_setrans(): +- if setrans != "": +- sys.stderr.write("trans not used\n"); ++ def get_options(): ++ valid_option={} ++ valid_everyone=[ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading' ] ++ valid_option["login"] = [] ++ valid_option["login"] += valid_everyone + [ '-s', '--seuser', '-r', '--range'] ++ valid_option["user"] = [] ++ valid_option["user"] += valid_everyone + [ '-L', '--level', '-r', '--range', '-R', '--roles' ] ++ valid_option["port"] = [] ++ valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range'] ++ valid_option["port"] = [] ++ valid_option["port"] += valid_everyone + [ '-t', '--type', 
'-r', '--range', '-p', '--protocol' ] ++ valid_option["interface"] = [] ++ valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range'] ++ valid_option["fcontext"] = [] ++ valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range'] ++ valid_option["translation"] = [] ++ valid_option["fcontext"] += valid_everyone + [ '-T', '--trans' ] ++ return valid_option + + # + # + # + try: +- objectlist = ("login", "user", "port", "interface", "fcontext", "translation") + input = sys.stdin + output = sys.stdout + serange = "" +@@ -112,12 +105,14 @@ + usage("Requires 2 or more arguments") + + object = sys.argv[1] +- if object not in objectlist: ++ option_dict=get_options() ++ if object not in option_dict.keys(): + usage("%s not defined" % object) + + args = sys.argv[2:] ++ + gopts, cmds = getopt.getopt(args, +- 'adf:lhmnp:P:s:R:L:r:t:vT:', ++ 'adf:lhmnp:s:R:L:r:t:vT:', + ['add', + 'delete', + 'ftype=', +@@ -125,16 +120,18 @@ + 'list', + 'modify', + 'noheading', +- 'port=', + 'proto=', + 'seuser=', + 'range=', + 'level=', + 'roles=', + 'type=', +- 'trans=', +- 'verbose' ++ 'trans=' + ]) ++ for o, a in gopts: ++ if o not in option_dict[object]: ++ sys.stderr.write("%s not valid for %s objects\n" % ( o, object) ); ++ + for o,a in gopts: + if o == "-a" or o == "--add": + if modify or delete: +@@ -167,11 +164,11 @@ + if o == "-L" or o == '--level': + selevel = a + +- if o == "-P" or o == '--proto': ++ if o == "-p" or o == '--proto': + proto = a + + if o == "-R" or o == '--roles': +- roles = roles + " " + a ++ roles = a + + if o == "-s" or o == "--seuser": + seuser = a +@@ -185,91 +182,25 @@ + if o == "-v" or o == "--verbose": + verbose = 1 + +-# Note in this section I intentionally leave the unwanted_*() functions for +-# variabled which are wanted commented out and don't delete those lines. This +-# will make it easier to modify the code when the list of wanted variables +-# changes. 
+ if object == "login": +- if not delete: +- unwanted_ftype() +- unwanted_selevel() +- unwanted_proto() +- unwanted_roles() +-# unwanted_serange() +-# unwanted_seuser() +- unwanted_setype() +- unwanted_setrans() + OBJECT = seobject.loginRecords() + + if object == "user": +- if not delete: +- unwanted_ftype() +-# unwanted_selevel() +- unwanted_proto() +-# unwanted_roles() +-# unwanted_serange() +- unwanted_seuser() +- unwanted_setype() +- unwanted_setrans() + OBJECT = seobject.seluserRecords() + + if object == "port": +- if not delete: +- unwanted_ftype() +- unwanted_selevel() +-# unwanted_proto() +- unwanted_roles() +- unwanted_serange() +- unwanted_seuser() +-# unwanted_setype() +- unwanted_setrans() + OBJECT = seobject.portRecords() + + if object == "interface": +- if not delete: +- unwanted_ftype() +- unwanted_selevel() +- unwanted_proto() +- unwanted_roles() +-# unwanted_serange() +- unwanted_seuser() +-# unwanted_setype() +- unwanted_setrans() + OBJECT = seobject.interfaceRecords() + + if object == "fcontext": +- if not delete: +-# unwanted_ftype() +- unwanted_selevel() +- unwanted_proto() +- unwanted_roles() +-# unwanted_serange() +-# unwanted_seuser() +-# unwanted_setype() +- unwanted_setrans() + OBJECT = seobject.fcontextRecords() + + if object == "translation": +- if not delete: +- unwanted_ftype() +- unwanted_selevel() +- unwanted_proto() +- unwanted_roles() +- unwanted_serange() +- unwanted_seuser() +- unwanted_setype() +-# unwanted_setrans() + OBJECT = seobject.setransRecords() + + if list: +- unwanted_ftype() +- unwanted_selevel() +- unwanted_proto() +- unwanted_roles() +- unwanted_serange() +- unwanted_seuser() +- unwanted_setype() +- unwanted_setrans() + OBJECT.list(heading) + sys.exit(0); + +@@ -324,16 +255,6 @@ + sys.exit(0); + + if delete: +- if object != "fcontext": +- unwanted_ftype() +- unwanted_selevel() +- if object == "port": +- unwanted_proto() +- unwanted_roles() +- unwanted_serange() +- unwanted_seuser() +- unwanted_setype() +- 
unwanted_setrans() + if object == "port": + OBJECT.delete(target, proto) + +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.29.10/semanage/semanage.8 +--- nsapolicycoreutils/semanage/semanage.8 2006-01-20 10:37:37.000000000 -0500 ++++ policycoreutils-1.29.10/semanage/semanage.8 2006-01-20 15:10:15.000000000 -0500 +@@ -3,19 +3,19 @@ + semanage \- SELinux Policy Management tool + + .SH "SYNOPSIS" +-.B semanage {login|user|port|interface|fcontext} \-l [\-n] ++.B semanage {login|user|port|interface|fcontext|translation} \-l [\-n] + .br + .B semanage login \-{a|d|m} [\-sr] login_name + .br + .B semanage user \-{a|d|m} [\-LrR] selinux_name + .br +-.B semanage port \-{a|d|m} \-p protocol [\-t] port_number ++.B semanage port \-{a|d|m} [\-tr] [\-p protocol] port | port_range + .br + .B semanage interface \-{a|d|m} [\-tr] interface_spec + .br +-.B semanage translation \-{a|d|m} [\-T] level +-.br + .B semanage fcontext \-{a|d|m} [\-frst] file_spec ++.br ++.B semanage translation \-{a|d|m} [\-T] level + .P + + This tool is used to configure SELinux policy +@@ -35,34 +35,34 @@ + .I \-d, \-\-delete + Delete a OBJECT record NAME + .TP +-.I \-h, \-\-help +-display this message +-.TP + .I \-f, \-\-ftype + File Type. This is used with fcontext. + Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files. + .TP ++.I \-h, \-\-help ++display this message ++.TP + .I \-l, \-\-list + List the OBJECTS + .TP +-.I \-n, \-\-noheading +-Do not print heading when listing OBJECTS +-.TP + .I \-L, \-\-level + Default SELinux Level for SELinux use. (s0) + .TP + .I \-m, \-\-modify + Modify a OBJECT record NAME + .TP ++.I \-n, \-\-noheading ++Do not print heading when listing OBJECTS. ++.TP + .I \-p, \-\-proto + Protocol for the specified port (tcp|udp). 
+ .TP +-.I \-R, \-\-role +-SELinux Roles (Separate by spaces) +-.TP + .I \-r, \-\-range + MLS/MCS Security Range + .TP ++.I \-R, \-\-role ++SELinux Roles. You must inclose multiple roles within quotes, separate by spaces. ++.TP + .I \-s, \-\-seuser + SELinux user name .TP - \fB\-d\fR - delete the category from each FILE/USER. -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.9/scripts/genhomedircon ---- nsapolicycoreutils/scripts/genhomedircon 2006-01-18 11:12:43.000000000 -0500 -+++ policycoreutils-1.29.9/scripts/genhomedircon 2006-01-19 17:23:54.000000000 -0500 -@@ -199,10 +199,11 @@ - sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user) - return - prefs = {} -+ prefs["seuser"] = seuser - prefs["role"] = role - prefs["home"] = home -- udict[seuser] = prefs -- -+ udict[user] = prefs -+ - def getUsers(self): - udict = {} - if self.semanaged: -@@ -233,14 +234,14 @@ - - return udict - -- def getHomeDirContext(self, user, home, role): -+ def getHomeDirContext(self, user, seuser, home, role): - ret="\n\n#\n# Home Context for user %s\n#\n\n" % user - fd=open(self.getHomeDirTemplate(), 'r') - for i in fd.read().split('\n'): - if i.startswith("HOME_DIR") == 1: - i=i.replace("HOME_DIR", home) - i=i.replace("ROLE", role) -- i=i.replace("system_u", user) -+ i=i.replace("system_u", seuser) - ret = ret+i+"\n" - fd.close() - return ret -@@ -265,8 +266,8 @@ - ret="" - # Fill in HOME and ROLE for users that are defined - for u in users.keys(): -- ret += self.getHomeDirContext (u, users[u]["home"], users[u]["role"]) -- ret += self.getUserContext (u, u, users[u]["role"]) -+ ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["role"]) -+ ret += self.getUserContext (u, users[u]["seuser"], users[u]["role"]) - return ret+"\n" - - def checkExists(self, home): -@@ -309,7 +310,7 @@ - def genoutput(self): - ret= self.heading() - for h in self.getHomeDirs(): -- ret += 
self.getHomeDirContext ("user_u" , h+'/[^/]*', "user")
-+ ret += self.getHomeDirContext ("user_u", "user_u" , h+'/[^/]*', "user")
- ret += self.getHomeRootContext(h)
- ret += self.getUserContext(".*", "user_u", "user") + "\n"
- ret += self.genHomeDirContext()
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 6c3a10e..e2e1ebb 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -3,8 +3,8 @@
 %define libselinuxver 1.29.6-1
 Summary: SELinux policy core utilities.
 Name: policycoreutils
-Version: 1.29.9
-Release: 2
+Version: 1.29.10
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -97,6 +97,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_libdir}/python2.4/site-packages/seobject.py*
 %changelog
+* Thu Jan 19 2006 Dan Walsh 1.29.9-10
 * Thu Jan 19 2006 Dan Walsh 1.29.9-2
 - Fix genhomedircon to work on MLS policy
diff --git a/sources b/sources
index 4aa9ecc..7e694f0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-f9a8e2b1f33895ef25ad9eeb52dec04e policycoreutils-1.29.9.tgz
+51372837f3abaffa294b289c3acc89c4 policycoreutils-1.29.11.tgz
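Review bot: The new get_options() table in the semanage part of this hunk is mis-keyed: `valid_option["port"]` is assigned twice, so the first list is simply overwritten, and the final line appends the translation options to `valid_option["fcontext"]` while `valid_option["translation"]` stays `[]`, so every `semanage translation` invocation, even `-l` or `-a`, is reported as not valid. The port table also spells the long form `'--protocol'` although the getopt long-option list in the same hunk registers `'proto='`, so `--proto` is flagged for port objects even though `-p` is accepted. Because the validation loop only writes its message to stderr and falls through, a rejected option is still applied to the record; if the warn-only behaviour of the old `unwanted_*()` helpers is not meant to survive, replace the write with `usage("%s not valid for %s objects" % (o, object))` so the command stops before touching the policy store. Rewriting the function as below removes the duplicate assignments and the empty translation entry; get_options() lies entirely inside this hunk of the nested patch.
```python
def get_options():
    # Options every object type accepts; the per-object lists extend it.
    valid_everyone = [ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading' ]
    valid_option = {}
    valid_option["login"] = valid_everyone + [ '-s', '--seuser', '-r', '--range' ]
    valid_option["user"] = valid_everyone + [ '-L', '--level', '-r', '--range', '-R', '--roles' ]
    # One port table; the long form must match the 'proto=' getopt entry.
    valid_option["port"] = valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--proto' ]
    valid_option["interface"] = valid_everyone + [ '-t', '--type', '-r', '--range' ]
    valid_option["fcontext"] = valid_everyone + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range' ]
    # Was appended to "fcontext" by mistake, leaving "translation" empty.
    valid_option["translation"] = valid_everyone + [ '-T', '--trans' ]
    return valid_option
```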