* Thu Jan 19 2006 Dan Walsh <dwalsh@redhat.com> 1.29.9-10

* Thu Jan 19 2006 Dan Walsh <dwalsh@redhat.com> 1.29.9-2
- Fix genhomedircon to work on MLS policy

.cvsignore

@@ -82,3 +82,5 @@ policycoreutils-1.29.5.tgz
 policycoreutils-1.29.7.tgz
 policycoreutils-1.29.8.tgz
 policycoreutils-1.29.9.tgz
+policycoreutils-1.29.10.tgz
+policycoreutils-1.29.11.tgz

policycoreutils-rhat.patch

@@ -1,69 +1,337 @@
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat.8 policycoreutils-1.29.9/scripts/chcat.8
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.10/scripts/chcat
---- nsapolicycoreutils/scripts/chcat.8	2006-01-18 11:12:43.000000000 -0500
+--- nsapolicycoreutils/scripts/chcat	2006-01-19 16:00:44.000000000 -0500
-+++ policycoreutils-1.29.9/scripts/chcat.8	2006-01-19 17:23:42.000000000 -0500
++++ policycoreutils-1.29.10/scripts/chcat	2006-01-20 17:17:02.000000000 -0500
-@@ -27,6 +27,11 @@
+@@ -356,7 +356,7 @@
- Change/Remove the security CATEGORY for each FILE/USER.
+ 
- .PP
+         if list_ind==0 and len(cmds) < 1:
- Use +/- to add/remove categories from a FILE/USER.
+             usage()
-+.PP
+-    except:
-+.B
++    except ValueError, e:
-+Note:
+         usage()
-+When removing a category you must specify '--' on the command line before using the -Category syntax.  This tells the shell that you have finished entering options.
+ 
+     if delete_ind:
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.10/semanage/semanage
+--- nsapolicycoreutils/semanage/semanage	2006-01-20 10:37:37.000000000 -0500
++++ policycoreutils-1.29.10/semanage/semanage	2006-01-20 15:17:56.000000000 -0500
+@@ -30,28 +30,27 @@
+ 
+ 	def usage(message = ""):
+ 		print '\
+-semanage {login|user|port|interface|fcontext} -l\n\
++semanage {login|user|port|interface|fcontext|translation} -l [-n] \n\
+ semanage login -{a|d|m} [-sr] login_name\n\
+ semanage user -{a|d|m} [-LrR] selinux_name\n\
+-semanage port -{a|d|m} -p protocol [-t] port_number\n\
++semanage port -{a|d|m} [-tr] [ -p protocol ] port | port_range\n\
+ semanage interface -{a|d|m} [-tr] interface_spec\n\
+-semanage translation -{a|d|m} [-T] level\n\
+ semanage fcontext -{a|d|m} [-frst] file_spec\n\
++semanage translation -{a|d|m} [-T] level\n\
+ 	-a, --add        Add a OBJECT record NAME\n\
+ 	-d, --delete     Delete a OBJECT record NAME\n\
+ 	-f, --ftype      File Type of OBJECT \n\
+ 	-h, --help       display this message\n\
+ 	-l, --list       List the OBJECTS\n\
+ 	-L, --level      Default SELinux Level\n\
+-	-n, --noheading  Do not print heading when listing OBJECTS\n\
+ 	-m, --modify     Modify a OBJECT record NAME\n\
+-	-P, --proto      Port protocol\n\
++	-n, --noheading  Do not print heading when listing OBJECTS\n\
++	-p, --proto      Port protocol\n\
+ 	-r, --range      MLS/MCS Security Range\n\
+ 	-R, --roles      SELinux Roles (Separate by spaces)\n\
+ 	-s, --seuser     SELinux user name\n\
+ 	-t, --type       SELinux Type for the object\n\
+ 	-T, --trans      SELinux Level Translation\n\
+-	-v, --verbose    verbose output\n\
+ '
+ 		print message
+ 		sys.exit(1)
+@@ -62,35 +61,29 @@
+ 		sys.stderr.flush()
+ 		sys.exit(1)
+ 
+-	def unwanted_ftype():
+-		if ftype != "":
+-			sys.stderr.write("ftype not used\n");
+-	def unwanted_selevel():
+-		if selevel != "":
+-			sys.stderr.write("level not used\n");
+-	def unwanted_proto():
+-		if proto != "":
+-			sys.stderr.write("proto not used\n");
+-	def unwanted_roles():
+-		if roles != "":
+-			sys.stderr.write("role not used\n");
+-	def unwanted_serange():
+-		if serange != "":
+-			sys.stderr.write("range not used\n");
+-	def unwanted_seuser():
+-		if seuser != "":
+-			sys.stderr.write("seuser not used\n");
+-	def unwanted_setype():
+-		if setype != "":
+-			sys.stderr.write("type not used\n");
+-	def unwanted_setrans():
+-		if setrans != "":
+-			sys.stderr.write("trans not used\n");
++	def get_options():
++		valid_option={}
++		valid_everyone=[ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading' ]
++		valid_option["login"] = []
++		valid_option["login"] += valid_everyone + [ '-s', '--seuser', '-r', '--range']
++		valid_option["user"] = []
++		valid_option["user"] += valid_everyone + [ '-L', '--level', '-r', '--range', '-R', '--roles' ] 
++		valid_option["port"] = []
++		valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range'] 
++		valid_option["port"] = []
++		valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--protocol' ] 
++		valid_option["interface"] = []
++		valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range'] 
++		valid_option["fcontext"] = []
++		valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser',  '-t', '--type', '-r', '--range'] 
++		valid_option["translation"] = []
++		valid_option["fcontext"] += valid_everyone + [ '-T', '--trans' ] 
++		return valid_option
 +
+ 	#
+ 	# 
+ 	#
+ 	try:
+-		objectlist = ("login", "user", "port", "interface", "fcontext", "translation")
+ 		input = sys.stdin
+ 		output = sys.stdout
+ 		serange = ""
+@@ -112,12 +105,14 @@
+ 			usage("Requires 2 or more arguments")
+ 			
+ 		object = sys.argv[1]
+-		if object not in objectlist:
++		option_dict=get_options()
++		if object not in option_dict.keys():
+ 			usage("%s not defined" % object)
+ 			
+ 		args = sys.argv[2:]
++
+ 		gopts, cmds = getopt.getopt(args,
+-					    'adf:lhmnp:P:s:R:L:r:t:vT:',
++					    'adf:lhmnp:s:R:L:r:t:vT:',
+ 					    ['add',
+ 					     'delete',
+ 					     'ftype=',
+@@ -125,16 +120,18 @@
+ 					     'list', 
+ 					     'modify',
+ 					     'noheading',
+-					     'port=',
+ 					     'proto=',
+ 					     'seuser=',
+ 					     'range=',
+ 					     'level=',
+ 					     'roles=',
+ 					     'type=',
+-					     'trans=',
+-					     'verbose'
++					     'trans='
+ 					     ])
++		for o, a in gopts:
++			if o not in option_dict[object]:
++				sys.stderr.write("%s not valid for %s objects\n" % ( o, object) );
++				
+ 		for o,a in gopts:
+ 			if o == "-a" or o == "--add":
+ 				if modify or delete:
+@@ -167,11 +164,11 @@
+ 			if o == "-L" or o == '--level':
+ 				selevel = a
+ 
+-			if o == "-P" or o == '--proto':
++			if o == "-p" or o == '--proto':
+ 				proto = a
+ 
+ 			if o == "-R" or o == '--roles':
+-				roles = roles + " " + a
++				roles = a
+ 
+ 			if o == "-s" or o == "--seuser":
+ 				seuser = a
+@@ -185,91 +182,25 @@
+ 			if o == "-v" or o == "--verbose":
+ 				verbose = 1
+ 
+-# Note in this section I intentionally leave the unwanted_*() functions for
+-# variabled which are wanted commented out and don't delete those lines.  This
+-# will make it easier to modify the code when the list of wanted variables
+-# changes.
+ 		if object == "login":
+-			if not delete:
+-				unwanted_ftype()
+-				unwanted_selevel()
+-				unwanted_proto()
+-				unwanted_roles()
+-#				unwanted_serange()
+-#				unwanted_seuser()
+-				unwanted_setype()
+-				unwanted_setrans()
+ 			OBJECT = seobject.loginRecords()
+ 
+ 		if object == "user":
+-			if not delete:
+-				unwanted_ftype()
+-#				unwanted_selevel()
+-				unwanted_proto()
+-#				unwanted_roles()
+-#				unwanted_serange()
+-				unwanted_seuser()
+-				unwanted_setype()
+-				unwanted_setrans()
+ 			OBJECT = seobject.seluserRecords()
+ 
+ 		if object == "port":
+-			if not delete:
+-				unwanted_ftype()
+-				unwanted_selevel()
+-#				unwanted_proto()
+-				unwanted_roles()
+-				unwanted_serange()
+-				unwanted_seuser()
+-#				unwanted_setype()
+-				unwanted_setrans()
+ 			OBJECT = seobject.portRecords()
+ 		
+ 		if object == "interface":
+-			if not delete:
+-				unwanted_ftype()
+-				unwanted_selevel()
+-				unwanted_proto()
+-				unwanted_roles()
+-#				unwanted_serange()
+-				unwanted_seuser()
+-#				unwanted_setype()
+-				unwanted_setrans()
+ 			OBJECT = seobject.interfaceRecords()
+ 		
+ 		if object == "fcontext":
+-			if not delete:
+-#				unwanted_ftype()
+-				unwanted_selevel()
+-				unwanted_proto()
+-				unwanted_roles()
+-#				unwanted_serange()
+-#				unwanted_seuser()
+-#				unwanted_setype()
+-				unwanted_setrans()
+ 			OBJECT = seobject.fcontextRecords()
+ 		
+ 		if object == "translation":
+-			if not delete:
+-				unwanted_ftype()
+-				unwanted_selevel()
+-				unwanted_proto()
+-				unwanted_roles()
+-				unwanted_serange()
+-				unwanted_seuser()
+-				unwanted_setype()
+-#				unwanted_setrans()
+ 			OBJECT = seobject.setransRecords()
+ 		
+ 		if list:
+-			unwanted_ftype()
+-			unwanted_selevel()
+-			unwanted_proto()
+-			unwanted_roles()
+-			unwanted_serange()
+-			unwanted_seuser()
+-			unwanted_setype()
+-			unwanted_setrans()
+ 			OBJECT.list(heading)
+ 			sys.exit(0);
+ 			
+@@ -324,16 +255,6 @@
+ 			sys.exit(0);
+ 
+ 		if delete:
+-			if object != "fcontext":
+-				unwanted_ftype()
+-			unwanted_selevel()
+-			if object == "port":
+-				unwanted_proto()
+-			unwanted_roles()
+-			unwanted_serange()
+-			unwanted_seuser()
+-			unwanted_setype()
+-			unwanted_setrans()
+ 			if object == "port":
+ 				OBJECT.delete(target, proto)
+ 
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.29.10/semanage/semanage.8
+--- nsapolicycoreutils/semanage/semanage.8	2006-01-20 10:37:37.000000000 -0500
++++ policycoreutils-1.29.10/semanage/semanage.8	2006-01-20 15:10:15.000000000 -0500
+@@ -3,19 +3,19 @@
+ semanage \- SELinux Policy Management tool
+ 
+ .SH "SYNOPSIS"
+-.B semanage {login|user|port|interface|fcontext} \-l [\-n]
++.B semanage {login|user|port|interface|fcontext|translation} \-l [\-n]
+ .br
+ .B semanage login \-{a|d|m} [\-sr] login_name
+ .br
+ .B semanage user \-{a|d|m} [\-LrR] selinux_name
+ .br
+-.B semanage port \-{a|d|m} \-p protocol [\-t] port_number
++.B semanage port \-{a|d|m} [\-tr] [\-p protocol] port | port_range
+ .br
+ .B semanage interface \-{a|d|m} [\-tr] interface_spec
+ .br
+-.B semanage translation \-{a|d|m} [\-T] level
+-.br
+ .B semanage fcontext \-{a|d|m} [\-frst] file_spec
++.br
++.B semanage translation \-{a|d|m} [\-T] level
+ .P
+ 
+ This tool is used to configure SELinux policy
+@@ -35,34 +35,34 @@
+ .I                \-d, \-\-delete     
+ Delete a OBJECT record NAME
+ .TP
+-.I                \-h, \-\-help       
+-display this message
+-.TP
+ .I                \-f, \-\-ftype
+ File Type.   This is used with fcontext.
+ Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
+ .TP
++.I                \-h, \-\-help       
++display this message
++.TP
+ .I                \-l, \-\-list       
+ List the OBJECTS
+ .TP
+-.I                \-n, \-\-noheading       
+-Do not print heading when listing OBJECTS
+-.TP
+ .I                \-L, \-\-level
+ Default SELinux Level for SELinux use. (s0)
+ .TP
+ .I                \-m, \-\-modify     
+ Modify a OBJECT record NAME
+ .TP
++.I                \-n, \-\-noheading  
++Do not print heading when listing OBJECTS.
++.TP
+ .I                \-p, \-\-proto
+ Protocol for the specified port (tcp|udp).
+ .TP
+-.I                \-R, \-\-role
+-SELinux Roles (Separate by spaces)
+-.TP
+ .I                \-r, \-\-range      
+ MLS/MCS Security Range
+ .TP
++.I                \-R, \-\-role
++SELinux Roles.  You must inclose multiple roles within quotes, separate by spaces.
++.TP
+ .I                \-s, \-\-seuser     
+ SELinux user name
  .TP
- \fB\-d\fR
- delete the category from each FILE/USER.
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.9/scripts/genhomedircon
---- nsapolicycoreutils/scripts/genhomedircon	2006-01-18 11:12:43.000000000 -0500
-+++ policycoreutils-1.29.9/scripts/genhomedircon	2006-01-19 17:23:54.000000000 -0500
-@@ -199,10 +199,11 @@
- 				sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user)
- 				return
- 		prefs = {}
-+		prefs["seuser"] = seuser
- 		prefs["role"] = role
- 		prefs["home"] = home
--		udict[seuser] = prefs
--
-+		udict[user] = prefs
-+		
- 	def getUsers(self):
- 		udict = {}
- 		if self.semanaged:
-@@ -233,14 +234,14 @@
- 
- 		return udict
- 
--	def getHomeDirContext(self, user, home, role):
-+	def getHomeDirContext(self, user, seuser, home, role):
- 		ret="\n\n#\n# Home Context for user %s\n#\n\n" % user
- 		fd=open(self.getHomeDirTemplate(), 'r')
- 		for i in  fd.read().split('\n'):
- 			if i.startswith("HOME_DIR") == 1:
- 				i=i.replace("HOME_DIR", home)
- 				i=i.replace("ROLE", role)
--				i=i.replace("system_u", user)
-+				i=i.replace("system_u", seuser)
- 				ret = ret+i+"\n"
- 		fd.close()
- 		return ret
-@@ -265,8 +266,8 @@
- 		ret=""
- 		# Fill in HOME and ROLE for users that are defined
- 		for u in users.keys():
--			ret += self.getHomeDirContext (u, users[u]["home"], users[u]["role"])
--			ret += self.getUserContext (u, u, users[u]["role"])
-+			ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["role"])
-+			ret += self.getUserContext (u, users[u]["seuser"], users[u]["role"])
- 		return ret+"\n"
- 
- 	def checkExists(self, home):
-@@ -309,7 +310,7 @@
- 	def genoutput(self):
- 		ret= self.heading()
- 		for h in self.getHomeDirs():
--			ret += self.getHomeDirContext ("user_u" , h+'/[^/]*', "user")
-+			ret += self.getHomeDirContext ("user_u", "user_u" , h+'/[^/]*', "user")
- 			ret += self.getHomeRootContext(h)
- 		ret += self.getUserContext(".*", "user_u", "user") + "\n"
- 		ret += self.genHomeDirContext()

policycoreutils.spec

@@ -3,8 +3,8 @@
 %define libselinuxver 1.29.6-1
 Summary: SELinux policy core utilities.
 Name: policycoreutils
-Version: 1.29.9
+Version: 1.29.10
-Release: 2
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -97,6 +97,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_libdir}/python2.4/site-packages/seobject.py*
 
 %changelog
+* Thu Jan 19 2006 Dan Walsh <dwalsh@redhat.com> 1.29.9-10
 * Thu Jan 19 2006 Dan Walsh <dwalsh@redhat.com> 1.29.9-2
 - Fix genhomedircon to work on MLS policy
 

sources

@@ -1 +1 @@
-f9a8e2b1f33895ef25ad9eeb52dec04e  policycoreutils-1.29.9.tgz
+51372837f3abaffa294b289c3acc89c4  policycoreutils-1.29.11.tgz