* Mon Jun 16 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-7
- Fix sepolgen-ifgen processing
This commit is contained in:
parent
885bcd1c51
commit
70545b8b95
|
@ -178,3 +178,4 @@ policycoreutils-2.0.43.tgz
|
|||
policycoreutils-2.0.44.tgz
|
||||
policycoreutils-2.0.46.tgz
|
||||
policycoreutils-2.0.47.tgz
|
||||
policycoreutils-2.0.49.tgz
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -1,5 +1,5 @@
|
|||
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.49/Makefile
|
||||
--- nsapolicycoreutils/Makefile 2008-05-22 14:01:49.292734000 -0400
|
||||
--- nsapolicycoreutils/Makefile 2008-05-22 14:01:49.000000000 -0400
|
||||
+++ policycoreutils-2.0.49/Makefile 2008-05-16 11:27:02.000000000 -0400
|
||||
@@ -1,4 +1,4 @@
|
||||
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
|
||||
|
@ -8,7 +8,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
|
|||
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
|
||||
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.49/restorecond/restorecond.c
|
||||
--- nsapolicycoreutils/restorecond/restorecond.c 2008-05-22 14:01:42.385538000 -0400
|
||||
--- nsapolicycoreutils/restorecond/restorecond.c 2008-05-22 14:01:42.000000000 -0400
|
||||
+++ policycoreutils-2.0.49/restorecond/restorecond.c 2008-05-16 11:27:02.000000000 -0400
|
||||
@@ -210,9 +210,10 @@
|
||||
}
|
||||
|
@ -37,7 +37,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
|
|||
free(scontext);
|
||||
close(fd);
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.49/restorecond/restorecond.init
|
||||
--- nsapolicycoreutils/restorecond/restorecond.init 2008-05-22 14:01:42.394526000 -0400
|
||||
--- nsapolicycoreutils/restorecond/restorecond.init 2008-05-22 14:01:42.000000000 -0400
|
||||
+++ policycoreutils-2.0.49/restorecond/restorecond.init 2008-05-16 11:27:02.000000000 -0400
|
||||
@@ -2,7 +2,7 @@
|
||||
#
|
||||
|
@ -49,8 +49,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
|
|||
# listed in the /etc/selinux/restorecond.conf file, and restores the \
|
||||
# correct security context.
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.49/scripts/fixfiles
|
||||
--- nsapolicycoreutils/scripts/fixfiles 2008-05-22 14:01:41.983778000 -0400
|
||||
+++ policycoreutils-2.0.49/scripts/fixfiles 2008-05-22 13:56:53.737824000 -0400
|
||||
--- nsapolicycoreutils/scripts/fixfiles 2008-05-22 14:01:41.000000000 -0400
|
||||
+++ policycoreutils-2.0.49/scripts/fixfiles 2008-05-22 13:56:53.000000000 -0400
|
||||
@@ -138,6 +138,9 @@
|
||||
fi
|
||||
LogReadOnly
|
||||
|
@ -81,7 +81,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
|
|||
|
||||
if [ $# = 0 ]; then
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.49/scripts/fixfiles.8
|
||||
--- nsapolicycoreutils/scripts/fixfiles.8 2008-05-22 14:01:41.942823000 -0400
|
||||
--- nsapolicycoreutils/scripts/fixfiles.8 2008-05-22 14:01:41.000000000 -0400
|
||||
+++ policycoreutils-2.0.49/scripts/fixfiles.8 2008-05-16 11:27:02.000000000 -0400
|
||||
@@ -7,6 +7,8 @@
|
||||
|
||||
|
@ -102,10 +102,249 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
|
|||
|
||||
.SH "OPTIONS"
|
||||
.TP
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.49/semanage/semanage
|
||||
--- nsapolicycoreutils/semanage/semanage 2008-05-22 14:01:41.000000000 -0400
|
||||
+++ policycoreutils-2.0.49/semanage/semanage 2008-06-12 14:34:26.499263000 -0400
|
||||
@@ -43,49 +43,52 @@
|
||||
if __name__ == '__main__':
|
||||
|
||||
def usage(message = ""):
|
||||
- print _('\
|
||||
-semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n] \n\
|
||||
-semanage login -{a|d|m} [-sr] login_name\n\
|
||||
-semanage user -{a|d|m} [-LrRP] selinux_name\n\
|
||||
-semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range\n\
|
||||
-semanage interface -{a|d|m} [-tr] interface_spec\n\
|
||||
-semanage fcontext -{a|d|m} [-frst] file_spec\n\
|
||||
-semanage translation -{a|d|m} [-T] level\n\n\
|
||||
-semanage boolean -{d|m} boolean\n\n\
|
||||
-\
|
||||
-Primary Options:\n\
|
||||
-\
|
||||
- -a, --add Add a OBJECT record NAME\n\
|
||||
- -d, --delete Delete a OBJECT record NAME\n\
|
||||
- -m, --modify Modify a OBJECT record NAME\n\
|
||||
- -l, --list List the OBJECTS\n\n\
|
||||
- -C, --locallist List OBJECTS local customizations\n\n\
|
||||
- -D, --deleteall Remove all OBJECTS local customizations\n\
|
||||
-\
|
||||
- -h, --help Display this message\n\
|
||||
- -n, --noheading Do not print heading when listing OBJECTS\n\
|
||||
- -S, --store Select and alternate SELinux store to manage\n\n\
|
||||
-Object-specific Options (see above):\n\
|
||||
- -f, --ftype File Type of OBJECT \n\
|
||||
- "" (all files) \n\
|
||||
- -- (regular file) \n\
|
||||
- -d (directory) \n\
|
||||
- -c (character device) \n\
|
||||
- -b (block device) \n\
|
||||
- -s (socket) \n\
|
||||
- -l (symbolic link) \n\
|
||||
- -p (named pipe) \n\n\
|
||||
-\
|
||||
- -p, --proto Port protocol (tcp or udp)\n\
|
||||
- -P, --prefix Prefix for home directory labeling\n\
|
||||
- -L, --level Default SELinux Level (MLS/MCS Systems only)\n\
|
||||
- -R, --roles SELinux Roles (ex: "sysadm_r staff_r")\n\
|
||||
- -T, --trans SELinux Level Translation (MLS/MCS Systems only)\n\n\
|
||||
-\
|
||||
- -s, --seuser SELinux User Name\n\
|
||||
- -t, --type SELinux Type for the object\n\
|
||||
- -r, --range MLS/MCS Security Range (MLS/MCS Systems only)\n\
|
||||
-')
|
||||
+ print _("""
|
||||
+semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n]
|
||||
+semanage login -{a|d|m} [-sr] login_name
|
||||
+semanage user -{a|d|m} [-LrRP] selinux_name
|
||||
+semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range
|
||||
+semanage interface -{a|d|m} [-tr] interface_spec
|
||||
+semanage fcontext -{a|d|m} [-frst] file_spec
|
||||
+semanage translation -{a|d|m} [-T] level
|
||||
+semanage boolean -{d|m} boolean
|
||||
+semanage permissive -{d|a} type
|
||||
+
|
||||
+Primary Options:
|
||||
+
|
||||
+ -a, --add Add a OBJECT record NAME
|
||||
+ -d, --delete Delete a OBJECT record NAME
|
||||
+ -m, --modify Modify a OBJECT record NAME
|
||||
+ -l, --list List the OBJECTS
|
||||
+ -C, --locallist List OBJECTS local customizations
|
||||
+ -D, --deleteall Remove all OBJECTS local customizations
|
||||
+
|
||||
+ -h, --help Display this message
|
||||
+ -n, --noheading Do not print heading when listing OBJECTS
|
||||
+ -S, --store Select and alternate SELinux store to manage
|
||||
+
|
||||
+Object-specific Options (see above):
|
||||
+
|
||||
+ -f, --ftype File Type of OBJECT
|
||||
+ "" (all files)
|
||||
+ -- (regular file)
|
||||
+ -d (directory)
|
||||
+ -c (character device)
|
||||
+ -b (block device)
|
||||
+ -s (socket)
|
||||
+ -l (symbolic link)
|
||||
+ -p (named pipe)
|
||||
+
|
||||
+ -p, --proto Port protocol (tcp or udp)
|
||||
+ -P, --prefix Prefix for home directory labeling
|
||||
+ -L, --level Default SELinux Level (MLS/MCS Systems only)
|
||||
+ -R, --roles SELinux Roles (ex: "sysadm_r staff_r")
|
||||
+ -T, --trans SELinux Level Translation (MLS/MCS Systems only)
|
||||
+
|
||||
+ -s, --seuser SELinux User Name
|
||||
+ -t, --type SELinux Type for the object
|
||||
+ -r, --range MLS/MCS Security Range (MLS/MCS Systems only)
|
||||
+""")
|
||||
print message
|
||||
sys.exit(1)
|
||||
|
||||
@@ -112,6 +115,8 @@
|
||||
valid_option["translation"] += valid_everyone + [ '-T', '--trans' ]
|
||||
valid_option["boolean"] = []
|
||||
valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ]
|
||||
+ valid_option["permissive"] = []
|
||||
+ valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ]
|
||||
return valid_option
|
||||
|
||||
#
|
||||
@@ -266,6 +271,9 @@
|
||||
if object == "translation":
|
||||
OBJECT = seobject.setransRecords()
|
||||
|
||||
+ if object == "permissive":
|
||||
+ OBJECT = seobject.permissiveRecords(store)
|
||||
+
|
||||
if list:
|
||||
OBJECT.list(heading, locallist)
|
||||
sys.exit(0);
|
||||
@@ -302,6 +310,9 @@
|
||||
|
||||
if object == "fcontext":
|
||||
OBJECT.add(target, setype, ftype, serange, seuser)
|
||||
+ if object == "permissive":
|
||||
+ OBJECT.add(target)
|
||||
+
|
||||
sys.exit(0);
|
||||
|
||||
if modify:
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.49/semanage/semanage.8
|
||||
--- nsapolicycoreutils/semanage/semanage.8 2008-05-22 14:01:41.000000000 -0400
|
||||
+++ policycoreutils-2.0.49/semanage/semanage.8 2008-06-11 16:18:48.000000000 -0400
|
||||
@@ -17,6 +17,8 @@
|
||||
.br
|
||||
.B semanage fcontext \-{a|d|m} [\-frst] file_spec
|
||||
.br
|
||||
+.B semanage permissive \-{a|d} type
|
||||
+.br
|
||||
.B semanage translation \-{a|d|m} [\-T] level
|
||||
.P
|
||||
|
||||
@@ -101,10 +103,11 @@
|
||||
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
|
||||
# Allow Apache to listen on port 81
|
||||
$ semanage port -a -t http_port_t -p tcp 81
|
||||
+# Change apache to a permissive domain
|
||||
+$ semanage permissive -a http_t
|
||||
.fi
|
||||
|
||||
.SH "AUTHOR"
|
||||
This man page was written by Daniel Walsh <dwalsh@redhat.com> and
|
||||
Russell Coker <rcoker@redhat.com>.
|
||||
Examples by Thomas Bleher <ThomasBleher@gmx.de>.
|
||||
-
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.49/semanage/seobject.py
|
||||
--- nsapolicycoreutils/semanage/seobject.py 2008-05-22 14:01:41.602159000 -0400
|
||||
+++ policycoreutils-2.0.49/semanage/seobject.py 2008-05-16 11:27:02.000000000 -0400
|
||||
@@ -464,7 +464,7 @@
|
||||
--- nsapolicycoreutils/semanage/seobject.py 2008-05-22 14:01:41.000000000 -0400
|
||||
+++ policycoreutils-2.0.49/semanage/seobject.py 2008-06-12 14:34:36.038161000 -0400
|
||||
@@ -1,5 +1,5 @@
|
||||
#! /usr/bin/python -E
|
||||
-# Copyright (C) 2005, 2006, 2007 Red Hat
|
||||
+# Copyright (C) 2005, 2006, 2007, 2008 Red Hat
|
||||
# see file 'COPYING' for use and warranty information
|
||||
#
|
||||
# semanage is a tool for managing SELinux configuration files
|
||||
@@ -24,7 +24,9 @@
|
||||
import pwd, string, selinux, tempfile, os, re, sys
|
||||
from semanage import *;
|
||||
PROGNAME="policycoreutils"
|
||||
+import sepolgen.module as module
|
||||
|
||||
+import commands
|
||||
import gettext
|
||||
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
|
||||
gettext.textdomain(PROGNAME)
|
||||
@@ -246,7 +248,67 @@
|
||||
os.close(fd)
|
||||
os.rename(newfilename, self.filename)
|
||||
os.system("/sbin/service mcstrans reload > /dev/null")
|
||||
-
|
||||
+
|
||||
+class permissiveRecords:
|
||||
+ def __init__(self, store):
|
||||
+ self.store = store
|
||||
+
|
||||
+ def get_all(self):
|
||||
+ rc, out = commands.getstatusoutput("semodule -l | grep ^permissive");
|
||||
+ l = []
|
||||
+ for i in out.split():
|
||||
+ if i.startswith("permissive_"):
|
||||
+ l.append(i.split("permissive_")[1])
|
||||
+ return l
|
||||
+
|
||||
+ def list(self,heading = 1, locallist = 0):
|
||||
+ if heading:
|
||||
+ print "\n%-25s\n" % (_("Permissive Types"))
|
||||
+ for t in self.get_all():
|
||||
+ print t
|
||||
+
|
||||
+
|
||||
+ def add(self, type):
|
||||
+ name = "permissive_%s" % type
|
||||
+ dirname = "/var/lib/selinux"
|
||||
+ os.chdir(dirname)
|
||||
+ filename = "%s.te" % name
|
||||
+ modtxt = """
|
||||
+module %s 1.0;
|
||||
+
|
||||
+require {
|
||||
+ type %s;
|
||||
+}
|
||||
+
|
||||
+permissive %s;
|
||||
+""" % (name, type, type)
|
||||
+ fd = open(filename,'w')
|
||||
+ fd.write(modtxt)
|
||||
+ fd.close()
|
||||
+ mc = module.ModuleCompiler()
|
||||
+ mc.create_module_package(filename, 1)
|
||||
+ rc, out = commands.getstatusoutput("semodule -i permissive_%s.pp" % type);
|
||||
+ for root, dirs, files in os.walk("top", topdown=False):
|
||||
+ for name in files:
|
||||
+ os.remove(os.path.join(root, name))
|
||||
+ for name in dirs:
|
||||
+ os.rmdir(os.path.join(root, name))
|
||||
+
|
||||
+ if rc != 0:
|
||||
+ raise ValueError(out)
|
||||
+
|
||||
+
|
||||
+ def delete(self, name):
|
||||
+ rc, out = commands.getstatusoutput("semodule -r permissive_%s" % name );
|
||||
+ if rc != 0:
|
||||
+ raise ValueError(out)
|
||||
+
|
||||
+ def deleteall(self):
|
||||
+ l = self.get_all()
|
||||
+ if len(l) > 0:
|
||||
+ all = " permissive_".join(l)
|
||||
+ self.delete(all)
|
||||
+
|
||||
class semanageRecords:
|
||||
def __init__(self, store):
|
||||
self.sh = semanage_handle_create()
|
||||
@@ -464,7 +526,7 @@
|
||||
def __init__(self, store = ""):
|
||||
semanageRecords.__init__(self, store)
|
||||
|
||||
|
|
|
@ -1,6 +1,28 @@
|
|||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.35/sepolgen-1.0.11/src/sepolgen/refparser.py
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py
|
||||
--- nsasepolgen/src/sepolgen/audit.py 2008-01-23 14:36:29.000000000 -0500
|
||||
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py 2008-05-28 10:11:36.373597000 -0400
|
||||
@@ -241,14 +241,17 @@
|
||||
def from_split_string(self, recs):
|
||||
AuditMessage.from_split_string(self, recs)
|
||||
dict={}
|
||||
+ ctr = 0
|
||||
for i in recs:
|
||||
+ ctr = ctr + 1
|
||||
t = i.split('=')
|
||||
if len(t) < 2:
|
||||
+ if t[0] == "context":
|
||||
+ self.type = refpolicy.SecurityContext(recs[ctr]).type
|
||||
continue
|
||||
dict[t[0]]=t[1]
|
||||
try:
|
||||
self.role = refpolicy.SecurityContext(dict["scontext"]).role
|
||||
- self.type = refpolicy.SecurityContext(dict["tcontext"]).type
|
||||
except:
|
||||
raise ValueError("Split string does not represent a valid compute sid message")
|
||||
def output(self):
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py
|
||||
--- nsasepolgen/src/sepolgen/refparser.py 2008-01-23 14:36:29.000000000 -0500
|
||||
+++ policycoreutils-2.0.35/sepolgen-1.0.11/src/sepolgen/refparser.py 2008-01-11 11:17:50.000000000 -0500
|
||||
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py 2008-05-16 11:27:03.000000000 -0400
|
||||
@@ -919,7 +919,7 @@
|
||||
def list_headers(root):
|
||||
modules = []
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.0.49
|
||||
Release: 3%{?dist}
|
||||
Release: 7%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||
|
@ -63,6 +63,7 @@ make -C sepolgen-%{sepolgenver} LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optfla
|
|||
%install
|
||||
rm -rf %{buildroot}
|
||||
mkdir -p %{buildroot}/etc/rc.d/init.d
|
||||
mkdir -p %{buildroot}/var/lib/selinux
|
||||
mkdir -p %{buildroot}%{_bindir}
|
||||
mkdir -p %{buildroot}%{_sbindir}
|
||||
mkdir -p %{buildroot}/sbin
|
||||
|
@ -111,7 +112,7 @@ Summary: SELinux configuration GUI
|
|||
Group: System Environment/Base
|
||||
Requires: policycoreutils = %{version}-%{release}
|
||||
Requires: gnome-python2, pygtk2, pygtk2-libglade, gnome-python2-canvas
|
||||
Requires: usermode, rhpl
|
||||
Requires: usermode
|
||||
Requires: setools-console
|
||||
Requires: python >= 2.4
|
||||
BuildRequires: desktop-file-utils
|
||||
|
@ -172,6 +173,7 @@ rm -rf %{buildroot}
|
|||
%dir %{_libdir}/python?.?/site-packages/sepolgen
|
||||
%{_libdir}/python?.?/site-packages/sepolgen/*
|
||||
%dir /var/lib/sepolgen
|
||||
%dir /var/lib/selinux
|
||||
/var/lib/sepolgen/perm_map
|
||||
|
||||
%preun
|
||||
|
@ -183,7 +185,6 @@ fi
|
|||
%post
|
||||
/sbin/chkconfig --add restorecond
|
||||
[ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen > /dev/null
|
||||
/usr/bin/sepolgen-ifgen > /dev/null
|
||||
exit 0
|
||||
|
||||
%postun
|
||||
|
@ -192,6 +193,18 @@ if [ "$1" -ge "1" ]; then
|
|||
fi
|
||||
|
||||
%changelog
|
||||
* Mon Jun 16 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-7
|
||||
- Fix sepolgen-ifgen processing
|
||||
|
||||
* Thu Jun 12 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-6
|
||||
- Add deleteall to semanage permissive, cleanup error handling
|
||||
|
||||
* Thu Jun 12 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-5
|
||||
- Complete removal of rhpl requirement
|
||||
|
||||
* Wed Jun 11 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-4
|
||||
- Add semanage permissive *
|
||||
|
||||
* Fri May 16 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-3
|
||||
- Fix fixfiles to cleanup /tmp and /var/tmp
|
||||
|
||||
|
|
Loading…
Reference in New Issue