From 831d6fd46cb259d689a4488ba4247c1daeccda9a Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Thu, 18 Aug 2011 07:23:59 -0400
Subject: [PATCH] Update to upstream 2.1.4 2011-08-17
* run_init: clarification of the usage in the
* semanage: fix usage header around booleans
* semanage: remove useless empty lines
* semanage: update man page with new examples
* semanage: update usage text
* semanage: introduce file context equivalencies
* semanage: enable and disable modules
* semanage: output all local modifications
* semanage: introduce extraction of local configuration
* semanage: cleanup error on invalid operation
* semanage: handle being called with no arguments
* semanage: return sooner to save CPU time
* semanage: surround getopt with try/except
* semanage: use define/raise instead of lots of
* semanage: some options are only valid for
* semanage: introduce better deleteall support
* semanage: do not allow spaces in file
* semanage: distinguish between builtin and local permissive
* semanage: centralized ip node handling
* setfiles: make the restore function exclude() non-static
* setfiles: use glob to handle ~ and
* fixfiles: do not hard code types
* fixfiles: stop trying to be smart about
* fixfiles: use new kernel seclabel option
* fixfiles: pipe everything to cat before sending
* fixfiles: introduce /etc/selinux/fixfiles_exclude_dirs
* semodule: support for alternative root paths
---
 .gitignore | 1 +
 policycoreutils-gui.patch | 158 +--
 policycoreutils-rhat.patch | 2682 ++++++++----------------------------
 policycoreutils.spec | 89 +-
 sources | 2 +-
 5 files changed, 714 insertions(+), 2218 deletions(-)
diff --git a/.gitignore b/.gitignore
index 1eb6044..5fae7f7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -224,3 +224,4 @@ policycoreutils-2.0.83.tgz
 /policycoreutils-2.0.84.tgz
 /policycoreutils-2.0.85.tgz
 /policycoreutils-2.0.86.tgz
+/policycoreutils-2.1.4.tgz
diff --git a/policycoreutils-gui.patch b/policycoreutils-gui.patch
index 06085d7..415d192 100644
--- a/policycoreutils-gui.patch +++ b/policycoreutils-gui.patch @@ -1,6 +1,6 @@ diff -up policycoreutils-2.0.86/gui/booleansPage.py.gui policycoreutils-2.0.86/gui/booleansPage.py ---- policycoreutils-2.0.86/gui/booleansPage.py.gui 2011-04-12 10:52:07.463643555 -0400 -+++ policycoreutils-2.0.86/gui/booleansPage.py 2011-04-12 10:52:07.463643555 -0400 +--- policycoreutils-2.0.86/gui/booleansPage.py.gui 2011-06-13 13:35:38.766854582 -0400 ++++ policycoreutils-2.0.86/gui/booleansPage.py 2011-06-13 13:35:38.766854582 -0400 @@ -0,0 +1,247 @@ +# +# booleansPage.py - GUI for Booleans page in system-config-securitylevel @@ -250,8 +250,8 @@ diff -up policycoreutils-2.0.86/gui/booleansPage.py.gui policycoreutils-2.0.86/g + return True + diff -up policycoreutils-2.0.86/gui/domainsPage.py.gui policycoreutils-2.0.86/gui/domainsPage.py ---- policycoreutils-2.0.86/gui/domainsPage.py.gui 2011-04-12 10:52:07.464643571 -0400 -+++ policycoreutils-2.0.86/gui/domainsPage.py 2011-04-12 10:52:07.464643571 -0400 +--- policycoreutils-2.0.86/gui/domainsPage.py.gui 2011-06-13 13:35:38.767854591 -0400 ++++ policycoreutils-2.0.86/gui/domainsPage.py 2011-06-13 13:35:38.767854591 -0400 @@ -0,0 +1,154 @@ +## domainsPage.py - show selinux domains +## Copyright (C) 2009 Red Hat, Inc. @@ -408,8 +408,8 @@ diff -up policycoreutils-2.0.86/gui/domainsPage.py.gui policycoreutils-2.0.86/gu + except ValueError, e: + self.error(e.args[0]) diff -up policycoreutils-2.0.86/gui/fcontextPage.py.gui policycoreutils-2.0.86/gui/fcontextPage.py ---- policycoreutils-2.0.86/gui/fcontextPage.py.gui 2011-04-12 10:52:07.468643633 -0400 -+++ policycoreutils-2.0.86/gui/fcontextPage.py 2011-04-12 10:52:07.468643633 -0400 +--- policycoreutils-2.0.86/gui/fcontextPage.py.gui 2011-06-13 13:35:38.768854600 -0400 ++++ policycoreutils-2.0.86/gui/fcontextPage.py 2011-06-13 13:35:38.768854600 -0400 @@ -0,0 +1,223 @@ +## fcontextPage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. 
@@ -635,8 +635,8 @@ diff -up policycoreutils-2.0.86/gui/fcontextPage.py.gui policycoreutils-2.0.86/g + self.store.set_value(iter, FTYPE_COL, ftype) + self.store.set_value(iter, TYPE_COL, "%s:%s" % (type, mls)) diff -up policycoreutils-2.0.86/gui/html_util.py.gui policycoreutils-2.0.86/gui/html_util.py ---- policycoreutils-2.0.86/gui/html_util.py.gui 2011-04-12 10:52:07.469643648 -0400 -+++ policycoreutils-2.0.86/gui/html_util.py 2011-04-12 10:52:07.470643663 -0400 +--- policycoreutils-2.0.86/gui/html_util.py.gui 2011-06-13 13:35:38.768854600 -0400 ++++ policycoreutils-2.0.86/gui/html_util.py 2011-06-13 13:35:38.769854608 -0400 @@ -0,0 +1,164 @@ +# Authors: John Dennis +# @@ -803,8 +803,8 @@ diff -up policycoreutils-2.0.86/gui/html_util.py.gui policycoreutils-2.0.86/gui/ + return doc + diff -up policycoreutils-2.0.86/gui/lockdown.glade.gui policycoreutils-2.0.86/gui/lockdown.glade ---- policycoreutils-2.0.86/gui/lockdown.glade.gui 2011-04-12 10:52:07.471643678 -0400 -+++ policycoreutils-2.0.86/gui/lockdown.glade 2011-04-12 10:52:07.477643771 -0400 +--- policycoreutils-2.0.86/gui/lockdown.glade.gui 2011-06-13 13:35:38.770854616 -0400 ++++ policycoreutils-2.0.86/gui/lockdown.glade 2011-06-13 13:35:38.770854616 -0400 @@ -0,0 +1,771 @@ + + @@ -1578,8 +1578,8 @@ diff -up policycoreutils-2.0.86/gui/lockdown.glade.gui policycoreutils-2.0.86/gu + + diff -up policycoreutils-2.0.86/gui/lockdown.gladep.gui policycoreutils-2.0.86/gui/lockdown.gladep ---- policycoreutils-2.0.86/gui/lockdown.gladep.gui 2011-04-12 10:52:07.482643847 -0400 -+++ policycoreutils-2.0.86/gui/lockdown.gladep 2011-04-12 10:52:07.483643863 -0400 +--- policycoreutils-2.0.86/gui/lockdown.gladep.gui 2011-06-13 13:35:38.770854616 -0400 ++++ policycoreutils-2.0.86/gui/lockdown.gladep 2011-06-13 13:35:38.771854624 -0400 @@ -0,0 +1,7 @@ + + 
@@ -1589,8 +1589,8 @@ diff -up policycoreutils-2.0.86/gui/lockdown.gladep.gui policycoreutils-2.0.86/g + + diff -up policycoreutils-2.0.86/gui/lockdown.py.gui policycoreutils-2.0.86/gui/lockdown.py ---- policycoreutils-2.0.86/gui/lockdown.py.gui 2011-04-12 10:52:07.484643879 -0400 -+++ policycoreutils-2.0.86/gui/lockdown.py 2011-04-12 10:52:07.484643879 -0400 +--- policycoreutils-2.0.86/gui/lockdown.py.gui 2011-06-13 13:35:38.773854641 -0400 ++++ policycoreutils-2.0.86/gui/lockdown.py 2011-06-13 13:35:38.773854641 -0400 @@ -0,0 +1,382 @@ +#!/usr/bin/python -Es +# @@ -1975,8 +1975,8 @@ diff -up policycoreutils-2.0.86/gui/lockdown.py.gui policycoreutils-2.0.86/gui/l + app = booleanWindow() + app.stand_alone() diff -up policycoreutils-2.0.86/gui/loginsPage.py.gui policycoreutils-2.0.86/gui/loginsPage.py ---- policycoreutils-2.0.86/gui/loginsPage.py.gui 2011-04-12 10:52:07.485643894 -0400 -+++ policycoreutils-2.0.86/gui/loginsPage.py 2011-04-12 10:52:07.486643909 -0400 +--- policycoreutils-2.0.86/gui/loginsPage.py.gui 2011-06-13 13:35:38.775854659 -0400 ++++ policycoreutils-2.0.86/gui/loginsPage.py 2011-06-13 13:35:38.775854659 -0400 @@ -0,0 +1,185 @@ +## loginsPage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. @@ -2164,8 +2164,8 @@ diff -up policycoreutils-2.0.86/gui/loginsPage.py.gui policycoreutils-2.0.86/gui + self.store.set_value(iter, 2, seobject.translate(serange)) + diff -up policycoreutils-2.0.86/gui/Makefile.gui policycoreutils-2.0.86/gui/Makefile ---- policycoreutils-2.0.86/gui/Makefile.gui 2011-04-12 10:52:07.486643909 -0400 -+++ policycoreutils-2.0.86/gui/Makefile 2011-04-12 10:52:07.487643924 -0400 +--- policycoreutils-2.0.86/gui/Makefile.gui 2011-06-13 13:35:38.776854668 -0400 ++++ policycoreutils-2.0.86/gui/Makefile 2011-06-13 13:35:38.776854668 -0400 @@ -0,0 +1,40 @@ +# Installation directories. +PREFIX ?= ${DESTDIR}/usr 
@@ -2208,8 +2208,8 @@ diff -up policycoreutils-2.0.86/gui/Makefile.gui policycoreutils-2.0.86/gui/Make + +relabel: diff -up policycoreutils-2.0.86/gui/mappingsPage.py.gui policycoreutils-2.0.86/gui/mappingsPage.py ---- policycoreutils-2.0.86/gui/mappingsPage.py.gui 2011-04-12 10:52:07.487643924 -0400 -+++ policycoreutils-2.0.86/gui/mappingsPage.py 2011-04-12 10:52:07.492644000 -0400 +--- policycoreutils-2.0.86/gui/mappingsPage.py.gui 2011-06-13 13:35:38.776854668 -0400 ++++ policycoreutils-2.0.86/gui/mappingsPage.py 2011-06-13 13:35:38.777854677 -0400 @@ -0,0 +1,56 @@ +## mappingsPage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. @@ -2268,8 +2268,8 @@ diff -up policycoreutils-2.0.86/gui/mappingsPage.py.gui policycoreutils-2.0.86/g + print "%-25s %-25s %-25s" % (k, dict[k][0], translate(dict[k][1])) + diff -up policycoreutils-2.0.86/gui/modulesPage.py.gui policycoreutils-2.0.86/gui/modulesPage.py ---- policycoreutils-2.0.86/gui/modulesPage.py.gui 2011-04-12 10:52:07.493644016 -0400 -+++ policycoreutils-2.0.86/gui/modulesPage.py 2011-04-12 10:52:07.493644016 -0400 +--- policycoreutils-2.0.86/gui/modulesPage.py.gui 2011-06-13 13:35:38.778854686 -0400 ++++ policycoreutils-2.0.86/gui/modulesPage.py 2011-06-13 13:35:38.778854686 -0400 @@ -0,0 +1,190 @@ +## modulesPage.py - show selinux mappings +## Copyright (C) 2006-2009 Red Hat, Inc. @@ -2462,8 +2462,8 @@ diff -up policycoreutils-2.0.86/gui/modulesPage.py.gui policycoreutils-2.0.86/gu + except ValueError, e: + self.error(e.args[0]) diff -up policycoreutils-2.0.86/gui/polgen.glade.gui policycoreutils-2.0.86/gui/polgen.glade ---- policycoreutils-2.0.86/gui/polgen.glade.gui 2011-04-12 10:52:07.505644201 -0400 -+++ policycoreutils-2.0.86/gui/polgen.glade 2011-04-12 10:52:07.507644232 -0400 +--- policycoreutils-2.0.86/gui/polgen.glade.gui 2011-06-13 13:35:38.782854720 -0400 ++++ policycoreutils-2.0.86/gui/polgen.glade 2011-06-13 13:35:38.783854728 -0400 @@ -0,0 +1,3432 @@ + + 
@@ -5898,8 +5898,8 @@ diff -up policycoreutils-2.0.86/gui/polgen.glade.gui policycoreutils-2.0.86/gui/ + + diff -up policycoreutils-2.0.86/gui/polgen.gladep.gui policycoreutils-2.0.86/gui/polgen.gladep ---- policycoreutils-2.0.86/gui/polgen.gladep.gui 2011-04-12 10:52:07.508644247 -0400 -+++ policycoreutils-2.0.86/gui/polgen.gladep 2011-04-12 10:52:07.508644247 -0400 +--- policycoreutils-2.0.86/gui/polgen.gladep.gui 2011-06-13 13:35:38.784854736 -0400 ++++ policycoreutils-2.0.86/gui/polgen.gladep 2011-06-13 13:35:38.784854736 -0400 @@ -0,0 +1,7 @@ + + @@ -5909,8 +5909,8 @@ diff -up policycoreutils-2.0.86/gui/polgen.gladep.gui policycoreutils-2.0.86/gui + + diff -up policycoreutils-2.0.86/gui/polgengui.py.gui policycoreutils-2.0.86/gui/polgengui.py ---- policycoreutils-2.0.86/gui/polgengui.py.gui 2011-04-12 10:52:07.513644322 -0400 -+++ policycoreutils-2.0.86/gui/polgengui.py 2011-05-23 17:04:16.377786536 -0400 +--- policycoreutils-2.0.86/gui/polgengui.py.gui 2011-06-13 13:35:38.786854754 -0400 ++++ policycoreutils-2.0.86/gui/polgengui.py 2011-06-13 13:35:38.786854754 -0400 @@ -0,0 +1,750 @@ +#!/usr/bin/python -Es +# @@ -6663,8 +6663,8 @@ diff -up policycoreutils-2.0.86/gui/polgengui.py.gui policycoreutils-2.0.86/gui/ + app = childWindow() + app.stand_alone() diff -up policycoreutils-2.0.86/gui/polgen.py.gui policycoreutils-2.0.86/gui/polgen.py ---- policycoreutils-2.0.86/gui/polgen.py.gui 2011-04-12 10:52:07.516644368 -0400 -+++ policycoreutils-2.0.86/gui/polgen.py 2011-05-23 17:04:04.539689964 -0400 +--- policycoreutils-2.0.86/gui/polgen.py.gui 2011-06-13 13:35:38.789854781 -0400 ++++ policycoreutils-2.0.86/gui/polgen.py 2011-07-26 10:08:47.330188867 -0400 @@ -0,0 +1,1346 @@ +#!/usr/bin/python -Es +# 
@@ -6982,7 +6982,7 @@ diff -up policycoreutils-2.0.86/gui/polgen.py.gui policycoreutils-2.0.86/gui/pol + if name == "": + raise ValueError(_("You must enter a name for your confined process/user")) + if not name.isalnum(): -+ raise ValueError(_("Name must be alpha numberic with no spaces.")) ++ raise ValueError(_("Name must be alpha numberic with no spaces. Consider using option \"-n MODULENAME\"")) + + if type == CGI: + self.name = "httpd_%s_script" % name @@ -7950,7 +7950,7 @@ diff -up policycoreutils-2.0.86/gui/polgen.py.gui policycoreutils-2.0.86/gui/pol + print _(""" +%s + -+sepolgen [ -m ] [ -t type ] [ executable | Name ] ++sepolgen [ -n moduleName ] [ -m ] [ -t type ] [ executable | Name ] +valid Types: +""") % msg + keys=poltype.keys() @@ -7966,7 +7966,7 @@ diff -up policycoreutils-2.0.86/gui/polgen.py.gui policycoreutils-2.0.86/gui/pol + ["type=", + "mount", + "test", -+ "name", ++ "name=", + "help"]) + for o, a in gopts: + if o == "-t" or o == "--type": @@ -8013,8 +8013,8 @@ diff -up policycoreutils-2.0.86/gui/polgen.py.gui policycoreutils-2.0.86/gui/pol + except ValueError, e: + usage(e) diff -up policycoreutils-2.0.86/gui/portsPage.py.gui policycoreutils-2.0.86/gui/portsPage.py ---- policycoreutils-2.0.86/gui/portsPage.py.gui 2011-04-12 10:52:07.518644400 -0400 -+++ policycoreutils-2.0.86/gui/portsPage.py 2011-04-12 10:52:07.521644446 -0400 +--- policycoreutils-2.0.86/gui/portsPage.py.gui 2011-06-13 13:35:38.790854790 -0400 ++++ policycoreutils-2.0.86/gui/portsPage.py 2011-06-13 13:35:38.791854799 -0400 @@ -0,0 +1,259 @@ +## portsPage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. 
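Review bot: The nested getopt change at `@@ -7966,7` turns the long option into `"name=",` so `--name` now takes a value, but the short-option string that would have to read `n:` for `-n` is outside this hunk; unless it already does, the `[ -n moduleName ]` form added to the usage text at `@@ -7950,7` will not consume its argument. The reworded message at `@@ -6982,7` points users at `-n MODULENAME` as the way around the `isalnum()` check on `name`, so the value taken from `-n` should be run through the same `if not name.isalnum(): raise ValueError(...)` check before it is used as a module and file name — that validation is not visible in these hunks and may not exist. Since the translatable string is being rewritten anyway, `alpha numberic` could become `alphanumeric` at no extra cost. The enclosing functions start and end outside all three hunks.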
@@ -8276,8 +8276,8 @@ diff -up policycoreutils-2.0.86/gui/portsPage.py.gui policycoreutils-2.0.86/gui/ + return True + diff -up policycoreutils-2.0.86/gui/selinux.tbl.gui policycoreutils-2.0.86/gui/selinux.tbl ---- policycoreutils-2.0.86/gui/selinux.tbl.gui 2011-04-12 10:52:07.522644461 -0400 -+++ policycoreutils-2.0.86/gui/selinux.tbl 2011-04-12 10:52:07.522644461 -0400 +--- policycoreutils-2.0.86/gui/selinux.tbl.gui 2011-06-13 13:35:38.792854808 -0400 ++++ policycoreutils-2.0.86/gui/selinux.tbl 2011-06-13 13:35:38.793854816 -0400 @@ -0,0 +1,234 @@ +acct_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for acct daemon") +allow_daemons_dump_core _("Admin") _("Allow all daemons to write corefiles to /") @@ -8514,8 +8514,8 @@ diff -up policycoreutils-2.0.86/gui/selinux.tbl.gui policycoreutils-2.0.86/gui/s +webadm_read_user_files _("HTTPD Service") _("Allow SELinux webadm user to read unprivileged users home directories") + diff -up policycoreutils-2.0.86/gui/semanagePage.py.gui policycoreutils-2.0.86/gui/semanagePage.py ---- policycoreutils-2.0.86/gui/semanagePage.py.gui 2011-04-12 10:52:07.523644476 -0400 -+++ policycoreutils-2.0.86/gui/semanagePage.py 2011-04-12 10:52:07.524644491 -0400 +--- policycoreutils-2.0.86/gui/semanagePage.py.gui 2011-06-13 13:35:38.794854824 -0400 ++++ policycoreutils-2.0.86/gui/semanagePage.py 2011-06-13 13:35:38.794854824 -0400 @@ -0,0 +1,168 @@ +## semanagePage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. 
@@ -8686,8 +8686,8 @@ diff -up policycoreutils-2.0.86/gui/semanagePage.py.gui policycoreutils-2.0.86/g + return True + diff -up policycoreutils-2.0.86/gui/statusPage.py.gui policycoreutils-2.0.86/gui/statusPage.py ---- policycoreutils-2.0.86/gui/statusPage.py.gui 2011-04-12 10:52:07.530644584 -0400 -+++ policycoreutils-2.0.86/gui/statusPage.py 2011-04-12 10:52:07.530644584 -0400 +--- policycoreutils-2.0.86/gui/statusPage.py.gui 2011-06-13 13:35:38.795854832 -0400 ++++ policycoreutils-2.0.86/gui/statusPage.py 2011-06-13 13:35:38.795854832 -0400 @@ -0,0 +1,190 @@ +# statusPage.py - show selinux status +## Copyright (C) 2006-2009 Red Hat, Inc. @@ -8880,8 +8880,8 @@ diff -up policycoreutils-2.0.86/gui/statusPage.py.gui policycoreutils-2.0.86/gui + + diff -up policycoreutils-2.0.86/gui/system-config-selinux.glade.gui policycoreutils-2.0.86/gui/system-config-selinux.glade ---- policycoreutils-2.0.86/gui/system-config-selinux.glade.gui 2011-04-12 10:52:07.534644645 -0400 -+++ policycoreutils-2.0.86/gui/system-config-selinux.glade 2011-04-12 10:52:07.539644720 -0400 +--- policycoreutils-2.0.86/gui/system-config-selinux.glade.gui 2011-06-13 13:35:38.799854868 -0400 ++++ policycoreutils-2.0.86/gui/system-config-selinux.glade 2011-06-13 13:35:38.800854877 -0400 @@ -0,0 +1,3024 @@ + + @@ -11908,8 +11908,8 @@ diff -up policycoreutils-2.0.86/gui/system-config-selinux.glade.gui policycoreut + + diff -up policycoreutils-2.0.86/gui/system-config-selinux.gladep.gui policycoreutils-2.0.86/gui/system-config-selinux.gladep ---- policycoreutils-2.0.86/gui/system-config-selinux.gladep.gui 2011-04-12 10:52:07.540644736 -0400 -+++ policycoreutils-2.0.86/gui/system-config-selinux.gladep 2011-04-12 10:52:07.541644752 -0400 +--- policycoreutils-2.0.86/gui/system-config-selinux.gladep.gui 2011-06-13 13:35:38.801854886 -0400 ++++ policycoreutils-2.0.86/gui/system-config-selinux.gladep 2011-06-13 13:35:38.801854886 -0400 @@ -0,0 +1,7 @@ + + 
@@ -11919,8 +11919,8 @@ diff -up policycoreutils-2.0.86/gui/system-config-selinux.gladep.gui policycoreu + + diff -up policycoreutils-2.0.86/gui/system-config-selinux.py.gui policycoreutils-2.0.86/gui/system-config-selinux.py ---- policycoreutils-2.0.86/gui/system-config-selinux.py.gui 2011-04-12 10:52:07.542644768 -0400 -+++ policycoreutils-2.0.86/gui/system-config-selinux.py 2011-04-12 10:52:07.542644768 -0400 +--- policycoreutils-2.0.86/gui/system-config-selinux.py.gui 2011-06-13 13:35:38.802854894 -0400 ++++ policycoreutils-2.0.86/gui/system-config-selinux.py 2011-06-13 13:35:38.802854894 -0400 @@ -0,0 +1,187 @@ +#!/usr/bin/python -Es +# @@ -12110,8 +12110,8 @@ diff -up policycoreutils-2.0.86/gui/system-config-selinux.py.gui policycoreutils + app = childWindow() + app.stand_alone() diff -up policycoreutils-2.0.86/gui/templates/boolean.py.gui policycoreutils-2.0.86/gui/templates/boolean.py ---- policycoreutils-2.0.86/gui/templates/boolean.py.gui 2011-04-12 10:52:07.543644784 -0400 -+++ policycoreutils-2.0.86/gui/templates/boolean.py 2011-05-23 16:59:42.369598714 -0400 +--- policycoreutils-2.0.86/gui/templates/boolean.py.gui 2011-06-13 13:35:38.804854910 -0400 ++++ policycoreutils-2.0.86/gui/templates/boolean.py 2011-06-13 13:35:38.804854910 -0400 @@ -0,0 +1,40 @@ +# Copyright (C) 2007-2011 Red Hat +# see file 'COPYING' for use and warranty information @@ -12154,8 +12154,8 @@ diff -up policycoreutils-2.0.86/gui/templates/boolean.py.gui policycoreutils-2.0 +""" + diff -up policycoreutils-2.0.86/gui/templates/etc_rw.py.gui policycoreutils-2.0.86/gui/templates/etc_rw.py ---- policycoreutils-2.0.86/gui/templates/etc_rw.py.gui 2011-04-12 10:52:07.546644829 -0400 -+++ policycoreutils-2.0.86/gui/templates/etc_rw.py 2011-05-23 16:59:53.369684469 -0400 +--- policycoreutils-2.0.86/gui/templates/etc_rw.py.gui 2011-06-13 13:35:38.805854919 -0400 ++++ policycoreutils-2.0.86/gui/templates/etc_rw.py 2011-06-13 13:35:38.806854928 -0400 
@@ -0,0 +1,112 @@ +# Copyright (C) 2007-2011 Red Hat +# see file 'COPYING' for use and warranty information @@ -12270,8 +12270,8 @@ diff -up policycoreutils-2.0.86/gui/templates/etc_rw.py.gui policycoreutils-2.0. +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0) +""" diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-2.0.86/gui/templates/executable.py ---- policycoreutils-2.0.86/gui/templates/executable.py.gui 2011-04-12 10:52:07.548644859 -0400 -+++ policycoreutils-2.0.86/gui/templates/executable.py 2011-05-23 17:03:10.575251921 -0400 +--- policycoreutils-2.0.86/gui/templates/executable.py.gui 2011-06-13 13:35:38.807854937 -0400 ++++ policycoreutils-2.0.86/gui/templates/executable.py 2011-06-13 13:35:38.807854937 -0400 @@ -0,0 +1,451 @@ +# Copyright (C) 2007-2011 Red Hat +# see file 'COPYING' for use and warranty information @@ -12725,8 +12725,8 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils- +EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_initrc_exec_t,s0) +""" diff -up policycoreutils-2.0.86/gui/templates/__init__.py.gui policycoreutils-2.0.86/gui/templates/__init__.py ---- policycoreutils-2.0.86/gui/templates/__init__.py.gui 2011-04-12 10:52:07.549644874 -0400 -+++ policycoreutils-2.0.86/gui/templates/__init__.py 2011-05-23 17:02:40.424008790 -0400 +--- policycoreutils-2.0.86/gui/templates/__init__.py.gui 2011-06-13 13:35:38.808854946 -0400 ++++ policycoreutils-2.0.86/gui/templates/__init__.py 2011-06-13 13:35:38.808854946 -0400 @@ -0,0 +1,18 @@ +# +# Copyright (C) 2007-2011 Red Hat 
@@ -12747,8 +12747,8 @@ diff -up policycoreutils-2.0.86/gui/templates/__init__.py.gui policycoreutils-2. +# + diff -up policycoreutils-2.0.86/gui/templates/network.py.gui policycoreutils-2.0.86/gui/templates/network.py ---- policycoreutils-2.0.86/gui/templates/network.py.gui 2011-04-12 10:52:07.556644982 -0400 -+++ policycoreutils-2.0.86/gui/templates/network.py 2011-05-23 17:03:09.237241107 -0400 +--- policycoreutils-2.0.86/gui/templates/network.py.gui 2011-06-13 13:35:38.809854955 -0400 ++++ policycoreutils-2.0.86/gui/templates/network.py 2011-06-13 13:35:38.810854964 -0400 @@ -0,0 +1,102 @@ +# Copyright (C) 2007-2011 Red Hat +# see file 'COPYING' for use and warranty information @@ -12853,8 +12853,8 @@ diff -up policycoreutils-2.0.86/gui/templates/network.py.gui policycoreutils-2.0 +""" + diff -up policycoreutils-2.0.86/gui/templates/rw.py.gui policycoreutils-2.0.86/gui/templates/rw.py ---- policycoreutils-2.0.86/gui/templates/rw.py.gui 2011-04-12 10:52:07.557644997 -0400 -+++ policycoreutils-2.0.86/gui/templates/rw.py 2011-05-23 16:59:48.308644991 -0400 +--- policycoreutils-2.0.86/gui/templates/rw.py.gui 2011-06-13 13:35:38.811854972 -0400 ++++ policycoreutils-2.0.86/gui/templates/rw.py 2011-06-13 13:35:38.811854972 -0400 @@ -0,0 +1,129 @@ +# Copyright (C) 2007-2011 Red Hat +# see file 'COPYING' for use and warranty information @@ -12986,8 +12986,8 @@ diff -up policycoreutils-2.0.86/gui/templates/rw.py.gui policycoreutils-2.0.86/g +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_rw_t,s0) +""" diff -up policycoreutils-2.0.86/gui/templates/script.py.gui policycoreutils-2.0.86/gui/templates/script.py ---- policycoreutils-2.0.86/gui/templates/script.py.gui 2011-04-12 10:52:07.558645012 -0400 -+++ policycoreutils-2.0.86/gui/templates/script.py 2011-05-23 17:02:13.796795073 -0400 +--- policycoreutils-2.0.86/gui/templates/script.py.gui 2011-06-13 13:35:38.812854980 -0400 ++++ policycoreutils-2.0.86/gui/templates/script.py 2011-06-13 13:35:38.813854988 -0400 
@@ -0,0 +1,126 @@ +# Copyright (C) 2007-2011 Red Hat +# see file 'COPYING' for use and warranty information @@ -13116,8 +13116,8 @@ diff -up policycoreutils-2.0.86/gui/templates/script.py.gui policycoreutils-2.0. +fi +""" diff -up policycoreutils-2.0.86/gui/templates/semodule.py.gui policycoreutils-2.0.86/gui/templates/semodule.py ---- policycoreutils-2.0.86/gui/templates/semodule.py.gui 2011-04-12 10:52:07.560645042 -0400 -+++ policycoreutils-2.0.86/gui/templates/semodule.py 2011-05-23 17:02:07.466744404 -0400 +--- policycoreutils-2.0.86/gui/templates/semodule.py.gui 2011-06-13 13:35:38.814854997 -0400 ++++ policycoreutils-2.0.86/gui/templates/semodule.py 2011-06-13 13:35:38.814854997 -0400 @@ -0,0 +1,41 @@ +# Copyright (C) 2007-2011 Red Hat +# see file 'COPYING' for use and warranty information @@ -13161,8 +13161,8 @@ diff -up policycoreutils-2.0.86/gui/templates/semodule.py.gui policycoreutils-2. +""" + diff -up policycoreutils-2.0.86/gui/templates/tmp.py.gui policycoreutils-2.0.86/gui/templates/tmp.py ---- policycoreutils-2.0.86/gui/templates/tmp.py.gui 2011-04-12 10:52:07.561645058 -0400 -+++ policycoreutils-2.0.86/gui/templates/tmp.py 2011-05-23 17:01:55.736650663 -0400 +--- policycoreutils-2.0.86/gui/templates/tmp.py.gui 2011-06-13 13:35:38.815855006 -0400 ++++ policycoreutils-2.0.86/gui/templates/tmp.py 2011-06-13 13:35:38.815855006 -0400 @@ -0,0 +1,102 @@ +# Copyright (C) 2007-2011 Red Hat +# see file 'COPYING' for use and warranty information 
@@ -13267,8 +13267,8 @@ diff -up policycoreutils-2.0.86/gui/templates/tmp.py.gui policycoreutils-2.0.86/ + admin_pattern($1, TEMPLATETYPE_tmp_t) +""" diff -up policycoreutils-2.0.86/gui/templates/user.py.gui policycoreutils-2.0.86/gui/templates/user.py ---- policycoreutils-2.0.86/gui/templates/user.py.gui 2011-04-12 10:52:07.562645074 -0400 -+++ policycoreutils-2.0.86/gui/templates/user.py 2011-05-23 17:01:46.816579501 -0400 +--- policycoreutils-2.0.86/gui/templates/user.py.gui 2011-06-13 13:35:38.816855015 -0400 ++++ policycoreutils-2.0.86/gui/templates/user.py 2011-06-13 13:35:38.817855024 -0400 @@ -0,0 +1,204 @@ +# Copyright (C) 2007-2011 Red Hat +# see file 'COPYING' for use and warranty information @@ -13475,8 +13475,8 @@ diff -up policycoreutils-2.0.86/gui/templates/user.py.gui policycoreutils-2.0.86 +seutil_run_newrole(TEMPLATETYPE_t, TEMPLATETYPE_r) +""" diff -up policycoreutils-2.0.86/gui/templates/var_cache.py.gui policycoreutils-2.0.86/gui/templates/var_cache.py ---- policycoreutils-2.0.86/gui/templates/var_cache.py.gui 2011-04-12 10:52:07.566645136 -0400 -+++ policycoreutils-2.0.86/gui/templates/var_cache.py 2011-05-23 17:01:38.793515591 -0400 +--- policycoreutils-2.0.86/gui/templates/var_cache.py.gui 2011-06-13 13:35:38.818855033 -0400 ++++ policycoreutils-2.0.86/gui/templates/var_cache.py 2011-06-13 13:35:38.818855033 -0400 @@ -0,0 +1,132 @@ +# Copyright (C) 2007-2011 Red Hat +# see file 'COPYING' for use and warranty information 
@@ -13611,8 +13611,8 @@ diff -up policycoreutils-2.0.86/gui/templates/var_cache.py.gui policycoreutils-2 +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_cache_t,s0) +""" diff -up policycoreutils-2.0.86/gui/templates/var_lib.py.gui policycoreutils-2.0.86/gui/templates/var_lib.py ---- policycoreutils-2.0.86/gui/templates/var_lib.py.gui 2011-04-12 10:52:07.567645151 -0400 -+++ policycoreutils-2.0.86/gui/templates/var_lib.py 2011-05-23 17:01:31.516457701 -0400 +--- policycoreutils-2.0.86/gui/templates/var_lib.py.gui 2011-06-13 13:35:38.819855042 -0400 ++++ policycoreutils-2.0.86/gui/templates/var_lib.py 2011-06-13 13:35:38.819855042 -0400 @@ -0,0 +1,160 @@ +# Copyright (C) 2007-2011 Red Hat +# see file 'COPYING' for use and warranty information @@ -13775,8 +13775,8 @@ diff -up policycoreutils-2.0.86/gui/templates/var_lib.py.gui policycoreutils-2.0 +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0) +""" diff -up policycoreutils-2.0.86/gui/templates/var_log.py.gui policycoreutils-2.0.86/gui/templates/var_log.py ---- policycoreutils-2.0.86/gui/templates/var_log.py.gui 2011-04-12 10:52:07.568645166 -0400 -+++ policycoreutils-2.0.86/gui/templates/var_log.py 2011-05-23 17:01:22.948389639 -0400 +--- policycoreutils-2.0.86/gui/templates/var_log.py.gui 2011-06-13 13:35:38.821855059 -0400 ++++ policycoreutils-2.0.86/gui/templates/var_log.py 2011-06-13 13:35:38.821855059 -0400 @@ -0,0 +1,114 @@ +# Copyright (C) 2007-2011 Red Hat +# see file 'COPYING' for use and warranty information 
@@ -13893,8 +13893,8 @@ diff -up policycoreutils-2.0.86/gui/templates/var_log.py.gui policycoreutils-2.0 +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_log_t,s0) +""" diff -up policycoreutils-2.0.86/gui/templates/var_run.py.gui policycoreutils-2.0.86/gui/templates/var_run.py ---- policycoreutils-2.0.86/gui/templates/var_run.py.gui 2011-04-12 10:52:07.569645181 -0400 -+++ policycoreutils-2.0.86/gui/templates/var_run.py 2011-05-23 17:01:11.639299961 -0400 +--- policycoreutils-2.0.86/gui/templates/var_run.py.gui 2011-06-13 13:35:38.822855067 -0400 ++++ policycoreutils-2.0.86/gui/templates/var_run.py 2011-06-13 13:35:38.822855067 -0400 @@ -0,0 +1,101 @@ +# Copyright (C) 2007-2011 Red Hat +# see file 'COPYING' for use and warranty information @@ -13998,8 +13998,8 @@ diff -up policycoreutils-2.0.86/gui/templates/var_run.py.gui policycoreutils-2.0 +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0) +""" diff -up policycoreutils-2.0.86/gui/templates/var_spool.py.gui policycoreutils-2.0.86/gui/templates/var_spool.py ---- policycoreutils-2.0.86/gui/templates/var_spool.py.gui 2011-04-12 10:52:07.573645242 -0400 -+++ policycoreutils-2.0.86/gui/templates/var_spool.py 2011-05-25 16:09:23.350352658 -0400 +--- policycoreutils-2.0.86/gui/templates/var_spool.py.gui 2011-06-13 13:35:38.823855075 -0400 ++++ policycoreutils-2.0.86/gui/templates/var_spool.py 2011-06-13 13:35:38.824855083 -0400 @@ -0,0 +1,131 @@ +# Copyright (C) 2007-2011 Red Hat +# see file 'COPYING' for use and warranty information 
@@ -14133,8 +14133,8 @@ diff -up policycoreutils-2.0.86/gui/templates/var_spool.py.gui policycoreutils-2
 +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_spool_t,s0)
 +"""
 diff -up policycoreutils-2.0.86/gui/usersPage.py.gui policycoreutils-2.0.86/gui/usersPage.py
---- policycoreutils-2.0.86/gui/usersPage.py.gui 2011-04-12 10:52:07.578645320 -0400
-+++ policycoreutils-2.0.86/gui/usersPage.py 2011-04-12 10:52:07.578645320 -0400
+--- policycoreutils-2.0.86/gui/usersPage.py.gui 2011-06-13 13:35:38.825855092 -0400
++++ policycoreutils-2.0.86/gui/usersPage.py 2011-06-13 13:35:38.825855092 -0400
 @@ -0,0 +1,150 @@
 +## usersPage.py - show selinux mappings
 +## Copyright (C) 2006,2007,2008 Red Hat, Inc.
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 0cbf513..b73beec 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1,10 +1,10 @@
 diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
-index 86ed03f..67d0ee8 100644
+index 86ed03f..3e95698 100644
 --- a/policycoreutils/Makefile
 +++ b/policycoreutils/Makefile
 @@ -1,4 +1,4 @@
 -SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
-+SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po gui
++SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po
 INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
@@ -87,26 +87,10 @@ index 5435e9d..c60490b 100644
 if __name__ == "__main__":
 app = AuditToPolicy()
 diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
-index 6178cc8..b6f386d 100644
+index fd9eb88..a854a45 100644
 --- a/policycoreutils/audit2allow/audit2allow.1
 +++ b/policycoreutils/audit2allow/audit2allow.1
-@@ -1,5 +1,6 @@
- .\" Hey, Emacs! This is an -*- nroff -*- source file.
- .\" Copyright (c) 2005 Manoj Srivastava
-+.\" Copyright (c) 2010 Dan Walsh
- .\"
- .\" This is free documentation; you can redistribute it and/or
- .\" modify it under the terms of the GNU General Public License as
-@@ -22,7 +23,7 @@
- .\" USA.
- .\"
- .\"
--.TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA
-+.TH AUDIT2ALLOW "1" "October 2010" "Security Enhanced Linux" NSA
- .SH NAME
- .BR audit2allow
- \- generate SELinux policy allow/dontaudit rules from logs of denied operations
-@@ -66,6 +67,9 @@ Generate module/require output
+@@ -67,6 +67,9 @@ Generate module/require output
 .B "\-M "
 Generate loadable module package, conflicts with -o
 .TP
@@ -116,91 +100,10 @@ index 6178cc8..b6f386d 100644 .B "\-o " | "\-\-output " append output to .I -@@ -117,14 +121,6 @@ an 'allow' rule. - .B Please substitute /var/log/messages for /var/log/audit/audit.log in the - .B examples. - .PP --.B Using audit2allow to generate monolithic (non-module) policy --$ cd /etc/selinux/$SELINUXTYPE/src/policy --$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te --$ cat domains/misc/local.te --allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; -- --$ make load -- - .B Using audit2allow to generate module policy - - $ cat /var/log/audit/audit.log | audit2allow -m local > local.te -@@ -132,20 +128,38 @@ $ cat local.te - module local 1.0; - - require { -- role system_r; -+ class file { getattr open read }; - - -- class fifo_file { getattr ioctl }; -+ type myapp_t; -+ type etc_t; -+ }; - - -- type cupsd_config_t; -- type unconfined_t; -- }; -+allow myapp_t etc_t:file { getattr open read }; -+ - -+.B Using audit2allow to generate module policy using reference policy - --allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; -+$ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te -+$ cat local.te -+policy_module(local, 1.0) -+ -+gen_require(` -+ type myapp_t; -+ type etc_t; -+ }; -+ -+files_read_etc_files(myapp_t) - - -+.B Building module policy using Makefile -+ -+# SELinux provides a policy devel environment under /usr/share/selinux/devel -+# You can create a te file and compile it by executing -+$ make -f /usr/share/selinux/devel/Makefile -+$ semodule -i local.pp -+ - .B Building module policy manually - - # Compile the module -@@ -168,6 +182,14 @@ you are required to execute - - semodule -i local.pp - -+.B Using audit2allow to generate monolithic (non-module) policy -+$ cd /etc/selinux/$SELINUXTYPE/src/policy -+$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te -+$ cat domains/misc/local.te -+allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; -+ -+$ 
make load -+ - .fi - .PP - .SH AUTHOR diff --git a/policycoreutils/audit2allow/sepolgen-ifgen b/policycoreutils/audit2allow/sepolgen-ifgen -index 03f95a1..dad2009 100644 +index 0acbf7e..ef4bec3 100644 --- a/policycoreutils/audit2allow/sepolgen-ifgen +++ b/policycoreutils/audit2allow/sepolgen-ifgen -@@ -1,4 +1,4 @@ --#! /usr/bin/python -E -+#! /usr/bin/python -Es - # - # Authors: Karl MacMillan - # @@ -28,6 +28,10 @@ import sys @@ -289,7 +192,7 @@ index 03f95a1..dad2009 100644 + attrs = get_attrs(options.policy_path) + if attrs is None: + return 1 -+ ++ + # Parse the headers try: headers = refparser.parse_headers(options.headers, output=log, debug=options.debug) @@ -304,35 +207,24 @@ index 03f95a1..dad2009 100644 f.close() diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c -index 2d31d64..e985289 100644 +index 99d0ed7..3f08d37 100644 --- a/policycoreutils/newrole/newrole.c +++ b/policycoreutils/newrole/newrole.c -@@ -586,7 +586,7 @@ static int drop_capabilities(int full) - return -1; - } - if (! full) -- capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE); -+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE | CAP_SETPCAP ); - return capng_apply(CAPNG_SELECT_BOTH); - } - -@@ -1030,8 +1030,13 @@ int main(int argc, char *argv[]) +@@ -1030,10 +1030,11 @@ int main(int argc, char *argv[]) * if it makes sense to continue to run newrole, and setting up * a scrubbed environment. */ -- if (drop_capabilities(FALSE)) -+ +- if (drop_capabilities(FALSE)) { +/* if (drop_capabilities(FALSE)) { -+ fprintf(stderr, _("Sorry, newrole failed to drop capabilities\n")); -+ perror(""); + perror(_("Sorry, newrole failed to drop capabilities\n")); return -1; -+ } + } +*/ if (set_signal_handles()) return -1; 
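Review bot: The `drop_capabilities(FALSE)` check in newrole's main() is disabled by wrapping it in a `/* ... */` block with no explanation of why, nor of when it can be restored, and nothing in the commit message mentions it; given that the surrounding code is explicitly about dropping capabilities, a future maintainer needs that reasoning next to the code. At minimum replace the bare comment opener with something like `/* XXX: drop_capabilities(FALSE) disabled — <reason or bug-id placeholder>; re-enable once resolved */`, and prefer `#if 0 ... #endif` over `/* */` so the disabled block stays greppable and does not collide with the comments it now encloses. The fprintf/perror lines removed earlier in this patch are history and are not re-raised here. main() continues outside the hunk.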
diff --git a/policycoreutils/restorecond/Makefile b/policycoreutils/restorecond/Makefile -index 3f235e6..7552668 100644 +index 3f235e6..03a4544 100644 --- a/policycoreutils/restorecond/Makefile +++ b/policycoreutils/restorecond/Makefile @@ -1,17 +1,28 @@ @@ -348,7 +240,7 @@ index 3f235e6..7552668 100644 INITDIR = $(DESTDIR)/etc/rc.d/init.d SELINUXDIR = $(DESTDIR)/etc/selinux -+DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include ++DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include +DBUSLIB = -ldbus-glib-1 -ldbus-1 + CFLAGS ?= -g -Werror -Wall -W @@ -361,7 +253,7 @@ index 3f235e6..7552668 100644 all: restorecond -restorecond: restorecond.o utmpwatcher.o stringslist.o -+restorecond.o utmpwatcher.o stringslist.o user.o watch.o: restorecond.h ++restorecond.o utmpwatcher.o stringslist.o user.o watch.o: restorecond.h + +restorecond: ../setfiles/restore.o restorecond.o utmpwatcher.o stringslist.o user.o watch.o $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) @@ -391,7 +283,7 @@ index 0000000..0ef5f0b +Name=org.selinux.Restorecond +Exec=/usr/sbin/restorecond -u diff --git a/policycoreutils/restorecond/restorecond.8 b/policycoreutils/restorecond/restorecond.8 -index b149dcb..0c14c94 100644 +index b149dcb..4622d2b 100644 --- a/policycoreutils/restorecond/restorecond.8 +++ b/policycoreutils/restorecond/restorecond.8 @@ -3,7 +3,7 @@ @@ -407,13 +299,13 @@ index b149dcb..0c14c94 100644 .B \-d Turns on debugging mode. Application will stay in the foreground and lots of debugs messages start printing. -+.TP ++.TP +.B \-f restorecond_file +Use alternative restorecond.conf file. -+.TP ++.TP +.B \-u +Turns on user mode. Runs restorecond in the user session and reads /etc/selinux/restorecond_user.conf. Uses dbus to make sure only one restorecond is running per user session. -+.TP ++.TP +.B \-v +Turns on verbose debugging. (Report missing files) 
@@ -429,7 +321,7 @@ index b149dcb..0c14c94 100644 .SH "SEE ALSO" .BR restorecon (8), diff --git a/policycoreutils/restorecond/restorecond.c b/policycoreutils/restorecond/restorecond.c -index 58774e6..a588e5e 100644 +index 4952632..89f5d97 100644 --- a/policycoreutils/restorecond/restorecond.c +++ b/policycoreutils/restorecond/restorecond.c @@ -30,9 +30,11 @@ @@ -440,12 +332,12 @@ index 58774e6..a588e5e 100644 + * restorecond [-d] [-u] [-v] [-f restorecond_file ] * * -d Run in debug mode -+ * -f Use alternative restorecond_file ++ * -f Use alternative restorecond_file + * -u Run in user mode * -v Run in verbose mode (Report missing files) * * EXAMPLE USAGE: -@@ -48,294 +50,38 @@ +@@ -48,297 +50,38 @@ #include #include #include @@ -478,7 +370,7 @@ index 58774e6..a588e5e 100644 -#define EVENT_SIZE (sizeof (struct inotify_event)) -/* reasonable guess as to size of 1024 events */ -#define BUF_LEN (1024 * (EVENT_SIZE + 16)) -- + -static int debug_mode = 0; -static int verbose_mode = 0; - @@ -505,7 +397,11 @@ index 58774e6..a588e5e 100644 - return 0; - return (strcmp(rest_a, rest_b) == 0); -} -- ++static char *server_watch_file = "/etc/selinux/restorecond.conf"; ++static char *user_watch_file = "/etc/selinux/restorecond_user.conf"; ++static char *watch_file; ++static struct restore_opts r_opts; + -/* - A file was in a direcroty has been created. This function checks to - see if it is one that we are watching. @@ -667,7 +563,7 @@ index 58774e6..a588e5e 100644 - } - free(line_buf); -} - +- -/* - Read config file ignoring Comment lines - Files specified one per line. Files with "~" will be expanded to the logged in users 
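Review bot: The relocated statics `server_watch_file` and `user_watch_file` point at string literals but are declared `char *`, so the compiler cannot reject an accidental write through them; `static const char *server_watch_file = "/etc/selinux/restorecond.conf";` (and likewise for `user_watch_file` and the `watch_file` pointer that takes their value) is the safer declaration. This assumes the consumers take `const char *`, which holds for `watch()` in watch.c later in this patch; `read_config`/`server` signatures are not visible here. The same four lines are removed from their old position in the next hunk, so this is a move rather than new state.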
@@ -722,26 +618,25 @@ index 58774e6..a588e5e 100644 - printf("wd=%d mask=%u cookie=%u len=%u\n", - event->wd, event->mask, - event->cookie, event->len); -- if (event->wd == master_wd) -- read_config(fd); -- else { -- switch (utmpwatcher_handle(fd, event->wd)) { -- case -1: /* Message was not for utmpwatcher */ -- if (event->len) -- watch_list_find(event->wd, event->name); -- break; -+static char *server_watch_file = "/etc/selinux/restorecond.conf"; -+static char *user_watch_file = "/etc/selinux/restorecond_user.conf"; -+static char *watch_file; -+static struct restore_opts r_opts; - -- case 1: /* utmp has changed need to reload */ +- +- if (event->mask & ~IN_IGNORED) { +- if (event->wd == master_wd) - read_config(fd); -- break; +- else { +- switch (utmpwatcher_handle(fd, event->wd)) { +- case -1: /* Message was not for utmpwatcher */ +- if (event->len) +- watch_list_find(event->wd, event->name); +- break; +- +- case 1: /* utmp has changed need to reload */ +- read_config(fd); +- break; +#include -- default: /* No users logged in or out */ -- break; +- default: /* No users logged in or out */ +- break; +- } - } - } +int debug_mode = 0; @@ -760,7 +655,7 @@ index 58774e6..a588e5e 100644 } static const char *pidfile = "/var/run/restorecond.pid"; -@@ -374,7 +120,7 @@ static void term_handler() +@@ -377,7 +120,7 @@ static void term_handler() static void usage(char *program) { @@ -769,7 +664,7 @@ index 58774e6..a588e5e 100644 exit(0); } -@@ -390,74 +136,35 @@ void exitApp(const char *msg) +@@ -393,74 +136,35 @@ void exitApp(const char *msg) to see if it is one that we are watching. */ @@ -868,7 +763,7 @@ index 58774e6..a588e5e 100644 /* Register sighandlers */ sa.sa_flags = 0; -@@ -467,36 +174,59 @@ int main(int argc, char **argv) +@@ -470,36 +174,59 @@ int main(int argc, char **argv) set_matchpathcon_flags(MATCHPATHCON_NOTRANS); 
@@ -906,14 +801,14 @@ index 58774e6..a588e5e 100644 + + uid_t uid = getuid(); + struct passwd *pwd = getpwuid(uid); -+ if (!pwd) ++ if (!pwd) + exitApp("getpwuid"); + + homedir = pwd->pw_dir; + if (uid != 0) { + if (run_as_user) + return server(master_fd, user_watch_file); -+ if (start() != 0) ++ if (start() != 0) + return server(master_fd, user_watch_file); + return 0; + } @@ -1040,32 +935,32 @@ index 0000000..e0c2871 +~/.config/* diff --git a/policycoreutils/restorecond/user.c b/policycoreutils/restorecond/user.c new file mode 100644 -index 0000000..8cf2f20 +index 0000000..ade3fb8 --- /dev/null +++ b/policycoreutils/restorecond/user.c -@@ -0,0 +1,242 @@ +@@ -0,0 +1,246 @@ +/* + * restorecond + * -+ * Copyright (C) 2006-2009 Red Hat ++ * Copyright (C) 2006-2009 Red Hat + * see file 'COPYING' for use and warranty information + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of + * the License, or (at your option) any later version. -+ * ++ * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. -+.* ++.* + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA ++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA + * 02111-1307 USA + * -+ * Authors: ++ * Authors: + * Dan Walsh + * +*/ 
@@ -1108,9 +1003,9 @@ index 0000000..8cf2f20 + GMainLoop *loop = user_data; + + /* A signal from the bus saying we are about to be disconnected */ -+ if (dbus_message_is_signal ++ if (dbus_message_is_signal + (message, INTERFACE, "Stop")) { -+ ++ + /* Tell the main loop to quit */ + g_main_loop_quit (loop); + /* We have handled this message, don't pass it on */ @@ -1133,12 +1028,12 @@ index 0000000..8cf2f20 + bus = dbus_bus_get (DBUS_BUS_SESSION, &error); + if (bus) { + dbus_connection_setup_with_g_main (bus, NULL); -+ ++ + /* listening to messages from all objects as no path is specified */ + dbus_bus_add_match (bus, RULE, &error); // see signals from the given interfacey + dbus_connection_add_filter (bus, signal_filter, loop, NULL); + return 0; -+ } ++ } + return -1; +} + @@ -1178,7 +1073,7 @@ index 0000000..8cf2f20 + event->cookie, event->len); + if (event->len) + watch_list_find(event->wd, event->name); -+ ++ + i += EVENT_SIZE + event->len; + } + } @@ -1209,7 +1104,7 @@ index 0000000..8cf2f20 + DBusConnection *bus; + DBusError error; + DBusMessage *message; -+ ++ + /* Get a connection to the session bus */ + dbus_error_init (&error); + bus = dbus_bus_get (DBUS_BUS_SESSION, &error); @@ -1219,7 +1114,7 @@ index 0000000..8cf2f20 + dbus_error_free (&error); + return 1; + } -+ ++ + + /* Create a new signal "Start" on the interface, + * from the object */ @@ -1236,11 +1131,15 @@ index 0000000..8cf2f20 +static int local_server() { + // ! dbus, run as local service + char *ptr=NULL; -+ asprintf(&ptr, "%s/.restorecond", homedir); ++ if (asprintf(&ptr, "%s/.restorecond", homedir) < 0) { ++ if (debug_mode) ++ perror("asprintf"); ++ return -1; ++ } + int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW, S_IRUSR | S_IWUSR); + if (debug_mode) + g_warning ("Lock file: %s", ptr); -+ ++ + free(ptr); + if (fd < 0) { + if (debug_mode) 
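Review bot: `local_server()` is declared with an empty parameter list but is called as `local_server(loop)` from server() in the next hunk of this file; in C an empty `()` is an unprototyped declaration, so the mismatch compiles silently and the argument is ignored. Declare it `static int local_server(void)` and drop the argument at the call site, or give it a `GMainLoop *` parameter if it is meant to use the loop. Separately, the new asprintf failure path reports only under `debug_mode` and returns -1, while the equivalent failure in watch.c's read_config calls `exitApp("Error allocating memory.")`; either is defensible but the two should agree so allocation failures are not silent in one daemon mode and fatal in the other. local_server's body continues past the hunk.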
@@ -1259,26 +1158,26 @@ index 0000000..8cf2f20 + GMainLoop *loop; + + loop = g_main_loop_new (NULL, FALSE); -+ ++ +#ifdef HAVE_DBUS -+ if (dbus_server(loop) != 0) ++ if (dbus_server(loop) != 0) +#endif /* HAVE_DBUS */ -+ if (local_server(loop)) ++ if (local_server(loop)) + goto end; + + read_config(master_fd, watch_file); -+ ++ + if (watch_list_isempty()) goto end; + + set_matchpathcon_flags(MATCHPATHCON_NOTRANS); -+ ++ + GIOChannel *c = g_io_channel_unix_new(master_fd); -+ ++ + g_io_add_watch_full( c, + G_PRIORITY_HIGH, + G_IO_IN|G_IO_ERR|G_IO_HUP, + io_channel_callback, NULL, NULL); -+ ++ + g_main_loop_run (loop); + +end: @@ -1286,26 +1185,12 @@ index 0000000..8cf2f20 + return 0; +} + -diff --git a/policycoreutils/restorecond/utmpwatcher.c b/policycoreutils/restorecond/utmpwatcher.c -index f182c22..feddb5a 100644 ---- a/policycoreutils/restorecond/utmpwatcher.c -+++ b/policycoreutils/restorecond/utmpwatcher.c -@@ -72,8 +72,8 @@ unsigned int utmpwatcher_handle(int inotify_fd, int wd) - if (utmp_wd == -1) - exitApp("Error watching utmp file."); - -+ changed = strings_list_diff(prev_utmp_ptr, utmp_ptr); - if (prev_utmp_ptr) { -- changed = strings_list_diff(prev_utmp_ptr, utmp_ptr); - strings_list_free(prev_utmp_ptr); - } - return changed; diff --git a/policycoreutils/restorecond/watch.c b/policycoreutils/restorecond/watch.c new file mode 100644 -index 0000000..20a861f +index 0000000..6a833c3 --- /dev/null +++ b/policycoreutils/restorecond/watch.c -@@ -0,0 +1,270 @@ +@@ -0,0 +1,272 @@ +#define _GNU_SOURCE +#include +#include @@ -1361,7 +1246,7 @@ index 0000000..20a861f + if (exclude(path)) goto end; + + globbuf.gl_offs = 1; -+ if (glob(path, ++ if (glob(path, + GLOB_TILDE | GLOB_PERIOD, + NULL, + &globbuf) >= 0) { 
@@ -1390,7 +1275,7 @@ index 0000000..20a861f + ptr->wd = inotify_add_watch(fd, dir, IN_CREATE | IN_MOVED_TO); + if (ptr->wd == -1) { + free(ptr); -+ if (! run_as_user) ++ if (! run_as_user) + syslog(LOG_ERR, "Unable to watch (%s) %s\n", + path, strerror(errno)); + goto end; @@ -1414,8 +1299,8 @@ index 0000000..20a861f + return; +} + -+/* -+ A file was in a direcroty has been created. This function checks to ++/* ++ A file was in a direcroty has been created. This function checks to + see if it is one that we are watching. +*/ + @@ -1433,7 +1318,7 @@ index 0000000..20a861f + if (asprintf(&path, "%s/%s", ptr->dir, file) < + 0) + exitApp("Error allocating memory."); -+ ++ + process_one_realpath(path, 0); + free(path); + return 0; @@ -1467,8 +1352,8 @@ index 0000000..20a861f + firstDir = NULL; +} + -+/* -+ Inotify watch loop ++/* ++ Inotify watch loop +*/ +int watch(int fd, const char *watch_file) +{ @@ -1505,7 +1390,7 @@ index 0000000..20a861f + case 1: /* utmp has changed need to reload */ + read_config(fd, watch_file); + break; -+ ++ + default: /* No users logged in or out */ + break; + } @@ -1534,7 +1419,9 @@ index 0000000..20a861f + if (buffer[0] == '~') { + if (run_as_user) { + char *ptr=NULL; -+ asprintf(&ptr, "%s%s", homedir, &buffer[1]); ++ if (asprintf(&ptr, "%s%s", homedir, &buffer[1]) < 0) ++ exitApp("Error allocating memory."); ++ + watch_list_add(fd, ptr); + free(ptr); + } else { @@ -1547,8 +1434,8 @@ index 0000000..20a861f + free(line_buf); +} + -+/* -+ Read config file ignoring Comment lines ++/* ++ Read config file ignoring Comment lines + Files specified one per line. Files with "~" will be expanded to the logged in users + homedirs. +*/ 
@@ -1576,33 +1463,6 @@ index 0000000..20a861f + if (master_wd == -1) + exitApp("Error watching config file."); +} -diff --git a/policycoreutils/run_init/open_init_pty.8 b/policycoreutils/run_init/open_init_pty.8 -index 540860a..10175dd 100644 ---- a/policycoreutils/run_init/open_init_pty.8 -+++ b/policycoreutils/run_init/open_init_pty.8 -@@ -24,18 +24,18 @@ - .\" - .TH OPEN_INIT_PTY "8" "January 2005" "Security Enhanced Linux" NSA - .SH NAME --open_init_pty \- run an program under a psuedo terminal -+open_init_pty \- run an program under a pseudo terminal - .SH SYNOPSIS - .B open_init_pty - \fISCRIPT\fR [[\fIARGS\fR]...] - .br - .SH DESCRIPTION - .PP --Run a program under a psuedo terminal. This is used by -+Run a program under a pseudo terminal. This is used by - .B run_init - to run actually run the program after setting up the proper --context. This program acquires a new Psuedo terminal, forks a child --process that binds to the psueado terminal, and then sits around and -+context. This program acquires a new Pseudo terminal, forks a child -+process that binds to the pseudo terminal, and then sits around and - connects the physical terminal it was invoked upon with the pseudo - terminal, passing keyboard input into to the child process, and passing the - output of the child process to the physical terminal. diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c index 9db766c..068e24c 100644 --- a/policycoreutils/run_init/run_init.c @@ -1626,7 +1486,7 @@ index 9db766c..068e24c 100644 } /* main() */ diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile -index ff0ee7c..0c8a085 100644 +index ff0ee7c..924999d 100644 --- a/policycoreutils/sandbox/Makefile +++ b/policycoreutils/sandbox/Makefile @@ -7,10 +7,10 @@ SBINDIR ?= $(PREFIX)/sbin 
@@ -1636,7 +1496,7 @@ index ff0ee7c..0c8a085 100644 -override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -LDLIBS += -lselinux -lcap-ng +override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -+LDLIBS += -lcgroup -lselinux -lcap-ng ++LDLIBS += -lcgroup -lselinux -lcap-ng -all: sandbox seunshare sandboxX.sh +all: sandbox seunshare sandboxX.sh start @@ -1649,7 +1509,7 @@ index ff0ee7c..0c8a085 100644 install -m 644 sandbox.8 $(MANDIR)/man8/ + install -m 644 seunshare.8 $(MANDIR)/man8/ + -mkdir -p $(MANDIR)/man5 -+ install -m 644 sandbox.conf.5 $(MANDIR)/man5/ ++ install -m 644 sandbox.conf.5 $(MANDIR)/man5/sandbox.5 -mkdir -p $(SBINDIR) install -m 4755 seunshare $(SBINDIR)/ -mkdir -p $(SHAREDIR) @@ -1664,12 +1524,11 @@ index ff0ee7c..0c8a085 100644 test: @python test_sandbox.py -v diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox -index 48a26c2..4d17385 100644 +index 0b89e9a..481034c 100644 --- a/policycoreutils/sandbox/sandbox +++ b/policycoreutils/sandbox/sandbox @@ -1,5 +1,6 @@ --#! /usr/bin/python -E -+#! /usr/bin/python -Es + #! /usr/bin/python -Es # Authors: Dan Walsh +# Authors: Thomas Liu # Authors: Josh Cogliati @@ -1685,7 +1544,7 @@ index 48a26c2..4d17385 100644 import signal from tempfile import mkdtemp import pwd -+import commands ++import commands +import setools PROGNAME = "policycoreutils" @@ -1746,7 +1605,7 @@ index 48a26c2..4d17385 100644 raise ValueError(_(""" -/usr/sbin/seunshare is required for the action you want to perform. -""")) -+%s is required for the action you want to perform. ++%s is required for the action you want to perform. +""") % SEUNSHARE) def __mount_callback(self, option, opt, value, parser): 
@@ -1757,12 +1616,12 @@ index 48a26c2..4d17385 100644 setattr(parser.values, option.dest, True) + if not os.path.exists(SEUNSHARE): + raise ValueError(_(""" -+%s is required for the action you want to perform. ++%s is required for the action you want to perform. +""") % SEUNSHARE) + + if not os.path.exists(SANDBOXSH): + raise ValueError(_(""" -+%s is required for the action you want to perform. ++%s is required for the action you want to perform. +""") % SANDBOXSH) def __validdir(self, option, opt, value, parser): @@ -1794,18 +1653,14 @@ index 48a26c2..4d17385 100644 kill -TERM $WM_PID 2> /dev/null """ % (command, wm, command)) fd.close() -@@ -226,14 +244,25 @@ kill -TERM $WM_PID 2> /dev/null +@@ -229,11 +247,22 @@ kill -TERM $WM_PID 2> /dev/null - def usage(self, message = ""): - error_exit("%s\n%s" % (self.__parser.usage, message)) -- -+ def __parse_options(self): from optparse import OptionParser + types = "" + try: + types = _(""" -+Policy defines the following types for use with the -t: ++Policy defines the following types for use with the -t: +\t%s +""") % "\n\t".join(setools.seinfo(setools.ATTRIBUTE, "sandbox_type")[0]['types']) + except RuntimeError: 
@@ -1813,9 +1668,9 @@ index 48a26c2..4d17385 100644 + usage = _(""" -sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [[-i file ] ...] [ -t type ] command -+sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] command ++sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] command + -+sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] -S ++sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] -S +%s +""") % types @@ -1824,13 +1679,23 @@ index 48a26c2..4d17385 100644 parser = OptionParser(version=self.VERSION, usage=usage) parser.disable_interspersed_args() -@@ -268,6 +297,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- +@@ -260,14 +289,18 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- + parser.add_option("-H", "--homedir", + action="callback", callback=self.__validdir, + type="string", +- dest="homedir", ++ dest="homedir", + help=_("alternate home directory to use for mounting")) + +- parser.add_option("-T", "--tmpdir", dest="tmpdir", ++ parser.add_option("-T", "--tmpdir", dest="tmpdir", + type="string", action="callback", callback=self.__validdir, help=_("alternate /tmp directory to use for mounting")) + parser.add_option("-w", "--windowsize", dest="windowsize", + type="string", default=DEFAULT_WINDOWSIZE, -+ help="size of the sandbox window") ++ help="size of the sandbox window") + parser.add_option("-W", "--windowmanager", dest="wm", type="string", 
@@ -1840,8 +1705,8 @@ index 48a26c2..4d17385 100644 help=_("MCS/MLS level for the sandbox")) + parser.add_option("-c", "--cgroups", -+ action="store_true", dest="usecgroup", default=False, -+ help="Use cgroups to limit this sandbox.") ++ action="store_true", dest="usecgroup", default=False, ++ help=_("Use cgroups to limit this sandbox.")) + + parser.add_option("-C", "--capabilities", + action="store_true", dest="usecaps", default=False, @@ -1869,7 +1734,15 @@ index 48a26c2..4d17385 100644 if len(cmds) == 0: self.usage(_("Command required")) cmds[0] = fullpath(cmds[0]) -@@ -329,44 +374,47 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- +@@ -323,50 +368,51 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- + + con = selinux.getcon()[1].split(":") + self.__execcon = "%s:%s:%s:%s" % (con[0], con[1], self.setype, level) +- self.__filecon = "%s:%s:%s:%s" % (con[0], "object_r", +- "%s_file_t" % self.setype[:-2], ++ self.__filecon = "%s:%s:%s:%s" % (con[0], "object_r", ++ "%s_file_t" % self.setype[:-2], + level) def __setup_dir(self): if self.__options.level or self.__options.session: return @@ -1914,8 +1787,6 @@ index 48a26c2..4d17385 100644 + cmds.append('-c') + if self.__options.usecaps: + cmds.append('-C') -+ if not self.__options.level: -+ cmds.append('-k') if self.__mount: - cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon ] + self.__paths - rc = subprocess.Popen(cmds).wait() @@ -1937,7 +1808,7 @@ index 48a26c2..4d17385 100644 selinux.setexeccon(self.__execcon) rc = subprocess.Popen(self.__cmds).wait() -@@ -404,7 +452,7 @@ if __name__ == '__main__': +@@ -404,7 +450,7 @@ if __name__ == '__main__': sandbox = Sandbox() rc = sandbox.main() except OSError, error: @@ -1947,7 +1818,7 @@ index 48a26c2..4d17385 100644 error_exit(error.args[0]) except KeyError, error: 
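Review bot: The `-c/--cgroups` help text is now wrapped in `_()`, but the `-w/--windowsize` option added a few lines above in this file still uses a bare `help="size of the sandbox window"`, so it is the one option whose help will not be picked up for translation. Change it to `help=_("size of the sandbox window")` for consistency with every other `add_option` call in __parse_options. __parse_options starts before this hunk.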
diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8 -index 1479364..3deb4b2 100644 +index 1479364..2b37e63 100644 --- a/policycoreutils/sandbox/sandbox.8 +++ b/policycoreutils/sandbox/sandbox.8 @@ -1,10 +1,13 @@ @@ -1975,7 +1846,7 @@ index 1479364..3deb4b2 100644 +Run a full desktop session, Requires level, and home and tmpdir. +.TP +\fB\-w windowsize\fR -+Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700. ++Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700. +.TP \fB\-W windowmanager\fR Select alternative window manager to run within @@ -1998,7 +1869,7 @@ index 1479364..3deb4b2 100644 .PP + +.SH AUTHOR -+This manual page was written by ++This manual page was written by +.I Dan Walsh +and +.I Thomas Liu @@ -2017,13 +1888,13 @@ index 0000000..7c35808 +CPUUSAGE=80% diff --git a/policycoreutils/sandbox/sandbox.conf.5 b/policycoreutils/sandbox/sandbox.conf.5 new file mode 100644 -index 0000000..ee97e10 +index 0000000..b3ee67d --- /dev/null +++ b/policycoreutils/sandbox/sandbox.conf.5 @@ -0,0 +1,40 @@ +.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration" +.SH NAME -+sandbox.conf \- user config file for the SELinux sandbox ++sandbox.conf \- user config file for the SELinux sandbox +.SH DESCRIPTION +.PP +When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined. @@ -2059,7 +1930,7 @@ index 0000000..ee97e10 +.PP + +.SH AUTHOR -+This manual page was written by ++This manual page was written by +.I Thomas Liu diff --git a/policycoreutils/sandbox/sandbox.init b/policycoreutils/sandbox/sandbox.init index ff8b3ef..66aadfd 100644 @@ -2106,22 +1977,23 @@ index ff8b3ef..66aadfd 100644 } diff --git a/policycoreutils/sandbox/sandboxX.sh b/policycoreutils/sandbox/sandboxX.sh -index 8338203..0b0239c 100644 +index 8338203..88ebfee 100644 
--- a/policycoreutils/sandbox/sandboxX.sh +++ b/policycoreutils/sandbox/sandboxX.sh @@ -1,15 +1,21 @@ - #!/bin/bash +-#!/bin/bash ++#!/bin/bash +trap "" TERM context=`id -Z | secon -t -l -P` export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`" -export SCREENSIZE="1000x700" -#export SCREENSIZE=`xdpyinfo | awk '/dimensions/ { print $2 }'` -+[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1" -+[ -z $2 ] && export DPI="96" || export DPI="$2" ++[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1" ++[ -z $2 ] && export DPI="96" || export DPI="$2" trap "exit 0" HUP -(/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -displayfd 5 5>&1 2>/dev/null) | while read D; do -+(/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -displayfd 5 5>&1 2>/dev/null) | while read D; do ++(/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -displayfd 5 5>&1 2>/dev/null) | while read D; do export DISPLAY=:$D - python -c 'import gtk, os, commands; commands.getstatusoutput("%s/.sandboxrc" % os.environ["HOME"])' + cat > ~/seremote << __EOF @@ -2138,7 +2010,7 @@ index 8338203..0b0239c 100644 exit 0 diff --git a/policycoreutils/sandbox/seunshare.8 b/policycoreutils/sandbox/seunshare.8 new file mode 100644 -index 0000000..c69ceda +index 0000000..06610c0 --- /dev/null +++ b/policycoreutils/sandbox/seunshare.8 @@ -0,0 +1,43 @@ 
@@ -2147,11 +2019,11 @@ index 0000000..c69ceda +seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context +.SH SYNOPSIS +.B seunshare -+[-v] [-c] [-C] [-k] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args] ++[ -v ] [ -c ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args] +.br +.SH DESCRIPTION +.PP -+Run the ++Run the +.I executable +within the specified context, using the alternate home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context. + @@ -2178,15 +2050,15 @@ index 0000000..c69ceda +Verbose output +.SH "SEE ALSO" +.TP -+runcon(1), sandbox(8), selinux(8) ++runcon(1), sandbox(8), selinux(8) +.PP +.SH AUTHOR -+This manual page was written by ++This manual page was written by +.I Dan Walsh +and +.I Thomas Liu diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c -index ec692e7..2718a68 100644 +index e713b74..1a0a488 100644 --- a/policycoreutils/sandbox/seunshare.c +++ b/policycoreutils/sandbox/seunshare.c @@ -1,27 +1,35 @@ @@ -2195,7 +2067,7 @@ index ec692e7..2718a68 100644 + * Authors: Thomas Liu + */ + -+#define _GNU_SOURCE + #define _GNU_SOURCE #include #include +#include @@ -2204,7 +2076,6 @@ index ec692e7..2718a68 100644 #include +#include #include --#define _GNU_SOURCE #include +#include #include @@ -2230,7 +2101,7 @@ index ec692e7..2718a68 100644 #ifdef USE_NLS #include /* for setlocale() */ -@@ -39,29 +47,56 @@ +@@ -39,29 +47,55 @@ #define MS_PRIVATE 1<<18 #endif 
@@ -2240,8 +2111,7 @@ index ec692e7..2718a68 100644 + +#define BUF_SIZE 1024 +#define DEFAULT_PATH "/usr/bin:/bin" -+ -+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] -C -t tmpdir -h homedir [-Z context] -- executable [args]") ++#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] [ -k ] [ -C ] [ -t tmpdir] [ -h homedir ] [ -Z context ] -- executable [args]") + +static int verbose = 0; +static int child = 0; @@ -2300,7 +2170,7 @@ index ec692e7..2718a68 100644 */ static int set_signal_handles(void) { -@@ -75,32 +110,117 @@ static int set_signal_handles(void) +@@ -75,32 +109,117 @@ static int set_signal_handles(void) (void)sigprocmask(SIG_SETMASK, &empty, NULL); @@ -2312,7 +2182,7 @@ index ec692e7..2718a68 100644 } + if (signal(SIGINT, handler) == SIG_ERR) { -+ perror("Unable to set SIGHUP handler"); ++ perror("Unable to set SIGINT handler"); + return -1; + } + @@ -2408,7 +2278,7 @@ index ec692e7..2718a68 100644 - fprintf(stderr, _("Invalid mount point %s: %s\n"), mntdir, strerror(errno)); + + if (st_out == NULL) st_out = &sb; -+ ++ + if (lstat(dir, st_out) == -1) { + fprintf(stderr, _("Failed to stat %s: %s\n"), dir, strerror(errno)); + return -1; @@ -2429,7 +2299,7 @@ index ec692e7..2718a68 100644 return 0; } -@@ -123,7 +243,7 @@ static int verify_shell(const char *shell_name) +@@ -123,7 +242,7 @@ static int verify_shell(const char *shell_name) /* check the shell skipping newline char */ if (!strcmp(shell_name, buf)) { @@ -2438,7 +2308,7 @@ index ec692e7..2718a68 100644 break; } } -@@ -131,45 +251,594 @@ static int verify_shell(const char *shell_name) +@@ -131,54 +250,618 @@ static int verify_shell(const char *shell_name) return rc; } 
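Review bot: The new USAGE_STRING writes `[ -t tmpdir]` without the closing space used by every other bracket group, and orders the flags `-v -c -k -C` while the seunshare.8 SYNOPSIS added in this same patch orders them `-v -c -C -k`; users comparing the usage line with the man page will notice the mismatch. Suggested: `#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]")`.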
@@ -2522,12 +2392,12 @@ index ec692e7..2718a68 100644 +static int match(const char *string, char *pattern) +{ + int status; -+ regex_t re; ++ regex_t re; + if (regcomp(&re, pattern, REG_EXTENDED|REG_NOSUB) != 0) { + return 0; + } + status = regexec(&re, string, (size_t)0, NULL, 0); -+ regfree(&re); ++ regfree(&re); + if (status != 0) { + return 0; + } @@ -2549,8 +2419,8 @@ index ec692e7..2718a68 100644 + char *tok = NULL; + int rc = -1; + char *str = NULL; -+ const char* fname = "/etc/sysconfig/sandbox"; -+ ++ const char* fname = "/etc/sysconfig/sandbox"; ++ + if ((fp = fopen(fname, "rt")) == NULL) { + fprintf(stderr, "Error opening sandbox config file."); + return rc; @@ -2558,13 +2428,15 @@ index ec692e7..2718a68 100644 + while(fgets(buf, BUF_SIZE, fp) != NULL) { + /* Skip comments */ + if (buf[0] == '#') continue; -+ ++ + /* Copy the string, ignoring whitespace */ + int len = strlen(buf); + free(str); + str = malloc((len + 1) * sizeof(char)); -+ -+ int ind = 0; ++ if (!str) ++ goto err; ++ ++ int ind = 0; + int i; + for (i = 0; i < len; i++) { + char cur = buf[i]; @@ -2574,7 +2446,7 @@ index ec692e7..2718a68 100644 + } + } + str[ind] = '\0'; -+ ++ + tok = strtok(str, "=\n"); + if (tok != NULL) { + if (!strcmp(tok, "CPUAFFINITY")) { @@ -2598,7 +2470,7 @@ index ec692e7..2718a68 100644 + fprintf(stderr, "Error parsing config file."); + goto err; + } -+ ++ + } else if (!strcmp(tok, "CPUUSAGE")) { + tok = strtok(NULL, "=\n"); + if (match(tok, "^[0-9]+\%")) { @@ -2616,14 +2488,14 @@ index ec692e7..2718a68 100644 + continue; + } + } -+ ++ + } + if (mem == NULL) { + long phypz = sysconf(_SC_PHYS_PAGES); + long psize = sysconf(_SC_PAGE_SIZE); + memusage = phypz * psize * (float) memusage / 100.0; + } -+ ++ + cgroup_init(); + + int64_t current_runtime = 0; 
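Review bot: The added `if (!str) goto err;` after `malloc` is the right fix, but the same function still passes `strtok()` results to `match()` without a NULL check further down (visible in the CPUUSAGE branch: `tok = strtok(NULL, "=\n"); if (match(tok, "^[0-9]+\%"))`), and `match()` hands its argument straight to `regexec()`; a config line such as `CPUUSAGE=` with no value therefore dereferences NULL in a helper that the Makefile installs 4755. Add `if (tok == NULL) { fprintf(stderr, "Error parsing config file.\n"); goto err; }` before each `match()` call on a `strtok(NULL, ...)` result. Whether `err:` closes `fp` and frees `str` is outside the hunk; setup_cgroups starts before it.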
@@ -2639,8 +2511,8 @@ index ec692e7..2718a68 100644 + cgroup_get_cgroup(curr); + cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_runtime_us", ¤t_runtime); + cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_period_us", ¤t_period); -+ } -+ ++ } ++ + ret = cgroup_get_current_controller_path(getpid(), "memory", &curr_mem_path); + if (ret) { + sandbox_error("Error while trying to get current controller path.\n"); @@ -2648,33 +2520,33 @@ index ec692e7..2718a68 100644 + struct cgroup *curr = cgroup_new_cgroup(curr_mem_path); + cgroup_get_cgroup(curr); + cgroup_get_value_int64(cgroup_get_controller(curr, "memory"), "memory.limit_in_bytes", ¤t_mem); -+ } -+ ++ } ++ + if (((float) cpupercentage) / 100.0> (float)current_runtime / (float) current_period) { + sandbox_error("CPU usage restricted!\n"); + goto err; -+ } -+ -+ if (mem == NULL) { ++ } ++ ++ if (mem == NULL) { + if (memusage > current_mem) { + sandbox_error("Attempting to use more memory than allowed!"); + goto err; + } + } -+ ++ + long nprocs = sysconf(_SC_NPROCESSORS_ONLN); -+ -+ struct sched_param sp; ++ ++ struct sched_param sp; + sp.sched_priority = sched_get_priority_min(SCHED_FIFO); + sched_setscheduler(getpid(), SCHED_FIFO, &sp); + struct cgroup *sandbox_group = cgroup_new_cgroup(cgroupname); + cgroup_add_controller(sandbox_group, "memory"); + cgroup_add_controller(sandbox_group, "cpu"); -+ ++ + if (mem == NULL) { + if (memusage > 0) { + cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", memusage); -+ } ++ } + } else { + cgroup_set_value_string(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", mem); + } 
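Review bot: `sched_setscheduler(getpid(), SCHED_FIFO, &sp)` switches the seunshare process itself to a realtime policy, which the command it later execv()s will presumably inherit, and its return value is ignored; if the call exists only to make the cpu.rt_* comparison meaningful it should go, and if realtime scheduling for the sandbox is intended it needs a comment and a check such as `if (sched_setscheduler(getpid(), SCHED_FIFO, &sp) < 0) { perror("sched_setscheduler"); goto err; }`. The ratio `(float)current_runtime / (float) current_period` is also evaluated when the cpu-controller lookup above did not fill current_period; if it still holds its initial value the division yields NaN or infinity, the comparison is false, and the "CPU usage restricted!" check silently passes (the variable's declaration is outside this hunk). The hunk only changes whitespace; setup_cgroups continues beyond it.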
@@ -2686,13 +2558,13 @@ index ec692e7..2718a68 100644 + if (cpus != NULL) { + cgroup_set_value_string(cgroup_get_controller(sandbox_group, "cpu"), "cgroup.procs",cpus); + } -+ ++ + uint64_t allocated_mem; + if (cgroup_get_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", &allocated_mem) > current_mem) { + sandbox_error("Attempting to use more memory than allowed!\n"); + goto err; + } -+ ++ + rc = cgroup_create_cgroup(sandbox_group, 1); + if (rc != 0) { + sandbox_error("Failed to create group. Ensure that cgconfig service is running. \n"); @@ -2711,7 +2583,7 @@ index ec692e7..2718a68 100644 + return rc; +} + -+/* ++/* + If path is empy or ends with "/." or "/.. return -1 else return 0; + */ +static int bad_path(const char *path) { @@ -2733,7 +2605,7 @@ index ec692e7..2718a68 100644 + return 0; +} + -+static int rsynccmd(const char * src, const char *dst, char **cmdbuf) ++static int rsynccmd(const char * src, const char *dst, char **cmdbuf) +{ + char *buf = NULL; + char *newbuf = NULL; @@ -2777,7 +2649,7 @@ index ec692e7..2718a68 100644 + newbuf = NULL; + } + -+ if (buf) { ++ if (buf) { + if (asprintf(&newbuf, "/usr/bin/rsync -trlHDq %s '%s'", buf, dst) == -1) { + fprintf(stderr, "Out of memory\n"); + goto err; @@ -2892,8 +2764,12 @@ index ec692e7..2718a68 100644 + if (verify_directory(tmpdir, NULL, out_st) < 0) { + goto err; + } -+ if (check_owner_uid(0, tmpdir, out_st) < 0) goto err; -+ if (check_owner_gid(getgid(), tmpdir, out_st) < 0) goto err; ++ ++ if (check_owner_uid(0, tmpdir, out_st) < 0) ++ goto err; ++ ++ if (check_owner_gid(getgid(), tmpdir, out_st) < 0) ++ goto err; + + /* change permissions of the temporary directory */ + if ((fd_t = open(tmpdir, O_RDONLY)) < 0) { 
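Review bot: The memory check compares the return code of cgroup_get_value_uint64() with current_mem instead of the value it stores in allocated_mem; libcgroup returns 0 on success or an error code, so the condition weighs a status code against a byte count and the "Attempting to use more memory than allowed!" error cannot fire as intended. The check should be `if (cgroup_get_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", &allocated_mem) != 0 || allocated_mem > current_mem) {`, and since allocated_mem is unsigned while current_mem appears to be int64_t, a negative current_mem should be handled before the comparison. The hunk only changes whitespace here; setup_cgroups continues outside it.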
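Review bot: rsynccmd() interpolates dst into a shell command line inside single quotes (`'%s'`), so a directory name containing a single quote terminates the quoting and the remainder of the name is parsed by the shell; if cmdbuf is executed through a shell (its consumer is outside this hunk) that is command injection in a helper that switches fsuid in main(). The robust fix is to not build a command line at all — assemble an argv for `/usr/bin/rsync` and exec it directly — or, failing that, reject src and dst containing `'` before formatting. The same concern applies to the `%s` expansion of buf, which is assembled earlier in the function. The hunk itself only changes whitespace.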
@@ -2920,7 +2796,7 @@ index ec692e7..2718a68 100644 + + /* copy selinux context */ + if (execcon) { -+ if (fsetfilecon(fd_t, con) == -1) { ++ if (fsetfilecon(fd_t, con) == -1) { + fprintf(stderr, _("Failed to set context of the directory %s: %s\n"), tmpdir, strerror(errno)); + goto err; + } @@ -2972,6 +2848,7 @@ index ec692e7..2718a68 100644 + max_pids = 256; + pid_table = malloc(max_pids * sizeof (pid_t)); + if (!pid_table) { ++ (void)closedir(dir); + return -1; + } + pids = 0; @@ -2985,6 +2862,7 @@ index ec692e7..2718a68 100644 + + if (pids == max_pids) { + if (!(pid_table = realloc(pid_table, 2*pids*sizeof(pid_t)))) { ++ (void)closedir(dir); + return -1; + } + max_pids *= 2; @@ -2998,7 +2876,7 @@ index ec692e7..2718a68 100644 + pid_t id = pid_table[i]; + + if (getpidcon(id, &scon) == 0) { -+ ++ + context_t pidcon = context_new(scon); + /* Attempt to kill remaining processes */ + if (strcmp(context_range_get(pidcon), mcs) == 0) @@ -3047,20 +2925,24 @@ index ec692e7..2718a68 100644 {NULL, 0, 0, 0} }; -@@ -180,6 +849,12 @@ int main(int argc, char **argv) { + uid_t uid = getuid(); +- ++/* + if (!uid) { + fprintf(stderr, _("Must not be root")); return -1; } - ++*/ ++ +#ifdef USE_NLS + setlocale(LC_ALL, ""); + bindtextdomain(PACKAGE, LOCALEDIR); + textdomain(PACKAGE); +#endif -+ + struct passwd *pwd=getpwuid(uid); if (!pwd) { - perror(_("getpwduid failed")); -@@ -187,34 +862,36 @@ int main(int argc, char **argv) { +@@ -187,34 +870,36 @@ int main(int argc, char **argv) { } if (verify_shell(pwd->pw_shell) < 0) { @@ -3112,7 +2994,7 @@ index ec692e7..2718a68 100644 break; default: fprintf(stderr, "%s\n", USAGE_STRING); -@@ -223,76 +900,84 @@ int main(int argc, char **argv) { +@@ -223,99 +908,131 @@ int main(int argc, char **argv) { } if (! homedir_s && ! tmpdir_s) { 
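Review bot: On realloc() failure the original pid_table is lost because the result is assigned straight back to it; the added closedir() fixes the descriptor leak but the buffer still leaks. Use a temporary: `pid_t *tmp = realloc(pid_table, 2*pids*sizeof(pid_t));` / `if (!tmp) { free(pid_table); (void)closedir(dir); return -1; }` / `pid_table = tmp;`. killall's body starts and ends outside this hunk.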
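Review bot: The `if (!uid) { ... "Must not be root" ... }` guard is disabled by wrapping it in `/* */` rather than removing it, with no comment explaining why invocation as root is now acceptable, so a reader cannot tell whether the change is deliberate. If seunshare is meant to run as root, delete the block and record the rationale in a one-line comment next to `uid_t uid = getuid();`; if not, restore the check. Either way the commit message should mention that the caller restriction changed, since the fsuid switching and the `check_owner_uid(uid, ...)` checks in later hunks appear to assume an unprivileged caller. main() continues outside this hunk.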
@@ -3133,14 +3015,16 @@ index ec692e7..2718a68 100644 - scontext = argv[optind++]; - - if (set_signal_handles()) -- return -1; -- -- if (unshare(CLONE_NEWNS) < 0) { -- perror(_("Failed to unshare")); + if (execcon && is_selinux_enabled() != 1) { + fprintf(stderr, _("Error: execution context specified, but SELinux is not enabled\n")); return -1; - } ++ } + +- if (unshare(CLONE_NEWNS) < 0) { +- perror(_("Failed to unshare")); ++ if (set_signal_handles()) + return -1; +- } - if (homedir_s && tmpdir_s && (strncmp(pwd->pw_dir, tmpdir_s, strlen(pwd->pw_dir)) == 0)) { - if (seunshare_mount(tmpdir_s, "/tmp", pwd) < 0) @@ -3154,16 +3038,17 @@ index ec692e7..2718a68 100644 - if (tmpdir_s && seunshare_mount(tmpdir_s, "/tmp", pwd) < 0) - return -1; - } -+ if (set_signal_handles()) return -1; -+ -+ if (usecgroups && setup_cgroups() < 0) return -1; ++ if (usecgroups && setup_cgroups() < 0) ++ return -1; + + /* set fsuid to ruid */ + /* Changing fsuid is usually required when user-specified directory is + * on an NFS mount. It's also desired to avoid leaking info about + * existence of the files not accessible to the user. */ + setfsuid(uid); -+ + +- if (drop_capabilities(uid)) { +- perror(_("Failed to drop all capabilities")); + /* verify homedir and tmpdir */ + if (homedir_s && ( + verify_directory(homedir_s, NULL, &st_homedir) < 0 || @@ -3172,9 +3057,7 @@ index ec692e7..2718a68 100644 + verify_directory(tmpdir_s, NULL, &st_tmpdir_s) < 0 || + check_owner_uid(uid, tmpdir_s, &st_tmpdir_s))) return -1; + setfsuid(0); - -- if (drop_capabilities(uid)) { -- perror(_("Failed to drop all capabilities")); ++ + /* create runtime tmpdir */ + if (tmpdir_s && (tmpdir_r = create_tmpdir(tmpdir_s, &st_tmpdir_s, + &st_tmpdir_r, pwd, execcon)) == NULL) { 
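Review bot: The result of `setfsuid(uid)` is never verified; setfsuid() reports failure only through its return value (the previous fsuid), so a failed switch would leave the verify_directory/check_owner_uid calls running with fsuid 0 and the NFS and information-leak rationale given in the comment silently ineffective. The documented way to confirm the switch is a second call: `setfsuid(uid); if ((uid_t)setfsuid(uid) != uid) { fprintf(stderr, _("Failed to set fsuid\n")); return -1; }`. The same applies to the `setfsuid(0)` that restores privileges in the next hunk. main() starts and ends outside this hunk.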
@@ -3243,18 +3126,20 @@ index ec692e7..2718a68 100644 + goto childerr; } - - if (display) +- if (display) ++ if (display) rc |= setenv("DISPLAY", display, 1); rc |= setenv("HOME", pwd->pw_dir, 1); -@@ -300,22 +985,47 @@ int main(int argc, char **argv) { + rc |= setenv("SHELL", pwd->pw_shell, 1); rc |= setenv("USER", pwd->pw_name, 1); rc |= setenv("LOGNAME", pwd->pw_name, 1); rc |= setenv("PATH", DEFAULT_PATH, 1); +- + if (rc != 0) { + fprintf(stderr, _("Failed to construct environment\n")); + goto childerr; + } - ++ + /* selinux context */ + if (execcon && setexeccon(execcon) != 0) { + fprintf(stderr, _("Could not set exec context to %s.\n"), execcon); @@ -3266,9 +3151,7 @@ index ec692e7..2718a68 100644 - exit(-1); + goto childerr; } -+ setsid(); -+ execv(argv[optind], argv + optind); + fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno)); +childerr: @@ -3286,7 +3169,7 @@ index ec692e7..2718a68 100644 + /* parent waits for child exit to do the cleanup */ + waitpid(child, &status, 0); + status_to_retval(status, status); - ++ + /* Make sure all child processes exit */ + kill(-child,SIGTERM); + @@ -3294,12 +3177,11 @@ index ec692e7..2718a68 100644 + killall(execcon); + + if (tmpdir_r) cleanup_tmpdir(tmpdir_r, tmpdir_s, pwd, 1); -+ + +err: + free(tmpdir_r); return status; } -+ diff --git a/policycoreutils/sandbox/start b/policycoreutils/sandbox/start new file mode 100644 index 0000000..52950d7 
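Review bot: waitpid()'s return value is ignored, so if the call fails or is interrupted (EINTR) by one of the handlers installed in set_signal_handles(), `status` reaches status_to_retval() without ever having been written and the cleanup below runs as if the child had exited normally (status's declaration is outside this hunk). Retry on EINTR and treat any other failure explicitly: `while (waitpid(child, &status, 0) == -1 && errno == EINTR) ;` followed by a check that the loop did not exit with -1. This hunk only changes whitespace; main() continues on either side of it.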
@@ -3315,246 +3197,26 @@ index 0000000..52950d7 + pass +if rc[0] == 0: + print rc[1] -diff --git a/policycoreutils/scripts/Makefile b/policycoreutils/scripts/Makefile -index 53b65b6..cc75a96 100644 ---- a/policycoreutils/scripts/Makefile -+++ b/policycoreutils/scripts/Makefile -@@ -14,6 +14,7 @@ install: all - install -m 755 genhomedircon $(SBINDIR) - -mkdir -p $(MANDIR)/man8 - install -m 644 fixfiles.8 $(MANDIR)/man8/ -+ install -m 644 genhomedircon.8 $(MANDIR)/man8/ - install -m 644 chcat.8 $(MANDIR)/man8/ - - clean: -diff --git a/policycoreutils/scripts/chcat b/policycoreutils/scripts/chcat -index 4038a99..9efcb22 100755 ---- a/policycoreutils/scripts/chcat -+++ b/policycoreutils/scripts/chcat -@@ -1,4 +1,4 @@ --#! /usr/bin/python -E -+#! /usr/bin/python -Es - # Copyright (C) 2005 Red Hat - # see file 'COPYING' for use and warranty information - # -diff --git a/policycoreutils/scripts/chcat.8 b/policycoreutils/scripts/chcat.8 -index 3f9efba..7c6d75a 100644 ---- a/policycoreutils/scripts/chcat.8 -+++ b/policycoreutils/scripts/chcat.8 -@@ -51,5 +51,5 @@ When operating on files this script wraps the chcon command. - .SH "FILES" - /etc/selinux/{SELINUXTYPE}/setrans.conf - .br --/etc/selinux/{SELINUXTYPE}/seuser -+/etc/selinux/{SELINUXTYPE}/seusers - diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles -index ae519fc..8e47d94 100755 +index e4e5f0d..27dcccf 100755 --- a/policycoreutils/scripts/fixfiles 
+++ b/policycoreutils/scripts/fixfiles -@@ -21,6 +21,44 @@ - # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +@@ -103,7 +103,7 @@ exclude_dirs_from_relabelling() { - # -+# Get all mounted rw file systems that support seclabel -+# -+get_labeled_mounts() { -+# /dev is not listed in the mountab -+FS="`mount | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/\(rw/{print $3}';` /dev" -+for i in $FS; do -+ grep --silent "$i ".*seclabel /proc/self/mounts && echo $i -+done -+} -+exclude_dirs_from_relabelling() { -+ exclude_from_relabelling= -+ if [ -e /etc/selinux/fixfiles_exclude_dirs ] -+ then -+ while read i -+ do -+ # skip blank line and comment -+ # skip not absolute path -+ # skip not directory -+ [ -z "${i}" ] && continue -+ [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue -+ [[ ! "${i}" =~ ^/.* ]] && continue -+ [[ ! -d "${i}" ]] && continue -+ exclude_from_relabelling="$exclude_from_relabelling -e $i" -+ logit "skipping the directory $i from relabelling" -+ done < /etc/selinux/fixfiles_exclude_dirs -+ fi -+ echo "$exclude_from_relabelling" -+} -+exclude_dirs() { -+ exclude= -+ for i in /var/lib/BackupPC /home /tmp /dev; do -+ [ -e $i ] && exclude="$exclude -e $i"; -+ done -+ exclude="$exclude `exclude_dirs_from_relabelling`" -+ echo "$exclude" -+} -+ -+# - # Set global Variables - # - fullFlag=0 -@@ -35,9 +73,7 @@ SYSLOGFLAG="-l" - LOGGER=/usr/sbin/logger - SETFILES=/sbin/setfiles - RESTORECON=/sbin/restorecon --FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs ).*\(rw/{print $3}';` --FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs ).*\(ro/{print $3}';` --FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO" -+FILESYSTEMS=`get_labeled_mounts` - SELINUXTYPE="targeted" - if [ -e /etc/selinux/config ]; then - . 
/etc/selinux/config -@@ -87,23 +123,10 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then - esac; \ - fi; \ - done | \ -- while read pattern ; do sh -c "find $pattern \ -- ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o \ -- \( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print0"; \ -- done 2> /dev/null | \ -- ${RESTORECON} $* -0 -f - -+ ${RESTORECON} -f - -R -p `exclude_dirs`; \ - rm -f ${TEMPFILE} ${PREFCTEMPFILE} - fi - } --# --# Log all Read Only file systems --# --LogReadOnly() { --if [ ! -z "$FILESYSTEMSRO" ]; then -- logit "Warning: Skipping the following R/O filesystems:" -- logit "$FILESYSTEMSRO" --fi --} - - rpmlist() { - rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' ' -@@ -121,33 +144,45 @@ if [ ! -z "$PREFC" ]; then - fi - if [ ! -z "$RPMFILES" ]; then - for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do -- rpmlist $i | ${RESTORECON} ${FORCEFLAG} $* -R -i -f - 2>&1 >> $LOGFILE -+ rpmlist $i | ${RESTORECON} ${FORCEFLAG} $* -R -i -f - 2>&1 | cat >> $LOGFILE + exclude_dirs() { + exclude= +- for i in /home /root /tmp /dev; do ++ for i in /var/lib/BackupPC /home /tmp /dev; do + [ -e $i ] && exclude="$exclude -e $i"; done - exit $? - fi - if [ ! -z "$FILEPATH" ]; then -- if [ -x /usr/bin/find ]; then -- /usr/bin/find "$FILEPATH" \ -- ! 
\( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o -print0 | \ -- ${RESTORECON} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE -- else -- ${RESTORECON} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE -- fi -+ ${RESTORECON} ${FORCEFLAG} -R $* $FILEPATH 2>&1 | cat >> $LOGFILE - return - fi - [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon --LogReadOnly --${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE --rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* -+# -+exclude_dirs="`exclude_dirs_from_relabelling`" -+if [ -n "${exclude_dirs}" ] -+then -+ TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX` -+ test -z "$TEMPFCFILE" && exit -+ /bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit -+ exclude_dirs=${exclude_dirs//-e/} -+ for p in ${exclude_dirs} -+ do -+ p="${p%/}" -+ p1="${p}(/.*)? -- <>" -+ echo "${p1}" >> $TEMPFCFILE -+ logit "skipping the directory ${p} from relabelling" -+ done -+FC=$TEMPFCFILE -+fi -+${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMS} 2>&1 | cat >> $LOGFILE -+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE -+find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete - find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; - find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; -+find /var/run \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t var_run_t {} \; -+[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t lib_t {} \; - exit $? 
- } - - fullrelabel() { - logit "Cleaning out /tmp" -- find /tmp/ -mindepth 1 -print0 | xargs -0 /bin/rm -f -- LogReadOnly -+ find /tmp/ -mindepth 1 -delete - restore - } - -diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8 -index dfe8aa9..0b4cbaa 100644 ---- a/policycoreutils/scripts/fixfiles.8 -+++ b/policycoreutils/scripts/fixfiles.8 -@@ -29,6 +29,8 @@ new policy, or just check whether the file contexts are all - as you expect. By default it will relabel all mounted ext2, ext3, xfs and - jfs file systems as long as they do not have a security context mount - option. You can use the -R flag to use rpmpackages as an alternative. -+The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories -+excluded from relabelling. - .P - .B fixfiles onboot - will setup the machine to relabel on the next reboot. -diff --git a/policycoreutils/scripts/genhomedircon.8 b/policycoreutils/scripts/genhomedircon.8 -new file mode 100644 -index 0000000..6331660 ---- /dev/null -+++ b/policycoreutils/scripts/genhomedircon.8 -@@ -0,0 +1,37 @@ -+.\" Hey, Emacs! This is an -*- nroff -*- source file. -+.\" Copyright (c) 2010 Dan Walsh -+.\" -+.\" This is free documentation; you can redistribute it and/or -+.\" modify it under the terms of the GNU General Public License as -+.\" published by the Free Software Foundation; either version 2 of -+.\" the License, or (at your option) any later version. -+.\" -+.\" The GNU General Public License's references to "object code" -+.\" and "executables" are to be interpreted as the output of any -+.\" document formatting or typesetting system, including -+.\" intermediate and printed output. -+.\" -+.\" This manual is distributed in the hope that it will be useful, -+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of -+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+.\" GNU General Public License for more details. 
-+.\" -+.\" You should have received a copy of the GNU General Public -+.\" License along with this manual; if not, write to the Free -+.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, -+.\" USA. -+.\" -+.\" -+.TH GENHOMEDIRCON "8" "May 2010" "Security Enhanced Linux" "SELinux" -+.SH NAME -+genhomedircon \- generate SELinux file context configuration entries for user home directories -+.SH SYNOPSIS -+.B genhomedircon -+is a script that executes semodule to rebuild policy and create the -+labels for HOMEDIRS based on home directories returned by the getpw calls. -+ -+This functionality is enabled via the usepasswd flag in /etc/selinux/semanage.conf. -+ -+.SH AUTHOR -+This manual page was written by -+.I Dan Walsh + exclude="$exclude `exclude_dirs_from_relabelling`" diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile new file mode 100644 -index 0000000..176b11f +index 0000000..e15a877 --- /dev/null +++ b/policycoreutils/semanage/default_encoding/Makefile @@ -0,0 +1,8 @@ -+all: ++all: + LDFLAGS="" python setup.py build + +install: all @@ -3564,7 +3226,7 @@ index 0000000..176b11f + rm -rf build *~ diff --git a/policycoreutils/semanage/default_encoding/default_encoding.c b/policycoreutils/semanage/default_encoding/default_encoding.c new file mode 100644 -index 0000000..c3cdd4e +index 0000000..2ba4870 --- /dev/null +++ b/policycoreutils/semanage/default_encoding/default_encoding.c @@ -0,0 +1,59 @@ @@ -3620,7 +3282,7 @@ index 0000000..c3cdd4e + + +PyMODINIT_FUNC -+initdefault_encoding_utf8(void) ++initdefault_encoding_utf8(void) +{ + PyObject* m; + @@ -3695,15 +3357,9 @@ index 0000000..e2befdb + packages=["policycoreutils"], +) diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage -index ffaca5b..bc989bf 100644 +index 0140cd2..656a028 100644 --- a/policycoreutils/semanage/semanage 
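Review bot: The rebased exclude_dirs() hunk replaces upstream's `/home /root /tmp /dev` with `/var/lib/BackupPC /home /tmp /dev`, so /root is no longer added to the `-e` exclusions and will be relabelled where upstream skips it. The removed version of the downstream patch carried the same list, so this looks like a carry-over rather than a decision; if relabelling /root is intended, say so in the commit message, otherwise the line should read `for i in /var/lib/BackupPC /home /root /tmp /dev; do`. The remainder of this hunk is a pure deletion of inner-patch content that upstream 2.1.4 absorbed.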
+++ b/policycoreutils/semanage/semanage -@@ -1,4 +1,4 @@ --#! /usr/bin/python -E -+#! /usr/bin/python -Es - # Copyright (C) 2005, 2006, 2007 Red Hat - # see file 'COPYING' for use and warranty information - # @@ -20,6 +20,7 @@ # 02111-1307 USA # @@ -3712,7 +3368,7 @@ index ffaca5b..bc989bf 100644 import sys, getopt, re import seobject import selinux -@@ -32,27 +33,35 @@ gettext.textdomain(PROGNAME) +@@ -32,7 +33,7 @@ gettext.textdomain(PROGNAME) try: gettext.install(PROGNAME, localedir="/usr/share/locale", 
@@ -3721,415 +3377,50 @@ index ffaca5b..bc989bf 100644 codeset = 'utf-8') except IOError: import __builtin__ - __builtin__.__dict__['_'] = unicode +@@ -283,11 +284,14 @@ Object-specific Options (see above): + equal = a - if __name__ == '__main__': -- -+ action = False -+ manageditems=[ "boolean", "login", "user", "port", "interface", "node", "fcontext"] -+ def set_action(option): -+ global action -+ if action: -+ raise ValueError(_("%s bad option") % option) -+ action = True -+ - def usage(message = ""): - text = _(""" - semanage [ -S store ] -i [ input_file | - ] -- --semanage {boolean|login|user|port|interface|node|fcontext} -{l|D} [-n] --semanage login -{a|d|m} [-sr] login_name | %groupname --semanage user -{a|d|m} [-LrRP] selinux_name --semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range --semanage interface -{a|d|m} [-tr] interface_spec --semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr --semanage fcontext -{a|d|m} [-frst] file_spec -+semanage [ -S store ] -o [ output_file | - ] + if o == "--enable": +- set_action(o) ++ if disable: ++ raise ValueError(_("You can't disable and enable at the same time")) + -+semanage login -{a|d|m|l|D|E} [-nrs] login_name | %groupname -+semanage user -{a|d|m|l|D|E} [-LnrRP] selinux_name -+semanage port -{a|d|m|l|D|E} [-nrt] [ -p proto ] port | port_range -+semanage interface -{a|d|m|l|D|E} [-nrt] interface_spec -+semanage module -{a|d|m} [--enable|--disable] module -+semanage node -{a|d|m|l|D|E} [-nrt] [ -p protocol ] [-M netmask] addr -+semanage fcontext -{a|d|m|l|D|E} [-efnrst] file_spec - semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file --semanage permissive -{d|a} type -+semanage permissive -{d|a|l} [-n] type - semanage dontaudit [ on | off ] + enable = True - Primary Options: -@@ -61,7 +70,9 @@ Primary Options: - -d, --delete Delete a OBJECT record NAME - -m, --modify Modify a OBJECT record NAME - -i, --input Input multiple semange commands in a transaction -+ -o, --output Output 
current customizations as semange commands - -l, --list List the OBJECTS -+ -E, --extract extract customizable commands - -C, --locallist List OBJECTS local customizations - -D, --deleteall Remove all OBJECTS local customizations + if o == "--disable": +- set_action(o) ++ if enable: ++ raise ValueError(_("You can't disable and enable at the same time")) + disable = True -@@ -84,12 +95,15 @@ Object-specific Options (see above): - -F, --file Treat target as an input file for command, change multiple settings - -p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6) - -M, --mask Netmask -+ -e, --equal Substitue source path for dest path when labeling - -P, --prefix Prefix for home directory labeling - -L, --level Default SELinux Level (MLS/MCS Systems only) - -R, --roles SELinux Roles (ex: "sysadm_r staff_r") - -s, --seuser SELinux User Name - -t, --type SELinux Type for the object - -r, --range MLS/MCS Security Range (MLS/MCS Systems only) -+ --enable Enable a module -+ --disable Disable a module - """) - raise ValueError("%s\n%s" % (text, message)) - -@@ -101,22 +115,25 @@ Object-specific Options (see above): - - def get_options(): - valid_option={} -- valid_everyone=[ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading', '-C', '--locallist', '-D', '--deleteall', '-S', '--store' ] -+ valid_everyone=[ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading', '-S', '--store' ] -+ valid_local=[ '-E', '--extract', '-C', '--locallist', '-D', '--deleteall'] - valid_option["login"] = [] -- valid_option["login"] += valid_everyone + [ '-s', '--seuser', '-r', '--range'] -+ valid_option["login"] += valid_everyone + valid_local + [ '-s', '--seuser', '-r', '--range'] - valid_option["user"] = [] -- valid_option["user"] += valid_everyone + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix' ] -+ valid_option["user"] += valid_everyone 
+ valid_local + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix' ] - valid_option["port"] = [] -- valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--proto' ] -+ valid_option["port"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range', '-p', '--proto' ] - valid_option["interface"] = [] -- valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range'] -+ valid_option["interface"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range'] - valid_option["node"] = [] -- valid_option["node"] += valid_everyone + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol'] -+ valid_option["node"] += valid_everyone + valid_local + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol'] -+ valid_option["module"] = [] -+ valid_option["module"] += valid_everyone + [ '--enable', '--disable'] - valid_option["fcontext"] = [] -- valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range'] -+ valid_option["fcontext"] += valid_everyone + valid_local + [ '-e', '--equal', '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range'] - valid_option["dontaudit"] = [ '-S', '--store' ] - valid_option["boolean"] = [] -- valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0", "-F", "--file"] -+ valid_option["boolean"] += valid_everyone + valid_local + [ '--on', "--off", "-1", "-0", "-F", "--file"] - valid_option["permissive"] = [] - valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ] - return valid_option -@@ -168,6 +185,8 @@ Object-specific Options (see above): - return ret - - def process_args(argv): -+ global action -+ action = False - serange = "" - port = "" - proto = "" -@@ -184,11 +203,17 @@ Object-specific Options (see above): - modify = False - delete = False - deleteall = False -+ enable = 
False -+ extract = False -+ disable = False - list = False - locallist = False - use_file = False - store = "" -+ equal="" - -+ if len(argv) == 0: -+ return - object = argv[0] - option_dict=get_options() - if object not in option_dict.keys(): -@@ -196,58 +221,84 @@ Object-specific Options (see above): - - args = argv[1:] - -- gopts, cmds = getopt.getopt(args, -- '01adf:i:lhmnp:s:FCDR:L:r:t:P:S:M:', -- ['add', -- 'delete', -- 'deleteall', -- 'ftype=', -- 'file', -- 'help', -- 'input=', -- 'list', -- 'modify', -- 'noheading', -- 'localist', -- 'off', -- 'on', -- 'proto=', -- 'seuser=', -- 'store=', -- 'range=', -- 'locallist=', -- 'level=', -- 'roles=', -- 'type=', -- 'prefix=', -- 'mask=' -- ]) -+ try: -+ gopts, cmds = getopt.getopt(args, -+ '01adEe:f:i:lhmnp:s:FCDR:L:r:t:P:S:M:', -+ ['add', -+ 'delete', -+ 'deleteall', -+ 'equal=', -+ 'enable', -+ 'extract', -+ 'disable', -+ 'ftype=', -+ 'file', -+ 'help', -+ 'input=', -+ 'list', -+ 'modify', -+ 'noheading', -+ 'localist', -+ 'off', -+ 'on', -+ 'proto=', -+ 'seuser=', -+ 'store=', -+ 'range=', -+ 'locallist=', -+ 'level=', -+ 'roles=', -+ 'type=', -+ 'prefix=', -+ 'mask=' -+ ]) -+ except getopt.error, error: -+ usage(_("Options Error %s ") % error.msg) -+ - for o, a in gopts: - if o not in option_dict[object]: - sys.stderr.write(_("%s not valid for %s objects\n") % ( o, object) ); -+ -+ return - - for o,a in gopts: - if o == "-a" or o == "--add": -- if modify or delete: -- raise ValueError(_("%s bad option") % o) -+ set_action(o) - add = True - - if o == "-d" or o == "--delete": -- if modify or add: -- raise ValueError(_("%s bad option") % o) -+ set_action(o) - delete = True -+ - if o == "-D" or o == "--deleteall": -- if modify: -- raise ValueError(_("%s bad option") % o) -+ set_action(o) - deleteall = True -+ -+ if o == "-E" or o == "--extract": -+ set_action(o) -+ extract = True - if o == "-f" or o == "--ftype": - ftype=a - -+ if o == "-e" or o == "--equal": -+ equal = a -+ -+ if o == "--enable": -+ if disable: 
-+ raise ValueError(_("You can't disable and enable at the same time")) -+ -+ enable = True -+ -+ if o == "--disable": -+ if enable: -+ raise ValueError(_("You can't disable and enable at the same time")) -+ disable = True -+ if o == "-F" or o == "--file": - use_file = True +@@ -338,9 +342,11 @@ Object-specific Options (see above): - if o == "-h" or o == "--help": -- raise ValueError(_("%s bad option") % o) -+ raise usage() + if o == "--on" or o == "-1": + value = "on" ++ modify = True - if o == "-n" or o == "--noheading": - heading = False -@@ -256,8 +307,7 @@ Object-specific Options (see above): - locallist = True - - if o == "-m"or o == "--modify": -- if delete or add: -- raise ValueError(_("%s bad option") % o) -+ set_action(o) - modify = True - - if o == "-S" or o == '--store': -@@ -292,8 +342,10 @@ Object-specific Options (see above): - - if o == "--on" or o == "-1": - value = "on" -+ modify = True - if o == "--off" or o == "-0": - value = "off" -+ modify = True + if o == "--off" or o == "-0": + value = "off" ++ modify = True if object == "login": OBJECT = seobject.loginRecords(store) -@@ -315,6 +367,11 @@ Object-specific Options (see above): +@@ -362,6 +368,8 @@ Object-specific Options (see above): if object == "boolean": OBJECT = seobject.booleanRecords(store) -+ if use_file: -+ modify=True -+ -+ if object == "module": -+ OBJECT = seobject.moduleRecords(store) - - if object == "permissive": - OBJECT = seobject.permissiveRecords(store) -@@ -330,65 +387,97 @@ Object-specific Options (see above): - OBJECT.deleteall() - return - -+ if extract: -+ for i in OBJECT.customized(): -+ print "%s %s" % (object, str(i)) -+ return -+ - if len(cmds) != 1: -- raise ValueError(_("%s bad option") % o) -+ raise ValueError(_("bad option")) - - target = cmds[0] - -- - if object == "dontaudit": -- OBJECT = seobject.dontauditClass(store) -- OBJECT.toggle(target) -- return -+ OBJECT = seobject.dontauditClass(store) -+ OBJECT.toggle(target) -+ return - - if add: - if object == 
"login": - OBJECT.add(target, seuser, serange) -+ return - - if object == "user": - OBJECT.add(target, roles.split(), selevel, serange, prefix) -+ return - - if object == "port": - OBJECT.add(target, proto, serange, setype) -+ return - - if object == "interface": - OBJECT.add(target, serange, setype) -+ return -+ -+ if object == "module": -+ OBJECT.add(target) -+ return - - if object == "node": - OBJECT.add(target, mask, proto, serange, setype) -+ return - - if object == "fcontext": -- OBJECT.add(target, setype, ftype, serange, seuser) -+ if equal == "": -+ OBJECT.add(target, setype, ftype, serange, seuser) -+ else: -+ OBJECT.add_equal(target, equal) -+ return - if object == "permissive": - OBJECT.add(target) -+ return - -- return -- - if modify: - if object == "boolean": - OBJECT.modify(target, value, use_file) -+ return - - if object == "login": - OBJECT.modify(target, seuser, serange) -+ return - - if object == "user": - rlist = roles.split() - OBJECT.modify(target, rlist, selevel, serange, prefix) -+ return -+ -+ if object == "module": -+ if enable: -+ OBJECT.enable(target) -+ elif disable: -+ OBJECT.disable(target) -+ else: -+ OBJECT.modify(target) -+ return - - if object == "port": - OBJECT.modify(target, proto, serange, setype) -+ return - - if object == "interface": - OBJECT.modify(target, serange, setype) -+ return - - if object == "node": - OBJECT.modify(target, mask, proto, serange, setype) -+ return - - if object == "fcontext": -- OBJECT.modify(target, setype, ftype, serange, seuser) -- -- return -- -+ if equal == "": -+ OBJECT.modify(target, setype, ftype, serange, seuser) -+ else: -+ OBJECT.modify_equal(target, equal) -+ return - if delete: - if object == "port": - OBJECT.delete(target, proto) -@@ -401,50 +490,65 @@ Object-specific Options (see above): - - else: - OBJECT.delete(target) -- - return -- -- raise ValueError(_("Invalid command") % " ".join(argv)) -+ raise ValueError(_("Invalid command: semanage %s") % " ".join(argv)) - - # - # - # - try: 
-+ output = None - input = None - store = "" ++ if use_file: ++ modify = True + if object == "module": + OBJECT = seobject.moduleRecords(store) +@@ -500,31 +508,36 @@ Object-specific Options (see above): if len(sys.argv) < 3: usage(_("Requires 2 or more arguments")) - gopts, cmds = getopt.getopt(sys.argv[1:], -- '01adf:i:lhmnp:s:FCDR:L:r:t:T:P:S:', +- '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:', - ['add', - 'delete', - 'deleteall', @@ -4143,6 +3434,7 @@ index ffaca5b..bc989bf 100644 - 'localist', - 'off', - 'on', +- 'output=', - 'proto=', - 'seuser=', - 'store=', @@ -4162,12 +3454,12 @@ index ffaca5b..bc989bf 100644 + 'file', + 'help', + 'input=', -+ 'list', ++ 'list', + 'modify', + 'noheading', + 'localist', -+ 'off', -+ 'on', ++ 'off', ++ 'on', + 'output=', + 'proto=', + 'seuser=', @@ -4185,22 +3477,7 @@ index ffaca5b..bc989bf 100644 for o, a in gopts: if o == "-S" or o == '--store': store = a - if o == "-i" or o == '--input': - input = a -+ if o == "-o" or o == '--output': -+ output = a -+ -+ if output != None: -+ if output != "-": -+ sys.stdout = open(output, 'w') -+ for i in manageditems: -+ print "%s -D" % i -+ process_args([i, "-E"]) -+ sys.exit(0) - - if input != None: - if input == "-": -@@ -459,11 +563,11 @@ Object-specific Options (see above): +@@ -554,8 +567,6 @@ Object-specific Options (see above): else: process_args(sys.argv[1:]) 
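Review bot: `--on`/`--off` set `modify = True` directly, bypassing whatever mutual-exclusion check governs -a/-d/-m (the lines this hunk removes routed the other actions through set_action), so `semanage boolean -d --on name` leaves both delete and modify set and the dispatch that follows chooses one silently. Since the usage text documents `--on`/`--off` only together with `-m`, a guard such as `if add or delete: raise ValueError(_("%s bad option") % o)` before each `modify = True` keeps the combination explicit; the `if use_file: modify = True` added for the boolean object a few lines later wants the same guard. process_args's body starts and ends outside this hunk; `add` and `delete` are the flags set earlier in the option loop, assumed still in scope in the upstream version.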
@@ -4209,231 +3486,11 @@ index ffaca5b..bc989bf 100644 except ValueError, error: errorExit(error.args[0]) except KeyError, error: - errorExit(_("Invalid value %s") % error.args[0]) - except IOError, error: - errorExit(error.args[1]) -+ except OSError, error: -+ errorExit(error.args[1]) -diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8 -index 70d1a20..fb6a79b 100644 ---- a/policycoreutils/semanage/semanage.8 -+++ b/policycoreutils/semanage/semanage.8 -@@ -1,29 +1,69 @@ --.TH "semanage" "8" "2005111103" "" "" -+.TH "semanage" "8" "20100223" "" "" - .SH "NAME" - semanage \- SELinux Policy Management tool - - .SH "SYNOPSIS" --.B semanage {boolean|login|user|port|interface|node|fcontext} \-{l|D} [\-n] [\-S store] -+Output local customizations - .br --.B semanage boolean \-{d|m} [\-\-on|\-\-off|\-1|\-0] -F boolean | boolean_file -+.B semanage [ -S store ] -o [ output_file | - ] -+ -+Input local customizations -+.br -+.B semanage [ -S store ] -i [ input_file | - ] -+ -+Manage booleans. Booleans allow the administrator to modify the confinement of -+processes based on his configuration. -+.br -+.B semanage boolean [\-S store] \-{d|m|l|n|D} \-[\-on|\-off|\1|0] -F boolean | boolean_file -+ -+Manage SELinux confined users (Roles and levels for an SELinux user) -+.br -+.B semanage user [\-S store] \-{a|d|m|l|n|D} [\-LrRP] selinux_name -+ -+Manage login mappings between linux users and SELinux confined users. -+.br -+.B semanage login [\-S store] \-{a|d|m|l|n|D} [\-sr] login_name | %groupname -+ -+Manage policy modules. 
-+.br -+.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] module_name -+ -+Manage network port type definitions - .br --.B semanage login \-{a|d|m} [\-sr] login_name | %groupname -+.B semanage port [\-S store] \-{a|d|m|l|n|D} [\-tr] [\-p proto] port | port_range - .br --.B semanage user \-{a|d|m} [\-LrRP] selinux_name -+ -+Manage network interface type definitions -+.br -+.B semanage interface [\-S store] \-{a|d|m|l|n|D} [\-tr] interface_spec -+ -+Manage network node type definitions - .br --.B semanage port \-{a|d|m} [\-tr] [\-p proto] port | port_range -+.B semanage node [\-S store] -{a|d|m|l|n|D} [-tr] [ -p protocol ] [-M netmask] address - .br --.B semanage interface \-{a|d|m} [\-tr] interface_spec -+ -+Manage file context mapping definitions -+.br -+.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} [\-frst] file_spec - .br --.B semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] address -+.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} \-e replacement target - .br --.B semanage fcontext \-{a|d|m} [\-frst] file_spec -+ -+Manage processes type enforcement mode - .br --.B semanage permissive \-{a|d} type -+.B semanage permissive [\-S store] \-{a|d|l|n|D} type - .br --.B semanage dontaudit [ on | off ] -+ -+Disable/Enable dontaudit rules in policy -+.br -+.B semanage dontaudit [\-S store] [ on | off ] - .P - -+Execute multiple commands within a single transaction. -+.br -+.B semanage [\-S store] \-i command-file -+.br -+ - .SH "DESCRIPTION" - semanage is used to configure certain elements of - SELinux policy without requiring modification to or recompilation -@@ -52,6 +92,22 @@ Delete a OBJECT record NAME - .I \-D, \-\-deleteall - Remove all OBJECTS local customizations - .TP -+.I \-\-disable -+Disable a policy module, requires -m option -+ -+Currently modules only. -+.TP -+.I \-\-enable -+Enable a disabled policy module, requires -m option -+ -+Currently modules only. 
-+.TP -+.I \-e, \-\-equal -+Substitute target path with sourcepath when generating default label. This is used with -+fcontext. Requires source and target path arguments. The context -+labeling for the target subtree is made equivalent to that -+defined for the source. -+.TP - .I \-f, \-\-ftype - File Type. This is used with fcontext. - Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files. -@@ -60,6 +116,7 @@ Requires a file type as shown in the mode field by ls, e.g. use -d to match only - Set multiple records from the input file. When used with the \-l \-\-list, it will output the current settings to stdout in the proper format. - - Currently booleans only. -+ - .TP - .I \-h, \-\-help - display this message -@@ -76,6 +133,9 @@ Default SELinux Level for SELinux use, s0 Default. (MLS/MCS Systems only) - .I \-m, \-\-modify - Modify a OBJECT record NAME - .TP -+.I \-M, \-\-mask -+Network Mask -+.TP - .I \-n, \-\-noheading - Do not print heading when listing OBJECTS. - .TP -@@ -99,26 +159,67 @@ Select and alternate SELinux store to manage - .TP - .I \-t, \-\-type - SELinux Type for the object -+.TP -+.I \-i, \-\-input -+Take a set of commands from a specified file and load them in a single -+transaction. - - .SH EXAMPLE - .nf --# View SELinux user mappings --$ semanage user -l --# Allow joe to login as staff_u --$ semanage login -a -s staff_u joe --# Allow the group clerks to login as user_u --$ semanage login -a -s user_u %clerks --# Add file-context for everything under /web (used by restorecon) --$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" 
--# Allow Apache to listen on port 81 --$ semanage port -a -t http_port_t -p tcp 81 --# Change apache to a permissive domain --$ semanage permissive -a httpd_t --# Turn off dontaudit rules --$ semanage dontaudit off -+.B SELinux user -+List SELinux users -+# semanage user -l -+ -+.B SELinux login -+Change joe to login as staff_u -+# semanage login -a -s staff_u joe -+Change the group clerks to login as user_u -+# semanage login -a -s user_u %clerks -+ -+.B File contexts -+.i remember to run restorecon after you set the file context -+Add file-context for everything under /web -+# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" -+# restorecon -R -v /web -+ -+Substitute /home1 with /home when setting file context -+# semanage fcontext -a -e /home /home1 -+# restorecon -R -v /home1 -+ -+For home directories under top level directory, for example /disk6/home, -+execute the following commands. -+# semanage fcontext -a -t home_root_t "/disk6" -+# semanage fcontext -a -e /home /disk6/home -+# restorecon -R -v /disk6 -+ -+.B Port contexts -+Allow Apache to listen on tcp port 81 -+# semanage port -a -t http_port_t -p tcp 81 -+ -+.B Change apache to a permissive domain -+# semanage permissive -a httpd_t -+ -+.B Turn off dontaudit rules -+# semanage dontaudit off -+ -+.B Managing multiple machines -+Multiple machines that need the same customizations. -+Extract customizations off first machine, copy them -+to second and import them. -+ -+# semanage -o /tmp/local.selinux -+# scp /tmp/local.selinux secondmachine:/tmp -+# ssh secondmachine -+# semanage -i /tmp/local.selinux -+ -+If these customizations include file context, you need to apply the -+context using restorecon. -+ - .fi - - .SH "AUTHOR" --This man page was written by Daniel Walsh and --Russell Coker . -+This man page was written by Daniel Walsh -+.br -+and Russell Coker . -+.br - Examples by Thomas Bleher . 
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py -index b7d257b..4462c9e 100644 +index 6842b07..6742fe9 100644 --- a/policycoreutils/semanage/seobject.py +++ b/policycoreutils/semanage/seobject.py -@@ -25,51 +25,17 @@ import pwd, grp, string, selinux, tempfile, os, re, sys, stat - from semanage import *; - PROGNAME = "policycoreutils" - import sepolgen.module as module -+from IPy import IP - +@@ -30,11 +30,10 @@ from IPy import IP import gettext gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.textdomain(PROGNAME) 
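Review bot: The rebased patch no longer carries the `except OSError, error: errorExit(error.args[1])` handler that the old hunk added after the `except IOError` branch of semanage's top-level try, and the new inner hunk `@@ -554,8 +567,6 @@` now ends its trailing context at `except KeyError, error:`, so this page does not show what follows it. If upstream 2.1.4 does not already include an equivalent handler, an OSError raised from the os-level calls in seobject would surface as a traceback instead of the errorExit message; confirm against the upstream semanage source before dropping it. The enclosing try block starts outside this hunk.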
@@ -4442,213 +3499,37 @@ index b7d257b..4462c9e 100644 -except IOError: - import __builtin__ - __builtin__.__dict__['_'] = unicode -- --import syslog - --handle = None -- --def get_handle(store): -- global handle -- global is_mls_enabled -- -- handle = semanage_handle_create() -- if not handle: -- raise ValueError(_("Could not create semanage handle")) -- -- if store != "": -- semanage_select_store(handle, store, SEMANAGE_CON_DIRECT); -- -- if not semanage_is_managed(handle): -- semanage_handle_destroy(handle) -- raise ValueError(_("SELinux policy is not managed or store cannot be accessed.")) -- -- rc = semanage_access_check(handle) -- if rc < SEMANAGE_CAN_READ: -- semanage_handle_destroy(handle) -- raise ValueError(_("Cannot read policy store.")) -- -- rc = semanage_connect(handle) -- if rc < 0: -- semanage_handle_destroy(handle) -- raise ValueError(_("Could not establish semanage connection")) -- -- is_mls_enabled = semanage_mls_enabled(handle) -- if is_mls_enabled < 0: -- semanage_handle_destroy(handle) -- raise ValueError(_("Could not test MLS enabled status")) ++ +import gettext +translation=gettext.translation(PROGNAME, localedir = "/usr/share/locale", fallback=True) +_=translation.ugettext -- return handle -+import syslog + import syslog - file_types = {} - file_types[""] = SEMANAGE_FCONTEXT_ALL; -@@ -194,45 +160,148 @@ def untranslate(trans, prepend = 1): +@@ -161,10 +160,12 @@ def untranslate(trans, prepend = 1): return trans else: return raw - + class semanageRecords: -- def __init__(self, store): -+ transaction = False -+ handle = None -+ store = None + transaction = False + handle = None ++ store = None + -+ def __init__(self, store): + def __init__(self, store): global handle -- if handle != None: -- self.sh = handle -- else: -- self.sh = get_handle(store) -- self.transaction = False -+ self.sh = self.get_handle(store) -+ -+ def get_handle(self, store): -+ global is_mls_enabled -+ -+ if semanageRecords.handle: -+ return semanageRecords.handle -+ -+ 
handle = semanage_handle_create() -+ if not handle: -+ raise ValueError(_("Could not create semanage handle")) -+ -+ if not semanageRecords.transaction and store != "": -+ semanage_select_store(handle, store, SEMANAGE_CON_DIRECT); -+ semanageRecords.store = store -+ -+ if not semanage_is_managed(handle): -+ semanage_handle_destroy(handle) -+ raise ValueError(_("SELinux policy is not managed or store cannot be accessed.")) -+ -+ rc = semanage_access_check(handle) -+ if rc < SEMANAGE_CAN_READ: -+ semanage_handle_destroy(handle) -+ raise ValueError(_("Cannot read policy store.")) -+ -+ rc = semanage_connect(handle) -+ if rc < 0: -+ semanage_handle_destroy(handle) -+ raise ValueError(_("Could not establish semanage connection")) -+ -+ is_mls_enabled = semanage_mls_enabled(handle) -+ if is_mls_enabled < 0: -+ semanage_handle_destroy(handle) -+ raise ValueError(_("Could not test MLS enabled status")) -+ -+ semanageRecords.handle = handle -+ return semanageRecords.handle +@@ -182,7 +183,7 @@ class semanageRecords: - def deleteall(self): - raise ValueError(_("Not yet implemented")) + if not semanageRecords.transaction and store != "": + semanage_select_store(handle, store, SEMANAGE_CON_DIRECT); +- semanageRecords.store = store ++ semanageRecords.store = store - def start(self): -- if self.transaction: -+ if semanageRecords.transaction: - raise ValueError(_("Semanage transaction already in progress")) - self.begin() -- self.transaction = True -- -+ semanageRecords.transaction = True - def begin(self): -- if self.transaction: -+ if semanageRecords.transaction: - return - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) -+ def customized(self): -+ raise ValueError(_("Not yet implemented")) -+ - def commit(self): -- if self.transaction: -+ if semanageRecords.transaction: - return - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not commit semanage transaction")) - - def finish(self): -- 
if not self.transaction: -+ if not semanageRecords.transaction: - raise ValueError(_("Semanage transaction not in progress")) -- self.transaction = False -+ semanageRecords.transaction = False - self.commit() - -+class moduleRecords(semanageRecords): -+ def __init__(self, store): -+ semanageRecords.__init__(self, store) -+ -+ def get_all(self): -+ l = [] -+ (rc, mlist, number) = semanage_module_list(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not list SELinux modules")) -+ -+ for i in range(number): -+ mod = semanage_module_list_nth(mlist, i) -+ l.append((semanage_module_get_name(mod), semanage_module_get_version(mod), semanage_module_get_enabled(mod))) -+ return l -+ -+ def list(self, heading = 1, locallist = 0): -+ if heading: -+ print "\n%-25s%-10s\n" % (_("Modules Name"), _("Version")) -+ for t in self.get_all(): -+ if t[2] == 0: -+ disabled = _("Disabled") -+ else: -+ disabled = "" -+ print "%-25s%-10s%s" % (t[0], t[1], disabled) -+ -+ def add(self, file): -+ rc = semanage_module_install_file(self.sh, file); -+ if rc >= 0: -+ self.commit() -+ -+ def disable(self, module): -+ need_commit = False -+ for m in module.split(): -+ rc = semanage_module_disable(self.sh, m) -+ if rc < 0 and rc != -3: -+ raise ValueError(_("Could not disable module %s (remove failed)") % m) -+ if rc != -3: -+ need_commit = True -+ if need_commit: -+ self.commit() -+ -+ def enable(self, module): -+ need_commit = False -+ for m in module.split(): -+ rc = semanage_module_enable(self.sh, m) -+ if rc < 0 and rc != -3: -+ raise ValueError(_("Could not enable module %s (remove failed)") % m) -+ if rc != -3: -+ need_commit = True -+ if need_commit: -+ self.commit() -+ -+ def modify(self, file): -+ rc = semanage_module_update_file(self.sh, file); -+ if rc >= 0: -+ self.commit() -+ -+ def delete(self, module): -+ for m in module.split(): -+ rc = semanage_module_remove(self.sh, m) -+ if rc < 0 and rc != -2: -+ raise ValueError(_("Could not remove module %s (remove failed)") % m) -+ -+ 
self.commit() -+ - class dontauditClass(semanageRecords): - def __init__(self, store): - semanageRecords.__init__(self, store) -@@ -259,14 +328,23 @@ class permissiveRecords(semanageRecords): + if not semanage_is_managed(handle): + semanage_handle_destroy(handle) +@@ -328,6 +329,7 @@ class permissiveRecords(semanageRecords): name = semanage_module_get_name(mod) if name and name.startswith("permissive_"): l.append(name.split("permissive_")[1]) @@ -4656,27 +3537,7 @@ index b7d257b..4462c9e 100644 return l def list(self, heading = 1, locallist = 0): -- if heading: -- print "\n%-25s\n" % (_("Permissive Types")) -- for t in self.get_all(): -- print t -+ import setools -+ all = map(lambda y: y["name"], filter(lambda x: x["permissive"], setools.seinfo(setools.TYPE))) - -+ if heading: -+ print "\n%-25s\n" % (_("Builtin Permissive Types")) -+ customized = self.get_all() -+ for t in all: -+ if t not in customized: -+ print t -+ if heading: -+ print "\n%-25s\n" % (_("Customized Permissive Types")) -+ for t in customized: -+ print t - - def add(self, type): - import glob -@@ -343,7 +421,9 @@ class loginRecords(semanageRecords): +@@ -420,7 +422,9 @@ class loginRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if login mapping for %s is defined") % name) if exists: 
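Review bot: The added `store = None` on semanageRecords (new inner hunk `@@ -161,10 +160,12 @@`) sits beside the existing `transaction = False` and `handle = None` class attributes, so it is process-wide state shared by every record object, while the retained context assigns `semanageRecords.store = store` only when a store is selected outside a transaction; a short comment would make that explicit, e.g. `store = None  # class-wide: alternate store selected with -S, None for the default store`. The later `+- semanageRecords.store = store` / `++ semanageRecords.store = store` pair in `@@ -182,7 +183,7 @@` differs only in leading whitespace as far as the collapsed rendering shows; if it moves the assignment into or out of the preceding `if`, that is a behaviour change worth stating in the patch header rather than leaving as an apparent whitespace fix. The semanageRecords class body continues outside this hunk.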
@@ -4687,40 +3548,7 @@ index b7d257b..4462c9e 100644 if name[0] == '%': try: grp.getgrnam(name[1:]) -@@ -475,6 +555,16 @@ class loginRecords(semanageRecords): - - mylog.log(1, "delete SELinux user mapping", name); - -+ def deleteall(self): -+ (rc, ulist) = semanage_seuser_list_local(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not list login mappings")) -+ -+ self.begin() -+ for u in ulist: -+ self.__delete(semanage_seuser_get_name(u)) -+ self.commit() -+ - def get_all(self, locallist = 0): - ddict = {} - if locallist: -@@ -489,6 +579,15 @@ class loginRecords(semanageRecords): - ddict[name] = (semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u)) - return ddict - -+ def customized(self): -+ l = [] -+ ddict = self.get_all(True) -+ keys = ddict.keys() -+ keys.sort() -+ for k in keys: -+ l.append("-a -s %s -r '%s' %s" % (ddict[k][0], ddict[k][1], k)) -+ return l -+ - def list(self,heading = 1, locallist = 0): - ddict = self.get_all(locallist) - keys = ddict.keys() -@@ -531,7 +630,8 @@ class seluserRecords(semanageRecords): +@@ -627,7 +631,8 @@ class seluserRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if SELinux user %s is defined") % name) if exists: 
@@ -4730,49 +3558,7 @@ index b7d257b..4462c9e 100644 (rc, u) = semanage_user_create(self.sh) if rc < 0: -@@ -682,6 +782,16 @@ class seluserRecords(semanageRecords): - - mylog.log(1,"delete SELinux user record", name) - -+ def deleteall(self): -+ (rc, ulist) = semanage_user_list_local(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not list login mappings")) -+ -+ self.begin() -+ for u in ulist: -+ self.__delete(semanage_user_get_name(u)) -+ self.commit() -+ - def get_all(self, locallist = 0): - ddict = {} - if locallist: -@@ -702,6 +812,15 @@ class seluserRecords(semanageRecords): - - return ddict - -+ def customized(self): -+ l = [] -+ ddict = self.get_all(True) -+ keys = ddict.keys() -+ keys.sort() -+ for k in keys: -+ l.append("-a -r %s -R '%s' %s" % (ddict[k][2], ddict[k][3], k)) -+ return l -+ - def list(self, heading = 1, locallist = 0): - ddict = self.get_all(locallist) - keys = ddict.keys() -@@ -740,12 +859,16 @@ class portRecords(semanageRecords): - low = int(ports[0]) - high = int(ports[1]) - -+ if high > 65536: -+ raise ValueError(_("Invalid Port")) -+ - (rc, k) = semanage_port_key_create(self.sh, low, high, proto_d) - if rc < 0: - raise ValueError(_("Could not create a key for %s/%s") % (proto, port)) +@@ -864,6 +869,7 @@ class portRecords(semanageRecords): return ( k, proto_d, low, high ) def __add(self, port, proto, serange, type): @@ -4780,7 +3566,7 @@ index b7d257b..4462c9e 100644 if is_mls_enabled == 1: if serange == "": serange = "s0" -@@ -808,6 +931,7 @@ class portRecords(semanageRecords): +@@ -926,6 +932,7 @@ class portRecords(semanageRecords): self.commit() def __modify(self, port, proto, serange, setype): 
@@ -4788,72 +3574,7 @@ index b7d257b..4462c9e 100644 if serange == "" and setype == "": if is_mls_enabled == 1: raise ValueError(_("Requires setype or serange")) -@@ -942,6 +1066,18 @@ class portRecords(semanageRecords): - ddict[(ctype,proto_str)].append("%d-%d" % (low, high)) - return ddict - -+ def customized(self): -+ l = [] -+ ddict = self.get_all(True) -+ keys = ddict.keys() -+ keys.sort() -+ for k in keys: -+ if k[0] == k[1]: -+ l.append("-a -t %s -p %s %s" % (ddict[k][0], k[2], k[0])) -+ else: -+ l.append("-a -t %s -p %s %s-%s" % (ddict[k][0], k[2], k[0], k[1])) -+ return l -+ - def list(self, heading = 1, locallist = 0): - if heading: - print "%-30s %-8s %s\n" % (_("SELinux Port Type"), _("Proto"), _("Port Number")) -@@ -958,21 +1094,36 @@ class portRecords(semanageRecords): - class nodeRecords(semanageRecords): - def __init__(self, store = ""): - semanageRecords.__init__(self,store) -+ self.protocol = ["ipv4", "ipv6"] -+ -+ def validate(self, addr, mask, protocol): -+ newaddr=addr -+ newmask=mask -+ newprotocol="" - -- def __add(self, addr, mask, proto, serange, ctype): - if addr == "": - raise ValueError(_("Node Address is required")) - -- if mask == "": -- raise ValueError(_("Node Netmask is required")) -- -- if proto == "ipv4": -- proto = 0 -- elif proto == "ipv6": -- proto = 1 -- else: -+ # verify valid comination -+ if len(mask) == 0 or mask[0] == "/": -+ i = IP(addr + mask) -+ newaddr = i.strNormal(0) -+ newmask = str(i.netmask()) -+ if newmask == "0.0.0.0" and i.version() == 6: -+ newmask = "::" -+ -+ protocol = "ipv%d" % i.version() -+ -+ try: -+ newprotocol = self.protocol.index(protocol) -+ except: - raise ValueError(_("Unknown or missing protocol")) - -+ return newaddr, newmask, newprotocol -+ -+ def __add(self, addr, mask, proto, serange, ctype): -+ -+ addr, mask, proto = self.validate(addr, mask, proto) - - if is_mls_enabled == 1: - if serange == "": -@@ -991,11 +1142,13 @@ class nodeRecords(semanageRecords): +@@ -1136,7 +1143,8 @@ class 
nodeRecords(semanageRecords): (rc, exists) = semanage_node_exists(self.sh, k) if exists: @@ -4863,42 +3584,15 @@ index b7d257b..4462c9e 100644 (rc, node) = semanage_node_create(self.sh) if rc < 0: - raise ValueError(_("Could not create addr for %s") % addr) -+ semanage_node_set_proto(node, proto) - - rc = semanage_node_set_addr(self.sh, node, proto, addr) - (rc, con) = semanage_context_create(self.sh) -@@ -1005,8 +1158,7 @@ class nodeRecords(semanageRecords): - rc = semanage_node_set_mask(self.sh, node, proto, mask) +@@ -1152,7 +1160,6 @@ class nodeRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not set mask for %s") % addr) + - -- -+ rc = semanage_context_set_user(self.sh, con, "system_u") if rc < 0: raise ValueError(_("Could not set user in addr context for %s") % addr) -@@ -1042,18 +1194,8 @@ class nodeRecords(semanageRecords): - self.commit() - - def __modify(self, addr, mask, proto, serange, setype): -- if addr == "": -- raise ValueError(_("Node Address is required")) -- -- if mask == "": -- raise ValueError(_("Node Netmask is required")) -- if proto == "ipv4": -- proto = 0 -- elif proto == "ipv6": -- proto = 1 -- else: -- raise ValueError(_("Unknown or missing protocol")) - -+ addr, mask, proto = self.validate(addr, mask, proto) - - if serange == "" and setype == "": - raise ValueError(_("Requires setype or serange")) -@@ -1068,12 +1210,11 @@ class nodeRecords(semanageRecords): +@@ -1204,12 +1211,11 @@ class nodeRecords(semanageRecords): if not exists: raise ValueError(_("Addr %s is not defined") % addr) 
@@ -4912,70 +3606,7 @@ index b7d257b..4462c9e 100644 if serange != "": semanage_context_set_mls(self.sh, con, untranslate(serange)) if setype != "": -@@ -1092,18 +1233,8 @@ class nodeRecords(semanageRecords): - self.commit() - - def __delete(self, addr, mask, proto): -- if addr == "": -- raise ValueError(_("Node Address is required")) -- -- if mask == "": -- raise ValueError(_("Node Netmask is required")) - -- if proto == "ipv4": -- proto = 0 -- elif proto == "ipv6": -- proto = 1 -- else: -- raise ValueError(_("Unknown or missing protocol")) -+ addr, mask, proto = self.validate(addr, mask, proto) - - (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) - if rc < 0: -@@ -1132,6 +1263,16 @@ class nodeRecords(semanageRecords): - self.__delete(addr, mask, proto) - self.commit() - -+ def deleteall(self): -+ (rc, nlist) = semanage_node_list_local(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not deleteall node mappings")) -+ -+ self.begin() -+ for node in nlist: -+ self.__delete(semanage_node_get_addr(self.sh, node)[1], semanage_node_get_mask(self.sh, node)[1], self.protocol[semanage_node_get_proto(node)]) -+ self.commit() -+ - def get_all(self, locallist = 0): - ddict = {} - if locallist : -@@ -1145,15 +1286,20 @@ class nodeRecords(semanageRecords): - con = semanage_node_get_con(node) - addr = semanage_node_get_addr(self.sh, node) - mask = semanage_node_get_mask(self.sh, node) -- proto = semanage_node_get_proto(node) -- if proto == 0: -- proto = "ipv4" -- elif proto == 1: -- proto = "ipv6" -+ proto = self.protocol[semanage_node_get_proto(node)] - ddict[(addr[1], mask[1], proto)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con)) - - return ddict - -+ def customized(self): -+ l = [] -+ ddict = self.get_all(True) -+ keys = ddict.keys() -+ keys.sort() -+ for k in keys: -+ l.append("-a -M %s -p %s -t %s %s" % (k[1], k[2],ddict[k][2], k[0])) -+ return l -+ - def list(self, heading 
= 1, locallist = 0): - if heading: - print "%-18s %-18s %-5s %-5s\n" % ("IP Address", "Netmask", "Protocol", "Context") -@@ -1193,7 +1339,8 @@ class interfaceRecords(semanageRecords): +@@ -1334,7 +1340,8 @@ class interfaceRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if interface %s is defined") % interface) if exists: 
@@ -4985,98 +3616,7 @@ index b7d257b..4462c9e 100644 (rc, iface) = semanage_iface_create(self.sh) if rc < 0: -@@ -1307,6 +1454,16 @@ class interfaceRecords(semanageRecords): - self.__delete(interface) - self.commit() - -+ def deleteall(self): -+ (rc, ulist) = semanage_iface_list_local(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not delete all interface mappings")) -+ -+ self.begin() -+ for i in ulist: -+ self.__delete(semanage_iface_get_name(i)) -+ self.commit() -+ - def get_all(self, locallist = 0): - ddict = {} - if locallist: -@@ -1322,6 +1479,15 @@ class interfaceRecords(semanageRecords): - - return ddict - -+ def customized(self): -+ l = [] -+ ddict = self.get_all(True) -+ keys = ddict.keys() -+ keys.sort() -+ for k in keys: -+ l.append("-a -t %s %s" % (ddict[k][2], k)) -+ return l -+ - def list(self, heading = 1, locallist = 0): - if heading: - print "%-30s %s\n" % (_("SELinux Interface"), _("Context")) -@@ -1338,6 +1504,48 @@ class interfaceRecords(semanageRecords): - class fcontextRecords(semanageRecords): - def __init__(self, store = ""): - semanageRecords.__init__(self, store) -+ self.equiv = {} -+ self.equal_ind = False -+ try: -+ fd = open(selinux.selinux_file_context_subs_path(), "r") -+ for i in fd.readlines(): -+ src, dst = i.split() -+ self.equiv[src] = dst -+ fd.close() -+ except IOError: -+ pass -+ -+ def commit(self): -+ if self.equal_ind: -+ subs_file = selinux.selinux_file_context_subs_path() -+ tmpfile = "%s.tmp" % subs_file -+ fd = open(tmpfile, "w") -+ for src in self.equiv.keys(): -+ fd.write("%s %s\n" % (src, self.equiv[src])) -+ fd.close() -+ try: -+ os.chmod(tmpfile, os.stat(subs_file)[stat.ST_MODE]) -+ except: -+ pass -+ os.rename(tmpfile,subs_file) -+ self.equal_ind = False -+ semanageRecords.commit(self) -+ -+ def add_equal(self, src, dst): -+ self.begin() -+ if src in self.equiv.keys(): -+ raise ValueError(_("Equivalence class for %s already exists") % src) -+ self.equiv[src] = dst -+ self.equal_ind = True -+ self.commit() -+ 
-+ def modify_equal(self, src, dst): -+ self.begin() -+ if src not in self.equiv.keys(): -+ raise ValueError(_("Equivalence class for %s does not exists") % src) -+ self.equiv[src] = dst -+ self.equal_ind = True -+ self.commit() - - def createcon(self, target, seuser = "system_u"): - (rc, con) = semanage_context_create(self.sh) -@@ -1364,6 +1572,8 @@ class fcontextRecords(semanageRecords): - def validate(self, target): - if target == "" or target.find("\n") >= 0: - raise ValueError(_("Invalid file specification")) -+ if target.find(" ") != -1: -+ raise ValueError(_("File specification can not include spaces")) - - def __add(self, target, type, ftype = "", serange = "", seuser = "system_u"): - self.validate(target) -@@ -1388,7 +1598,8 @@ class fcontextRecords(semanageRecords): +@@ -1592,7 +1599,8 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Could not check if file context for %s is defined") % target) if exists: 
@@ -5086,62 +3626,21 @@ index b7d257b..4462c9e 100644 (rc, fcontext) = semanage_fcontext_create(self.sh) if rc < 0: -@@ -1504,9 +1715,16 @@ class fcontextRecords(semanageRecords): - raise ValueError(_("Could not delete the file context %s") % target) - semanage_fcontext_key_free(k) - -+ self.equiv = {} -+ self.equal_ind = True - self.commit() +@@ -1783,11 +1791,11 @@ class fcontextRecords(semanageRecords): + return l - def __delete(self, target, ftype): -+ if target in self.equiv.keys(): -+ self.equiv.pop(target) -+ self.equal_ind = True -+ return -+ - (rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % target) -@@ -1561,12 +1779,22 @@ class fcontextRecords(semanageRecords): - - return ddict - -+ def customized(self): -+ l = [] -+ fcon_dict = self.get_all(True) -+ keys = fcon_dict.keys() -+ keys.sort() -+ for k in keys: -+ if fcon_dict[k]: -+ l.append("-a -f '%s' -t %s '%s'" % (k[1], fcon_dict[k][2], k[0])) -+ return l -+ def list(self, heading = 1, locallist = 0 ): - if heading: - print "%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")) fcon_dict = self.get_all(locallist) keys = fcon_dict.keys() keys.sort() -+ if len(keys) > 0 and heading: ++ if len(keys) > 0 and heading: + print "%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")) for k in keys: if fcon_dict[k]: if is_mls_enabled: -@@ -1575,6 +1803,12 @@ class fcontextRecords(semanageRecords): - print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2]) - else: - print "%-50s %-18s <>" % (k[0], k[1]) -+ if len(self.equiv.keys()) > 0: -+ if heading: -+ print _("\nSELinux fcontext Equivalence \n") -+ -+ for src in self.equiv.keys(): -+ print "%s = %s" % (src, self.equiv[src]) - - class booleanRecords(semanageRecords): - def __init__(self, store = ""): -@@ -1587,6 +1821,18 @@ class booleanRecords(semanageRecords): +@@ -1814,6 +1822,18 @@ class 
booleanRecords(semanageRecords): self.dict["1"] = 1 self.dict["0"] = 0 @@ -5160,7 +3659,7 @@ index b7d257b..4462c9e 100644 def __mod(self, name, value): (rc, k) = semanage_bool_key_create(self.sh, name) if rc < 0: -@@ -1606,9 +1852,10 @@ class booleanRecords(semanageRecords): +@@ -1833,9 +1853,10 @@ class booleanRecords(semanageRecords): else: raise ValueError(_("You must specify one of the following values: %s") % ", ".join(self.dict.keys()) ) @@ -5174,7 +3673,7 @@ index b7d257b..4462c9e 100644 rc = semanage_bool_modify_local(self.sh, k, b) if rc < 0: raise ValueError(_("Could not modify boolean %s") % name) -@@ -1691,8 +1938,12 @@ class booleanRecords(semanageRecords): +@@ -1918,8 +1939,12 @@ class booleanRecords(semanageRecords): value = [] name = semanage_bool_get_name(boolean) value.append(semanage_bool_get_value(boolean)) 
@@ -5189,92 +3688,191 @@ index b7d257b..4462c9e 100644 ddict[name] = value return ddict -@@ -1706,6 +1957,16 @@ class booleanRecords(semanageRecords): - else: - return _("unknown") +diff --git a/policycoreutils/semodule_package/Makefile b/policycoreutils/semodule_package/Makefile +index 0a4a3a6..f84cd7e 100644 +--- a/policycoreutils/semodule_package/Makefile ++++ b/policycoreutils/semodule_package/Makefile +@@ -9,15 +9,17 @@ CFLAGS ?= -Werror -Wall -W + override CFLAGS += -I$(INCLUDEDIR) + LDLIBS = -lsepol -lselinux -L$(LIBDIR) -+ def customized(self): -+ l = [] -+ ddict = self.get_all(True) -+ keys = ddict.keys() -+ keys.sort() -+ for k in keys: -+ if ddict[k]: -+ l.append("-%s %s" % (ddict[k][2], k)) -+ return l -+ - def list(self, heading = True, locallist = False, use_file = False): - on_off = (_("off"), _("on")) - if use_file: -diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c -index 059f629..81d6a3c 100644 ---- a/policycoreutils/semodule/semodule.c -+++ b/policycoreutils/semodule/semodule.c -@@ -162,6 +162,7 @@ static void parse_command_line(int argc, char **argv) - {"noreload", 0, NULL, 'n'}, - {"build", 0, NULL, 'B'}, - {"disable_dontaudit", 0, NULL, 'D'}, -+ {"path", required_argument, NULL, 'p'}, - {NULL, 0, NULL, 0} - }; - int i; -@@ -170,7 +171,7 @@ static void parse_command_line(int argc, char **argv) - no_reload = 0; - create_store = 0; - while ((i = -- getopt_long(argc, argv, "s:b:hi:lvqe:d:r:u:RnBD", opts, -+ getopt_long(argc, argv, "p:s:b:hi:lvqe:d:r:u:RnBD", opts, - NULL)) != -1) { - switch (i) { - case 'b': -@@ -198,6 +199,9 @@ static void parse_command_line(int argc, char **argv) - case 'r': - set_mode(REMOVE_M, optarg); - break; -+ case 'p': -+ semanage_set_root(optarg); -+ break; - case 'u': - set_mode(UPGRADE_M, optarg); - break; -diff --git a/policycoreutils/semodule_expand/semodule_expand.8 b/policycoreutils/semodule_expand/semodule_expand.8 -index 22ad3be..35df2ed 100644 ---- 
a/policycoreutils/semodule_expand/semodule_expand.8 -+++ b/policycoreutils/semodule_expand/semodule_expand.8 -@@ -3,7 +3,7 @@ - semodule_expand \- Expand a SELinux policy module package. +-all: semodule_package ++all: semodule_package semodule_unpackage - .SH SYNOPSIS --.B semodule_expand [-V -c [version]] basemodpkg outputfile -+.B semodule_expand [-V ] [ -a ] [ -c [version]] basemodpkg outputfile - .br - .SH DESCRIPTION - .PP -@@ -22,6 +22,9 @@ show version - .TP - .B \-c [version] - policy version to create -+.TP -+.B \-a -+Check assertions. This will cause the policy to check all neverallow rules. + semodule_package: semodule_package.o + + install: all + -mkdir -p $(BINDIR) + install -m 755 semodule_package $(BINDIR) ++ install -m 755 semodule_unpackage $(BINDIR) + test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8 + install -m 644 semodule_package.8 $(MANDIR)/man8/ ++ install -m 644 semodule_unpackage.8 $(MANDIR)/man8/ + + relabel: - .SH SEE ALSO - .B checkmodule(8), semodule_package(8), semodule(8), semodule_link(8) diff --git a/policycoreutils/semodule_package/semodule_package.8 b/policycoreutils/semodule_package/semodule_package.8 -index fb41480..29c9eb2 100644 +index 29c9eb2..ddad2d2 100644 --- a/policycoreutils/semodule_package/semodule_package.8 
+++ b/policycoreutils/semodule_package/semodule_package.8 -@@ -45,7 +45,6 @@ netfilter context file to be included in the package. +@@ -44,7 +44,7 @@ File contexts file for the module (optional). + netfilter context file to be included in the package. .SH SEE ALSO - .B checkmodule(8), semodule(8) --(8), +-.B checkmodule(8), semodule(8) ++.B checkmodule(8), semodule(8), semodule_unpackage(8) .SH AUTHORS .nf This manual page was written by Dan Walsh . +diff --git a/policycoreutils/semodule_package/semodule_unpackage.8 b/policycoreutils/semodule_package/semodule_unpackage.8 +new file mode 100644 +index 0000000..62dd53e +--- /dev/null ++++ b/policycoreutils/semodule_package/semodule_unpackage.8 +@@ -0,0 +1,24 @@ ++.TH SEMODULE_PACKAGE "8" "Nov 2005" "Security Enhanced Linux" NSA ++.SH NAME ++semodule_unpackage \- Extract polciy module and file context file from an SELinux policy module unpackage. ++ ++.SH SYNOPSIS ++.B semodule_unpackage [] ++.br ++.SH DESCRIPTION ++.PP ++semodule_unpackage is the tool used to extract the SELinux policy module ++ and file context file from an SELinux Policy Package. ++ ++.SH EXAMPLE ++.nf ++# Extract the httpd module file from httpd policy package. ++$ semodule_unpackage httpd.pp httpd.mod httpd.fc ++.fi ++ ++.SH SEE ALSO ++.B semodule_package(8) ++.SH AUTHORS ++.nf ++This manual page was written by Dan Walsh . 
++The program was written by Stephen Smalley +diff --git a/policycoreutils/semodule_package/semodule_unpackage.c b/policycoreutils/semodule_package/semodule_unpackage.c +new file mode 100644 +index 0000000..0120ee4 +--- /dev/null ++++ b/policycoreutils/semodule_package/semodule_unpackage.c +@@ -0,0 +1,103 @@ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++char *progname = NULL; ++extern char *optarg; ++ ++static void usage(char *progname) ++{ ++ printf("usage: %s ppfile modfile [fcfile]\n", progname); ++ exit(1); ++} ++ ++static int file_to_policy_file(char *filename, struct sepol_policy_file **pf, char *mode) ++{ ++ FILE *f; ++ ++ if (sepol_policy_file_create(pf)) { ++ fprintf(stderr, "%s: Out of memory\n", progname); ++ return -1; ++ } ++ ++ f = fopen(filename, mode); ++ if (!f) { ++ fprintf(stderr, "%s: Could not open file %s: %s\n", progname, strerror(errno), filename); ++ return -1; ++ } ++ sepol_policy_file_set_fp(*pf, f); ++ return 0; ++} ++ ++int main(int argc, char **argv) ++{ ++ struct sepol_module_package *pkg; ++ struct sepol_policy_file *in, *out; ++ FILE *fp; ++ size_t len; ++ char *ppfile, *modfile, *fcfile = NULL, *fcdata; ++ ++ progname = argv[0]; ++ ++ if (argc < 3) { ++ usage(progname); ++ exit(1); ++ } ++ ++ ppfile = argv[1]; ++ modfile = argv[2]; ++ if (argc >= 3) ++ fcfile = argv[3]; ++ ++ if (file_to_policy_file(ppfile, &in, "r")) ++ exit(1); ++ ++ if (sepol_module_package_create(&pkg)) { ++ fprintf(stderr, "%s: Out of memory\n", progname); ++ exit(1); ++ } ++ ++ if (sepol_module_package_read(pkg, in, 0) == -1) { ++ fprintf(stderr, "%s: Error while reading policy module from %s\n", ++ progname, ppfile); ++ exit(1); ++ } ++ ++ if (file_to_policy_file(modfile, &out, "w")) ++ exit(1); ++ ++ if (sepol_policydb_write(sepol_module_package_get_policy(pkg), out)) { ++ fprintf(stderr, "%s: Error while writing module to %s\n", progname, modfile); ++ exit(1); ++ } 
++ ++ sepol_policy_file_free(in); ++ sepol_policy_file_free(out); ++ ++ len = sepol_module_package_get_file_contexts_len(pkg); ++ if (fcfile && len) { ++ fp = fopen(fcfile, "w"); ++ if (!fp) { ++ fprintf(stderr, "%s: Could not open file %s: %s\n", progname, strerror(errno), fcfile); ++ exit(1); ++ } ++ fcdata = sepol_module_package_get_file_contexts(pkg); ++ if (fwrite(fcdata, 1, len, fp) != len) { ++ fprintf(stderr, "%s: Could not write file %s: %s\n", progname, strerror(errno), fcfile); ++ exit(1); ++ } ++ fclose(fp); ++ } ++ ++ sepol_module_package_free(pkg); ++ exit(0); ++} +diff --git a/policycoreutils/sepolgen-ifgen/.gitignore b/policycoreutils/sepolgen-ifgen/.gitignore +new file mode 100644 +index 0000000..3816d2e +--- /dev/null ++++ b/policycoreutils/sepolgen-ifgen/.gitignore +@@ -0,0 +1 @@ ++sepolgen-ifgen-attr-helper diff --git a/policycoreutils/sepolgen-ifgen/Makefile b/policycoreutils/sepolgen-ifgen/Makefile new file mode 100644 -index 0000000..211580d +index 0000000..99f8fd0 --- /dev/null +++ b/policycoreutils/sepolgen-ifgen/Makefile @@ -0,0 +1,25 @@ @@ -5284,7 +3882,7 @@ index 0000000..211580d +LIBDIR ?= ${PREFIX}/lib +INCLUDEDIR ?= $(PREFIX)/include + -+CFLAGS ?= -Wall -W ++CFLAGS ?= -Werror -Wall -W +override CFLAGS += -I$(INCLUDEDIR) +LDLIBS = $(LIBDIR)/libsepol.a + @@ -5305,15 +3903,15 @@ index 0000000..211580d +relabel: ; diff --git a/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c b/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c new file mode 100644 -index 0000000..8f5c8e0 +index 0000000..1ce37b0 --- /dev/null +++ b/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c -@@ -0,0 +1,233 @@ +@@ -0,0 +1,232 @@ +/* Authors: Frank Mayer + * and Karl MacMillan + * + * Copyright (C) 2003,2010 Tresys Technology, LLC -+ * ++ * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2. 
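Review bot: In file_to_policy_file() the fopen() failure message has its arguments in the wrong order: the format is `"%s: Could not open file %s: %s\n"` but the call passes `progname, strerror(errno), filename`, so the errno text is printed where the filename belongs; the same swap is repeated in main() for the fcfile fopen() and fwrite() messages. The fix is `fprintf(stderr, "%s: Could not open file %s: %s\n", progname, filename, strerror(errno));` and likewise with `fcfile` for the two messages in main(). The optional-argument guard `if (argc >= 3) fcfile = argv[3];` is always true after the earlier `argc < 3` check and only yields NULL for argc == 3 because argv[argc] is the terminating NULL; `if (argc > 3)` states the intent, and the `exit(1)` after `usage()` is unreachable since usage() already exits. Separately, the new semodule_unpackage.8 still carries `.TH SEMODULE_PACKAGE` and "polciy" in its NAME line.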
@@ -5492,7 +4090,7 @@ index 0000000..8f5c8e0 + } + + fclose(fp); -+ ++ + return policydb; + +} @@ -5515,9 +4113,8 @@ index 0000000..8f5c8e0 + + /* Open the policy. */ + p = load_policy(argv[1]); -+ if (p == NULL) { ++ if (p == NULL) + return -1; -+ } + + /* Open the output policy. */ + fp = fopen(argv[2], "w"); @@ -5543,76 +4140,30 @@ index 0000000..8f5c8e0 + return 0; +} diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c -index b649d8f..38416d8 100644 +index e05761a..66cb950 100644 --- a/policycoreutils/setfiles/restore.c 
+++ b/policycoreutils/setfiles/restore.c -@@ -1,4 +1,5 @@ - #include "restore.h" -+#include - - #define SKIP -2 - #define ERR -1 -@@ -31,7 +32,6 @@ struct edir { +@@ -318,11 +318,16 @@ static int process_one(char *name, int recurse_this_path) - static file_spec_t *fl_head; --static int exclude(const char *file); - static int filespec_add(ino_t ino, const security_context_t con, const char *file); - static int only_changed_user(const char *a, const char *b); - struct restore_opts *r_opts = NULL; -@@ -53,7 +53,6 @@ void remove_exclude(const char *directory) - } - } - return; -- - } - - void restore_init(struct restore_opts *opts) -@@ -300,8 +299,14 @@ static int process_one(char *name, int recurse_this_path) - int rc = 0; - const char *namelist[2] = {name, NULL}; - dev_t dev_num = 0; -- FTS *fts_handle; -- FTSENT *ftsent; -+ FTS *fts_handle = NULL; -+ FTSENT *ftsent = NULL; -+ -+ if (r_opts == NULL){ + ftsent = fts_read(fts_handle); +- if (ftsent != NULL) { +- /* Keep the inode of the first one. 
*/ +- dev_num = ftsent->fts_statp->st_dev; ++ if (ftsent == NULL) { + fprintf(stderr, -+ "Must call initialize first!"); ++ "%s: error while labeling %s: %s\n", ++ r_opts->progname, namelist[0], strerror(errno)); + goto err; -+ } + } - fts_handle = fts_open((char **)namelist, r_opts->fts_flags, NULL); - if (fts_handle == NULL) { -@@ -357,11 +362,34 @@ err: - goto out; - } - -+int process_glob(char *name, int recurse) { -+ glob_t globbuf; -+ size_t i = 0; -+ int errors = 0; -+ memset(&globbuf, 0, sizeof(globbuf)); -+ globbuf.gl_offs = 0; -+ if (glob(name, -+ GLOB_TILDE | GLOB_PERIOD, -+ NULL, -+ &globbuf) >= 0) { -+ for (i = 0; i < globbuf.gl_pathc; i++) { -+ int len = strlen(globbuf.gl_pathv[i]) -2; -+ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len--], "/.") == 0) continue; -+ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0) continue; -+ errors |= process_one_realpath(globbuf.gl_pathv[i], recurse) < 0; -+ } -+ globfree(&globbuf); -+ } -+ else -+ errors |= process_one_realpath(name, recurse) < 0; -+ return errors; -+} ++ /* Keep the inode of the first one. */ ++ dev_num = ftsent->fts_statp->st_dev; + - int process_one_realpath(char *name, int recurse) + do { + rc = 0; + /* Skip the post order nodes. */ +@@ -388,7 +393,7 @@ int process_one_realpath(char *name, int recurse) { int rc = 0; char *p; 
@@ -5621,27 +4172,16 @@ index b649d8f..38416d8 100644 if (r_opts == NULL){ fprintf(stderr, -@@ -372,8 +400,9 @@ int process_one_realpath(char *name, int recurse) +@@ -399,7 +404,7 @@ int process_one_realpath(char *name, int recurse) if (!r_opts->expand_realpath) { return process_one(name, recurse); } else { - rc = lstat(name, &sb); + rc = lstat64(name, &sb); if (rc < 0) { -+ if (r_opts->ignore_enoent && errno == ENOENT) return 0; - fprintf(stderr, "%s: lstat(%s) failed: %s\n", - r_opts->progname, name, strerror(errno)); - return -1; -@@ -409,7 +438,7 @@ int process_one_realpath(char *name, int recurse) - } - } - --static int exclude(const char *file) -+int exclude(const char *file) - { - int i = 0; - for (i = 0; i < excludeCtr; i++) { -@@ -537,7 +566,7 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil + if (r_opts->ignore_enoent && errno == ENOENT) + return 0; +@@ -566,7 +571,7 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil { file_spec_t *prevfl, *fl; int h, ret; @@ -5650,7 +4190,7 @@ index b649d8f..38416d8 100644 if (!fl_head) { fl_head = malloc(sizeof(file_spec_t) * HASH_BUCKETS); -@@ -550,7 +579,7 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil +@@ -579,7 +584,7 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil for (prevfl = &fl_head[h], fl = fl_head[h].next; fl; prevfl = fl, fl = fl->next) { if (ino == fl->ino) { @@ -5659,7 +4199,7 @@ index b649d8f..38416d8 100644 if (ret < 0 || sb.st_ino != ino) { freecon(fl->con); free(fl->file); -@@ -602,5 +631,67 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil +@@ -631,5 +636,67 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil return -1; } 
@@ -5688,7 +4228,7 @@ index b649d8f..38416d8 100644 + fp = fopen("/proc/mounts", "r"); + if (!fp) + return; -+ + + while ((num = getline(&buf, &len, fp)) != -1) { + found = 0; + index = 0; @@ -5706,7 +4246,7 @@ index b649d8f..38416d8 100644 + buf); + continue; + } - ++ + /* remove pre-existing entry */ + remove_exclude(mount_info[1]); + @@ -5728,80 +4268,18 @@ index b649d8f..38416d8 100644 +} diff --git a/policycoreutils/setfiles/restore.h b/policycoreutils/setfiles/restore.h -index 03b82e8..8b50ff8 100644 +index 7e988d5..ac27222 100644 --- a/policycoreutils/setfiles/restore.h 
+++ b/policycoreutils/setfiles/restore.h -@@ -27,6 +27,7 @@ struct restore_opts { - int hard_links; - int verbose; - int logging; -+ int ignore_enoent; - char *rootpath; - int rootpathlen; - char *progname; -@@ -44,7 +45,10 @@ struct restore_opts { - void restore_init(struct restore_opts *opts); - void restore_finish(); - int add_exclude(const char *directory); -+int exclude(const char *path); +@@ -49,5 +49,6 @@ int exclude(const char *path); void remove_exclude(const char *directory); int process_one_realpath(char *name, int recurse); -+int process_glob(char *name, int recurse); - + int process_glob(char *name, int recurse); +void exclude_non_seclabel_mounts(); + #endif -diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 -index 1eb6a43..c8ea4bb 100644 ---- a/policycoreutils/setfiles/restorecon.8 -+++ b/policycoreutils/setfiles/restorecon.8 -@@ -4,10 +4,10 @@ restorecon \- restore file(s) default SELinux security contexts. - - .SH "SYNOPSIS" - .B restorecon --.I [\-o outfilename ] [\-R] [\-n] [\-v] [\-e directory ] pathname... -+.I [\-o outfilename ] [\-R] [\-n] [\-p] [\-v] [\-e directory ] pathname... - .P - .B restorecon --.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-v] [\-F] -+.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-p] [\-v] [\-F] - - .SH "DESCRIPTION" - This manual page describes the -@@ -40,6 +40,9 @@ don't change any file labels. - .TP - .B \-o outfilename - save list of files with incorrect context in outfilename. -+.TP -+.B \-p -+show progress by printing * every 1000 files. - .TP - .B \-v - show changes in file labels. -diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 -index ac68b94..7f700ca 100644 ---- a/policycoreutils/setfiles/setfiles.8 -+++ b/policycoreutils/setfiles/setfiles.8 -@@ -10,7 +10,7 @@ This manual page describes the - .BR setfiles - program. 
- .P --This program is primarily used to initialise the security context -+This program is primarily used to initialize the security context - database (extended attributes) on one or more filesystems. This - program is initially run as part of the SE Linux installation process. - .P -@@ -31,6 +31,9 @@ log changes in file labels to syslog. - .TP - .B \-n - don't change any file labels. -+.TP -+.B \-p -+show progress by printing * every 1000 files. - .TP - .B \-q - suppress non-error output. diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c -index 8f4f663..b0a7e09 100644 +index d320e9f..fa0cd6a 100644 --- a/policycoreutils/setfiles/setfiles.c +++ b/policycoreutils/setfiles/setfiles.c @@ -5,7 +5,6 @@ 
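Review bot: The new prototype `void exclude_non_seclabel_mounts();` in restore.h declares a function with unspecified arguments rather than none, so callers passing arguments by mistake are not diagnosed, and builds that add -Wstrict-prototypes to the `-Werror` flags this series enables elsewhere would reject it. Write it as `void exclude_non_seclabel_mounts(void);` and make the definition in restore.c match; that definition's header is outside this hunk, only its body is visible in the earlier hunks.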
@@ -5812,31 +4290,38 @@ index 8f4f663..b0a7e09 100644 #define __USE_XOPEN_EXTENDED 1 /* nftw */ #include #ifdef USE_AUDIT -@@ -25,7 +24,6 @@ static char *policyfile = NULL; +@@ -15,8 +14,6 @@ + #define AUDIT_FS_RELABEL 2309 + #endif + #endif +-static int mass_relabel; +-static int mass_relabel_errs; + + + /* cmdline opts*/ +@@ -24,7 +21,6 @@ static int mass_relabel_errs; + static char *policyfile = NULL; static int warn_no_match = 0; static int null_terminated = 0; - static int errors; --static int ignore_enoent; +-static int errors; static struct restore_opts r_opts; #define STAT_BLOCK_SIZE 1 -@@ -44,13 +42,13 @@ void usage(const char *const name) +@@ -108,10 +104,11 @@ int canoncon(char **contextp) + } + + #ifndef USE_AUDIT +-static void maybe_audit_mass_relabel(void) ++static void maybe_audit_mass_relabel(int mass_relabel __attribute__((unused)), ++ int mass_relabel_errs __attribute__((unused))) { - if (iamrestorecon) { - fprintf(stderr, -- "usage: %s [-iFnrRv0] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n", -+ "usage: %s [-iFnprRv0] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n", - name); - } else { - fprintf(stderr, - "usage: %s [-dnpqvW] [-o filename] [-r alt_root_path ] spec_file pathname...\n" - "usage: %s -c policyfile spec_file\n" -- "usage: %s -s [-dnqvW] [-o filename ] spec_file\n", name, name, -+ "usage: %s -s [-dnpqvW] [-o filename ] spec_file\n", name, name, - name); - } - exit(1); -@@ -138,69 +136,6 @@ static void maybe_audit_mass_relabel(void) + #else +-static void maybe_audit_mass_relabel(void) ++static void maybe_audit_mass_relabel(int mass_relabel, int mass_relabel_errs) + { + int audit_fd = -1; + int rc = 0; +@@ -137,69 +134,6 @@ static void maybe_audit_mass_relabel(void) #endif } 
@@ -5906,89 +4391,22 @@ index 8f4f663..b0a7e09 100644 int main(int argc, char **argv) { struct stat sb; -@@ -335,7 +270,7 @@ int main(int argc, char **argv) - r_opts.debug = 1; - break; - case 'i': -- ignore_enoent = 1; -+ r_opts.ignore_enoent = 1; - break; - case 'l': - r_opts.logging = 1; -@@ -371,7 +306,7 @@ int main(int argc, char **argv) - break; - } - if (optind + 1 >= argc) { -- fprintf(stderr, "usage: %s -r r_opts.rootpath\n", -+ fprintf(stderr, "usage: %s -r rootpath\n", - argv[0]); - exit(1); - } -@@ -475,7 +410,7 @@ int main(int argc, char **argv) - buf[len - 1] = 0; - if (!strcmp(buf, "/")) - mass_relabel = 1; -- errors |= process_one_realpath(buf, recurse) < 0; -+ errors |= process_glob(buf, recurse) < 0; - } - if (strcmp(input_filename, "-") != 0) - fclose(f); -@@ -483,7 +418,8 @@ int main(int argc, char **argv) - for (i = optind; i < argc; i++) { - if (!strcmp(argv[i], "/")) - mass_relabel = 1; -- errors |= process_one_realpath(argv[i], recurse) < 0; -+ -+ errors |= process_glob(argv[i], recurse) < 0; +@@ -210,6 +144,7 @@ int main(int argc, char **argv) + size_t buf_len; + int recurse; /* Recursive descent. */ + char *base; ++ int mass_relabel = 0, errors = 0; + + memset(&r_opts, 0, sizeof(r_opts)); + +@@ -487,9 +422,7 @@ int main(int argc, char **argv) } } -diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8 -index 4b13387..2b66bad 100644 ---- a/policycoreutils/setsebool/setsebool.8 -+++ b/policycoreutils/setsebool/setsebool.8 -@@ -16,7 +16,7 @@ affected; the boot-time default settings - are not changed. - - If the -P option is given, all pending values are written to --the policy file on disk. So they will be persistant across reboots. -+the policy file on disk. So they will be persistent across reboots. - - .SH AUTHOR - This manual page was written by Dan Walsh . 
-diff --git a/policycoreutils/setsebool/setsebool.c b/policycoreutils/setsebool/setsebool.c -index dc037dd..d6c041b 100644 ---- a/policycoreutils/setsebool/setsebool.c -+++ b/policycoreutils/setsebool/setsebool.c -@@ -82,8 +82,13 @@ static int selinux_set_boolean_list(size_t boolcnt, - if (errno == ENOENT) - fprintf(stderr, "Could not change active booleans: " - "Invalid boolean\n"); -- else if (errno) -- perror("Could not change active booleans"); -+ else if (errno) { -+ if (getuid() == 0) { -+ perror("Could not change active booleans"); -+ } else { -+ perror("Could not change active booleans. Please try as root"); -+ } -+ } - - return -1; - } -@@ -115,8 +120,13 @@ static int semanage_set_boolean_list(size_t boolcnt, - goto err; - - } else if (managed == 0) { -- fprintf(stderr, -- "Cannot set persistent booleans without managed policy.\n"); -+ if (getuid() == 0) { -+ fprintf(stderr, -+ "Cannot set persistent booleans without managed policy.\n"); -+ } else { -+ fprintf(stderr, -+ "Cannot set persistent booleans, please try as root.\n"); -+ } - goto err; - } +- if (mass_relabel) +- mass_relabel_errs = errors; +- maybe_audit_mass_relabel(); ++ maybe_audit_mass_relabel(mass_relabel, errors); + if (warn_no_match) + selabel_stats(r_opts.hnd); diff --git a/policycoreutils.spec b/policycoreutils.spec index 7eb97f1..1d33fc4 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,13 +1,13 @@ %define libauditver 1.4.2-1 -%define libsepolver 2.0.44-2 -%define libsemanagever 2.0.46-6 -%define libselinuxver 2.0.90-3 +%define libsepolver 2.1.0-1 +%define libsemanagever 2.1.0-0 +%define libselinuxver 2.1.0-1 %define sepolgenver 1.0.23 Summary: SELinux policy core utilities Name: policycoreutils -Version: 2.0.86 -Release: 18%{?dist} +Version: 2.1.4 +Release: 1%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 
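Review bot: The call `maybe_audit_mass_relabel(mass_relabel, errors);` replaces `if (mass_relabel) mass_relabel_errs = errors;`, so the error count now reaches the callee even when no mass relabel happened; whether that alters the audit record depends on the USE_AUDIT body of maybe_audit_mass_relabel(), which is outside the hunk, so confirm it still gates on `mass_relabel` before emitting AUDIT_FS_RELABEL. Also note that `errors` and `mass_relabel` moved from file-static variables to locals of main(), so any other function in setfiles.c that referenced them would no longer compile; only main() is visible here. The `__attribute__((unused))` annotations on the non-audit variant are the right way to keep the `-Werror -W` build clean.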
@@ -184,7 +184,7 @@ The policycoreutils-sandbox package contains the scripts to create graphical san %{_datadir}/sandbox/start %attr(0755,root,root) %caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare %{_mandir}/man8/seunshare.8* -%{_mandir}/man5/sandbox.conf.5* +%{_mandir}/man5/sandbox.5* %triggerin python -- selinux-policy selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 2>/dev/null 
@@ -349,6 +349,83 @@ fi /bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog +* Thu Aug 18 2011 Dan Walsh - 2.1.4-1 +-Update to upstream +2.1.4 2011-08-17 + * run_init: clarification of the usage in the + * semanage: fix usage header around booleans + * semanage: remove useless empty lines + * semanage: update man page with new examples + * semanage: update usage text + * semanage: introduce file context equivalencies + * semanage: enable and disable modules + * semanage: output all local modifications + * semanage: introduce extraction of local configuration + * semanage: cleanup error on invalid operation + * semanage: handle being called with no arguments + * semanage: return sooner to save CPU time + * semanage: surround getopt with try/except + * semanage: use define/raise instead of lots of + * semanage: some options are only valid for + * semanage: introduce better deleteall support + * semanage: do not allow spaces in file + * semanage: distinguish between builtin and local permissive + * semanage: centralized ip node handling + * setfiles: make the restore function exclude() non-static + * setfiles: use glob to handle ~ and + * fixfiles: do not hard code types + * fixfiles: stop trying to be smart about + * fixfiles: use new kernel seclabel option + * fixfiles: pipe everything to cat before sending + * fixfiles: introduce /etc/selinux/fixfiles_exclude_dirs + * semodule: support for alternative root paths + +2.1.3 2011-08-03 + * semanage: fix indention + * semodule_package: fix man page typo + * semodule_expand: update man page with -a + * semanage: handle os errors + * semanage: fix traceback with bad options + * semanage: show usage on -h or --help + * semanage: introduce more deleteall options + * semanage: verify ports < 65536 + * transaction into semanageRecords + * make get_handle a method of semanageRecords + * remove a needless blank line + * make process_one error if not initialized correctly + * fixfiles: correct usage 
for r_opts.rootpath + * put -p in help for restorecon and + * fixfiles: do not try to only label + * fixfiles clean up /var/run and /var/lib/debug + * fixfiles delete tmp sockets and pipes rather + * fixfile use find -delete instead of pipe + * chcat man page typo + * add man page for genhomedircon + * setfiles fix typo + * setsebool should inform users they need to + * setsebool typos + * open_init_tty man page typos + * Don't add user site directory to sys.path + * newrole retain CAP_SETPCAP + +2.1.2 2011-08-02 + * seunshare: define _GNU_SOURCE earlier + * make ignore_enoent do something + * restorecond: first user logged in is not noticed + * Repo: update .gitignore + +2.1.1 2011-08-01 + * Man page updates + * restorecon fix for bad inotify assumptions + +2.1.0 2011-07-27 + * Release, minor version bump + +* Tue Jul 26 2011 Dan Walsh 2.0.86-20 +- Fix sepolgen usage statement +- Stop using -k insandbox +- Fix seunshare usage statement + * Thu Jul 7 2011 Dan Walsh 2.0.86-18 - Change seunshare to send kill signals to the childs session. - Also add signal handler to catch sigint, so if user enters ctrl-C sandbox will shutdown. diff --git a/sources b/sources index c65b198..53b109d 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ 49faa2e5f343317bcfcf34d7286f6037 sepolgen-1.0.23.tgz 59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2 -13d864a8a6f8a933ef7aee7baf4a9662 policycoreutils-2.0.86.tgz +7e1e18c09798ffb44913bce3d60c667d policycoreutils-2.1.4.tgz