* Fri Oct 9 2006 Dan Walsh <dwalsh@redhat.com> 1.32-1

- Add newrole audit patch from sgrubb
- Update to upstream
	* Merged audit2allow -l fix from Yuichi Nakamura.
	* Merged restorecon -i and -o - support from Karl MacMillan.
	* Merged semanage/seobject fix from Dan Walsh.
	* Merged fixfiles -R and verify changes from Dan Walsh.
This commit is contained in:
Daniel J Walsh 2006-10-20 13:08:28 +00:00
parent 12eda6fb9a
commit d0a35325c9
5 changed files with 392 additions and 5944 deletions

View File

@ -114,3 +114,4 @@ policycoreutils-1.30.27.tgz
policycoreutils-1.30.28.tgz policycoreutils-1.30.28.tgz
policycoreutils-1.30.29.tgz policycoreutils-1.30.29.tgz
policycoreutils-1.30.30.tgz policycoreutils-1.30.30.tgz
policycoreutils-1.32.tgz

File diff suppressed because it is too large Load Diff

View File

@ -1,195 +1,17 @@
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/audit2allow/avc.py policycoreutils-1.30.30/audit2allow/avc.py diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-1.32/newrole/newrole.c
--- nsapolicycoreutils/audit2allow/avc.py 2006-09-14 08:07:24.000000000 -0400 --- nsapolicycoreutils/newrole/newrole.c 2006-09-29 11:50:09.000000000 -0400
+++ policycoreutils-1.30.30/audit2allow/avc.py 2006-09-29 12:58:24.000000000 -0400 +++ policycoreutils-1.32/newrole/newrole.c 2006-10-20 09:04:57.000000000 -0400
@@ -357,6 +357,15 @@ @@ -680,6 +680,7 @@
break
else:
dict.append(i)
+
+ if not found:
+ regexp = "audit\(\d+\.\d+:\d+\): policy loaded"
+ m = re.match(regexp, line)
+ if m !=None:
+ found =1
+ dict.append("load_policy")
+ dict.append("granted")
+
if found:
self.translate(dict)
found = 0
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/restorecon/restorecon.8 policycoreutils-1.30.30/restorecon/restorecon.8
--- nsapolicycoreutils/restorecon/restorecon.8 2006-08-28 16:58:19.000000000 -0400
+++ policycoreutils-1.30.30/restorecon/restorecon.8 2006-09-29 12:58:24.000000000 -0400
@@ -23,6 +23,9 @@
.SH "OPTIONS"
.TP
+.B \-i
+ignore files that do not exist
+.TP
.B \-f infilename
infilename contains a list of files to be processed by application. Use \- for stdin.
.TP
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.30.30/restorecon/restorecon.c
--- nsapolicycoreutils/restorecon/restorecon.c 2006-09-01 22:32:11.000000000 -0400
+++ policycoreutils-1.30.30/restorecon/restorecon.c 2006-09-29 12:58:24.000000000 -0400
@@ -11,9 +11,10 @@
* restorecon [-Rnv] pathname...
*
* -e Specify directory to exclude
+ * -i Ignore error if file does not exist
* -n Do not change any file labels.
* -v Show changes in file labels.
- * -o filename save list of files with incorrect context
+ * -o filename save list of files with incorrect context
* -F Force reset of context to match file_context for customizable files
*
* pathname... The file(s) to label
@@ -41,12 +42,14 @@
#include <ftw.h>
static int change = 1;
+static int change_ctr = 0;
static int verbose = 0;
static int progress = 0;
static FILE *outfile = NULL;
static char *progname;
static int errors = 0;
static int recurse = 0;
+static int file_exist = 1;
static int force = 0;
#define STAT_BLOCK_SIZE 1
static int pipe_fds[2] = { -1, -1 };
@@ -62,6 +65,7 @@
static int add_exclude(const char *directory)
{ {
struct stat sb; fprintf(stderr, _("newrole: incorrect password for %s\n"),
+ int len=0; pw->pw_name);
if (directory == NULL || directory[0] != '/') { + send_audit_message(0, old_context, new_context, ttyn);
fprintf(stderr, "Full path required for exclude: %s.\n", return (-1);
directory);
@@ -85,12 +89,18 @@
return 1;
} }
/* If we reach here, then we have authenticated the user. */
- excludeArray[excludeCtr].directory = strdup(directory); diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-1.32/restorecond/Makefile
+ len = strlen(directory);
+ if (len > 1 && directory[len-1] == '/') {
+ excludeArray[excludeCtr].directory = calloc(1,len--);
+ strncpy(excludeArray[excludeCtr].directory, directory, len);
+ } else
+ excludeArray[excludeCtr].directory = strdup(directory);
+
if (!excludeArray[excludeCtr].directory) {
fprintf(stderr, "Out of memory.\n");
return 1;
}
- excludeArray[excludeCtr++].size = strlen(directory);
+ excludeArray[excludeCtr++].size = len;
return 0;
}
@@ -129,7 +139,7 @@
void usage(const char *const name)
{
fprintf(stderr,
- "usage: %s [-FnrRv] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n",
+ "usage: %s [-iFnrRv] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n",
name);
exit(1);
}
@@ -160,6 +170,8 @@
}
if (lstat(filename, &st) != 0) {
+ if (!file_exist && errno == ENOENT)
+ return 0;
fprintf(stderr, "lstat(%s) failed: %s\n", filename,
strerror(errno));
return 1;
@@ -249,7 +261,10 @@
freecon(scontext);
return 1;
}
- }
+ }
+ else
+ change_ctr++;
+
if (verbose)
printf("%s reset %s context %s->%s\n",
progname, filename,
@@ -322,6 +337,8 @@
close(pipe_fds[1]);
if (rc == -1 || rc > 0) {
if (nftw(buf, apply_spec, 1024, FTW_PHYS)) {
+ if (!file_exist && errno == ENOENT)
+ return;
fprintf(stderr,
"%s: error while labeling files under %s\n",
progname, buf);
@@ -351,13 +368,17 @@
progname = argv[0];
if (is_selinux_enabled() <= 0)
exit(0);
+
set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
- while ((opt = getopt(argc, argv, "pFrRnvf:o:e:")) > 0) {
+ while ((opt = getopt(argc, argv, "ipFrRnvf:o:e:")) > 0) {
switch (opt) {
case 'n':
change = 0;
break;
+ case 'i':
+ file_exist = 0;
+ break;
case 'r':
case 'R':
recurse = 1;
@@ -370,13 +391,17 @@
exit(1);
break;
case 'o':
- outfile = fopen(optarg, "w");
- if (!outfile) {
- fprintf(stderr, "Error opening %s: %s\n",
- optarg, strerror(errno));
- usage(argv[0]);
+ if (strcmp(optarg,"-") == 0)
+ outfile=stdout;
+ else {
+ outfile = fopen(optarg, "w");
+ if (!outfile) {
+ fprintf(stderr, "Error opening %s: %s\n",
+ optarg, strerror(errno));
+ usage(argv[0]);
+ }
+ __fsetlocking(outfile, FSETLOCKING_BYCALLER);
}
- __fsetlocking(outfile, FSETLOCKING_BYCALLER);
break;
case 'v':
if (progress) {
@@ -421,6 +446,7 @@
if (strcmp(file_name, "-") != 0)
fclose(f);
} else {
+ if (optind >= argc) usage(argv[0]);
for (i = optind; i < argc; i++) {
process(argv[i]);
}
@@ -428,5 +454,7 @@
if (outfile)
fclose(outfile);
+ if (! change) return change_ctr;
+
return errors;
}
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-1.30.30/restorecond/Makefile
--- nsapolicycoreutils/restorecond/Makefile 2006-08-28 16:58:19.000000000 -0400 --- nsapolicycoreutils/restorecond/Makefile 2006-08-28 16:58:19.000000000 -0400
+++ policycoreutils-1.30.30/restorecond/Makefile 2006-09-29 13:01:57.000000000 -0400 +++ policycoreutils-1.32/restorecond/Makefile 2006-10-17 12:59:55.000000000 -0400
@@ -5,8 +5,9 @@ @@ -5,8 +5,9 @@
INITDIR = $(DESTDIR)/etc/rc.d/init.d INITDIR = $(DESTDIR)/etc/rc.d/init.d
SELINUXDIR = $(DESTDIR)/etc/selinux SELINUXDIR = $(DESTDIR)/etc/selinux
@ -202,74 +24,31 @@ diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/restore
LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib
all: restorecond all: restorecond
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.30.30/scripts/fixfiles diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.32/semanage/semanage.8
--- nsapolicycoreutils/scripts/fixfiles 2006-09-01 22:32:11.000000000 -0400 --- nsapolicycoreutils/semanage/semanage.8 2006-09-14 08:07:24.000000000 -0400
+++ policycoreutils-1.30.30/scripts/fixfiles 2006-09-29 12:58:24.000000000 -0400 +++ policycoreutils-1.32/semanage/semanage.8 2006-10-19 07:55:00.000000000 -0400
@@ -117,8 +117,8 @@ @@ -7,7 +7,7 @@
exit $? .br
fi .B semanage login \-{a|d|m} [\-sr] login_name
if [ ! -z "$RPMFILES" ]; then .br
- for i in `echo $RPMFILES | sed 's/,/ /g'`; do -.B semanage user \-{a|d|m} [\-LrR] selinux_name
- rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $* -f - 2>&1 >> $LOGFILE +.B semanage user \-{a|d|m} [\-LrRP] selinux_name
+ for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do .br
+ rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -i -f - 2>&1 >> $LOGFILE .B semanage port \-{a|d|m} [\-tr] [\-p protocol] port | port_range
done .br
exit $? @@ -71,6 +71,9 @@
fi .I \-R, \-\-role
@@ -219,7 +219,7 @@ SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
# check if they specified both DIRS and RPMFILES
#
-if [ ! -z $RPMFILES ]; then
+if [ ! -z "$RPMFILES" ]; then
if [ $OPTIND -le $# ]; then
usage
fi
@@ -236,6 +236,7 @@
case "$command" in
restore) restore -p ;;
check) restore -n -v ;;
+ verify) restore -n -o -;;
relabel) relabel;;
*)
usage
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-1.30.30/scripts/fixfiles.8
--- nsapolicycoreutils/scripts/fixfiles.8 2006-08-28 16:58:19.000000000 -0400
+++ policycoreutils-1.30.30/scripts/fixfiles.8 2006-09-29 12:58:24.000000000 -0400
@@ -3,9 +3,9 @@
fixfiles \- fix file security contexts.
.SH "SYNOPSIS"
-.B fixfiles [-F] [ -R rpmpackagename[,rpmpackagename...] ] [ -C PREVIOUS_FILECONTEXT ] [-l logfile ] [-o outputfile ] { check | restore | [-F] relabel }"
+.B fixfiles [-F] [ -R rpmpackagename[,rpmpackagename...] ] [ -C PREVIOUS_FILECONTEXT ] [-l logfile ] [-o outputfile ] { check | restore | [-F] relabel | verify }"
-.B fixfiles [-F] [-l logfile ] [-o outputfile ] { check | restore|[-f] relabel } [[dir/file] ... ]
+.B fixfiles [-F] [-l logfile ] [-o outputfile ] { check | restore|[-f] relabel | verify } [[dir/file] ... ]
.SH "DESCRIPTION"
This manual page describes the
@@ -48,7 +48,7 @@
One of:
.TP .TP
.B check +.I \-P, \-\-prefix
-show any incorrect file context labels but do not change them. +SELinux Prefix. Prefix added to home_dir_t and home_t for labeling users home directories.
+print any incorrect file context labels, showing old and new context, but do not change them.
.TP
.B restore
change any incorrect file context labels.
@@ -56,6 +56,9 @@
.B relabel
Prompt for removal of contents of /tmp directory and then change any inccorect file context labels to match the install file_contexts file.
.TP
+.B verify
+List out files with incorrect file context labels, but do not change them.
+.TP +.TP
.B [[dir/file] ... ] .I \-s, \-\-seuser
List of files or directories trees that you wish to check file context on. SELinux user name
.TP
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.30.30/semanage/seobject.py diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.32/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2006-09-14 08:07:24.000000000 -0400 --- nsapolicycoreutils/semanage/seobject.py 2006-10-17 12:04:55.000000000 -0400
+++ policycoreutils-1.30.30/semanage/seobject.py 2006-09-29 12:58:48.000000000 -0400 +++ policycoreutils-1.32/semanage/seobject.py 2006-10-17 12:59:55.000000000 -0400
@@ -456,7 +456,8 @@ @@ -456,7 +456,8 @@
rc = semanage_user_set_mlslevel(self.sh, u, selevel) rc = semanage_user_set_mlslevel(self.sh, u, selevel)
if rc < 0: if rc < 0:
@ -280,15 +59,7 @@ diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/semanag
rc = semanage_user_set_prefix(self.sh, u, prefix) rc = semanage_user_set_prefix(self.sh, u, prefix)
if rc < 0: if rc < 0:
raise ValueError(_("Could not add prefix %s for %s") % (r, prefix)) raise ValueError(_("Could not add prefix %s for %s") % (r, prefix))
@@ -486,6 +487,7 @@ @@ -522,7 +523,9 @@
def modify(self, name, roles = [], selevel = "", serange = "", prefix = ""):
oldroles = ""
+ oldserange = ""
newroles = string.join(roles, ' ');
try:
if prefix == "" and len(roles) == 0 and serange == "" and selevel == "":
@@ -521,7 +523,9 @@
semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
if prefix != "": if prefix != "":

View File

@ -1,10 +1,10 @@
%define libauditver 1.1.4-3 %define libauditver 1.1.4-3
%define libsepolver 1.12.27-1 %define libsepolver 1.12.28-1
%define libsemanagever 1.6.17-1 %define libsemanagever 1.6.17-1
%define libselinuxver 1.30.27-1 %define libselinuxver 1.30.29-2
Summary: SELinux policy core utilities. Summary: SELinux policy core utilities.
Name: policycoreutils Name: policycoreutils
Version: 1.30.30 Version: 1.32
Release: 1 Release: 1
License: GPL License: GPL
Group: System Environment/Base Group: System Environment/Base
@ -59,6 +59,19 @@ make LOG_AUDIT_PRIV=y DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" in
%clean %clean
rm -rf %{buildroot} rm -rf %{buildroot}
%package newrole
Summary: newrole application for RBAC/MLS
Group: Development/Libraries
Requires: policycoreutils = %{version}-%{release}
%description newrole
RBAC/MLS policy machines require newrole as a way of changing the role
or level of a logged in user.
%files newrole
%{_bindir}/newrole
%{_mandir}/man1/newrole.1.gz
%files -f %{name}.lang %files -f %{name}.lang
%defattr(-,root,root) %defattr(-,root,root)
/sbin/restorecon /sbin/restorecon
@ -74,7 +87,6 @@ rm -rf %{buildroot}
%{_sbindir}/sestatus %{_sbindir}/sestatus
%{_sbindir}/run_init %{_sbindir}/run_init
%{_sbindir}/open_init_pty %{_sbindir}/open_init_pty
%{_bindir}/newrole
%{_bindir}/audit2allow %{_bindir}/audit2allow
%{_bindir}/chcat %{_bindir}/chcat
%{_bindir}/secon %{_bindir}/secon
@ -101,7 +113,6 @@ rm -rf %{buildroot}
%{_mandir}/man8/setsebool.8.gz %{_mandir}/man8/setsebool.8.gz
%{_mandir}/man8/run_init.8.gz %{_mandir}/man8/run_init.8.gz
%{_mandir}/man1/audit2allow.1.gz %{_mandir}/man1/audit2allow.1.gz
%{_mandir}/man1/newrole.1.gz
%{_mandir}/man1/secon.1.gz %{_mandir}/man1/secon.1.gz
%config %{_sysconfdir}/pam.d/newrole %config %{_sysconfdir}/pam.d/newrole
%config %{_sysconfdir}/pam.d/run_init %config %{_sysconfdir}/pam.d/run_init
@ -122,6 +133,17 @@ fi
[ -x /sbin/service ] && /sbin/service restorecond condrestart [ -x /sbin/service ] && /sbin/service restorecond condrestart
%changelog %changelog
* Fri Oct 9 2006 Dan Walsh <dwalsh@redhat.com> 1.32-1
- Add newrole audit patch from sgrubb
- Update to upstream
* Merged audit2allow -l fix from Yuichi Nakamura.
* Merged restorecon -i and -o - support from Karl MacMillan.
* Merged semanage/seobject fix from Dan Walsh.
* Merged fixfiles -R and verify changes from Dan Walsh.
* Fri Oct 6 2006 Dan Walsh <dwalsh@redhat.com> 1.30.30-2
- Separate out newrole into its own package
* Fri Sep 29 2006 Dan Walsh <dwalsh@redhat.com> 1.30.30-1 * Fri Sep 29 2006 Dan Walsh <dwalsh@redhat.com> 1.30.30-1
- Update to upstream - Update to upstream
* Merged newrole auditing of failures due to user actions from * Merged newrole auditing of failures due to user actions from

View File

@ -1 +1 @@
d21b5be848a6654e4af607b90753836d policycoreutils-1.30.30.tgz ebc0633aab2735c27a78e6c3f478143e policycoreutils-1.32.tgz