From f1e361ef1cce35e9e9ff64ffdfe93ad7cfdf2b59 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 4 Jan 2006 18:53:16 +0000
Subject: [PATCH] * Wed Jan 4 2006 Dan Walsh 1.29.3-1 - Update to match NSA * Merged semanage getpwnam bug fix from Serge Hallyn (IBM). * Merged patch series from Ivan Gyurdiev. This includes patches to: - cleanup setsebool - update setsebool to apply active booleans through libsemanage - update semodule to use the new semanage_set_rebuild() interface - fix various bugs in semanage * Merged patch from Dan Walsh (Red Hat). This includes fixes for restorecon, chcat, fixfiles, genhomedircon, and semanage.
---
.cvsignore | 1 +
policycoreutils-rhat.patch | 1581 ++++--------------------------------
policycoreutils.spec | 23 +-
sources | 2 +-
4 files changed, 188 insertions(+), 1419 deletions(-)
diff --git a/.cvsignore b/.cvsignore
index 0f805fc..2e402af 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -76,3 +76,4 @@ policycoreutils-1.27.37.tgz
 policycoreutils-1.28.tgz
 policycoreutils-1.29.1.tgz
 policycoreutils-1.29.2.tgz
+policycoreutils-1.29.3.tgz
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index fcfed96..7a1153a 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1,1470 +1,225 @@ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.8 policycoreutils-1.29.2/restorecon/restorecon.8 ---- nsapolicycoreutils/restorecon/restorecon.8 2005-12-08 12:59:25.000000000 -0500 -+++ policycoreutils-1.29.2/restorecon/restorecon.8 2006-01-02 14:35:46.000000000 -0500 -@@ -45,7 +45,7 @@ - show changes in file labels, if type, role, or user are changing. - .TP - .B \-F --Force reset of context to match file_context for customizable files -+Force reset of context to match file_context for customizable files, or the user section, if it has changed. - .TP - .SH "ARGUMENTS" - .B pathname... -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.29.2/restorecon/restorecon.c ---- nsapolicycoreutils/restorecon/restorecon.c 2005-12-08 12:59:25.000000000 -0500 -+++ policycoreutils-1.29.2/restorecon/restorecon.c 2006-01-02 14:33:52.000000000 -0500 -@@ -112,18 +112,16 @@ - void usage(const char * const name) - { - fprintf(stderr, -- "usage: %s [-rRnv] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n", name); -+ "usage: %s [-FnrRv] [-e excludedir ] [-o filename ] [-f filename | pathname... 
]\n", name); - exit(1); - } - int restore(char *filename) { - int retcontext=0; -- int retval=0; - security_context_t scontext=NULL; - security_context_t prev_context=NULL; - int len=strlen(filename); - struct stat st; - char path[PATH_MAX+1]; -- int user_only_changed=0; - /* - Eliminate trailing / - */ -@@ -175,8 +173,7 @@ - if (excludeCtr > 0 && exclude(filename)) { - return 0; - } -- retval = matchpathcon(filename, st.st_mode, &scontext); -- if (retval < 0) { -+ if (matchpathcon(filename, st.st_mode, &scontext) < 0) { - if (errno == ENOENT) - return 0; - fprintf(stderr,"matchpathcon(%s) failed %s\n", filename,strerror(errno)); -@@ -194,27 +191,24 @@ - if (retcontext < 0 || force || - (strcmp(prev_context,scontext) != 0 && - !(customizable=is_context_customizable(prev_context) > 0))) { -- if (outfile) { -- fprintf(outfile, "%s\n", filename); -- } -- user_only_changed = only_changed_user(scontext, prev_context); -- if (change && !user_only_changed) { -- retval=lsetfilecon(filename,scontext); -- } -- if (retval<0) { -- fprintf(stderr,"%s set context %s->%s failed:'%s'\n", -- progname, filename, scontext, strerror(errno)); -- if (retcontext >= 0) -- freecon(prev_context); -- freecon(scontext); -- return 1; -- } else -- if (verbose && -- (verbose > 1 || !user_only_changed)) -+ if (only_changed_user(scontext, prev_context) == 0) { -+ if (outfile) fprintf(outfile, "%s\n", filename); -+ if (change) { -+ if (lsetfilecon(filename,scontext) < 0) { -+ fprintf(stderr,"%s set context %s->%s failed:'%s'\n", -+ progname, filename, scontext, strerror(errno)); -+ if (retcontext >= 0) -+ freecon(prev_context); -+ freecon(scontext); -+ return 1; -+ } -+ } -+ if (verbose) - printf("%s reset %s context %s->%s\n", -- progname, filename, (retcontext >= 0 ? prev_context : ""), scontext); -+ progname, filename, (retcontext >= 0 ? prev_context : ""), scontext); -+ } - } -- if (verbose > 1 && customizable>0) { -+ if (verbose > 1 && ! 
force && customizable>0) { - printf("%s: %s not reset customized by admin to %s\n", - progname, filename, prev_context); - } -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.2/scripts/chcat ---- nsapolicycoreutils/scripts/chcat 2005-12-14 14:16:50.000000000 -0500 -+++ policycoreutils-1.29.2/scripts/chcat 2006-01-02 14:33:44.000000000 -0500 -@@ -39,11 +39,11 @@ - print("Can not modify sensitivity levels using '+' on %s" % f) - - if len(clist) > 1: -- cats=clist[1].split(",") -- if cat in cats: -+ if cat in clist[1:]: - print "%s is already in %s" % (f, orig) - continue -- cats.append(cat) -+ clist.append(cat) -+ cats=clist[1:] - cats.sort() - cat_string=cats[0] - for c in cats[1:]: -@@ -73,14 +73,13 @@ - continue - - if len(clist) > 1: -- cats=clist[1].split(",") -- if cat not in cats: -+ if cat not in clist[1:]: - print "%s is not in %s" % (f, orig) - continue -- cats.remove(cat) -- if len(cats) > 0: -- cat=cats[0] -- for c in cats[1:]: -+ clist.remove(cat) -+ if len(clist) > 1: -+ cat=clist[1] -+ for c in clist[2:]: - cat="%s,%s" % (cat, c) - else: - cat="" -@@ -91,7 +90,7 @@ - if len(cat) == 0: - cmd='chcon -l %s %s' % (sensitivity, f) - else: -- cmd='chcon -l %s:%s %s' % (sensitivity, cat, f) -+ cmd='chcon -l %s:%s %s' % (sensitivity,cat, f) - rc=commands.getstatusoutput(cmd) - if rc[0] != 0: - print rc[1] -@@ -101,18 +100,17 @@ - def chcat_replace(orig, newcat, files): - errors=0 - if len(newcat) == 1: -- if newcat[0][0] == "s" and newcat[0][1:].isdigit() and int(newcat[0][1:]) in range(0,16): -- sensitivity=newcat[0] -- cmd='chcon -l %s ' % newcat[0] -- else: -- cmd='chcon -l s0:%s ' % newcat[0] -+ sensitivity=newcat[0] -+ cmd='chcon -l %s ' % newcat[0] - else: - sensitivity=newcat[0] -- cat=newcat[1] -- cmd='chcon -l %s:%s ' % (sensitivity, cat) -+ cmd='chcon -l %s:%s' % (sensitivity, newcat[1]) -+ for cat in newcat[2:]: -+ cmd='%s,%s' % (cmd, cat) - - for f in files: - cmd = "%s %s" % (cmd, f) -+ - 
rc=commands.getstatusoutput(cmd) - if rc[0] != 0: - print rc[1] -@@ -134,44 +132,73 @@ - raise ValueError("Can not combine +/- with other types of categories") - return replace_ind - -+def isSensitivity(sensitivity): -+ if sensitivity[0] == "s" and sensitivity[1:].isdigit() and int(sensitivity[1:]) in range(0,16): -+ return 1 -+ else: -+ return 0 -+ -+def expandCats(cats): -+ newcats=[] -+ for c in cats: -+ if c.find(".") != -1: -+ c=c.split(".") -+ for i in range(int(c[0][1:]), int(c[1][1:])+1): -+ x=("c%d" % i) -+ if x not in newcats: -+ newcats.append("c%d" % i) -+ else: -+ for i in c.split(","): -+ if i not in newcats: -+ newcats.append(i) -+ return newcats -+ - def translate(cats): - newcat=[] -+ if len(cats) == 0: -+ newcat.append("s0") -+ return newcat - for c in cats: - (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c) - rlist=raw.split(":")[3:] -- if len(rlist) > 1: -- if len(newcat) == 0: -- newcat.append(rlist[0]) -- else: -- if newcat[0] != rlist[0]: -- raise ValueError("Can not have multiple sensitivities") -- newcat.append(rlist[1]) -- else: -- if rlist[0][0] == "s" and rlist[0][1:].isdigit() and int(rlist[0][1:]) in range(0,16): -- -- if len(newcat) == 0: -- newcat.append(rlist[0]) -- else: -- if newcat[0] != rlist[0]: -- raise ValueError("Can not have multiple sensitivities") -- else: -- if len(newcat) == 0: -- newcat.append("s0") -- else: -- if newcat[0] != "s0": -- raise ValueError("Can not have multiple sensitivities") -- newcat.append(rlist[0]) -- -+ tlist=[] -+ if isSensitivity(rlist[0])==0: -+ tlist.append("s0") -+ for i in expandCats(rlist): -+ tlist.append(i) -+ else: -+ tlist.append(rlist[0]) -+ for i in expandCats(rlist[1:]): -+ tlist.append(i) -+ if len(newcat) == 0: -+ newcat.append(tlist[0]) -+ else: -+ if newcat[0] != tlist[0]: -+ raise ValueError("Can not have multiple sensitivities") -+ for i in tlist[1:]: -+ newcat.append(i) - return newcat - - def usage(): - print "Usage %s CATEGORY File ..." 
% sys.argv[0] - print "Usage %s [[+|-]CATEGORY],...]q File ..." % sys.argv[0] - print "Usage %s -d File ..." % sys.argv[0] -+ print "Usage %s -l" % sys.argv[0] - print "Use -- to end option list. For example" - print "chcat -- -CompanyConfidential /docs/businessplan.odt." - sys.exit(1) - -+def listcats(): -+ fd = open(selinux.selinux_translations_path()) -+ for l in fd.read().split("\n"): -+ if l.startswith("#"): -+ continue -+ if l.find("=")!=-1: -+ rec=l.split("=") -+ print "%-30s %s" % tuple(rec) -+ fd.close() -+ return 0 -+ - def error(msg): - print "%s: %s" % (sys.argv[0], msg) - sys.exit(1) -@@ -184,10 +211,12 @@ - error("Requires an SELinux enabled system") - - delete_ind=0 -+ list_ind=0 - try: - gopts, cmds = getopt.getopt(sys.argv[1:], -- 'dh', -- ['help', -+ 'dhl', -+ ['list', -+ 'help', - 'delete']) - - for o,a in gopts: -@@ -195,8 +224,10 @@ - usage() - if o == "-d" or o == "--delete": - delete_ind=1 -+ if o == "-l" or o == "--list": -+ list_ind=1 - -- if len(cmds) < 1: -+ if list_ind==0 and len(cmds) < 1: - usage() - except: - usage() -@@ -204,6 +235,8 @@ - if delete_ind: - sys.exit(chcat_replace(["s0"], ["s0"], cmds)) - -+ if list_ind: -+ sys.exit(listcats()) - - if len(cmds) < 2: - usage() -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat.8 policycoreutils-1.29.2/scripts/chcat.8 ---- nsapolicycoreutils/scripts/chcat.8 2005-12-08 12:52:47.000000000 -0500 -+++ policycoreutils-1.29.2/scripts/chcat.8 2006-01-02 14:33:44.000000000 -0500 -@@ -11,6 +11,9 @@ - .B chcat - [\fI-d\fR] \fIFILE\fR... - .br -+.B chcat -+[\fI-l\fR] -+.br - .PP - Change/Remove the security CATEGORY for each FILE. - .PP -@@ -18,6 +21,9 @@ - .TP - \fB\-d\fR - delete the category from each file. -+.TP -+\fB\-l\fR -+list available categories. 
- .SH "SEE ALSO" - .TP - chcon(1), selinux(8) -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.29.2/scripts/fixfiles ---- nsapolicycoreutils/scripts/fixfiles 2005-10-13 13:51:22.000000000 -0400 -+++ policycoreutils-1.29.2/scripts/fixfiles 2006-01-02 14:33:44.000000000 -0500 -@@ -62,8 +62,8 @@ - TEMPFILE=`mktemp ${FC}.XXXXXXXXXX` - test -z "$TEMPFILE" && exit - PREFCTEMPFILE=`mktemp ${PREFC}.XXXXXXXXXX` -- sed -r -e 's,:s0, ,g' $PREFC > ${PREFCTEMPFILE} -- sed -r -e 's,:s0, ,g' $FC | \ -+ sed -r -e 's,:s0, ,g' $PREFC | sort -u > ${PREFCTEMPFILE} -+ sed -r -e 's,:s0, ,g' $FC | sort -u | \ - /usr/bin/diff -b ${PREFCTEMPFILE} - | \ - grep '^[<>]'|cut -c3-| grep ^/ | \ - egrep -v '(^/home|^/root|^/tmp|^/dev)' |\ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.2/scripts/genhomedircon ---- nsapolicycoreutils/scripts/genhomedircon 2005-12-07 07:28:00.000000000 -0500 -+++ policycoreutils-1.29.2/scripts/genhomedircon 2006-01-02 14:33:44.000000000 -0500 -@@ -1,4 +1,4 @@ --#! /usr/bin/env python -+#! 
/usr/bin/python - # Copyright (C) 2004 Tresys Technology, LLC - # see file 'COPYING' for use and warranty information - # -@@ -26,64 +26,73 @@ - # - # - --import commands, sys, os, pwd, string, getopt, re -+import sys, os, pwd, string, getopt, re - from semanage import *; - --fd=open("/etc/shells", 'r') --VALID_SHELLS=fd.read().split('\n') --fd.close() --if "/sbin/nologin" in VALID_SHELLS: -- VALID_SHELLS.remove("/sbin/nologin") -+try: -+ fd=open("/etc/shells", 'r') -+ VALID_SHELLS=fd.read().split('\n') -+ fd.close() -+ if "/sbin/nologin" in VALID_SHELLS: -+ VALID_SHELLS.remove("/sbin/nologin") -+except: -+ VALID_SHELLS = ['/bin/sh', '/bin/bash', '/bin/ash', '/bin/bsh', '/bin/ksh', '/usr/bin/ksh', '/usr/bin/pdksh', '/bin/tcsh', '/bin/csh', '/bin/zsh'] -+ -+def findval(file, var, delim=""): -+ val="" -+ try: -+ fd=open(file, 'r') -+ for i in fd.read().split('\n'): -+ if i.startswith(var) == 1: -+ if delim == "": -+ val = i.split()[1] -+ else: -+ val = i.split(delim)[1] -+ val = val.split("#")[0] -+ val = val.strip() -+ fd.close() -+ except: -+ val="" -+ return val - - def getStartingUID(): - starting_uid = sys.maxint -- rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs") -- if rc[0] == 0: -- uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1]) -- #stip any comment from the end of the line -+ uid_min= findval("/etc/login.defs", "UID_MIN") -+ if uid_min != "": - uid_min = uid_min.split("#")[0] - uid_min = uid_min.strip() - if int(uid_min) < starting_uid: - starting_uid = int(uid_min) -- rc=commands.getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf") -- if rc[0] == 0: -- lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1]) -- #stip any comment from the end of the line -- lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber) -- lu_uidnumber = lu_uidnumber.split("#")[0] -- lu_uidnumber = lu_uidnumber.strip() -- if int(lu_uidnumber) < starting_uid: -- starting_uid = int(lu_uidnumber) -+ -+ uid_min= findval("/etc/libuser.conf", "LU_UIDNUMBER", "=") -+ if 
uid_min != "": -+ uid_min = uid_min.split("#")[0] -+ uid_min = uid_min.strip() -+ if int(uid_min) < starting_uid: -+ starting_uid = int(uid_min) -+ - if starting_uid == sys.maxint: - starting_uid = 500 - return starting_uid - - def getDefaultHomeDir(): - ret = [] -- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd") -- if rc[0] == 0: -- homedir = rc[1].split("=")[1] -- homedir = homedir.split("#")[0] -- homedir = homedir.strip() -- if not homedir in ret: -- ret.append(homedir) -- -- rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf") -- if rc[0] == 0: -- homedir = rc[1].split("=")[1] -- homedir = homedir.split("#")[0] -- homedir = homedir.strip() -- if not homedir in ret: -- ret.append(homedir) -- -+ homedir=findval("/etc/default/useradd", "HOME", "=") -+ if homedir != "" and not homedir in ret: -+ ret.append(homedir) -+ -+ homedir=findval("/etc/libuser.conf", "LU_HOMEDIRECTORY", "=") -+ if homedir != "" and not homedir in ret: -+ ret.append(homedir) -+ - if ret == []: - ret.append("/home") - return ret - - def getSELinuxType(directory): -- rc=commands.getstatusoutput("grep ^SELINUXTYPE= %s/config" % directory) -- if rc[0]==0: -- return rc[1].split("=")[-1].strip() -+ val=findval(directory+"/config", "SELINUXTYPE", "=") -+ if val != "": -+ return val - return "targeted" - - def usage(error = ""): -@@ -129,11 +138,17 @@ - return self.getFileContextDir()+"/homedir_template" - - def getHomeRootContext(self, homedir): -- rc=commands.getstatusoutput("grep HOME_ROOT %s | sed -e \"s|^HOME_ROOT|%s|\"" % ( self.getHomeDirTemplate(), homedir)) -- if rc[0] == 0: -- return rc[1]+"\n" -- else: -- errorExit("sed error %s" % rc[1]) -+ ret="" -+ fd=open(self.getHomeDirTemplate(), 'r') -+ -+ for i in fd.read().split('\n'): -+ if i.find("HOME_ROOT") == 0: -+ i=i.replace("HOME_ROOT", homedir) -+ ret = i+"\n" -+ fd.close() -+ if ret=="": -+ errorExit("No Home Root Context Found") -+ return ret - - def heading(self): - ret = "\n#\n#\n# 
User-specific file contexts, generated via %s\n" % sys.argv[0] -@@ -152,32 +167,40 @@ - return "user_r" - return name - def getOldRole(self, role): -- rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/system.users")) -- if rc[0] != 0: -- rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/local.users")) -- if rc[0] == 0: -- user=rc[1].split() -+ rc=findval(self.selinuxdir+self.type+"/users/system.users", 'grep "^user %s"' % role, "=") -+ if rc == "": -+ rc=findval(self.selinuxdir+self.type+"/users/local.users", 'grep "^user %s"' % role, "=") -+ if rc != "": -+ user=rc.split() - role = user[3] - if role == "{": - role = user[4] - return role - - def adduser(self, udict, user, seuser, role): -+ if seuser == "user_u" or user == "__default__": -+ return -+ # !!! chooses first role in the list to use in the file context !!! -+ if role[-2:] == "_r" or role[-2:] == "_u": -+ role = role[:-2] - try: -- if seuser == "user_u" or user == "__default__": -- return -- # !!! chooses first role in the list to use in the file context !!! 
-- if role[-2:] == "_r" or role[-2:] == "_u": -- role = role[:-2] - home = pwd.getpwnam(user)[5] - if home == "/": -- return -- prefs = {} -- prefs["role"] = role -- prefs["home"] = home -- udict[seuser] = prefs -+ # Probably install so hard code to /root -+ if user == "root": -+ home="/root" -+ else: -+ return - except KeyError: -- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user) -+ if user == "root": -+ home = "/root" -+ else: -+ sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user) -+ return -+ prefs = {} -+ prefs["role"] = role -+ prefs["home"] = home -+ udict[seuser] = prefs - - def getUsers(self): - udict = {} -@@ -190,30 +213,50 @@ - self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.defaultrole(seusername)) - - else: -- rc = commands.getstatusoutput("grep -v '^ *#' %s" % self.selinuxdir+self.type+"/seusers") -- if rc[0] == 0 and rc[1] != "": -- ulist = rc[1].split("\n") -- for u in ulist: -- if len(u)==0: -+ try: -+ fd =open(self.selinuxdir+self.type+"/seusers") -+ for u in fd.read().split('\n'): -+ u=u.strip() -+ if len(u)==0 or u[0]=="#": +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.3/scripts/genhomedircon +--- nsapolicycoreutils/scripts/genhomedircon 2006-01-04 13:07:46.000000000 -0500 ++++ policycoreutils-1.29.3/scripts/genhomedircon 2006-01-04 13:17:35.000000000 -0500 +@@ -220,8 +220,9 @@ + if len(u)==0 or u[0]=="#": continue user = u.split(":") - if len(user) < 3: +- if len(user) < 3: ++ if len(user) < 2: continue ++ role=self.getOldRole(user[1]) self.adduser(udict, user[0], user[1], role) -+ fd.close() -+ except IOError, error: -+ # Must be install so force add of root -+ self.adduser(udict, "root", "root", "root") -+ - return udict + fd.close() +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.3/semanage/semanage +--- 
nsapolicycoreutils/semanage/semanage 2006-01-04 13:07:46.000000000 -0500 ++++ policycoreutils-1.29.3/semanage/semanage 2006-01-04 13:17:35.000000000 -0500 +@@ -36,7 +36,7 @@ + sename = "user_u" + + (rc,k) = semanage_seuser_key_create(self.sh, name) +- if rc != 0: ++ if rc < 0: + raise ValueError("Could not create a key for %s" % name) - def getHomeDirContext(self, user, home, role): - ret="\n\n#\n# Home Context for user %s\n#\n\n" % user -- rc=commands.getstatusoutput("grep '^HOME_DIR' %s | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), home, role, user)) -- return ret + rc[1] + "\n" -+ fd=open(self.getHomeDirTemplate(), 'r') -+ for i in fd.read().split('\n'): -+ if i.startswith("HOME_DIR") == 1: -+ i=i.replace("HOME_DIR", home) -+ i=i.replace("ROLE", role) -+ i=i.replace("system_u", user) -+ ret = ret+i+"\n" -+ fd.close() -+ return ret - - def getUserContext(self, user, sel_user, role): -- rc=commands.getstatusoutput("grep 'USER' %s | sed -e 's/USER/%s/' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), user, role, sel_user)) -- return rc[1] + "\n" -+ ret="" -+ fd=open(self.getHomeDirTemplate(), 'r') -+ for i in fd.read().split('\n'): -+ if i.find("USER") == 1: -+ i=i.replace("USER", user) -+ i=i.replace("ROLE", role) -+ i=i.replace("system_u", sel_user) -+ ret=ret+i+"\n" -+ fd.close() -+ return ret - - def genHomeDirContext(self): -- if commands.getstatusoutput("grep -q 'ROLE' %s" % self.getHomeDirTemplate())[0] == 0 and self.semanaged: -+ if self.semanaged and findval(self.getHomeDirTemplate(), "ROLE", "=") != "": - warning("genhomedircon: Warning! No support yet for expanding ROLE macros in the %s file when using libsemanage." 
% self.getHomeDirTemplate()); - warning("genhomedircon: You must manually update file_contexts.homedirs for any non-user_r users (including root)."); - users = self.getUsers() -@@ -225,40 +268,23 @@ - return ret+"\n" - - def checkExists(self, home): -- if commands.getstatusoutput("grep -E '^%s[^[:alnum:]_-]' %s" % (home, self.getFileContextFile()))[0] == 0: -- return 0 -- #this works by grepping the file_contexts for -- # 1. ^/ makes sure this is not a comment -- # 2. prints only the regex in the first column first cut on \t then on space -- rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % self.getFileContextFile() ) -- if rc[0] == 0: -- prefix_regex = rc[1].split("\n") -- else: -- warning("%s\nYou do not have access to read %s\n" % (rc[1], self.getFileContextFile())) -- -- exists=1 -- for regex in prefix_regex: -- #match a trailing (/*)? which is actually a bug in rpc_pipefs -- regex = re.sub("\(/\*\)\?$", "", regex) -- #match a trailing .+ -- regex = re.sub("\.+$", "", regex) -- #match a trailing .* -- regex = re.sub("\.\*$", "", regex) -- #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s -- regex = re.sub("\(\/\.\*\)\?", "", regex) -- regex = regex + "/*$" -- if re.search(regex, home, 0): -- exists = 0 -- break -- if exists == 1: -- return 1 -- else: -- return 0 -- -+ fd=open(self.getFileContextFile()) -+ for i in fd.read().split('\n'): -+ if len(i)==0: -+ return -+ regex=i.split()[0] -+ #match a trailing .+ -+ regex = re.sub("\.+$", "", regex) -+ regex = re.sub("\.\*$", "", regex) -+ #strip a (/.*)? 
which matches anything trailing to a /*$ which matches trailing /'s -+ regex = re.sub("\(\/\.\*\)\?", "", regex) -+ regex = regex + "/*$" -+ if re.search(home, regex, 0): -+ return 1 -+ return 0 - - def getHomeDirs(self): -- homedirs = [] -- homedirs = homedirs + getDefaultHomeDir() -+ homedirs = getDefaultHomeDir() - starting_uid=getStartingUID() - if self.usepwd==0: - return homedirs -@@ -270,8 +296,8 @@ - string.count(u[5], "/") > 1: - homedir = u[5][:string.rfind(u[5], "/")] - if not homedir in homedirs: -- if self.checkExists(homedir)==0: -- warning("%s homedir %s or its parent directoy conflicts with a\ndefined context in %s,\n%s will not create a new context." % (u[0], u[5], self.getFileContextFile(), sys.argv[0])) -+ if self.checkExists(homedir)==1: -+ warning("%s homedir %s or its parent directory conflicts with a\ndefined context in %s,\n%s will not create a new context." % (u[0], u[5], self.getFileContextFile(), sys.argv[0])) - else: - homedirs.append(homedir) - -@@ -333,7 +359,3 @@ - - except getopt.error, error: - errorExit("Options Error %s " % error) --except ValueError, error: -- errorExit("ValueError %s" % error) --except IndexError, error: -- errorExit("IndexError") -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/selisteners policycoreutils-1.29.2/scripts/selisteners ---- nsapolicycoreutils/scripts/selisteners 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-1.29.2/scripts/selisteners 2006-01-02 14:33:44.000000000 -0500 -@@ -0,0 +1,37 @@ -+#! /usr/bin/env python -+# Copyright (C) 2005 Red Hat -+# see file 'COPYING' for use and warranty information -+# -+# listeners - this script finds all processes listening on a TCP or UDP Port -+# configuration entries for user home directories based on their -+# default roles and is run when building the policy. Specifically, we -+# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with -+# generic and user-specific values. 
-+# -+# Based off original script by Dan Walsh, -+# -+# ASSUMPTIONS: -+# -+# The file CONTEXTDIR/files/homedir_template exists. This file is used to -+# set up the home directory context for each real user. -+# -+# If a user has more than one role, genhomedircon uses the first role in the list. -+# -+# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user -+# -+# "Real" users (as opposed to system users) are those whose UID is greater than -+# or equal STARTING_UID (usually 500) and whose login is not a member of -+# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/seusers -+# are always "real" (including root, in the default configuration). -+# -+# -+import commands, string -+import selinux -+rc=commands.getstatusoutput("netstat -aptul") -+out=rc[1].split("\n") -+for i in out: -+ x=i.split() -+ y=x[-1].split("/") -+ if len(y)==2: -+ pid=string.atoi(y[0]) -+ print "%s %-40s %-10s\t%-20s\t%s" % (x[0], x[3], pid,y[1],selinux.getpidcon(pid)[1]) -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/tests/chcat_test policycoreutils-1.29.2/scripts/tests/chcat_test ---- nsapolicycoreutils/scripts/tests/chcat_test 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-1.29.2/scripts/tests/chcat_test 2006-01-02 14:33:44.000000000 -0500 -@@ -0,0 +1,43 @@ -+#!/bin/sh -x -+# -+# You must copy the setrans.conf file in place before testing -+# -+chcat -l -+rm -f /tmp/chcat_test -+touch /tmp/chcat_test -+chcat -d /tmp/chcat_test -+chcat -d /tmp/chcat_test -+chcat -- -Payroll /tmp/chcat_test -+ls -lZ /tmp/chcat_test -+chcat -- +Payroll /tmp/chcat_test -+ls -lZ /tmp/chcat_test -+chcat -- -Payroll /tmp/chcat_test -+ls -lZ /tmp/chcat_test -+chcat Payroll,Marketing /tmp/chcat_test -+ls -lZ /tmp/chcat_test -+chcat -- +Payroll /tmp/chcat_test -+ls -lZ /tmp/chcat_test -+chcat -- Payroll /tmp/chcat_test -+ls -lZ /tmp/chcat_test -+chcat -- -Payroll,+Marketing /tmp/chcat_test -+ls -lZ /tmp/chcat_test -+chcat -- +Payroll,-Marketing 
/tmp/chcat_test -+ls -lZ /tmp/chcat_test -+chcat -- -Payroll,+Marketing,+NDA_Yoyodyne /tmp/chcat_test -+ls -lZ /tmp/chcat_test -+chcat -- -Marketing,-NDA_Yoyodyne /tmp/chcat_test -+ls -lZ /tmp/chcat_test -+chcat -- -s0 /tmp/chcat_test -+ls -lZ /tmp/chcat_test -+chcat -- s0 /tmp/chcat_test -+ls -lZ /tmp/chcat_test -+chcat -- s0:c1 /tmp/chcat_test -+ls -lZ /tmp/chcat_test -+chcat -- s0:c1,c2 /tmp/chcat_test -+ls -lZ /tmp/chcat_test -+chcat -- s0:c1.c3 /tmp/chcat_test -+ls -lZ /tmp/chcat_test -+chcat -- -s0:c3 /tmp/chcat_test -+ls -lZ /tmp/chcat_test -+chcat -- -s0:c2,+c3 /tmp/chcat_test -+ls -lZ /tmp/chcat_test -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/tests/setrans.conf policycoreutils-1.29.2/scripts/tests/setrans.conf ---- nsapolicycoreutils/scripts/tests/setrans.conf 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-1.29.2/scripts/tests/setrans.conf 2006-01-02 14:33:44.000000000 -0500 -@@ -0,0 +1,23 @@ -+# -+# Multi-Category Security translation table for SELinux -+# -+# Uncomment the following to disable translation libary -+# disable=1 -+# -+# Objects can be categorized with 0-256 categories defined by the admin. -+# Objects can be in more than one category at a time. -+# Categories are stored in the system as c0-c255. Users can use this -+# table to translate the categories into a more meaningful output. 
-+# Examples: -+# s0:c0=CompanyConfidential -+# s0:c1=PatientRecord -+# s0:c2=Unclassified -+# s0:c3=TopSecret -+# s0:c1,c3=CompanyConfidentialRedHat -+s0= -+s0-s0:c0.c255=SystemLow-SystemHigh -+s0:c0.c255=SystemHigh -+s0:c0=Company_Confidential -+s0:c1=Marketing -+s0:c2=Payroll -+s0:c3=NDA_Yoyodyne -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.2/semanage/semanage ---- nsapolicycoreutils/semanage/semanage 2005-11-29 10:55:01.000000000 -0500 -+++ policycoreutils-1.29.2/semanage/semanage 2006-01-02 14:33:44.000000000 -0500 -@@ -24,22 +24,33 @@ - from semanage import *; - class loginRecords: - def __init__(self): -- self.sh=semanage_handle_create() -- self.semanaged=semanage_is_managed(self.sh) -+ self.sh = semanage_handle_create() -+ self.semanaged = semanage_is_managed(self.sh) - if self.semanaged: - semanage_connect(self.sh) - - def add(self, name, sename, serange): -- (rc,k)=semanage_seuser_key_create(self.sh, name) -- (rc,exists)= semanage_seuser_exists(self.sh, k) -+ if serange == "": -+ serange = "s0" -+ if sename == "": -+ sename = "user_u" -+ -+ (rc,k) = semanage_seuser_key_create(self.sh, name) -+ if rc != 0: -+ raise ValueError("Could not create a key for %s" % name) -+ -+ (rc,exists) = semanage_seuser_exists(self.sh, k) - if exists: - raise ValueError("SELinux User %s mapping already defined" % name) - try: -- pwd.getpwname(name) -+ pwd.getpwnam(name) - except: + (rc,exists) = semanage_seuser_exists(self.sh, k) +@@ -48,7 +48,7 @@ raise ValueError("Linux User %s does not exist" % name) -- (rc,u)= semanage_seuser_create(self.sh) -+ (rc,u) = semanage_seuser_create(self.sh) -+ if rc != 0: -+ raise ValueError("Could not create seuser for %s" % name) -+ + (rc,u) = semanage_seuser_create(self.sh) +- if rc != 0: ++ if rc < 0: + raise ValueError("Could not create seuser for %s" % name) + semanage_seuser_set_name(self.sh, u, name) - semanage_seuser_set_mlsrange(self.sh, u, serange) +@@ -56,12 +56,12 @@ 
semanage_seuser_set_sename(self.sh, u, sename) -@@ -48,13 +59,22 @@ - if semanage_commit(self.sh) != 0: + semanage_begin_transaction(self.sh) + semanage_seuser_add(self.sh, k, u) +- if semanage_commit(self.sh) != 0: ++ if semanage_commit(self.sh) < 0: raise ValueError("Failed to add SELinux user mapping") -- def modify(self, name, sename="", serange=""): -- (rc,k)=semanage_seuser_key_create(self.sh, name) -- (rc,u)= semanage_seuser_query(self.sh, k) -- if rc !=0 : -- raise ValueError("SELinux user %s mapping is not defined." % name) -- if sename == "" and serange=="": -+ def modify(self, name, sename = "", serange = ""): -+ (rc,k) = semanage_seuser_key_create(self.sh, name) -+ if rc != 0: -+ raise ValueError("Could not create a key for %s" % name) -+ -+ if sename == "" and serange == "": - raise ValueError("Requires, seuser or serange") -+ -+ (rc,exists) = semanage_seuser_exists(self.sh, k) -+ if exists: -+ (rc,u) = semanage_seuser_query(self.sh, k) -+ if rc != 0: -+ raise ValueError("Could not query seuser for %s" % name) -+ else: -+ raise ValueError("SELinux user %s mapping is not defined." % name) -+ - if serange != "": - semanage_seuser_set_mlsrange(self.sh, u, serange) - if sename != "": -@@ -66,78 +86,107 @@ + def modify(self, name, sename = "", serange = ""): + (rc,k) = semanage_seuser_key_create(self.sh, name) +- if rc != 0: ++ if rc < 0: + raise ValueError("Could not create a key for %s" % name) + + if sename == "" and serange == "": +@@ -70,7 +70,7 @@ + (rc,exists) = semanage_seuser_exists(self.sh, k) + if exists: + (rc,u) = semanage_seuser_query(self.sh, k) +- if rc != 0: ++ if rc < 0: + raise ValueError("Could not query seuser for %s" % name) + else: + raise ValueError("SELinux user %s mapping is not defined." 
% name) +@@ -81,13 +81,13 @@ + semanage_seuser_set_sename(self.sh, u, sename) + semanage_begin_transaction(self.sh) + semanage_seuser_modify(self.sh, k, u) +- if semanage_commit(self.sh) != 0: ++ if semanage_commit(self.sh) < 0: + raise ValueError("Failed to modify SELinux user mapping") def delete(self, name): -- (rc,k)=semanage_seuser_key_create(self.sh, name) -- (rc,exists)= semanage_seuser_exists(self.sh, k) -- if rc !=0 : -+ (rc,k) = semanage_seuser_key_create(self.sh, name) -+ if rc != 0: -+ raise ValueError("Could not create a key for %s" % name) -+ -+ (rc,exists) = semanage_seuser_exists(self.sh, k) -+ if not exists: + (rc,k) = semanage_seuser_key_create(self.sh, name) +- if rc != 0: ++ if rc < 0: + raise ValueError("Could not create a key for %s" % name) + + (rc,exists) = semanage_seuser_exists(self.sh, k) +@@ -95,7 +95,7 @@ raise ValueError("SELinux user %s mapping is not defined." % name) semanage_begin_transaction(self.sh) semanage_seuser_del(self.sh, k) - if semanage_commit(self.sh) != 0: +- if semanage_commit(self.sh) != 0: ++ if semanage_commit(self.sh) < 0: raise ValueError("SELinux User %s mapping not defined" % name) -- def list(self): -- print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range") -+ def list(self,heading=1): -+ if heading: -+ print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range") - (status, self.ulist, self.usize) = semanage_seuser_list(self.sh) - for idx in range(self.usize): -- u=semanage_seuser_by_idx(self.ulist, idx) -- name=semanage_seuser_get_name(u) -- -+ u = semanage_seuser_by_idx(self.ulist, idx) -+ name = semanage_seuser_get_name(u) - print "%-25s %-25s %-25s" % (name, semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u)) + def list(self,heading=1): +@@ -122,7 +122,7 @@ + selevel = "s0" - class seluserRecords: - def __init__(self): -- roles=[] -- self.sh=semanage_handle_create() -- self.semanaged=semanage_is_managed(self.sh) -+ roles = [] -+ self.sh = 
semanage_handle_create() -+ self.semanaged = semanage_is_managed(self.sh) - if self.semanaged: - semanage_connect(self.sh) + (rc,k) = semanage_user_key_create(self.sh, name) +- if rc != 0: ++ if rc < 0: + raise ValueError("Could not create a key for %s" % name) + + (rc,exists) = semanage_user_exists_local(self.sh, k) +@@ -132,7 +132,7 @@ + raise ValueError("SELinux user %s is already defined." % name) + + (rc,u) = semanage_user_create(self.sh) +- if rc != 0: ++ if rc < 0: + raise ValueError("Could not create login mapping for %s" % name) - def add(self, name, roles, selevel, serange): -- (rc,k)=semanage_user_key_create(self.sh, name) -- (rc,exists)= semanage_user_exists(self.sh, k) -- if exists: -- raise ValueError("Seuser %s already defined" % name) -- (rc,u)= semanage_user_create(self.sh) -+ if serange == "": -+ serange = "s0" -+ if selevel == "": -+ selevel = "s0" -+ -+ (rc,k) = semanage_user_key_create(self.sh, name) -+ if rc != 0: -+ raise ValueError("Could not create a key for %s" % name) -+ -+ (rc,exists) = semanage_user_exists_local(self.sh, k) -+ if not exists: -+ (rc,exists) = semanage_user_exists(self.sh, k) -+ if not exists: -+ raise ValueError("SELinux user %s is already defined." 
% name) -+ -+ (rc,u) = semanage_user_create(self.sh) -+ if rc != 0: -+ raise ValueError("Could not create login mapping for %s" % name) -+ semanage_user_set_name(self.sh, u, name) - for r in roles: - semanage_user_add_role(self.sh, u, r) +@@ -141,12 +141,12 @@ semanage_user_set_mlsrange(self.sh, u, serange) semanage_user_set_mlslevel(self.sh, u, selevel) (rc,key) = semanage_user_key_extract(self.sh,u) -+ if rc != 0: -+ raise ValueError("Could not extract key for %s" % name) -+ +- if rc != 0: ++ if rc < 0: + raise ValueError("Could not extract key for %s" % name) + semanage_begin_transaction(self.sh) semanage_user_add_local(self.sh, k, u) - if semanage_commit(self.sh) != 0: +- if semanage_commit(self.sh) != 0: ++ if semanage_commit(self.sh) < 0: raise ValueError("Failed to add SELinux user") -- self.dict[name]=seluser(name, roles, selevel, serange) -- -- def modify(self, name, roles=[], selevel="", serange=""): -- (rc,k)=semanage_user_key_create(self.sh, name) -- (rc,exists)= semanage_user_exists(self.sh, k) -- if not exists: -- raise ValueError("user %s is not defined" % name) -- (rc,u)= semanage_user_query(self.sh, k) -- if rc !=0 : -- raise ValueError("User %s is not defined." % name) -- if len(roles) == 0 and serange=="" and selevel=="": -+ def modify(self, name, roles = [], selevel = "", serange = ""): -+ if len(roles) == 0 and serange == "" and selevel == "": + def modify(self, name, roles = [], selevel = "", serange = ""): +@@ -154,7 +154,7 @@ raise ValueError("Requires, roles, level or range") -+ -+ (rc,k) = semanage_user_key_create(self.sh, name) -+ if rc != 0: -+ raise ValueError("Could not create a key for %s" % name) -+ -+ (rc,exists) = semanage_user_exists_local(self.sh, k) -+ if exists: -+ (rc,u) = semanage_user_query_local(self.sh, k) -+ else: -+ (rc,exists) = semanage_user_exists(self.sh, k) -+ if exists: -+ (rc,u) = semanage_user_query(self.sh, k) -+ else: -+ raise ValueError("SELinux user %s mapping is not defined." 
% name) -+ if rc != 0: -+ raise ValueError("Could not query user for %s" % name) -+ + + (rc,k) = semanage_user_key_create(self.sh, name) +- if rc != 0: ++ if rc < 0: + raise ValueError("Could not create a key for %s" % name) + + (rc,exists) = semanage_user_exists_local(self.sh, k) +@@ -166,24 +166,24 @@ + (rc,u) = semanage_user_query(self.sh, k) + else: + raise ValueError("SELinux user %s mapping is not defined." % name) +- if rc != 0: ++ if rc < 0: + raise ValueError("Could not query user for %s" % name) + if serange != "": semanage_user_set_mlsrange(self.sh, u, serange) if selevel != "": semanage_user_set_mlslevel(self.sh, u, selevel) - if len(roles) != 0: +- if len(roles) != 0: ++ if len(roles) < 0: for r in roles: -- print r semanage_user_add_role(self.sh, u, r) semanage_begin_transaction(self.sh) semanage_user_modify_local(self.sh, k, u) - if semanage_commit(self.sh) != 0: +- if semanage_commit(self.sh) != 0: ++ if semanage_commit(self.sh) < 0: raise ValueError("Failed to modify SELinux user") -- def delete(self, name): -- (rc,k)=semanage_user_key_create(self.sh, name) -- (rc,exists)= semanage_user_exists(self.sh, k) -+ (rc,k) = semanage_user_key_create(self.sh, name) -+ if rc != 0: -+ raise ValueError("Could not crpppeate a key for %s" % name) -+ -+ (rc,exists) = semanage_user_exists_local(self.sh, k) - if not exists: + (rc,k) = semanage_user_key_create(self.sh, name) +- if rc != 0: ++ if rc < 0: + raise ValueError("Could not crpppeate a key for %s" % name) + + (rc,exists) = semanage_user_exists_local(self.sh, k) +@@ -191,7 +191,7 @@ raise ValueError("user %s is not defined" % name) semanage_begin_transaction(self.sh) -@@ -145,86 +194,183 @@ - if semanage_commit(self.sh) != 0: + semanage_user_del_local(self.sh, k) +- if semanage_commit(self.sh) != 0: ++ if semanage_commit(self.sh) < 0: raise ValueError("Login User %s not defined" % name) -- def list(self): -- print "\n%-15s %-10s %-20s" % ("", "MLS/", "MLS/") -- print "%-15s %-10s %-15s %-20s\n" % ("SELinux 
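Review bot: In the `+@@ -166,24 +166,24 @@` hunk of the embedded semanage patch, the mechanical `!= 0` → `< 0` rewrite was also applied to a length test, turning `if len(roles) != 0:` into `if len(roles) < 0:`; a list length is never negative, so the `for r in roles: semanage_user_add_role(self.sh, u, r)` loop is now dead and `semanage user -m -R <roles> NAME` commits the user record with its roles untouched while still reporting no error. That is a silent policy-management failure: an administrator who believes a role was granted, or that a bogus role was rejected (the removed `semanage_test` script expects `-R BadRole` to fail), gets neither. Restore the guard as `if len(roles) != 0:` — or drop it and write just `for r in roles:`, since iterating an empty list is already a no-op. On the same theme, every `(rc,exists) = semanage_*_exists*(...)` call in these hunks still ignores `rc`, so a failed lookup can be indistinguishable from "not defined" (or, on the add paths, from "free to add"); checking `rc < 0` there would match the rest of the series. `modify`'s opening lines are in the preceding `+@@ -154,7 +154,7 @@` hunk rather than this one.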
User", "MCS Level", "MCS Range", "SELinux Roles") -+ def list(self, heading=1): -+ if heading: -+ print "\n%-15s %-10s %-20s" % ("", "MLS/", "MLS/") -+ print "%-15s %-10s %-15s %-20s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles") - (status, self.ulist, self.usize) = semanage_user_list(self.sh) - for idx in range(self.usize): -- u=semanage_user_by_idx(self.ulist, idx) -- name=semanage_user_get_name(u) -+ u = semanage_user_by_idx(self.ulist, idx) -+ name = semanage_user_get_name(u) - (status, rlist, rlist_size) = semanage_user_get_roles(self.sh, u) -- roles="" -+ roles = "" + def list(self, heading=1): +@@ -238,7 +238,7 @@ + high=string.atoi(ports[1]) + + (rc,k) = semanage_port_key_create(self.sh, low, high, proto_d) +- if rc != 0: ++ if rc < 0: + raise ValueError("Could not create a key for %s/%s" % (proto, port)) + return ( k, proto_d, low, high ) - if rlist_size: -- roles+=char_by_idx(rlist, 0) -+ roles += char_by_idx(rlist, 0) - for ridx in range (1,rlist_size): -- roles+=" " + char_by_idx(rlist, ridx) -+ roles += " " + char_by_idx(rlist, ridx) - print "%-15s %-10s %-15s %s" % (semanage_user_get_name(u), semanage_user_get_mlslevel(u), semanage_user_get_mlsrange(u), roles) +@@ -260,13 +260,13 @@ + raise ValueError("Port %s/%s already defined locally" % (proto, port)) - class portRecords: - def __init__(self): -- self.dict={} -- self.sh=semanage_handle_create() -- self.semanaged=semanage_is_managed(self.sh) -+ self.sh = semanage_handle_create() -+ self.semanaged = semanage_is_managed(self.sh) - if self.semanaged: - semanage_connect(self.sh) + (rc,p) = semanage_port_create(self.sh) +- if rc != 0: ++ if rc < 0: + raise ValueError("Could not create port for %s/%s" % (proto, port)) + + semanage_port_set_proto(p, proto_d) + semanage_port_set_range(p, low, high) + (rc, con) = semanage_context_create(self.sh) +- if rc != 0: ++ if rc < 0: + raise ValueError("Could not create context for %s/%s" % (proto, port)) -- def add(self, name, type): -- 
(rc,k)=semanage_port_key_create(self.sh, name) -- (rc,exists)= semanage_port_exists(self.sh, k) -+ def __genkey(self, port, proto): -+ if proto == "tcp": -+ proto_d=SEMANAGE_PROTO_TCP -+ else: -+ if proto == "udp": -+ proto_d=SEMANAGE_PROTO_UDP -+ else: -+ raise ValueError("Protocol udp or tcp is required") -+ if port == "": -+ raise ValueError("Port is required") -+ -+ ports=port.split("-") -+ if len(ports) == 1: -+ low=string.atoi(ports[0]) -+ high=string.atoi(ports[0]) -+ else: -+ low=string.atoi(ports[0]) -+ high=string.atoi(ports[1]) -+ -+ (rc,k) = semanage_port_key_create(self.sh, low, high, proto_d) -+ if rc != 0: -+ raise ValueError("Could not create a key for %s/%s" % (proto, port)) -+ return ( k, proto_d, low, high ) -+ -+ def add(self, port, proto, serange, type): -+ if serange == "": -+ serange="s0" -+ -+ if type == "": -+ raise ValueError("Type is required") -+ -+ ( k, proto_d, low, high ) = self.__genkey(port, proto) -+ -+ (rc,exists) = semanage_port_exists(self.sh, k) -+ if exists: -+ raise ValueError("Port %s/%s already defined" % (proto, port)) -+ -+ (rc,exists) = semanage_port_exists_local(self.sh, k) - if exists: -- raise ValueError("User %s already defined" % name) -- (rc,u)= semanage_port_create(self.sh) -- semanage_port_set_name(self.sh, u, name) -- semanage_port_set_mlsrange(self.sh, u, serange) -- semanage_port_set_sename(self.sh, u, sename) -+ raise ValueError("Port %s/%s already defined locally" % (proto, port)) -+ -+ (rc,p) = semanage_port_create(self.sh) -+ if rc != 0: -+ raise ValueError("Could not create port for %s/%s" % (proto, port)) -+ -+ semanage_port_set_proto(p, proto_d) -+ semanage_port_set_range(p, low, high) -+ (rc, con) = semanage_context_create(self.sh) -+ if rc != 0: -+ raise ValueError("Could not create context for %s/%s" % (proto, port)) -+ -+ semanage_context_set_user(self.sh, con, "system_u") -+ semanage_context_set_role(self.sh, con, "object_r") -+ semanage_context_set_type(self.sh, con, type) -+ 
semanage_context_set_mls(self.sh, con, serange) -+ semanage_port_set_con(p, con) + semanage_context_set_user(self.sh, con, "system_u") +@@ -276,7 +276,7 @@ + semanage_port_set_con(p, con) semanage_begin_transaction(self.sh) -- semanage_port_add(self.sh, k, u) -+ semanage_port_add_local(self.sh, k, p) - if semanage_commit(self.sh) != 0: + semanage_port_add_local(self.sh, k, p) +- if semanage_commit(self.sh) != 0: ++ if semanage_commit(self.sh) < 0: raise ValueError("Failed to add port") -- def modify(self, name, type): -- (rc,k)=semanage_port_key_create(self.sh, name) -- (rc,u)= semanage_port_query(self.sh, k) -- if rc !=0 : -- raise ValueError("User %s is not defined." % name) -- if sename == "" and serange=="": -- raise ValueError("Requires, port or serange") -+ def modify(self, port, proto, serange, setype): -+ if serange == "" and setype == "": -+ raise ValueError("Requires, setype or serange") -+ -+ ( k, proto_d, low, high ) = self.__genkey(port, proto) -+ -+ (rc,exists) = semanage_port_exists_local(self.sh, k) -+ if exists: -+ (rc,p) = semanage_port_query_local(self.sh, k) -+ (rc,exists) = semanage_port_exists(self.sh, k) -+ if exists: -+ (rc,p) = semanage_port_query(self.sh, k) -+ else: -+ raise ValueError("port %s/%s is not defined." % (proto,port)) -+ -+ if rc != 0: -+ raise ValueError("Could not query port for %s/%s" % (proto, port)) -+ -+ con = semanage_port_get_con(p) -+ semanage_context_set_mls(self.sh, con, serange) - if serange != "": -- semanage_port_set_mlsrange(self.sh, u, serange) -- if sename != "": -- semanage_port_set_sename(self.sh, u, sename) -+ semanage_context_set_mls(self.sh, con, serange) -+ if setype != "": -+ semanage_context_set_type(self.sh, con, setype) -+ semanage_port_set_con(p, con) + def modify(self, port, proto, serange, setype): +@@ -294,7 +294,7 @@ + else: + raise ValueError("port %s/%s is not defined." 
% (proto,port)) + +- if rc != 0: ++ if rc < 0: + raise ValueError("Could not query port for %s/%s" % (proto, port)) + + con = semanage_port_get_con(p) +@@ -306,7 +306,7 @@ + semanage_port_set_con(p, con) semanage_begin_transaction(self.sh) -- semanage_port_modify(self.sh, k, u) -+ semanage_port_modify_local(self.sh, k, p) - if semanage_commit(self.sh) != 0: + semanage_port_modify_local(self.sh, k, p) +- if semanage_commit(self.sh) != 0: ++ if semanage_commit(self.sh) < 0: raise ValueError("Failed to add port") -- def delete(self, name): -- (rc,k)=semanage_port_key_create(self.sh, name) -+ def delete(self, port, proto): -+ ( k, proto_d, low, high ) = self.__genkey(port, proto) -+ (rc,exists) = semanage_port_exists_local(self.sh, k) -+ if not exists: -+ raise ValueError("port %s/%s is not defined localy." % (proto,port)) -+ + def delete(self, port, proto): +@@ -317,7 +317,7 @@ + semanage_begin_transaction(self.sh) -- semanage_port_del(self.sh, k) -+ semanage_port_del_local(self.sh, k) - if semanage_commit(self.sh) != 0: -- raise ValueError("Port %s not defined" % name) -+ raise ValueError("Port %s/%s not defined" % (proto,port)) + semanage_port_del_local(self.sh, k) +- if semanage_commit(self.sh) != 0: ++ if semanage_commit(self.sh) < 0: + raise ValueError("Port %s/%s not defined" % (proto,port)) -- def list(self): -+ def list(self, heading=1): - (status, self.plist, self.psize) = semanage_port_list(self.sh) -- print "%-25s %s\n" % ("SELinux Port Name", "Port Number") -+ if heading: -+ print "%-30s %-8s %s\n" % ("SELinux Port Name", "Proto", "Port Number") -+ dict={} -+ for idx in range(self.psize): -+ u = semanage_port_by_idx(self.plist, idx) -+ con = semanage_port_get_con(u) -+ name = semanage_context_get_type(con) -+ proto=semanage_port_get_proto_str(u) -+ low=semanage_port_get_low(u) -+ high = semanage_port_get_high(u) -+ if (name, proto) not in dict.keys(): -+ dict[(name,proto)]=[] -+ if low == high: -+ dict[(name,proto)].append("%d" % low) -+ else: -+ 
dict[(name,proto)].append("%d-%d" % (low, high)) -+ (status, self.plist, self.psize) = semanage_port_list_local(self.sh) - for idx in range(self.psize): -- u=semanage_port_by_idx(self.plist, idx) -- name=semanage_port_get_name(u) -- print "%20s %d" % ( name, semanage_port_get_number(u)) -+ u = semanage_port_by_idx(self.plist, idx) -+ con = semanage_port_get_con(u) -+ name = semanage_context_get_type(con) -+ proto=semanage_port_get_proto_str(u) -+ low=semanage_port_get_low(u) -+ high = semanage_port_get_high(u) -+ if (name, proto) not in dict.keys(): -+ dict[(name,proto)]=[] -+ if low == high: -+ dict[(name,proto)].append("%d" % low) -+ else: -+ dict[(name,proto)].append("%d-%d" % (low, high)) -+ for i in dict.keys(): -+ rec = "%-30s %-8s " % i -+ rec += "%s" % dict[i][0] -+ for p in dict[i][1:]: -+ rec += ", %s" % p -+ print rec - - if __name__ == '__main__': - -- def usage(message=""): -+ def usage(message = ""): - print '\ - semanage user [-admsRrh] SELINUX_USER\n\ - semanage login [-admsrh] LOGIN_NAME\n\ --semanage port [-admth] SELINUX_PORT_NAME\n\ -+semanage port [-admth] PORT | PORTRANGE\n\ - -a, --add Add a OBJECT record NAME\n\ - -d, --delete Delete a OBJECT record NAME\n\ - -h, --help display this message\n\ - -l, --list List the OBJECTS\n\ -+ -n, --noheading Do not print heading when listing OBJECTS\n\ - -m, --modify Modify a OBJECT record NAME\n\ - -r, --range MLS/MCS Security Range\n\ - -R, --roles SELinux Roles (Separate by spaces)\n\ -@@ -245,33 +391,40 @@ - # - # - try: -- objectlist=("login", "user", "port") -- input=sys.stdin -- output=sys.stdout -- serange="s0" -- selevel="s0" -- roles="" -- seuser="" -- type="" -- add=0 -- modify=0 -- delete=0 -- list=0 -+ objectlist = ("login", "user", "port") -+ input = sys.stdin -+ output = sys.stdout -+ serange = "" -+ port = "" -+ proto = "" -+ selevel = "" -+ setype = "" -+ roles = "" -+ seuser = "" -+ heading=1 -+ -+ add = 0 -+ modify = 0 -+ delete = 0 -+ list = 0 - if len(sys.argv) < 3: - usage("Requires 
2 or more arguments") - -- object=sys.argv[1] -+ object = sys.argv[1] - if object not in objectlist: - usage("%s not defined" % object) - -- args=sys.argv[2:] -+ args = sys.argv[2:] - gopts, cmds = getopt.getopt(args, -- 'adlhms:R:r:t:v', -+ 'adlhmnp:P:s:R:r:t:v', - ['add', - 'delete', - 'help', - 'list', - 'modify', -+ 'noheading', -+ 'port=', -+ 'proto=', - 'seuser=', - 'range=', - 'roles=', -@@ -282,88 +435,95 @@ - if o == "-a" or o == "--add": - if modify or delete: - usage() -- add=1 -+ add = 1 - - if o == "-d" or o == "--delese": - if modify or add: - usage() -- delete=1 -+ delete = 1 - if o == "-h" or o == "--help": - usage() - -+ if o == "-n" or o == "--nohead": -+ heading=0 -+ - if o == "-m"or o == "--modify": - if delete or add: - usage() -- modify=1 -+ modify = 1 - - if o == "-r" or o == '--range': -- serange=a -+ serange = a -+ -+ if o == "-P" or o == '--proto': -+ proto = a - - if o == "-R" or o == '--roles': -- roles=a -+ roles = a - - if o == "-t" or o == "--type": -- type=a -+ setype = a - - if o == "-l" or o == "--list": -- list=1 -+ list = 1 - - if o == "-s" or o == "--seuser": -- seuser=a -+ seuser = a - - if o == "-v" or o == "--verbose": -- verbose=1 -+ verbose = 1 - - if object == "login": -- OBJECT=loginRecords() -+ OBJECT = loginRecords() - - if object == "user": -- OBJECT=seluserRecords() -+ OBJECT = seluserRecords() - - if object == "port": -- OBJECT=portRecords() -+ OBJECT = portRecords() - - if list: -- OBJECT.list() -+ OBJECT.list(heading) - sys.exit(0); - - if len(cmds) != 1: - usage() - -- name=cmds[0] -+ target = cmds[0] - - if add: - if object == "login": -- OBJECT.add(name, seuser, serange) -+ OBJECT.add(target, seuser, serange) - - if object == "user": -- rlist=roles.split() -- print rlist -- OBJECT.add(name, rlist, selevel, serange) -+ rlist = roles.split() -+ if len(rlist) == 0: -+ raise ValueError("You must specify a role") -+ OBJECT.add(target, rlist, selevel, serange) - - if object == "port": -- OBJECT.add(name, type) -+ 
OBJECT.add(target, proto, serange, setype) - -- OBJECT.list() - sys.exit(0); - - if modify: - if object == "login": -- OBJECT.modify(name, seuser, serange) -+ OBJECT.modify(target, seuser, serange) - - if object == "user": -- rlist=roles.split() -- print rlist -- OBJECT.modify(name, rlist, selevel, serange) -+ rlist = roles.split() -+ OBJECT.modify(target, rlist, selevel, serange) - - if object == "port": -- OBJECT.modify(name, type) -+ OBJECT.modify(target, proto, serange, setype) - sys.exit(0); -- OBJECT.list() - sys.exit(0); - - if delete: -- OBJECT.delete(name) -+ if object == "port": -+ OBJECT.delete(target, proto) -+ else: -+ OBJECT.delete(target) - sys.exit(0); - usage() - -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/tests/semanage_test policycoreutils-1.29.2/semanage/tests/semanage_test ---- nsapolicycoreutils/semanage/tests/semanage_test 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-1.29.2/semanage/tests/semanage_test 2006-01-02 14:33:44.000000000 -0500 -@@ -0,0 +1,67 @@ -+#!/bin/sh -x -+# -+# This is a test script for the semanage command -+# -+echo " -+ -+******************** semanage List Failue test ************************ -+" -+semanage -l -+echo " -+ -+******************** semanage Mapping test ************************ -+" -+echo " * Mapping List test" -+semanage login -l -+echo " * Add mapping exist test" -+semanage login -a root -+echo " * Add new test" -+echo " * Add selinux login to selinux user mapping, username wrong" -+semanage login -a semanage_test1 -+userdel -r semanage_test1 2> /dev/null -+useradd semanage_test1 -+echo " * Add selinux login to selinux user mapping, Bad SELinux User" -+semanage login -a -s BadUser semanage_test1 -+echo " * Add selinux login to selinux user mapping, username correct" -+semanage login -a semanage_test1 -+semanage login -l -+userdel -r semanage_test1 -+echo " * remove selinux login to selinux user mapping, username wrong" -+semanage login -d semanage_test2 -+echo " * remove 
selinux login to selinux user mapping, username correct"
-+semanage login -d semanage_test1
-+semanage login -l
-+
-+echo "
-+
-+******************** semanage SELinux User test ************************
-+"
-+echo " * SELinux User List test"
-+semanage user -l
-+echo " * Add SELinux User exist test: Fail because root exist"
-+semanage user -a -R user_r root
-+echo " * Add SELinux User exist test: Fail because no role specified"
-+semanage user -a -r s0 semanage_test1
-+echo " * Add selinux user semanage_test1: Success"
-+semanage user -a -R user_r -r s0 semanage_test1
-+semanage user -l
-+echo " * Modify selinux user semanage_test1 Failue bad range"
-+semanage user -m -r BadRange semanage_test1
-+echo " * Modify selinux user semanage_test1 Failue bad role"
-+semanage user -m -R BadRole semanage_test1
-+echo " * Modify selinux user semanage_test1"
-+semanage user -m -r s0:c1,c5 semanage_test1
-+semanage user -l
-+echo " * Delete selinux user semanage_test2: Fail does not exist"
-+semanage user -d semanage_test2
-+echo " * Delete selinux user semanage_test1"
-+semanage user -d semanage_test1
-+semanage user -l
-+
-+#echo "
-+#
-+#******************** semanage SELinux ports test ************************
-+#"
-+semanage port -l
-+semanage port -a -P tcp 123456
-+semanage port -d -P tcp 123456
+ def list(self, heading=1):
diff --git a/policycoreutils.spec b/policycoreutils.spec
index b36a8e0..e744d04 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -1,10 +1,10 @@
-%define libsepolver 1.11.1-2
-%define libsemanagever 1.5.3-3
-%define libselinuxver 1.29.2-1
+%define libsepolver 1.11.2-2
+%define libsemanagever 1.5.4-1
+%define libselinuxver 1.29.3-2
 Summary: SELinux policy core utilities.
 Name: policycoreutils
-Version: 1.29.2
-Release: 10
+Version: 1.29.3
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -96,6 +96,19 @@ rm -rf ${RPM_BUILD_ROOT}
 %config(noreplace) %{_sysconfdir}/sestatus.conf
 %changelog
+* Wed Jan 4 2006 Dan Walsh 1.29.3-1
+- Update to match NSA
+ * Merged semanage getpwnam bug fix from Serge Hallyn (IBM).
+ * Merged patch series from Ivan Gyurdiev.
+ This includes patches to:
+ - cleanup setsebool
+ - update setsebool to apply active booleans through libsemanage
+ - update semodule to use the new semanage_set_rebuild() interface
+ - fix various bugs in semanage
+ * Merged patch from Dan Walsh (Red Hat).
+ This includes fixes for restorecon, chcat, fixfiles, genhomedircon,
+ and semanage.
+
 * Mon Jan 2 2006 Dan Walsh 1.29.2-10
 - Fix restorecon to not say it is changing user section when -vv is specified
diff --git a/sources
index 45181c1..318db39 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-db981cfd14f597746ed87ada3a815d0e policycoreutils-1.29.2.tgz
+cc6c24f4661760764c33ec8786f3efee policycoreutils-1.29.3.tgz