diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-1.32/newrole/newrole.c --- nsapolicycoreutils/newrole/newrole.c 2006-09-29 11:50:09.000000000 -0400 +++ policycoreutils-1.32/newrole/newrole.c 2006-11-07 11:47:21.000000000 -0500 @@ -680,6 +680,7 @@ { fprintf(stderr, _("newrole: incorrect password for %s\n"), pw->pw_name); + send_audit_message(0, old_context, new_context, ttyn); return (-1); } /* If we reach here, then we have authenticated the user. */ diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-1.32/restorecond/Makefile --- nsapolicycoreutils/restorecond/Makefile 2006-08-28 16:58:19.000000000 -0400 +++ policycoreutils-1.32/restorecond/Makefile 2006-11-07 11:47:21.000000000 -0500 @@ -5,8 +5,9 @@ INITDIR = $(DESTDIR)/etc/rc.d/init.d SELINUXDIR = $(DESTDIR)/etc/selinux -CFLAGS ?= -g -Werror -Wall -W -override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 +LDFLAGS ?= -pie +CFLAGS ?= -g -Werror -Wall -W +override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 -fPIE LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib all: restorecond diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-1.32/restorecond/restorecond.conf --- nsapolicycoreutils/restorecond/restorecond.conf 2006-08-28 16:58:19.000000000 -0400 +++ policycoreutils-1.32/restorecond/restorecond.conf 2006-11-07 11:47:21.000000000 -0500 @@ -2,5 +2,6 @@ /etc/samba/secrets.tdb /etc/mtab /var/run/utmp +/var/log/wtmp ~/public_html ~/.mozilla/plugins/libflashplayer.so diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/scripts/genhomedircon.8 policycoreutils-1.32/scripts/genhomedircon.8 --- nsapolicycoreutils/scripts/genhomedircon.8 2006-08-28 16:58:19.000000000 -0400 +++ policycoreutils-1.32/scripts/genhomedircon.8 2006-11-07 11:47:21.000000000 -0500 @@ -45,35 +45,30 @@ .SH DESCRIPTION .PP This utility is used to generate file context configuration entries for -user home directories based on their default roles and is run when building -the policy. It can also be run when ever the -.I /etc/selinux/<>/users/local.users -file is changed +user home directories based on their +.B prefix +entry in the the +.B semanage user record. +genhomedircon is run when building +the policy. It is also run automaticaly when ever the +.B semanage +utility modifies +.B user +or +.B login +records. Specifically, we replace HOME_ROOT, HOME_DIR, and ROLE macros in the .I /etc/selinux/<>/contexts/files/homedir_template -file with generic and user-specific values. -.I local.users -file. If a user has more than one role in -.I local.users, -.B genhomedircon -uses the first role in the list. +file with generic and user-specific values. HOME_ROOT and HOME_DIR is replaced with each distinct location where login users homedirectories are located. Defaults to /home. ROLE is replaced based on the prefix entry in the +.B user +record. .PP -If a user is not listed in -.I local.users, -.B genhomedircon -assumes that the user's home dir will be found in one of the -HOME_ROOTs. -When looking for these users, -.B genhomedircon -only considers real users. "Real" users (as opposed -to system users) are those whose UID is greater than or equal +genhomedircon searches through all password entires for all "login" user home directories, (as opposed +to system users). Login users are those whose UID is greater than or equal .I STARTING_UID (default 500) and whose login shell is not "/sbin/nologin", or "/bin/false". .PP -Users who are explicitly defined in -.I local.users, -are always "real" (including root, in the default configuration). .SH AUTHOR This manual page was originally written by .I Manoj Srivastava , diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.32/semanage/semanage.8 --- nsapolicycoreutils/semanage/semanage.8 2006-09-14 08:07:24.000000000 -0400 +++ policycoreutils-1.32/semanage/semanage.8 2006-11-07 11:47:21.000000000 -0500 @@ -7,7 +7,7 @@ .br .B semanage login \-{a|d|m} [\-sr] login_name .br -.B semanage user \-{a|d|m} [\-LrR] selinux_name +.B semanage user \-{a|d|m} [\-LrRP] selinux_name .br .B semanage port \-{a|d|m} [\-tr] [\-p protocol] port | port_range .br @@ -71,6 +71,9 @@ .I \-R, \-\-role SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times. .TP +.I \-P, \-\-prefix +SELinux Prefix. Prefix added to home_dir_t and home_t for labeling users home directories. +.TP .I \-s, \-\-seuser SELinux user name .TP diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.32/semanage/seobject.py --- nsapolicycoreutils/semanage/seobject.py 2006-10-17 12:04:55.000000000 -0400 +++ policycoreutils-1.32/semanage/seobject.py 2006-11-07 11:47:21.000000000 -0500 @@ -456,7 +456,8 @@ rc = semanage_user_set_mlslevel(self.sh, u, selevel) if rc < 0: raise ValueError(_("Could not set MLS level for %s") % name) - + if selinux.security_check_context("system_u:object_r:%s_home_t:s0" % prefix) != 0: + raise ValueError(_("Invalid prefix %s") % prefix) rc = semanage_user_set_prefix(self.sh, u, prefix) if rc < 0: raise ValueError(_("Could not add prefix %s for %s") % (r, prefix)) @@ -522,7 +523,9 @@ semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) if prefix != "": - semanage_user_set_prefix(self.sh, u, prefix) + if selinux.security_check_context("system_u:object_r:%s_home_t" % prefix) != 0: + raise ValueError(_("Invalid prefix %s") % prefix) + semanage_user_set_prefix(self.sh, u, prefix) if len(roles) != 0: for r in roles: