diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.20/scripts/genhomedircon
--- nsapolicycoreutils/scripts/genhomedircon 2006-01-30 18:32:39.000000000 -0500
+++ policycoreutils-1.29.20/scripts/genhomedircon 2006-02-07 10:36:38.000000000 -0500
@@ -170,7 +170,7 @@
def heading(self):
ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
if self.semanaged:
- ret += "# use seusers command to manage system users in order to change the file_context\n#\n#\n"
+ ret += "# use semanage command to manage system users in order to change the file_context\n#\n#\n"
else:
ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers")
return ret
@@ -196,7 +196,7 @@
return role
def adduser(self, udict, user, seuser, role):
- if seuser == "user_u" or user == "__default__":
+ if seuser == "user_u" or user == "__default__" or user == "system_u":
return
# !!! chooses first role in the list to use in the file context !!!
if role[-2:] == "_r" or role[-2:] == "_u":
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.20/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2006-02-02 12:08:04.000000000 -0500
+++ policycoreutils-1.29.20/semanage/seobject.py 2006-02-07 10:35:46.000000000 -0500
@@ -21,8 +21,11 @@
#
#
-import pwd, string, selinux, tempfile, os, re
+import pwd, string, selinux, tempfile, os, re, sys
from semanage import *;
+import audit
+
+audit_fd=audit.audit_open()
def validate_level(raw):
sensitivity="s([0-9]|1[0-5])"
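Review bot: The new `user == "system_u"` test in adduser compares the login-name column, which matches how `system_u` is listed as a login in seusers, but a login mapped to the SELinux user system_u (`seuser == "system_u"`) still gets a home-directory context generated from the first entry in `role`. If the intent is to never emit user-home contexts for the system SELinux user, the symmetric check `or seuser == "system_u"` alongside the existing `seuser == "user_u"` would cover both spellings. adduser's body continues past the hunk, so the role handling below the `!!!` comment is only partly visible here.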
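Review bot: `audit_fd=audit.audit_open()` runs at import time and its result is never checked; as far as I recall libaudit returns a negative descriptor when the audit netlink socket cannot be opened (no CAP_AUDIT_WRITE, audit disabled in the kernel), and every later `audit_log_acct_message(audit_fd, ...)` in this file then fails silently, so the user-mapping changes this patch is meant to record go unaudited without any error. Since auditing is the purpose of the change, I would decide explicitly: either fail closed with `if audit_fd < 0: raise ValueError("Could not open audit socket")`, or, if semanage must keep working on hosts without audit, guard the log calls on `audit_fd >= 0` and emit a warning once. Opening the socket as a module side effect also means every importer of seobject holds an audit descriptor that is never released (audit_close(), if the binding exposes it).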
@@ -170,119 +173,143 @@
if sename == "":
sename = "user_u"
- (rc,k) = semanage_seuser_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
-
- (rc,exists) = semanage_seuser_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if login mapping for %s is defined" % name)
- if exists:
- raise ValueError("Login mapping for %s is already defined" % name)
try:
- pwd.getpwnam(name)
- except:
- raise ValueError("Linux User %s does not exist" % name)
-
- (rc,u) = semanage_seuser_create(self.sh)
- if rc < 0:
- raise ValueError("Could not create login mapping for %s" % name)
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
- rc = semanage_seuser_set_name(self.sh, u, name)
- if rc < 0:
- raise ValueError("Could not set name for %s" % name)
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if login mapping for %s is defined" % name)
+ if exists:
+ raise ValueError("Login mapping for %s is already defined" % name)
+ try:
+ pwd.getpwnam(name)
+ except:
+ raise ValueError("Linux User %s does not exist" % name)
- rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
- if rc < 0:
- raise ValueError("Could not set MLS range for %s" % name)
+ (rc,u) = semanage_seuser_create(self.sh)
+ if rc < 0:
+ raise ValueError("Could not create login mapping for %s" % name)
- rc = semanage_seuser_set_sename(self.sh, u, sename)
- if rc < 0:
- raise ValueError("Could not set SELinux user for %s" % name)
+ rc = semanage_seuser_set_name(self.sh, u, name)
+ if rc < 0:
+ raise ValueError("Could not set name for %s" % name)
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not start semanage transaction")
+ rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
+ if rc < 0:
+ raise ValueError("Could not set MLS range for %s" % name)
- rc = semanage_seuser_modify_local(self.sh, k, u)
- if rc < 0:
- raise ValueError("Could not add login mapping for %s" % name)
+ rc = semanage_seuser_set_sename(self.sh, u, sename)
+ if rc < 0:
+ raise ValueError("Could not set SELinux user for %s" % name)
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not add login mapping for %s" % name)
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not start semanage transaction")
+ rc = semanage_seuser_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError("Could not add login mapping for %s" % name)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not add login mapping for %s" % name)
+
+ except ValueError, error:
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+ name, 0, "", "", "", 0);
+ raise error
+
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"adding selinux user mapping",
+ name, 0, "", "", "", 1);
semanage_seuser_key_free(k)
semanage_seuser_free(u)
def modify(self, name, sename = "", serange = ""):
- if sename == "" and serange == "":
- raise ValueError("Requires seuser or serange")
+ try:
+ if sename == "" and serange == "":
+ raise ValueError("Requires seuser or serange")
- (rc,k) = semanage_seuser_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
- (rc,exists) = semanage_seuser_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if login mapping for %s is defined" % name)
- if not exists:
- raise ValueError("Login mapping for %s is not defined" % name)
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if login mapping for %s is defined" % name)
+ if not exists:
+ raise ValueError("Login mapping for %s is not defined" % name)
- (rc,u) = semanage_seuser_query(self.sh, k)
- if rc < 0:
- raise ValueError("Could not query seuser for %s" % name)
+ (rc,u) = semanage_seuser_query(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not query seuser for %s" % name)
- if serange != "":
- semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
- if sename != "":
- semanage_seuser_set_sename(self.sh, u, sename)
+ if serange != "":
+ semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
+ if sename != "":
+ semanage_seuser_set_sename(self.sh, u, sename)
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not srart semanage transaction")
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not srart semanage transaction")
- rc = semanage_seuser_modify_local(self.sh, k, u)
- if rc < 0:
- raise ValueError("Could not modify login mapping for %s" % name)
-
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not modify login mapping for %s" % name)
+ rc = semanage_seuser_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError("Could not modify login mapping for %s" % name)
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not modify login mapping for %s" % name)
+
+ except ValueError, error:
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+ name, 0, "", "", "", 0);
+ raise error
+
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping",
+ name, 0, "", "", "", 1);
semanage_seuser_key_free(k)
semanage_seuser_free(u)
def delete(self, name):
- (rc,k) = semanage_seuser_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
+ try:
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
- (rc,exists) = semanage_seuser_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if login mapping for %s is defined" % name)
- if not exists:
- raise ValueError("Login mapping for %s is not defined" % name)
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if login mapping for %s is defined" % name)
+ if not exists:
+ raise ValueError("Login mapping for %s is not defined" % name)
- (rc,exists) = semanage_seuser_exists_local(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if login mapping for %s is defined" % name)
- if not exists:
- raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name)
+ (rc,exists) = semanage_seuser_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if login mapping for %s is defined" % name)
+ if not exists:
+ raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name)
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not start semanage transaction")
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not start semanage transaction")
- rc = semanage_seuser_del_local(self.sh, k)
+ rc = semanage_seuser_del_local(self.sh, k)
- if rc < 0:
- raise ValueError("Could not delete login mapping for %s" % name)
+ if rc < 0:
+ raise ValueError("Could not delete login mapping for %s" % name)
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not delete login mapping for %s" % name)
-
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not delete login mapping for %s" % name)
+
+ except ValueError, error:
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+ name, 0, "", "", "", 0);
+ raise error
+
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete selinux user mapping",
+ name, 0, "", "", "", 1);
semanage_seuser_key_free(k)
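Review bot: The failure-path audit record in `add`, `modify` and `delete` is only written for ValueError, so any other exception escaping the try block — whatever `untranslate(serange)` may raise in `modify`, or an exception from the semanage bindings — leaves no trace even though a transaction may already be open; `semanage_seuser_set_mlsrange`/`set_sename` in `modify` are also still called without checking `rc`, so a change that partly failed can be audited as a success. I would catch `except Exception, error:` there, use `str(error)` as the op string, and re-raise with a bare `raise` so the original traceback is kept (`raise error` resets it). The records also never say what the mapping was changed to; since the new seuser/range is the security-relevant content of an AUDIT_USER_ROLE_CHANGE event, the op string could carry it, e.g. `"adding selinux user mapping %s:%s" % (sename, serange)` — assuming libaudit escapes the op string, which I have not verified here. The hard-coded `0` in the account-id slot claims uid 0 for every login if that argument is libaudit's uid field; `-1` (unknown) or the uid from `pwd.getpwnam(name)` would be more accurate, worth confirming against the binding's signature.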
@@ -322,127 +349,150 @@
else:
selevel = untranslate(selevel)
- (rc,k) = semanage_user_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
+ try:
+ (rc,k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
- (rc,exists) = semanage_user_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if SELinux user %s is defined" % name)
- if exists:
- raise ValueError("SELinux user %s is already defined" % name)
+ (rc,exists) = semanage_user_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
+ if exists:
+ raise ValueError("SELinux user %s is already defined" % name)
- (rc,u) = semanage_user_create(self.sh)
- if rc < 0:
- raise ValueError("Could not create SELinux user for %s" % name)
+ (rc,u) = semanage_user_create(self.sh)
+ if rc < 0:
+ raise ValueError("Could not create SELinux user for %s" % name)
- rc = semanage_user_set_name(self.sh, u, name)
- if rc < 0:
- raise ValueError("Could not set name for %s" % name)
+ rc = semanage_user_set_name(self.sh, u, name)
+ if rc < 0:
+ raise ValueError("Could not set name for %s" % name)
- for r in roles:
- rc = semanage_user_add_role(self.sh, u, r)
+ for r in roles:
+ rc = semanage_user_add_role(self.sh, u, r)
+ if rc < 0:
+ raise ValueError("Could not add role %s for %s" % (r, name))
+
+ rc = semanage_user_set_mlsrange(self.sh, u, serange)
if rc < 0:
- raise ValueError("Could not add role %s for %s" % (r, name))
+ raise ValueError("Could not set MLS range for %s" % name)
- rc = semanage_user_set_mlsrange(self.sh, u, serange)
- if rc < 0:
- raise ValueError("Could not set MLS range for %s" % name)
+ rc = semanage_user_set_mlslevel(self.sh, u, selevel)
+ if rc < 0:
+ raise ValueError("Could not set MLS level for %s" % name)
- rc = semanage_user_set_mlslevel(self.sh, u, selevel)
- if rc < 0:
- raise ValueError("Could not set MLS level for %s" % name)
+ (rc,key) = semanage_user_key_extract(self.sh,u)
+ if rc < 0:
+ raise ValueError("Could not extract key for %s" % name)
- (rc,key) = semanage_user_key_extract(self.sh,u)
- if rc < 0:
- raise ValueError("Could not extract key for %s" % name)
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not start semanage transaction")
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not start semanage transaction")
+ rc = semanage_user_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError("Could not add SELinux user %s" % name)
- rc = semanage_user_modify_local(self.sh, k, u)
- if rc < 0:
- raise ValueError("Could not add SELinux user %s" % name)
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not add SELinux user %s" % name)
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not add SELinux user %s" % name)
+ except ValueError, error:
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+ name, 0, "", "", "", 0);
+ raise error
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add Selinux User Record",
+ name, 0, "", "", "", 1);
semanage_user_key_free(k)
semanage_user_free(u)
def modify(self, name, roles = [], selevel = "", serange = ""):
- if len(roles) == 0 and serange == "" and selevel == "":
- raise ValueError("Requires roles, level or range")
+ try:
+ if len(roles) == 0 and serange == "" and selevel == "":
+ raise ValueError("Requires roles, level or range")
- (rc,k) = semanage_user_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
+ (rc,k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
- (rc,exists) = semanage_user_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if SELinux user %s is defined" % name)
- if not exists:
- raise ValueError("SELinux user %s is not defined" % name)
-
- (rc,u) = semanage_user_query(self.sh, k)
- if rc < 0:
- raise ValueError("Could not query user for %s" % name)
+ (rc,exists) = semanage_user_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
+ if not exists:
+ raise ValueError("SELinux user %s is not defined" % name)
- if serange != "":
- semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
- if selevel != "":
- semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
-
- if len(roles) != 0:
- for r in roles:
- semanage_user_add_role(self.sh, u, r)
+ (rc,u) = semanage_user_query(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not query user for %s" % name)
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not start semanage transaction")
+ if serange != "":
+ semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
+ if selevel != "":
+ semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
+
+ if len(roles) != 0:
+ for r in roles:
+ semanage_user_add_role(self.sh, u, r)
- rc = semanage_user_modify_local(self.sh, k, u)
- if rc < 0:
- raise ValueError("Could not modify SELinux user %s" % name)
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not start semanage transaction")
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not modify SELinux user %s" % name)
-
+ rc = semanage_user_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError("Could not modify SELinux user %s" % name)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not modify SELinux user %s" % name)
+
+ except ValueError, error:
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+ name, 0, "", "", "", 0);
+ raise error
+
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify Selinux User Record",
+ name, 0, "", "", "", 1);
semanage_user_key_free(k)
semanage_user_free(u)
def delete(self, name):
- (rc,k) = semanage_user_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
-
- (rc,exists) = semanage_user_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if SELinux user %s is defined" % name)
- if not exists:
- raise ValueError("SELinux user %s is not defined" % name)
+ try:
+ (rc,k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
+
+ (rc,exists) = semanage_user_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
+ if not exists:
+ raise ValueError("SELinux user %s is not defined" % name)
- (rc,exists) = semanage_user_exists_local(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if SELinux user %s is defined" % name)
- if not exists:
- raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name)
+ (rc,exists) = semanage_user_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
+ if not exists:
+ raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name)
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not start semanage transaction")
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not start semanage transaction")
- rc = semanage_user_del_local(self.sh, k)
- if rc < 0:
- raise ValueError("Could not delete SELinux user %s" % name)
+ rc = semanage_user_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not delete SELinux user %s" % name)
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not delete SELinux user %s" % name)
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not delete SELinux user %s" % name)
+ except ValueError, error:
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+ name, 0, "", "", "", 0);
+ raise error
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"Delete Selinux User Record",
+ name, 0, "", "", "", 1);
semanage_user_key_free(k)
def get_all(self):
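Review bot: In `modify`, `semanage_user_add_role(self.sh, u, r)` inside the role loop still discards its return value, while the same call in `add` in this hunk now checks it and raises; a role that failed to be added is therefore committed without it and then audited as a `"modify Selinux User Record"` success. The three lines from `add` fit unchanged: `rc = semanage_user_add_role(self.sh, u, r)` / `if rc < 0:` / `raise ValueError("Could not add role %s for %s" % (r, name))`, and the unchecked `semanage_user_set_mlsrange`/`set_mlslevel` calls just above the loop deserve the same treatment. Since roles are what an AUDIT_USER_ROLE_CHANGE record is about, the success op string could also name them, e.g. `"modify Selinux User Record roles=%s" % ",".join(roles)`, assuming libaudit escapes the op string (not verified here). The trailing `def get_all(self):` context is cut off by the hunk, so only the three methods above are reviewed.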