diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.1/Makefile --- nsapolicycoreutils/Makefile 2006-11-16 17:15:00.000000000 -0500 +++ policycoreutils-2.0.1/Makefile 2007-02-15 15:16:09.000000000 -0500 @@ -1,4 +1,4 @@ -SUBDIRS=setfiles semanage load_policy newrole run_init restorecon restorecond secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po +SUBDIRS=setfiles semanage load_policy newrole run_init restorecon restorecond secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui all install relabel clean indent: @for subdir in $(SUBDIRS); do \ diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.1/restorecond/restorecond.c --- nsapolicycoreutils/restorecond/restorecond.c 2006-11-16 17:14:28.000000000 -0500 +++ policycoreutils-2.0.1/restorecond/restorecond.c 2007-02-15 15:16:09.000000000 -0500 @@ -210,9 +210,10 @@ } if (fsetfilecon(fd, scontext) < 0) { - syslog(LOG_ERR, - "set context %s->%s failed:'%s'\n", - filename, scontext, strerror(errno)); + if (errno != EOPNOTSUPP) + syslog(LOG_ERR, + "set context %s->%s failed:'%s'\n", + filename, scontext, strerror(errno)); if (retcontext >= 0) free(prev_context); free(scontext); 
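Review bot: The new `if (errno != EOPNOTSUPP)` guard around the `fsetfilecon()` failure message makes the relabel failure completely silent, so a watched file on a filesystem without label support keeps whatever context it has and nothing records that. The `fgetfilecon()` branch in the next hunk (@@ -225,8 +226,9 @@) has the same pattern. Rather than dropping the message, consider demoting it, e.g. `syslog(errno == EOPNOTSUPP ? LOG_DEBUG : LOG_ERR, ...)` with the existing format and arguments, or logging it once per file. The unbraced `if` now governs a multi-line call, so bracing it would keep a later edit from detaching the statement. The enclosing function starts and ends outside both hunks.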
@@ -225,8 +226,9 @@ if (retcontext >= 0) free(prev_context); } else { - syslog(LOG_ERR, "get context on %s failed: '%s'\n", - filename, strerror(errno)); + if (errno != EOPNOTSUPP) + syslog(LOG_ERR, "get context on %s failed: '%s'\n", + filename, strerror(errno)); } free(scontext); close(fd); diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.1/restorecond/restorecond.conf --- nsapolicycoreutils/restorecond/restorecond.conf 2006-11-20 12:19:55.000000000 -0500 +++ policycoreutils-2.0.1/restorecond/restorecond.conf 2007-02-15 15:16:09.000000000 -0500 @@ -1,7 +1,9 @@ /etc/resolv.conf +/etc/localtime /etc/samba/secrets.tdb /etc/mtab /var/run/utmp +/var/run/faillog /var/log/wtmp ~/public_html ~/.mozilla/plugins/libflashplayer.so diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.1/scripts/chcat --- nsapolicycoreutils/scripts/chcat 2006-11-16 17:14:27.000000000 -0500 +++ policycoreutils-2.0.1/scripts/chcat 2007-02-15 15:16:09.000000000 -0500 @@ -25,11 +25,22 @@ import commands, sys, os, pwd, string, getopt, selinux import seobject import gettext +import codecs +import locale +sys.stderr = codecs.getwriter(locale.getpreferredencoding())(sys.__stderr__, 'replace') +sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.__stdout__, 'replace') try: gettext.install('policycoreutils') -except: - pass +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +def errorExit(error): + sys.stderr.write("%s: " % sys.argv[0]) + sys.stderr.write("%s\n" % error) + sys.stderr.flush() + sys.exit(1) def verify_users(users): for u in users: 
@@ -62,12 +73,20 @@ for i in newcat[1:]: if i not in cats: cats.append(i) + new_serange = "%s-%s:%s" % (serange[0], top[0], string.join(cats, ",")) - + if new_serange[-1:] == ":": + new_serange = new_serange[:-1] + if add_ind: - logins.add(u, user[0], new_serange) + cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) else: - logins.modify(u, user[0], new_serange) + cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) + rc = commands.getstatusoutput(cmd) + if rc[0] != 0: + print rc[1] + errors += 1 + return errors def chcat_add(orig, newcat, objects,login_ind): @@ -133,11 +152,17 @@ cats.remove(i) new_serange = "%s-%s:%s" % (serange[0], top[0], string.join(cats, ",")) + if new_serange[-1:] == ":": + new_serange = new_serange[:-1] if add_ind: - logins.add(u, user[0], new_serange) + cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) else: - logins.modify(u, user[0], new_serange) + cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) + rc = commands.getstatusoutput(cmd) + if rc[0] != 0: + print rc[1] + errors += 1 return errors def chcat_remove(orig, newcat, objects, login_ind): @@ -198,11 +223,17 @@ user = seusers["__default__"] serange = user[1].split("-") new_serange = "%s-%s:%s" % (serange[0],newcat[0], string.join(newcat[1:], ",")) - + if new_serange[-1:] == ":": + new_serange = new_serange[:-1] + if add_ind: - logins.add(u, user[0], new_serange) + cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) else: - logins.modify(u, user[0], new_serange) + cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) + rc = commands.getstatusoutput(cmd) + if rc[0] != 0: + print rc[1] + errors += 1 return errors def chcat_replace(newcat, objects, login_ind): 
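Review bot: The added `cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)` is handed to `commands.getstatusoutput()`, which runs the string through a shell, so the range, SELinux user and login name are re-parsed as shell words rather than passed as data. The same lines are repeated in the @@ -133,11 +152,17 @@ and @@ -198,11 +223,17 @@ hunks. chcat is normally run with administrative privilege, so an argument containing whitespace or shell metacharacters should not be able to change what gets executed. Passing an argument vector without a shell avoids this, e.g. `rc = subprocess.call(["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u])` (needs `import subprocess`, with the status check adjusted to the integer result), and the three copies could share one helper. Two smaller points: `print rc[1]` sends the failure text to stdout although this commit adds `errorExit()` for stderr reporting, and the initialisation of `errors` is outside the hunks, so confirm it is set to 0 before `errors += 1`.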
@@ -362,6 +393,10 @@ if list_ind == 0 and len(cmds) < 1: usage() + + except getopt.error, error: + errorExit(_("Options Error %s ") % error.msg) + except ValueError, e: usage() diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat.8 policycoreutils-2.0.1/scripts/chcat.8 --- nsapolicycoreutils/scripts/chcat.8 2007-01-17 11:11:34.000000000 -0500 +++ policycoreutils-2.0.1/scripts/chcat.8 2007-02-15 15:16:09.000000000 -0500 @@ -3,30 +3,31 @@ chcat \- change file SELinux security category .SH SYNOPSIS .B chcat -\fICATEGORY FILE\fR... +\fIcategory file\fR... .br .B chcat -l -\fICATEGORY USER\fR... +\fIcategory user\fR... .br .B chcat -\fI[[+|-]CATEGORY],...] FILE\fR... +\fI[[+|-]category...] file\fR... .br .B chcat -l -\fI[[+|-]CATEGORY],...] USER\fR... +\fI[[+|-]category...] user\fR... .br .B chcat -[\fI-d\fR] \fIFILE\fR... +[\fI-d\fR] \fIfile\fR... .br .B chcat -l -[\fI-d\fR] \fIUSER\fR... +[\fI-d\fR] \fIuser\fR... .br .B chcat -\fI-L\fR [-l] [ USER ... ] +\fI-L\fR [ -l ] [ user ... ] .br +.SH DESCRIPTION .PP -Change/Remove the security CATEGORY for each FILE/USER. +Change/Remove the security \fIcategory\fR for each \fIfile\fR or \fIuser\fR. .PP -Use +/- to add/remove categories from a FILE/USER. +Use +/- to add/remove categories from a \fIfile\fR or \fIuser\fR. .PP .B Note: diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.1/scripts/fixfiles.8 --- nsapolicycoreutils/scripts/fixfiles.8 2007-01-17 11:11:34.000000000 -0500 +++ policycoreutils-2.0.1/scripts/fixfiles.8 2007-02-15 15:16:09.000000000 -0500 
@@ -54,7 +54,7 @@ change any incorrect file context labels. .TP .B relabel -Prompt for removal of contents of /tmp directory and then change any inccorect file context labels to match the install file_contexts file. +Prompt for removal of contents of /tmp directory and then change any incorrect file context labels to match the install file_contexts file. .TP .B verify List out files with incorrect file context labels, but do not change them. diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.1/semanage/seobject.py --- nsapolicycoreutils/semanage/seobject.py 2007-02-20 08:43:10.000000000 -0500 +++ policycoreutils-2.0.1/semanage/seobject.py 2007-02-15 15:16:09.000000000 -0500 @@ -139,7 +139,7 @@ translations = fd.readlines() fd.close() except IOError, e: - raise ValueError(_("Unable to open %s: translations not supported on non-MLS machines") % (self.filename) ) + raise ValueError(_("Unable to open %s: translations not supported on non-MLS machines") % (self.filename, e) ) self.ddict = {} self.comments = [] @@ -209,7 +209,8 @@ os.write(fd, self.out()) os.close(fd) os.rename(newfilename, self.filename) - + os.system("/sbin/service mcstrans reload > /dev/null") + class semanageRecords: def __init__(self): self.sh = semanage_handle_create() @@ -464,7 +465,8 @@ rc = semanage_user_set_mlslevel(self.sh, u, selevel) if rc < 0: raise ValueError(_("Could not set MLS level for %s") % name) - + if selinux.security_check_context("system_u:object_r:%s_home_t:s0" % prefix) != 0: + raise ValueError(_("Invalid prefix %s") % prefix) rc = semanage_user_set_prefix(self.sh, u, prefix) if rc < 0: raise ValueError(_("Could not add prefix %s for %s") % (r, prefix)) 
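Review bot: The new `% (self.filename, e)` in the @@ -139,7 +139,7 @@ hunk supplies two values to a format string that still has a single `%s`. When the `IOError` is caught, this line raises `TypeError: not all arguments converted during string formatting` instead of the intended `ValueError`. Either add a placeholder for the exception, e.g. `_("Unable to open %s: translations not supported on non-MLS machines: %s") % (self.filename, e)`, or go back to `% (self.filename)`. Changing the msgid also means the translation catalogs need updating. The enclosing method starts outside the hunk.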
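Review bot: The exit status of the added `os.system("/sbin/service mcstrans reload > /dev/null")` in the @@ -209,7 +209,8 @@ hunk is discarded. If the reload fails, the translation file on disk has already been replaced by `os.rename()` while the daemon keeps serving the old table, and the caller gets no indication. Capture the status and report it, e.g. `rc = os.system("/sbin/service mcstrans reload > /dev/null")` followed by `if rc != 0: raise ValueError(_("Could not reload mcstrans"))`, or at least a warning on stderr. The command is a fixed string, so the shell use is not an injection concern here, but only stdout is silenced and stderr is still inherited. The method's start is outside the hunk.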
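Review bot: The prefix check added in the @@ -464,7 +465,8 @@ hunk builds `"system_u:object_r:%s_home_t:s0" % prefix`, while the matching check in the @@ -530,7 +532,9 @@ hunk builds `"system_u:object_r:%s_home_t" % prefix` with no level, so add and modify validate the same prefix against different context strings. Presumably one of the two forms is rejected depending on whether the loaded policy is MLS/MCS-enabled, which would make that operation fail with "Invalid prefix" for a valid prefix; this needs confirming against `security_check_context()` on both policy types. Consider building the context in one helper that appends the level only when `selinux.is_selinux_mls_enabled()` reports MLS support. The context line `% (r, prefix)` just below the new check also looks like it uses `r` where `name` was intended, though that line predates this change.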
@@ -530,7 +532,9 @@ semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) if prefix != "": - semanage_user_set_prefix(self.sh, u, prefix) + if selinux.security_check_context("system_u:object_r:%s_home_t" % prefix) != 0: + raise ValueError(_("Invalid prefix %s") % prefix) + semanage_user_set_prefix(self.sh, u, prefix) if len(roles) != 0: for r in rlist: diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.1/newrole/newrole.c --- nsapolicycoreutils/newrole/newrole.c 2007-01-24 10:03:59.000000000 -0500 +++ policycoreutils-2.0.1/newrole/newrole.c 2007-02-15 15:16:09.000000000 -0500 @@ -636,11 +636,12 @@ static int relabel_tty(const char *ttyn, } /* Re-open TTY descriptor */ - fd = open(ttyn, O_RDWR); + fd = open(ttyn, O_RDWR|O_NONBLOCK); if (fd < 0) { fprintf(stderr, _("Error! Could not open %s.\n"), ttyn); return fd; } + fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); if (fgetfilecon(fd, &tty_con) < 0) { fprintf(stderr, _("%s! Could not get current context " @@ -1127,15 +1128,18 @@ int main(int argc, char *argv[]) fprintf(stderr, _("Could not close descriptors.\n")); goto err_close_pam; } - fd = open(ttyn, O_RDONLY); + fd = open(ttyn, O_RDONLY|O_NONBLOCK); if (fd != 0) goto err_close_pam; - fd = open(ttyn, O_RDWR); + fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); + fd = open(ttyn, O_RDWR|O_NONBLOCK); if (fd != 1) goto err_close_pam; - fd = open(ttyn, O_RDWR); + fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); + fd = open(ttyn, O_RDWR|O_NONBLOCK); if (fd != 2) goto err_close_pam; + fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); /* * Step 5: Execute a new shell with the new context in `new_context'.
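Review bot: Neither `fcntl()` call in the added `fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);` in `relabel_tty()` is checked. If `F_GETFL` fails it returns -1, and `-1 & ~O_NONBLOCK` is then passed to `F_SETFL` as a flag word with almost every bit set; if `F_SETFL` fails, the descriptor silently stays non-blocking. The same statement is added three times in the `main()` hunk (@@ -1127,15 +1128,18 @@) for descriptors 0, 1 and 2, which the new shell inherits. Split the call and test both results, e.g. `flags = fcntl(fd, F_GETFL, 0);` then `if (flags < 0 || fcntl(fd, F_SETFL, flags & ~O_NONBLOCK) < 0) { close(fd); return -1; }` in `relabel_tty()`, and `goto err_close_pam;` on failure in `main()`. A small static helper would avoid four copies, and both function bodies extend beyond their hunks.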