diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.34/audit2allow/audit2allow
--- nsapolicycoreutils/audit2allow/audit2allow 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.34/audit2allow/audit2allow 2007-12-21 01:59:57.000000000 -0500
@@ -60,7 +60,9 @@
         parser.add_option("-o", "--output", dest="output",
                           help="append output to , conflicts with -M")
         parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
-                          default=False, help="generate refpolicy style output")
+                          default=True, help="generate refpolicy style output")
+        parser.add_option("-N", "--noreference", action="store_false", dest="refpolicy",
+                          default=False, help="do not generate refpolicy style output")
         parser.add_option("-v", "--verbose", action="store_true", dest="verbose",
                           default=False, help="explain generated output")
         parser.add_option("-e", "--explain", action="store_true", dest="explain_long",
@@ -149,9 +151,11 @@
         if self.__options.type:
             filter = audit.TypeFilter(self.__options.type)
             self.__avs = self.__parser.to_access(filter)
+            self.__selinux_errs = self.__parser.to_role(filter)
         else:
             self.__avs = self.__parser.to_access()
-
+            self.__selinux_errs = self.__parser.to_role()
+
     def __load_interface_info(self):
         # Load interface info file
         if self.__options.interface_info:
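Review bot: The `default=False` on the new `-N` option silently replaces the `default=True` given two lines earlier for the same `dest="refpolicy"`, because optparse keeps only the last default recorded for a dest, so refpolicy output is not actually the default that the `-R` help text and the man page now claim. Drop the default from the `-N` line, or set it once explicitly after both options are declared with `parser.set_defaults(refpolicy=True)`. The option-parsing method starts and ends outside the hunk.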
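Review bot: `self.__selinux_errs` is filled from `to_role()` and later printed under a ROLES heading, so the name describes the data as errors when it holds role statements; `self.__roles` would say what it is. The `to_role` parser method lives in sepolgen, which this diff excludes, so whether it returns an empty list rather than None when nothing matches cannot be confirmed here and should be checked, since the output code calls `len()` on it. The enclosing method starts before the hunk.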
@@ -251,6 +255,12 @@
             fd = sys.stdout
         writer.write(g.get_module(), fd)
 
+        if len(self.__selinux_errs) > 0:
+            fd.write("\n=========== ROLES ===============\n")
+
+            for role in self.__selinux_errs:
+                fd.write(role.output())
+
     def main(self):
         try:
             self.__parse_options()
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.34/audit2allow/audit2allow.1
--- nsapolicycoreutils/audit2allow/audit2allow.1 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.34/audit2allow/audit2allow.1 2007-12-19 06:05:50.000000000 -0500
@@ -65,8 +65,11 @@
 .B "\-r" | "\-\-requires"
 Generate require output syntax for loadable modules.
 .TP
+.B "\-N" | "\-\-noreference"
+Do not generate reference policy, traditional style allow rules.
+.TP
 .B "\-R" | "\-\-reference"
-Generate reference policy using installed macros. Requires the selinux-policy-devel package.
+Generate reference policy using installed macros.Default
 .TP
 .B "\-t " | "\-\-tefile"
 Indicates input file is a te (type enforcement) file. This can be used to translate old te format to new policy format.
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/sepolgen-ifgen policycoreutils-2.0.34/audit2allow/sepolgen-ifgen
--- nsapolicycoreutils/audit2allow/sepolgen-ifgen 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.34/audit2allow/sepolgen-ifgen 2007-12-20 14:19:50.000000000 -0500
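Review bot: The ROLES banner and role statements are written to `fd` unconditionally, and `fd` is only `sys.stdout` in the else branch shown; when it is an output file opened for `-o` or for the `-M` module build (the assignment is above the hunk), a bare `=========== ROLES ===============` line is not valid policy syntax and would break a later `checkmodule` run on that file. Guard the banner with `if fd is sys.stdout:` or emit it as a `#` comment line, and prefer `if self.__selinux_errs:` over `len(...) > 0`. The enclosing method starts before the hunk.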
@@ -80,7 +80,10 @@
     if_set.to_file(f)
     f.close()
 
-    return 0
+    if refparser.success:
+        return 0
+    else:
+        return 1
 
 if __name__ == "__main__":
     sys.exit(main())
Binary files nsapolicycoreutils/audit2why/audit2why and policycoreutils-2.0.34/audit2why/audit2why differ
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why.c policycoreutils-2.0.34/audit2why/audit2why.c
--- nsapolicycoreutils/audit2why/audit2why.c 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.34/audit2why/audit2why.c 2007-12-31 11:12:23.000000000 -0500
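Review bot: The interface set is written to the output file by `if_set.to_file(f)` before `refparser.success` is consulted, so on a parse failure the caller gets a non-zero exit status but a partial or wrong interface file is already on disk, where audit2allow will later load it as if it were good. Check `refparser.success` before the file is opened and written (the open is above the hunk), so that a failed parse leaves the previous interface file untouched and the non-zero return is the only effect. `main` begins outside the hunk.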
@@ -22,27 +22,146 @@ exit(rc); } +struct bool_t { + const sepol_bool_t * boolean; + char *name; + int active; +}; + +static struct bool_t **boollist = NULL; +static int boolcnt = 0; + +struct access_t { + sepol_handle_t *handle; + sepol_policydb_t *policydb; + sepol_security_id_t ssid; + sepol_security_id_t tsid; + sepol_security_class_t tclass; + sepol_access_vector_t av; +}; + +static int load_booleans (const sepol_bool_t * boolean, + void *arg __attribute__ ((__unused__)) ) { + boollist[boolcnt] = (struct bool_t *) malloc(sizeof (struct bool_t)); + boollist[boolcnt]->boolean = boolean; + boollist[boolcnt]->name = strdup(sepol_bool_get_name(boolean)); + boollist[boolcnt]->active = sepol_bool_get_value(boolean); + boolcnt++; + return 0; +} + +static int check_booleans (struct access_t *access) { + struct sepol_av_decision avd; + unsigned int reason; + int rc; + int i; + sepol_bool_key_t *key=NULL; + int fcnt = 0; + int *foundlist = calloc(boolcnt, sizeof(int)); + if (!foundlist) { + fprintf(stderr, + "Out of memory.\n"); + return fcnt; + } + for (i=0; i < boolcnt; i++) { + char *name = boollist[i]->name; + int active = boollist[i]->active; + sepol_bool_t * boolean = (sepol_bool_t *) boollist[i]->boolean; + rc = sepol_bool_key_create(access->handle, + name, + &key); + if (rc < 0) { + fprintf(stderr, + "Could not create boolean key.\n"); + break; + } + sepol_bool_set_value(boolean, !active); + + rc = sepol_bool_set(access->handle, + access->policydb, + key, + boolean); + if (rc < 0) { + fprintf(stderr, + "Could not set boolean data %s.\n", name); + break; + } + + /* Reproduce the computation. 
*/ + rc = sepol_compute_av_reason(access->ssid, access->tsid, access->tclass, access->av, &avd, &reason); + if (rc < 0) { + fprintf(stderr, + "Error during access vector computation, skipping...\n"); + break; + } else { + if (!reason) { + foundlist[fcnt] = i; + fcnt++; + } + sepol_bool_set_value((sepol_bool_t*)boolean, active); + rc = sepol_bool_set(access->handle, + access->policydb, + key, + (sepol_bool_t*) boolean); + if (rc < 0) { + fprintf(stderr, + "Could not set boolean data %s.\n", name); + break; + } + } + sepol_bool_key_free(key); + key=NULL; + } + if (key) + sepol_bool_key_free(key); + + if (fcnt > 0) { + printf("\tA boolean being set incorrectly.\n"); + for (i = 0; i < fcnt; i++) { + int ctr = foundlist[i]; + char *name = boollist[ctr]->name; + int active = boollist[ctr]->active; + printf("\n\tBoolean %s is %d.\n\tExecute the following to allow access:\n", name, active); + printf("\t# setsebool -P %s %d\n", name, !active); + } + } + + free(foundlist); + return fcnt; +} + + int main(int argc, char **argv) { char path[PATH_MAX]; char *buffer = NULL, *bufcopy = NULL; - unsigned int lineno = 0; + unsigned int lineno = 0, cnt; size_t len = 0, bufcopy_len = 0; - FILE *fp; + FILE *fp, *avcp=stdin; int opt, rc, set_path = 0; char *p, *scon, *tcon, *tclassstr, *permstr; sepol_security_id_t ssid, tsid; sepol_security_class_t tclass; sepol_access_vector_t perm, av; + struct access_t access; struct sepol_av_decision avd; unsigned int reason; int vers = 0; sidtab_t sidtab; policydb_t policydb; struct policy_file pf; - - while ((opt = getopt(argc, argv, "p:?h")) > 0) { + + while ((opt = getopt(argc, argv, "i:p:?h")) > 0) { switch (opt) { + case 'i': + avcp = fopen(optarg, "r"); + if (!avcp) { + fprintf(stderr, "%s: unable to open %s: %s\n", + argv[0], path, strerror(errno)); + exit(1); + } + break; + case 'p': set_path = 1; strncpy(path, optarg, PATH_MAX); 
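Review bot: In the new `case 'i':` the error message prints `path`, which is an uninitialized stack array unless `-p` appeared earlier on the command line, so the message reads garbage (undefined behaviour) and never names the file that failed; the line should be `argv[0], optarg, strerror(errno));`. In `check_booleans`, a failure of `sepol_compute_av_reason` breaks out of the loop after the boolean has been flipped but before it is restored, leaving the loaded policy modified for every later denial on the same run; restore the value (and free `key`) before that `break`. `load_booleans` also stores the results of `malloc` and `strdup` without checking them and never compares `boolcnt` against the count that sized `boollist`, so a mismatch between `sepol_bool_count` and `sepol_bool_iterate` would write past the array. `main` continues past the end of the hunk.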
@@ -110,7 +229,6 @@ } fclose(fp); sepol_set_policydb(&policydb); - if (!set_path) { /* If they didn't specify a full path of a binary policy file, then also try loading any boolean settings and user @@ -125,6 +243,30 @@ (void)sepol_genusers_policydb(&policydb, selinux_users_path()); } + access.handle = sepol_handle_create(); + access.policydb = (sepol_policydb_t *) &policydb, + + rc = sepol_bool_count(access.handle, + access.policydb, + &cnt); + if (rc < 0) { + fprintf(stderr, "%s: unable to get bool count\n", argv[0]); + exit(1); + } + + boollist = calloc(cnt, sizeof(struct bool_t)); + if (!boollist) { + fprintf(stderr, "%s: Out of memory\n", argv[0]); + exit(1); + } + + + sepol_bool_iterate(access.handle, + (const sepol_policydb_t *) &policydb, + load_booleans, + (void *)NULL); + + /* Initialize the sidtab for subsequent use by sepol_context_to_sid and sepol_compute_av_reason. */ rc = sepol_sidtab_init(&sidtab); @@ -135,8 +277,10 @@ sepol_set_sidtab(&sidtab); /* Process the audit messages. */ - while (getline(&buffer, &len, stdin) > 0) { + while (getline(&buffer, &len, avcp) > 0) { size_t len2 = strlen(buffer); + char *begin, *end, *search_buf; + int slen = 0; if (buffer[len2 - 1] == '\n') buffer[len2 - 1] = 0; @@ -179,6 +323,7 @@ } *p++ = 0; + search_buf = p; /* Get scontext and convert to SID. */ while (*p && strncmp(p, SCONTEXT, sizeof(SCONTEXT) - 1)) p++; @@ -188,11 +333,14 @@ continue; } p += sizeof(SCONTEXT) - 1; - scon = p; + begin = p; while (*p && !isspace(*p)) p++; - if (*p) - *p++ = 0; + end = p; + slen=end - begin; + scon = calloc(slen+1, 1); + strncpy(scon, begin, slen); + rc = sepol_context_to_sid(scon, strlen(scon) + 1, &ssid); if (rc < 0) { fprintf(stderr, @@ -201,6 +349,10 @@ continue; } + free(scon); + /* start searching at the beginning again */ + p = search_buf; + /* Get tcontext and convert to SID. */ while (*p && strncmp(p, TCONTEXT, sizeof(TCONTEXT) - 1)) p++; 
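Review bot: `sepol_handle_create()` can return NULL and `sepol_bool_iterate()` returns a status, yet neither is checked before `boollist` is used, so an allocation or iteration failure leaves `boolcnt` short or the handle NULL for every later `check_booleans` call. `boollist` is an array of `struct bool_t *` but is sized with `sizeof(struct bool_t)`; `calloc(cnt, sizeof(*boollist))` ties the size to the element type. The line `access.policydb = (sepol_policydb_t *) &policydb,` ends in a comma rather than a semicolon, which compiles as a comma expression joined to the following `rc = ...` assignment but reads as a typo. `main` starts and ends outside the hunk.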
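Review bot: `scon = calloc(slen+1, 1)` is not checked, so an allocation failure feeds a NULL destination to `strncpy` on the next line; `scon = strndup(begin, slen);` does the same copy in one call and still wants a NULL check that prints an out-of-memory message and `continue`s. The copy exists because `p` is later reset to `search_buf` instead of NUL-terminating in place, which is a fair trade for order-independent field parsing but deserves a one-line comment at the allocation, e.g. `/* copy rather than terminate in place: the buffer is re-scanned for each field */`. The enclosing loop body continues outside the hunk.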
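Review bot: `free(scon)` is placed after the `if (rc < 0) { ... continue; }` block that precedes it, so every audit line whose scontext fails `sepol_context_to_sid` leaks the copy made a few lines earlier; add `free(scon);` inside the error branch before the `continue`, or move the existing free above the check since `scon` is not used afterwards. The loop body starts and ends outside the hunk.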
@@ -210,11 +362,15 @@ continue; } p += sizeof(TCONTEXT) - 1; - tcon = p; + + begin = p; while (*p && !isspace(*p)) p++; - if (*p) - *p++ = 0; + end = p; + slen=end - begin; + tcon = calloc(slen+1, 1); + strncpy(tcon, begin, slen); + rc = sepol_context_to_sid(tcon, strlen(tcon) + 1, &tsid); if (rc < 0) { fprintf(stderr, @@ -222,6 +378,9 @@ TCONTEXT, tcon, lineno); continue; } + free(tcon); + /* start searching at the beginning again */ + p = search_buf; /* Get tclass= and convert to value. */ while (*p && strncmp(p, TCLASS, sizeof(TCLASS) - 1)) @@ -232,12 +391,17 @@ continue; } p += sizeof(TCLASS) - 1; - tclassstr = p; + begin = p; while (*p && !isspace(*p)) p++; - if (*p) - *p = 0; + + end = p; + slen=end - begin; + tclassstr = calloc(slen+1, 1); + strncpy(tclassstr, begin, slen); + tclass = string_to_security_class(tclassstr); + free(tclassstr); if (!tclass) { fprintf(stderr, "Invalid %s%s on line %u, skipping...\n", @@ -286,11 +450,16 @@ } if (reason & SEPOL_COMPUTEAV_TE) { - printf("\t\tMissing or disabled TE allow rule.\n"); - printf - ("\t\tAllow rules may exist but be disabled by boolean settings; check boolean settings.\n"); - printf - ("\t\tYou can see the necessary allow rules by running audit2allow with this audit message as input.\n"); + access.ssid = ssid; + access.tsid = tsid; + access.tclass = tclass; + access.av = av; + + if (check_booleans(&access) == 0) { + printf("\t\tMissing or disabled TE allow rule.\n"); + printf + ("\t\tYou can see the necessary allow rules by running audit2allow with this audit message as input.\n"); + } } if (reason & SEPOL_COMPUTEAV_CONS) { @@ -309,5 +478,8 @@ } free(buffer); free(bufcopy); + if (avcp != stdin) + fclose(avcp); + exit(0); } diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.34/Makefile --- nsapolicycoreutils/Makefile 2007-12-19 06:02:52.000000000 -0500 +++ policycoreutils-2.0.34/Makefile 2007-12-19 06:06:04.000000000 -0500 
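Review bot: As with `scon`, `free(tcon)` follows the error branch that ends in `continue`, so a tcontext that fails `sepol_context_to_sid` leaks its copy on every such audit line; add `free(tcon);` before that `continue` as well. The loop body starts and ends outside the hunk.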
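Review bot: The `calloc` for `tclassstr` is unchecked, so an allocation failure reaches `strncpy` with a NULL destination; the three-line copy could be `tclassstr = strndup(begin, slen);` followed by a NULL check that reports out-of-memory and `continue`s. Unlike the `scon` and `tcon` copies, this one is freed before its error check, which is the right order. The loop body starts and ends outside the hunk.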
@@ -1,4 +1,4 @@ -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po +SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.34/restorecond/restorecond.c --- nsapolicycoreutils/restorecond/restorecond.c 2007-07-16 14:20:41.000000000 -0400 +++ policycoreutils-2.0.34/restorecond/restorecond.c 2007-12-19 06:05:50.000000000 -0500 @@ -210,9 +210,10 @@ } if (fsetfilecon(fd, scontext) < 0) { - syslog(LOG_ERR, - "set context %s->%s failed:'%s'\n", - filename, scontext, strerror(errno)); + if (errno != EOPNOTSUPP) + syslog(LOG_ERR, + "set context %s->%s failed:'%s'\n", + filename, scontext, strerror(errno)); if (retcontext >= 0) free(prev_context); free(scontext); @@ -225,8 +226,9 @@ if (retcontext >= 0) free(prev_context); } else { - syslog(LOG_ERR, "get context on %s failed: '%s'\n", - filename, strerror(errno)); + if (errno != EOPNOTSUPP) + syslog(LOG_ERR, "get context on %s failed: '%s'\n", + filename, strerror(errno)); } free(scontext); close(fd); diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.34/scripts/chcat --- nsapolicycoreutils/scripts/chcat 2007-08-23 16:52:26.000000000 -0400 +++ policycoreutils-2.0.34/scripts/chcat 2007-12-19 06:05:50.000000000 -0500 
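Review bot: `gui` is appended to `SUBDIRS`, but the diff itself is generated with `--exclude=gui`, so the directory and its Makefile are not part of this patch; anyone applying it without the separate gui tree gets a failing `make` from the recursive subdirectory target. Either ship the gui directory with the patch or make the entry conditional on its presence, e.g. `SUBDIRS += $(wildcard gui)`.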
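Review bot: Suppressing the `fsetfilecon` failure entirely when errno is `EOPNOTSUPP` means files on filesystems without xattr support are quietly left with the wrong label, and an operator asking why a path is mislabeled finds nothing in the log. Logging those cases at a lower priority keeps the noise out of the default log while preserving the evidence, e.g. `syslog(errno == EOPNOTSUPP ? LOG_DEBUG : LOG_ERR, "set context %s->%s failed:'%s'\n", filename, scontext, strerror(errno));`. The enclosing function starts before the hunk.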
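Review bot: The `else` branch tests `errno` for the earlier `fgetfilecon` failure, but the `fsetfilecon` call and the `free` calls in the hunk above run between that failure and this check, so by the time it is evaluated errno may belong to a different call and the `EOPNOTSUPP` test can misfire in either direction. Save the error immediately after `fgetfilecon` fails, `int geterr = errno;`, and test `geterr` here. The function starts before the hunk, so the position of the `fgetfilecon` call is inferred from the `retcontext` variable rather than seen.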
@@ -25,10 +25,6 @@ import commands, sys, os, pwd, string, getopt, selinux import seobject import gettext -import codecs -import locale -sys.stderr = codecs.getwriter(locale.getpreferredencoding())(sys.__stderr__, 'replace') -sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.__stdout__, 'replace') try: gettext.install('policycoreutils') diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.34/scripts/fixfiles --- nsapolicycoreutils/scripts/fixfiles 2007-12-10 21:42:28.000000000 -0500 +++ policycoreutils-2.0.34/scripts/fixfiles 2007-12-31 10:54:13.000000000 -0500 @@ -126,17 +126,15 @@ done exit $? fi -if [ ! -z "$DIRS" ]; then +if [ ! -z "$PATH" ]; then if [ -x /usr/bin/find ]; then - for d in ${DIRS} ; do find $d \ + /usr/bin/find "$PATH" \ ! \( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) -prune -o -print | \ ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -f - 2>&1 >> $LOGFILE - done else - ${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $* $DIRS 2>&1 >> $LOGFILE + ${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $* $PATH 2>&1 >> $LOGFILE fi - - exit $? + return fi LogReadOnly ${SETFILES} -q ${OUTFILES} ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE @@ -173,6 +171,20 @@ fi } +process() { +# +# Make sure they specified one of the three valid commands +# +case "$1" in + restore) restore -p ;; + check) restore -n -v;; + verify) restore -n -o -;; + relabel) relabel;; + *) + usage + exit 1 +esac +} usage() { echo $"Usage: $0 [-l logfile ] [-o outputfile ] { check | restore|[-F] relabel } [[dir] ... ] " echo or 
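Review bot: The directory to relabel is carried in `$PATH`, which is the shell's command search path, so `[ ! -z "$PATH" ]` is true even when no directory was passed (the inherited PATH is never empty) and the `setfiles` branch after it becomes unreachable; the newly hard-coded `/usr/bin/find` suggests command lookup had already been broken by the reuse. Use a name that is not an environment variable, e.g. `if [ ! -z "$FIXPATH" ]; then`, and quote it in the `${RESTORECON} -R` fallback as it is quoted in the `find` call, since a directory name with spaces splits into several arguments there. The `restore` function starts and ends outside the hunk.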
@@ -229,22 +241,15 @@ shift 1 if [ ! -z "$RPMFILES" ]; then + process $command if [ $# -gt 0 ]; then usage fi else - DIRS=$* + while [ -n "$1" ]; do + PATH=$1 + process $command + shift + done fi - -# -# Make sure they specified one of the three valid commands -# -case "$command" in - restore) restore -p ;; - check) restore -n -v ;; - verify) restore -n -o -;; - relabel) relabel;; - *) - usage - exit 1 -esac +exit $? diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.34/semanage/semanage --- nsapolicycoreutils/semanage/semanage 2007-10-05 13:09:53.000000000 -0400 +++ policycoreutils-2.0.34/semanage/semanage 2007-12-19 06:05:50.000000000 -0500 @@ -1,5 +1,5 @@ #! /usr/bin/python -E -# Copyright (C) 2005 Red Hat +# Copyright (C) 2005, 2006, 2007 Red Hat # see file 'COPYING' for use and warranty information # # semanage is a tool for managing SELinux configuration files @@ -28,10 +28,6 @@ import gettext gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.textdomain(PROGNAME) -import codecs -import locale -sys.stderr = codecs.getwriter(locale.getpreferredencoding())(sys.__stderr__, 'replace') -sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.__stdout__, 'replace') try: gettext.install(PROGNAME, @@ -115,7 +111,7 @@ valid_option["translation"] = [] valid_option["translation"] += valid_everyone + [ '-T', '--trans' ] valid_option["boolean"] = [] - valid_option["boolean"] += valid_everyone + valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ] return valid_option # @@ -135,7 +131,7 @@ seuser = "" prefix = "" heading=1 - + value=0 add = 0 modify = 0 delete = 0 @@ -154,7 +150,7 @@ args = sys.argv[2:] gopts, cmds = getopt.getopt(args, - 'adf:lhmnp:s:CDR:L:r:t:T:P:S:', + '01adf:lhmnp:s:CDR:L:r:t:T:P:S:', ['add', 'delete', 'deleteall', @@ -164,6 +160,8 @@ 'modify', 'noheading', 'localist', + 'off', + 'on', 'proto=', 'seuser=', 'store=', 
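Review bot: `PATH=$1` overwrites the command search path with a caller-supplied directory for the rest of the script, so any unqualified command run afterwards in `process`, `restore` or `relabel` (all defined outside this hunk) is resolved from that directory; for a root-run `fixfiles restore /some/dir` that is a route to executing whatever sits in `/some/dir` as root. Rename the variable, `FIXPATH=$1`, rather than reusing PATH. Separately, when neither `$RPMFILES` nor a directory is given, the `while [ -n "$1" ]` loop never runs and `process $command` is never called, so a bare `fixfiles relabel` does nothing unless that case is handled above the hunk; the removed `case "$command"` always dispatched.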
@@ -242,6 +240,11 @@ if o == "-T" or o == "--trans": setrans = a + if o == "--on" or o == "-1": + value = 1 + if o == "-off" or o == "-0": + value = 0 + if object == "login": OBJECT = seobject.loginRecords(store)