diff --git a/policycoreutils/.gitignore b/policycoreutils/.gitignore index 50f8b82..9e2d86b 100644 --- a/policycoreutils/.gitignore +++ b/policycoreutils/.gitignore @@ -14,3 +14,4 @@ sestatus/sestatus setfiles/restorecon setfiles/setfiles setsebool/setsebool +.tx diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile index 9cfe3bc..9c242d4 100644 --- a/policycoreutils/Makefile +++ b/policycoreutils/Makefile @@ -1,4 +1,4 @@ -SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po man +SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po man gui INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) diff --git a/policycoreutils/audit2allow/sepolgen-ifgen b/policycoreutils/audit2allow/sepolgen-ifgen index ef4bec3..9b313ec 100644 --- a/policycoreutils/audit2allow/sepolgen-ifgen +++ b/policycoreutils/audit2allow/sepolgen-ifgen @@ -61,20 +61,10 @@ def parse_options(): return options -def get_policy(): - i = selinux.security_policyvers() - p = selinux.selinux_binary_policy_path() + "." + str(i) - while i > 0 and not os.path.exists(p): - i = i - 1 - p = selinux.selinux_binary_policy_path() + "." + str(i) - if i > 0: - return p - return None - def get_attrs(policy_path): try: if not policy_path: - policy_path = get_policy() + policy_path = selinux.selinux_current_policy_path() if not policy_path: sys.stderr.write("No installed policy to check\n") return None diff --git a/policycoreutils/gui/Makefile b/policycoreutils/gui/Makefile new file mode 100644 index 0000000..53efa84 --- /dev/null +++ b/policycoreutils/gui/Makefile @@ -0,0 +1,38 @@ +# Installation directories. +PREFIX ?= ${DESTDIR}/usr +BINDIR ?= $(PREFIX)/bin +SHAREDIR ?= $(PREFIX)/share/system-config-selinux + +TARGETS= \ +booleansPage.py \ +domainsPage.py \ +fcontextPage.py \ +html_util.py \ +loginsPage.py \ +mappingsPage.py \ +modulesPage.py \ +polgen.glade \ +portsPage.py \ +semanagePage.py \ +statusPage.py \ +system-config-selinux.glade \ +usersPage.py \ +selinux.tbl + +all: $(TARGETS) system-config-selinux.py polgengui.py templates polgen.py + +install: all + -mkdir -p $(SHAREDIR)/templates + -mkdir -p $(BINDIR) + install -m 755 system-config-selinux.py $(SHAREDIR) + install -m 755 polgengui.py $(SHAREDIR) + install -m 755 polgen.py $(SHAREDIR) + (cd $(BINDIR); ln -fs ../share/system-config-selinux/polgen.py sepolgen) + install -m 644 $(TARGETS) $(SHAREDIR) + install -m 644 templates/*.py $(SHAREDIR)/templates/ + +clean: + +indent: + +relabel: diff --git a/policycoreutils/gui/booleansPage.py b/policycoreutils/gui/booleansPage.py new file mode 100644 index 0000000..dca786d --- /dev/null +++ b/policycoreutils/gui/booleansPage.py @@ -0,0 +1,247 @@ +# +# booleansPage.py - GUI for Booleans page in system-config-securitylevel +# +# Dan Walsh +# +# Copyright 2006, 2007 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +import string +import gtk +import gtk.glade +import os +import gobject +import sys +import tempfile +import seobject +import semanagePage + +INSTALLPATH='/usr/share/system-config-selinux' +sys.path.append(INSTALLPATH) + +import commands +ENFORCING=0 +PERMISSIVE=1 +DISABLED=2 + +## +## I18N +## +PROGNAME="policycoreutils" + +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +from glob import fnmatch + +class Modifier: + def __init__(self,name, on, save): + self.on=on + self.name=name + self.save=save + + def set(self,value): + self.on=value + self.save=True + + def isOn(self): + return self.on + +class Boolean(Modifier): + def __init__(self,name, val, save=False): + Modifier.__init__(self,name, val, save) + +ACTIVE = 0 +MODULE = 1 +DESC = 2 +BOOLEAN = 3 + +class booleansPage: + def __init__(self, xml, doDebug=None): + self.xml = xml + xml.signal_connect("on_lockdown_clicked", self.on_lockdown_clicked) + self.window = self.xml.get_widget("mainWindow").get_root_window() + self.local = False + self.types=[] + self.selinuxsupport = True + self.typechanged = False + self.doDebug = doDebug + self.busy_cursor = gtk.gdk.Cursor(gtk.gdk.WATCH) + self.ready_cursor = gtk.gdk.Cursor(gtk.gdk.LEFT_PTR) + + # Bring in widgets from glade file. + self.typeHBox = xml.get_widget("typeHBox") + self.booleanSW = xml.get_widget("booleanSW") + self.booleansFilter = xml.get_widget("booleansFilter") + self.booleansFilter.connect("focus_out_event", self.filter_changed) + self.booleansFilter.connect("activate", self.filter_changed) + + self.booleansView = xml.get_widget("booleansView") + self.typeLabel = xml.get_widget("typeLabel") + self.modifySeparator = xml.get_widget("modifySeparator") + + self.revertButton = xml.get_widget("booleanRevertButton") + self.revertButton.set_sensitive(self.local) + self.revertButton.connect("clicked", self.on_revert_clicked) + listStore = gtk.ListStore(gobject.TYPE_STRING) + cell = gtk.CellRendererText() + + self.store = gtk.ListStore(gobject.TYPE_BOOLEAN, gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING) + self.store.set_sort_column_id(1, gtk.SORT_ASCENDING) + self.booleansView.set_model(self.store) + + checkbox = gtk.CellRendererToggle() + checkbox.connect("toggled", self.boolean_toggled) + col = gtk.TreeViewColumn('Active', checkbox, active = ACTIVE) + col.set_clickable(True) + col.set_sort_column_id(ACTIVE) + self.booleansView.append_column(col) + + col = gtk.TreeViewColumn("Module", gtk.CellRendererText(), text=MODULE) + col.set_sort_column_id(MODULE) + col.set_resizable(True) + self.booleansView.append_column(col) + + col = gtk.TreeViewColumn("Description", gtk.CellRendererText(), text=DESC) + col.set_sizing(gtk.TREE_VIEW_COLUMN_FIXED) + col.set_fixed_width(400) + col.set_sort_column_id(DESC) + col.set_resizable(True) + self.booleansView.append_column(col) + + col = gtk.TreeViewColumn("Name", gtk.CellRendererText(), text=BOOLEAN) + col.set_sort_column_id(BOOLEAN) + col.set_resizable(True) + self.booleansView.set_search_equal_func(self.__search) + self.booleansView.append_column(col) + self.filter="" + self.load(self.filter) + + def __search(self, model, col, key, i): + sort_col = self.store.get_sort_column_id()[0] + if sort_col > 0: + val = model.get_value(i, sort_col) + if val.lower().startswith(key.lower()): + return False + return True + + def wait(self): + self.window.set_cursor(self.busy_cursor) + semanagePage.idle_func() + + def ready(self): + self.window.set_cursor(self.ready_cursor) + semanagePage.idle_func() + + def deleteDialog(self): + store, iter = self.booleansView.get_selection().get_selected() + if iter == None: + return + boolean = store.get_value(iter, BOOLEAN) + # change cursor + if boolean == None: + return + try: + self.wait() + (rc, out) = commands.getstatusoutput("semanage boolean -d %s" % boolean) + + self.ready() + if rc != 0: + return self.error(out) + self.load(self.filter) + except ValueError, e: + self.error(e.args[0]) + + def filter_changed(self, *arg): + filter = arg[0].get_text() + if filter != self.filter: + self.load(filter) + self.filter=filter + + def use_menus(self): + return False + + def get_description(self): + return _("Boolean") + + def match(self,key, filter=""): + try: + f=filter.lower() + cat=self.booleans.get_category(key).lower() + val=self.booleans.get_desc(key).lower() + k=key.lower() + return val.find(f) >= 0 or k.find(f) >= 0 or cat.find(f) >= 0 + except: + return False + + + def load(self, filter=None): + self.store.clear() + self.booleans = seobject.booleanRecords() + booleansList = self.booleans.get_all(self.local) + for name in booleansList: + rec = booleansList[name] + if self.match(name, filter): + iter=self.store.append() + self.store.set_value(iter, ACTIVE, rec[2] == 1) + self.store.set_value(iter, MODULE, self.booleans.get_category(name)) + self.store.set_value(iter, DESC, self.booleans.get_desc(name)) + self.store.set_value(iter, BOOLEAN, name) + + def boolean_toggled(self, widget, row): + iter = self.store.get_iter(row) + val = self.store.get_value(iter, ACTIVE) + key = self.store.get_value(iter, BOOLEAN) + self.store.set_value(iter, ACTIVE , not val) + self.wait() + setsebool="/usr/sbin/setsebool -P %s=%d" % (key, not val) + commands.getstatusoutput(setsebool) + self.load(self.filter) + self.ready() + + def on_revert_clicked(self, button): + self.wait() + setsebool="semanage boolean --deleteall" + commands.getstatusoutput(setsebool) + self.load(self.filter) + self.ready() + + def on_lockdown_clicked(self, button): + try: + os.spawnl(os.P_NOWAIT, "/usr/share/system-config-selinux/lockdown.py") + except ValueError, e: + self.error(e.args[0]) + + def on_local_clicked(self, button): + self.local = not self.local + self.revertButton.set_sensitive(self.local) + + if self.local: + button.set_label(_("all")) + else: + button.set_label(_("Customized")) + + self.load(self.filter) + return True + diff --git a/policycoreutils/gui/domainsPage.py b/policycoreutils/gui/domainsPage.py new file mode 100644 index 0000000..3eeebca --- /dev/null +++ b/policycoreutils/gui/domainsPage.py @@ -0,0 +1,154 @@ +## domainsPage.py - show selinux domains +## Copyright (C) 2009 Red Hat, Inc. + +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. + +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. + +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +## Author: Dan Walsh +import string +import gtk +import gtk.glade +import os +import commands +import gobject +import sys +import seobject +import selinux +from semanagePage import *; +import polgen + +## +## I18N +## +PROGNAME="policycoreutils" +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +class domainsPage(semanagePage): + def __init__(self, xml): + semanagePage.__init__(self, xml, "domains", _("Process Domain")) + self.domain_filter = xml.get_widget("domainsFilterEntry") + self.domain_filter.connect("focus_out_event", self.filter_changed) + self.domain_filter.connect("activate", self.filter_changed) + + self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING) + self.view.set_model(self.store) + self.store.set_sort_column_id(0, gtk.SORT_ASCENDING) + col = gtk.TreeViewColumn(_("Domain Name"), gtk.CellRendererText(), text = 0) + col.set_sort_column_id(0) + col.set_resizable(True) + self.view.append_column(col) + self.store.set_sort_column_id(0, gtk.SORT_ASCENDING) + col = gtk.TreeViewColumn(_("Mode"), gtk.CellRendererText(), text = 1) + col.set_sort_column_id(1) + col.set_resizable(True) + self.view.append_column(col) + self.view.get_selection().connect("changed", self.itemSelected) + + self.permissive_button = xml.get_widget("permissiveButton") + self.enforcing_button = xml.get_widget("enforcingButton") + + self.domains=polgen.get_all_domains() + self.load() + + def get_modules(self): + modules=[] + fd=os.popen("semodule -l") + mods = fd.readlines() + fd.close() + for l in mods: + modules.append(l.split()[0]) + return modules + + def load(self, filter=""): + self.filter=filter + self.store.clear() + try: + modules=self.get_modules() + for domain in self.domains: + if not self.match(domain, filter): + continue + iter = self.store.append() + self.store.set_value(iter, 0, domain) + t = "permissive_%s_t" % domain + if t in modules: + self.store.set_value(iter, 1, _("Permissive")) + else: + self.store.set_value(iter, 1, "") + except: + pass + self.view.get_selection().select_path ((0,)) + + def itemSelected(self, selection): + store, iter = selection.get_selected() + if iter == None: + return + p = store.get_value(iter, 1) == _("Permissive") + self.permissive_button.set_sensitive(not p) + self.enforcing_button.set_sensitive(p) + + def deleteDialog(self): + # Do nothing + return self.delete() + + def delete(self): + selection = self.view.get_selection() + store, iter = selection.get_selected() + domain = store.get_value(iter, 0) + try: + self.wait() + status, output = commands.getstatusoutput("semanage permissive -d %s_t" % domain) + self.ready() + if status != 0: + self.error(output) + else: + domain = store.set_value(iter, 1, "") + self.itemSelected(selection) + + except ValueError, e: + self.error(e.args[0]) + + def propertiesDialog(self): + # Do nothing + return + + def addDialog(self): + # Do nothing + return self.add() + + def add(self): + selection = self.view.get_selection() + store, iter = selection.get_selected() + domain = store.get_value(iter, 0) + try: + self.wait() + status, output = commands.getstatusoutput("semanage permissive -a %s_t" % domain) + self.ready() + if status != 0: + self.error(output) + else: + domain = store.set_value(iter, 1, _("Permissive")) + self.itemSelected(selection) + + except ValueError, e: + self.error(e.args[0]) diff --git a/policycoreutils/gui/fcontextPage.py b/policycoreutils/gui/fcontextPage.py new file mode 100644 index 0000000..d0889b2 --- /dev/null +++ b/policycoreutils/gui/fcontextPage.py @@ -0,0 +1,223 @@ +## fcontextPage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. + +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. + +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. + +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +## Author: Dan Walsh +import gtk +import gtk.glade +import os +import gobject +import seobject +import commands +from semanagePage import *; + +SPEC_COL = 0 +TYPE_COL = 1 +FTYPE_COL = 2 + +class context: + def __init__(self, scontext): + self.scontext = scontext + con=scontext.split(":") + self.type = con[0] + if len(con) > 1: + self.mls = con[1] + else: + self.mls = "s0" + + def __str__(self): + return self.scontext + +## +## I18N +## +PROGNAME="policycoreutils" + +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + + +class fcontextPage(semanagePage): + def __init__(self, xml): + semanagePage.__init__(self, xml, "fcontext", _("File Labeling")) + self.fcontextFilter = xml.get_widget("fcontextFilterEntry") + self.fcontextFilter.connect("focus_out_event", self.filter_changed) + self.fcontextFilter.connect("activate", self.filter_changed) + + self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING) + self.view = xml.get_widget("fcontextView") + self.view.set_model(self.store) + self.view.set_search_equal_func(self.search) + + col = gtk.TreeViewColumn(_("File\nSpecification"), gtk.CellRendererText(), text=SPEC_COL) + col.set_sizing(gtk.TREE_VIEW_COLUMN_FIXED) + col.set_fixed_width(250) + + col.set_sort_column_id(SPEC_COL) + col.set_resizable(True) + self.view.append_column(col) + col = gtk.TreeViewColumn(_("Selinux\nFile Type"), gtk.CellRendererText(), text=TYPE_COL) + + col.set_sizing(gtk.TREE_VIEW_COLUMN_FIXED) + col.set_fixed_width(250) + col.set_sort_column_id(TYPE_COL) + col.set_resizable(True) + self.view.append_column(col) + col = gtk.TreeViewColumn(_("File\nType"), gtk.CellRendererText(), text=2) + col.set_sort_column_id(FTYPE_COL) + col.set_resizable(True) + self.view.append_column(col) + + self.store.set_sort_column_id(SPEC_COL, gtk.SORT_ASCENDING) + self.load() + self.fcontextEntry = xml.get_widget("fcontextEntry") + self.fcontextFileTypeCombo = xml.get_widget("fcontextFileTypeCombo") + liststore=self.fcontextFileTypeCombo.get_model() + for k in seobject.file_types: + if len(k) > 0 and k[0] != '-': + iter=liststore.append() + liststore.set_value(iter, 0, k) + iter = liststore.get_iter_first() + self.fcontextFileTypeCombo.set_active_iter(iter) + self.fcontextTypeEntry = xml.get_widget("fcontextTypeEntry") + self.fcontextMLSEntry = xml.get_widget("fcontextMLSEntry") + + def match(self, fcon_dict, k, filter): + try: + f=filter.lower() + for con in k: + k=con.lower() + if k.find(f) >= 0: + return True + for con in fcon_dict[k]: + k=con.lower() + if k.find(f) >= 0: + return True + except: + pass + return False + + def load(self, filter=""): + self.filter=filter + self.fcontext=seobject.fcontextRecords() + self.store.clear() + fcon_dict=self.fcontext.get_all(self.local) + keys = fcon_dict.keys() + keys.sort() + for k in keys: + if not self.match(fcon_dict, k, filter): + continue + iter=self.store.append() + self.store.set_value(iter, SPEC_COL, k[0]) + self.store.set_value(iter, FTYPE_COL, k[1]) + if fcon_dict[k]: + rec="%s:%s" % (fcon_dict[k][2], seobject.translate(fcon_dict[k][3],False)) + else: + rec="<>" + self.store.set_value(iter, TYPE_COL, rec) + self.view.get_selection().select_path ((0,)) + + def filter_changed(self, *arg): + filter = arg[0].get_text() + if filter != self.filter: + self.load(filter) + + def dialogInit(self): + store, iter = self.view.get_selection().get_selected() + self.fcontextEntry.set_text(store.get_value(iter, SPEC_COL)) + self.fcontextEntry.set_sensitive(False) + scontext = store.get_value(iter, TYPE_COL) + scon=context(scontext) + self.fcontextTypeEntry.set_text(scon.type) + self.fcontextMLSEntry.set_text(scon.mls) + type=store.get_value(iter, FTYPE_COL) + liststore=self.fcontextFileTypeCombo.get_model() + iter = liststore.get_iter_first() + while iter != None and liststore.get_value(iter,0) != type: + iter = liststore.iter_next(iter) + if iter != None: + self.fcontextFileTypeCombo.set_active_iter(iter) + self.fcontextFileTypeCombo.set_sensitive(False) + + def dialogClear(self): + self.fcontextEntry.set_text("") + self.fcontextEntry.set_sensitive(True) + self.fcontextFileTypeCombo.set_sensitive(True) + self.fcontextTypeEntry.set_text("") + self.fcontextMLSEntry.set_text("s0") + + def delete(self): + store, iter = self.view.get_selection().get_selected() + try: + fspec=store.get_value(iter, SPEC_COL) + ftype=store.get_value(iter, FTYPE_COL) + self.wait() + (rc, out) = commands.getstatusoutput("semanage fcontext -d -f '%s' '%s'" % (ftype, fspec)) + self.ready() + + if rc != 0: + return self.error(out) + store.remove(iter) + self.view.get_selection().select_path ((0,)) + except ValueError, e: + self.error(e.args[0]) + + def add(self): + ftype=["", "--", "-d", "-c", "-b", "-s", "-l", "-p" ] + fspec=self.fcontextEntry.get_text().strip() + type=self.fcontextTypeEntry.get_text().strip() + mls=self.fcontextMLSEntry.get_text().strip() + list_model=self.fcontextFileTypeCombo.get_model() + active = self.fcontextFileTypeCombo.get_active() + self.wait() + (rc, out) = commands.getstatusoutput("semanage fcontext -a -t %s -r %s -f '%s' '%s'" % (type, mls, ftype[active], fspec)) + self.ready() + if rc != 0: + self.error(out) + return False + + iter=self.store.append() + self.store.set_value(iter, SPEC_COL, fspec) + self.store.set_value(iter, FTYPE_COL, ftype) + self.store.set_value(iter, TYPE_COL, "%s:%s" % (type, mls)) + + def modify(self): + fspec=self.fcontextEntry.get_text().strip() + type=self.fcontextTypeEntry.get_text().strip() + mls=self.fcontextMLSEntry.get_text().strip() + list_model=self.fcontextFileTypeCombo.get_model() + iter = self.fcontextFileTypeCombo.get_active_iter() + ftype=list_model.get_value(iter,0) + self.wait() + (rc, out) = commands.getstatusoutput("semanage fcontext -m -t %s -r %s -f '%s' '%s'" % (type, mls, ftype, fspec)) + self.ready() + if rc != 0: + self.error(out) + return False + + store, iter = self.view.get_selection().get_selected() + self.store.set_value(iter, SPEC_COL, fspec) + self.store.set_value(iter, FTYPE_COL, ftype) + self.store.set_value(iter, TYPE_COL, "%s:%s" % (type, mls)) diff --git a/policycoreutils/gui/html_util.py b/policycoreutils/gui/html_util.py new file mode 100644 index 0000000..d41643c --- /dev/null +++ b/policycoreutils/gui/html_util.py @@ -0,0 +1,164 @@ +# Authors: John Dennis +# +# Copyright (C) 2007 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# + + +__all__ = [ + 'escape_html', + 'unescape_html', + 'html_to_text', + + 'html_document', +] + +import htmllib +import formatter as Formatter +import string +from types import * +import StringIO + +#------------------------------------------------------------------------------ + +class TextWriter(Formatter.DumbWriter): + def __init__(self, file=None, maxcol=80, indent_width=4): + Formatter.DumbWriter.__init__(self, file, maxcol) + self.indent_level = 0 + self.indent_width = indent_width + self._set_indent() + + def _set_indent(self): + self.indent_col = self.indent_level * self.indent_width + self.indent = ' ' * self.indent_col + + def new_margin(self, margin, level): + self.indent_level = level + self._set_indent() + + def send_label_data(self, data): + data = data + ' ' + if len(data) > self.indent_col: + self.send_literal_data(data) + else: + offset = self.indent_col - len(data) + self.send_literal_data(' ' * offset + data) + + def send_flowing_data(self, data): + if not data: return + atbreak = self.atbreak or data[0] in string.whitespace + col = self.col + maxcol = self.maxcol + write = self.file.write + col = self.col + if col == 0: + write(self.indent) + col = self.indent_col + for word in data.split(): + if atbreak: + if col + len(word) >= maxcol: + write('\n' + self.indent) + col = self.indent_col + else: + write(' ') + col = col + 1 + write(word) + col = col + len(word) + atbreak = 1 + self.col = col + self.atbreak = data[-1] in string.whitespace + +class HTMLParserAnchor(htmllib.HTMLParser): + + def __init__(self, formatter, verbose=0): + htmllib.HTMLParser.__init__(self, formatter, verbose) + + def anchor_bgn(self, href, name, type): + self.anchor = href + + def anchor_end(self): + if self.anchor: + self.handle_data(' (%s) ' % self.anchor) + self.anchor = None + +#------------------------------------------------------------------------------ + +def escape_html(s): + if s is None: return None + s = s.replace("&", "&") # Must be done first! + s = s.replace("<", "<") + s = s.replace(">", ">") + s = s.replace("'", "'") + s = s.replace('"', """) + return s + + +def unescape_html(s): + if s is None: return None + if '&' not in s: + return s + s = s.replace("<", "<") + s = s.replace(">", ">") + s = s.replace("'", "'") + s = s.replace(""", '"') + s = s.replace("&", "&") # Must be last + return s + +def html_to_text(html, maxcol=80): + try: + buffer = StringIO.StringIO() + formatter = Formatter.AbstractFormatter(TextWriter(buffer, maxcol)) + parser = HTMLParserAnchor(formatter) + parser.feed(html) + parser.close() + text = buffer.getvalue() + buffer.close() + return text + except Exception, e: + log_program.error('cannot convert html to text: %s' % e) + return None + +def html_document(*body_components): + '''Wrap the body components in a HTML document structure with a valid header. + Accepts a variable number of arguments of of which canb be: + * string + * a sequences of strings (tuple or list). + * a callable object taking no parameters and returning a string or sequence of strings. + ''' + head = '\n \n \n \n \n' + tail = '\n \n' + + doc = head + + for body_component in body_components: + if type(body_component) is StringTypes: + doc += body_component + elif type(body_component) in [TupleType, ListType]: + for item in body_component: + doc += item + elif callable(body_component): + result = body_component() + if type(result) in [TupleType, ListType]: + for item in result: + doc += item + else: + doc += result + else: + doc += body_component + + doc += tail + return doc + diff --git a/policycoreutils/gui/lockdown.glade b/policycoreutils/gui/lockdown.glade new file mode 100644 index 0000000..714da60 --- /dev/null +++ b/policycoreutils/gui/lockdown.glade @@ -0,0 +1,771 @@ + + + + + + + + + 5 + False + system-config-selinux + Copyright (c)2006 Red Hat, Inc. +Copyright (c) 2006 Dan Walsh <dwalsh@redhat.com> + False + Daniel Walsh <dwalsh@redhat.com> + + translator-credits + system-config-selinux.png + + + + 800 + 400 + SELinux Boolean Lockdown + GTK_WINDOW_TOPLEVEL + GTK_WIN_POS_NONE + False + True + False + system-config-selinux.png + True + False + False + GDK_WINDOW_TYPE_HINT_NORMAL + GDK_GRAVITY_NORTH_WEST + True + False + True + + + + True + True + + + + True + GTK_SHADOW_NONE + + + + True + GTK_PACK_DIRECTION_LTR + GTK_PACK_DIRECTION_LTR + + + + True + GNOMEUIINFO_MENU_FILE_TREE + + + + + + + True + _Forward + True + + + + + + True + gtk-media-next + 1 + 0.5 + 0.5 + 0 + 0 + + + + + + + + True + _Previous + True + + + + + + True + gtk-media-previous + 1 + 0.5 + 0.5 + 0 + 0 + + + + + + + + True + + + + + + True + Save As + True + + + + + + True + gtk-save-as + 1 + 0.5 + 0.5 + 0 + 0 + + + + + + + + True + Apply + True + + + + + + True + gtk-apply + 1 + 0.5 + 0.5 + 0 + 0 + + + + + + + + True + GNOMEUIINFO_MENU_EXIT_ITEM + + + + + + + + + + + True + GNOMEUIINFO_MENU_HELP_TREE + + + + + + + True + GNOMEUIINFO_MENU_ABOUT_ITEM + + + + + + + + + + + + BONOBO_DOCK_TOP + 0 + 0 + 0 + BONOBO_DOCK_ITEM_BEH_EXCLUSIVE|BONOBO_DOCK_ITEM_BEH_NEVER_VERTICAL|BONOBO_DOCK_ITEM_BEH_LOCKED + + + + + + True + True + 0 + + + + 5 + True + 0 + 0.5 + GTK_SHADOW_NONE + + + + True + 0.5 + 0.5 + 1 + 1 + 0 + 0 + 12 + 0 + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + 300 + True + Select Management Object + True + False + False + False + True + False + False + False + + + + + + + + + + True + <b>Select:</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + label_item + + + + + False + False + + + + + + False + 0 + + + + True + False + 0 + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + + + + 0 + True + True + + + + + + True + GTK_BUTTONBOX_END + 0 + + + + True + True + True + gtk-apply + True + GTK_RELIEF_NORMAL + True + + + + + + + True + True + True + gtk-save-as + True + GTK_RELIEF_NORMAL + True + + + + + + 0 + False + False + GTK_PACK_END + + + + + + True + 0 + + + + True + True + GTK_RELIEF_NORMAL + True + False + False + True + + + + True + 0.5 + 0.5 + 0 + 0 + 0 + 0 + 0 + 0 + + + + True + False + 2 + + + + True + gtk-yes + 4 + 0.5 + 0.5 + 0 + 0 + + + 0 + False + False + + + + + + Enable + True + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + + + + 0 + False + False + + + + + + True + True + GTK_RELIEF_NORMAL + True + False + False + True + enable_radiobutton + + + + True + 0.5 + 0.5 + 0 + 0 + 0 + 0 + 0 + 0 + + + + True + False + 2 + + + + True + gtk-no + 4 + 0.5 + 0.5 + 0 + 0 + + + 0 + False + False + + + + + + True + Disable + True + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + + + + 0 + False + False + + + + + + True + True + GTK_RELIEF_NORMAL + True + False + False + True + enable_radiobutton + + + + True + 0.5 + 0.5 + 0 + 0 + 0 + 0 + 0 + 0 + + + + True + False + 2 + + + + True + gtk-undo + 4 + 0.5 + 0.5 + 0 + 0 + + + 0 + False + False + + + + + + True + Default + True + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + + + + 0 + False + False + + + + + 11 + False + False + + + + + + True + GTK_BUTTONBOX_END + 0 + + + + True + True + True + gtk-quit + True + GTK_RELIEF_NORMAL + True + + + + + + + True + True + True + gtk-media-previous + True + GTK_RELIEF_NORMAL + True + + + + + + + True + True + True + gtk-media-forward + True + GTK_RELIEF_NORMAL + True + + + + + + 0 + False + False + + + + + 0 + True + True + + + + + True + True + + + + + + + 0 + True + True + + + + + + True + True + True + + + 0 + True + True + + + + + + 5 + Select file name to save boolean settings. + GTK_FILE_CHOOSER_ACTION_SAVE + True + False + False + False + Save Boolean Configuration File + GTK_WINDOW_TOPLEVEL + GTK_WIN_POS_MOUSE + False + True + False + True + False + False + GDK_WINDOW_TYPE_HINT_DIALOG + GDK_GRAVITY_NORTH_WEST + True + False + + + + True + False + 2 + + + + True + GTK_BUTTONBOX_END + + + + True + True + True + gtk-cancel + True + GTK_RELIEF_NORMAL + True + -6 + + + + + + True + True + True + True + gtk-save + True + GTK_RELIEF_NORMAL + True + -5 + + + + + 0 + False + True + GTK_PACK_END + + + + + + + diff --git a/policycoreutils/gui/lockdown.py b/policycoreutils/gui/lockdown.py new file mode 100644 index 0000000..3c29327 --- /dev/null +++ b/policycoreutils/gui/lockdown.py @@ -0,0 +1,375 @@ +#!/usr/bin/python +# +# lockdown.py - GUI for Booleans page in system-config-securitylevel +# +# Dan Walsh +# +# Copyright 2008 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +import signal +import string +import gtk +import gtk.glade +import os +import gobject +import gnome +import sys +import selinux +import seobject +import webkit +import commands +import tempfile + +from html_util import * + +gnome.program_init("SELinux Boolean Lockdown Tool", "5") + +INSTALLPATH='/usr/share/system-config-selinux' +sys.path.append(INSTALLPATH) + +## +## I18N +## +PROGNAME="policycoreutils" + +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +from glob import fnmatch + +STATUS=(_("Disable"), _("Enable"), _("Default")) +DISABLE = 0 +ENABLE = 1 +DEFAULT = 2 + +def idle_func(): + while gtk.events_pending(): + gtk.main_iteration() + +def td_fmt(val): + return '%s' % val + +tr_fmt = '%s\n' + +p_fmt = '

%s\n' + +## +## Pull in the Glade file +## +if os.access("system-config-selinux.glade", os.F_OK): + xml = gtk.glade.XML ("lockdown.glade", domain=PROGNAME) +else: + xml = gtk.glade.XML ("/usr/share/system-config-selinux/lockdown.glade", domain=PROGNAME) +BOOLEAN = 0 +class booleanWindow: + def __init__(self): + self.tabs=[] + self.xml = xml + xml.signal_connect("on_cancel_clicked", self.cancel) + xml.signal_connect("on_forward_clicked", self.forward) + xml.signal_connect("on_previous_clicked", self.previous) + xml.signal_connect("on_save_clicked", self.save) + xml.signal_connect("on_apply_clicked", self.apply) + self.xml = xml + self.mainWindow = self.xml.get_widget("mainWindow") + self.forwardbutton = self.xml.get_widget("forwardButton") + self.window = self.xml.get_widget("mainWindow").get_root_window() + self.busy_cursor = gtk.gdk.Cursor(gtk.gdk.WATCH) + self.ready_cursor = gtk.gdk.Cursor(gtk.gdk.LEFT_PTR) + self.radiobox = self.xml.get_widget("radiobox") + self.savebox = self.xml.get_widget("savebox") + self.file_dialog = self.xml.get_widget("filechooserdialog") + self.vbox = self.xml.get_widget("vbox") + self.enable_radiobutton = self.xml.get_widget("enable_radiobutton") + self.enable_radiobutton.connect("toggled", self.toggled) + self.disable_radiobutton = self.xml.get_widget("disable_radiobutton") + self.disable_radiobutton.connect("toggled", self.toggled) + self.default_radiobutton = self.xml.get_widget("default_radiobutton") + self.default_radiobutton.connect("toggled", self.toggled) + self.html_scrolledwindow = self.xml.get_widget("html_scrolledwindow") + self.view = xml.get_widget("booleanView") + self.view.get_selection().connect("changed", self.itemSelected) + + self.store = gtk.TreeStore(gobject.TYPE_STRING) + self.view.set_model(self.store) + + col = gtk.TreeViewColumn("Boolean", gtk.CellRendererText(), text=BOOLEAN) + col.set_sort_column_id(BOOLEAN) + col.set_resizable(True) + self.view.append_column(col) + + self.html_view = self.create_htmlview(self.html_scrolledwindow) + self.load() + self.view.get_selection().select_path ((0,)) + + def create_htmlview(self, container): + view = webkit.WebView() + container.add(view) + return (view) + + def wait(self): + self.window.set_cursor(self.busy_cursor) + idle_func() + + def ready(self): + self.window.set_cursor(self.ready_cursor) + idle_func() + + def load(self): + self.store.clear() + self.booleans = seobject.booleanRecords() + booleansList = self.booleans.get_all(0) + self.booldict = {} + for name in booleansList: + cat = self.booleans.get_category(name) + if cat not in self.booldict: + self.booldict[cat] = {} + + rec = booleansList[name] + self.booldict[cat][name]= [rec[2], self.booleans.get_desc(name)] + + cats = self.booldict.keys() + cats.sort() + + citer = self.store.append(None) + self.store.set_value(citer, BOOLEAN, "Begin") + for cat in cats: + citer = self.store.append(None) + self.store.set_value(citer, BOOLEAN, cat) + bools = self.booldict[cat].keys() + for bool in bools: + biter = self.store.append(citer) + self.store.set_value(biter, BOOLEAN, bool) + biter = self.store.append(citer) + self.store.set_value(biter, BOOLEAN, "Finish") + citer = self.store.append(None) + self.store.set_value(citer, BOOLEAN, "Finish") + + def on_about_activate(self, args): + dlg = xml.get_widget ("aboutWindow") + dlg.run () + dlg.hide () + + def cancel(self, args): + gtk.main_quit() + + def error(self, message): + dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_ERROR, + gtk.BUTTONS_CLOSE, + message) + dlg.set_position(gtk.WIN_POS_MOUSE) + dlg.show_all() + dlg.run() + dlg.destroy() + + def __out(self): + out = '' + for c in self.booldict.keys(): + for b in self.booldict[c]: + out += "%s=%s\n" % (b, self.booldict[c][b][0]) + return out + + def save(self, args): + self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_SAVE) + rc = self.file_dialog.run() + self.file_dialog.hide() + if rc == gtk.RESPONSE_OK: + try: + fd = open(self.file_dialog.get_filename(), "w") + fd.write(self.__out()) + fd.close() + + except IOError, e: + self.error(e) + + def apply(self, args): + fd = tempfile.NamedTemporaryFile(dir = "/var/lib/selinux") + fd.write(self.__out()) + fd.flush() + self.wait() + rc, err = commands.getstatusoutput("semanage boolean -m -F %s" % fd.name) + self.ready() + fd.close() + if rc != 0: + self.error(err) + + def forward(self, args): + selection = self.view.get_selection() + store, iter = selection.get_selected() + if self.store.iter_has_child(iter): + store, rows = selection.get_selected_rows() + self.view.expand_to_path(rows[0]) + niter = self.store.iter_nth_child(iter, 0) + else: + niter = store.iter_next(iter) + + if niter == None: + piter = self.store.iter_parent(iter) + if piter == None: + return + niter = store.iter_next(piter) + + if niter != None: + selection.select_iter(niter) + store, rows = selection.get_selected_rows() + self.view.scroll_to_cell(rows[0]) + else: + print "Finish" + + def toggled(self, button): + if button.get_active() == False: + return + if self.cat == None: + return + if self.disable_radiobutton == button: + self.booldict[self.cat][self.name][0] = DISABLE + if self.enable_radiobutton == button: + self.booldict[self.cat][self.name][0] = ENABLE + if self.default_radiobutton == button: + self.booldict[self.cat][self.name][0] = DEFAULT + + def previous(self, args): + selection = self.view.get_selection() + store, iter = selection.get_selected() + store, rows = selection.get_selected_rows() + row = rows[0] + if len(row) == 1 or self.store.iter_has_child(iter): + if row[0] == 0: + return + nrow = row[0] - 1 + iter = self.store.get_iter((nrow,)) + if self.store.iter_has_child(iter): + self.view.expand_to_path((nrow,)) + n = store.iter_n_children(iter) -1 + piter = store.iter_nth_child(iter, n) + else: + piter = iter + else: + if row[1] == 0: + piter = self.store.iter_parent(iter) + else: + r0 = row[0] + r1 = row[1] - 1 + piter = self.store.get_iter((r0,r1)) + if piter != None: + selection.select_iter(piter) + store, rows = selection.get_selected_rows() + self.view.scroll_to_cell(rows[0]) + else: + print "Finish" + + def html_cat(self, cat): + html = "" + row = td_fmt(_("Boolean")) + td_fmt(_("Description")) + td_fmt(_("Status")) + html += tr_fmt % row + + for b in self.booldict[cat]: + row = td_fmt(b) + td_fmt(self.booleans.get_desc(b)) + td_fmt(STATUS[self.booldict[cat][b][0]]) + html += tr_fmt % row + return html + + def html_table(self, title, body): + html = self.html_head(title) + html += '\n' + html += body + html += '
' + return html + + def html_head(self, val): + # Wrap entire alert in one table + # 1st table: primary Information + + html = '%s\n\n\n' % val + return html + + def html_all(self): + html = "" + cats = self.booldict.keys() + cats.sort() + for cat in cats: + html += self.html_table((_("Category: %s
") % cat), self.html_cat(cat)) + return html + + def itemSelected(self, selection): + store, iter = selection.get_selected() + if iter == None: + return + + piter = self.store.iter_parent(iter) + if piter != None: + self.cat = store.get_value(piter, BOOLEAN) + else: + self.cat = None + + self.name = store.get_value(iter, BOOLEAN) + + html = '' + + self.radiobox.hide() + self.savebox.hide() + + if self.name == _("Begin"): + html += self.html_head(_("Welcome to the SELinux Lockdown Tool.

This tool can be used to lockdown SELinux booleans.The tool will generate a configuration file which can be used to lockdown this system or other SELinux systems.
")) + html += self.html_all() + else: + if self.name == _("Finish"): + if self.cat != None: + html += self.html_head(_("Category %s booleans completed

") % self.cat) + html += self.html_table(_("Current settings:

"), self.html_cat(self.cat)) + else: + html += self.html_head(_("Finish:

")) + html += self.html_all() + self.savebox.show() + else: + if self.store.iter_has_child(iter): + html += self.html_table(_("Category: %s

Current Settings

") % self.name, self.html_cat(self.name)) + else: + self.radiobox.show() + html += self.html_table(_("Boolean: %s

") % self.name, tr_fmt % td_fmt(self.booleans.get_desc(self.name))) + if self.booldict[self.cat][self.name][0] == ENABLE: + self.enable_radiobutton.set_active(True) + if self.booldict[self.cat][self.name][0] == DISABLE: + self.disable_radiobutton.set_active(True) + if self.booldict[self.cat][self.name][0] == DEFAULT: + self.default_radiobutton.set_active(True) + html_doc= html_document(html) + + self.html_view.load_html_string(html, "") + + def stand_alone(self): + desktopName = _("Lockdown SELinux Booleans") + + self.mainWindow.connect("destroy", self.cancel) + + self.mainWindow.show_all() + self.radiobox.hide() + self.savebox.hide() + gtk.main() + +if __name__ == "__main__": + signal.signal (signal.SIGINT, signal.SIG_DFL) + + app = booleanWindow() + app.stand_alone() diff --git a/policycoreutils/gui/loginsPage.py b/policycoreutils/gui/loginsPage.py new file mode 100644 index 0000000..b41fc1c --- /dev/null +++ b/policycoreutils/gui/loginsPage.py @@ -0,0 +1,185 @@ +## loginsPage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. + +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. + +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. + +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +## Author: Dan Walsh +import string +import gtk +import gtk.glade +import os +import gobject +import sys +import commands +import seobject +from semanagePage import *; + +## +## I18N +## +PROGNAME="policycoreutils" +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +class loginsPage(semanagePage): + def __init__(self, xml): + self.firstTime = False + semanagePage.__init__(self, xml, "logins", _("User Mapping")) + self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING) + self.view.set_model(self.store) + self.store.set_sort_column_id(0, gtk.SORT_ASCENDING) + col = gtk.TreeViewColumn(_("Login\nName"), gtk.CellRendererText(), text = 0) + col.set_sort_column_id(0) + col.set_resizable(True) + self.view.append_column(col) + col = gtk.TreeViewColumn(_("SELinux\nUser"), gtk.CellRendererText(), text = 1) + col.set_resizable(True) + self.view.append_column(col) + col = gtk.TreeViewColumn(_("MLS/\nMCS Range"), gtk.CellRendererText(), text = 2) + col.set_resizable(True) + self.view.append_column(col) + self.load() + self.loginsNameEntry = xml.get_widget("loginsNameEntry") + self.loginsSelinuxUserCombo = xml.get_widget("loginsSelinuxUserCombo") + self.loginsMLSEntry = xml.get_widget("loginsMLSEntry") + + def load(self, filter = ""): + self.filter=filter + self.login = seobject.loginRecords() + dict = self.login.get_all(0) + keys = dict.keys() + keys.sort() + self.store.clear() + for k in keys: + range = seobject.translate(dict[k][1]) + if not (self.match(k, filter) or self.match(dict[k][0], filter) or self.match(range, filter)): + continue + iter = self.store.append() + self.store.set_value(iter, 0, k) + self.store.set_value(iter, 1, dict[k][0]) + self.store.set_value(iter, 2, range) + self.view.get_selection().select_path ((0,)) + + def __dialogSetup(self): + if self.firstTime == True: + return + self.firstTime = True + liststore = gtk.ListStore(gobject.TYPE_STRING) + self.loginsSelinuxUserCombo.set_model(liststore) + cell = gtk.CellRendererText() + self.loginsSelinuxUserCombo.pack_start(cell, True) + self.loginsSelinuxUserCombo.add_attribute(cell, 'text', 0) + + selusers = seobject.seluserRecords().get_all(0) + keys = selusers.keys() + keys.sort() + for k in keys: + if k != "system_u": + self.loginsSelinuxUserCombo.append_text(k) + + iter = liststore.get_iter_first() + while liststore.get_value(iter,0) != "user_u": + iter = liststore.iter_next(iter) + self.loginsSelinuxUserCombo.set_active_iter(iter) + + def dialogInit(self): + self.__dialogSetup() + store, iter = self.view.get_selection().get_selected() + self.loginsNameEntry.set_text(store.get_value(iter, 0)) + self.loginsNameEntry.set_sensitive(False) + + self.loginsMLSEntry.set_text(store.get_value(iter, 2)) + seuser = store.get_value(iter, 1) + liststore = self.loginsSelinuxUserCombo.get_model() + iter = liststore.get_iter_first() + while iter != None and liststore.get_value(iter,0) != seuser: + iter = liststore.iter_next(iter) + if iter != None: + self.loginsSelinuxUserCombo.set_active_iter(iter) + + + def dialogClear(self): + self.__dialogSetup() + self.loginsNameEntry.set_text("") + self.loginsNameEntry.set_sensitive(True) + self.loginsMLSEntry.set_text("s0") + + def delete(self): + store, iter = self.view.get_selection().get_selected() + try: + login=store.get_value(iter, 0) + if login == "root" or login == "__default__": + raise ValueError(_("Login '%s' is required") % login) + + self.wait() + (rc, out) = commands.getstatusoutput("semanage login -d %s" % login) + self.ready() + if rc != 0: + self.error(out) + return False + store.remove(iter) + self.view.get_selection().select_path ((0,)) + except ValueError, e: + self.error(e.args[0]) + + def add(self): + target=self.loginsNameEntry.get_text().strip() + serange=self.loginsMLSEntry.get_text().strip() + if serange == "": + serange="s0" + list_model=self.loginsSelinuxUserCombo.get_model() + iter = self.loginsSelinuxUserCombo.get_active_iter() + seuser = list_model.get_value(iter,0) + self.wait() + (rc, out) = commands.getstatusoutput("semanage login -a -s %s -r %s %s" % (seuser, serange, target)) + self.ready() + if rc != 0: + self.error(out) + return False + + iter = self.store.append() + self.store.set_value(iter, 0, target) + self.store.set_value(iter, 1, seuser) + self.store.set_value(iter, 2, seobject.translate(serange)) + + def modify(self): + target=self.loginsNameEntry.get_text().strip() + serange=self.loginsMLSEntry.get_text().strip() + if serange == "": + serange = "s0" + list_model = self.loginsSelinuxUserCombo.get_model() + iter = self.loginsSelinuxUserCombo.get_active_iter() + seuser=list_model.get_value(iter,0) + self.wait() + (rc, out) = commands.getstatusoutput("semanage login -m -s %s -r %s %s" % (seuser, serange, target)) + self.ready() + if rc != 0: + self.error(out) + return False + + store, iter = self.view.get_selection().get_selected() + self.store.set_value(iter, 0, target) + self.store.set_value(iter, 1, seuser) + self.store.set_value(iter, 2, seobject.translate(serange)) + diff --git a/policycoreutils/gui/mappingsPage.py b/policycoreutils/gui/mappingsPage.py new file mode 100644 index 0000000..3e4c2a2 --- /dev/null +++ b/policycoreutils/gui/mappingsPage.py @@ -0,0 +1,56 @@ +## mappingsPage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. + +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. + +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. + +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +## Author: Dan Walsh +import string +import gtk +import gtk.glade +import os +import gobject +import sys +import seobject + +## +## I18N +## +PROGNAME="policycoreutils" +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +class loginsPage: + def __init__(self, xml): + self.xml = xml + self.view = xml.get_widget("mappingsView") + self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING) + self.store.set_sort_column_id(0, gtk.SORT_ASCENDING) + self.view.set_model(self.store) + self.login = loginRecords() + dict = self.login.get_all(0) + keys = dict.keys() + keys.sort() + for k in keys: + print "%-25s %-25s %-25s" % (k, dict[k][0], translate(dict[k][1])) + diff --git a/policycoreutils/gui/modulesPage.py b/policycoreutils/gui/modulesPage.py new file mode 100644 index 0000000..82f31b6 --- /dev/null +++ b/policycoreutils/gui/modulesPage.py @@ -0,0 +1,190 @@ +## modulesPage.py - show selinux mappings +## Copyright (C) 2006-2009 Red Hat, Inc. + +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. + +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. + +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +## Author: Dan Walsh +import string +import gtk +import gtk.glade +import os +import commands +import gobject +import sys +import seobject +import selinux +from semanagePage import *; + +## +## I18N +## +PROGNAME="policycoreutils" +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +class modulesPage(semanagePage): + def __init__(self, xml): + semanagePage.__init__(self, xml, "modules", _("Policy Module")) + self.module_filter = xml.get_widget("modulesFilterEntry") + self.module_filter.connect("focus_out_event", self.filter_changed) + self.module_filter.connect("activate", self.filter_changed) + self.audit_enabled = False + + self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING) + self.view.set_model(self.store) + self.store.set_sort_column_id(0, gtk.SORT_ASCENDING) + col = gtk.TreeViewColumn(_("Module Name"), gtk.CellRendererText(), text = 0) + col.set_sort_column_id(0) + col.set_resizable(True) + self.view.append_column(col) + self.store.set_sort_column_id(0, gtk.SORT_ASCENDING) + col = gtk.TreeViewColumn(_("Version"), gtk.CellRendererText(), text = 1) + self.enable_audit_button = xml.get_widget("enableAuditButton") + self.enable_audit_button.connect("clicked", self.enable_audit) + self.new_button = xml.get_widget("newModuleButton") + self.new_button.connect("clicked", self.new_module) + col.set_sort_column_id(1) + col.set_resizable(True) + self.view.append_column(col) + self.store.set_sort_func(1,self.sort_int, "") + status, self.policy_type = selinux.selinux_getpolicytype() + + self.load() + + def sort_int(self, treemodel, iter1, iter2, user_data): + try: + p1 = int(treemodel.get_value(iter1,1)) + p2 = int(treemodel.get_value(iter1,1)) + if p1 > p2: + return 1 + if p1 == p2: + return 0 + return -1 + except: + return 0 + + def load(self, filter=""): + self.filter=filter + self.store.clear() + try: + fd=os.popen("semodule -l") + l = fd.readlines() + fd.close() + for i in l: + module, ver, newline = i.split('\t') + if not (self.match(module, filter) or self.match(ver, filter)): + continue + iter = self.store.append() + self.store.set_value(iter, 0, module.strip()) + self.store.set_value(iter, 1, ver.strip()) + except: + pass + self.view.get_selection().select_path ((0,)) + + + def new_module(self, args): + try: + os.spawnl(os.P_NOWAIT, "/usr/share/system-config-selinux/polgengui.py") + except ValueError, e: + self.error(e.args[0]) + + def delete(self): + store, iter = self.view.get_selection().get_selected() + module = store.get_value(iter, 0) + try: + self.wait() + status, output = commands.getstatusoutput("semodule -r %s" % module) + self.ready() + if status != 0: + self.error(output) + else: + store.remove(iter) + self.view.get_selection().select_path ((0,)) + + except ValueError, e: + self.error(e.args[0]) + + def enable_audit(self, button): + self.audit_enabled = not self.audit_enabled + try: + self.wait() + if self.audit_enabled: + status, output =commands.getstatusoutput("semodule -DB") + button.set_label(_("Disable Audit")) + else: + status, output =commands.getstatusoutput("semodule -B") + button.set_label(_("Enable Audit")) + self.ready() + + if status != 0: + self.error(output) + + except ValueError, e: + self.error(e.args[0]) + + def disable_audit(self, button): + try: + self.wait() + status, output =commands.getstatusoutput("semodule -B") + self.ready() + if status != 0: + self.error(output) + + except ValueError, e: + self.error(e.args[0]) + + def propertiesDialog(self): + # Do nothing + return + + def addDialog(self): + dialog = gtk.FileChooserDialog(_("Load Policy Module"), + None, + gtk.FILE_CHOOSER_ACTION_OPEN, + (gtk.STOCK_CANCEL, gtk.RESPONSE_CANCEL, + gtk.STOCK_OPEN, gtk.RESPONSE_OK)) + dialog.set_default_response(gtk.RESPONSE_OK) + + filter = gtk.FileFilter() + filter.set_name("Policy Files") + filter.add_pattern("*.pp") + dialog.add_filter(filter) + + response = dialog.run() + if response == gtk.RESPONSE_OK: + self.add(dialog.get_filename()) + dialog.destroy() + + def add(self, file): + try: + self.wait() + status, output =commands.getstatusoutput("semodule -i %s" % file) + self.ready() + if status != 0: + self.error(output) + else: + self.load() + + except ValueError, e: + self.error(e.args[0]) diff --git a/policycoreutils/gui/polgen.glade b/policycoreutils/gui/polgen.glade new file mode 100644 index 0000000..55bad9d --- /dev/null +++ b/policycoreutils/gui/polgen.glade @@ -0,0 +1,3432 @@ + + + + + + + + 5 + GTK_FILE_CHOOSER_ACTION_OPEN + True + True + True + False + GTK_WINDOW_TOPLEVEL + GTK_WIN_POS_MOUSE + False + True + False + True + False + False + GDK_WINDOW_TYPE_HINT_DIALOG + GDK_GRAVITY_NORTH_WEST + True + False + + + + True + False + 24 + + + + True + GTK_BUTTONBOX_END + + + + True + True + True + gtk-cancel + True + GTK_RELIEF_NORMAL + True + -6 + + + + + + True + True + True + True + gtk-add + True + GTK_RELIEF_NORMAL + True + -5 + + + + + 0 + False + True + GTK_PACK_END + + + + + + + + 5 + False + Polgen + Red Hat 2007 + GPL + False + www.redhat.com + Daniel Walsh <dwalsh@redhat.com> + translator-credits + + + + True + SELinux Policy Generation Tool + GTK_WINDOW_TOPLEVEL + GTK_WIN_POS_NONE + False + True + False + True + False + False + GDK_WINDOW_TYPE_HINT_NORMAL + GDK_GRAVITY_NORTH_WEST + True + False + + + + True + False + 18 + + + + True + False + True + GTK_POS_LEFT + False + False + + + + True + False + 0 + + + + True + <b>Select the policy type for the application or user role you want to confine:</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + False + 0 + + + + True + False + 0 + + + + True + False + 12 + + + + True + False + 6 + + + + True + <b>Applications</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + True + False + 0 + + + + True + + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + True + False + 6 + + + + True + Standard Init Daemon are daemons started on boot via init scripts. Usually requires a script in /etc/rc.d/init.d + True + Standard Init Daemon + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 0 + False + False + + + + + + True + Standard Init Daemon are daemons started on boot via init scripts. Usually requires a script in /etc/rc.d/init.d + True + DBUS System Daemon + True + GTK_RELIEF_NORMAL + True + False + False + True + init_radiobutton + + + 0 + False + False + + + + + + True + Internet Services Daemon are daemons started by xinetd + True + Internet Services Daemon (inetd) + True + GTK_RELIEF_NORMAL + True + False + False + True + init_radiobutton + + + 0 + False + False + + + + + + True + Web Applications/Script (CGI) CGI scripts started by the web server (apache) + True + Web Application/Script (CGI) + True + GTK_RELIEF_NORMAL + True + False + False + True + init_radiobutton + + + 0 + False + False + + + + + + True + User Application are any application that you would like to confine that is started by a user + True + User Application + True + GTK_RELIEF_NORMAL + True + False + False + True + init_radiobutton + + + 0 + False + False + + + + + + True + User Application are any application that you would like to confine that is started by a user + True + Sandbox + True + GTK_RELIEF_NORMAL + True + False + False + True + init_radiobutton + + + 0 + False + False + + + + + 0 + False + False + + + + + 0 + True + True + + + + + 0 + False + True + + + + + + True + False + 6 + + + + True + <b>Login Users</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + True + False + 0 + + + + True + + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + True + False + 6 + + + + True + Modify an existing login user record. + True + Existing User Roles + True + GTK_RELIEF_NORMAL + True + False + False + True + init_radiobutton + + + 0 + False + False + + + + + + True + This user will login to a machine only via a terminal or remote login. By default this user will have no setuid, no networking, no su, no sudo. + True + Minimal Terminal User Role + True + GTK_RELIEF_NORMAL + True + False + False + True + init_radiobutton + + + 0 + False + False + + + + + + True + This user can login to a machine via X or terminal. By default this user will have no setuid, no networking, no sudo, no su + True + Minimal X Windows User Role + True + GTK_RELIEF_NORMAL + True + False + False + True + init_radiobutton + + + 0 + False + False + + + + + + True + User with full networking, no setuid applications without transition, no sudo, no su. + True + User Role + True + GTK_RELIEF_NORMAL + True + False + False + True + init_radiobutton + + + 0 + False + False + + + + + + True + User with full networking, no setuid applications without transition, no su, can sudo to Root Administration Roles + True + Admin User Role + True + GTK_RELIEF_NORMAL + True + False + False + True + init_radiobutton + + + 0 + False + False + + + + + 0 + True + False + + + + + 0 + True + True + + + + + 0 + False + True + + + + + + True + False + 6 + + + + True + <b>Root Users</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + True + False + 0 + + + + True + + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + True + False + 0 + + + + True + Select Root Administrator User Role, if this user will be used to administer the machine while running as root. This user will not be able to login to the system directly. + True + Root Admin User Role + True + GTK_RELIEF_NORMAL + True + False + False + True + init_radiobutton + + + 0 + False + False + + + + + 0 + False + False + + + + + 0 + True + True + + + + + 0 + True + True + + + + + 0 + True + True + + + + + 0 + True + True + + + + + 0 + True + True + + + + + True + True + + + + + + True + label104 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + <b>Enter name of application or user role:</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + 3 + 3 + False + 6 + 12 + + + + True + Name + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 0 + 1 + fill + + + + + + + True + Enter complete path for executable to be confined. + True + True + True + 0 + + True + • + False + + + 1 + 2 + 1 + 2 + + + + + + + True + True + ... + True + GTK_RELIEF_NORMAL + True + + + + 2 + 3 + 1 + 2 + fill + + + + + + + True + Enter unique name for the confined application or user role. + True + True + True + 0 + + True + • + False + + + 1 + 3 + 0 + 1 + + + + + + + True + Executable + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 1 + 2 + fill + + + + + + + True + Init script + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 2 + 3 + fill + + + + + + + True + Enter complete path to init script used to start the confined application. + True + True + True + 0 + + True + • + False + + + 1 + 2 + 2 + 3 + + + + + + + True + True + ... + True + GTK_RELIEF_NORMAL + True + + + + 2 + 3 + 2 + 3 + fill + + + + + + 0 + True + True + + + + + False + True + + + + + + True + label105 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + <b>Select existing role to modify:</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + True + GTK_POLICY_AUTOMATIC + GTK_POLICY_AUTOMATIC + GTK_SHADOW_IN + GTK_CORNER_TOP_LEFT + + + + True + Select the user roles that will transiton to the %s domain. + True + False + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label106 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + <b>Select roles that %s will transition to:</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + Select applications domains that %s will transition to. + True + False + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label107 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + <b>Select the user_roles that will transition to %s:</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + Select the user roles that will transiton to this applications domains. + True + False + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label108 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + <b>Select domains that %s will administer:</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + Select the domains that you would like this user administer. + True + False + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label109 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + <b>Select additional roles for %s:</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + Select the domains that you would like this user administer. + True + False + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label111 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + <b>Enter network ports that %s binds on:</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + False + 6 + + + + True + <b>TCP Ports</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + True + False + 0 + + + + True + + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + True + False + 6 + + + + True + False + 12 + + + + True + Allows %s to bind to any udp port + True + All + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 10 + False + False + + + + + + True + Allow %s to call bindresvport with 0. Binding to port 600-1024 + True + 600-1024 + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 10 + False + False + + + + + + True + Enter a comma separated list of udp ports or ranges of ports that %s binds to. Example: 612, 650-660 + True + Unreserved Ports (>1024) + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 10 + False + False + + + + + 0 + True + True + + + + + + True + False + 12 + + + + True + Select Ports + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + Allows %s to bind to any udp ports > 1024 + True + True + True + 0 + + True + • + False + + + 0 + True + True + + + + + 0 + True + True + + + + + 0 + True + True + + + + + 0 + True + True + + + + + 0 + True + True + + + + + + True + False + 6 + + + + True + <b>UDP Ports</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + True + False + 0 + + + + True + + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + True + False + 6 + + + + True + False + 12 + + + + True + Allows %s to bind to any udp port + True + All + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 10 + False + False + + + + + + True + Allow %s to call bindresvport with 0. Binding to port 600-1024 + True + 600-1024 + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 10 + False + False + + + + + + True + Enter a comma separated list of udp ports or ranges of ports that %s binds to. Example: 612, 650-660 + True + Unreserved Ports (>1024) + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 10 + False + False + + + + + 0 + True + True + + + + + + True + False + 12 + + + + True + Select Ports + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + Allows %s to bind to any udp ports > 1024 + True + True + True + 0 + + True + • + False + + + 0 + True + True + + + + + 0 + True + True + + + + + 0 + True + True + + + + + 0 + True + True + + + + + 0 + True + True + + + + + False + True + + + + + + True + label113 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + <b>Select network ports that %s connects to:</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + False + 6 + + + + True + <b>TCP Ports</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + True + False + 0 + + + + True + + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + True + False + 12 + + + + Allows %s to connect to any tcp port + True + True + All + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 10 + False + False + + + + + + True + Select Ports + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + Enter a comma separated list of tcp ports or ranges of ports that %s connects to. Example: 612, 650-660 + True + True + True + 0 + + True + • + False + + + 0 + True + True + + + + + 0 + True + True + + + + + 0 + True + True + + + + + 0 + True + True + + + + + + True + False + 6 + + + + True + <b>UDP Ports</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + True + False + 0 + + + + True + + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + True + False + 12 + + + + Allows %s to connect to any udp port + True + True + All + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 10 + False + False + + + + + + True + Select Ports + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + Enter a comma separated list of udp ports or ranges of ports that %s connects to. Example: 612, 650-660 + True + True + True + 0 + + True + • + False + + + 0 + True + True + + + + + 0 + True + True + + + + + 0 + True + True + + + + + 0 + True + True + + + + + False + True + + + + + + True + label114 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + <b>Select common application traits for %s:</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + False + 6 + + + + True + True + Writes syslog messages + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 0 + False + False + + + + + + True + True + Create/Manipulate temporary files in /tmp + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 0 + False + False + + + + + + True + True + Uses Pam for authentication + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 0 + False + False + + + + + + True + True + Uses nsswitch or getpw* calls + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 0 + False + False + + + + + + True + True + Uses dbus + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 0 + False + False + + + + + + True + True + Sends audit messages + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 0 + False + False + + + + + + True + True + Interacts with the terminal + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 0 + False + False + + + + + + True + True + Sends email + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 0 + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label115 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + <b>Add files/directories that %s manages</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + False + 12 + + + + True + False + 6 + + + + True + True + GTK_RELIEF_NORMAL + True + + + + + True + 0.5 + 0.5 + 0 + 0 + 0 + 0 + 0 + 0 + + + + True + False + 2 + + + + True + gtk-add + 4 + 0.5 + 0.5 + 0 + 0 + + + 0 + False + False + + + + + + True + Add File + True + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + + + + 0 + False + False + + + + + + True + True + GTK_RELIEF_NORMAL + True + + + + + True + 0.5 + 0.5 + 0 + 0 + 0 + 0 + 0 + 0 + + + + True + False + 2 + + + + True + gtk-add + 4 + 0.5 + 0.5 + 0 + 0 + + + 0 + False + False + + + + + + True + Add Directory + True + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + + + + 0 + False + False + + + + + + True + True + gtk-delete + True + GTK_RELIEF_NORMAL + True + + + + + 0 + False + False + + + + + 4 + False + False + + + + + + True + True + GTK_POLICY_AUTOMATIC + GTK_POLICY_AUTOMATIC + GTK_SHADOW_IN + GTK_CORNER_TOP_LEFT + + + + True + Files/Directories which the %s "manages". Pid Files, Log Files, /var/lib Files ... + True + False + False + False + True + False + False + False + + + + + 0 + True + True + + + + + 0 + True + True + + + + + False + True + + + + + + True + label116 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + <b>Add booleans from the %s policy:</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + False + 12 + + + + True + False + 6 + + + + True + True + GTK_RELIEF_NORMAL + True + + + + + True + 0.5 + 0.5 + 0 + 0 + 0 + 0 + 0 + 0 + + + + True + False + 2 + + + + True + gtk-add + 4 + 0.5 + 0.5 + 0 + 0 + + + 0 + False + False + + + + + + True + Add Boolean + True + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + + + + 0 + False + False + + + + + + True + True + gtk-delete + True + GTK_RELIEF_NORMAL + True + + + + + 0 + False + False + + + + + 4 + False + True + + + + + + True + True + GTK_POLICY_AUTOMATIC + GTK_POLICY_AUTOMATIC + GTK_SHADOW_IN + GTK_CORNER_TOP_LEFT + + + + True + Add/Remove booleans used by the %s domain + True + True + False + False + True + False + False + False + + + + + 0 + True + True + + + + + 0 + True + True + + + + + False + True + + + + + + True + + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + <b>Which directory you will generate the %s policy?</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + True + False + 12 + + + + True + Policy Directory + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + True + True + True + 0 + + True + • + False + + + 0 + True + True + + + + + + True + True + ... + True + GTK_RELIEF_NORMAL + True + + + 0 + False + False + + + + + 12 + False + False + + + + + False + True + + + + + + True + + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + 0 + True + True + + + + + + True + GTK_BUTTONBOX_END + 0 + + + + True + True + True + gtk-cancel + True + GTK_RELIEF_NORMAL + True + + + + + + + True + True + True + gtk-go-back + True + GTK_RELIEF_NORMAL + True + + + + + + + True + True + True + gtk-media-forward + True + GTK_RELIEF_NORMAL + True + + + + + + 5 + False + False + + + + + + + + 12 + Add Booleans Dialog + GTK_WINDOW_TOPLEVEL + GTK_WIN_POS_MOUSE + False + 400 + True + False + True + False + False + GDK_WINDOW_TYPE_HINT_DIALOG + GDK_GRAVITY_NORTH_WEST + True + False + False + + + + True + False + 6 + + + + True + GTK_BUTTONBOX_END + + + + True + True + True + gtk-cancel + True + GTK_RELIEF_NORMAL + True + -6 + + + + + + True + True + True + gtk-add + True + GTK_RELIEF_NORMAL + True + -5 + + + + + 0 + False + True + GTK_PACK_END + + + + + + True + 2 + 2 + False + 6 + 12 + + + + True + Boolean Name + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 0 + 1 + fill + + + + + + + True + Description + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 1 + 2 + fill + + + + + + + True + True + True + True + 0 + + True + • + False + + + 1 + 2 + 0 + 1 + + + + + + + True + True + True + True + 0 + + True + • + False + + + 1 + 2 + 1 + 2 + + + + + + 0 + True + True + + + + + + + diff --git a/policycoreutils/gui/polgen.py b/policycoreutils/gui/polgen.py new file mode 100644 index 0000000..5a73fa3 --- /dev/null +++ b/policycoreutils/gui/polgen.py @@ -0,0 +1,1370 @@ +#!/usr/bin/python -Es +# +# Copyright (C) 2007-2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +import os, sys, stat +import re +import commands +import setools + +from templates import executable +from templates import boolean +from templates import etc_rw +from templates import unit_file +from templates import var_cache +from templates import var_spool +from templates import var_lib +from templates import var_log +from templates import var_run +from templates import tmp +from templates import rw +from templates import network +from templates import script +from templates import user +import sepolgen.interfaces as interfaces +import sepolgen.defaults as defaults + +## +## I18N +## +PROGNAME="policycoreutils" + +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +methods = [] +fn = defaults.interface_info() +try: + fd = open(fn) + # List of per_role_template interfaces + ifs = interfaces.InterfaceSet() + ifs.from_file(fd) + methods = ifs.interfaces.keys() + fd.close() +except: + sys.stderr.write("could not open interface info [%s]\n" % fn) + sys.exit(1) + +all_types = None +def get_all_types(): + global all_types + if all_types == None: + all_types = map(lambda x: x['name'], setools.seinfo(setools.TYPE)) + return all_types + +def get_all_ports(): + dict = {} + for p in setools.seinfo(setools.PORT): + if p['type'] == "reserved_port_t" or \ + p['type'] == "port_t" or \ + p['type'] == "hi_reserved_port_t": + continue + dict[(p['low'], p['high'], p['protocol'])]=(p['type'], p['range']) + return dict + +def get_all_roles(): + roles = map(lambda x: x['name'], setools.seinfo(setools.ROLE)) + roles.remove("object_r") + roles.sort() + return roles + +def get_all_attributes(): + attributes = map(lambda x: x['name'], setools.seinfo(setools.ATTRIBUTE)) + attributes.sort() + return attributes + +def get_all_domains(): + all_domains = [] + types=get_all_types() + types.sort() + for i in types: + m = re.findall("(.*)%s" % "_exec_t$", i) + if len(m) > 0: + if len(re.findall("(.*)%s" % "_initrc$", m[0])) == 0 and m[0] not in all_domains: + all_domains.append(m[0]) + return all_domains + +def get_all_modules(): + try: + all_modules = [] + rc, output=commands.getstatusoutput("semodule -l 2>/dev/null") + if rc == 0: + l = output.split("\n") + for i in l: + all_modules.append(i.split()[0]) + except: + pass + + return all_modules + +def get_all_users(): + users = map(lambda x: x['name'], setools.seinfo(setools.USER)) + users.remove("system_u") + users.remove("root") + users.sort() + return users + +ALL = 0 +RESERVED = 1 +UNRESERVED = 2 +PORTS = 3 +ADMIN_TRANSITION_INTERFACE = "_admin$" +USER_TRANSITION_INTERFACE = "_role$" + +DAEMON = 0 +DBUS = 1 +INETD = 2 +CGI = 3 +USER = 4 +SANDBOX = 5 +TUSER = 6 +XUSER = 7 +LUSER = 8 +AUSER = 9 +RUSER = 10 +EUSER = 11 + +poltype={} +poltype[DAEMON] = _("Standard Init Daemon") +poltype[DBUS] = _("DBUS System Daemon") +poltype[INETD] = _("Internet Services Daemon") +poltype[CGI] = _("Web Application/Script (CGI)") +poltype[USER] = _("User Application") +poltype[SANDBOX] = _("Sandbox") +poltype[TUSER] = _("Minimal Terminal User Role") +poltype[XUSER] = _("Minimal X Windows User Role") +poltype[LUSER] = _("User Role") +poltype[AUSER] = _("Admin User Role") +poltype[RUSER] = _("Root Admin User Role") + +APPLICATIONS = [ DAEMON, DBUS, INETD, USER, CGI ] +USERS = [ XUSER, TUSER, LUSER, AUSER, EUSER, RUSER] + +def verify_ports(ports): + if ports == "": + return [] + max_port=2**16 + try: + temp = [] + for a in ports.split(","): + r = a.split("-") + if len(r) > 2: + raise ValueError + if len(r) == 1: + begin = int (r[0]) + end = int (r[0]) + else: + begin = int (r[0]) + end = int (r[1]) + + if begin > end: + raise ValueError + + for p in range(begin, end + 1): + if p < 1 or p > max_port: + raise ValueError + temp.append(p) + return temp + except ValueError: + raise ValueError(_("Ports must be numbers or ranges of numbers from 1 to %d " % max_port )) + +class policy: + + def __init__(self, name, type): + self.ports = [] + try: + self.ports = get_all_ports() + except ValueError, e: + print "Can not get port types, must be root for this information" + except RuntimeError, e: + print "Can not get port types", e + + self.symbols = {} + self.symbols["openlog"] = "set_use_kerberos(True)" + self.symbols["openlog"] = "set_use_kerb_rcache(True)" + self.symbols["openlog"] = "set_use_syslog(True)" + self.symbols["gethostby"] = "set_use_resolve(True)" + self.symbols["getaddrinfo"] = "set_use_resolve(True)" + self.symbols["getnameinfo"] = "set_use_resolve(True)" + self.symbols["krb"] = "set_use_kerberos(True)" + self.symbols["gss_accept_sec_context"] = "set_manage_krb5_rcache(True)" + self.symbols["krb5_verify_init_creds"] = "set_manage_krb5_rcache(True)" + self.symbols["krb5_rd_req"] = "set_manage_krb5_rcache(True)" + self.symbols["__syslog_chk"] = "set_use_syslog(True)" + self.symbols["getpwnam"] = "set_use_uid(True)" + self.symbols["getpwuid"] = "set_use_uid(True)" + self.symbols["dbus_"] = "set_use_dbus(True)" + self.symbols["pam_"] = "set_use_pam(True)" + self.symbols["pam_"] = "set_use_audit(True)" + self.symbols["fork"] = "add_process('fork')" + self.symbols["transition"] = "add_process('transition')" + self.symbols["sigchld"] = "add_process('sigchld')" + self.symbols["sigkill"] = "add_process('sigkill')" + self.symbols["sigstop"] = "add_process('sigstop')" + self.symbols["signull"] = "add_process('signull')" + self.symbols["signal"] = "add_process('signal')" + self.symbols["ptrace"] = "add_process('ptrace')" + self.symbols["getsched"] = "add_process('getsched')" + self.symbols["setsched"] = "add_process('setsched')" + self.symbols["getsession"] = "add_process('getsession')" + self.symbols["getpgid"] = "add_process('getpgid')" + self.symbols["setpgid"] = "add_process('setpgid')" + self.symbols["getcap"] = "add_process('getcap')" + self.symbols["setcap"] = "add_process('setcap')" + self.symbols["share"] = "add_process('share')" + self.symbols["getattr"] = "add_process('getattr')" + self.symbols["setexec"] = "add_process('setexec')" + self.symbols["setfscreate"] = "add_process('setfscreate')" + self.symbols["noatsecure"] = "add_process('noatsecure')" + self.symbols["siginh"] = "add_process('siginh')" + self.symbols["setrlimit"] = "add_process('setrlimit')" + self.symbols["rlimitinh"] = "add_process('rlimitinh')" + self.symbols["dyntransition"] = "add_process('dyntransition')" + self.symbols["setcurrent"] = "add_process('setcurrent')" + self.symbols["execmem"] = "add_process('execmem')" + self.symbols["execstack"] = "add_process('execstack')" + self.symbols["execheap"] = "add_process('execheap')" + self.symbols["setkeycreate"] = "add_process('setkeycreate')" + self.symbols["setsockcreate"] = "add_process('setsockcreate')" + + self.symbols["chown"] = "add_capability('chown')" + self.symbols["dac_override"] = "add_capability('dac_override')" + self.symbols["dac_read_search"] = "add_capability('dac_read_search')" + self.symbols["fowner"] = "add_capability('fowner')" + self.symbols["fsetid"] = "add_capability('fsetid')" + self.symbols["kill"] = "add_capability('kill')" + self.symbols["setgid"] = "add_capability('setgid')" + self.symbols["setresuid"] = "add_capability('setuid')" + self.symbols["setuid"] = "add_capability('setuid')" + self.symbols["setpcap"] = "add_capability('setpcap')" + self.symbols["linux_immutable"] = "add_capability('linux_immutable')" + self.symbols["net_bind_service"] = "add_capability('net_bind_service')" + self.symbols["net_broadcast"] = "add_capability('net_broadcast')" + self.symbols["net_admin"] = "add_capability('net_admin')" + self.symbols["net_raw"] = "add_capability('net_raw')" + self.symbols["ipc_lock"] = "add_capability('ipc_lock')" + self.symbols["ipc_owner"] = "add_capability('ipc_owner')" + self.symbols["sys_module"] = "add_capability('sys_module')" + self.symbols["sys_rawio"] = "add_capability('sys_rawio')" + self.symbols["chroot"] = "add_capability('sys_chroot')" + self.symbols["sys_chroot"] = "add_capability('sys_chroot')" + self.symbols["sys_ptrace"] = "add_capability('sys_ptrace')" + self.symbols["sys_pacct"] = "add_capability('sys_pacct')" + self.symbols["mount"] = "add_capability('sys_admin')" + self.symbols["unshare"] = "add_capability('sys_admin')" + self.symbols["sys_admin"] = "add_capability('sys_admin')" + self.symbols["sys_boot"] = "add_capability('sys_boot')" + self.symbols["sys_nice"] = "add_capability('sys_nice')" + self.symbols["sys_resource"] = "add_capability('sys_resource')" + self.symbols["sys_time"] = "add_capability('sys_time')" + self.symbols["sys_tty_config"] = "add_capability('sys_tty_config')" + self.symbols["mknod"] = "add_capability('mknod')" + self.symbols["lease"] = "add_capability('lease')" + self.symbols["audit_write"] = "add_capability('audit_write')" + self.symbols["audit_control"] = "add_capability('audit_control')" + self.symbols["setfcap"] = "add_capability('setfcap')" + + self.DEFAULT_DIRS = {} + self.DEFAULT_DIRS["/etc"] = ["etc_rw", [], etc_rw]; + self.DEFAULT_DIRS["/tmp"] = ["tmp", [], tmp]; + self.DEFAULT_DIRS["rw"] = ["rw", [], rw]; + self.DEFAULT_DIRS["/usr/lib/systemd/system"] = ["unit_file", [], unit_file]; + self.DEFAULT_DIRS["/lib/systemd/system"] = ["unit_file", [], unit_file]; + self.DEFAULT_DIRS["/etc/systemd/system"] = ["unit_file", [], unit_file]; + self.DEFAULT_DIRS["/var/cache"] = ["var_cache", [], var_cache]; + self.DEFAULT_DIRS["/var/lib"] = ["var_lib", [], var_lib]; + self.DEFAULT_DIRS["/var/log"] = ["var_log", [], var_log]; + self.DEFAULT_DIRS["/var/run"] = ["var_run", [], var_run]; + self.DEFAULT_DIRS["/var/spool"] = ["var_spool", [], var_spool]; + + self.DEFAULT_KEYS=["/etc", "/var/cache", "/var/log", "/tmp", "rw", "/var/lib", "/var/run", "/var/spool", "/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system" ] + + self.DEFAULT_TYPES = (\ +( self.generate_daemon_types, self.generate_daemon_rules), \ +( self.generate_dbusd_types, self.generate_dbusd_rules), \ +( self.generate_inetd_types, self.generate_inetd_rules), \ +( self.generate_cgi_types, self.generate_cgi_rules), \ +( self.generate_sandbox_types, self.generate_sandbox_rules), \ +( self.generate_userapp_types, self.generate_userapp_rules), \ +( self.generate_existing_user_types, self.generate_existing_user_rules), \ +( self.generate_min_login_user_types, self.generate_login_user_rules), \ +( self.generate_x_login_user_types, self.generate_x_login_user_rules), \ +( self.generate_login_user_types, self.generate_login_user_rules), \ +( self.generate_admin_user_types, self.generate_login_user_rules), \ +( self.generate_root_user_types, self.generate_root_user_rules)) + if name == "": + raise ValueError(_("You must enter a name for your confined process/user")) + if not name.isalnum(): + raise ValueError(_("Name must be alpha numberic with no spaces. Consider using option \"-n MODULENAME\"")) + + if type == CGI: + self.name = "httpd_%s_script" % name + else: + self.name = name + + self.file_name = name + + self.capabilities = [] + self.processes = [] + self.type = type + self.initscript = "" + self.program = "" + self.in_tcp = [False, False, False, []] + self.in_udp = [False, False, False, []] + self.out_tcp = [False, False, False, []] + self.out_udp = [False, False, False, []] + self.use_resolve = False + self.use_tmp = False + self.use_uid = False + self.use_syslog = False + self.use_kerberos = False + self.manage_krb5_rcache = False + self.use_pam = False + self.use_dbus = False + self.use_audit = False + self.use_etc = True + self.use_localization = True + self.use_fd = True + self.use_terminal = False + self.use_mail = False + self.booleans = {} + self.files = {} + self.dirs = {} + self.found_tcp_ports=[] + self.found_udp_ports=[] + self.need_tcp_type=False + self.need_udp_type=False + self.admin_domains = [] + self.transition_domains = [] + self.transition_users = [] + self.roles = [] + + def __isnetset(self, l): + return l[ALL] or l[RESERVED] or l[UNRESERVED] or len(l[PORTS]) > 0 + + def set_admin_domains(self, admin_domains): + self.admin_domains = admin_domains + + def set_admin_roles(self, roles): + self.roles = roles + + def set_transition_domains(self, transition_domains): + self.transition_domains = transition_domains + + def set_transition_users(self, transition_users): + self.transition_users = transition_users + + def use_in_udp(self): + return self.__isnetset(self.in_udp) + + def use_out_udp(self): + return self.__isnetset(self.out_udp) + + def use_udp(self): + return self.use_in_udp() or self.use_out_udp() + + def use_in_tcp(self): + return self.__isnetset(self.in_tcp) + + def use_out_tcp(self): + return self.__isnetset(self.out_tcp) + + def use_tcp(self): + return self.use_in_tcp() or self.use_out_tcp() + + def use_network(self): + return self.use_tcp() or self.use_udp() + + def find_port(self, port, protocol="tcp"): + for begin,end,p in self.ports.keys(): + if port >= begin and port <= end and protocol == p: + return self.ports[begin, end, protocol] + return None + + def set_program(self, program): + if self.type not in APPLICATIONS: + raise ValueError(_("User Role types can not be assigned executables.")) + + self.program = program + + def set_init_script(self, initscript): + if self.type != DAEMON: + raise ValueError(_("Only Daemon apps can use an init script..")) + + self.initscript = initscript + + def set_in_tcp(self, all, reserved, unreserved, ports): + self.in_tcp = [ all, reserved, unreserved, verify_ports(ports)] + + def set_in_udp(self, all, reserved, unreserved, ports): + self.in_udp = [ all, reserved, unreserved, verify_ports(ports)] + + def set_out_tcp(self, all, ports): + self.out_tcp = [ all , False, False, verify_ports(ports) ] + + def set_out_udp(self, all, ports): + self.out_udp = [ all , False, False, verify_ports(ports) ] + + def set_use_resolve(self, val): + if val != True and val != False: + raise ValueError(_("use_resolve must be a boolean value ")) + + self.use_resolve = val + + def set_use_syslog(self, val): + if val != True and val != False: + raise ValueError(_("use_syslog must be a boolean value ")) + + self.use_syslog = val + + def set_use_kerberos(self, val): + if val != True and val != False: + raise ValueError(_("use_kerberos must be a boolean value ")) + + self.use_kerberos = val + + def set_manage_krb5_rcache(self, val): + if val != True and val != False: + raise ValueError(_("manage_krb5_rcache must be a boolean value ")) + + self.manage_krb5_rcache = val + + def set_use_pam(self, val): + self.use_pam = val == True + + def set_use_dbus(self, val): + self.use_dbus = val == True + + def set_use_audit(self, val): + self.use_audit = val == True + + def set_use_etc(self, val): + self.use_etc = val == True + + def set_use_localization(self, val): + self.use_localization = val == True + + def set_use_fd(self, val): + self.use_fd = val == True + + def set_use_terminal(self, val): + self.use_terminal = val == True + + def set_use_mail(self, val): + self.use_mail = val == True + + def set_use_tmp(self, val): + if self.type in USERS: + raise ValueError(_("USER Types automatically get a tmp type")) + + if val: + self.DEFAULT_DIRS["/tmp"][1].append("/tmp"); + else: + self.DEFAULT_DIRS["/tmp"][1]=[] + + def set_use_uid(self, val): + self.use_uid = val == True + + def generate_uid_rules(self): + if self.use_uid: + return re.sub("TEMPLATETYPE", self.name, executable.te_uid_rules) + else: + return "" + + def generate_syslog_rules(self): + if self.use_syslog: + return re.sub("TEMPLATETYPE", self.name, executable.te_syslog_rules) + else: + return "" + + def generate_resolve_rules(self): + if self.use_resolve: + return re.sub("TEMPLATETYPE", self.name, executable.te_resolve_rules) + else: + return "" + + def generate_kerberos_rules(self): + if self.use_kerberos: + return re.sub("TEMPLATETYPE", self.name, executable.te_kerberos_rules) + else: + return "" + + def generate_manage_krb5_rcache_rules(self): + if self.manage_krb5_rcache: + return re.sub("TEMPLATETYPE", self.name, executable.te_manage_krb5_rcache_rules) + else: + return "" + + def generate_pam_rules(self): + newte ="" + if self.use_pam: + newte = re.sub("TEMPLATETYPE", self.name, executable.te_pam_rules) + return newte + + def generate_audit_rules(self): + newte ="" + if self.use_audit: + newte = re.sub("TEMPLATETYPE", self.name, executable.te_audit_rules) + return newte + + def generate_etc_rules(self): + newte ="" + if self.use_etc: + newte = re.sub("TEMPLATETYPE", self.name, executable.te_etc_rules) + return newte + + def generate_fd_rules(self): + newte ="" + if self.use_fd: + newte = re.sub("TEMPLATETYPE", self.name, executable.te_fd_rules) + return newte + + def generate_localization_rules(self): + newte ="" + if self.use_localization: + newte = re.sub("TEMPLATETYPE", self.name, executable.te_localization_rules) + return newte + + def generate_dbus_rules(self): + newte ="" + if self.type != DBUS and self.use_dbus: + newte = re.sub("TEMPLATETYPE", self.name, executable.te_dbus_rules) + return newte + + def generate_mail_rules(self): + newte ="" + if self.use_mail: + newte = re.sub("TEMPLATETYPE", self.name, executable.te_mail_rules) + return newte + + def generate_network_action(self, protocol, action, port_name): + line = "" + method = "corenet_%s_%s_%s" % (protocol, action, port_name) + if method in methods: + line = "%s(%s_t)\n" % (method, self.name) + else: + line = """ +gen_require(` + type %s_t; +') +allow %s_t %s_t:%s_socket name_%s; +""" % (port_name, self.name, port_name, protocol, action) + return line + + def generate_network_types(self): + for i in self.in_tcp[PORTS]: + rec = self.find_port(int(i), "tcp") + if rec == None: + self.need_tcp_type = True; + else: + port_name = rec[0][:-2] + line = self.generate_network_action("tcp", "bind", port_name) +# line = "corenet_tcp_bind_%s(%s_t)\n" % (port_name, self.name) + if line not in self.found_tcp_ports: + self.found_tcp_ports.append(line) + + for i in self.out_tcp[PORTS]: + rec = self.find_port(int(i), "tcp") + if rec == None: + self.need_tcp_type = True; + else: + port_name = rec[0][:-2] + line = self.generate_network_action("tcp", "connect", port_name) +# line = "corenet_tcp_connect_%s(%s_t)\n" % (port_name, self.name) + if line not in self.found_tcp_ports: + self.found_tcp_ports.append(line) + + for i in self.in_udp[PORTS]: + rec = self.find_port(int(i),"udp") + if rec == None: + self.need_udp_type = True; + else: + port_name = rec[0][:-2] + line = self.generate_network_action("udp", "bind", port_name) +# line = "corenet_udp_bind_%s(%s_t)\n" % (port_name, self.name) + if line not in self.found_udp_ports: + self.found_udp_ports.append(line) + + if self.need_udp_type == True or self.need_tcp_type == True: + return re.sub("TEMPLATETYPE", self.name, network.te_port_types) + return "" + + def __find_path(self, file): + for d in self.DEFAULT_DIRS: + if file.find(d) == 0: + self.DEFAULT_DIRS[d][1].append(file) + return self.DEFAULT_DIRS[d] + self.DEFAULT_DIRS["rw"][1].append(file) + return self.DEFAULT_DIRS["rw"] + + def add_capability(self, capability): + if capability not in self.capabilities: + self.capabilities.append(capability) + + def add_process(self, process): + if process not in self.processes: + self.processes.append(process) + + def add_boolean(self, name, description): + self.booleans[name] = description + + def add_file(self, file): + self.files[file] = self.__find_path(file) + + def add_dir(self, file): + self.dirs[file] = self.__find_path(file) + + def generate_capabilities(self): + newte = "" + self.capabilities.sort() + if len(self.capabilities) > 0: + newte = "allow %s_t self:capability { %s };\n" % (self.name, " ".join(self.capabilities)) + return newte + + def generate_process(self): + newte = "" + self.processes.sort() + if len(self.processes) > 0: + newte = "allow %s_t self:process { %s };\n" % (self.name, " ".join(self.processes)) + return newte + + + def generate_network_rules(self): + newte = "" + if self.use_network(): + newte = "\n" + + newte += re.sub("TEMPLATETYPE", self.name, network.te_network) + + if self.use_tcp(): + newte += "\n" + newte += re.sub("TEMPLATETYPE", self.name, network.te_tcp) + + if self.use_in_tcp(): + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_tcp) + + if self.need_tcp_type and len(self.in_tcp[PORTS]) > 0: + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_need_port_tcp) + + if self.need_tcp_type and len(self.out_tcp[PORTS]) > 0: + newte += re.sub("TEMPLATETYPE", self.name, network.te_out_need_port_tcp) + + + if self.in_tcp[ALL]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_all_ports_tcp) + if self.in_tcp[RESERVED]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_reserved_ports_tcp) + if self.in_tcp[UNRESERVED]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_unreserved_ports_tcp) + + if self.out_tcp[ALL]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_out_all_ports_tcp) + if self.out_tcp[RESERVED]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_out_reserved_ports_tcp) + if self.out_tcp[UNRESERVED]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_out_unreserved_ports_tcp) + + for i in self.found_tcp_ports: + newte += i + + if self.use_udp(): + newte += "\n" + newte += re.sub("TEMPLATETYPE", self.name, network.te_udp) + + if self.need_udp_type: + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_need_port_udp) + if self.use_in_udp(): + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_udp) + if self.in_udp[ALL]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_all_ports_udp) + if self.in_udp[RESERVED]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_reserved_ports_udp) + if self.in_udp[UNRESERVED]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_unreserved_ports_udp) + + for i in self.found_udp_ports: + newte += i + return newte + + def generate_transition_rules(self): + newte = "" + for app in self.transition_domains: + tmp = re.sub("TEMPLATETYPE", self.name, user.te_transition_rules) + newte += re.sub("APPLICATION", app, tmp) + + if self.type == USER: + for u in self.transition_users: + temp = re.sub("TEMPLATETYPE", self.name, executable.te_run_rules) + newte += re.sub("USER", u.split("_u")[0], temp) + + return newte + + def generate_admin_rules(self): + newte = "" + if self.type == RUSER: + newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules) + + for app in self.admin_domains: + tmp = re.sub("TEMPLATETYPE", self.name, user.te_admin_domain_rules) + newte += re.sub("APPLICATION", app, tmp) + + all_roles = [] + try: + all_roles = get_all_roles() + except ValueError, e: + print "Can not get all roles, must be root for this information" + except RuntimeError, e: + print "Can not get all roles", e + + for u in self.transition_users: + role = u.split("_u")[0] + + if (role + "_r") in all_roles: + tmp = re.sub("TEMPLATETYPE", self.name, user.te_admin_trans_rules) + newte += re.sub("USER", role, tmp) + + return newte + + def generate_dbus_if(self): + newif = "" + if self.use_dbus: + newif = re.sub("TEMPLATETYPE", self.name, executable.if_dbus_rules) + return newif + + def generate_sandbox_if(self): + newif = "" + if self.type != SANDBOX: + return newif + newif = re.sub("TEMPLATETYPE", self.name, executable.if_sandbox_rules) + return newif + + + def generate_admin_if(self): + newif = "" + newtypes = "" + if self.initscript != "": + newtypes += re.sub("TEMPLATETYPE", self.name, executable.if_initscript_admin_types) + newif += re.sub("TEMPLATETYPE", self.name, executable.if_initscript_admin) + for d in self.DEFAULT_KEYS: + if len(self.DEFAULT_DIRS[d][1]) > 0: + newtypes += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_admin_types) + newif += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_admin_rules) + + if newif != "": + ret = re.sub("TEMPLATETYPE", self.name, executable.if_begin_admin) + ret += newtypes + + ret += re.sub("TEMPLATETYPE", self.name, executable.if_middle_admin) + ret += newif + ret += re.sub("TEMPLATETYPE", self.name, executable.if_end_admin) + return ret + + return "" + + def generate_cgi_types(self): + return re.sub("TEMPLATETYPE", self.file_name, executable.te_cgi_types) + + def generate_sandbox_types(self): + return re.sub("TEMPLATETYPE", self.file_name, executable.te_sandbox_types) + + def generate_userapp_types(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_userapp_types) + + def generate_inetd_types(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_inetd_types) + + def generate_dbusd_types(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_dbusd_types) + + def generate_min_login_user_types(self): + return re.sub("TEMPLATETYPE", self.name, user.te_min_login_user_types) + + def generate_login_user_types(self): + return re.sub("TEMPLATETYPE", self.name, user.te_login_user_types) + + def generate_admin_user_types(self): + return re.sub("TEMPLATETYPE", self.name, user.te_admin_user_types) + + def generate_existing_user_types(self): + return re.sub("TEMPLATETYPE", self.name, user.te_existing_user_types) + + def generate_x_login_user_types(self): + return re.sub("TEMPLATETYPE", self.name, user.te_x_login_user_types) + + def generate_root_user_types(self): + return re.sub("TEMPLATETYPE", self.name, user.te_root_user_types) + + def generate_daemon_types(self): + newte = re.sub("TEMPLATETYPE", self.name, executable.te_daemon_types) + if self.initscript != "": + newte += re.sub("TEMPLATETYPE", self.name, executable.te_initscript_types) + return newte + + def generate_tmp_types(self): + if self.use_tmp: + return re.sub("TEMPLATETYPE", self.name, tmp.te_types) + else: + return "" + + def generate_booleans(self): + newte = "" + for b in self.booleans: + tmp = re.sub("BOOLEAN", b, boolean.te_boolean) + newte += re.sub("DESCRIPTION", self.booleans[b], tmp) + return newte + + def generate_boolean_rules(self): + newte = "" + for b in self.booleans: + newte += re.sub("BOOLEAN", b, boolean.te_rules) + return newte + + def generate_sandbox_te(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_sandbox_types) + + def generate_cgi_te(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_cgi_types) + + def generate_daemon_rules(self): + newif = re.sub("TEMPLATETYPE", self.name, executable.te_daemon_rules) + + return newif + + def generate_login_user_rules(self): + return re.sub("TEMPLATETYPE", self.name, user.te_login_user_rules) + + def generate_existing_user_rules(self): + return re.sub("TEMPLATETYPE", self.name, user.te_existing_user_rules) + + def generate_x_login_user_rules(self): + return re.sub("TEMPLATETYPE", self.name, user.te_x_login_user_rules) + + def generate_root_user_rules(self): + newte =re.sub("TEMPLATETYPE", self.name, user.te_root_user_rules) + return newte + + def generate_userapp_rules(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_userapp_rules) + + def generate_inetd_rules(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_inetd_rules) + + def generate_dbusd_rules(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_dbusd_rules) + + def generate_tmp_rules(self): + if self.use_tmp: + return re.sub("TEMPLATETYPE", self.name, tmp.te_rules) + else: + return "" + + def generate_cgi_rules(self): + newte = "" + newte += re.sub("TEMPLATETYPE", self.name, executable.te_cgi_rules) + return newte + + def generate_sandbox_rules(self): + newte = "" + newte += re.sub("TEMPLATETYPE", self.name, executable.te_sandbox_rules) + return newte + + def generate_user_if(self): + newif ="" + if self.use_terminal or self.type == USER: + newif = re.sub("TEMPLATETYPE", self.name, executable.if_user_program_rules) + + if self.type in ( TUSER, XUSER, AUSER, LUSER): + newif += re.sub("TEMPLATETYPE", self.name, executable.if_role_change_rules) + return newif + + def generate_if(self): + newif = "" + newif += re.sub("TEMPLATETYPE", self.name, executable.if_heading_rules) + if self.program != "": + newif += re.sub("TEMPLATETYPE", self.name, executable.if_program_rules) + if self.initscript != "": + newif += re.sub("TEMPLATETYPE", self.name, executable.if_initscript_rules) + + for d in self.DEFAULT_KEYS: + if len(self.DEFAULT_DIRS[d][1]) > 0: + newif += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_rules) + for i in self.DEFAULT_DIRS[d][1]: + if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]): + newif += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_stream_rules) + break + newif += self.generate_user_if() + newif += self.generate_dbus_if() + newif += self.generate_admin_if() + newif += self.generate_sandbox_if() + + return newif + + def generate_default_types(self): + return self.DEFAULT_TYPES[self.type][0]() + + def generate_default_rules(self): + return self.DEFAULT_TYPES[self.type][1]() + + def generate_roles_rules(self): + newte = "" + if self.type in ( TUSER, XUSER, AUSER, LUSER, EUSER): + roles = "" + if len(self.roles) > 0: + newte += re.sub("TEMPLATETYPE", self.name, user.te_sudo_rules) + newte += re.sub("TEMPLATETYPE", self.name, user.te_newrole_rules) + for role in self.roles: + tmp = re.sub("TEMPLATETYPE", self.name, user.te_roles_rules) + newte += re.sub("ROLE", role, tmp) + return newte + + def generate_te(self): + newte = self.generate_default_types() + for d in self.DEFAULT_KEYS: + if len(self.DEFAULT_DIRS[d][1]) > 0: + # CGI scripts already have a rw_t + if self.type != CGI or d != "rw": + newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types) + + newte +=""" +######################################## +# +# %s local policy +# +""" % self.name + newte += self.generate_capabilities() + newte += self.generate_process() + newte += self.generate_network_types() + newte += self.generate_tmp_types() + newte += self.generate_booleans() + newte += self.generate_default_rules() + newte += self.generate_boolean_rules() + + for d in self.DEFAULT_KEYS: + if len(self.DEFAULT_DIRS[d][1]) > 0: + newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_rules) + for i in self.DEFAULT_DIRS[d][1]: + if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]): + newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules) + break + + newte += self.generate_tmp_rules() + newte += self.generate_network_rules() + newte += self.generate_fd_rules() + newte += self.generate_etc_rules() + newte += self.generate_pam_rules() + newte += self.generate_uid_rules() + newte += self.generate_audit_rules() + newte += self.generate_syslog_rules() + newte += self.generate_localization_rules() + newte += self.generate_resolve_rules() + newte += self.generate_roles_rules() + newte += self.generate_mail_rules() + newte += self.generate_transition_rules() + newte += self.generate_admin_rules() + newte += self.generate_dbus_rules() + newte += self.generate_kerberos_rules() + newte += self.generate_manage_krb5_rcache_rules() + + return newte + + def generate_fc(self): + newfc = "" + fclist = [] + if self.type in USERS + [ SANDBOX ]: + return re.sub("EXECUTABLE", self.program, executable.fc_user) + if self.program == "": + raise ValueError(_("You must enter the executable path for your confined process")) + + t1 = re.sub("EXECUTABLE", self.program, executable.fc_program) + fclist.append(re.sub("TEMPLATETYPE", self.name, t1)) + + if self.initscript != "": + t1 = re.sub("EXECUTABLE", self.initscript, executable.fc_initscript) + fclist.append(re.sub("TEMPLATETYPE", self.name, t1)) + + for i in self.files.keys(): + if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]): + t1 = re.sub("TEMPLATETYPE", self.name, self.files[i][2].fc_sock_file) + else: + t1 = re.sub("TEMPLATETYPE", self.name, self.files[i][2].fc_file) + t2 = re.sub("FILENAME", i, t1) + fclist.append(re.sub("FILETYPE", self.files[i][0], t2)) + + for i in self.dirs.keys(): + t1 = re.sub("TEMPLATETYPE", self.name, self.dirs[i][2].fc_dir) + t2 = re.sub("FILENAME", i, t1) + fclist.append(re.sub("FILETYPE", self.dirs[i][0], t2)) + + fclist.sort() + newfc="\n".join(fclist) + return newfc + + def generate_user_sh(self): + newsh = "" + if self.type not in ( TUSER, XUSER, AUSER, LUSER, EUSER): + return newsh + + roles = "" + for role in self.roles: + roles += " %s_r" % role + if roles != "": + roles += " system_r" + if self.type == EUSER: + tmp = re.sub("TEMPLATETYPE", self.name, script.eusers) + else: + tmp = re.sub("TEMPLATETYPE", self.name, script.users) + newsh += re.sub("ROLES", roles, tmp) + + if self.type == RUSER: + for u in self.transition_users: + tmp = re.sub("TEMPLATETYPE", self.name, script.admin_trans) + newsh += re.sub("USER", u, tmp) + + if self.type == LUSER: + newsh += re.sub("TEMPLATETYPE", self.name, script.min_login_user_default_context) + else: + newsh += re.sub("TEMPLATETYPE", self.name, script.x_login_user_default_context) + + + return newsh + + def generate_sh(self): + temp = re.sub("TEMPLATETYPE", self.file_name, script.compile) + if self.type == EUSER: + newsh = re.sub("TEMPLATEFILE", "my%s" % self.file_name, temp) + else: + newsh = re.sub("TEMPLATEFILE", self.file_name, temp) + if self.program != "": + newsh += re.sub("FILENAME", self.program, script.restorecon) + if self.initscript != "": + newsh += re.sub("FILENAME", self.initscript, script.restorecon) + + for i in self.files.keys(): + newsh += re.sub("FILENAME", i, script.restorecon) + + for i in self.dirs.keys(): + newsh += re.sub("FILENAME", i, script.restorecon) + + for i in self.in_tcp[PORTS] + self.out_tcp[PORTS]: + if self.find_port(i,"tcp") == None: + t1 = re.sub("PORTNUM", "%d" % i, script.tcp_ports) + newsh += re.sub("TEMPLATETYPE", self.name, t1) + + for i in self.in_udp[PORTS]: + if self.find_port(i,"udp") == None: + t1 = re.sub("PORTNUM", "%d" % i, script.udp_ports) + newsh += re.sub("TEMPLATETYPE", self.name, t1) + + newsh += self.generate_user_sh() + + return newsh + + def write_te(self, out_dir): + if self.type == EUSER: + tefile = "%s/my%s.te" % (out_dir, self.file_name) + else: + tefile = "%s/%s.te" % (out_dir, self.file_name) + fd = open(tefile, "w") + fd.write(self.generate_te()) + fd.close() + return tefile + + def write_sh(self, out_dir): + if self.type == EUSER: + shfile = "%s/my%s.sh" % (out_dir, self.file_name) + else: + shfile = "%s/%s.sh" % (out_dir, self.file_name) + fd = open(shfile, "w") + fd.write(self.generate_sh()) + fd.close() + os.chmod(shfile, 0750) + return shfile + + def write_if(self, out_dir): + if self.type == EUSER: + iffile = "%s/my%s.if" % (out_dir, self.file_name) + else: + iffile = "%s/%s.if" % (out_dir, self.file_name) + fd = open(iffile, "w") + fd.write(self.generate_if()) + fd.close() + return iffile + + def write_fc(self,out_dir): + if self.type == EUSER: + fcfile = "%s/my%s.fc" % (out_dir, self.file_name) + else: + fcfile = "%s/%s.fc" % (out_dir, self.file_name) + fd = open(fcfile, "w") + fd.write(self.generate_fc()) + fd.close() + return fcfile + + def gen_writeable(self): + fd = os.popen("rpm -qlf %s" % self.program) + for f in fd.read().split(): + for b in self.DEFAULT_DIRS: + if b == "/etc": + continue + if f.startswith(b): + if os.path.isfile(f): + self.add_file(f) + else: + self.add_dir(f) + fd.close() + + # some packages have own systemd subpackage + # tor-systemd for example + binary_name = self.program.split("/")[-1] + rc, output = commands.getstatusoutput("rpm -q %s-systemd" % binary_name) + if rc == 0: + fd = os.popen("rpm -ql %s-systemd" % binary_name) + for f in fd.read().split(): + for b in self.DEFAULT_DIRS: + if f.startswith(b): + if os.path.isfile(f): + self.add_file(f) + else: + self.add_dir(f) + fd.close() + + if os.path.isfile("/var/run/%s.pid" % self.name): + self.add_file("/var/run/%s.pid" % self.name) + + if os.path.isfile("/etc/rc.d/init.d/%s" % self.name): + self.set_init_script("/etc/rc\.d/init\.d/%s" % self.name) + + def gen_symbols(self): + if self.type not in APPLICATIONS: + return + + fd = os.popen("nm -D %s | grep U" % self.program) + for s in fd.read().split(): + for b in self.symbols: + if s.startswith(b): + exec "self.%s" % self.symbols[b] + fd.close() + + def generate(self, out_dir = "."): + self.write_te(out_dir) + self.write_if(out_dir) + self.write_fc(out_dir) + self.write_sh(out_dir) + out = "Created the following files in:\n%s/\n" % out_dir + out += "%s.te # %s\n" % (self.file_name, _("Type Enforcement file")) + out += "%s.if # %s\n" % (self.file_name, _("Interface file")) + out += "%s.fc # %s\n" % (self.file_name, _("File Contexts file")) + out += "%s.sh # %s\n" % (self.file_name, _("Setup Script")) + return out + +def errorExit(error): + sys.stderr.write("%s: " % sys.argv[0]) + sys.stderr.write("%s\n" % error) + sys.stderr.flush() + sys.exit(1) + +def test(): + import tempfile + + tmpdir = tempfile.mkdtemp(prefix="polgen_") + + mypolicy = policy("myrwho", DAEMON) + mypolicy.set_program("/usr/sbin/myrwhod") + mypolicy.set_init_script("/etc/init.d/myrwhod") + mypolicy.add_dir("/etc/nasd") + mypolicy.set_in_tcp(1, 0, 0, "513") + mypolicy.set_use_uid(True) + mypolicy.set_use_tmp(True) + mypolicy.set_use_syslog(True) + mypolicy.set_use_pam(True) + mypolicy.add_dir("/var/run/myrwho") + mypolicy.add_dir("/var/lib/myrwho") + print mypolicy.generate(tmpdir) + + mypolicy = policy("mywhois", USER) + mypolicy.set_program("/usr/bin/jwhois") + mypolicy.set_out_tcp(0, "43,63,4321") + mypolicy.set_out_udp(0, "43,63,4321") + mypolicy.add_dir("/var/cache/jwhois") + mypolicy.set_transition_users(["staff_u"]) + print mypolicy.generate(tmpdir) + + mypolicy = policy("mytuser", TUSER) + mypolicy.set_admin_roles(["mydbadm"]) + mypolicy.add_boolean("allow_mytuser_setuid", "Allow mytuser users to run setuid applications") + print mypolicy.generate(tmpdir) + + mypolicy = policy("mycgi", CGI) + mypolicy.set_program("/var/www/cgi-bin/cgi") + mypolicy.set_in_tcp(1, 0, 0, "512, 55000-55000") + mypolicy.set_in_udp(1, 0, 0, "1513") + mypolicy.set_use_uid(True) + mypolicy.set_use_tmp(False) + mypolicy.set_use_syslog(True) + mypolicy.set_use_pam(True) + mypolicy.set_out_tcp(0,"8000") + print mypolicy.generate(tmpdir) + + mypolicy = policy("myinetd", INETD) + mypolicy.set_program("/usr/bin/mytest") + mypolicy.set_in_tcp(1, 0, 0, "513") + mypolicy.set_in_udp(1, 0, 0, "1513") + mypolicy.set_use_uid(True) + mypolicy.set_use_tmp(True) + mypolicy.set_use_syslog(True) + mypolicy.set_use_pam(True) + mypolicy.add_file("/var/lib/mysql/mysql.sock") + mypolicy.add_file("/var/run/rpcbind.sock") + mypolicy.add_file("/var/run/daemon.pub") + mypolicy.add_file("/var/log/daemon.log") + mypolicy.add_dir("/var/lib/daemon") + mypolicy.add_dir("/etc/daemon") + mypolicy.add_dir("/etc/daemon/special") + mypolicy.set_use_uid(True) + mypolicy.set_use_syslog(True) + mypolicy.set_use_pam(True) + mypolicy.set_use_audit(True) + mypolicy.set_use_dbus(True) + mypolicy.set_use_terminal(True) + mypolicy.set_use_mail(True) + mypolicy.set_out_tcp(0,"8000") + print mypolicy.generate(tmpdir) + + + mypolicy = policy("mydbus", DBUS) + mypolicy.set_program("/usr/libexec/mydbus") + mypolicy.set_in_tcp(1, 0, 0, "513") + mypolicy.set_in_udp(1, 0, 0, "1513") + mypolicy.set_use_uid(True) + mypolicy.set_use_tmp(True) + mypolicy.set_use_syslog(True) + mypolicy.set_use_pam(True) + print mypolicy.generate(tmpdir) + + mypolicy = policy("myxuser", XUSER) + mypolicy.set_in_tcp(1, 1, 1, "28920") + mypolicy.set_in_udp(0, 0, 1, "1513") + mypolicy.set_transition_domains(["mozilla"]) + print mypolicy.generate(tmpdir) + + mypolicy = policy("myuser", USER) + mypolicy.set_program("/usr/bin/myuser") + mypolicy.set_in_tcp(1, 0, 0, "513") + mypolicy.set_in_udp(1, 0, 0, "1513") + mypolicy.set_use_uid(True) + mypolicy.set_use_tmp(True) + mypolicy.set_use_syslog(True) + mypolicy.set_use_pam(True) + mypolicy.add_file("/var/lib/myuser/myuser.sock") + mypolicy.set_out_tcp(0,"8000") + mypolicy.set_transition_users(["unconfined_u", "staff_u"]) + print mypolicy.generate(tmpdir) + + mypolicy = policy("mysandbox", SANDBOX) + mypolicy.set_out_udp(0, "993") + print mypolicy.generate("/tmp") + + mypolicy = policy("mydbadm", RUSER) + mypolicy.set_admin_domains(["postgresql", "mysql"]) + print mypolicy.generate(tmpdir) + os.chdir(tmpdir) + rc, output=commands.getstatusoutput("make -f /usr/share/selinux/devel/Makefile") + print output + sys.exit(os.WEXITSTATUS(rc)) + +import os, sys, getopt, socket, random, fcntl + +def usage(msg): + print _(""" +%s + +sepolgen [ -n moduleName ] [ -m ] [ -t type ] [ executable | Name ] +valid Types: +""") % msg + keys=poltype.keys() + for i in keys: + print "\t%s\t%s" % (i, poltype[i]) + sys.exit(-1) + +if __name__ == '__main__': + setype = DAEMON + name = None + try: + gopts, cmds = getopt.getopt(sys.argv[1:], "ht:mn:", + ["type=", + "mount", + "test", + "name=", + "help"]) + for o, a in gopts: + if o == "-t" or o == "--type": + try: + if int(a) not in poltype: + usage ("invalid type %s" % a ) + except: + usage ("invalid type %s" % a ) + + setype = int(a) + + if o == "-m" or o == "--mount": + mount_ind = True + + if o == "-n" or o == "--name": + name = a + + if o == "-h" or o == "--help": + usage("") + + if o == "--test": + test() + sys.exit(0) + + except getopt.error, error: + usage(_("Options Error %s ") % error.msg) + + if len(cmds) == 0: + usage(_("Executable or Name required")) + + try: + if not name: + name = os.path.basename(cmds[0]).replace("-","_") + cmd = cmds[0] + mypolicy = policy(name, setype) + if setype not in USERS + [ SANDBOX ]: + mypolicy.set_program(cmd) + + if setype in APPLICATIONS: + mypolicy.gen_writeable() + mypolicy.gen_symbols() + print mypolicy.generate() + sys.exit(0) + except ValueError, e: + usage(e) diff --git a/policycoreutils/gui/polgengui.py b/policycoreutils/gui/polgengui.py new file mode 100644 index 0000000..cba0611 --- /dev/null +++ b/policycoreutils/gui/polgengui.py @@ -0,0 +1,750 @@ +#!/usr/bin/python -Es +# +# polgengui.py - GUI for SELinux Config tool in system-config-selinux +# +# Dan Walsh +# +# Copyright (C) 2007-2011 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +import signal +import string +import gtk +import gtk.glade +import os +import gobject +import gnome +import sys +import polgen +import re + + +## +## I18N +## +PROGNAME="policycoreutils" + +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +gnome.program_init("SELinux Policy Generation Tool", "5") + +version = "1.0" + +sys.path.append('/usr/share/system-config-selinux') +sys.path.append('.') + +# From John Hunter http://www.daa.com.au/pipermail/pygtk/2003-February/004454.html +def foreach(model, path, iter, selected): + selected.append(model.get_value(iter, 0)) + +## +## Pull in the Glade file +## +if os.access("polgen.glade", os.F_OK): + xml = gtk.glade.XML ("polgen.glade", domain=PROGNAME) +else: + xml = gtk.glade.XML ("/usr/share/system-config-selinux/polgen.glade", domain=PROGNAME) + +FILE = 1 +DIR = 2 + +class childWindow: + START_PAGE = 0 + SELECT_TYPE_PAGE = 0 + APP_PAGE = 1 + EXISTING_USER_PAGE = 2 + TRANSITION_PAGE = 3 + USER_TRANSITION_PAGE = 4 + ADMIN_PAGE = 5 + ROLE_PAGE = 6 + IN_NET_PAGE = 7 + OUT_NET_PAGE = 8 + COMMON_APPS_PAGE = 9 + FILES_PAGE = 10 + BOOLEAN_PAGE = 11 + SELECT_DIR_PAGE = 12 + FINISH_PAGE = 12 + + def __init__(self): + self.xml = xml + self.notebook = xml.get_widget ("notebook") + self.label_dict = {} + self.tooltip_dict = {} + label = xml.get_widget ("select_label") + self.label_dict[label] = label.get_text() + + label = xml.get_widget ("select_user_roles_label") + self.label_dict[label] = label.get_text() + + label = xml.get_widget ("select_dir_label") + self.label_dict[label] = label.get_text() + + label = xml.get_widget ("select_domain_admin_label") + self.label_dict[label] = label.get_text() + + label = xml.get_widget ("select_in_label") + self.label_dict[label] = label.get_text() + + label = xml.get_widget ("select_out_label") + self.label_dict[label] = label.get_text() + + label = xml.get_widget ("select_common_label") + self.label_dict[label] = label.get_text() + + label = xml.get_widget ("select_manages_label") + self.label_dict[label] = label.get_text() + + label = xml.get_widget ("select_booleans_label") + self.label_dict[label] = label.get_text() + + label = xml.get_widget ("existing_user_treeview") + self.tooltip_dict[label] = label.get_tooltip_text() + + label = xml.get_widget ("transition_treeview") + self.tooltip_dict[label] = label.get_tooltip_text() + + label = xml.get_widget ("in_tcp_all_checkbutton") + self.tooltip_dict[label] = label.get_tooltip_text() + + label = xml.get_widget ("in_tcp_reserved_checkbutton") + self.tooltip_dict[label] = label.get_tooltip_text() + + label = xml.get_widget ("in_tcp_unreserved_checkbutton") + self.tooltip_dict[label] = label.get_tooltip_text() + + label = xml.get_widget ("in_tcp_entry") + self.tooltip_dict[label] = label.get_tooltip_text() + + label = xml.get_widget ("in_udp_all_checkbutton") + self.tooltip_dict[label] = label.get_tooltip_text() + + label = xml.get_widget ("in_udp_reserved_checkbutton") + self.tooltip_dict[label] = label.get_tooltip_text() + + label = xml.get_widget ("in_udp_unreserved_checkbutton") + self.tooltip_dict[label] = label.get_tooltip_text() + + label = xml.get_widget ("in_udp_entry") + self.tooltip_dict[label] = label.get_tooltip_text() + + label = xml.get_widget ("out_tcp_entry") + self.tooltip_dict[label] = label.get_tooltip_text() + + label = xml.get_widget ("out_udp_entry") + self.tooltip_dict[label] = label.get_tooltip_text() + + label = xml.get_widget ("out_tcp_all_checkbutton") + self.tooltip_dict[label] = label.get_tooltip_text() + + label = xml.get_widget ("out_udp_all_checkbutton") + self.tooltip_dict[label] = label.get_tooltip_text() + + label = xml.get_widget ("boolean_treeview") + self.tooltip_dict[label] = label.get_tooltip_text() + + label = xml.get_widget ("write_treeview") + self.tooltip_dict[label] = label.get_tooltip_text() + + try: + self.all_types = polgen.get_all_types() + self.all_modules = polgen.get_all_modules() + self.all_roles = polgen.get_all_roles() + self.all_users = polgen.get_all_users() + except RuntimeError, e: + self.all_types = [] + self.all_modules = [] + self.all_roles = [] + self.all_users = [] + self.error(str(e)) + + self.name="" + xml.signal_connect("on_delete_clicked", self.delete) + xml.signal_connect("on_delete_boolean_clicked", self.delete_boolean) + xml.signal_connect("on_exec_select_clicked", self.exec_select) + xml.signal_connect("on_init_script_select_clicked", self.init_script_select) + xml.signal_connect("on_add_clicked", self.add) + xml.signal_connect("on_add_boolean_clicked", self.add_boolean) + xml.signal_connect("on_add_dir_clicked", self.add_dir) + xml.signal_connect("on_about_clicked", self.on_about_clicked) + xml.get_widget ("cancel_button").connect("clicked",self.quit) + self.forward_button = xml.get_widget ("forward_button") + self.forward_button.connect("clicked",self.forward) + self.back_button = xml.get_widget ("back_button") + self.back_button.connect("clicked",self.back) + + self.boolean_dialog = xml.get_widget ("boolean_dialog") + self.boolean_name_entry = xml.get_widget ("boolean_name_entry") + self.boolean_description_entry = xml.get_widget ("boolean_description_entry") + + self.pages={} + for i in polgen.USERS: + self.pages[i] = [ self.SELECT_TYPE_PAGE, self.APP_PAGE, self.TRANSITION_PAGE, self.ROLE_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE ] + self.pages[polgen.RUSER] = [ self.SELECT_TYPE_PAGE, self.APP_PAGE, self.ADMIN_PAGE, self.USER_TRANSITION_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE ] + self.pages[polgen.LUSER] = [ self.SELECT_TYPE_PAGE, self.APP_PAGE, self.TRANSITION_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE ] + self.pages[polgen.SANDBOX] = [ self.SELECT_TYPE_PAGE, self.APP_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE] + self.pages[polgen.EUSER] = [ self.SELECT_TYPE_PAGE, self.EXISTING_USER_PAGE, self.TRANSITION_PAGE, self.ROLE_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE ] + + for i in polgen.APPLICATIONS: + self.pages[i] = [ self.SELECT_TYPE_PAGE, self.APP_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.COMMON_APPS_PAGE, self.FILES_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE] + self.pages[polgen.USER] = [ self.SELECT_TYPE_PAGE, self.APP_PAGE, self.USER_TRANSITION_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.COMMON_APPS_PAGE, self.FILES_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE ] + + self.current_page = 0 + self.back_button.set_sensitive(0) + + self.network_buttons = {} + + self.in_tcp_all_checkbutton = xml.get_widget ("in_tcp_all_checkbutton") + self.in_tcp_reserved_checkbutton = xml.get_widget ("in_tcp_reserved_checkbutton") + self.in_tcp_unreserved_checkbutton = xml.get_widget ("in_tcp_unreserved_checkbutton") + self.in_tcp_entry = self.xml.get_widget("in_tcp_entry") + self.network_buttons[self.in_tcp_all_checkbutton] = [ self.in_tcp_reserved_checkbutton, self.in_tcp_unreserved_checkbutton, self.in_tcp_entry ] + + + self.out_tcp_all_checkbutton = xml.get_widget ("out_tcp_all_checkbutton") + self.out_tcp_reserved_checkbutton = xml.get_widget ("out_tcp_reserved_checkbutton") + self.out_tcp_unreserved_checkbutton = xml.get_widget ("out_tcp_unreserved_checkbutton") + self.out_tcp_entry = self.xml.get_widget("out_tcp_entry") + + self.network_buttons[self.out_tcp_all_checkbutton] = [ self.out_tcp_entry ] + + self.in_udp_all_checkbutton = xml.get_widget ("in_udp_all_checkbutton") + self.in_udp_reserved_checkbutton = xml.get_widget ("in_udp_reserved_checkbutton") + self.in_udp_unreserved_checkbutton = xml.get_widget ("in_udp_unreserved_checkbutton") + self.in_udp_entry = self.xml.get_widget("in_udp_entry") + + self.network_buttons[self.in_udp_all_checkbutton] = [ self.in_udp_reserved_checkbutton, self.in_udp_unreserved_checkbutton, self.in_udp_entry ] + + self.out_udp_all_checkbutton = xml.get_widget ("out_udp_all_checkbutton") + self.out_udp_entry = self.xml.get_widget("out_udp_entry") + self.network_buttons[self.out_udp_all_checkbutton] = [ self.out_udp_entry ] + + for b in self.network_buttons.keys(): + b.connect("clicked",self.network_all_clicked) + + self.boolean_treeview = self.xml.get_widget("boolean_treeview") + self.boolean_store = gtk.ListStore(gobject.TYPE_STRING,gobject.TYPE_STRING) + self.boolean_treeview.set_model(self.boolean_store) + self.boolean_store.set_sort_column_id(0, gtk.SORT_ASCENDING) + col = gtk.TreeViewColumn(_("Name"), gtk.CellRendererText(), text = 0) + self.boolean_treeview.append_column(col) + col = gtk.TreeViewColumn(_("Description"), gtk.CellRendererText(), text = 1) + self.boolean_treeview.append_column(col) + + self.role_treeview = self.xml.get_widget("role_treeview") + self.role_store = gtk.ListStore(gobject.TYPE_STRING) + self.role_treeview.set_model(self.role_store) + self.role_treeview.get_selection().set_mode(gtk.SELECTION_MULTIPLE) + self.role_store.set_sort_column_id(0, gtk.SORT_ASCENDING) + col = gtk.TreeViewColumn(_("Role"), gtk.CellRendererText(), text = 0) + self.role_treeview.append_column(col) + + self.existing_user_treeview = self.xml.get_widget("existing_user_treeview") + self.existing_user_store = gtk.ListStore(gobject.TYPE_STRING) + self.existing_user_treeview.set_model(self.existing_user_store) + self.existing_user_store.set_sort_column_id(0, gtk.SORT_ASCENDING) + col = gtk.TreeViewColumn(_("Existing_User"), gtk.CellRendererText(), text = 0) + self.existing_user_treeview.append_column(col) + + for i in self.all_roles: + iter = self.role_store.append() + self.role_store.set_value(iter, 0, i[:-2]) + + self.in_tcp_reserved_checkbutton = xml.get_widget ("in_tcp_reserved_checkbutton") + + self.transition_treeview = self.xml.get_widget("transition_treeview") + self.transition_store = gtk.ListStore(gobject.TYPE_STRING) + self.transition_treeview.set_model(self.transition_store) + self.transition_treeview.get_selection().set_mode(gtk.SELECTION_MULTIPLE) + self.transition_store.set_sort_column_id(0, gtk.SORT_ASCENDING) + col = gtk.TreeViewColumn(_("Application"), gtk.CellRendererText(), text = 0) + self.transition_treeview.append_column(col) + + self.user_transition_treeview = self.xml.get_widget("user_transition_treeview") + self.user_transition_store = gtk.ListStore(gobject.TYPE_STRING) + self.user_transition_treeview.set_model(self.user_transition_store) + self.user_transition_treeview.get_selection().set_mode(gtk.SELECTION_MULTIPLE) + self.user_transition_store.set_sort_column_id(0, gtk.SORT_ASCENDING) + col = gtk.TreeViewColumn(_("Application"), gtk.CellRendererText(), text = 0) + self.user_transition_treeview.append_column(col) + + for i in self.all_users: + iter = self.user_transition_store.append() + self.user_transition_store.set_value(iter, 0, i[:-2]) + iter = self.existing_user_store.append() + self.existing_user_store.set_value(iter, 0, i[:-2]) + + self.admin_treeview = self.xml.get_widget("admin_treeview") + self.admin_store = gtk.ListStore(gobject.TYPE_STRING) + self.admin_treeview.set_model(self.admin_store) + self.admin_treeview.get_selection().set_mode(gtk.SELECTION_MULTIPLE) + self.admin_store.set_sort_column_id(0, gtk.SORT_ASCENDING) + col = gtk.TreeViewColumn(_("Application"), gtk.CellRendererText(), text = 0) + self.admin_treeview.append_column(col) + + for i in polgen.methods: + m = re.findall("(.*)%s" % polgen.USER_TRANSITION_INTERFACE, i) + if len(m) > 0: + if "%s_exec_t" % m[0] in self.all_types: + iter = self.transition_store.append() + self.transition_store.set_value(iter, 0, m[0]) + continue + + m = re.findall("(.*)%s" % polgen.ADMIN_TRANSITION_INTERFACE, i) + if len(m) > 0: + iter = self.admin_store.append() + self.admin_store.set_value(iter, 0, m[0]) + continue + + def confine_application(self): + return self.get_type() in polgen.APPLICATIONS + + def forward(self, arg): + type = self.get_type() + if self.current_page == self.START_PAGE: + self.back_button.set_sensitive(1) + + if self.pages[type][self.current_page] == self.SELECT_TYPE_PAGE: + if self.on_select_type_page_next(): + return + + if self.pages[type][self.current_page] == self.IN_NET_PAGE: + if self.on_in_net_page_next(): + return + + if self.pages[type][self.current_page] == self.OUT_NET_PAGE: + if self.on_out_net_page_next(): + return + + if self.pages[type][self.current_page] == self.APP_PAGE: + if self.on_name_page_next(): + return + + if self.pages[type][self.current_page] == self.EXISTING_USER_PAGE: + if self.on_existing_user_page_next(): + return + + if self.pages[type][self.current_page] == self.SELECT_DIR_PAGE: + outputdir = self.output_entry.get_text() + if not os.path.isdir(outputdir): + self.error(_("%s must be a directory") % outputdir ) + return False + + if self.pages[type][self.current_page] == self.FINISH_PAGE: + self.generate_policy() + self.xml.get_widget ("cancel_button").set_label(gtk.STOCK_CLOSE) + else: + self.current_page = self.current_page + 1 + self.notebook.set_current_page(self.pages[type][self.current_page]) + if self.pages[type][self.current_page] == self.FINISH_PAGE: + self.forward_button.set_label(gtk.STOCK_APPLY) + + def back(self,arg): + type = self.get_type() + if self.pages[type][self.current_page] == self.FINISH_PAGE: + self.forward_button.set_label(gtk.STOCK_GO_FORWARD) + + self.current_page = self.current_page - 1 + self.notebook.set_current_page(self.pages[type][self.current_page]) + if self.pages[type][self.current_page] == self.START_PAGE: + self.back_button.set_sensitive(0) + + def network_all_clicked(self, button): + active = button.get_active() + for b in self.network_buttons[button]: + b.set_sensitive(not active) + + def verify(self, message, title="" ): + dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO, + gtk.BUTTONS_YES_NO, + message) + dlg.set_title(title) + dlg.set_position(gtk.WIN_POS_MOUSE) + dlg.show_all() + rc = dlg.run() + dlg.destroy() + return rc + + def info(self, message): + dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO, + gtk.BUTTONS_OK, + message) + dlg.set_position(gtk.WIN_POS_MOUSE) + dlg.show_all() + dlg.run() + dlg.destroy() + + def error(self, message): + dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_ERROR, + gtk.BUTTONS_CLOSE, + message) + dlg.set_position(gtk.WIN_POS_MOUSE) + dlg.show_all() + dlg.run() + dlg.destroy() + + def get_name(self): + if self.existing_user_radiobutton.get_active(): + store, iter = self.existing_user_treeview.get_selection().get_selected() + if iter == None: + raise ValueError(_("You must select a user")) + return store.get_value(iter, 0) + else: + return self.name_entry.get_text() + + def get_type(self): + if self.sandbox_radiobutton.get_active(): + return polgen.SANDBOX + if self.cgi_radiobutton.get_active(): + return polgen.CGI + if self.user_radiobutton.get_active(): + return polgen.USER + if self.init_radiobutton.get_active(): + return polgen.DAEMON + if self.dbus_radiobutton.get_active(): + return polgen.DBUS + if self.inetd_radiobutton.get_active(): + return polgen.INETD + if self.login_user_radiobutton.get_active(): + return polgen.LUSER + if self.admin_user_radiobutton.get_active(): + return polgen.AUSER + if self.xwindows_user_radiobutton.get_active(): + return polgen.XUSER + if self.terminal_user_radiobutton.get_active(): + return polgen.TUSER + if self.root_user_radiobutton.get_active(): + return polgen.RUSER + if self.existing_user_radiobutton.get_active(): + return polgen.EUSER + + def generate_policy(self, *args): + outputdir = self.output_entry.get_text() + try: + my_policy=polgen.policy(self.get_name(), self.get_type()) + + iter= self.boolean_store.get_iter_first() + while(iter): + my_policy.add_boolean(self.boolean_store.get_value(iter, 0), self.boolean_store.get_value(iter, 1)) + iter= self.boolean_store.iter_next(iter) + + if self.get_type() in polgen.APPLICATIONS: + my_policy.set_program(self.exec_entry.get_text()) + my_policy.gen_symbols() + + my_policy.set_use_syslog(self.syslog_checkbutton.get_active() == 1) + my_policy.set_use_tmp(self.tmp_checkbutton.get_active() == 1) + my_policy.set_use_uid(self.uid_checkbutton.get_active() == 1) + my_policy.set_use_pam(self.pam_checkbutton.get_active() == 1) + + my_policy.set_use_dbus(self.dbus_checkbutton.get_active() == 1) + my_policy.set_use_audit(self.audit_checkbutton.get_active() == 1) + my_policy.set_use_terminal(self.terminal_checkbutton.get_active() == 1) + my_policy.set_use_mail(self.mail_checkbutton.get_active() == 1) + if self.get_type() is polgen.DAEMON: + my_policy.set_init_script(self.init_script_entry.get_text()) + if self.get_type() == polgen.USER: + selected = [] + self.user_transition_treeview.get_selection().selected_foreach(foreach, selected) + my_policy.set_transition_users(selected) + else: + if self.get_type() == polgen.RUSER: + selected = [] + self.admin_treeview.get_selection().selected_foreach(foreach, selected) + my_policy.set_admin_domains(selected) + selected = [] + self.user_transition_treeview.get_selection().selected_foreach(foreach, selected) + my_policy.set_transition_users(selected) + else: + selected = [] + self.transition_treeview.get_selection().selected_foreach(foreach, selected) + my_policy.set_transition_domains(selected) + + selected = [] + self.role_treeview.get_selection().selected_foreach(foreach, selected) + my_policy.set_admin_roles(selected) + + my_policy.set_in_tcp(self.in_tcp_all_checkbutton.get_active(), self.in_tcp_reserved_checkbutton.get_active(), self.in_tcp_unreserved_checkbutton.get_active(), self.in_tcp_entry.get_text()) + my_policy.set_in_udp(self.in_udp_all_checkbutton.get_active(), self.in_udp_reserved_checkbutton.get_active(), self.in_udp_unreserved_checkbutton.get_active(), self.in_udp_entry.get_text()) + my_policy.set_out_tcp(self.out_tcp_all_checkbutton.get_active(), self.out_tcp_entry.get_text()) + my_policy.set_out_udp(self.out_udp_all_checkbutton.get_active(), self.out_udp_entry.get_text()) + + iter= self.store.get_iter_first() + while(iter): + if self.store.get_value(iter, 1) == FILE: + my_policy.add_file(self.store.get_value(iter, 0)) + else: + my_policy.add_dir(self.store.get_value(iter, 0)) + iter= self.store.iter_next(iter) + + self.info(my_policy.generate(outputdir)) + return False + except ValueError, e: + self.error(e.message) + + def delete(self, args): + store, iter = self.view.get_selection().get_selected() + if iter != None: + store.remove(iter) + self.view.get_selection().select_path ((0,)) + + def delete_boolean(self, args): + store, iter = self.boolean_treeview.get_selection().get_selected() + if iter != None: + store.remove(iter) + self.boolean_treeview.get_selection().select_path ((0,)) + + def add_boolean(self,type): + self.boolean_name_entry.set_text("") + self.boolean_description_entry.set_text("") + rc = self.boolean_dialog.run() + self.boolean_dialog.hide() + if rc == gtk.RESPONSE_CANCEL: + return + iter = self.boolean_store.append() + self.boolean_store.set_value(iter, 0, self.boolean_name_entry.get_text()) + self.boolean_store.set_value(iter, 1, self.boolean_description_entry.get_text()) + + def __add(self,type): + rc = self.file_dialog.run() + self.file_dialog.hide() + if rc == gtk.RESPONSE_CANCEL: + return + for i in self.file_dialog.get_filenames(): + iter = self.store.append() + self.store.set_value(iter, 0, i) + self.store.set_value(iter, 1, type) + + def exec_select(self, args): + self.file_dialog.set_select_multiple(0) + self.file_dialog.set_title(_("Select executable file to be confined.")) + self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_OPEN) + self.file_dialog.set_current_folder("/usr/sbin") + rc = self.file_dialog.run() + self.file_dialog.hide() + if rc == gtk.RESPONSE_CANCEL: + return + self.exec_entry.set_text(self.file_dialog.get_filename()) + + def init_script_select(self, args): + self.file_dialog.set_select_multiple(0) + self.file_dialog.set_title(_("Select init script file to be confined.")) + self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_OPEN) + self.file_dialog.set_current_folder("/etc/rc.d/init.d") + rc = self.file_dialog.run() + self.file_dialog.hide() + if rc == gtk.RESPONSE_CANCEL: + return + self.init_script_entry.set_text(self.file_dialog.get_filename()) + + def add(self, args): + self.file_dialog.set_title(_("Select file(s) that confined application creates or writes")) + self.file_dialog.set_current_folder("/") + self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_OPEN) + self.file_dialog.set_select_multiple(1) + self.__add(FILE) + + def add_dir(self, args): + self.file_dialog.set_title(_("Select directory(s) that the confined application owns and writes into")) + self.file_dialog.set_current_folder("/") + self.file_dialog.set_select_multiple(1) + self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_SELECT_FOLDER) + self.__add(DIR) + + def on_about_clicked(self, args): + dlg = xml.get_widget ("about_dialog") + dlg.run () + dlg.hide () + + def quit(self, args): + gtk.main_quit() + + def setupScreen(self): + # Bring in widgets from glade file. + self.mainWindow = self.xml.get_widget("main_window") + self.druid = self.xml.get_widget("druid") + self.type = 0 + self.name_entry = self.xml.get_widget("name_entry") + self.name_entry.connect("insert_text",self.on_name_entry_changed) + self.name_entry.connect("focus_out_event",self.on_focus_out_event) + self.exec_entry = self.xml.get_widget("exec_entry") + self.exec_button = self.xml.get_widget("exec_button") + self.init_script_entry = self.xml.get_widget("init_script_entry") + self.init_script_button = self.xml.get_widget("init_script_button") + self.output_entry = self.xml.get_widget("output_entry") + self.output_entry.set_text(os.getcwd()) + self.xml.get_widget("output_button").connect("clicked",self.output_button_clicked) + + self.xwindows_user_radiobutton = self.xml.get_widget("xwindows_user_radiobutton") + self.terminal_user_radiobutton = self.xml.get_widget("terminal_user_radiobutton") + self.root_user_radiobutton = self.xml.get_widget("root_user_radiobutton") + self.login_user_radiobutton = self.xml.get_widget("login_user_radiobutton") + self.admin_user_radiobutton = self.xml.get_widget("admin_user_radiobutton") + self.existing_user_radiobutton = self.xml.get_widget("existing_user_radiobutton") + + self.user_radiobutton = self.xml.get_widget("user_radiobutton") + self.init_radiobutton = self.xml.get_widget("init_radiobutton") + self.inetd_radiobutton = self.xml.get_widget("inetd_radiobutton") + self.dbus_radiobutton = self.xml.get_widget("dbus_radiobutton") + self.cgi_radiobutton = self.xml.get_widget("cgi_radiobutton") + self.sandbox_radiobutton = self.xml.get_widget("sandbox_radiobutton") + self.tmp_checkbutton = self.xml.get_widget("tmp_checkbutton") + self.uid_checkbutton = self.xml.get_widget("uid_checkbutton") + self.pam_checkbutton = self.xml.get_widget("pam_checkbutton") + self.dbus_checkbutton = self.xml.get_widget("dbus_checkbutton") + self.audit_checkbutton = self.xml.get_widget("audit_checkbutton") + self.terminal_checkbutton = self.xml.get_widget("terminal_checkbutton") + self.mail_checkbutton = self.xml.get_widget("mail_checkbutton") + self.syslog_checkbutton = self.xml.get_widget("syslog_checkbutton") + self.view = self.xml.get_widget("write_treeview") + self.file_dialog = self.xml.get_widget("filechooserdialog") + + self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_INT) + self.view.set_model(self.store) + col = gtk.TreeViewColumn("", gtk.CellRendererText(), text = 0) + col.set_resizable(True) + self.view.append_column(col) + self.view.get_selection().select_path ((0,)) + + def output_button_clicked(self, *args): + self.file_dialog.set_title(_("Select directory to generate policy files in")) + self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_SELECT_FOLDER) + self.file_dialog.set_select_multiple(0) + rc = self.file_dialog.run() + self.file_dialog.hide() + if rc == gtk.RESPONSE_CANCEL: + return + self.output_entry.set_text(self.file_dialog.get_filename()) + + def on_name_entry_changed(self, entry, text, size, position): + if text.find(" ") >= 0: + entry.emit_stop_by_name("insert_text") + + def on_focus_out_event(self, entry, third): + name = entry.get_text() + if self.name != name: + if name in self.all_types: + if self.verify(_("Type %s_t already defined in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO: + entry.set_text("") + return False + if name in self.all_modules: + if self.verify(_("Module %s.pp already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO: + entry.set_text("") + return False + + file = "/etc/rc.d/init.d/" + name + if os.path.isfile(file) and self.init_script_entry.get_text() == "": + self.init_script_entry.set_text(file) + + file = "/usr/sbin/" + name + if os.path.isfile(file) and self.exec_entry.get_text() == "": + self.exec_entry.set_text(file) + + self.name = name + return False + + def on_in_net_page_next(self, *args): + try: + polgen.verify_ports(self.in_tcp_entry.get_text()) + polgen.verify_ports(self.in_udp_entry.get_text()) + except ValueError, e: + self.error(e.message) + return True + + def on_out_net_page_next(self, *args): + try: + polgen.verify_ports(self.out_tcp_entry.get_text()) + polgen.verify_ports(self.out_udp_entry.get_text()) + except ValueError, e: + self.error(e.message) + return True + + def on_select_type_page_next(self, *args): + self.exec_entry.set_sensitive(self.confine_application()) + self.exec_button.set_sensitive(self.confine_application()) + self.init_script_entry.set_sensitive(self.init_radiobutton.get_active()) + self.init_script_button.set_sensitive(self.init_radiobutton.get_active()) + + def on_existing_user_page_next(self, *args): + store, iter = self.view.get_selection().get_selected() + if iter != None: + self.error(_("You must select a user")) + return True + + def on_name_page_next(self, *args): + name=self.name_entry.get_text() + if not name.isalnum(): + self.error(_("You must add a name made up of letters and numbers and containing no spaces.")) + return True + + for i in self.label_dict: + text = '%s' % (self.label_dict[i] % ("'" + name + "'")) + i.set_markup(text) + + for i in self.tooltip_dict: + text = self.tooltip_dict[i] % ("'" + name + "'") + i.set_tooltip_text(text) + + if self.confine_application(): + exe = self.exec_entry.get_text() + if exe == "": + self.error(_("You must enter a executable")) + return True + policy=polgen.policy(name, self.get_type()) + policy.set_program(exe) + policy.gen_writeable() + policy.gen_symbols() + for f in policy.files.keys(): + iter = self.store.append() + self.store.set_value(iter, 0, f) + self.store.set_value(iter, 1, FILE) + + for f in policy.dirs.keys(): + iter = self.store.append() + self.store.set_value(iter, 0, f) + self.store.set_value(iter, 1, DIR) + self.tmp_checkbutton.set_active(policy.use_tmp) + self.uid_checkbutton.set_active(policy.use_uid) + self.pam_checkbutton.set_active(policy.use_pam) + self.dbus_checkbutton.set_active(policy.use_dbus) + self.audit_checkbutton.set_active(policy.use_audit) + self.terminal_checkbutton.set_active(policy.use_terminal) + self.mail_checkbutton.set_active(policy.use_mail) + self.syslog_checkbutton.set_active(policy.use_syslog) + + def stand_alone(self): + desktopName = _("Configue SELinux") + + self.setupScreen() + self.mainWindow.connect("destroy", self.quit) + + self.mainWindow.show_all() + gtk.main() + +if __name__ == "__main__": + signal.signal (signal.SIGINT, signal.SIG_DFL) + + app = childWindow() + app.stand_alone() diff --git a/policycoreutils/gui/portsPage.py b/policycoreutils/gui/portsPage.py new file mode 100644 index 0000000..d5daffb --- /dev/null +++ b/policycoreutils/gui/portsPage.py @@ -0,0 +1,259 @@ +## portsPage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. + +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. + +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. + +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +## Author: Dan Walsh +import string +import gtk +import gtk.glade +import os +import gobject +import sys +import seobject +import commands +from semanagePage import *; + +## +## I18N +## +PROGNAME = "policycoreutils" +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +TYPE_COL = 0 +PROTOCOL_COL = 1 +MLS_COL = 2 +PORT_COL = 3 +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +class portsPage(semanagePage): + def __init__(self, xml): + semanagePage.__init__(self, xml, "ports", _("Network Port")) + xml.signal_connect("on_group_clicked", self.on_group_clicked) + self.group = False + self.ports_filter = xml.get_widget("portsFilterEntry") + self.ports_filter.connect("focus_out_event", self.filter_changed) + self.ports_filter.connect("activate", self.filter_changed) + self.ports_name_entry = xml.get_widget("portsNameEntry") + self.ports_protocol_combo = xml.get_widget("portsProtocolCombo") + self.ports_number_entry = xml.get_widget("portsNumberEntry") + self.ports_mls_entry = xml.get_widget("portsMLSEntry") + self.ports_add_button = xml.get_widget("portsAddButton") + self.ports_properties_button = xml.get_widget("portsPropertiesButton") + self.ports_delete_button = xml.get_widget("portsDeleteButton") + liststore = self.ports_protocol_combo.get_model() + iter = liststore.get_iter_first() + self.ports_protocol_combo.set_active_iter(iter) + self.init_store() + self.edit = True + self.load() + + def filter_changed(self, *arg): + filter = arg[0].get_text() + if filter != self.filter: + if self.edit: + self.load(filter) + else: + self.group_load(filter) + + def init_store(self): + self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING , gobject.TYPE_STRING) + self.view.set_model(self.store) + self.store.set_sort_column_id(0, gtk.SORT_ASCENDING) + + self.view.set_search_equal_func(self.search) + col = gtk.TreeViewColumn(_("SELinux Port\nType"), gtk.CellRendererText(), text = TYPE_COL) + col.set_sort_column_id(TYPE_COL) + col.set_resizable(True) + self.view.append_column(col) + self.store.set_sort_column_id(TYPE_COL, gtk.SORT_ASCENDING) + + col = gtk.TreeViewColumn(_("Protocol"), gtk.CellRendererText(), text = PROTOCOL_COL) + col.set_sort_column_id(PROTOCOL_COL) + col.set_resizable(True) + self.view.append_column(col) + + self.mls_col = gtk.TreeViewColumn(_("MLS/MCS\nLevel"), gtk.CellRendererText(), text = MLS_COL) + self.mls_col.set_resizable(True) + self.mls_col.set_sort_column_id(MLS_COL) + self.view.append_column(self.mls_col) + + col = gtk.TreeViewColumn(_("Port"), gtk.CellRendererText(), text = PORT_COL) + col.set_sort_column_id(PORT_COL) + col.set_resizable(True) + self.view.append_column(col) + self.store.set_sort_func(PORT_COL,self.sort_int, "") + + def sort_int(self, treemodel, iter1, iter2, user_data): + try: + p1 = int(treemodel.get_value(iter1,PORT_COL).split('-')[0]) + p2 = int(treemodel.get_value(iter2,PORT_COL).split('-')[0]) + if p1 > p2: + return 1 + if p1 == p2: + return 0 + return -1 + except: + return 0 + + def load(self,filter = ""): + self.filter=filter + self.port = seobject.portRecords() + dict = self.port.get_all(self.local) + keys = dict.keys() + keys.sort() + self.store.clear() + for k in keys: + if not (self.match(str(k[0]), filter) or self.match(dict[k][0], filter) or self.match(k[2], filter) or self.match(dict[k][1], filter) or self.match(dict[k][1], filter)): + continue + iter = self.store.append() + if k[0] == k[1]: + self.store.set_value(iter, PORT_COL, k[0]) + else: + rec = "%s-%s" % k[:2] + self.store.set_value(iter, PORT_COL, rec) + self.store.set_value(iter, TYPE_COL, dict[k][0]) + self.store.set_value(iter, PROTOCOL_COL, k[2]) + self.store.set_value(iter, MLS_COL, dict[k][1]) + self.view.get_selection().select_path ((0,)) + + def group_load(self, filter = ""): + self.filter=filter + self.port = seobject.portRecords() + dict = self.port.get_all_by_type(self.local) + keys = dict.keys() + keys.sort() + self.store.clear() + for k in keys: + ports_string = ", ".join(dict[k]) + if not (self.match(ports_string, filter) or self.match(k[0], filter) or self.match(k[1], filter) ): + continue + iter = self.store.append() + self.store.set_value(iter, TYPE_COL, k[0]) + self.store.set_value(iter, PROTOCOL_COL, k[1]) + self.store.set_value(iter, PORT_COL, ports_string) + self.store.set_value(iter, MLS_COL, "") + self.view.get_selection().select_path ((0,)) + + def propertiesDialog(self): + if self.edit: + semanagePage.propertiesDialog(self) + + def dialogInit(self): + store, iter = self.view.get_selection().get_selected() + self.ports_number_entry.set_text(store.get_value(iter, PORT_COL)) + self.ports_number_entry.set_sensitive(False) + self.ports_protocol_combo.set_sensitive(False) + self.ports_name_entry.set_text(store.get_value(iter, TYPE_COL)) + self.ports_mls_entry.set_text(store.get_value(iter, MLS_COL)) + protocol = store.get_value(iter, PROTOCOL_COL) + liststore = self.ports_protocol_combo.get_model() + iter = liststore.get_iter_first() + while iter != None and liststore.get_value(iter,0) != protocol: + iter = liststore.iter_next(iter) + if iter != None: + self.ports_protocol_combo.set_active_iter(iter) + + def dialogClear(self): + self.ports_number_entry.set_text("") + self.ports_number_entry.set_sensitive(True) + self.ports_protocol_combo.set_sensitive(True) + self.ports_name_entry.set_text("") + self.ports_mls_entry.set_text("s0") + + def delete(self): + store, iter = self.view.get_selection().get_selected() + port = store.get_value(iter, PORT_COL) + protocol = store.get_value(iter, 1) + try: + self.wait() + (rc, out) = commands.getstatusoutput("semanage port -d -p %s %s" % (protocol, port)) + self.ready() + if rc != 0: + return self.error(out) + store.remove(iter) + self.view.get_selection().select_path ((0,)) + except ValueError, e: + self.error(e.args[0]) + + def add(self): + target = self.ports_name_entry.get_text().strip() + mls = self.ports_mls_entry.get_text().strip() + port_number = self.ports_number_entry.get_text().strip() + if port_number == "": + port_number = "1" + for i in port_number.split("-"): + if not i.isdigit(): + self.error(_("Port number \"%s\" is not valid. 0 < PORT_NUMBER < 65536 ") % port_number ) + return False + list_model = self.ports_protocol_combo.get_model() + iter = self.ports_protocol_combo.get_active_iter() + protocol = list_model.get_value(iter,0) + self.wait() + (rc, out) = commands.getstatusoutput("semanage port -a -p %s -r %s -t %s %s" % (protocol, mls, target, port_number)) + self.ready() + if rc != 0: + self.error(out) + return False + iter = self.store.append() + + self.store.set_value(iter, TYPE_COL, target) + self.store.set_value(iter, PORT_COL, port_number) + self.store.set_value(iter, PROTOCOL_COL, protocol) + self.store.set_value(iter, MLS_COL, mls) + + def modify(self): + target = self.ports_name_entry.get_text().strip() + mls = self.ports_mls_entry.get_text().strip() + port_number = self.ports_number_entry.get_text().strip() + list_model = self.ports_protocol_combo.get_model() + iter = self.ports_protocol_combo.get_active_iter() + protocol = list_model.get_value(iter,0) + self.wait() + (rc, out) = commands.getstatusoutput("semanage port -m -p %s -r %s -t %s %s" % (protocol, mls, target, port_number)) + self.ready() + if rc != 0: + self.error(out) + return False + store, iter = self.view.get_selection().get_selected() + self.store.set_value(iter, TYPE_COL, target) + self.store.set_value(iter, PORT_COL, port_number) + self.store.set_value(iter, PROTOCOL_COL, protocol) + self.store.set_value(iter, MLS_COL, mls) + + def on_group_clicked(self, button): + self.ports_add_button.set_sensitive(self.group) + self.ports_properties_button.set_sensitive(self.group) + self.ports_delete_button.set_sensitive(self.group) + self.mls_col.set_visible(self.group) + + self.group = not self.group + if self.group: + button.set_label(_("List View")) + self.group_load(self.filter) + else: + button.set_label(_("Group View")) + self.load(self.filter) + + return True + diff --git a/policycoreutils/gui/selinux.tbl b/policycoreutils/gui/selinux.tbl new file mode 100644 index 0000000..ed5ca6a --- /dev/null +++ b/policycoreutils/gui/selinux.tbl @@ -0,0 +1,234 @@ +acct_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for acct daemon") +allow_daemons_dump_core _("Admin") _("Allow all daemons to write corefiles to /") +allow_daemons_use_tty _("Admin") _("Allow all daemons the ability to use unallocated ttys") +allow_gadmin_exec_content _("User Privs") _("Allow gadmin SELinux user account to execute files in home directory or /tmp") +allow_guest_exec_content _("User Privs") _("Allow guest SELinux user account to execute files in home directory or /tmp") +allow_java_execstack _("Memory Protection") _("Allow java executable stack") +allow_mount_anyfile _("Mount") _("Allow mount to mount any file") +allow_mounton_anydir _("Mount") _("Allow mount to mount any directory") +allow_mplayer_execstack _("Memory Protection") _("Allow mplayer executable stack") +allow_ssh_keysign _("SSH") _("Allow ssh to run ssh-keysign") +allow_staff_exec_content _("User Privs") _("Allow staff SELinux user account to execute files in home directory or /tmp") +allow_sysadm_exec_content _("User Privs") _("Allow sysadm SELinux user account to execute files in home directory or /tmp") +allow_unconfined_exec_content _("User Privs") _("Allow unconfined SELinux user account to execute files in home directory or /tmp") +allow_unlabeled_packets _("Network Configuration") _("Allow unlabeled packets to flow on the network") +allow_user_exec_content _("User Privs") _("Allow user SELinux user account to execute files in home directory or /tmp") +allow_unconfined_execmem_dyntrans _("Memory Protection") _("Allow unconfined to dyntrans to unconfined_execmem") +allow_user_mysql_connect _("Databases") _("Allow user to connect to mysql socket") +allow_user_postgresql_connect _("Databases") _("Allow user to connect to postgres socket") +allow_write_xshm _("XServer") _("Allow clients to write to X shared memory") +allow_xguest_exec_content _("User Privs") _("Allow xguest SELinux user account to execute files in home directory or /tmp") +allow_ypbind _("NIS") _("Allow daemons to run with NIS") +browser_confine_staff _("Web Applications") _("Transition staff SELinux user to Web Browser Domain") +browser_confine_sysadm _("Web Applications") _("Transition sysadm SELinux user to Web Browser Domain") +browser_confine_user _("Web Applications") _("Transition user SELinux user to Web Browser Domain") +browser_confine_xguest _("Web Applications") _("Transition xguest SELinux user to Web Browser Domain") +browser_write_staff_data _("Web Applications") _("Allow staff Web Browsers to write to home directories") +browser_write_sysadm_data _("Web Applications") _("Allow staff Web Browsers to write to home directories") +browser_write_user_data _("Web Applications") _("Allow staff Web Browsers to write to home directories") +browser_write_xguest_data _("Web Applications") _("Allow staff Web Browsers to write to home directories") +amanda_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for amanda") +amavis_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for amavis") +apmd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for apmd daemon") +arpwatch_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for arpwatch daemon") +auditd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for auditd daemon") +automount_disable_trans _("Mount") _("Disable SELinux protection for automount daemon") +avahi_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for avahi") +bluetooth_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for bluetooth daemon") +canna_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for canna daemon") +cardmgr_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for cardmgr daemon") +ccs_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for Cluster Server") +cdrecord_read_content _("User Privs") _("Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files") +ciped_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ciped daemon") +clamd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for clamd daemon") +clamscan_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for clamscan") +clvmd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for clvmd") +comsat_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for comsat daemon") +courier_authdaemon_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for courier daemon") +courier_pcp_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for courier daemon") +courier_pop_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for courier daemon") +courier_sqwebmail_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for courier daemon") +courier_tcpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for courier daemon") +cpucontrol_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for cpucontrol daemon") +cpuspeed_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for cpuspeed daemon") +crond_disable_trans _("Cron") _("Disable SELinux protection for crond daemon") +cupsd_config_disable_trans _("Printing") _("Disable SELinux protection for cupsd back end server") +cupsd_disable_trans _("Printing") _("Disable SELinux protection for cupsd daemon") +cupsd_lpd_disable_trans _("Printing") _("Disable SELinux protection for cupsd_lpd") +cvs_disable_trans _("CVS") _("Disable SELinux protection for cvs daemon") +cyrus_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for cyrus daemon") +dbskkd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dbskkd daemon") +dbusd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dbusd daemon") +dccd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dccd") +dccifd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dccifd") +dccm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dccm") +ddt_client_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ddt daemon") +devfsd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for devfsd daemon") +dhcpc_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dhcpc daemon") +dhcpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dhcpd daemon") +dictd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dictd daemon") +direct_sysadm_daemon _("Admin") _("Allow sysadm_t to directly start daemons") +disable_evolution_trans _("Web Applications") _("Disable SELinux protection for Evolution") +disable_games_trans _("Games") _("Disable SELinux protection for games") +disable_mozilla_trans _("Web Applications") _("Disable SELinux protection for the web browsers") +disable_thunderbird_trans _("Web Applications") _("Disable SELinux protection for Thunderbird") +distccd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for distccd daemon") +dmesg_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dmesg daemon") +dnsmasq_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dnsmasq daemon") +dovecot_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dovecot daemon") +entropyd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for entropyd daemon") +fetchmail_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for fetchmail") +fingerd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for fingerd daemon") +freshclam_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for freshclam daemon") +fsdaemon_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for fsdaemon daemon") +gpm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for gpm daemon") +gssd_disable_trans _("NFS") _("Disable SELinux protection for gss daemon") +hald_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for Hal daemon") +hide_broken_symptoms _("Compatibility") _("Do not audit things that we know to be broken but which are not security risks") +hostname_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for hostname daemon") +hotplug_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for hotplug daemon") +howl_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for howl daemon") +hplip_disable_trans _("Printing") _("Disable SELinux protection for cups hplip daemon") +httpd_rotatelogs_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for httpd rotatelogs") +httpd_suexec_disable_trans _("HTTPD Service") _("Disable SELinux protection for http suexec") +hwclock_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for hwclock daemon") +i18n_input_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for i18n daemon") +imazesrv_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for imazesrv daemon") +inetd_child_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for inetd child daemons") +inetd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for inetd daemon") +innd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for innd daemon") +iptables_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for iptables daemon") +ircd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ircd daemon") +irqbalance_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for irqbalance daemon") +iscsid_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for iscsi daemon") +jabberd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for jabberd daemon") +kadmind_disable_trans _("Kerberos") _("Disable SELinux protection for kadmind daemon") +klogd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for klogd daemon") +krb5kdc_disable_trans _("Kerberos") _("Disable SELinux protection for krb5kdc daemon") +ktalkd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ktalk daemons") +kudzu_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for kudzu daemon") +locate_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for locate daemon") +lpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for lpd daemon") +lrrd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for lrrd daemon") +lvm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for lvm daemon") +mailman_mail_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for mailman") +mail_read_content _("Web Applications") _("Allow evolution and thunderbird to read user files") +mdadm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for mdadm daemon") +monopd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for monopd daemon") +mozilla_read_content _("Web Applications") _("Allow the mozilla browser to read user files") +mrtg_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for mrtg daemon") +mysqld_disable_trans _("Databases") _("Disable SELinux protection for mysqld daemon") +nagios_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for nagios daemon") +named_disable_trans _("Name Service") _("Disable SELinux protection for named daemon") +nessusd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for nessusd daemon") +NetworkManager_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for NetworkManager") +nfsd_disable_trans _("NFS") _("Disable SELinux protection for nfsd daemon") +nmbd_disable_trans _("Samba") _("Disable SELinux protection for nmbd daemon") +nrpe_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for nrpe daemon") +nscd_disable_trans _("Name Service") _("Disable SELinux protection for nscd daemon") +nsd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for nsd daemon") +ntpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ntpd daemon") +oddjob_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for oddjob") +oddjob_mkhomedir_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for oddjob_mkhomedir") +openvpn_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for openvpn daemon") +pam_console_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for pam daemon") +pegasus_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for pegasus") +perdition_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for perdition daemon") +portmap_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for portmap daemon") +portslave_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for portslave daemon") +postfix_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for postfix") +postgresql_disable_trans _("Databases") _("Disable SELinux protection for postgresql daemon") +pppd_for_user _("pppd") _("Allow pppd to be run for a regular user") +pptp_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for pptp") +prelink_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for prelink daemon") +privoxy_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for privoxy daemon") +ptal_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ptal daemon") +pxe_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for pxe daemon") +pyzord_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for pyzord") +quota_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for quota daemon") +radiusd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for radiusd daemon") +radvd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for radvd daemon") +rdisc_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rdisc") +readahead_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for readahead") +read_default_t _("Admin") _("Allow programs to read files in non-standard locations (default_t)") +restorecond_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for restorecond") +rhgb_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rhgb daemon") +ricci_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ricci") +ricci_modclusterd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ricci_modclusterd") +rlogind_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rlogind daemon") +rpcd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rpcd daemon") +rshd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rshd") +rsync_disable_trans _("rsync") _("Disable SELinux protection for rsync daemon") +run_ssh_inetd _("SSH") _("Allow ssh to run from inetd instead of as a daemon") +samba_share_nfs _("Samba") _("Allow Samba to share nfs directories") +allow_saslauthd_read_shadow _("SASL authentication server") _("Allow sasl authentication server to read /etc/shadow") +allow_xserver_execmem _("XServer") _("Allow X-Windows server to map a memory region as both executable and writable") +saslauthd_disable_trans _("SASL authentication server") _("Disable SELinux protection for saslauthd daemon") +scannerdaemon_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for scannerdaemon daemon") +secure_mode _("Admin") _("Do not allow transition to sysadm_t, sudo and su effected") +secure_mode_insmod _("Admin") _("Do not allow any processes to load kernel modules") +secure_mode_policyload _("Admin") _("Do not allow any processes to modify kernel SELinux policy") +sendmail_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for sendmail daemon") +setrans_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for setrans") +setroubleshootd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for setroubleshoot daemon") +slapd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for slapd daemon") +slrnpull_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for slrnpull daemon") +smbd_disable_trans _("Samba") _("Disable SELinux protection for smbd daemon") +snmpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for snmpd daemon") +snort_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for snort daemon") +soundd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for soundd daemon") +sound_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for sound daemon") +spamd_disable_trans _("Spam Protection") _("Disable SELinux protection for spamd daemon") +spamd_enable_home_dirs _("Spam Protection") _("Allow spamd to access home directories") +spamassassin_can_network _("Spam Protection") _("Allow Spam Assassin daemon network access") +speedmgmt_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for speedmgmt daemon") +squid_connect_any _("Squid") _("Allow squid daemon to connect to the network") +squid_disable_trans _("Squid") _("Disable SELinux protection for squid daemon") +ssh_keygen_disable_trans _("SSH") _("Disable SELinux protection for ssh daemon") +ssh_sysadm_login _("SSH") _("Allow ssh logins as sysadm_r:sysadm_t") +staff_read_sysadm_file _("Admin") _("Allow staff_r users to search the sysadm home dir and read files (such as ~/.bashrc)") +stunnel_disable_trans _("Universal SSL tunnel") _("Disable SELinux protection for stunnel daemon") +stunnel_is_daemon _("Universal SSL tunnel") _("Allow stunnel daemon to run as standalone, outside of xinetd") +swat_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for swat daemon") +sxid_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for sxid daemon") +syslogd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for syslogd daemon") +system_crond_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for system cron jobs") +tcpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for tcp daemon") +telnetd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for telnet daemon") +tftpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for tftpd daemon") +transproxy_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for transproxy daemon") +udev_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for udev daemon") +uml_switch_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for uml daemon") +unlimitedInetd _("Admin") _("Allow xinetd to run unconfined, including any services it starts that do not have a domain transition explicitly defined") +unlimitedRC _("Admin") _("Allow rc scripts to run unconfined, including any daemon started by an rc script that does not have a domain transition explicitly defined") +unlimitedRPM _("Admin") _("Allow rpm to run unconfined") +unlimitedUtils _("Admin") _("Allow privileged utilities like hotplug and insmod to run unconfined") +updfstab_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for updfstab daemon") +uptimed_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for uptimed daemon") +user_canbe_sysadm _("User Privs") _("Allow user_r to reach sysadm_r via su, sudo, or userhelper. Otherwise, only staff_r can do so") +user_can_mount _("Mount") _("Allow users to execute the mount command") +user_direct_mouse _("User Privs") _("Allow regular users direct mouse access (only allow the X server)") +user_dmesg _("User Privs") _("Allow users to run the dmesg command") +user_net_control _("User Privs") _("Allow users to control network interfaces (also needs USERCTL=true)") +user_ping _("User Privs") _("Allow normal user to execute ping") +user_rw_noexattrfile _("User Privs") _("Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)") +user_rw_usb _("User Privs") _("Allow users to rw usb devices") +user_tcp_server _("User Privs") _("Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols") +user_ttyfile_stat _("User Privs") _("Allow user to stat ttyfiles") +uucpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for uucpd daemon") +vmware_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for vmware daemon") +watchdog_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for watchdog daemon") +winbind_disable_trans _("Samba") _("Disable SELinux protection for winbind daemon") +xdm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for xdm daemon") +xdm_sysadm_login _("XServer") _("Allow xdm logins as sysadm_r:sysadm_t") +xend_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for xen daemon") +xen_use_raw_disk _("XEN") _("Allow xen to read/write physical disk devices") +xfs_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for xfs daemon") +xm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for xen control") +ypbind_disable_trans _("NIS") _("Disable SELinux protection for ypbind daemon") +yppasswdd_disable_trans _("NIS") _("Disable SELinux protection for NIS Password Daemon") +ypserv_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ypserv daemon") +ypxfr_disable_trans _("NIS") _("Disable SELinux protection for NIS Transfer Daemon") +webadm_manage_user_files _("HTTPD Service") _("Allow SELinux webadm user to manage unprivileged users home directories") +webadm_read_user_files _("HTTPD Service") _("Allow SELinux webadm user to read unprivileged users home directories") + diff --git a/policycoreutils/gui/semanagePage.py b/policycoreutils/gui/semanagePage.py new file mode 100644 index 0000000..110c654 --- /dev/null +++ b/policycoreutils/gui/semanagePage.py @@ -0,0 +1,168 @@ +## semanagePage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. + +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. + +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. + +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +## Author: Dan Walsh +import string +import gtk +import gtk.glade +import os +import gobject +import sys +import seobject + +## +## I18N +## +PROGNAME="policycoreutils" +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +def idle_func(): + while gtk.events_pending(): + gtk.main_iteration() + +class semanagePage: + def __init__(self, xml, name, description): + self.xml = xml + self.window = self.xml.get_widget("mainWindow").get_root_window() + self.busy_cursor = gtk.gdk.Cursor(gtk.gdk.WATCH) + self.ready_cursor = gtk.gdk.Cursor(gtk.gdk.LEFT_PTR) + + self.local = False + self.view = xml.get_widget("%sView" % name) + self.dialog = xml.get_widget("%sDialog" % name) + self.filter_entry = xml.get_widget("%sFilterEntry" % name ) + self.filter_entry.connect("focus_out_event", self.filter_changed) + self.filter_entry.connect("activate", self.filter_changed) + + self.view.connect("row_activated", self.rowActivated) + self.view.get_selection().connect("changed", self.itemSelected) + self.description = description; + + def wait(self): + self.window.set_cursor(self.busy_cursor) + idle_func() + + def ready(self): + self.window.set_cursor(self.ready_cursor) + idle_func() + + def get_description(self): + return self.description + + def itemSelected(self, args): + return + + def filter_changed(self, *arg): + filter = arg[0].get_text() + if filter != self.filter: + self.load(filter) + + def search(self, model, col, key, i): + sort_col = self.store.get_sort_column_id()[0] + val = model.get_value(i,sort_col) + if val.lower().startswith(key.lower()): + return False + return True + + def match(self, target, filter): + try: + f=filter.lower() + t=target.lower() + if t.find(f) >= 0: + return True + except: + pass + return False + + def rowActivated(self, view, row, Column): + self.propertiesDialog() + + def verify(self, message, title="" ): + dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO, + gtk.BUTTONS_YES_NO, + message) + dlg.set_title(title) + dlg.set_position(gtk.WIN_POS_MOUSE) + dlg.show_all() + rc = dlg.run() + dlg.destroy() + return rc + + def error(self, message): + dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_ERROR, + gtk.BUTTONS_CLOSE, + message) + dlg.set_position(gtk.WIN_POS_MOUSE) + dlg.show_all() + dlg.run() + dlg.destroy() + + def deleteDialog(self): + store, iter = self.view.get_selection().get_selected() + if self.verify(_("Are you sure you want to delete %s '%s'?" % (self.description, store.get_value(iter, 0))), _("Delete %s" % self.description)) == gtk.RESPONSE_YES: + self.delete() + + def use_menus(self): + return True + + def addDialog(self): + self.dialogClear() + self.dialog.set_title(_("Add %s" % self.description)) + self.dialog.set_position(gtk.WIN_POS_MOUSE) + + while self.dialog.run() == gtk.RESPONSE_OK: + try: + if self.add() == False: + continue + break; + except ValueError, e: + self.error(e.args[0]) + self.dialog.hide() + + def propertiesDialog(self): + self.dialogInit() + self.dialog.set_title(_("Modify %s" % self.description)) + self.dialog.set_position(gtk.WIN_POS_MOUSE) + while self.dialog.run() == gtk.RESPONSE_OK: + try: + if self.modify() == False: + continue + break; + except ValueError, e: + self.error(e.args[0]) + self.dialog.hide() + + def on_local_clicked(self, button): + self.local = not self.local + if self.local: + button.set_label(_("all")) + else: + button.set_label(_("Customized")) + + self.load(self.filter) + return True + diff --git a/policycoreutils/gui/statusPage.py b/policycoreutils/gui/statusPage.py new file mode 100644 index 0000000..fd6ef4f --- /dev/null +++ b/policycoreutils/gui/statusPage.py @@ -0,0 +1,190 @@ +# statusPage.py - show selinux status +## Copyright (C) 2006-2009 Red Hat, Inc. + +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. + +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. + +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +## Author: Dan Walsh +import string +import gtk +import gtk.glade +import os +import gobject +import sys +import tempfile + +INSTALLPATH = '/usr/share/system-config-selinux' +sys.path.append(INSTALLPATH) + +import commands +ENFORCING = 1 +PERMISSIVE = 0 +DISABLED = -1 +modearray = ( "disabled", "permissive", "enforcing" ) + +SELINUXDIR = "/etc/selinux/" +RELABELFILE = "/.autorelabel" + +## +## I18N +## +PROGNAME="policycoreutils" +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +import selinux +try: + gettext.install(PROGNAME, localedir="/usr/share/locale", unicode=1) +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +class statusPage: + def __init__(self, xml): + self.xml = xml + self.needRelabel = False + + self.type = selinux.selinux_getpolicytype() + # Bring in widgets from glade file. + self.typeHBox = xml.get_widget("typeHBox") + self.selinuxTypeOptionMenu = xml.get_widget("selinuxTypeOptionMenu") + self.typeLabel = xml.get_widget("typeLabel") + self.enabledOptionMenu = xml.get_widget("enabledOptionMenu") + self.currentOptionMenu = xml.get_widget("currentOptionMenu") + self.relabel_checkbutton = xml.get_widget("relabelCheckbutton") + self.relabel_checkbutton.set_active(self.is_relabel()) + self.relabel_checkbutton.connect("toggled", self.on_relabel_toggle) + if self.get_current_mode() == ENFORCING or self.get_current_mode() == PERMISSIVE: + self.currentOptionMenu.append_text(_("Permissive")) + self.currentOptionMenu.append_text(_("Enforcing")) + self.currentOptionMenu.set_active(self.get_current_mode()) + self.currentOptionMenu.connect("changed", self.set_current_mode) + self.currentOptionMenu.set_sensitive(True) + else: + self.currentOptionMenu.append_text(_("Disabled")) + self.currentOptionMenu.set_active(0) + self.currentOptionMenu.set_sensitive(False) + + if self.read_selinux_config() == None: + self.selinuxsupport = False + else: + self.enabledOptionMenu.connect("changed", self.enabled_changed) + # + # This line must come after read_selinux_config + # + self.selinuxTypeOptionMenu.connect("changed", self.typemenu_changed) + + self.typeLabel.set_mnemonic_widget(self.selinuxTypeOptionMenu) + + def use_menus(self): + return False + + def get_description(self): + return _("Status") + + def get_current_mode(self): + if selinux.is_selinux_enabled(): + if selinux.security_getenforce() > 0: + return ENFORCING + else: + return PERMISSIVE + else: + return DISABLED + + def set_current_mode(self,menu): + selinux.security_setenforce(menu.get_active() == 1) + + def is_relabel(self): + return os.access(RELABELFILE, os.F_OK) != 0 + + def on_relabel_toggle(self,button): + if button.get_active(): + fd = open(RELABELFILE,"w") + fd.close() + else: + if os.access(RELABELFILE, os.F_OK) != 0: + os.unlink(RELABELFILE) + + def verify(self, message): + dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO, + gtk.BUTTONS_YES_NO, + message) + dlg.set_position(gtk.WIN_POS_MOUSE) + dlg.show_all() + rc = dlg.run() + dlg.destroy() + return rc + + def typemenu_changed(self, menu): + type = self.get_type() + enabled = self.enabledOptionMenu.get_active() + if self.initialtype != type: + if self.verify(_("Changing the policy type will cause a relabel of the entire file system on the next boot. Relabeling takes a long time depending on the size of the file system. Do you wish to continue?")) == gtk.RESPONSE_NO: + menu.set_active(self.typeHistory) + return None + + self.relabel_checkbutton.set_active(True) + + self.write_selinux_config(modearray[enabled], type ) + self.typeHistory = menu.get_active() + + def enabled_changed(self, combo): + enabled = combo.get_active() + type = self.get_type() + + if self.initEnabled != DISABLED and enabled == DISABLED: + if self.verify(_("Changing to SELinux disabled requires a reboot. It is not recommended. If you later decide to turn SELinux back on, the system will be required to relabel. If you just want to see if SELinux is causing a problem on your system, you can go to permissive mode which will only log errors and not enforce SELinux policy. Permissive mode does not require a reboot Do you wish to continue?")) == gtk.RESPONSE_NO: + combo.set_active(self.enabled) + return None + + if self.initEnabled == DISABLED and enabled < 2: + if self.verify(_("Changing to SELinux enabled will cause a relabel of the entire file system on the next boot. Relabeling takes a long time depending on the size of the file system. Do you wish to continue?")) == gtk.RESPONSE_NO: + combo.set_active(self.enabled) + return None + self.relabel_checkbutton.set_active(True) + + self.write_selinux_config(modearray[enabled], type ) + self.enabled = enabled + + def write_selinux_config(self, enforcing, type): + import commands + commands.getstatusoutput("/usr/sbin/lokkit --selinuxtype=%s --selinux=%s" % (type, enforcing)) + + def read_selinux_config(self): + self.initialtype = selinux.selinux_getpolicytype()[1] + self.initEnabled = selinux.selinux_getenforcemode()[1] + self.enabled = self.initEnabled + self.enabledOptionMenu.set_active(self.enabled + 1 ) + + self.types = [] + + n = 0 + current = n + + for i in os.listdir(SELINUXDIR): + if os.path.isdir(SELINUXDIR+i) and os.path.isdir(SELINUXDIR+i+"/policy"): + self.types.append(i) + self.selinuxTypeOptionMenu.append_text(i) + if i == self.initialtype: + current = n + n = n+1 + self.selinuxTypeOptionMenu.set_active(current) + self.typeHistory = current + + return 0 + + def get_type(self): + return self.types[self.selinuxTypeOptionMenu.get_active()] + + diff --git a/policycoreutils/gui/system-config-selinux.glade b/policycoreutils/gui/system-config-selinux.glade new file mode 100644 index 0000000..05a697e --- /dev/null +++ b/policycoreutils/gui/system-config-selinux.glade @@ -0,0 +1,3005 @@ + + + + + + + + + 5 + False + system-config-selinux + Copyright (c)2006 Red Hat, Inc. +Copyright (c) 2006 Dan Walsh <dwalsh@redhat.com> + False + Daniel Walsh <dwalsh@redhat.com> + + translator-credits + system-config-selinux.png + + + + Add SELinux Login Mapping + GTK_WINDOW_TOPLEVEL + GTK_WIN_POS_NONE + False + True + False + True + False + False + GDK_WINDOW_TYPE_HINT_DIALOG + GDK_GRAVITY_NORTH_WEST + True + False + True + + + + True + False + 0 + + + + True + GTK_BUTTONBOX_END + + + + True + True + True + gtk-cancel + True + GTK_RELIEF_NORMAL + True + -6 + + + + + + True + True + True + gtk-ok + True + GTK_RELIEF_NORMAL + True + -5 + + + + + 0 + False + True + GTK_PACK_END + + + + + + True + False + 0 + + + + True + 3 + 2 + False + 4 + 6 + + + + True + Login Name + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 0 + 1 + fill + + + + + + + True + SELinux User + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 1 + 2 + fill + + + + + + + True + MLS/MCS Range + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 2 + 3 + fill + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 0 + 1 + + + + + + + True + False + True + + + 1 + 2 + 1 + 2 + fill + fill + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 2 + 3 + + + + + + 5 + True + True + + + + + 0 + True + True + + + + + + + + Add SELinux Network Ports + GTK_WINDOW_TOPLEVEL + GTK_WIN_POS_NONE + False + True + False + True + False + False + GDK_WINDOW_TYPE_HINT_DIALOG + GDK_GRAVITY_NORTH_WEST + True + False + True + + + + True + False + 0 + + + + True + GTK_BUTTONBOX_END + + + + True + True + True + gtk-cancel + True + GTK_RELIEF_NORMAL + True + -6 + + + + + + True + True + True + gtk-ok + True + GTK_RELIEF_NORMAL + True + -5 + + + + + 0 + False + True + GTK_PACK_END + + + + + + True + False + 0 + + + + True + 4 + 2 + False + 4 + 6 + + + + True + Port Number + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 0 + 1 + fill + + + + + + + True + Protocol + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 1 + 2 + fill + + + + + + + True + SELinux Type + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 2 + 3 + fill + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 0 + 1 + + + + + + + True + tcp +udp + False + True + + + 1 + 2 + 1 + 2 + fill + fill + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 2 + 3 + + + + + + + True + MLS/MCS +Level + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 3 + 4 + fill + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 3 + 4 + + + + + + 5 + True + True + + + + + 0 + True + True + + + + + + + + Add SELinux Login Mapping + GTK_WINDOW_TOPLEVEL + GTK_WIN_POS_NONE + False + True + False + True + False + False + GDK_WINDOW_TYPE_HINT_DIALOG + GDK_GRAVITY_NORTH_WEST + True + False + True + + + + True + False + 0 + + + + True + GTK_BUTTONBOX_END + + + + True + True + True + gtk-cancel + True + GTK_RELIEF_NORMAL + True + -6 + + + + + + True + True + True + gtk-ok + True + GTK_RELIEF_NORMAL + True + -5 + + + + + 0 + False + True + GTK_PACK_END + + + + + + True + False + 0 + + + + True + 4 + 2 + False + 4 + 6 + + + + True + File Specification + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 0 + 1 + fill + + + + + + + True + File Type + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 1 + 2 + fill + + + + + + + True + SELinux Type + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 2 + 3 + fill + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 0 + 1 + + + + + + + True + all files +regular file +directory +character device +block device +socket +symbolic link +named pipe + + False + True + + + 1 + 2 + 1 + 2 + fill + fill + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 2 + 3 + + + + + + + True + MLS + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 3 + 4 + fill + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 3 + 4 + + + + + + 5 + True + True + + + + + 0 + True + True + + + + + + + + Add SELinux User + GTK_WINDOW_TOPLEVEL + GTK_WIN_POS_NONE + False + True + False + True + False + False + GDK_WINDOW_TYPE_HINT_DIALOG + GDK_GRAVITY_NORTH_WEST + True + False + True + + + + True + False + 0 + + + + True + GTK_BUTTONBOX_END + + + + True + True + True + gtk-cancel + True + GTK_RELIEF_NORMAL + True + -6 + + + + + + True + True + True + gtk-ok + True + GTK_RELIEF_NORMAL + True + -5 + + + + + 0 + False + True + GTK_PACK_END + + + + + + True + False + 0 + + + + True + 3 + 2 + False + 4 + 6 + + + + True + SELinux User + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 0 + 1 + fill + + + + + + + True + MLS/MCS Range + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 1 + 2 + fill + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 1 + 2 + + + + + + + True + SELinux Roles + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 2 + 3 + fill + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 2 + 3 + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 0 + 1 + + + + + + 5 + True + True + + + + + 0 + True + True + + + + + + + + 800 + 500 + SELinux Administration + GTK_WINDOW_TOPLEVEL + GTK_WIN_POS_NONE + False + True + False + system-config-selinux.png + True + False + False + GDK_WINDOW_TYPE_HINT_NORMAL + GDK_GRAVITY_NORTH_WEST + True + False + True + + + + True + True + + + + True + GTK_SHADOW_NONE + + + + True + GTK_PACK_DIRECTION_LTR + GTK_PACK_DIRECTION_LTR + + + + True + GNOMEUIINFO_MENU_FILE_TREE + + + + + + + True + Add + True + + + + + + True + gtk-add + 1 + 0.5 + 0.5 + 0 + 0 + + + + + + + + True + _Properties + True + + + + + + True + gtk-properties + 1 + 0.5 + 0.5 + 0 + 0 + + + + + + + + True + _Delete + True + + + + + + True + gtk-delete + 1 + 0.5 + 0.5 + 0 + 0 + + + + + + + + True + GNOMEUIINFO_MENU_EXIT_ITEM + + + + + + + + + + + True + GNOMEUIINFO_MENU_HELP_TREE + + + + + + + True + GNOMEUIINFO_MENU_ABOUT_ITEM + + + + + + + + + + + + BONOBO_DOCK_TOP + 0 + 0 + 0 + BONOBO_DOCK_ITEM_BEH_EXCLUSIVE|BONOBO_DOCK_ITEM_BEH_NEVER_VERTICAL|BONOBO_DOCK_ITEM_BEH_LOCKED + + + + + + True + True + + + + 5 + True + 0 + 0.5 + GTK_SHADOW_NONE + + + + True + 0.5 + 0.5 + 1 + 1 + 0 + 0 + 12 + 0 + + + + True + Select Management Object + True + False + False + False + True + False + False + False + + + + + + + + True + <b>Select:</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + label_item + + + + + False + True + + + + + + True + False + True + GTK_POS_TOP + False + False + + + + True + False + 0 + + + + True + 4 + 2 + False + 5 + 5 + + + + True + System Default Enforcing Mode + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 0 + 1 + fill + + + + + + + True + Disabled +Permissive +Enforcing + + False + True + + + 1 + 2 + 0 + 1 + fill + + + + + + True + Current Enforcing Mode + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 1 + 2 + fill + + + + + + + True + + False + True + + + 1 + 2 + 1 + 2 + fill + fill + + + + + + True + System Default Policy Type: + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 2 + 3 + fill + + + + + + + True + + False + True + + + 1 + 2 + 2 + 3 + fill + fill + + + + + + True + Select if you wish to relabel then entire file system on next reboot. Relabeling can take a very long time, depending on the size of the system. If you are changing policy types or going from disabled to enforcing, a relabel is required. + True + GTK_RELIEF_NORMAL + True + False + False + True + + + + True + 0.5 + 0.5 + 0 + 0 + 0 + 0 + 0 + 0 + + + + True + False + 2 + + + + True + gtk-refresh + 4 + 0.5 + 0.5 + 0 + 0 + + + 0 + False + False + + + + + + True + Relabel on next reboot. + True + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + + + + 0 + 2 + 3 + 4 + fill + fill + + + + + 0 + True + True + + + + + False + True + + + + + + True + label37 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + GTK_ORIENTATION_HORIZONTAL + GTK_TOOLBAR_BOTH + True + True + + + + True + Revert boolean setting to system default + gtk-revert-to-saved + True + True + False + + + + False + True + + + + + + True + Toggle between Customized and All Booleans + Customized + True + gtk-find + True + True + False + + + + False + True + + + + + 0 + False + False + + + + + + True + False + 0 + + + + True + Filter + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 10 + False + False + + + + + + True + True + True + True + 0 + + True + • + False + + + + 0 + True + True + + + + + 10 + False + True + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + Boolean + True + True + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label50 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + GTK_ORIENTATION_HORIZONTAL + GTK_TOOLBAR_BOTH + True + True + + + + True + Add File Context + gtk-add + True + True + False + + + + False + True + + + + + + True + Modify File Context + gtk-properties + True + True + False + + + + False + True + + + + + + True + Delete File Context + gtk-delete + True + True + False + + + + False + True + + + + + + True + Toggle between all and customized file context + Customized + True + gtk-find + True + True + False + + + + False + True + + + + + 0 + False + False + + + + + + True + False + 0 + + + + True + Filter + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 10 + False + False + + + + + + True + True + True + True + 0 + + True + • + False + + + + 0 + True + True + + + + + 0 + False + False + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + File Labeling + True + True + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label38 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + GTK_ORIENTATION_HORIZONTAL + GTK_TOOLBAR_BOTH + True + True + + + + True + Add SELinux User Mapping + gtk-add + True + True + False + + + + False + True + + + + + + True + Modify SELinux User Mapping + gtk-properties + True + True + False + + + + False + True + + + + + + True + Delete SELinux User Mapping + gtk-delete + True + True + False + + + + False + True + + + + + 0 + False + False + + + + + + True + False + 0 + + + + True + Filter + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 10 + False + False + + + + + + True + True + True + True + 0 + + True + • + False + + + + 0 + True + True + + + + + 5 + False + True + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + User Mapping + True + True + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label39 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + GTK_ORIENTATION_HORIZONTAL + GTK_TOOLBAR_BOTH + True + True + + + + True + Add User + gtk-add + True + True + False + + + + False + True + + + + + + True + Modify User + gtk-properties + True + True + False + + + + False + True + + + + + + True + Delete User + gtk-delete + True + True + False + + + + False + True + + + + + 0 + False + False + + + + + + True + False + 0 + + + + True + Filter + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 10 + False + False + + + + + + True + True + True + True + 0 + + True + • + False + + + + 0 + True + True + + + + + 5 + False + True + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + SELinux User + True + True + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label41 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + GTK_ORIENTATION_HORIZONTAL + GTK_TOOLBAR_BOTH + False + True + + + + True + Add Network Port + gtk-add + True + True + False + + + + False + True + + + + + + True + Edit Network Port + gtk-properties + True + True + False + + + + False + True + + + + + + True + Delete Network Port + gtk-delete + True + True + False + + + + False + True + + + + + + True + True + True + False + + + + 32 + True + + + + + False + False + + + + + + True + Toggle between Customized and All Ports + Group View + True + gtk-indent + True + True + False + + + + False + True + + + + + + True + Toggle between Customized and All Ports + Customized + True + gtk-find + True + True + False + + + + False + True + + + + + 0 + False + False + + + + + + True + False + 0 + + + + True + Filter + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 10 + False + False + + + + + + True + True + True + True + 0 + + True + • + False + + + + 0 + True + True + + + + + 5 + False + True + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + Network Port + True + True + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label42 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + GTK_ORIENTATION_HORIZONTAL + GTK_TOOLBAR_BOTH + True + True + + + + True + Generate new policy module + gtk-new + True + True + False + + + + False + True + + + + + + True + Load policy module + gtk-add + True + True + False + + + + False + True + + + + + + True + Remove loadable policy module + gtk-remove + True + True + False + + + + False + True + + + + + + True + True + True + False + + + + 10 + True + + + + + False + False + + + + + + True + Enable/Disable additional audit rules, that are normally not reported in the log files. + Enable Audit + True + gtk-zoom-in + True + True + False + + + + False + True + + + + + 0 + False + False + + + + + + True + False + 0 + + + + True + Filter + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 10 + False + False + + + + + + True + True + True + True + 0 + + True + • + False + + + + 0 + True + True + + + + + 5 + False + True + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + Policy Module + True + True + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label44 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + GTK_ORIENTATION_HORIZONTAL + GTK_TOOLBAR_BOTH + True + True + + + + True + Change process mode to permissive. + Permissive + True + gtk-dialog-warning + True + True + False + + + + False + True + + + + + + True + Change process mode to enforcing + Enforcing + True + gtk-dialog-error + True + True + False + + + + False + True + + + + + 0 + False + False + + + + + + True + False + 0 + + + + True + Filter + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 10 + False + False + + + + + + True + True + True + True + 0 + + True + • + False + + + + 0 + True + True + + + + + 5 + False + True + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + Process Domain + True + True + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label59 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + True + True + + + + + + + 0 + True + True + + + + + + True + True + True + + + 0 + True + True + + + + + diff --git a/policycoreutils/gui/system-config-selinux.py b/policycoreutils/gui/system-config-selinux.py new file mode 100644 index 0000000..f080dd9 --- /dev/null +++ b/policycoreutils/gui/system-config-selinux.py @@ -0,0 +1,187 @@ +#!/usr/bin/python -Es +# +# system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux +# +# Dan Walsh +# +# Copyright 2006-2009 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +import signal +import string +import gtk +import gtk.glade +import os +import gobject +import gnome +import sys +import statusPage +import booleansPage +import loginsPage +import usersPage +import portsPage +import modulesPage +import domainsPage +import fcontextPage +import selinux +## +## I18N +## +PROGNAME="policycoreutils" + +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +gnome.program_init("SELinux Management Tool", "5") + +version = "1.0" + +sys.path.append('/usr/share/system-config-selinux') + + + +## +## Pull in the Glade file +## +if os.access("system-config-selinux.glade", os.F_OK): + xml = gtk.glade.XML ("system-config-selinux.glade", domain=PROGNAME) +else: + xml = gtk.glade.XML ("/usr/share/system-config-selinux/system-config-selinux.glade", domain=PROGNAME) + +class childWindow: + def __init__(self): + self.tabs=[] + self.xml = xml + xml.signal_connect("on_quit_activate", self.destroy) + xml.signal_connect("on_delete_clicked", self.delete) + xml.signal_connect("on_add_clicked", self.add) + xml.signal_connect("on_properties_clicked", self.properties) + xml.signal_connect("on_local_clicked", self.on_local_clicked) + self.add_page(statusPage.statusPage(xml)) + if selinux.is_selinux_enabled() > 0: + try: + self.add_page(booleansPage.booleansPage(xml)) + self.add_page(fcontextPage.fcontextPage(xml)) + self.add_page(loginsPage.loginsPage(xml)) + self.add_page(usersPage.usersPage(xml)) + self.add_page(portsPage.portsPage(xml)) + self.add_page(modulesPage.modulesPage(xml)) # modules + self.add_page(domainsPage.domainsPage(xml)) # domains + except ValueError, e: + self.error(e.message) + + xml.signal_connect("on_quit_activate", self.destroy) + xml.signal_connect("on_policy_activate", self.policy) + xml.signal_connect("on_logging_activate", self.logging) + xml.signal_connect("on_about_activate", self.on_about_activate) + + self.add_menu = xml.get_widget("add_menu_item") + self.properties_menu = xml.get_widget("properties_menu_item") + self.delete_menu = xml.get_widget("delete_menu_item") + + def error(self, message): + dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_ERROR, + gtk.BUTTONS_CLOSE, + message) + dlg.set_position(gtk.WIN_POS_MOUSE) + dlg.show_all() + dlg.run() + dlg.destroy() + + def add_page(self, page): + self.tabs.append(page) + + def policy(self, args): + os.spawnl(os.P_NOWAIT, "/usr/share/system-config-selinux/semanagegui.py") + def logging(self, args): + os.spawnl(os.P_NOWAIT, "/usr/bin/seaudit") + + def delete(self, args): + self.tabs[self.notebook.get_current_page()].deleteDialog() + + def add(self, args): + self.tabs[self.notebook.get_current_page()].addDialog() + + def properties(self, args): + self.tabs[self.notebook.get_current_page()].propertiesDialog() + + def on_local_clicked(self, button): + self.tabs[self.notebook.get_current_page()].on_local_clicked(button) + + def on_about_activate(self, args): + dlg = xml.get_widget ("aboutWindow") + dlg.run () + dlg.hide () + + def destroy(self, args): + gtk.main_quit() + + def use_menus(self, use_menus): + self.add_menu.set_sensitive(use_menus) + self.properties_menu.set_sensitive(use_menus) + self.delete_menu.set_sensitive(use_menus) + + def itemSelected(self, selection): + store, rows = selection.get_selected_rows() + if store != None and len(rows) > 0: + self.notebook.set_current_page(rows[0][0]) + self.use_menus(self.tabs[rows[0][0]].use_menus()) + else: + self.notebook.set_current_page(0) + self.use_menus(self.tabs[0].use_menus()) + + + def setupScreen(self): + # Bring in widgets from glade file. + self.mainWindow = self.xml.get_widget("mainWindow") + self.notebook = self.xml.get_widget("notebook") + self.view = self.xml.get_widget("selectView") + self.view.get_selection().connect("changed", self.itemSelected) + self.store = gtk.ListStore(gobject.TYPE_STRING) + self.view.set_model(self.store) + col = gtk.TreeViewColumn("", gtk.CellRendererText(), text = 0) + col.set_resizable(True) + self.view.append_column(col) + + for page in self.tabs: + iter = self.store.append() + self.store.set_value(iter, 0, page.get_description()) + self.view.get_selection().select_path ((0,)) + + def stand_alone(self): + desktopName = _("Configue SELinux") + + self.setupScreen() + + self.mainWindow.connect("destroy", self.destroy) + + self.mainWindow.show_all() + gtk.main() + +if __name__ == "__main__": + signal.signal (signal.SIGINT, signal.SIG_DFL) + + app = childWindow() + app.stand_alone() diff --git a/policycoreutils/gui/templates/__init__.py b/policycoreutils/gui/templates/__init__.py new file mode 100644 index 0000000..683666f --- /dev/null +++ b/policycoreutils/gui/templates/__init__.py @@ -0,0 +1,18 @@ +# +# Copyright (C) 2007-2012 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# + diff --git a/policycoreutils/gui/templates/boolean.py b/policycoreutils/gui/templates/boolean.py new file mode 100644 index 0000000..f7af4d8 --- /dev/null +++ b/policycoreutils/gui/templates/boolean.py @@ -0,0 +1,40 @@ +# Copyright (C) 2007-2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### boolean Template File ########################### + +te_boolean=""" +## +##

+## DESCRIPTION +##

+## +gen_tunable(BOOLEAN, false) +""" + +te_rules=""" +tunable_policy(`BOOLEAN',` +#TRUE +',` +#FALSE +') +""" + diff --git a/policycoreutils/gui/templates/etc_rw.py b/policycoreutils/gui/templates/etc_rw.py new file mode 100644 index 0000000..0d3dbfe --- /dev/null +++ b/policycoreutils/gui/templates/etc_rw.py @@ -0,0 +1,112 @@ +# Copyright (C) 2007-2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### etc_rw Template File ############################# + +########################### Type Enforcement File ############################# +te_types=""" +type TEMPLATETYPE_etc_rw_t; +files_type(TEMPLATETYPE_etc_rw_t) +""" +te_rules=""" +manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_etc_rw_t, TEMPLATETYPE_etc_rw_t) +manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_etc_rw_t, TEMPLATETYPE_etc_rw_t) +files_etc_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_etc_rw_t, { dir file }) +""" + +########################### Interface File ############################# +if_rules=""" +######################################## +## +## Search TEMPLATETYPE conf directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_search_conf',` + gen_require(` + type TEMPLATETYPE_etc_rw_t; + ') + + allow $1 TEMPLATETYPE_etc_rw_t:dir search_dir_perms; + files_search_etc($1) +') + +######################################## +## +## Read TEMPLATETYPE conf files. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_read_conf_files',` + gen_require(` + type TEMPLATETYPE_etc_rw_t; + ') + + allow $1 TEMPLATETYPE_etc_rw_t:file read_file_perms; + allow $1 TEMPLATETYPE_etc_rw_t:dir list_dir_perms; + files_search_etc($1) +') + +######################################## +## +## Manage TEMPLATETYPE conf files. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_manage_conf_files',` + gen_require(` + type TEMPLATETYPE_etc_rw_t; + ') + + manage_files_pattern($1, TEMPLATETYPE_etc_rw_t, TEMPLATETYPE_etc_rw_t) + files_search_etc($1) +') + +""" + +if_admin_types=""" + type TEMPLATETYPE_etc_rw_t;""" + +if_admin_rules=""" + files_search_etc($1) + admin_pattern($1, TEMPLATETYPE_etc_rw_t) +""" + +########################### File Context ################################## +fc_file="""\ +FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0) +""" + +fc_dir="""\ +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0) +""" diff --git a/policycoreutils/gui/templates/executable.py b/policycoreutils/gui/templates/executable.py new file mode 100644 index 0000000..5b39d77 --- /dev/null +++ b/policycoreutils/gui/templates/executable.py @@ -0,0 +1,445 @@ +# Copyright (C) 2007-2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### Type Enforcement File ############################# +te_daemon_types="""\ +policy_module(TEMPLATETYPE, 1.0.0) + +######################################## +# +# Declarations +# + +type TEMPLATETYPE_t; +type TEMPLATETYPE_exec_t; +init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t) + +permissive TEMPLATETYPE_t; +""" + +te_initscript_types=""" +type TEMPLATETYPE_initrc_exec_t; +init_script_file(TEMPLATETYPE_initrc_exec_t) +""" + +te_dbusd_types="""\ +policy_module(TEMPLATETYPE, 1.0.0) + +######################################## +# +# Declarations +# + +type TEMPLATETYPE_t; +type TEMPLATETYPE_exec_t; +dbus_system_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t) + +permissive TEMPLATETYPE_t; +""" + +te_inetd_types="""\ +policy_module(TEMPLATETYPE, 1.0.0) + +######################################## +# +# Declarations +# + +type TEMPLATETYPE_t; +type TEMPLATETYPE_exec_t; +inetd_service_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t) + +permissive TEMPLATETYPE_t; +""" + +te_userapp_types="""\ +policy_module(TEMPLATETYPE, 1.0.0) + +######################################## +# +# Declarations +# + +type TEMPLATETYPE_t; +type TEMPLATETYPE_exec_t; +application_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t) +role system_r types TEMPLATETYPE_t; + +permissive TEMPLATETYPE_t; +""" + +te_sandbox_types="""\ +policy_module(TEMPLATETYPE, 1.0.0) + +######################################## +# +# Declarations +# + +sandbox_x_domain_template(TEMPLATETYPE) + +permissive TEMPLATETYPE_t; +permissive TEMPLATETYPE_client_t; + +""" + +te_cgi_types="""\ +policy_module(TEMPLATETYPE, 1.0.0) + +######################################## +# +# Declarations +# + +apache_content_template(TEMPLATETYPE) + +permissive httpd_TEMPLATETYPE_script_t; +""" + +te_daemon_rules="""\ +allow TEMPLATETYPE_t self:fifo_file rw_fifo_file_perms; +allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms; +""" + +te_inetd_rules=""" +""" + +te_dbusd_rules=""" +""" + +te_userapp_rules=""" +allow TEMPLATETYPE_t self:fifo_file manage_fifo_file_perms; +allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms; +""" + +te_cgi_rules=""" +""" + +te_sandbox_rules=""" +""" + +te_uid_rules=""" +auth_use_nsswitch(TEMPLATETYPE_t) +""" + +te_syslog_rules=""" +logging_send_syslog_msg(TEMPLATETYPE_t) +""" + +te_resolve_rules=""" +sysnet_dns_name_resolve(TEMPLATETYPE_t) +""" + +te_pam_rules=""" +auth_domtrans_chk_passwd(TEMPLATETYPE_t) +""" + +te_mail_rules=""" +mta_send_mail(TEMPLATETYPE_t) +""" + +te_dbus_rules=""" +optional_policy(` + dbus_system_bus_client(TEMPLATETYPE_t) + dbus_connect_system_bus(TEMPLATETYPE_t) +') +""" + +te_kerberos_rules=""" +optional_policy(` + kerberos_use(TEMPLATETYPE_t) +') +""" + +te_manage_krb5_rcache_rules=""" +optional_policy(` + kerberos_keytab_template(TEMPLATETYPE, TEMPLATETYPE_t) + kerberos_manage_host_rcache(TEMPLATETYPE_t) +') +""" + +te_audit_rules=""" +logging_send_audit_msgs(TEMPLATETYPE_t) +""" + +te_run_rules=""" +optional_policy(` + gen_require(` + type USER_t; + role USER_r; + ') + + TEMPLATETYPE_run(USER_t, USER_r) +') +""" + +te_fd_rules=""" +domain_use_interactive_fds(TEMPLATETYPE_t) +""" + +te_etc_rules=""" +files_read_etc_files(TEMPLATETYPE_t) +""" + +te_localization_rules=""" +miscfiles_read_localization(TEMPLATETYPE_t) +""" + +########################### Interface File ############################# + +if_heading_rules=""" +## policy for TEMPLATETYPE""" + +if_program_rules=""" + +######################################## +## +## Transition to TEMPLATETYPE. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`TEMPLATETYPE_domtrans',` + gen_require(` + type TEMPLATETYPE_t, TEMPLATETYPE_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, TEMPLATETYPE_exec_t, TEMPLATETYPE_t) +') +""" + +if_user_program_rules=""" +######################################## +## +## Execute TEMPLATETYPE in the TEMPLATETYPE domain, and +## allow the specified role the TEMPLATETYPE domain. +## +## +## +## Domain allowed to transition +## +## +## +## +## The role to be allowed the TEMPLATETYPE domain. +## +## +# +interface(`TEMPLATETYPE_run',` + gen_require(` + type TEMPLATETYPE_t; + ') + + TEMPLATETYPE_domtrans($1) + role $2 types TEMPLATETYPE_t; +') + +######################################## +## +## Role access for TEMPLATETYPE +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`TEMPLATETYPE_role',` + gen_require(` + type TEMPLATETYPE_t; + ') + + role $1 types TEMPLATETYPE_t; + + TEMPLATETYPE_domtrans($2) + + ps_process_pattern($2, TEMPLATETYPE_t) + allow $2 TEMPLATETYPE_t:process signal; +') +""" + +if_sandbox_rules=""" +######################################## +## +## Execute sandbox in the TEMPLATETYPE_t domain, and +## allow the specified role the TEMPLATETYPE_t domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## The role to be allowed the TEMPLATETYPE_t domain. +## +## +# +interface(`TEMPLATETYPE_transition',` + gen_require(` + type TEMPLATETYPE_t; + type TEMPLATETYPE_client_t; + ') + + allow $1 TEMPLATETYPE_t:process { signal_perms transition }; + dontaudit $1 TEMPLATETYPE_t:process { noatsecure siginh rlimitinh }; + role $2 types TEMPLATETYPE_t; + role $2 types TEMPLATETYPE_client_t; + + allow TEMPLATETYPE_t $1:process { sigchld signull }; + allow TEMPLATETYPE_t $1:fifo_file rw_inherited_fifo_file_perms; + allow TEMPLATETYPE_client_t $1:process { sigchld signull }; + allow TEMPLATETYPE_client_t $1:fifo_file rw_inherited_fifo_file_perms; +') +""" + +if_role_change_rules=""" +######################################## +## +## Change to the TEMPLATETYPE role. +## +## +## +## Role allowed access. +## +## +## +# +interface(`TEMPLATETYPE_role_change',` + gen_require(` + role TEMPLATETYPE_r; + ') + + allow $1 TEMPLATETYPE_r; +') +""" + +if_initscript_rules=""" +######################################## +## +## Execute TEMPLATETYPE server in the TEMPLATETYPE domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_initrc_domtrans',` + gen_require(` + type TEMPLATETYPE_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, TEMPLATETYPE_initrc_exec_t) +') +""" + +if_dbus_rules=""" +######################################## +## +## Send and receive messages from +## TEMPLATETYPE over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_dbus_chat',` + gen_require(` + type TEMPLATETYPE_t; + class dbus send_msg; + ') + + allow $1 TEMPLATETYPE_t:dbus send_msg; + allow TEMPLATETYPE_t $1:dbus send_msg; +') +""" + +if_begin_admin=""" +######################################## +## +## All of the rules required to administrate +## an TEMPLATETYPE environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`TEMPLATETYPE_admin',` + gen_require(` + type TEMPLATETYPE_t;""" + +if_middle_admin=""" + ') + + allow $1 TEMPLATETYPE_t:process { ptrace signal_perms }; + ps_process_pattern($1, TEMPLATETYPE_t) +""" + +if_initscript_admin_types=""" + type TEMPLATETYPE_initrc_exec_t;""" + +if_initscript_admin=""" + TEMPLATETYPE_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 TEMPLATETYPE_initrc_exec_t system_r; + allow $2 system_r; +""" + +if_end_admin="""\ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') +') +""" + +########################### File Context ################################## +fc_program="""\ +EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0) +""" + +fc_user="""\ +# Users do not have file context, leave blank +""" + +fc_initscript="""\ +EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_initrc_exec_t,s0) +""" diff --git a/policycoreutils/gui/templates/network.py b/policycoreutils/gui/templates/network.py new file mode 100644 index 0000000..6a3d445 --- /dev/null +++ b/policycoreutils/gui/templates/network.py @@ -0,0 +1,102 @@ +# Copyright (C) 2007-2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### Type Enforcement File ############################# +te_port_types=""" +type TEMPLATETYPE_port_t; +corenet_port(TEMPLATETYPE_port_t) +""" + +te_network="""\ +sysnet_dns_name_resolve(TEMPLATETYPE_t) +corenet_all_recvfrom_unlabeled(TEMPLATETYPE_t) +""" + +te_tcp="""\ +allow TEMPLATETYPE_t self:tcp_socket create_stream_socket_perms; +corenet_tcp_sendrecv_generic_if(TEMPLATETYPE_t) +corenet_tcp_sendrecv_generic_node(TEMPLATETYPE_t) +corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t) +""" + +te_in_tcp="""\ +corenet_tcp_bind_generic_node(TEMPLATETYPE_t) +""" + +te_in_need_port_tcp="""\ +allow TEMPLATETYPE_t TEMPLATETYPE_port_t:tcp_socket name_bind; +""" + +te_out_need_port_tcp="""\ +allow TEMPLATETYPE_t TEMPLATETYPE_port_t:tcp_socket name_connect; +""" + +te_udp="""\ +allow TEMPLATETYPE_t self:udp_socket { create_socket_perms listen }; +corenet_udp_sendrecv_generic_if(TEMPLATETYPE_t) +corenet_udp_sendrecv_generic_node(TEMPLATETYPE_t) +corenet_udp_sendrecv_all_ports(TEMPLATETYPE_t) +""" + +te_in_udp="""\ +corenet_udp_bind_generic_node(TEMPLATETYPE_t) +""" + +te_in_need_port_udp="""\ +allow TEMPLATETYPE_t TEMPLATETYPE_port_t:udp_socket name_bind; +""" + +te_out_all_ports_tcp="""\ +corenet_tcp_connect_all_ports(TEMPLATETYPE_t) +""" + +te_out_reserved_ports_tcp="""\ +corenet_tcp_connect_all_rpc_ports(TEMPLATETYPE_t) +""" + +te_out_unreserved_ports_tcp="""\ +corenet_tcp_connect_all_unreserved_ports(TEMPLATETYPE_t) +""" + +te_in_all_ports_tcp="""\ +corenet_tcp_bind_all_ports(TEMPLATETYPE_t) +""" + +te_in_reserved_ports_tcp="""\ +corenet_tcp_bind_all_rpc_ports(TEMPLATETYPE_t) +""" + +te_in_unreserved_ports_tcp="""\ +corenet_tcp_bind_all_unreserved_ports(TEMPLATETYPE_t) +""" + +te_in_all_ports_udp="""\ +corenet_udp_bind_all_ports(TEMPLATETYPE_t) +""" + +te_in_reserved_ports_udp="""\ +corenet_udp_bind_all_rpc_ports(TEMPLATETYPE_t) +""" + +te_in_unreserved_ports_udp="""\ +corenet_udp_bind_all_unreserved_ports(TEMPLATETYPE_t) +""" + diff --git a/policycoreutils/gui/templates/rw.py b/policycoreutils/gui/templates/rw.py new file mode 100644 index 0000000..5dfc42f --- /dev/null +++ b/policycoreutils/gui/templates/rw.py @@ -0,0 +1,129 @@ +# Copyright (C) 2007-2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# + +########################### tmp Template File ############################# +te_types=""" +type TEMPLATETYPE_rw_t; +files_type(TEMPLATETYPE_rw_t) +""" + +te_rules=""" +manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t) +manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t) +""" + +########################### Interface File ############################# +if_rules=""" +######################################## +## +## Search TEMPLATETYPE rw directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_search_rw_dir',` + gen_require(` + type TEMPLATETYPE_rw_t; + ') + + allow $1 TEMPLATETYPE_rw_t:dir search_dir_perms; + files_search_rw($1) +') + +######################################## +## +## Read TEMPLATETYPE rw files. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_read_rw_files',` + gen_require(` + type TEMPLATETYPE_rw_t; + ') + + allow $1 TEMPLATETYPE_rw_t:file read_file_perms; + allow $1 TEMPLATETYPE_rw_t:dir list_dir_perms; + files_search_rw($1) +') + +######################################## +## +## Manage TEMPLATETYPE rw files. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_manage_rw_files',` + gen_require(` + type TEMPLATETYPE_rw_t; + ') + + manage_files_pattern($1, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t) +') + +######################################## +## +## Create, read, write, and delete +## TEMPLATETYPE rw dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_manage_rw_dirs',` + gen_require(` + type TEMPLATETYPE_rw_t; + ') + + manage_dirs_pattern($1, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t) +') + +""" + +if_admin_types=""" + type TEMPLATETYPE_rw_t;""" + +if_admin_rules=""" + files_search_etc($1) + admin_pattern($1, TEMPLATETYPE_rw_t) +""" + +########################### File Context ################################## +fc_file=""" +FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_rw_t,s0) +""" + +fc_dir=""" +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_rw_t,s0) +""" diff --git a/policycoreutils/gui/templates/script.py b/policycoreutils/gui/templates/script.py new file mode 100644 index 0000000..79240ec --- /dev/null +++ b/policycoreutils/gui/templates/script.py @@ -0,0 +1,126 @@ +# Copyright (C) 2007-2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# + +########################### tmp Template File ############################# +compile="""\ +#!/bin/sh -e + +DIRNAME=`dirname $0` +cd $DIRNAME +USAGE="$0 [ --update ]" +if [ `id -u` != 0 ]; then +echo 'You must be root to run this script' +exit 1 +fi + +if [ $# -eq 1 ]; then + if [ "$1" = "--update" ] ; then + time=`ls -l --time-style="+%x %X" TEMPLATEFILE.te | awk '{ printf "%s %s", $6, $7 }'` + rules=`ausearch --start $time -m avc --raw -se TEMPLATETYPE` + if [ x"$rules" != "x" ] ; then + echo "Found avc's to update policy with" + echo -e "$rules" | audit2allow -R + echo "Do you want these changes added to policy [y/n]?" + read ANS + if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then + echo "Updating policy" + echo -e "$rules" | audit2allow -R >> TEMPLATEFILE.te + # Fall though and rebuild policy + else + exit 0 + fi + else + echo "No new avcs found" + exit 0 + fi + else + echo -e $USAGE + exit 1 + fi +elif [ $# -ge 2 ] ; then + echo -e $USAGE + exit 1 +fi + +echo "Building and Loading Policy" +set -x +make -f /usr/share/selinux/devel/Makefile TEMPLATEFILE.pp || exit +/usr/sbin/semodule -i TEMPLATEFILE.pp + +""" + +restorecon="""\ +# Fixing the file context on FILENAME +/sbin/restorecon -F -R -v FILENAME +""" + +tcp_ports="""\ +# Adding SELinux tcp port to port PORTNUM +/usr/sbin/semanage port -a -t TEMPLATETYPE_port_t -p tcp PORTNUM +""" + +udp_ports="""\ +# Adding SELinux udp port to port PORTNUM +/usr/sbin/semanage port -a -t TEMPLATETYPE_port_t -p udp PORTNUM +""" + +users="""\ +# Adding SELinux user TEMPLATETYPE_u +/usr/sbin/semanage user -a -R "TEMPLATETYPE_rROLES" TEMPLATETYPE_u +""" + +eusers="""\ +# Adding roles to SELinux user TEMPLATETYPE_u +/usr/sbin/semanage user -m -R "TEMPLATETYPE_rROLES" TEMPLATETYPE_u +""" + +admin_trans="""\ +# Adding roles to SELinux user USER +/usr/sbin/semanage user -m -R +TEMPLATETYPE_r USER +""" + +min_login_user_default_context="""\ +if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then +cat > /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u << _EOF +TEMPLATETYPE_r:TEMPLATETYPE_t:s0 TEMPLATETYPE_r:TEMPLATETYPE_t +system_r:crond_t TEMPLATETYPE_r:TEMPLATETYPE_t +system_r:initrc_su_t TEMPLATETYPE_r:TEMPLATETYPE_t +system_r:local_login_t TEMPLATETYPE_r:TEMPLATETYPE_t +system_r:remote_login_t TEMPLATETYPE_r:TEMPLATETYPE_t +system_r:sshd_t TEMPLATETYPE_r:TEMPLATETYPE_t +_EOF +fi +""" + +x_login_user_default_context="""\ +if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then +cat > /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u << _EOF +TEMPLATETYPE_r:TEMPLATETYPE_t TEMPLATETYPE_r:TEMPLATETYPE_t +system_r:crond_t TEMPLATETYPE_r:TEMPLATETYPE_t +system_r:initrc_su_t TEMPLATETYPE_r:TEMPLATETYPE_t +system_r:local_login_t TEMPLATETYPE_r:TEMPLATETYPE_t +system_r:remote_login_t TEMPLATETYPE_r:TEMPLATETYPE_t +system_r:sshd_t TEMPLATETYPE_r:TEMPLATETYPE_t +system_r:xdm_t TEMPLATETYPE_r:TEMPLATETYPE_t +_EOF +fi +""" diff --git a/policycoreutils/gui/templates/semodule.py b/policycoreutils/gui/templates/semodule.py new file mode 100644 index 0000000..194fb2c --- /dev/null +++ b/policycoreutils/gui/templates/semodule.py @@ -0,0 +1,41 @@ +# Copyright (C) 2007-2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# + +########################### tmp Template File ############################# +compile=""" +#!/bin/sh +make -f /usr/share/selinux/devel/Makefile +semodule -i TEMPLATETYPE.pp +""" + +restorecon=""" +restorecon -R -v FILENAME +""" + +tcp_ports=""" +semanage ports -a -t TEMPLATETYPE_port_t -p tcp PORTNUM +""" + +udp_ports=""" +semanage ports -a -t TEMPLATETYPE_port_t -p udp PORTNUM +""" + diff --git a/policycoreutils/gui/templates/tmp.py b/policycoreutils/gui/templates/tmp.py new file mode 100644 index 0000000..d2adaa4 --- /dev/null +++ b/policycoreutils/gui/templates/tmp.py @@ -0,0 +1,102 @@ +# Copyright (C) 2007-2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### tmp Template File ############################# + +te_types=""" +type TEMPLATETYPE_tmp_t; +files_tmp_file(TEMPLATETYPE_tmp_t) +""" + +te_rules=""" +manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t) +manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t) +files_tmp_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_tmp_t, { dir file }) +""" + +if_rules=""" +######################################## +## +## Do not audit attempts to read, +## TEMPLATETYPE tmp files +## +## +## +## Domain to not audit. +## +## +# +interface(`TEMPLATETYPE_dontaudit_read_tmp_files',` + gen_require(` + type TEMPLATETYPE_tmp_t; + ') + + dontaudit $1 TEMPLATETYPE_tmp_t:file read_file_perms; +') + +######################################## +## +## Read TEMPLATETYPE tmp files +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_read_tmp_files',` + gen_require(` + type TEMPLATETYPE_tmp_t; + ') + + files_search_tmp($1) + allow $1 TEMPLATETYPE_tmp_t:file read_file_perms; +') + +######################################## +## +## Manage TEMPLATETYPE tmp files +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_manage_tmp',` + gen_require(` + type TEMPLATETYPE_tmp_t; + ') + + files_search_tmp($1) + manage_dirs_pattern($1, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t) + manage_files_pattern($1, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t) + manage_lnk_files_pattern($1, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t) +') +""" + +if_admin_types=""" + type TEMPLATETYPE_tmp_t;""" + +if_admin_rules=""" + files_search_tmp($1) + admin_pattern($1, TEMPLATETYPE_tmp_t) +""" diff --git a/policycoreutils/gui/templates/unit_file.py b/policycoreutils/gui/templates/unit_file.py new file mode 100644 index 0000000..60e5844 --- /dev/null +++ b/policycoreutils/gui/templates/unit_file.py @@ -0,0 +1,72 @@ +# Copyright (C) 2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### unit Template File ############################# + +########################### Type Enforcement File ############################# +te_types=""" +type TEMPLATETYPE_unit_file_t; +systemd_unit_file(TEMPLATETYPE_unit_file_t) +""" + +te_rules="" + +########################### Interface File ############################# +if_rules="""\ +######################################## +## +## Execute TEMPLATETYPE server in the TEMPLATETYPE domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`TEMPLATETYPE_systemctl',` + gen_require(` + type TEMPLATETYPE_t; + type TEMPLATETYPE_unit_file_t; + ') + + systemd_exec_systemctl($1) + systemd_read_fifo_file_password_run($1) + allow $1 TEMPLATETYPE_unit_file_t:file read_file_perms; + allow $1 TEMPLATETYPE_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, TEMPLATETYPE_t) +') + +""" + +if_admin_types=""" + type TEMPLATETYPE_unit_file_t;""" + +if_admin_rules=""" + TEMPLATETYPE_systemctl($1) + admin_pattern($1, TEMPLATETYPE_unit_file_t) + allow $1 TEMPLATETYPE_unit_file_t:service all_service_perms; +""" + +########################### File Context ################################## +fc_file="""\ +FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_unit_file_t,s0) +""" diff --git a/policycoreutils/gui/templates/user.py b/policycoreutils/gui/templates/user.py new file mode 100644 index 0000000..398c6f2 --- /dev/null +++ b/policycoreutils/gui/templates/user.py @@ -0,0 +1,204 @@ +# Copyright (C) 2007-2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### Type Enforcement File ############################# + +te_login_user_types="""\ +policy_module(TEMPLATETYPE, 1.0.0) + +######################################## +# +# Declarations +# + +userdom_unpriv_user_template(TEMPLATETYPE) +""" + +te_admin_user_types="""\ +policy_module(TEMPLATETYPE, 1.0.0) + +######################################## +# +# Declarations +# + +userdom_admin_user_template(TEMPLATETYPE) +""" + +te_min_login_user_types="""\ +policy_module(TEMPLATETYPE, 1.0.0) + +######################################## +# +# Declarations +# + +userdom_restricted_user_template(TEMPLATETYPE) +""" + +te_x_login_user_types="""\ +policy_module(TEMPLATETYPE, 1.0.0) + +######################################## +# +# Declarations +# + +userdom_restricted_xwindows_user_template(TEMPLATETYPE) +""" + +te_existing_user_types="""\ +policy_module(myTEMPLATETYPE, 1.0.0) + +gen_require(` + type TEMPLATETYPE_t, TEMPLATETYPE_devpts_t; + role TEMPLATETYPE_r; +') + +""" + +te_root_user_types="""\ +policy_module(TEMPLATETYPE, 1.0.0) + +######################################## +# +# Declarations +# + +userdom_base_user_template(TEMPLATETYPE) +""" + +te_login_user_rules="""\ + +######################################## +# +# TEMPLATETYPE local policy +# + +""" + +te_existing_user_rules="""\ + +######################################## +# +# TEMPLATETYPE customized policy +# + +""" + +te_x_login_user_rules="""\ + +######################################## +# +# TEMPLATETYPE local policy +# +""" + +te_root_user_rules="""\ + +######################################## +# +# TEMPLATETYPE local policy +# +""" + +te_transition_rules=""" +optional_policy(` + APPLICATION_role(TEMPLATETYPE_r, TEMPLATETYPE_t) +') +""" + +te_user_trans_rules=""" +optional_policy(` + gen_require(` + role USER_r; + ') + + TEMPLATETYPE_role_change(USER_r) +') +""" + +te_admin_rules=""" +allow TEMPLATETYPE_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; +files_dontaudit_search_all_dirs(TEMPLATETYPE_t) + +selinux_get_enforce_mode(TEMPLATETYPE_t) +seutil_domtrans_setfiles(TEMPLATETYPE_t) +seutil_search_default_contexts(TEMPLATETYPE_t) + +logging_send_syslog_msg(TEMPLATETYPE_t) + +kernel_read_system_state(TEMPLATETYPE_t) + +domain_dontaudit_search_all_domains_state(TEMPLATETYPE_t) +domain_dontaudit_ptrace_all_domains(TEMPLATETYPE_t) + +userdom_dontaudit_search_admin_dir(TEMPLATETYPE_t) +userdom_dontaudit_search_user_home_dirs(TEMPLATETYPE_t) + +bool TEMPLATETYPE_read_user_files false; +bool TEMPLATETYPE_manage_user_files false; + +if (TEMPLATETYPE_read_user_files) { + userdom_read_user_home_content_files(TEMPLATETYPE_t) + userdom_read_user_tmp_files(TEMPLATETYPE_t) +} + +if (TEMPLATETYPE_manage_user_files) { + userdom_manage_user_home_content(TEMPLATETYPE_t) + userdom_manage_user_tmp_files(TEMPLATETYPE_t) +} + +""" + +te_admin_trans_rules=""" +gen_require(` + role USER_r; +') + +allow USER_r TEMPLATETYPE_r; +""" + +te_admin_domain_rules=""" +optional_policy(` + APPLICATION_admin(TEMPLATETYPE_t, TEMPLATETYPE_r) +') +""" + +te_roles_rules=""" +optional_policy(` + gen_require(` + role ROLE_r; + ') + + allow TEMPLATETYPE_r ROLE_r; +') +""" + +te_sudo_rules=""" +optional_policy(` + sudo_role_template(TEMPLATETYPE, TEMPLATETYPE_r, TEMPLATETYPE_t) +') +""" + +te_newrole_rules=""" +seutil_run_newrole(TEMPLATETYPE_t, TEMPLATETYPE_r) +""" diff --git a/policycoreutils/gui/templates/var_cache.py b/policycoreutils/gui/templates/var_cache.py new file mode 100644 index 0000000..8efc1d9 --- /dev/null +++ b/policycoreutils/gui/templates/var_cache.py @@ -0,0 +1,132 @@ +# Copyright (C) 2007-2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### cache Template File ############################# + +########################### Type Enforcement File ############################# +te_types=""" +type TEMPLATETYPE_cache_t; +files_type(TEMPLATETYPE_cache_t) +""" +te_rules=""" +manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t) +manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t) +manage_lnk_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t) +files_var_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_cache_t, { dir file }) +""" + +########################### Interface File ############################# +if_rules=""" +######################################## +## +## Search TEMPLATETYPE cache directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_search_cache',` + gen_require(` + type TEMPLATETYPE_cache_t; + ') + + allow $1 TEMPLATETYPE_cache_t:dir search_dir_perms; + files_search_var($1) +') + +######################################## +## +## Read TEMPLATETYPE cache files. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_read_cache_files',` + gen_require(` + type TEMPLATETYPE_cache_t; + ') + + files_search_var($1) + read_files_pattern($1, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t) +') + +######################################## +## +## Create, read, write, and delete +## TEMPLATETYPE cache files. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_manage_cache_files',` + gen_require(` + type TEMPLATETYPE_cache_t; + ') + + files_search_var($1) + manage_files_pattern($1, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t) +') + +######################################## +## +## Manage TEMPLATETYPE cache dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_manage_cache_dirs',` + gen_require(` + type TEMPLATETYPE_cache_t; + ') + + files_search_var($1) + manage_dirs_pattern($1, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t) +') + +""" + +if_admin_types=""" + type TEMPLATETYPE_cache_t;""" + +if_admin_rules=""" + files_search_var($1) + admin_pattern($1, TEMPLATETYPE_cache_t) +""" + +########################### File Context ################################## +fc_file="""\ +FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_cache_t,s0) +""" + +fc_dir="""\ +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_cache_t,s0) +""" diff --git a/policycoreutils/gui/templates/var_lib.py b/policycoreutils/gui/templates/var_lib.py new file mode 100644 index 0000000..8bde8c6 --- /dev/null +++ b/policycoreutils/gui/templates/var_lib.py @@ -0,0 +1,160 @@ +# Copyright (C) 2007-2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### var_lib Template File ############################# + +########################### Type Enforcement File ############################# +te_types=""" +type TEMPLATETYPE_var_lib_t; +files_type(TEMPLATETYPE_var_lib_t) +""" +te_rules=""" +manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t) +manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t) +files_var_lib_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, { dir file }) +""" + +te_stream_rules="""\ +allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:sock_file manage_sock_file_perms; +files_var_lib_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, sock_file) +""" + + +########################### Interface File ############################# +if_rules=""" +######################################## +## +## Search TEMPLATETYPE lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_search_lib',` + gen_require(` + type TEMPLATETYPE_var_lib_t; + ') + + allow $1 TEMPLATETYPE_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read TEMPLATETYPE lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_read_lib_files',` + gen_require(` + type TEMPLATETYPE_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t) +') + +######################################## +## +## Manage TEMPLATETYPE lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_manage_lib_files',` + gen_require(` + type TEMPLATETYPE_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t) +') + +######################################## +## +## Manage TEMPLATETYPE lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_manage_lib_dirs',` + gen_require(` + type TEMPLATETYPE_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t) +') + +""" + +if_stream_rules=""" +######################################## +## +## Connect to TEMPLATETYPE over a unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_stream_connect',` + gen_require(` + type TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t; + ') + + stream_connect_pattern($1, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t) +') +""" + +if_admin_types=""" + type TEMPLATETYPE_var_lib_t;""" + +if_admin_rules=""" + files_search_var_lib($1) + admin_pattern($1, TEMPLATETYPE_var_lib_t) +""" + +########################### File Context ################################## +fc_file="""\ +FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0) +""" + +fc_sock_file="""\ +FILENAME -s gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0) +""" + +fc_dir="""\ +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0) +""" diff --git a/policycoreutils/gui/templates/var_log.py b/policycoreutils/gui/templates/var_log.py new file mode 100644 index 0000000..b57b93d --- /dev/null +++ b/policycoreutils/gui/templates/var_log.py @@ -0,0 +1,114 @@ +# Copyright (C) 2007-2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### var_log Template File ############################# + +########################### Type Enforcement File ############################# +te_types=""" +type TEMPLATETYPE_log_t; +logging_log_file(TEMPLATETYPE_log_t) +""" + +te_rules=""" +manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t) +manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t) +logging_log_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_log_t, { dir file }) +""" + +########################### Interface File ############################# +if_rules="""\ +######################################## +## +## Read TEMPLATETYPE's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`TEMPLATETYPE_read_log',` + gen_require(` + type TEMPLATETYPE_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t) +') + +######################################## +## +## Append to TEMPLATETYPE log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_append_log',` + gen_require(` + type TEMPLATETYPE_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t) +') + +######################################## +## +## Manage TEMPLATETYPE log files +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_manage_log',` + gen_require(` + type TEMPLATETYPE_log_t; + ') + + logging_search_logs($1) + manage_dirs_pattern($1, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t) + manage_files_pattern($1, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t) + manage_lnk_files_pattern($1, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t) +') +""" + +if_admin_types=""" + type TEMPLATETYPE_log_t;""" + +if_admin_rules=""" + logging_search_logs($1) + admin_pattern($1, TEMPLATETYPE_log_t) +""" + +########################### File Context ################################## +fc_file="""\ +FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_log_t,s0) +""" + +fc_dir="""\ +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_log_t,s0) +""" diff --git a/policycoreutils/gui/templates/var_run.py b/policycoreutils/gui/templates/var_run.py new file mode 100644 index 0000000..916f44c --- /dev/null +++ b/policycoreutils/gui/templates/var_run.py @@ -0,0 +1,101 @@ +# Copyright (C) 2007-2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### var_run Template File ############################# + +te_types=""" +type TEMPLATETYPE_var_run_t; +files_pid_file(TEMPLATETYPE_var_run_t) +""" + +te_rules=""" +manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_run_t, TEMPLATETYPE_var_run_t) +manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_run_t, TEMPLATETYPE_var_run_t) +files_pid_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_var_run_t, { dir file }) +""" + +te_stream_rules=""" +allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:sock_file manage_sock_file_perms; +files_pid_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_var_run_t, sock_file) +""" + +if_rules="""\ +######################################## +## +## Read TEMPLATETYPE PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_read_pid_files',` + gen_require(` + type TEMPLATETYPE_var_run_t; + ') + + files_search_pids($1) + allow $1 TEMPLATETYPE_var_run_t:file read_file_perms; +') + +""" + +if_stream_rules="""\ +######################################## +## +## Connect to TEMPLATETYPE over a unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_stream_connect',` + gen_require(` + type TEMPLATETYPE_t, TEMPLATETYPE_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, TEMPLATETYPE_var_run_t, TEMPLATETYPE_var_run_t, TEMPLATETYPE_t) +') +""" + +if_admin_types=""" + type TEMPLATETYPE_var_run_t;""" + +if_admin_rules=""" + files_search_pids($1) + admin_pattern($1, TEMPLATETYPE_var_run_t) +""" + +fc_file="""\ +FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0) +""" + +fc_sock_file="""\ +FILENAME -s gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0) +""" + +fc_dir="""\ +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0) +""" diff --git a/policycoreutils/gui/templates/var_spool.py b/policycoreutils/gui/templates/var_spool.py new file mode 100644 index 0000000..8055a9e --- /dev/null +++ b/policycoreutils/gui/templates/var_spool.py @@ -0,0 +1,131 @@ +# Copyright (C) 2007-2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### var_spool Template File ############################# + +########################### Type Enforcement File ############################# +te_types=""" +type TEMPLATETYPE_spool_t; +files_type(TEMPLATETYPE_spool_t) +""" +te_rules=""" +manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_spool_t, TEMPLATETYPE_spool_t) +manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_spool_t, TEMPLATETYPE_spool_t) +manage_lnk_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_spool_t, TEMPLATETYPE_spool_t) +files_spool_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_spool_t, { dir file }) +""" + +########################### Interface File ############################# +if_rules=""" +######################################## +## +## Search TEMPLATETYPE spool directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_search_spool',` + gen_require(` + type TEMPLATETYPE_spool_t; + ') + + allow $1 TEMPLATETYPE_spool_t:dir search_dir_perms; + files_search_spool($1) +') + +######################################## +## +## Read TEMPLATETYPE spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_read_spool_files',` + gen_require(` + type TEMPLATETYPE_spool_t; + ') + + files_search_spool($1) + read_files_pattern($1, TEMPLATETYPE_spool_t, TEMPLATETYPE_spool_t) +') + +######################################## +## +## Manage TEMPLATETYPE spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_manage_spool_files',` + gen_require(` + type TEMPLATETYPE_spool_t; + ') + + files_search_spool($1) + manage_files_pattern($1, TEMPLATETYPE_spool_t, TEMPLATETYPE_spool_t) +') + +######################################## +## +## Manage TEMPLATETYPE spool dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_manage_spool_dirs',` + gen_require(` + type TEMPLATETYPE_spool_t; + ') + + files_search_spool($1) + manage_dirs_pattern($1, TEMPLATETYPE_spool_t, TEMPLATETYPE_spool_t) +') + +""" + +if_admin_types=""" + type TEMPLATETYPE_spool_t;""" + +if_admin_rules=""" + files_search_spool($1) + admin_pattern($1, TEMPLATETYPE_spool_t) +""" + +########################### File Context ################################## +fc_file="""\ +FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_spool_t,s0) +""" + +fc_dir="""\ +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_spool_t,s0) +""" diff --git a/policycoreutils/gui/usersPage.py b/policycoreutils/gui/usersPage.py new file mode 100644 index 0000000..17c99df --- /dev/null +++ b/policycoreutils/gui/usersPage.py @@ -0,0 +1,150 @@ +## usersPage.py - show selinux mappings +## Copyright (C) 2006,2007,2008 Red Hat, Inc. + +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. + +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. + +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +## Author: Dan Walsh +import string +import gtk +import gtk.glade +import os +import gobject +import sys +import commands +import seobject +from semanagePage import *; + +## +## I18N +## +PROGNAME="policycoreutils" +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, localedir="/usr/share/locale", unicode=1) +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +class usersPage(semanagePage): + def __init__(self, xml): + semanagePage.__init__(self, xml, "users", _("SELinux User")) + + self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING) + self.view.set_model(self.store) + self.store.set_sort_column_id(0, gtk.SORT_ASCENDING) + + col = gtk.TreeViewColumn(_("SELinux\nUser"), gtk.CellRendererText(), text = 0) + col.set_sort_column_id(0) + col.set_resizable(True) + self.view.append_column(col) + + col = gtk.TreeViewColumn(_("MLS/\nMCS Range"), gtk.CellRendererText(), text = 1) + col.set_resizable(True) + self.view.append_column(col) + + col = gtk.TreeViewColumn(_("SELinux Roles"), gtk.CellRendererText(), text = 2) + col.set_resizable(True) + self.view.append_column(col) + + self.load() + self.selinuxUserEntry = xml.get_widget("selinuxUserEntry") + self.mlsRangeEntry = xml.get_widget("mlsRangeEntry") + self.selinuxRolesEntry = xml.get_widget("selinuxRolesEntry") + + def load(self, filter = ""): + self.filter=filter + self.user = seobject.seluserRecords() + dict = self.user.get_all() + keys = dict.keys() + keys.sort() + self.store.clear() + for k in keys: + range = seobject.translate(dict[k][2]) + if not (self.match(k, filter) or self.match(dict[k][0], filter) or self.match(range, filter) or self.match(dict[k][3], filter)): + continue + + iter = self.store.append() + self.store.set_value(iter, 0, k) + self.store.set_value(iter, 1, range) + self.store.set_value(iter, 2, dict[k][3]) + self.view.get_selection().select_path ((0,)) + + def delete(self): + if semanagePage.delete(self) == gtk.RESPONSE_NO: + return None + + def dialogInit(self): + store, iter = self.view.get_selection().get_selected() + self.selinuxUserEntry.set_text(store.get_value(iter, 0)) + self.selinuxUserEntry.set_sensitive(False) + self.mlsRangeEntry.set_text(store.get_value(iter, 1)) + self.selinuxRolesEntry.set_text(store.get_value(iter, 2)) + + def dialogClear(self): + self.selinuxUserEntry.set_text("") + self.selinuxUserEntry.set_sensitive(True) + self.mlsRangeEntry.set_text("s0") + self.selinuxRolesEntry.set_text("") + + def add(self): + user = self.selinuxUserEntry.get_text() + range = self.mlsRangeEntry.get_text() + roles = self.selinuxRolesEntry.get_text() + + self.wait() + (rc, out) = commands.getstatusoutput("semanage user -a -R '%s' -r %s %s" % (roles, range, user)) + self.ready() + if rc != 0: + self.error(out) + return False + iter = self.store.append() + self.store.set_value(iter, 0, user) + self.store.set_value(iter, 1, range) + self.store.set_value(iter, 2, roles) + + def modify(self): + user = self.selinuxUserEntry.get_text() + range = self.mlsRangeEntry.get_text() + roles = self.selinuxRolesEntry.get_text() + + self.wait() + (rc, out) = commands.getstatusoutput("semanage user -m -R '%s' -r %s %s" % (roles, range, user)) + self.ready() + + if rc != 0: + self.error(out) + return False + self.load(self.filter) + + def delete(self): + store, iter = self.view.get_selection().get_selected() + try: + user=store.get_value(iter, 0) + if user == "root" or user == "user_u": + raise ValueError(_("SELinux user '%s' is required") % user) + + self.wait() + (rc, out) = commands.getstatusoutput("semanage user -d %s" % user) + self.ready() + if rc != 0: + self.error(out) + return False + store.remove(iter) + self.view.get_selection().select_path ((0,)) + except ValueError, e: + self.error(e.args[0]) + diff --git a/policycoreutils/load_policy/Makefile b/policycoreutils/load_policy/Makefile index 5da2e0d..0e9d66f 100644 --- a/policycoreutils/load_policy/Makefile +++ b/policycoreutils/load_policy/Makefile @@ -19,7 +19,7 @@ install: all test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8 install -m 644 load_policy.8 $(MANDIR)/man8/ -mkdir -p $(USRSBINDIR) - -ln -sf /sbin/load_policy $(USRSBINDIR)/load_policy + -ln -s /sbin/load_policy $(USRSBINDIR)/load_policy clean: -rm -f $(TARGETS) *.o diff --git a/policycoreutils/mcstrans/man/man8/mcstransd.8 b/policycoreutils/mcstrans/man/man8/mcstransd.8 index 4c63965..718fd85 100644 --- a/policycoreutils/mcstrans/man/man8/mcstransd.8 +++ b/policycoreutils/mcstrans/man/man8/mcstransd.8 @@ -3,7 +3,7 @@ mcstransd \- MCS (Multiple Category System) daemon. Translates SELinux MCS/MLS labels to human readable form. .SH "SYNOPSIS" -.B mcstransd +.B mcstransd [-f] [-h] .P .SH "DESCRIPTION" @@ -12,6 +12,13 @@ This manual page describes the program. .P This daemon reads /etc/selinux/{SELINUXTYPE}/setrans.conf configuration file, and communicates with libselinux via a socket in /var/run/setrans. +.SH "OPTIONS" +.TP +-f +Run mcstransd in the foreground. Do not run as a daemon. +.TP +-h +Output a short summary of available command line options\&. .SH "AUTHOR" This man page was written by Dan Walsh . diff --git a/policycoreutils/mcstrans/src/mcstransd.c b/policycoreutils/mcstrans/src/mcstransd.c index 26d9be8..a65076d 100644 --- a/policycoreutils/mcstrans/src/mcstransd.c +++ b/policycoreutils/mcstrans/src/mcstransd.c @@ -1,5 +1,4 @@ /* Copyright (c) 2006 Trusted Computer Solutions, Inc. */ - #include #include #include @@ -13,6 +12,7 @@ #include #include #include +#include #include #include #include @@ -556,9 +556,31 @@ void dropprivs(void) cap_free(new_caps); } +static void usage(char *program) +{ + printf("%s [-f] [-h] \n", program); +} + int -main(int UNUSED(argc), char *argv[]) +main(int argc, char *argv[]) { + int opt; + int do_fork = 1; + while ((opt = getopt(argc, argv, "hf")) > 0) { + switch (opt) { + case 'f': + do_fork = 0; + break; + case 'h': + usage(argv[0]); + exit(0); + break; + case '?': + usage(argv[0]); + exit(-1); + } + } + #ifndef DEBUG /* Make sure we are root */ if (getuid() != 0) { @@ -576,7 +598,7 @@ main(int UNUSED(argc), char *argv[]) dropprivs(); /* run in the background as a daemon */ - if (daemon(0, 0)) { + if (do_fork && daemon(0, 0)) { syslog(LOG_ERR, "daemon() failed: %m"); cleanup_exit(1); } diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c index 42f08d0..989817b 100644 --- a/policycoreutils/newrole/newrole.c +++ b/policycoreutils/newrole/newrole.c @@ -543,14 +543,14 @@ static int restore_environment(int preserve_environment, #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV) static int drop_capabilities(int full) { + uid_t uid = getuid(); + if (!uid) return 0; + capng_setpid(getpid()); capng_clear(CAPNG_SELECT_BOTH); if (capng_lock() < 0) return -1; - uid_t uid = getuid(); - if (!uid) return 0; - /* Change uid */ if (setresuid(uid, uid, uid)) { fprintf(stderr, _("Error changing uid, aborting.\n")); @@ -1032,10 +1032,11 @@ int main(int argc, char *argv[]) * if it makes sense to continue to run newrole, and setting up * a scrubbed environment. */ - if (drop_capabilities(FALSE)) { +/* if (drop_capabilities(FALSE)) { perror(_("Sorry, newrole failed to drop capabilities\n")); return -1; } +*/ if (set_signal_handles()) return -1; diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile index a52e4b0..1b8c8c0 100644 --- a/policycoreutils/po/Makefile +++ b/policycoreutils/po/Makefile @@ -45,7 +45,34 @@ POTFILES = \ ../restorecond/stringslist.h \ ../restorecond/restorecond.c \ ../restorecond/utmpwatcher.c \ - ../secon/secon.c \ + ../gui/booleansPage.py \ + ../gui/fcontextPage.py \ + ../gui/loginsPage.py \ + ../gui/mappingsPage.py \ + ../gui/modulesPage.py \ + ../gui/polgen.glade \ + ../gui/polgengui.py \ + ../gui/polgen.py \ + ../gui/portsPage.py \ + ../gui/selinux.tbl \ + ../gui/semanagePage.py \ + ../gui/statusPage.py \ + ../gui/system-config-selinux.glade \ + ../gui/system-config-selinux.py \ + ../gui/usersPage.py \ + ../gui/templates/executable.py \ + ../gui/templates/__init__.py \ + ../gui/templates/network.py \ + ../gui/templates/rw.py \ + ../gui/templates/script.py \ + ../gui/templates/semodule.py \ + ../gui/templates/tmp.py \ + ../gui/templates/user.py \ + ../gui/templates/var_lib.py \ + ../gui/templates/var_log.py \ + ../gui/templates/var_run.py \ + ../gui/templates/var_spool.py \ + ../secon/secon.c #default:: clean diff --git a/policycoreutils/po/POTFILES b/policycoreutils/po/POTFILES index 7d9ad7d..667e394 100644 --- a/policycoreutils/po/POTFILES +++ b/policycoreutils/po/POTFILES @@ -1,26 +1,50 @@ - ../run_init/open_init_pty.c \ - ../run_init/run_init.c \ - ../semodule_link/semodule_link.c \ - ../audit2allow/audit2allow \ - ../semanage/seobject.py \ - ../restorecon/restorecon.c \ - ../setsebool/setsebool.c \ - ../newrole/newrole.c \ - ../load_policy/load_policy.c \ - ../sestatus/sestatus.c \ - ../semodule/semodule.c \ - ../setfiles/setfiles.c \ - ../semodule_package/semodule_package.c \ - ../semodule_deps/semodule_deps.c \ - ../semodule_expand/semodule_expand.c \ - ../scripts/genhomedircon \ - ../scripts/chcat \ - ../scripts/fixfiles \ - ../restorecond/stringslist.c \ - ../restorecond/restorecond.h \ - ../restorecond/utmpwatcher.h \ - ../restorecond/stringslist.h \ - ../restorecond/restorecond.c \ - ../restorecond/utmpwatcher.c \ - ../secon/secon.c \ - + ../run_init/open_init_pty.c + ../run_init/run_init.c + ../semodule_link/semodule_link.c + ../audit2allow/audit2allow + ../semanage/seobject.py + ../setsebool/setsebool.c + ../newrole/newrole.c + ../load_policy/load_policy.c + ../sestatus/sestatus.c + ../semodule/semodule.c + ../setfiles/setfiles.c + ../semodule_package/semodule_package.c + ../semodule_deps/semodule_deps.c + ../semodule_expand/semodule_expand.c + ../scripts/chcat + ../scripts/fixfiles + ../restorecond/stringslist.c + ../restorecond/restorecond.h + ../restorecond/utmpwatcher.h + ../restorecond/stringslist.h + ../restorecond/restorecond.c + ../restorecond/utmpwatcher.c + ../gui/booleansPage.py + ../gui/fcontextPage.py + ../gui/loginsPage.py + ../gui/mappingsPage.py + ../gui/modulesPage.py + ../gui/polgen.glade + ../gui/polgengui.py + ../gui/polgen.py + ../gui/portsPage.py + ../gui/selinux.tbl + ../gui/semanagePage.py + ../gui/statusPage.py + ../gui/system-config-selinux.glade + ../gui/system-config-selinux.py + ../gui/usersPage.py + ../gui/templates/executable.py + ../gui/templates/__init__.py + ../gui/templates/network.py + ../gui/templates/rw.py + ../gui/templates/script.py + ../gui/templates/semodule.py + ../gui/templates/tmp.py + ../gui/templates/user.py + ../gui/templates/var_lib.py + ../gui/templates/var_log.py + ../gui/templates/var_run.py + ../gui/templates/var_spool.py + ../secon/secon.c diff --git a/policycoreutils/po/POTFILES.in b/policycoreutils/po/POTFILES.in index 0cbf0a9..aab1a4e 100644 --- a/policycoreutils/po/POTFILES.in +++ b/policycoreutils/po/POTFILES.in @@ -34,7 +34,6 @@ gui/semanagePage.py gui/statusPage.py gui/system-config-selinux.glade gui/system-config-selinux.py -gui/translationsPage.py gui/usersPage.py gui/templates/executable.py gui/templates/__init__.py diff --git a/policycoreutils/po/af.po b/policycoreutils/po/af.po index afeaa9f..edb1026 100644 --- a/policycoreutils/po/af.po +++ b/policycoreutils/po/af.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2012-03-27 10:49-0400\n" +"POT-Creation-Date: 2012-05-17 16:58-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -90,844 +90,851 @@ msgstr "" msgid "global" msgstr "" -#: ../semanage/seobject.py:222 +#: ../semanage/seobject.py:225 msgid "Could not create semanage handle" msgstr "" -#: ../semanage/seobject.py:230 +#: ../semanage/seobject.py:233 msgid "SELinux policy is not managed or store cannot be accessed." msgstr "" -#: ../semanage/seobject.py:235 +#: ../semanage/seobject.py:238 msgid "Cannot read policy store." msgstr "" -#: ../semanage/seobject.py:240 +#: ../semanage/seobject.py:243 msgid "Could not establish semanage connection" msgstr "" -#: ../semanage/seobject.py:245 +#: ../semanage/seobject.py:248 msgid "Could not test MLS enabled status" msgstr "" -#: ../semanage/seobject.py:251 ../semanage/seobject.py:266 +#: ../semanage/seobject.py:254 ../semanage/seobject.py:269 msgid "Not yet implemented" msgstr "" -#: ../semanage/seobject.py:255 +#: ../semanage/seobject.py:258 msgid "Semanage transaction already in progress" msgstr "" -#: ../semanage/seobject.py:264 +#: ../semanage/seobject.py:267 msgid "Could not start semanage transaction" msgstr "" -#: ../semanage/seobject.py:274 +#: ../semanage/seobject.py:278 msgid "Could not commit semanage transaction" msgstr "" -#: ../semanage/seobject.py:279 +#: ../semanage/seobject.py:283 msgid "Semanage transaction not in progress" msgstr "" -#: ../semanage/seobject.py:291 ../semanage/seobject.py:371 +#: ../semanage/seobject.py:295 ../semanage/seobject.py:375 msgid "Could not list SELinux modules" msgstr "" -#: ../semanage/seobject.py:304 +#: ../semanage/seobject.py:308 msgid "Modules Name" msgstr "" -#: ../semanage/seobject.py:304 +#: ../semanage/seobject.py:308 ../gui/modulesPage.py:62 msgid "Version" msgstr "" -#: ../semanage/seobject.py:307 +#: ../semanage/seobject.py:311 ../gui/statusPage.py:75 msgid "Disabled" msgstr "" -#: ../semanage/seobject.py:322 +#: ../semanage/seobject.py:326 #, python-format msgid "Could not disable module %s (remove failed)" msgstr "" -#: ../semanage/seobject.py:333 +#: ../semanage/seobject.py:337 #, python-format msgid "Could not enable module %s (remove failed)" msgstr "" -#: ../semanage/seobject.py:348 +#: ../semanage/seobject.py:352 #, python-format msgid "Could not remove module %s (remove failed)" msgstr "" -#: ../semanage/seobject.py:358 +#: ../semanage/seobject.py:362 msgid "dontaudit requires either 'on' or 'off'" msgstr "" -#: ../semanage/seobject.py:387 +#: ../semanage/seobject.py:391 msgid "Builtin Permissive Types" msgstr "" -#: ../semanage/seobject.py:397 +#: ../semanage/seobject.py:401 msgid "Customized Permissive Types" msgstr "" -#: ../semanage/seobject.py:438 +#: ../semanage/seobject.py:442 #, python-format msgid "Could not set permissive domain %s (module installation failed)" msgstr "" -#: ../semanage/seobject.py:444 +#: ../semanage/seobject.py:448 #, python-format msgid "Could not remove permissive domain %s (remove failed)" msgstr "" -#: ../semanage/seobject.py:479 ../semanage/seobject.py:553 -#: ../semanage/seobject.py:599 ../semanage/seobject.py:696 -#: ../semanage/seobject.py:726 ../semanage/seobject.py:793 -#: ../semanage/seobject.py:850 ../semanage/seobject.py:1097 -#: ../semanage/seobject.py:1786 ../semanage/seobject.py:1849 -#: ../semanage/seobject.py:1868 ../semanage/seobject.py:1985 -#: ../semanage/seobject.py:2037 +#: ../semanage/seobject.py:483 ../semanage/seobject.py:557 +#: ../semanage/seobject.py:603 ../semanage/seobject.py:700 +#: ../semanage/seobject.py:730 ../semanage/seobject.py:797 +#: ../semanage/seobject.py:854 ../semanage/seobject.py:1101 +#: ../semanage/seobject.py:1790 ../semanage/seobject.py:1853 +#: ../semanage/seobject.py:1872 ../semanage/seobject.py:1993 +#: ../semanage/seobject.py:2045 #, python-format msgid "Could not create a key for %s" msgstr "" -#: ../semanage/seobject.py:483 ../semanage/seobject.py:557 -#: ../semanage/seobject.py:603 ../semanage/seobject.py:609 +#: ../semanage/seobject.py:487 ../semanage/seobject.py:561 +#: ../semanage/seobject.py:607 ../semanage/seobject.py:613 #, python-format msgid "Could not check if login mapping for %s is defined" msgstr "" -#: ../semanage/seobject.py:492 +#: ../semanage/seobject.py:496 #, python-format msgid "Linux Group %s does not exist" msgstr "" -#: ../semanage/seobject.py:497 +#: ../semanage/seobject.py:501 #, python-format msgid "Linux User %s does not exist" msgstr "" -#: ../semanage/seobject.py:501 +#: ../semanage/seobject.py:505 #, python-format msgid "Could not create login mapping for %s" msgstr "" -#: ../semanage/seobject.py:505 ../semanage/seobject.py:741 +#: ../semanage/seobject.py:509 ../semanage/seobject.py:745 #, python-format msgid "Could not set name for %s" msgstr "" -#: ../semanage/seobject.py:510 ../semanage/seobject.py:751 +#: ../semanage/seobject.py:514 ../semanage/seobject.py:755 #, python-format msgid "Could not set MLS range for %s" msgstr "" -#: ../semanage/seobject.py:514 +#: ../semanage/seobject.py:518 #, python-format msgid "Could not set SELinux user for %s" msgstr "" -#: ../semanage/seobject.py:518 +#: ../semanage/seobject.py:522 #, python-format msgid "Could not add login mapping for %s" msgstr "" -#: ../semanage/seobject.py:536 +#: ../semanage/seobject.py:540 msgid "Requires seuser or serange" msgstr "" -#: ../semanage/seobject.py:559 ../semanage/seobject.py:605 +#: ../semanage/seobject.py:563 ../semanage/seobject.py:609 #, python-format msgid "Login mapping for %s is not defined" msgstr "" -#: ../semanage/seobject.py:563 +#: ../semanage/seobject.py:567 #, python-format msgid "Could not query seuser for %s" msgstr "" -#: ../semanage/seobject.py:577 +#: ../semanage/seobject.py:581 #, python-format msgid "Could not modify login mapping for %s" msgstr "" -#: ../semanage/seobject.py:611 +#: ../semanage/seobject.py:615 #, python-format msgid "Login mapping for %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:615 +#: ../semanage/seobject.py:619 #, python-format msgid "Could not delete login mapping for %s" msgstr "" -#: ../semanage/seobject.py:637 ../semanage/seobject.py:655 -#: ../semanage/seobject.py:893 +#: ../semanage/seobject.py:641 ../semanage/seobject.py:659 +#: ../semanage/seobject.py:897 msgid "Could not list login mappings" msgstr "" -#: ../semanage/seobject.py:680 ../semanage/seobject.py:685 +#: ../semanage/seobject.py:684 ../semanage/seobject.py:689 +#: ../gui/system-config-selinux.glade:100 msgid "Login Name" msgstr "" -#: ../semanage/seobject.py:680 ../semanage/seobject.py:685 -#: ../semanage/seobject.py:943 ../semanage/seobject.py:948 +#: ../semanage/seobject.py:684 ../semanage/seobject.py:689 +#: ../semanage/seobject.py:947 ../semanage/seobject.py:952 +#: ../gui/system-config-selinux.glade:128 +#: ../gui/system-config-selinux.glade:915 +#: ../gui/system-config-selinux.glade:2285 ../gui/usersPage.py:44 msgid "SELinux User" msgstr "" -#: ../semanage/seobject.py:680 +#: ../semanage/seobject.py:684 ../gui/system-config-selinux.glade:156 +#: ../gui/system-config-selinux.glade:943 msgid "MLS/MCS Range" msgstr "" -#: ../semanage/seobject.py:699 ../semanage/seobject.py:730 -#: ../semanage/seobject.py:797 ../semanage/seobject.py:854 -#: ../semanage/seobject.py:860 +#: ../semanage/seobject.py:703 ../semanage/seobject.py:734 +#: ../semanage/seobject.py:801 ../semanage/seobject.py:858 +#: ../semanage/seobject.py:864 #, python-format msgid "Could not check if SELinux user %s is defined" msgstr "" -#: ../semanage/seobject.py:702 ../semanage/seobject.py:803 -#: ../semanage/seobject.py:866 +#: ../semanage/seobject.py:706 ../semanage/seobject.py:807 +#: ../semanage/seobject.py:870 #, python-format msgid "Could not query user for %s" msgstr "" -#: ../semanage/seobject.py:722 +#: ../semanage/seobject.py:726 #, python-format msgid "You must add at least one role for %s" msgstr "" -#: ../semanage/seobject.py:737 +#: ../semanage/seobject.py:741 #, python-format msgid "Could not create SELinux user for %s" msgstr "" -#: ../semanage/seobject.py:746 +#: ../semanage/seobject.py:750 #, python-format msgid "Could not add role %s for %s" msgstr "" -#: ../semanage/seobject.py:755 +#: ../semanage/seobject.py:759 #, python-format msgid "Could not set MLS level for %s" msgstr "" -#: ../semanage/seobject.py:758 +#: ../semanage/seobject.py:762 #, python-format msgid "Could not add prefix %s for %s" msgstr "" -#: ../semanage/seobject.py:761 +#: ../semanage/seobject.py:765 #, python-format msgid "Could not extract key for %s" msgstr "" -#: ../semanage/seobject.py:765 +#: ../semanage/seobject.py:769 #, python-format msgid "Could not add SELinux user %s" msgstr "" -#: ../semanage/seobject.py:787 +#: ../semanage/seobject.py:791 msgid "Requires prefix, roles, level or range" msgstr "" -#: ../semanage/seobject.py:789 +#: ../semanage/seobject.py:793 msgid "Requires prefix or roles" msgstr "" -#: ../semanage/seobject.py:799 ../semanage/seobject.py:856 +#: ../semanage/seobject.py:803 ../semanage/seobject.py:860 #, python-format msgid "SELinux user %s is not defined" msgstr "" -#: ../semanage/seobject.py:828 +#: ../semanage/seobject.py:832 #, python-format msgid "Could not modify SELinux user %s" msgstr "" -#: ../semanage/seobject.py:862 +#: ../semanage/seobject.py:866 #, python-format msgid "SELinux user %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:873 +#: ../semanage/seobject.py:877 #, python-format msgid "Could not delete SELinux user %s" msgstr "" -#: ../semanage/seobject.py:911 +#: ../semanage/seobject.py:915 msgid "Could not list SELinux users" msgstr "" -#: ../semanage/seobject.py:917 +#: ../semanage/seobject.py:921 #, python-format msgid "Could not list roles for user %s" msgstr "" -#: ../semanage/seobject.py:942 +#: ../semanage/seobject.py:946 msgid "Labeling" msgstr "" -#: ../semanage/seobject.py:942 +#: ../semanage/seobject.py:946 msgid "MLS/" msgstr "" -#: ../semanage/seobject.py:943 +#: ../semanage/seobject.py:947 msgid "Prefix" msgstr "" -#: ../semanage/seobject.py:943 +#: ../semanage/seobject.py:947 msgid "MCS Level" msgstr "" -#: ../semanage/seobject.py:943 +#: ../semanage/seobject.py:947 msgid "MCS Range" msgstr "" -#: ../semanage/seobject.py:943 ../semanage/seobject.py:948 +#: ../semanage/seobject.py:947 ../semanage/seobject.py:952 +#: ../gui/system-config-selinux.glade:992 ../gui/usersPage.py:59 msgid "SELinux Roles" msgstr "" -#: ../semanage/seobject.py:963 +#: ../semanage/seobject.py:967 msgid "Protocol udp or tcp is required" msgstr "" -#: ../semanage/seobject.py:965 +#: ../semanage/seobject.py:969 msgid "Port is required" msgstr "" -#: ../semanage/seobject.py:975 +#: ../semanage/seobject.py:979 msgid "Invalid Port" msgstr "" -#: ../semanage/seobject.py:979 +#: ../semanage/seobject.py:983 #, python-format msgid "Could not create a key for %s/%s" msgstr "" -#: ../semanage/seobject.py:990 +#: ../semanage/seobject.py:994 msgid "Type is required" msgstr "" -#: ../semanage/seobject.py:996 ../semanage/seobject.py:1055 -#: ../semanage/seobject.py:1110 ../semanage/seobject.py:1116 +#: ../semanage/seobject.py:1000 ../semanage/seobject.py:1059 +#: ../semanage/seobject.py:1114 ../semanage/seobject.py:1120 #, python-format msgid "Could not check if port %s/%s is defined" msgstr "" -#: ../semanage/seobject.py:998 +#: ../semanage/seobject.py:1002 #, python-format msgid "Port %s/%s already defined" msgstr "" -#: ../semanage/seobject.py:1002 +#: ../semanage/seobject.py:1006 #, python-format msgid "Could not create port for %s/%s" msgstr "" -#: ../semanage/seobject.py:1008 +#: ../semanage/seobject.py:1012 #, python-format msgid "Could not create context for %s/%s" msgstr "" -#: ../semanage/seobject.py:1012 +#: ../semanage/seobject.py:1016 #, python-format msgid "Could not set user in port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:1016 +#: ../semanage/seobject.py:1020 #, python-format msgid "Could not set role in port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:1020 +#: ../semanage/seobject.py:1024 #, python-format msgid "Could not set type in port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:1025 +#: ../semanage/seobject.py:1029 #, python-format msgid "Could not set mls fields in port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:1029 +#: ../semanage/seobject.py:1033 #, python-format msgid "Could not set port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:1033 +#: ../semanage/seobject.py:1037 #, python-format msgid "Could not add port %s/%s" msgstr "" -#: ../semanage/seobject.py:1047 ../semanage/seobject.py:1312 -#: ../semanage/seobject.py:1508 +#: ../semanage/seobject.py:1051 ../semanage/seobject.py:1316 +#: ../semanage/seobject.py:1512 msgid "Requires setype or serange" msgstr "" -#: ../semanage/seobject.py:1049 +#: ../semanage/seobject.py:1053 msgid "Requires setype" msgstr "" -#: ../semanage/seobject.py:1057 ../semanage/seobject.py:1112 +#: ../semanage/seobject.py:1061 ../semanage/seobject.py:1116 #, python-format msgid "Port %s/%s is not defined" msgstr "" -#: ../semanage/seobject.py:1061 +#: ../semanage/seobject.py:1065 #, python-format msgid "Could not query port %s/%s" msgstr "" -#: ../semanage/seobject.py:1072 +#: ../semanage/seobject.py:1076 #, python-format msgid "Could not modify port %s/%s" msgstr "" -#: ../semanage/seobject.py:1085 +#: ../semanage/seobject.py:1089 msgid "Could not list the ports" msgstr "" -#: ../semanage/seobject.py:1101 +#: ../semanage/seobject.py:1105 #, python-format msgid "Could not delete the port %s" msgstr "" -#: ../semanage/seobject.py:1118 +#: ../semanage/seobject.py:1122 #, python-format msgid "Port %s/%s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:1122 +#: ../semanage/seobject.py:1126 #, python-format msgid "Could not delete port %s/%s" msgstr "" -#: ../semanage/seobject.py:1138 ../semanage/seobject.py:1160 +#: ../semanage/seobject.py:1142 ../semanage/seobject.py:1164 msgid "Could not list ports" msgstr "" -#: ../semanage/seobject.py:1199 +#: ../semanage/seobject.py:1203 msgid "SELinux Port Type" msgstr "" -#: ../semanage/seobject.py:1199 +#: ../semanage/seobject.py:1203 msgid "Proto" msgstr "" -#: ../semanage/seobject.py:1199 +#: ../semanage/seobject.py:1203 ../gui/system-config-selinux.glade:335 msgid "Port Number" msgstr "" -#: ../semanage/seobject.py:1218 +#: ../semanage/seobject.py:1222 msgid "Node Address is required" msgstr "" -#: ../semanage/seobject.py:1233 +#: ../semanage/seobject.py:1237 msgid "Unknown or missing protocol" msgstr "" -#: ../semanage/seobject.py:1247 ../semanage/seobject.py:1446 -#: ../semanage/seobject.py:1724 +#: ../semanage/seobject.py:1251 ../semanage/seobject.py:1450 +#: ../semanage/seobject.py:1728 msgid "SELinux Type is required" msgstr "" -#: ../semanage/seobject.py:1251 ../semanage/seobject.py:1316 -#: ../semanage/seobject.py:1352 ../semanage/seobject.py:1450 -#: ../semanage/seobject.py:1512 ../semanage/seobject.py:1546 -#: ../semanage/seobject.py:1728 +#: ../semanage/seobject.py:1255 ../semanage/seobject.py:1320 +#: ../semanage/seobject.py:1356 ../semanage/seobject.py:1454 +#: ../semanage/seobject.py:1516 ../semanage/seobject.py:1550 +#: ../semanage/seobject.py:1732 #, python-format msgid "Could not create key for %s" msgstr "" -#: ../semanage/seobject.py:1253 ../semanage/seobject.py:1320 -#: ../semanage/seobject.py:1356 ../semanage/seobject.py:1362 +#: ../semanage/seobject.py:1257 ../semanage/seobject.py:1324 +#: ../semanage/seobject.py:1360 ../semanage/seobject.py:1366 #, python-format msgid "Could not check if addr %s is defined" msgstr "" -#: ../semanage/seobject.py:1262 +#: ../semanage/seobject.py:1266 #, python-format msgid "Could not create addr for %s" msgstr "" -#: ../semanage/seobject.py:1268 ../semanage/seobject.py:1466 -#: ../semanage/seobject.py:1686 +#: ../semanage/seobject.py:1272 ../semanage/seobject.py:1470 +#: ../semanage/seobject.py:1690 #, python-format msgid "Could not create context for %s" msgstr "" -#: ../semanage/seobject.py:1272 +#: ../semanage/seobject.py:1276 #, python-format msgid "Could not set mask for %s" msgstr "" -#: ../semanage/seobject.py:1276 +#: ../semanage/seobject.py:1280 #, python-format msgid "Could not set user in addr context for %s" msgstr "" -#: ../semanage/seobject.py:1280 +#: ../semanage/seobject.py:1284 #, python-format msgid "Could not set role in addr context for %s" msgstr "" -#: ../semanage/seobject.py:1284 +#: ../semanage/seobject.py:1288 #, python-format msgid "Could not set type in addr context for %s" msgstr "" -#: ../semanage/seobject.py:1289 +#: ../semanage/seobject.py:1293 #, python-format msgid "Could not set mls fields in addr context for %s" msgstr "" -#: ../semanage/seobject.py:1293 +#: ../semanage/seobject.py:1297 #, python-format msgid "Could not set addr context for %s" msgstr "" -#: ../semanage/seobject.py:1297 +#: ../semanage/seobject.py:1301 #, python-format msgid "Could not add addr %s" msgstr "" -#: ../semanage/seobject.py:1322 ../semanage/seobject.py:1358 +#: ../semanage/seobject.py:1326 ../semanage/seobject.py:1362 #, python-format msgid "Addr %s is not defined" msgstr "" -#: ../semanage/seobject.py:1326 +#: ../semanage/seobject.py:1330 #, python-format msgid "Could not query addr %s" msgstr "" -#: ../semanage/seobject.py:1336 +#: ../semanage/seobject.py:1340 #, python-format msgid "Could not modify addr %s" msgstr "" -#: ../semanage/seobject.py:1364 +#: ../semanage/seobject.py:1368 #, python-format msgid "Addr %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:1368 +#: ../semanage/seobject.py:1372 #, python-format msgid "Could not delete addr %s" msgstr "" -#: ../semanage/seobject.py:1380 +#: ../semanage/seobject.py:1384 msgid "Could not deleteall node mappings" msgstr "" -#: ../semanage/seobject.py:1394 +#: ../semanage/seobject.py:1398 msgid "Could not list addrs" msgstr "" -#: ../semanage/seobject.py:1454 ../semanage/seobject.py:1516 -#: ../semanage/seobject.py:1550 ../semanage/seobject.py:1556 +#: ../semanage/seobject.py:1458 ../semanage/seobject.py:1520 +#: ../semanage/seobject.py:1554 ../semanage/seobject.py:1560 #, python-format msgid "Could not check if interface %s is defined" msgstr "" -#: ../semanage/seobject.py:1461 +#: ../semanage/seobject.py:1465 #, python-format msgid "Could not create interface for %s" msgstr "" -#: ../semanage/seobject.py:1470 +#: ../semanage/seobject.py:1474 #, python-format msgid "Could not set user in interface context for %s" msgstr "" -#: ../semanage/seobject.py:1474 +#: ../semanage/seobject.py:1478 #, python-format msgid "Could not set role in interface context for %s" msgstr "" -#: ../semanage/seobject.py:1478 +#: ../semanage/seobject.py:1482 #, python-format msgid "Could not set type in interface context for %s" msgstr "" -#: ../semanage/seobject.py:1483 +#: ../semanage/seobject.py:1487 #, python-format msgid "Could not set mls fields in interface context for %s" msgstr "" -#: ../semanage/seobject.py:1487 +#: ../semanage/seobject.py:1491 #, python-format msgid "Could not set interface context for %s" msgstr "" -#: ../semanage/seobject.py:1491 +#: ../semanage/seobject.py:1495 #, python-format msgid "Could not set message context for %s" msgstr "" -#: ../semanage/seobject.py:1495 +#: ../semanage/seobject.py:1499 #, python-format msgid "Could not add interface %s" msgstr "" -#: ../semanage/seobject.py:1518 ../semanage/seobject.py:1552 +#: ../semanage/seobject.py:1522 ../semanage/seobject.py:1556 #, python-format msgid "Interface %s is not defined" msgstr "" -#: ../semanage/seobject.py:1522 +#: ../semanage/seobject.py:1526 #, python-format msgid "Could not query interface %s" msgstr "" -#: ../semanage/seobject.py:1533 +#: ../semanage/seobject.py:1537 #, python-format msgid "Could not modify interface %s" msgstr "" -#: ../semanage/seobject.py:1558 +#: ../semanage/seobject.py:1562 #, python-format msgid "Interface %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:1562 +#: ../semanage/seobject.py:1566 #, python-format msgid "Could not delete interface %s" msgstr "" -#: ../semanage/seobject.py:1574 +#: ../semanage/seobject.py:1578 msgid "Could not delete all interface mappings" msgstr "" -#: ../semanage/seobject.py:1588 +#: ../semanage/seobject.py:1592 msgid "Could not list interfaces" msgstr "" -#: ../semanage/seobject.py:1613 +#: ../semanage/seobject.py:1617 msgid "SELinux Interface" msgstr "" -#: ../semanage/seobject.py:1613 ../semanage/seobject.py:1936 +#: ../semanage/seobject.py:1617 ../semanage/seobject.py:1944 msgid "Context" msgstr "" -#: ../semanage/seobject.py:1663 +#: ../semanage/seobject.py:1667 #, python-format msgid "Equivalence class for %s already exists" msgstr "" -#: ../semanage/seobject.py:1669 +#: ../semanage/seobject.py:1673 #, python-format msgid "File spec %s conflicts with equivalency rule '%s %s'" msgstr "" -#: ../semanage/seobject.py:1678 +#: ../semanage/seobject.py:1682 #, python-format msgid "Equivalence class for %s does not exists" msgstr "" -#: ../semanage/seobject.py:1692 +#: ../semanage/seobject.py:1696 #, python-format msgid "Could not set user in file context for %s" msgstr "" -#: ../semanage/seobject.py:1696 +#: ../semanage/seobject.py:1700 #, python-format msgid "Could not set role in file context for %s" msgstr "" -#: ../semanage/seobject.py:1701 ../semanage/seobject.py:1758 +#: ../semanage/seobject.py:1705 ../semanage/seobject.py:1762 #, python-format msgid "Could not set mls fields in file context for %s" msgstr "" -#: ../semanage/seobject.py:1707 +#: ../semanage/seobject.py:1711 msgid "Invalid file specification" msgstr "" -#: ../semanage/seobject.py:1709 +#: ../semanage/seobject.py:1713 msgid "File specification can not include spaces" msgstr "" -#: ../semanage/seobject.py:1714 +#: ../semanage/seobject.py:1718 #, python-format msgid "" "File spec %s conflicts with equivalency rule '%s %s'; Try adding '%s' instead" msgstr "" -#: ../semanage/seobject.py:1732 ../semanage/seobject.py:1737 -#: ../semanage/seobject.py:1790 ../semanage/seobject.py:1872 -#: ../semanage/seobject.py:1876 +#: ../semanage/seobject.py:1736 ../semanage/seobject.py:1741 +#: ../semanage/seobject.py:1794 ../semanage/seobject.py:1876 +#: ../semanage/seobject.py:1880 #, python-format msgid "Could not check if file context for %s is defined" msgstr "" -#: ../semanage/seobject.py:1745 +#: ../semanage/seobject.py:1749 #, python-format msgid "Could not create file context for %s" msgstr "" -#: ../semanage/seobject.py:1753 +#: ../semanage/seobject.py:1757 #, python-format msgid "Could not set type in file context for %s" msgstr "" -#: ../semanage/seobject.py:1761 ../semanage/seobject.py:1818 -#: ../semanage/seobject.py:1822 +#: ../semanage/seobject.py:1765 ../semanage/seobject.py:1822 +#: ../semanage/seobject.py:1826 #, python-format msgid "Could not set file context for %s" msgstr "" -#: ../semanage/seobject.py:1767 +#: ../semanage/seobject.py:1771 #, python-format msgid "Could not add file context for %s" msgstr "" -#: ../semanage/seobject.py:1781 +#: ../semanage/seobject.py:1785 msgid "Requires setype, serange or seuser" msgstr "" -#: ../semanage/seobject.py:1794 ../semanage/seobject.py:1880 +#: ../semanage/seobject.py:1798 ../semanage/seobject.py:1884 #, python-format msgid "File context for %s is not defined" msgstr "" -#: ../semanage/seobject.py:1800 +#: ../semanage/seobject.py:1804 #, python-format msgid "Could not query file context for %s" msgstr "" -#: ../semanage/seobject.py:1826 +#: ../semanage/seobject.py:1830 #, python-format msgid "Could not modify file context for %s" msgstr "" -#: ../semanage/seobject.py:1839 +#: ../semanage/seobject.py:1843 msgid "Could not list the file contexts" msgstr "" -#: ../semanage/seobject.py:1853 +#: ../semanage/seobject.py:1857 #, python-format msgid "Could not delete the file context %s" msgstr "" -#: ../semanage/seobject.py:1878 +#: ../semanage/seobject.py:1882 #, python-format msgid "File context for %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:1884 +#: ../semanage/seobject.py:1888 #, python-format msgid "Could not delete file context for %s" msgstr "" -#: ../semanage/seobject.py:1899 +#: ../semanage/seobject.py:1903 msgid "Could not list file contexts" msgstr "" -#: ../semanage/seobject.py:1903 +#: ../semanage/seobject.py:1907 msgid "Could not list local file contexts" msgstr "" -#: ../semanage/seobject.py:1936 +#: ../semanage/seobject.py:1944 msgid "SELinux fcontext" msgstr "" -#: ../semanage/seobject.py:1936 +#: ../semanage/seobject.py:1944 msgid "type" msgstr "" -#: ../semanage/seobject.py:1949 +#: ../semanage/seobject.py:1957 msgid "" "\n" "SELinux Distribution fcontext Equivalence \n" msgstr "" -#: ../semanage/seobject.py:1954 +#: ../semanage/seobject.py:1962 msgid "" "\n" "SELinux Local fcontext Equivalence \n" msgstr "" -#: ../semanage/seobject.py:1988 ../semanage/seobject.py:2040 -#: ../semanage/seobject.py:2046 +#: ../semanage/seobject.py:1996 ../semanage/seobject.py:2048 +#: ../semanage/seobject.py:2054 #, python-format msgid "Could not check if boolean %s is defined" msgstr "" -#: ../semanage/seobject.py:1990 ../semanage/seobject.py:2042 +#: ../semanage/seobject.py:1998 ../semanage/seobject.py:2050 #, python-format msgid "Boolean %s is not defined" msgstr "" -#: ../semanage/seobject.py:1994 +#: ../semanage/seobject.py:2002 #, python-format msgid "Could not query file context %s" msgstr "" -#: ../semanage/seobject.py:1999 +#: ../semanage/seobject.py:2007 #, python-format msgid "You must specify one of the following values: %s" msgstr "" -#: ../semanage/seobject.py:2004 +#: ../semanage/seobject.py:2012 #, python-format msgid "Could not set active value of boolean %s" msgstr "" -#: ../semanage/seobject.py:2007 +#: ../semanage/seobject.py:2015 #, python-format msgid "Could not modify boolean %s" msgstr "" -#: ../semanage/seobject.py:2025 +#: ../semanage/seobject.py:2033 #, python-format msgid "Bad format %s: Record %s" msgstr "" -#: ../semanage/seobject.py:2048 +#: ../semanage/seobject.py:2056 #, python-format msgid "Boolean %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:2052 +#: ../semanage/seobject.py:2060 #, python-format msgid "Could not delete boolean %s" msgstr "" -#: ../semanage/seobject.py:2064 ../semanage/seobject.py:2081 +#: ../semanage/seobject.py:2072 ../semanage/seobject.py:2089 msgid "Could not list booleans" msgstr "" -#: ../semanage/seobject.py:2104 +#: ../semanage/seobject.py:2112 msgid "unknown" msgstr "" -#: ../semanage/seobject.py:2117 +#: ../semanage/seobject.py:2125 msgid "off" msgstr "" -#: ../semanage/seobject.py:2117 +#: ../semanage/seobject.py:2125 msgid "on" msgstr "" -#: ../semanage/seobject.py:2131 +#: ../semanage/seobject.py:2139 msgid "SELinux boolean" msgstr "" -#: ../semanage/seobject.py:2131 +#: ../semanage/seobject.py:2139 msgid "State" msgstr "" -#: ../semanage/seobject.py:2131 +#: ../semanage/seobject.py:2139 msgid "Default" msgstr "" -#: ../semanage/seobject.py:2131 +#: ../semanage/seobject.py:2139 ../gui/polgen.glade:3355 +#: ../gui/polgengui.py:253 msgid "Description" msgstr "" @@ -1264,7 +1271,2088 @@ msgstr "" msgid "chcat -l +CompanyConfidential juser" msgstr "" -#: ../scripts/chcat:399 -#, c-format +#: ../scripts/chcat:399 ../gui/polgen.py:1351 +#, c-format, python-format msgid "Options Error %s " msgstr "" + +#: ../gui/booleansPage.py:186 ../gui/system-config-selinux.glade:1706 +msgid "Boolean" +msgstr "" + +#: ../gui/booleansPage.py:241 ../gui/semanagePage.py:162 +msgid "all" +msgstr "" + +#: ../gui/booleansPage.py:243 ../gui/semanagePage.py:164 +#: ../gui/system-config-selinux.glade:1615 +#: ../gui/system-config-selinux.glade:1820 +#: ../gui/system-config-selinux.glade:2437 +msgid "Customized" +msgstr "" + +#: ../gui/fcontextPage.py:64 ../gui/system-config-selinux.glade:1911 +msgid "File Labeling" +msgstr "" + +#: ../gui/fcontextPage.py:74 +msgid "" +"File\n" +"Specification" +msgstr "" + +#: ../gui/fcontextPage.py:81 +msgid "" +"Selinux\n" +"File Type" +msgstr "" + +#: ../gui/fcontextPage.py:88 +msgid "" +"File\n" +"Type" +msgstr "" + +#: ../gui/loginsPage.py:48 ../gui/system-config-selinux.glade:2098 +msgid "User Mapping" +msgstr "" + +#: ../gui/loginsPage.py:52 +msgid "" +"Login\n" +"Name" +msgstr "" + +#: ../gui/loginsPage.py:56 ../gui/usersPage.py:50 +msgid "" +"SELinux\n" +"User" +msgstr "" + +#: ../gui/loginsPage.py:59 ../gui/usersPage.py:55 +msgid "" +"MLS/\n" +"MCS Range" +msgstr "" + +#: ../gui/loginsPage.py:133 +#, python-format +msgid "Login '%s' is required" +msgstr "" + +#: ../gui/modulesPage.py:48 ../gui/system-config-selinux.glade:2753 +msgid "Policy Module" +msgstr "" + +#: ../gui/modulesPage.py:57 +msgid "Module Name" +msgstr "" + +#: ../gui/modulesPage.py:134 +msgid "Disable Audit" +msgstr "" + +#: ../gui/modulesPage.py:137 ../gui/system-config-selinux.glade:2662 +msgid "Enable Audit" +msgstr "" + +#: ../gui/modulesPage.py:162 +msgid "Load Policy Module" +msgstr "" + +#: ../gui/polgen.glade:79 +msgid "Polgen" +msgstr "" + +#: ../gui/polgen.glade:80 +msgid "Red Hat 2007" +msgstr "" + +#: ../gui/polgen.glade:81 +msgid "GPL" +msgstr "" + +#. TRANSLATORS: Replace this string with your names, one name per line. +#: ../gui/polgen.glade:85 ../gui/system-config-selinux.glade:17 +msgid "translator-credits" +msgstr "" + +#: ../gui/polgen.glade:90 +msgid "SELinux Policy Generation Tool" +msgstr "" + +#: ../gui/polgen.glade:128 +msgid "" +"Select the policy type for the application or user role you want to " +"confine:" +msgstr "" + +#: ../gui/polgen.glade:177 +msgid "Applications" +msgstr "" + +#: ../gui/polgen.glade:239 ../gui/polgen.glade:259 +msgid "" +"Standard Init Daemon are daemons started on boot via init scripts. Usually " +"requires a script in /etc/rc.d/init.d" +msgstr "" + +#: ../gui/polgen.glade:241 ../gui/polgen.py:156 +msgid "Standard Init Daemon" +msgstr "" + +#: ../gui/polgen.glade:261 ../gui/polgen.py:157 +msgid "DBUS System Daemon" +msgstr "" + +#: ../gui/polgen.glade:280 +msgid "Internet Services Daemon are daemons started by xinetd" +msgstr "" + +#: ../gui/polgen.glade:282 +msgid "Internet Services Daemon (inetd)" +msgstr "" + +#: ../gui/polgen.glade:301 +msgid "" +"Web Applications/Script (CGI) CGI scripts started by the web server (apache)" +msgstr "" + +#: ../gui/polgen.glade:303 ../gui/polgen.py:159 +msgid "Web Application/Script (CGI)" +msgstr "" + +#: ../gui/polgen.glade:322 ../gui/polgen.glade:343 +msgid "" +"User Application are any application that you would like to confine that is " +"started by a user" +msgstr "" + +#: ../gui/polgen.glade:324 ../gui/polgen.py:160 +msgid "User Application" +msgstr "" + +#: ../gui/polgen.glade:345 ../gui/polgen.py:161 +msgid "Sandbox" +msgstr "" + +#: ../gui/polgen.glade:391 +msgid "Login Users" +msgstr "" + +#: ../gui/polgen.glade:453 +msgid "Modify an existing login user record." +msgstr "" + +#: ../gui/polgen.glade:455 +msgid "Existing User Roles" +msgstr "" + +#: ../gui/polgen.glade:474 +msgid "" +"This user will login to a machine only via a terminal or remote login. By " +"default this user will have no setuid, no networking, no su, no sudo." +msgstr "" + +#: ../gui/polgen.glade:476 ../gui/polgen.py:162 +msgid "Minimal Terminal User Role" +msgstr "" + +#: ../gui/polgen.glade:495 +msgid "" +"This user can login to a machine via X or terminal. By default this user " +"will have no setuid, no networking, no sudo, no su" +msgstr "" + +#: ../gui/polgen.glade:497 ../gui/polgen.py:163 +msgid "Minimal X Windows User Role" +msgstr "" + +#: ../gui/polgen.glade:516 +msgid "" +"User with full networking, no setuid applications without transition, no " +"sudo, no su." +msgstr "" + +#: ../gui/polgen.glade:518 ../gui/polgen.py:164 +msgid "User Role" +msgstr "" + +#: ../gui/polgen.glade:537 +msgid "" +"User with full networking, no setuid applications without transition, no su, " +"can sudo to Root Administration Roles" +msgstr "" + +#: ../gui/polgen.glade:539 ../gui/polgen.py:165 +msgid "Admin User Role" +msgstr "" + +#: ../gui/polgen.glade:585 +msgid "Root Users" +msgstr "" + +#: ../gui/polgen.glade:647 +msgid "" +"Select Root Administrator User Role, if this user will be used to administer " +"the machine while running as root. This user will not be able to login to " +"the system directly." +msgstr "" + +#: ../gui/polgen.glade:649 ../gui/polgen.py:166 +msgid "Root Admin User Role" +msgstr "" + +#: ../gui/polgen.glade:716 +msgid "label104" +msgstr "" + +#: ../gui/polgen.glade:745 +msgid "Enter name of application or user role:" +msgstr "" + +#: ../gui/polgen.glade:779 ../gui/polgengui.py:251 +msgid "Name" +msgstr "" + +#: ../gui/polgen.glade:807 +msgid "Enter complete path for executable to be confined." +msgstr "" + +#: ../gui/polgen.glade:830 ../gui/polgen.glade:950 ../gui/polgen.glade:3142 +msgid "..." +msgstr "" + +#: ../gui/polgen.glade:849 +msgid "Enter unique name for the confined application or user role." +msgstr "" + +#: ../gui/polgen.glade:871 +msgid "Executable" +msgstr "" + +#: ../gui/polgen.glade:899 +msgid "Init script" +msgstr "" + +#: ../gui/polgen.glade:927 +msgid "" +"Enter complete path to init script used to start the confined application." +msgstr "" + +#: ../gui/polgen.glade:982 +msgid "label105" +msgstr "" + +#: ../gui/polgen.glade:1011 +msgid "Select existing role to modify:" +msgstr "" + +#: ../gui/polgen.glade:1045 +msgid "Select the user roles that will transiton to the %s domain." +msgstr "" + +#: ../gui/polgen.glade:1073 +msgid "label106" +msgstr "" + +#: ../gui/polgen.glade:1102 +msgid "Select roles that %s will transition to:" +msgstr "" + +#: ../gui/polgen.glade:1136 +msgid "Select applications domains that %s will transition to." +msgstr "" + +#: ../gui/polgen.glade:1164 +msgid "label107" +msgstr "" + +#: ../gui/polgen.glade:1193 +msgid "Select the user_roles that will transition to %s:" +msgstr "" + +#: ../gui/polgen.glade:1227 +msgid "Select the user roles that will transiton to this applications domains." +msgstr "" + +#: ../gui/polgen.glade:1255 +msgid "label108" +msgstr "" + +#: ../gui/polgen.glade:1284 +msgid "Select domains that %s will administer:" +msgstr "" + +#: ../gui/polgen.glade:1318 ../gui/polgen.glade:1409 +msgid "Select the domains that you would like this user administer." +msgstr "" + +#: ../gui/polgen.glade:1346 +msgid "label109" +msgstr "" + +#: ../gui/polgen.glade:1375 +msgid "Select additional roles for %s:" +msgstr "" + +#: ../gui/polgen.glade:1437 +msgid "label111" +msgstr "" + +#: ../gui/polgen.glade:1466 +msgid "Enter network ports that %s binds on:" +msgstr "" + +#: ../gui/polgen.glade:1497 ../gui/polgen.glade:1997 +msgid "TCP Ports" +msgstr "" + +#: ../gui/polgen.glade:1565 ../gui/polgen.glade:1785 +msgid "Allows %s to bind to any udp port" +msgstr "" + +#: ../gui/polgen.glade:1567 ../gui/polgen.glade:1787 ../gui/polgen.glade:2061 +#: ../gui/polgen.glade:2215 +msgid "All" +msgstr "" + +#: ../gui/polgen.glade:1585 ../gui/polgen.glade:1805 +msgid "Allow %s to call bindresvport with 0. Binding to port 600-1024" +msgstr "" + +#: ../gui/polgen.glade:1587 ../gui/polgen.glade:1807 +msgid "600-1024" +msgstr "" + +#: ../gui/polgen.glade:1605 ../gui/polgen.glade:1825 +msgid "" +"Enter a comma separated list of udp ports or ranges of ports that %s binds " +"to. Example: 612, 650-660" +msgstr "" + +#: ../gui/polgen.glade:1607 ../gui/polgen.glade:1827 +msgid "Unreserved Ports (>1024)" +msgstr "" + +#: ../gui/polgen.glade:1638 ../gui/polgen.glade:1858 ../gui/polgen.glade:2079 +#: ../gui/polgen.glade:2233 +msgid "Select Ports" +msgstr "" + +#: ../gui/polgen.glade:1663 ../gui/polgen.glade:1883 +msgid "Allows %s to bind to any udp ports > 1024" +msgstr "" + +#: ../gui/polgen.glade:1717 ../gui/polgen.glade:2151 +msgid "UDP Ports" +msgstr "" + +#: ../gui/polgen.glade:1937 +msgid "label113" +msgstr "" + +#: ../gui/polgen.glade:1966 +msgid "Select network ports that %s connects to:" +msgstr "" + +#: ../gui/polgen.glade:2058 +msgid "Allows %s to connect to any tcp port" +msgstr "" + +#: ../gui/polgen.glade:2104 +msgid "" +"Enter a comma separated list of tcp ports or ranges of ports that %s " +"connects to. Example: 612, 650-660" +msgstr "" + +#: ../gui/polgen.glade:2212 +msgid "Allows %s to connect to any udp port" +msgstr "" + +#: ../gui/polgen.glade:2258 +msgid "" +"Enter a comma separated list of udp ports or ranges of ports that %s " +"connects to. Example: 612, 650-660" +msgstr "" + +#: ../gui/polgen.glade:2305 +msgid "label114" +msgstr "" + +#: ../gui/polgen.glade:2334 +msgid "Select common application traits for %s:" +msgstr "" + +#: ../gui/polgen.glade:2366 +msgid "Writes syslog messages\t" +msgstr "" + +#: ../gui/polgen.glade:2385 +msgid "Create/Manipulate temporary files in /tmp" +msgstr "" + +#: ../gui/polgen.glade:2404 +msgid "Uses Pam for authentication" +msgstr "" + +#: ../gui/polgen.glade:2423 +msgid "Uses nsswitch or getpw* calls" +msgstr "" + +#: ../gui/polgen.glade:2442 +msgid "Uses dbus" +msgstr "" + +#: ../gui/polgen.glade:2461 +msgid "Sends audit messages" +msgstr "" + +#: ../gui/polgen.glade:2480 +msgid "Interacts with the terminal" +msgstr "" + +#: ../gui/polgen.glade:2499 +msgid "Sends email" +msgstr "" + +#: ../gui/polgen.glade:2530 +msgid "label115" +msgstr "" + +#: ../gui/polgen.glade:2559 +msgid "Add files/directories that %s manages" +msgstr "" + +#: ../gui/polgen.glade:2788 +msgid "" +"Files/Directories which the %s \"manages\". Pid Files, Log Files, /var/lib " +"Files ..." +msgstr "" + +#: ../gui/polgen.glade:2823 +msgid "label116" +msgstr "" + +#: ../gui/polgen.glade:2852 +msgid "Add booleans from the %s policy:" +msgstr "" + +#: ../gui/polgen.glade:3002 +msgid "Add/Remove booleans used by the %s domain" +msgstr "" + +#: ../gui/polgen.glade:3066 +msgid "Which directory you will generate the %s policy?" +msgstr "" + +#: ../gui/polgen.glade:3097 +msgid "Policy Directory" +msgstr "" + +#: ../gui/polgen.glade:3254 +msgid "Add Booleans Dialog" +msgstr "" + +#: ../gui/polgen.glade:3327 +msgid "Boolean Name" +msgstr "" + +#: ../gui/polgengui.py:261 +msgid "Role" +msgstr "" + +#: ../gui/polgengui.py:268 +msgid "Existing_User" +msgstr "" + +#: ../gui/polgengui.py:282 ../gui/polgengui.py:290 ../gui/polgengui.py:304 +msgid "Application" +msgstr "" + +#: ../gui/polgengui.py:352 +#, python-format +msgid "%s must be a directory" +msgstr "" + +#: ../gui/polgengui.py:412 ../gui/polgengui.py:693 +msgid "You must select a user" +msgstr "" + +#: ../gui/polgengui.py:542 +msgid "Select executable file to be confined." +msgstr "" + +#: ../gui/polgengui.py:553 +msgid "Select init script file to be confined." +msgstr "" + +#: ../gui/polgengui.py:563 +msgid "Select file(s) that confined application creates or writes" +msgstr "" + +#: ../gui/polgengui.py:570 +msgid "Select directory(s) that the confined application owns and writes into" +msgstr "" + +#: ../gui/polgengui.py:632 +msgid "Select directory to generate policy files in" +msgstr "" + +#: ../gui/polgengui.py:649 +#, python-format +msgid "" +"Type %s_t already defined in current policy.\n" +"Do you want to continue?" +msgstr "" + +#: ../gui/polgengui.py:649 ../gui/polgengui.py:653 +msgid "Verify Name" +msgstr "" + +#: ../gui/polgengui.py:653 +#, python-format +msgid "" +"Module %s.pp already loaded in current policy.\n" +"Do you want to continue?" +msgstr "" + +#: ../gui/polgengui.py:699 +msgid "" +"You must add a name made up of letters and numbers and containing no spaces." +msgstr "" + +#: ../gui/polgengui.py:713 +msgid "You must enter a executable" +msgstr "" + +#: ../gui/polgengui.py:738 ../gui/system-config-selinux.py:174 +msgid "Configue SELinux" +msgstr "" + +#: ../gui/polgen.py:158 +msgid "Internet Services Daemon" +msgstr "" + +#: ../gui/polgen.py:197 +#, python-format +msgid "Ports must be numbers or ranges of numbers from 1 to %d " +msgstr "" + +#: ../gui/polgen.py:324 +msgid "You must enter a name for your confined process/user" +msgstr "" + +#: ../gui/polgen.py:326 +msgid "" +"Name must be alpha numberic with no spaces. Consider using option \"-n " +"MODULENAME\"" +msgstr "" + +#: ../gui/polgen.py:414 +msgid "User Role types can not be assigned executables." +msgstr "" + +#: ../gui/polgen.py:420 +msgid "Only Daemon apps can use an init script.." +msgstr "" + +#: ../gui/polgen.py:438 +msgid "use_resolve must be a boolean value " +msgstr "" + +#: ../gui/polgen.py:444 +msgid "use_syslog must be a boolean value " +msgstr "" + +#: ../gui/polgen.py:450 +msgid "use_kerberos must be a boolean value " +msgstr "" + +#: ../gui/polgen.py:456 +msgid "manage_krb5_rcache must be a boolean value " +msgstr "" + +#: ../gui/polgen.py:486 +msgid "USER Types automatically get a tmp type" +msgstr "" + +#: ../gui/polgen.py:1004 +msgid "You must enter the executable path for your confined process" +msgstr "" + +#: ../gui/polgen.py:1182 +msgid "Type Enforcement file" +msgstr "" + +#: ../gui/polgen.py:1183 +msgid "Interface file" +msgstr "" + +#: ../gui/polgen.py:1184 +msgid "File Contexts file" +msgstr "" + +#: ../gui/polgen.py:1185 +msgid "Setup Script" +msgstr "" + +#: ../gui/polgen.py:1306 +#, python-format +msgid "" +"\n" +"%s\n" +"\n" +"sepolgen [ -n moduleName ] [ -m ] [ -t type ] [ executable | Name ]\n" +"valid Types:\n" +msgstr "" + +#: ../gui/polgen.py:1354 +msgid "Executable or Name required" +msgstr "" + +#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528 +msgid "Network Port" +msgstr "" + +#: ../gui/portsPage.py:85 +msgid "" +"SELinux Port\n" +"Type" +msgstr "" + +#: ../gui/portsPage.py:91 ../gui/system-config-selinux.glade:363 +msgid "Protocol" +msgstr "" + +#: ../gui/portsPage.py:96 ../gui/system-config-selinux.glade:479 +msgid "" +"MLS/MCS\n" +"Level" +msgstr "" + +#: ../gui/portsPage.py:101 +msgid "Port" +msgstr "" + +#: ../gui/portsPage.py:207 +#, python-format +msgid "Port number \"%s\" is not valid. 0 < PORT_NUMBER < 65536 " +msgstr "" + +#: ../gui/portsPage.py:252 +msgid "List View" +msgstr "" + +#: ../gui/portsPage.py:255 ../gui/system-config-selinux.glade:2419 +msgid "Group View" +msgstr "" + +#: ../gui/selinux.tbl:1 ../gui/selinux.tbl:30 ../gui/selinux.tbl:31 +#: ../gui/selinux.tbl:32 ../gui/selinux.tbl:33 ../gui/selinux.tbl:34 +#: ../gui/selinux.tbl:36 ../gui/selinux.tbl:37 ../gui/selinux.tbl:38 +#: ../gui/selinux.tbl:39 ../gui/selinux.tbl:40 ../gui/selinux.tbl:42 +#: ../gui/selinux.tbl:43 ../gui/selinux.tbl:44 ../gui/selinux.tbl:45 +#: ../gui/selinux.tbl:46 ../gui/selinux.tbl:47 ../gui/selinux.tbl:48 +#: ../gui/selinux.tbl:49 ../gui/selinux.tbl:50 ../gui/selinux.tbl:51 +#: ../gui/selinux.tbl:52 ../gui/selinux.tbl:53 ../gui/selinux.tbl:59 +#: ../gui/selinux.tbl:60 ../gui/selinux.tbl:61 ../gui/selinux.tbl:62 +#: ../gui/selinux.tbl:63 ../gui/selinux.tbl:64 ../gui/selinux.tbl:65 +#: ../gui/selinux.tbl:66 ../gui/selinux.tbl:67 ../gui/selinux.tbl:68 +#: ../gui/selinux.tbl:69 ../gui/selinux.tbl:75 ../gui/selinux.tbl:76 +#: ../gui/selinux.tbl:77 ../gui/selinux.tbl:78 ../gui/selinux.tbl:79 +#: ../gui/selinux.tbl:80 ../gui/selinux.tbl:81 ../gui/selinux.tbl:82 +#: ../gui/selinux.tbl:83 ../gui/selinux.tbl:84 ../gui/selinux.tbl:86 +#: ../gui/selinux.tbl:88 ../gui/selinux.tbl:89 ../gui/selinux.tbl:90 +#: ../gui/selinux.tbl:92 ../gui/selinux.tbl:94 ../gui/selinux.tbl:95 +#: ../gui/selinux.tbl:96 ../gui/selinux.tbl:97 ../gui/selinux.tbl:98 +#: ../gui/selinux.tbl:99 ../gui/selinux.tbl:100 ../gui/selinux.tbl:101 +#: ../gui/selinux.tbl:102 ../gui/selinux.tbl:103 ../gui/selinux.tbl:104 +#: ../gui/selinux.tbl:106 ../gui/selinux.tbl:108 ../gui/selinux.tbl:109 +#: ../gui/selinux.tbl:110 ../gui/selinux.tbl:111 ../gui/selinux.tbl:112 +#: ../gui/selinux.tbl:113 ../gui/selinux.tbl:114 ../gui/selinux.tbl:116 +#: ../gui/selinux.tbl:117 ../gui/selinux.tbl:119 ../gui/selinux.tbl:121 +#: ../gui/selinux.tbl:123 ../gui/selinux.tbl:124 ../gui/selinux.tbl:127 +#: ../gui/selinux.tbl:129 ../gui/selinux.tbl:130 ../gui/selinux.tbl:131 +#: ../gui/selinux.tbl:132 ../gui/selinux.tbl:133 ../gui/selinux.tbl:134 +#: ../gui/selinux.tbl:135 ../gui/selinux.tbl:136 ../gui/selinux.tbl:137 +#: ../gui/selinux.tbl:138 ../gui/selinux.tbl:139 ../gui/selinux.tbl:142 +#: ../gui/selinux.tbl:143 ../gui/selinux.tbl:144 ../gui/selinux.tbl:145 +#: ../gui/selinux.tbl:146 ../gui/selinux.tbl:147 ../gui/selinux.tbl:148 +#: ../gui/selinux.tbl:149 ../gui/selinux.tbl:150 ../gui/selinux.tbl:151 +#: ../gui/selinux.tbl:152 ../gui/selinux.tbl:154 ../gui/selinux.tbl:155 +#: ../gui/selinux.tbl:156 ../gui/selinux.tbl:157 ../gui/selinux.tbl:158 +#: ../gui/selinux.tbl:159 ../gui/selinux.tbl:160 ../gui/selinux.tbl:167 +#: ../gui/selinux.tbl:171 ../gui/selinux.tbl:172 ../gui/selinux.tbl:173 +#: ../gui/selinux.tbl:174 ../gui/selinux.tbl:175 ../gui/selinux.tbl:177 +#: ../gui/selinux.tbl:178 ../gui/selinux.tbl:179 ../gui/selinux.tbl:180 +#: ../gui/selinux.tbl:184 ../gui/selinux.tbl:192 ../gui/selinux.tbl:193 +#: ../gui/selinux.tbl:194 ../gui/selinux.tbl:195 ../gui/selinux.tbl:196 +#: ../gui/selinux.tbl:197 ../gui/selinux.tbl:198 ../gui/selinux.tbl:199 +#: ../gui/selinux.tbl:200 ../gui/selinux.tbl:201 ../gui/selinux.tbl:206 +#: ../gui/selinux.tbl:207 ../gui/selinux.tbl:218 ../gui/selinux.tbl:219 +#: ../gui/selinux.tbl:220 ../gui/selinux.tbl:222 ../gui/selinux.tbl:224 +#: ../gui/selinux.tbl:226 ../gui/selinux.tbl:227 ../gui/selinux.tbl:230 +msgid "SELinux Service Protection" +msgstr "" + +#: ../gui/selinux.tbl:1 +msgid "Disable SELinux protection for acct daemon" +msgstr "" + +#: ../gui/selinux.tbl:2 ../gui/selinux.tbl:3 ../gui/selinux.tbl:70 +#: ../gui/selinux.tbl:153 ../gui/selinux.tbl:168 ../gui/selinux.tbl:169 +#: ../gui/selinux.tbl:170 ../gui/selinux.tbl:189 ../gui/selinux.tbl:202 +#: ../gui/selinux.tbl:203 ../gui/selinux.tbl:204 ../gui/selinux.tbl:205 +msgid "Admin" +msgstr "" + +#: ../gui/selinux.tbl:2 +msgid "Allow all daemons to write corefiles to /" +msgstr "" + +#: ../gui/selinux.tbl:3 +msgid "Allow all daemons the ability to use unallocated ttys" +msgstr "" + +#: ../gui/selinux.tbl:4 ../gui/selinux.tbl:5 ../gui/selinux.tbl:11 +#: ../gui/selinux.tbl:12 ../gui/selinux.tbl:13 ../gui/selinux.tbl:15 +#: ../gui/selinux.tbl:20 ../gui/selinux.tbl:41 ../gui/selinux.tbl:208 +#: ../gui/selinux.tbl:210 ../gui/selinux.tbl:211 ../gui/selinux.tbl:212 +#: ../gui/selinux.tbl:213 ../gui/selinux.tbl:214 ../gui/selinux.tbl:215 +#: ../gui/selinux.tbl:216 ../gui/selinux.tbl:217 +msgid "User Privs" +msgstr "" + +#: ../gui/selinux.tbl:4 +msgid "" +"Allow gadmin SELinux user account to execute files in home directory or /tmp" +msgstr "" + +#: ../gui/selinux.tbl:5 +msgid "" +"Allow guest SELinux user account to execute files in home directory or /tmp" +msgstr "" + +#: ../gui/selinux.tbl:6 ../gui/selinux.tbl:9 ../gui/selinux.tbl:16 +msgid "Memory Protection" +msgstr "" + +#: ../gui/selinux.tbl:6 +msgid "Allow java executable stack" +msgstr "" + +#: ../gui/selinux.tbl:7 ../gui/selinux.tbl:8 ../gui/selinux.tbl:35 +#: ../gui/selinux.tbl:209 +msgid "Mount" +msgstr "" + +#: ../gui/selinux.tbl:7 +msgid "Allow mount to mount any file" +msgstr "" + +#: ../gui/selinux.tbl:8 +msgid "Allow mount to mount any directory" +msgstr "" + +#: ../gui/selinux.tbl:9 +msgid "Allow mplayer executable stack" +msgstr "" + +#: ../gui/selinux.tbl:10 ../gui/selinux.tbl:162 ../gui/selinux.tbl:187 +#: ../gui/selinux.tbl:188 +msgid "SSH" +msgstr "" + +#: ../gui/selinux.tbl:10 +msgid "Allow ssh to run ssh-keysign" +msgstr "" + +#: ../gui/selinux.tbl:11 +msgid "" +"Allow staff SELinux user account to execute files in home directory or /tmp" +msgstr "" + +#: ../gui/selinux.tbl:12 +msgid "" +"Allow sysadm SELinux user account to execute files in home directory or /tmp" +msgstr "" + +#: ../gui/selinux.tbl:13 +msgid "" +"Allow unconfined SELinux user account to execute files in home directory or /" +"tmp" +msgstr "" + +#: ../gui/selinux.tbl:14 +msgid "Network Configuration" +msgstr "" + +#: ../gui/selinux.tbl:14 +msgid "Allow unlabeled packets to flow on the network" +msgstr "" + +#: ../gui/selinux.tbl:15 +msgid "" +"Allow user SELinux user account to execute files in home directory or /tmp" +msgstr "" + +#: ../gui/selinux.tbl:16 +msgid "Allow unconfined to dyntrans to unconfined_execmem" +msgstr "" + +#: ../gui/selinux.tbl:17 ../gui/selinux.tbl:18 ../gui/selinux.tbl:120 +#: ../gui/selinux.tbl:140 +msgid "Databases" +msgstr "" + +#: ../gui/selinux.tbl:17 +msgid "Allow user to connect to mysql socket" +msgstr "" + +#: ../gui/selinux.tbl:18 +msgid "Allow user to connect to postgres socket" +msgstr "" + +#: ../gui/selinux.tbl:19 ../gui/selinux.tbl:165 ../gui/selinux.tbl:223 +msgid "XServer" +msgstr "" + +#: ../gui/selinux.tbl:19 +msgid "Allow clients to write to X shared memory" +msgstr "" + +#: ../gui/selinux.tbl:20 +msgid "" +"Allow xguest SELinux user account to execute files in home directory or /tmp" +msgstr "" + +#: ../gui/selinux.tbl:21 ../gui/selinux.tbl:228 ../gui/selinux.tbl:229 +#: ../gui/selinux.tbl:231 +msgid "NIS" +msgstr "" + +#: ../gui/selinux.tbl:21 +msgid "Allow daemons to run with NIS" +msgstr "" + +#: ../gui/selinux.tbl:22 ../gui/selinux.tbl:23 ../gui/selinux.tbl:24 +#: ../gui/selinux.tbl:25 ../gui/selinux.tbl:26 ../gui/selinux.tbl:27 +#: ../gui/selinux.tbl:28 ../gui/selinux.tbl:29 ../gui/selinux.tbl:71 +#: ../gui/selinux.tbl:73 ../gui/selinux.tbl:74 ../gui/selinux.tbl:115 +#: ../gui/selinux.tbl:118 +msgid "Web Applications" +msgstr "" + +#: ../gui/selinux.tbl:22 +msgid "Transition staff SELinux user to Web Browser Domain" +msgstr "" + +#: ../gui/selinux.tbl:23 +msgid "Transition sysadm SELinux user to Web Browser Domain" +msgstr "" + +#: ../gui/selinux.tbl:24 +msgid "Transition user SELinux user to Web Browser Domain" +msgstr "" + +#: ../gui/selinux.tbl:25 +msgid "Transition xguest SELinux user to Web Browser Domain" +msgstr "" + +#: ../gui/selinux.tbl:26 ../gui/selinux.tbl:27 ../gui/selinux.tbl:28 +#: ../gui/selinux.tbl:29 +msgid "Allow staff Web Browsers to write to home directories" +msgstr "" + +#: ../gui/selinux.tbl:30 +msgid "Disable SELinux protection for amanda" +msgstr "" + +#: ../gui/selinux.tbl:31 +msgid "Disable SELinux protection for amavis" +msgstr "" + +#: ../gui/selinux.tbl:32 +msgid "Disable SELinux protection for apmd daemon" +msgstr "" + +#: ../gui/selinux.tbl:33 +msgid "Disable SELinux protection for arpwatch daemon" +msgstr "" + +#: ../gui/selinux.tbl:34 +msgid "Disable SELinux protection for auditd daemon" +msgstr "" + +#: ../gui/selinux.tbl:35 +msgid "Disable SELinux protection for automount daemon" +msgstr "" + +#: ../gui/selinux.tbl:36 +msgid "Disable SELinux protection for avahi" +msgstr "" + +#: ../gui/selinux.tbl:37 +msgid "Disable SELinux protection for bluetooth daemon" +msgstr "" + +#: ../gui/selinux.tbl:38 +msgid "Disable SELinux protection for canna daemon" +msgstr "" + +#: ../gui/selinux.tbl:39 +msgid "Disable SELinux protection for cardmgr daemon" +msgstr "" + +#: ../gui/selinux.tbl:40 +msgid "Disable SELinux protection for Cluster Server" +msgstr "" + +#: ../gui/selinux.tbl:41 +msgid "" +"Allow cdrecord to read various content. nfs, samba, removable devices, user " +"temp and untrusted content files" +msgstr "" + +#: ../gui/selinux.tbl:42 +msgid "Disable SELinux protection for ciped daemon" +msgstr "" + +#: ../gui/selinux.tbl:43 +msgid "Disable SELinux protection for clamd daemon" +msgstr "" + +#: ../gui/selinux.tbl:44 +msgid "Disable SELinux protection for clamscan" +msgstr "" + +#: ../gui/selinux.tbl:45 +msgid "Disable SELinux protection for clvmd" +msgstr "" + +#: ../gui/selinux.tbl:46 +msgid "Disable SELinux protection for comsat daemon" +msgstr "" + +#: ../gui/selinux.tbl:47 ../gui/selinux.tbl:48 ../gui/selinux.tbl:49 +#: ../gui/selinux.tbl:50 ../gui/selinux.tbl:51 +msgid "Disable SELinux protection for courier daemon" +msgstr "" + +#: ../gui/selinux.tbl:52 +msgid "Disable SELinux protection for cpucontrol daemon" +msgstr "" + +#: ../gui/selinux.tbl:53 +msgid "Disable SELinux protection for cpuspeed daemon" +msgstr "" + +#: ../gui/selinux.tbl:54 +msgid "Cron" +msgstr "" + +#: ../gui/selinux.tbl:54 +msgid "Disable SELinux protection for crond daemon" +msgstr "" + +#: ../gui/selinux.tbl:55 ../gui/selinux.tbl:56 ../gui/selinux.tbl:57 +#: ../gui/selinux.tbl:91 +msgid "Printing" +msgstr "" + +#: ../gui/selinux.tbl:55 +msgid "Disable SELinux protection for cupsd back end server" +msgstr "" + +#: ../gui/selinux.tbl:56 +msgid "Disable SELinux protection for cupsd daemon" +msgstr "" + +#: ../gui/selinux.tbl:57 +msgid "Disable SELinux protection for cupsd_lpd" +msgstr "" + +#: ../gui/selinux.tbl:58 +msgid "CVS" +msgstr "" + +#: ../gui/selinux.tbl:58 +msgid "Disable SELinux protection for cvs daemon" +msgstr "" + +#: ../gui/selinux.tbl:59 +msgid "Disable SELinux protection for cyrus daemon" +msgstr "" + +#: ../gui/selinux.tbl:60 +msgid "Disable SELinux protection for dbskkd daemon" +msgstr "" + +#: ../gui/selinux.tbl:61 +msgid "Disable SELinux protection for dbusd daemon" +msgstr "" + +#: ../gui/selinux.tbl:62 +msgid "Disable SELinux protection for dccd" +msgstr "" + +#: ../gui/selinux.tbl:63 +msgid "Disable SELinux protection for dccifd" +msgstr "" + +#: ../gui/selinux.tbl:64 +msgid "Disable SELinux protection for dccm" +msgstr "" + +#: ../gui/selinux.tbl:65 +msgid "Disable SELinux protection for ddt daemon" +msgstr "" + +#: ../gui/selinux.tbl:66 +msgid "Disable SELinux protection for devfsd daemon" +msgstr "" + +#: ../gui/selinux.tbl:67 +msgid "Disable SELinux protection for dhcpc daemon" +msgstr "" + +#: ../gui/selinux.tbl:68 +msgid "Disable SELinux protection for dhcpd daemon" +msgstr "" + +#: ../gui/selinux.tbl:69 +msgid "Disable SELinux protection for dictd daemon" +msgstr "" + +#: ../gui/selinux.tbl:70 +msgid "Allow sysadm_t to directly start daemons" +msgstr "" + +#: ../gui/selinux.tbl:71 +msgid "Disable SELinux protection for Evolution" +msgstr "" + +#: ../gui/selinux.tbl:72 +msgid "Games" +msgstr "" + +#: ../gui/selinux.tbl:72 +msgid "Disable SELinux protection for games" +msgstr "" + +#: ../gui/selinux.tbl:73 +msgid "Disable SELinux protection for the web browsers" +msgstr "" + +#: ../gui/selinux.tbl:74 +msgid "Disable SELinux protection for Thunderbird" +msgstr "" + +#: ../gui/selinux.tbl:75 +msgid "Disable SELinux protection for distccd daemon" +msgstr "" + +#: ../gui/selinux.tbl:76 +msgid "Disable SELinux protection for dmesg daemon" +msgstr "" + +#: ../gui/selinux.tbl:77 +msgid "Disable SELinux protection for dnsmasq daemon" +msgstr "" + +#: ../gui/selinux.tbl:78 +msgid "Disable SELinux protection for dovecot daemon" +msgstr "" + +#: ../gui/selinux.tbl:79 +msgid "Disable SELinux protection for entropyd daemon" +msgstr "" + +#: ../gui/selinux.tbl:80 +msgid "Disable SELinux protection for fetchmail" +msgstr "" + +#: ../gui/selinux.tbl:81 +msgid "Disable SELinux protection for fingerd daemon" +msgstr "" + +#: ../gui/selinux.tbl:82 +msgid "Disable SELinux protection for freshclam daemon" +msgstr "" + +#: ../gui/selinux.tbl:83 +msgid "Disable SELinux protection for fsdaemon daemon" +msgstr "" + +#: ../gui/selinux.tbl:84 +msgid "Disable SELinux protection for gpm daemon" +msgstr "" + +#: ../gui/selinux.tbl:85 ../gui/selinux.tbl:125 +msgid "NFS" +msgstr "" + +#: ../gui/selinux.tbl:85 +msgid "Disable SELinux protection for gss daemon" +msgstr "" + +#: ../gui/selinux.tbl:86 +msgid "Disable SELinux protection for Hal daemon" +msgstr "" + +#: ../gui/selinux.tbl:87 +msgid "Compatibility" +msgstr "" + +#: ../gui/selinux.tbl:87 +msgid "" +"Do not audit things that we know to be broken but which are not security " +"risks" +msgstr "" + +#: ../gui/selinux.tbl:88 +msgid "Disable SELinux protection for hostname daemon" +msgstr "" + +#: ../gui/selinux.tbl:89 +msgid "Disable SELinux protection for hotplug daemon" +msgstr "" + +#: ../gui/selinux.tbl:90 +msgid "Disable SELinux protection for howl daemon" +msgstr "" + +#: ../gui/selinux.tbl:91 +msgid "Disable SELinux protection for cups hplip daemon" +msgstr "" + +#: ../gui/selinux.tbl:92 +msgid "Disable SELinux protection for httpd rotatelogs" +msgstr "" + +#: ../gui/selinux.tbl:93 ../gui/selinux.tbl:232 ../gui/selinux.tbl:233 +msgid "HTTPD Service" +msgstr "" + +#: ../gui/selinux.tbl:93 +msgid "Disable SELinux protection for http suexec" +msgstr "" + +#: ../gui/selinux.tbl:94 +msgid "Disable SELinux protection for hwclock daemon" +msgstr "" + +#: ../gui/selinux.tbl:95 +msgid "Disable SELinux protection for i18n daemon" +msgstr "" + +#: ../gui/selinux.tbl:96 +msgid "Disable SELinux protection for imazesrv daemon" +msgstr "" + +#: ../gui/selinux.tbl:97 +msgid "Disable SELinux protection for inetd child daemons" +msgstr "" + +#: ../gui/selinux.tbl:98 +msgid "Disable SELinux protection for inetd daemon" +msgstr "" + +#: ../gui/selinux.tbl:99 +msgid "Disable SELinux protection for innd daemon" +msgstr "" + +#: ../gui/selinux.tbl:100 +msgid "Disable SELinux protection for iptables daemon" +msgstr "" + +#: ../gui/selinux.tbl:101 +msgid "Disable SELinux protection for ircd daemon" +msgstr "" + +#: ../gui/selinux.tbl:102 +msgid "Disable SELinux protection for irqbalance daemon" +msgstr "" + +#: ../gui/selinux.tbl:103 +msgid "Disable SELinux protection for iscsi daemon" +msgstr "" + +#: ../gui/selinux.tbl:104 +msgid "Disable SELinux protection for jabberd daemon" +msgstr "" + +#: ../gui/selinux.tbl:105 ../gui/selinux.tbl:107 +msgid "Kerberos" +msgstr "" + +#: ../gui/selinux.tbl:105 +msgid "Disable SELinux protection for kadmind daemon" +msgstr "" + +#: ../gui/selinux.tbl:106 +msgid "Disable SELinux protection for klogd daemon" +msgstr "" + +#: ../gui/selinux.tbl:107 +msgid "Disable SELinux protection for krb5kdc daemon" +msgstr "" + +#: ../gui/selinux.tbl:108 +msgid "Disable SELinux protection for ktalk daemons" +msgstr "" + +#: ../gui/selinux.tbl:109 +msgid "Disable SELinux protection for kudzu daemon" +msgstr "" + +#: ../gui/selinux.tbl:110 +msgid "Disable SELinux protection for locate daemon" +msgstr "" + +#: ../gui/selinux.tbl:111 +msgid "Disable SELinux protection for lpd daemon" +msgstr "" + +#: ../gui/selinux.tbl:112 +msgid "Disable SELinux protection for lrrd daemon" +msgstr "" + +#: ../gui/selinux.tbl:113 +msgid "Disable SELinux protection for lvm daemon" +msgstr "" + +#: ../gui/selinux.tbl:114 +msgid "Disable SELinux protection for mailman" +msgstr "" + +#: ../gui/selinux.tbl:115 +msgid "Allow evolution and thunderbird to read user files" +msgstr "" + +#: ../gui/selinux.tbl:116 +msgid "Disable SELinux protection for mdadm daemon" +msgstr "" + +#: ../gui/selinux.tbl:117 +msgid "Disable SELinux protection for monopd daemon" +msgstr "" + +#: ../gui/selinux.tbl:118 +msgid "Allow the mozilla browser to read user files" +msgstr "" + +#: ../gui/selinux.tbl:119 +msgid "Disable SELinux protection for mrtg daemon" +msgstr "" + +#: ../gui/selinux.tbl:120 +msgid "Disable SELinux protection for mysqld daemon" +msgstr "" + +#: ../gui/selinux.tbl:121 +msgid "Disable SELinux protection for nagios daemon" +msgstr "" + +#: ../gui/selinux.tbl:122 ../gui/selinux.tbl:128 +msgid "Name Service" +msgstr "" + +#: ../gui/selinux.tbl:122 +msgid "Disable SELinux protection for named daemon" +msgstr "" + +#: ../gui/selinux.tbl:123 +msgid "Disable SELinux protection for nessusd daemon" +msgstr "" + +#: ../gui/selinux.tbl:124 +msgid "Disable SELinux protection for NetworkManager" +msgstr "" + +#: ../gui/selinux.tbl:125 +msgid "Disable SELinux protection for nfsd daemon" +msgstr "" + +#: ../gui/selinux.tbl:126 ../gui/selinux.tbl:163 ../gui/selinux.tbl:176 +#: ../gui/selinux.tbl:221 +msgid "Samba" +msgstr "" + +#: ../gui/selinux.tbl:126 +msgid "Disable SELinux protection for nmbd daemon" +msgstr "" + +#: ../gui/selinux.tbl:127 +msgid "Disable SELinux protection for nrpe daemon" +msgstr "" + +#: ../gui/selinux.tbl:128 +msgid "Disable SELinux protection for nscd daemon" +msgstr "" + +#: ../gui/selinux.tbl:129 +msgid "Disable SELinux protection for nsd daemon" +msgstr "" + +#: ../gui/selinux.tbl:130 +msgid "Disable SELinux protection for ntpd daemon" +msgstr "" + +#: ../gui/selinux.tbl:131 +msgid "Disable SELinux protection for oddjob" +msgstr "" + +#: ../gui/selinux.tbl:132 +msgid "Disable SELinux protection for oddjob_mkhomedir" +msgstr "" + +#: ../gui/selinux.tbl:133 +msgid "Disable SELinux protection for openvpn daemon" +msgstr "" + +#: ../gui/selinux.tbl:134 +msgid "Disable SELinux protection for pam daemon" +msgstr "" + +#: ../gui/selinux.tbl:135 +msgid "Disable SELinux protection for pegasus" +msgstr "" + +#: ../gui/selinux.tbl:136 +msgid "Disable SELinux protection for perdition daemon" +msgstr "" + +#: ../gui/selinux.tbl:137 +msgid "Disable SELinux protection for portmap daemon" +msgstr "" + +#: ../gui/selinux.tbl:138 +msgid "Disable SELinux protection for portslave daemon" +msgstr "" + +#: ../gui/selinux.tbl:139 +msgid "Disable SELinux protection for postfix" +msgstr "" + +#: ../gui/selinux.tbl:140 +msgid "Disable SELinux protection for postgresql daemon" +msgstr "" + +#: ../gui/selinux.tbl:141 +msgid "pppd" +msgstr "" + +#: ../gui/selinux.tbl:141 +msgid "Allow pppd to be run for a regular user" +msgstr "" + +#: ../gui/selinux.tbl:142 +msgid "Disable SELinux protection for pptp" +msgstr "" + +#: ../gui/selinux.tbl:143 +msgid "Disable SELinux protection for prelink daemon" +msgstr "" + +#: ../gui/selinux.tbl:144 +msgid "Disable SELinux protection for privoxy daemon" +msgstr "" + +#: ../gui/selinux.tbl:145 +msgid "Disable SELinux protection for ptal daemon" +msgstr "" + +#: ../gui/selinux.tbl:146 +msgid "Disable SELinux protection for pxe daemon" +msgstr "" + +#: ../gui/selinux.tbl:147 +msgid "Disable SELinux protection for pyzord" +msgstr "" + +#: ../gui/selinux.tbl:148 +msgid "Disable SELinux protection for quota daemon" +msgstr "" + +#: ../gui/selinux.tbl:149 +msgid "Disable SELinux protection for radiusd daemon" +msgstr "" + +#: ../gui/selinux.tbl:150 +msgid "Disable SELinux protection for radvd daemon" +msgstr "" + +#: ../gui/selinux.tbl:151 +msgid "Disable SELinux protection for rdisc" +msgstr "" + +#: ../gui/selinux.tbl:152 +msgid "Disable SELinux protection for readahead" +msgstr "" + +#: ../gui/selinux.tbl:153 +msgid "Allow programs to read files in non-standard locations (default_t)" +msgstr "" + +#: ../gui/selinux.tbl:154 +msgid "Disable SELinux protection for restorecond" +msgstr "" + +#: ../gui/selinux.tbl:155 +msgid "Disable SELinux protection for rhgb daemon" +msgstr "" + +#: ../gui/selinux.tbl:156 +msgid "Disable SELinux protection for ricci" +msgstr "" + +#: ../gui/selinux.tbl:157 +msgid "Disable SELinux protection for ricci_modclusterd" +msgstr "" + +#: ../gui/selinux.tbl:158 +msgid "Disable SELinux protection for rlogind daemon" +msgstr "" + +#: ../gui/selinux.tbl:159 +msgid "Disable SELinux protection for rpcd daemon" +msgstr "" + +#: ../gui/selinux.tbl:160 +msgid "Disable SELinux protection for rshd" +msgstr "" + +#: ../gui/selinux.tbl:161 +msgid "rsync" +msgstr "" + +#: ../gui/selinux.tbl:161 +msgid "Disable SELinux protection for rsync daemon" +msgstr "" + +#: ../gui/selinux.tbl:162 +msgid "Allow ssh to run from inetd instead of as a daemon" +msgstr "" + +#: ../gui/selinux.tbl:163 +msgid "Allow Samba to share nfs directories" +msgstr "" + +#: ../gui/selinux.tbl:164 ../gui/selinux.tbl:166 +msgid "SASL authentication server" +msgstr "" + +#: ../gui/selinux.tbl:164 +msgid "Allow sasl authentication server to read /etc/shadow" +msgstr "" + +#: ../gui/selinux.tbl:165 +msgid "" +"Allow X-Windows server to map a memory region as both executable and writable" +msgstr "" + +#: ../gui/selinux.tbl:166 +msgid "Disable SELinux protection for saslauthd daemon" +msgstr "" + +#: ../gui/selinux.tbl:167 +msgid "Disable SELinux protection for scannerdaemon daemon" +msgstr "" + +#: ../gui/selinux.tbl:168 +msgid "Do not allow transition to sysadm_t, sudo and su effected" +msgstr "" + +#: ../gui/selinux.tbl:169 +msgid "Do not allow any processes to load kernel modules" +msgstr "" + +#: ../gui/selinux.tbl:170 +msgid "Do not allow any processes to modify kernel SELinux policy" +msgstr "" + +#: ../gui/selinux.tbl:171 +msgid "Disable SELinux protection for sendmail daemon" +msgstr "" + +#: ../gui/selinux.tbl:172 +msgid "Disable SELinux protection for setrans" +msgstr "" + +#: ../gui/selinux.tbl:173 +msgid "Disable SELinux protection for setroubleshoot daemon" +msgstr "" + +#: ../gui/selinux.tbl:174 +msgid "Disable SELinux protection for slapd daemon" +msgstr "" + +#: ../gui/selinux.tbl:175 +msgid "Disable SELinux protection for slrnpull daemon" +msgstr "" + +#: ../gui/selinux.tbl:176 +msgid "Disable SELinux protection for smbd daemon" +msgstr "" + +#: ../gui/selinux.tbl:177 +msgid "Disable SELinux protection for snmpd daemon" +msgstr "" + +#: ../gui/selinux.tbl:178 +msgid "Disable SELinux protection for snort daemon" +msgstr "" + +#: ../gui/selinux.tbl:179 +msgid "Disable SELinux protection for soundd daemon" +msgstr "" + +#: ../gui/selinux.tbl:180 +msgid "Disable SELinux protection for sound daemon" +msgstr "" + +#: ../gui/selinux.tbl:181 ../gui/selinux.tbl:182 ../gui/selinux.tbl:183 +msgid "Spam Protection" +msgstr "" + +#: ../gui/selinux.tbl:181 +msgid "Disable SELinux protection for spamd daemon" +msgstr "" + +#: ../gui/selinux.tbl:182 +msgid "Allow spamd to access home directories" +msgstr "" + +#: ../gui/selinux.tbl:183 +msgid "Allow Spam Assassin daemon network access" +msgstr "" + +#: ../gui/selinux.tbl:184 +msgid "Disable SELinux protection for speedmgmt daemon" +msgstr "" + +#: ../gui/selinux.tbl:185 ../gui/selinux.tbl:186 +msgid "Squid" +msgstr "" + +#: ../gui/selinux.tbl:185 +msgid "Allow squid daemon to connect to the network" +msgstr "" + +#: ../gui/selinux.tbl:186 +msgid "Disable SELinux protection for squid daemon" +msgstr "" + +#: ../gui/selinux.tbl:187 +msgid "Disable SELinux protection for ssh daemon" +msgstr "" + +#: ../gui/selinux.tbl:188 +msgid "Allow ssh logins as sysadm_r:sysadm_t" +msgstr "" + +#: ../gui/selinux.tbl:189 +msgid "" +"Allow staff_r users to search the sysadm home dir and read files (such as ~/." +"bashrc)" +msgstr "" + +#: ../gui/selinux.tbl:190 ../gui/selinux.tbl:191 +msgid "Universal SSL tunnel" +msgstr "" + +#: ../gui/selinux.tbl:190 +msgid "Disable SELinux protection for stunnel daemon" +msgstr "" + +#: ../gui/selinux.tbl:191 +msgid "Allow stunnel daemon to run as standalone, outside of xinetd" +msgstr "" + +#: ../gui/selinux.tbl:192 +msgid "Disable SELinux protection for swat daemon" +msgstr "" + +#: ../gui/selinux.tbl:193 +msgid "Disable SELinux protection for sxid daemon" +msgstr "" + +#: ../gui/selinux.tbl:194 +msgid "Disable SELinux protection for syslogd daemon" +msgstr "" + +#: ../gui/selinux.tbl:195 +msgid "Disable SELinux protection for system cron jobs" +msgstr "" + +#: ../gui/selinux.tbl:196 +msgid "Disable SELinux protection for tcp daemon" +msgstr "" + +#: ../gui/selinux.tbl:197 +msgid "Disable SELinux protection for telnet daemon" +msgstr "" + +#: ../gui/selinux.tbl:198 +msgid "Disable SELinux protection for tftpd daemon" +msgstr "" + +#: ../gui/selinux.tbl:199 +msgid "Disable SELinux protection for transproxy daemon" +msgstr "" + +#: ../gui/selinux.tbl:200 +msgid "Disable SELinux protection for udev daemon" +msgstr "" + +#: ../gui/selinux.tbl:201 +msgid "Disable SELinux protection for uml daemon" +msgstr "" + +#: ../gui/selinux.tbl:202 +msgid "" +"Allow xinetd to run unconfined, including any services it starts that do not " +"have a domain transition explicitly defined" +msgstr "" + +#: ../gui/selinux.tbl:203 +msgid "" +"Allow rc scripts to run unconfined, including any daemon started by an rc " +"script that does not have a domain transition explicitly defined" +msgstr "" + +#: ../gui/selinux.tbl:204 +msgid "Allow rpm to run unconfined" +msgstr "" + +#: ../gui/selinux.tbl:205 +msgid "Allow privileged utilities like hotplug and insmod to run unconfined" +msgstr "" + +#: ../gui/selinux.tbl:206 +msgid "Disable SELinux protection for updfstab daemon" +msgstr "" + +#: ../gui/selinux.tbl:207 +msgid "Disable SELinux protection for uptimed daemon" +msgstr "" + +#: ../gui/selinux.tbl:208 +msgid "" +"Allow user_r to reach sysadm_r via su, sudo, or userhelper. Otherwise, only " +"staff_r can do so" +msgstr "" + +#: ../gui/selinux.tbl:209 +msgid "Allow users to execute the mount command" +msgstr "" + +#: ../gui/selinux.tbl:210 +msgid "Allow regular users direct mouse access (only allow the X server)" +msgstr "" + +#: ../gui/selinux.tbl:211 +msgid "Allow users to run the dmesg command" +msgstr "" + +#: ../gui/selinux.tbl:212 +msgid "Allow users to control network interfaces (also needs USERCTL=true)" +msgstr "" + +#: ../gui/selinux.tbl:213 +msgid "Allow normal user to execute ping" +msgstr "" + +#: ../gui/selinux.tbl:214 +msgid "Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)" +msgstr "" + +#: ../gui/selinux.tbl:215 +msgid "Allow users to rw usb devices" +msgstr "" + +#: ../gui/selinux.tbl:216 +msgid "" +"Allow users to run TCP servers (bind to ports and accept connection from the " +"same domain and outside users) disabling this forces FTP passive mode and " +"may change other protocols" +msgstr "" + +#: ../gui/selinux.tbl:217 +msgid "Allow user to stat ttyfiles" +msgstr "" + +#: ../gui/selinux.tbl:218 +msgid "Disable SELinux protection for uucpd daemon" +msgstr "" + +#: ../gui/selinux.tbl:219 +msgid "Disable SELinux protection for vmware daemon" +msgstr "" + +#: ../gui/selinux.tbl:220 +msgid "Disable SELinux protection for watchdog daemon" +msgstr "" + +#: ../gui/selinux.tbl:221 +msgid "Disable SELinux protection for winbind daemon" +msgstr "" + +#: ../gui/selinux.tbl:222 +msgid "Disable SELinux protection for xdm daemon" +msgstr "" + +#: ../gui/selinux.tbl:223 +msgid "Allow xdm logins as sysadm_r:sysadm_t" +msgstr "" + +#: ../gui/selinux.tbl:224 +msgid "Disable SELinux protection for xen daemon" +msgstr "" + +#: ../gui/selinux.tbl:225 +msgid "XEN" +msgstr "" + +#: ../gui/selinux.tbl:225 +msgid "Allow xen to read/write physical disk devices" +msgstr "" + +#: ../gui/selinux.tbl:226 +msgid "Disable SELinux protection for xfs daemon" +msgstr "" + +#: ../gui/selinux.tbl:227 +msgid "Disable SELinux protection for xen control" +msgstr "" + +#: ../gui/selinux.tbl:228 +msgid "Disable SELinux protection for ypbind daemon" +msgstr "" + +#: ../gui/selinux.tbl:229 +msgid "Disable SELinux protection for NIS Password Daemon" +msgstr "" + +#: ../gui/selinux.tbl:230 +msgid "Disable SELinux protection for ypserv daemon" +msgstr "" + +#: ../gui/selinux.tbl:231 +msgid "Disable SELinux protection for NIS Transfer Daemon" +msgstr "" + +#: ../gui/selinux.tbl:232 +msgid "Allow SELinux webadm user to manage unprivileged users home directories" +msgstr "" + +#: ../gui/selinux.tbl:233 +msgid "Allow SELinux webadm user to read unprivileged users home directories" +msgstr "" + +#: ../gui/semanagePage.py:126 +#, python-format +msgid "Are you sure you want to delete %s '%s'?" +msgstr "" + +#: ../gui/semanagePage.py:126 +#, python-format +msgid "Delete %s" +msgstr "" + +#: ../gui/semanagePage.py:134 +#, python-format +msgid "Add %s" +msgstr "" + +#: ../gui/semanagePage.py:148 +#, python-format +msgid "Modify %s" +msgstr "" + +#: ../gui/statusPage.py:69 ../gui/system-config-selinux.glade:2819 +msgid "Permissive" +msgstr "" + +#: ../gui/statusPage.py:70 ../gui/system-config-selinux.glade:2837 +msgid "Enforcing" +msgstr "" + +#: ../gui/statusPage.py:94 +msgid "Status" +msgstr "" + +#: ../gui/statusPage.py:133 +msgid "" +"Changing the policy type will cause a relabel of the entire file system on " +"the next boot. Relabeling takes a long time depending on the size of the " +"file system. Do you wish to continue?" +msgstr "" + +#: ../gui/statusPage.py:147 +msgid "" +"Changing to SELinux disabled requires a reboot. It is not recommended. If " +"you later decide to turn SELinux back on, the system will be required to " +"relabel. If you just want to see if SELinux is causing a problem on your " +"system, you can go to permissive mode which will only log errors and not " +"enforce SELinux policy. Permissive mode does not require a reboot Do you " +"wish to continue?" +msgstr "" + +#: ../gui/statusPage.py:152 +msgid "" +"Changing to SELinux enabled will cause a relabel of the entire file system " +"on the next boot. Relabeling takes a long time depending on the size of the " +"file system. Do you wish to continue?" +msgstr "" + +#: ../gui/system-config-selinux.glade:11 +msgid "system-config-selinux" +msgstr "" + +#: ../gui/system-config-selinux.glade:12 +msgid "" +"Copyright (c)2006 Red Hat, Inc.\n" +"Copyright (c) 2006 Dan Walsh " +msgstr "" + +#: ../gui/system-config-selinux.glade:22 +#: ../gui/system-config-selinux.glade:544 +msgid "Add SELinux Login Mapping" +msgstr "" + +#: ../gui/system-config-selinux.glade:257 +msgid "Add SELinux Network Ports" +msgstr "" + +#: ../gui/system-config-selinux.glade:391 +#: ../gui/system-config-selinux.glade:678 +msgid "SELinux Type" +msgstr "" + +#: ../gui/system-config-selinux.glade:622 +msgid "File Specification" +msgstr "" + +#: ../gui/system-config-selinux.glade:650 +msgid "File Type" +msgstr "" + +#: ../gui/system-config-selinux.glade:727 +msgid "" +"all files\n" +"regular file\n" +"directory\n" +"character device\n" +"block device\n" +"socket\n" +"symbolic link\n" +"named pipe\n" +msgstr "" + +#: ../gui/system-config-selinux.glade:773 +msgid "MLS" +msgstr "" + +#: ../gui/system-config-selinux.glade:837 +msgid "Add SELinux User" +msgstr "" + +#: ../gui/system-config-selinux.glade:1079 +msgid "SELinux Administration" +msgstr "" + +#: ../gui/system-config-selinux.glade:1122 +msgid "Add" +msgstr "" + +#: ../gui/system-config-selinux.glade:1144 +msgid "_Properties" +msgstr "" + +#: ../gui/system-config-selinux.glade:1166 +msgid "_Delete" +msgstr "" + +#: ../gui/system-config-selinux.glade:1256 +msgid "Select Management Object" +msgstr "" + +#: ../gui/system-config-selinux.glade:1273 +msgid "Select:" +msgstr "" + +#: ../gui/system-config-selinux.glade:1326 +msgid "System Default Enforcing Mode" +msgstr "" + +#: ../gui/system-config-selinux.glade:1354 +msgid "" +"Disabled\n" +"Permissive\n" +"Enforcing\n" +msgstr "" + +#: ../gui/system-config-selinux.glade:1373 +msgid "Current Enforcing Mode" +msgstr "" + +#: ../gui/system-config-selinux.glade:1418 +msgid "System Default Policy Type: " +msgstr "" + +#: ../gui/system-config-selinux.glade:1463 +msgid "" +"Select if you wish to relabel then entire file system on next reboot. " +"Relabeling can take a very long time, depending on the size of the system. " +"If you are changing policy types or going from disabled to enforcing, a " +"relabel is required." +msgstr "" + +#: ../gui/system-config-selinux.glade:1509 +msgid "Relabel on next reboot." +msgstr "" + +#: ../gui/system-config-selinux.glade:1561 +msgid "label37" +msgstr "" + +#: ../gui/system-config-selinux.glade:1598 +msgid "Revert boolean setting to system default" +msgstr "" + +#: ../gui/system-config-selinux.glade:1614 +msgid "Toggle between Customized and All Booleans" +msgstr "" + +#: ../gui/system-config-selinux.glade:1645 +#: ../gui/system-config-selinux.glade:1850 +#: ../gui/system-config-selinux.glade:2037 +#: ../gui/system-config-selinux.glade:2224 +#: ../gui/system-config-selinux.glade:2467 +#: ../gui/system-config-selinux.glade:2692 +#: ../gui/system-config-selinux.glade:2867 +msgid "Filter" +msgstr "" + +#: ../gui/system-config-selinux.glade:1734 +msgid "label50" +msgstr "" + +#: ../gui/system-config-selinux.glade:1771 +msgid "Add File Context" +msgstr "" + +#: ../gui/system-config-selinux.glade:1787 +msgid "Modify File Context" +msgstr "" + +#: ../gui/system-config-selinux.glade:1803 +msgid "Delete File Context" +msgstr "" + +#: ../gui/system-config-selinux.glade:1819 +msgid "Toggle between all and customized file context" +msgstr "" + +#: ../gui/system-config-selinux.glade:1939 +msgid "label38" +msgstr "" + +#: ../gui/system-config-selinux.glade:1976 +msgid "Add SELinux User Mapping" +msgstr "" + +#: ../gui/system-config-selinux.glade:1992 +msgid "Modify SELinux User Mapping" +msgstr "" + +#: ../gui/system-config-selinux.glade:2008 +msgid "Delete SELinux User Mapping" +msgstr "" + +#: ../gui/system-config-selinux.glade:2126 +msgid "label39" +msgstr "" + +#: ../gui/system-config-selinux.glade:2163 +msgid "Add User" +msgstr "" + +#: ../gui/system-config-selinux.glade:2179 +msgid "Modify User" +msgstr "" + +#: ../gui/system-config-selinux.glade:2195 +msgid "Delete User" +msgstr "" + +#: ../gui/system-config-selinux.glade:2313 +msgid "label41" +msgstr "" + +#: ../gui/system-config-selinux.glade:2350 +msgid "Add Network Port" +msgstr "" + +#: ../gui/system-config-selinux.glade:2366 +msgid "Edit Network Port" +msgstr "" + +#: ../gui/system-config-selinux.glade:2382 +msgid "Delete Network Port" +msgstr "" + +#: ../gui/system-config-selinux.glade:2418 +#: ../gui/system-config-selinux.glade:2436 +msgid "Toggle between Customized and All Ports" +msgstr "" + +#: ../gui/system-config-selinux.glade:2556 +msgid "label42" +msgstr "" + +#: ../gui/system-config-selinux.glade:2593 +msgid "Generate new policy module" +msgstr "" + +#: ../gui/system-config-selinux.glade:2609 +msgid "Load policy module" +msgstr "" + +#: ../gui/system-config-selinux.glade:2625 +msgid "Remove loadable policy module" +msgstr "" + +#: ../gui/system-config-selinux.glade:2661 +msgid "" +"Enable/Disable additional audit rules, that are normally not reported in the " +"log files." +msgstr "" + +#: ../gui/system-config-selinux.glade:2781 +msgid "label44" +msgstr "" + +#: ../gui/system-config-selinux.glade:2818 +msgid "Change process mode to permissive." +msgstr "" + +#: ../gui/system-config-selinux.glade:2836 +msgid "Change process mode to enforcing" +msgstr "" + +#: ../gui/system-config-selinux.glade:2928 +msgid "Process Domain" +msgstr "" + +#: ../gui/system-config-selinux.glade:2956 +msgid "label59" +msgstr "" + +#: ../gui/usersPage.py:138 +#, python-format +msgid "SELinux user '%s' is required" +msgstr "" diff --git a/policycoreutils/po/am.po b/policycoreutils/po/am.po index afeaa9f..edb1026 100644 --- a/policycoreutils/po/am.po +++ b/policycoreutils/po/am.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2012-03-27 10:49-0400\n" +"POT-Creation-Date: 2012-05-17 16:58-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -90,844 +90,851 @@ msgstr "" msgid "global" msgstr "" -#: ../semanage/seobject.py:222 +#: ../semanage/seobject.py:225 msgid "Could not create semanage handle" msgstr "" -#: ../semanage/seobject.py:230 +#: ../semanage/seobject.py:233 msgid "SELinux policy is not managed or store cannot be accessed." msgstr "" -#: ../semanage/seobject.py:235 +#: ../semanage/seobject.py:238 msgid "Cannot read policy store." msgstr "" -#: ../semanage/seobject.py:240 +#: ../semanage/seobject.py:243 msgid "Could not establish semanage connection" msgstr "" -#: ../semanage/seobject.py:245 +#: ../semanage/seobject.py:248 msgid "Could not test MLS enabled status" msgstr "" -#: ../semanage/seobject.py:251 ../semanage/seobject.py:266 +#: ../semanage/seobject.py:254 ../semanage/seobject.py:269 msgid "Not yet implemented" msgstr "" -#: ../semanage/seobject.py:255 +#: ../semanage/seobject.py:258 msgid "Semanage transaction already in progress" msgstr "" -#: ../semanage/seobject.py:264 +#: ../semanage/seobject.py:267 msgid "Could not start semanage transaction" msgstr "" -#: ../semanage/seobject.py:274 +#: ../semanage/seobject.py:278 msgid "Could not commit semanage transaction" msgstr "" -#: ../semanage/seobject.py:279 +#: ../semanage/seobject.py:283 msgid "Semanage transaction not in progress" msgstr "" -#: ../semanage/seobject.py:291 ../semanage/seobject.py:371 +#: ../semanage/seobject.py:295 ../semanage/seobject.py:375 msgid "Could not list SELinux modules" msgstr "" -#: ../semanage/seobject.py:304 +#: ../semanage/seobject.py:308 msgid "Modules Name" msgstr "" -#: ../semanage/seobject.py:304 +#: ../semanage/seobject.py:308 ../gui/modulesPage.py:62 msgid "Version" msgstr "" -#: ../semanage/seobject.py:307 +#: ../semanage/seobject.py:311 ../gui/statusPage.py:75 msgid "Disabled" msgstr "" -#: ../semanage/seobject.py:322 +#: ../semanage/seobject.py:326 #, python-format msgid "Could not disable module %s (remove failed)" msgstr "" -#: ../semanage/seobject.py:333 +#: ../semanage/seobject.py:337 #, python-format msgid "Could not enable module %s (remove failed)" msgstr "" -#: ../semanage/seobject.py:348 +#: ../semanage/seobject.py:352 #, python-format msgid "Could not remove module %s (remove failed)" msgstr "" -#: ../semanage/seobject.py:358 +#: ../semanage/seobject.py:362 msgid "dontaudit requires either 'on' or 'off'" msgstr "" -#: ../semanage/seobject.py:387 +#: ../semanage/seobject.py:391 msgid "Builtin Permissive Types" msgstr "" -#: ../semanage/seobject.py:397 +#: ../semanage/seobject.py:401 msgid "Customized Permissive Types" msgstr "" -#: ../semanage/seobject.py:438 +#: ../semanage/seobject.py:442 #, python-format msgid "Could not set permissive domain %s (module installation failed)" msgstr "" -#: ../semanage/seobject.py:444 +#: ../semanage/seobject.py:448 #, python-format msgid "Could not remove permissive domain %s (remove failed)" msgstr "" -#: ../semanage/seobject.py:479 ../semanage/seobject.py:553 -#: ../semanage/seobject.py:599 ../semanage/seobject.py:696 -#: ../semanage/seobject.py:726 ../semanage/seobject.py:793 -#: ../semanage/seobject.py:850 ../semanage/seobject.py:1097 -#: ../semanage/seobject.py:1786 ../semanage/seobject.py:1849 -#: ../semanage/seobject.py:1868 ../semanage/seobject.py:1985 -#: ../semanage/seobject.py:2037 +#: ../semanage/seobject.py:483 ../semanage/seobject.py:557 +#: ../semanage/seobject.py:603 ../semanage/seobject.py:700 +#: ../semanage/seobject.py:730 ../semanage/seobject.py:797 +#: ../semanage/seobject.py:854 ../semanage/seobject.py:1101 +#: ../semanage/seobject.py:1790 ../semanage/seobject.py:1853 +#: ../semanage/seobject.py:1872 ../semanage/seobject.py:1993 +#: ../semanage/seobject.py:2045 #, python-format msgid "Could not create a key for %s" msgstr "" -#: ../semanage/seobject.py:483 ../semanage/seobject.py:557 -#: ../semanage/seobject.py:603 ../semanage/seobject.py:609 +#: ../semanage/seobject.py:487 ../semanage/seobject.py:561 +#: ../semanage/seobject.py:607 ../semanage/seobject.py:613 #, python-format msgid "Could not check if login mapping for %s is defined" msgstr "" -#: ../semanage/seobject.py:492 +#: ../semanage/seobject.py:496 #, python-format msgid "Linux Group %s does not exist" msgstr "" -#: ../semanage/seobject.py:497 +#: ../semanage/seobject.py:501 #, python-format msgid "Linux User %s does not exist" msgstr "" -#: ../semanage/seobject.py:501 +#: ../semanage/seobject.py:505 #, python-format msgid "Could not create login mapping for %s" msgstr "" -#: ../semanage/seobject.py:505 ../semanage/seobject.py:741 +#: ../semanage/seobject.py:509 ../semanage/seobject.py:745 #, python-format msgid "Could not set name for %s" msgstr "" -#: ../semanage/seobject.py:510 ../semanage/seobject.py:751 +#: ../semanage/seobject.py:514 ../semanage/seobject.py:755 #, python-format msgid "Could not set MLS range for %s" msgstr "" -#: ../semanage/seobject.py:514 +#: ../semanage/seobject.py:518 #, python-format msgid "Could not set SELinux user for %s" msgstr "" -#: ../semanage/seobject.py:518 +#: ../semanage/seobject.py:522 #, python-format msgid "Could not add login mapping for %s" msgstr "" -#: ../semanage/seobject.py:536 +#: ../semanage/seobject.py:540 msgid "Requires seuser or serange" msgstr "" -#: ../semanage/seobject.py:559 ../semanage/seobject.py:605 +#: ../semanage/seobject.py:563 ../semanage/seobject.py:609 #, python-format msgid "Login mapping for %s is not defined" msgstr "" -#: ../semanage/seobject.py:563 +#: ../semanage/seobject.py:567 #, python-format msgid "Could not query seuser for %s" msgstr "" -#: ../semanage/seobject.py:577 +#: ../semanage/seobject.py:581 #, python-format msgid "Could not modify login mapping for %s" msgstr "" -#: ../semanage/seobject.py:611 +#: ../semanage/seobject.py:615 #, python-format msgid "Login mapping for %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:615 +#: ../semanage/seobject.py:619 #, python-format msgid "Could not delete login mapping for %s" msgstr "" -#: ../semanage/seobject.py:637 ../semanage/seobject.py:655 -#: ../semanage/seobject.py:893 +#: ../semanage/seobject.py:641 ../semanage/seobject.py:659 +#: ../semanage/seobject.py:897 msgid "Could not list login mappings" msgstr "" -#: ../semanage/seobject.py:680 ../semanage/seobject.py:685 +#: ../semanage/seobject.py:684 ../semanage/seobject.py:689 +#: ../gui/system-config-selinux.glade:100 msgid "Login Name" msgstr "" -#: ../semanage/seobject.py:680 ../semanage/seobject.py:685 -#: ../semanage/seobject.py:943 ../semanage/seobject.py:948 +#: ../semanage/seobject.py:684 ../semanage/seobject.py:689 +#: ../semanage/seobject.py:947 ../semanage/seobject.py:952 +#: ../gui/system-config-selinux.glade:128 +#: ../gui/system-config-selinux.glade:915 +#: ../gui/system-config-selinux.glade:2285 ../gui/usersPage.py:44 msgid "SELinux User" msgstr "" -#: ../semanage/seobject.py:680 +#: ../semanage/seobject.py:684 ../gui/system-config-selinux.glade:156 +#: ../gui/system-config-selinux.glade:943 msgid "MLS/MCS Range" msgstr "" -#: ../semanage/seobject.py:699 ../semanage/seobject.py:730 -#: ../semanage/seobject.py:797 ../semanage/seobject.py:854 -#: ../semanage/seobject.py:860 +#: ../semanage/seobject.py:703 ../semanage/seobject.py:734 +#: ../semanage/seobject.py:801 ../semanage/seobject.py:858 +#: ../semanage/seobject.py:864 #, python-format msgid "Could not check if SELinux user %s is defined" msgstr "" -#: ../semanage/seobject.py:702 ../semanage/seobject.py:803 -#: ../semanage/seobject.py:866 +#: ../semanage/seobject.py:706 ../semanage/seobject.py:807 +#: ../semanage/seobject.py:870 #, python-format msgid "Could not query user for %s" msgstr "" -#: ../semanage/seobject.py:722 +#: ../semanage/seobject.py:726 #, python-format msgid "You must add at least one role for %s" msgstr "" -#: ../semanage/seobject.py:737 +#: ../semanage/seobject.py:741 #, python-format msgid "Could not create SELinux user for %s" msgstr "" -#: ../semanage/seobject.py:746 +#: ../semanage/seobject.py:750 #, python-format msgid "Could not add role %s for %s" msgstr "" -#: ../semanage/seobject.py:755 +#: ../semanage/seobject.py:759 #, python-format msgid "Could not set MLS level for %s" msgstr "" -#: ../semanage/seobject.py:758 +#: ../semanage/seobject.py:762 #, python-format msgid "Could not add prefix %s for %s" msgstr "" -#: ../semanage/seobject.py:761 +#: ../semanage/seobject.py:765 #, python-format msgid "Could not extract key for %s" msgstr "" -#: ../semanage/seobject.py:765 +#: ../semanage/seobject.py:769 #, python-format msgid "Could not add SELinux user %s" msgstr "" -#: ../semanage/seobject.py:787 +#: ../semanage/seobject.py:791 msgid "Requires prefix, roles, level or range" msgstr "" -#: ../semanage/seobject.py:789 +#: ../semanage/seobject.py:793 msgid "Requires prefix or roles" msgstr "" -#: ../semanage/seobject.py:799 ../semanage/seobject.py:856 +#: ../semanage/seobject.py:803 ../semanage/seobject.py:860 #, python-format msgid "SELinux user %s is not defined" msgstr "" -#: ../semanage/seobject.py:828 +#: ../semanage/seobject.py:832 #, python-format msgid "Could not modify SELinux user %s" msgstr "" -#: ../semanage/seobject.py:862 +#: ../semanage/seobject.py:866 #, python-format msgid "SELinux user %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:873 +#: ../semanage/seobject.py:877 #, python-format msgid "Could not delete SELinux user %s" msgstr "" -#: ../semanage/seobject.py:911 +#: ../semanage/seobject.py:915 msgid "Could not list SELinux users" msgstr "" -#: ../semanage/seobject.py:917 +#: ../semanage/seobject.py:921 #, python-format msgid "Could not list roles for user %s" msgstr "" -#: ../semanage/seobject.py:942 +#: ../semanage/seobject.py:946 msgid "Labeling" msgstr "" -#: ../semanage/seobject.py:942 +#: ../semanage/seobject.py:946 msgid "MLS/" msgstr "" -#: ../semanage/seobject.py:943 +#: ../semanage/seobject.py:947 msgid "Prefix" msgstr "" -#: ../semanage/seobject.py:943 +#: ../semanage/seobject.py:947 msgid "MCS Level" msgstr "" -#: ../semanage/seobject.py:943 +#: ../semanage/seobject.py:947 msgid "MCS Range" msgstr "" -#: ../semanage/seobject.py:943 ../semanage/seobject.py:948 +#: ../semanage/seobject.py:947 ../semanage/seobject.py:952 +#: ../gui/system-config-selinux.glade:992 ../gui/usersPage.py:59 msgid "SELinux Roles" msgstr "" -#: ../semanage/seobject.py:963 +#: ../semanage/seobject.py:967 msgid "Protocol udp or tcp is required" msgstr "" -#: ../semanage/seobject.py:965 +#: ../semanage/seobject.py:969 msgid "Port is required" msgstr "" -#: ../semanage/seobject.py:975 +#: ../semanage/seobject.py:979 msgid "Invalid Port" msgstr "" -#: ../semanage/seobject.py:979 +#: ../semanage/seobject.py:983 #, python-format msgid "Could not create a key for %s/%s" msgstr "" -#: ../semanage/seobject.py:990 +#: ../semanage/seobject.py:994 msgid "Type is required" msgstr "" -#: ../semanage/seobject.py:996 ../semanage/seobject.py:1055 -#: ../semanage/seobject.py:1110 ../semanage/seobject.py:1116 +#: ../semanage/seobject.py:1000 ../semanage/seobject.py:1059 +#: ../semanage/seobject.py:1114 ../semanage/seobject.py:1120 #, python-format msgid "Could not check if port %s/%s is defined" msgstr "" -#: ../semanage/seobject.py:998 +#: ../semanage/seobject.py:1002 #, python-format msgid "Port %s/%s already defined" msgstr "" -#: ../semanage/seobject.py:1002 +#: ../semanage/seobject.py:1006 #, python-format msgid "Could not create port for %s/%s" msgstr "" -#: ../semanage/seobject.py:1008 +#: ../semanage/seobject.py:1012 #, python-format msgid "Could not create context for %s/%s" msgstr "" -#: ../semanage/seobject.py:1012 +#: ../semanage/seobject.py:1016 #, python-format msgid "Could not set user in port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:1016 +#: ../semanage/seobject.py:1020 #, python-format msgid "Could not set role in port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:1020 +#: ../semanage/seobject.py:1024 #, python-format msgid "Could not set type in port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:1025 +#: ../semanage/seobject.py:1029 #, python-format msgid "Could not set mls fields in port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:1029 +#: ../semanage/seobject.py:1033 #, python-format msgid "Could not set port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:1033 +#: ../semanage/seobject.py:1037 #, python-format msgid "Could not add port %s/%s" msgstr "" -#: ../semanage/seobject.py:1047 ../semanage/seobject.py:1312 -#: ../semanage/seobject.py:1508 +#: ../semanage/seobject.py:1051 ../semanage/seobject.py:1316 +#: ../semanage/seobject.py:1512 msgid "Requires setype or serange" msgstr "" -#: ../semanage/seobject.py:1049 +#: ../semanage/seobject.py:1053 msgid "Requires setype" msgstr "" -#: ../semanage/seobject.py:1057 ../semanage/seobject.py:1112 +#: ../semanage/seobject.py:1061 ../semanage/seobject.py:1116 #, python-format msgid "Port %s/%s is not defined" msgstr "" -#: ../semanage/seobject.py:1061 +#: ../semanage/seobject.py:1065 #, python-format msgid "Could not query port %s/%s" msgstr "" -#: ../semanage/seobject.py:1072 +#: ../semanage/seobject.py:1076 #, python-format msgid "Could not modify port %s/%s" msgstr "" -#: ../semanage/seobject.py:1085 +#: ../semanage/seobject.py:1089 msgid "Could not list the ports" msgstr "" -#: ../semanage/seobject.py:1101 +#: ../semanage/seobject.py:1105 #, python-format msgid "Could not delete the port %s" msgstr "" -#: ../semanage/seobject.py:1118 +#: ../semanage/seobject.py:1122 #, python-format msgid "Port %s/%s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:1122 +#: ../semanage/seobject.py:1126 #, python-format msgid "Could not delete port %s/%s" msgstr "" -#: ../semanage/seobject.py:1138 ../semanage/seobject.py:1160 +#: ../semanage/seobject.py:1142 ../semanage/seobject.py:1164 msgid "Could not list ports" msgstr "" -#: ../semanage/seobject.py:1199 +#: ../semanage/seobject.py:1203 msgid "SELinux Port Type" msgstr "" -#: ../semanage/seobject.py:1199 +#: ../semanage/seobject.py:1203 msgid "Proto" msgstr "" -#: ../semanage/seobject.py:1199 +#: ../semanage/seobject.py:1203 ../gui/system-config-selinux.glade:335 msgid "Port Number" msgstr "" -#: ../semanage/seobject.py:1218 +#: ../semanage/seobject.py:1222 msgid "Node Address is required" msgstr "" -#: ../semanage/seobject.py:1233 +#: ../semanage/seobject.py:1237 msgid "Unknown or missing protocol" msgstr "" -#: ../semanage/seobject.py:1247 ../semanage/seobject.py:1446 -#: ../semanage/seobject.py:1724 +#: ../semanage/seobject.py:1251 ../semanage/seobject.py:1450 +#: ../semanage/seobject.py:1728 msgid "SELinux Type is required" msgstr "" -#: ../semanage/seobject.py:1251 ../semanage/seobject.py:1316 -#: ../semanage/seobject.py:1352 ../semanage/seobject.py:1450 -#: ../semanage/seobject.py:1512 ../semanage/seobject.py:1546 -#: ../semanage/seobject.py:1728 +#: ../semanage/seobject.py:1255 ../semanage/seobject.py:1320 +#: ../semanage/seobject.py:1356 ../semanage/seobject.py:1454 +#: ../semanage/seobject.py:1516 ../semanage/seobject.py:1550 +#: ../semanage/seobject.py:1732 #, python-format msgid "Could not create key for %s" msgstr "" -#: ../semanage/seobject.py:1253 ../semanage/seobject.py:1320 -#: ../semanage/seobject.py:1356 ../semanage/seobject.py:1362 +#: ../semanage/seobject.py:1257 ../semanage/seobject.py:1324 +#: ../semanage/seobject.py:1360 ../semanage/seobject.py:1366 #, python-format msgid "Could not check if addr %s is defined" msgstr "" -#: ../semanage/seobject.py:1262 +#: ../semanage/seobject.py:1266 #, python-format msgid "Could not create addr for %s" msgstr "" -#: ../semanage/seobject.py:1268 ../semanage/seobject.py:1466 -#: ../semanage/seobject.py:1686 +#: ../semanage/seobject.py:1272 ../semanage/seobject.py:1470 +#: ../semanage/seobject.py:1690 #, python-format msgid "Could not create context for %s" msgstr "" -#: ../semanage/seobject.py:1272 +#: ../semanage/seobject.py:1276 #, python-format msgid "Could not set mask for %s" msgstr "" -#: ../semanage/seobject.py:1276 +#: ../semanage/seobject.py:1280 #, python-format msgid "Could not set user in addr context for %s" msgstr "" -#: ../semanage/seobject.py:1280 +#: ../semanage/seobject.py:1284 #, python-format msgid "Could not set role in addr context for %s" msgstr "" -#: ../semanage/seobject.py:1284 +#: ../semanage/seobject.py:1288 #, python-format msgid "Could not set type in addr context for %s" msgstr "" -#: ../semanage/seobject.py:1289 +#: ../semanage/seobject.py:1293 #, python-format msgid "Could not set mls fields in addr context for %s" msgstr "" -#: ../semanage/seobject.py:1293 +#: ../semanage/seobject.py:1297 #, python-format msgid "Could not set addr context for %s" msgstr "" -#: ../semanage/seobject.py:1297 +#: ../semanage/seobject.py:1301 #, python-format msgid "Could not add addr %s" msgstr "" -#: ../semanage/seobject.py:1322 ../semanage/seobject.py:1358 +#: ../semanage/seobject.py:1326 ../semanage/seobject.py:1362 #, python-format msgid "Addr %s is not defined" msgstr "" -#: ../semanage/seobject.py:1326 +#: ../semanage/seobject.py:1330 #, python-format msgid "Could not query addr %s" msgstr "" -#: ../semanage/seobject.py:1336 +#: ../semanage/seobject.py:1340 #, python-format msgid "Could not modify addr %s" msgstr "" -#: ../semanage/seobject.py:1364 +#: ../semanage/seobject.py:1368 #, python-format msgid "Addr %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:1368 +#: ../semanage/seobject.py:1372 #, python-format msgid "Could not delete addr %s" msgstr "" -#: ../semanage/seobject.py:1380 +#: ../semanage/seobject.py:1384 msgid "Could not deleteall node mappings" msgstr "" -#: ../semanage/seobject.py:1394 +#: ../semanage/seobject.py:1398 msgid "Could not list addrs" msgstr "" -#: ../semanage/seobject.py:1454 ../semanage/seobject.py:1516 -#: ../semanage/seobject.py:1550 ../semanage/seobject.py:1556 +#: ../semanage/seobject.py:1458 ../semanage/seobject.py:1520 +#: ../semanage/seobject.py:1554 ../semanage/seobject.py:1560 #, python-format msgid "Could not check if interface %s is defined" msgstr "" -#: ../semanage/seobject.py:1461 +#: ../semanage/seobject.py:1465 #, python-format msgid "Could not create interface for %s" msgstr "" -#: ../semanage/seobject.py:1470 +#: ../semanage/seobject.py:1474 #, python-format msgid "Could not set user in interface context for %s" msgstr "" -#: ../semanage/seobject.py:1474 +#: ../semanage/seobject.py:1478 #, python-format msgid "Could not set role in interface context for %s" msgstr "" -#: ../semanage/seobject.py:1478 +#: ../semanage/seobject.py:1482 #, python-format msgid "Could not set type in interface context for %s" msgstr "" -#: ../semanage/seobject.py:1483 +#: ../semanage/seobject.py:1487 #, python-format msgid "Could not set mls fields in interface context for %s" msgstr "" -#: ../semanage/seobject.py:1487 +#: ../semanage/seobject.py:1491 #, python-format msgid "Could not set interface context for %s" msgstr "" -#: ../semanage/seobject.py:1491 +#: ../semanage/seobject.py:1495 #, python-format msgid "Could not set message context for %s" msgstr "" -#: ../semanage/seobject.py:1495 +#: ../semanage/seobject.py:1499 #, python-format msgid "Could not add interface %s" msgstr "" -#: ../semanage/seobject.py:1518 ../semanage/seobject.py:1552 +#: ../semanage/seobject.py:1522 ../semanage/seobject.py:1556 #, python-format msgid "Interface %s is not defined" msgstr "" -#: ../semanage/seobject.py:1522 +#: ../semanage/seobject.py:1526 #, python-format msgid "Could not query interface %s" msgstr "" -#: ../semanage/seobject.py:1533 +#: ../semanage/seobject.py:1537 #, python-format msgid "Could not modify interface %s" msgstr "" -#: ../semanage/seobject.py:1558 +#: ../semanage/seobject.py:1562 #, python-format msgid "Interface %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:1562 +#: ../semanage/seobject.py:1566 #, python-format msgid "Could not delete interface %s" msgstr "" -#: ../semanage/seobject.py:1574 +#: ../semanage/seobject.py:1578 msgid "Could not delete all interface mappings" msgstr "" -#: ../semanage/seobject.py:1588 +#: ../semanage/seobject.py:1592 msgid "Could not list interfaces" msgstr "" -#: ../semanage/seobject.py:1613 +#: ../semanage/seobject.py:1617 msgid "SELinux Interface" msgstr "" -#: ../semanage/seobject.py:1613 ../semanage/seobject.py:1936 +#: ../semanage/seobject.py:1617 ../semanage/seobject.py:1944 msgid "Context" msgstr "" -#: ../semanage/seobject.py:1663 +#: ../semanage/seobject.py:1667 #, python-format msgid "Equivalence class for %s already exists" msgstr "" -#: ../semanage/seobject.py:1669 +#: ../semanage/seobject.py:1673 #, python-format msgid "File spec %s conflicts with equivalency rule '%s %s'" msgstr "" -#: ../semanage/seobject.py:1678 +#: ../semanage/seobject.py:1682 #, python-format msgid "Equivalence class for %s does not exists" msgstr "" -#: ../semanage/seobject.py:1692 +#: ../semanage/seobject.py:1696 #, python-format msgid "Could not set user in file context for %s" msgstr "" -#: ../semanage/seobject.py:1696 +#: ../semanage/seobject.py:1700 #, python-format msgid "Could not set role in file context for %s" msgstr "" -#: ../semanage/seobject.py:1701 ../semanage/seobject.py:1758 +#: ../semanage/seobject.py:1705 ../semanage/seobject.py:1762 #, python-format msgid "Could not set mls fields in file context for %s" msgstr "" -#: ../semanage/seobject.py:1707 +#: ../semanage/seobject.py:1711 msgid "Invalid file specification" msgstr "" -#: ../semanage/seobject.py:1709 +#: ../semanage/seobject.py:1713 msgid "File specification can not include spaces" msgstr "" -#: ../semanage/seobject.py:1714 +#: ../semanage/seobject.py:1718 #, python-format msgid "" "File spec %s conflicts with equivalency rule '%s %s'; Try adding '%s' instead" msgstr "" -#: ../semanage/seobject.py:1732 ../semanage/seobject.py:1737 -#: ../semanage/seobject.py:1790 ../semanage/seobject.py:1872 -#: ../semanage/seobject.py:1876 +#: ../semanage/seobject.py:1736 ../semanage/seobject.py:1741 +#: ../semanage/seobject.py:1794 ../semanage/seobject.py:1876 +#: ../semanage/seobject.py:1880 #, python-format msgid "Could not check if file context for %s is defined" msgstr "" -#: ../semanage/seobject.py:1745 +#: ../semanage/seobject.py:1749 #, python-format msgid "Could not create file context for %s" msgstr "" -#: ../semanage/seobject.py:1753 +#: ../semanage/seobject.py:1757 #, python-format msgid "Could not set type in file context for %s" msgstr "" -#: ../semanage/seobject.py:1761 ../semanage/seobject.py:1818 -#: ../semanage/seobject.py:1822 +#: ../semanage/seobject.py:1765 ../semanage/seobject.py:1822 +#: ../semanage/seobject.py:1826 #, python-format msgid "Could not set file context for %s" msgstr "" -#: ../semanage/seobject.py:1767 +#: ../semanage/seobject.py:1771 #, python-format msgid "Could not add file context for %s" msgstr "" -#: ../semanage/seobject.py:1781 +#: ../semanage/seobject.py:1785 msgid "Requires setype, serange or seuser" msgstr "" -#: ../semanage/seobject.py:1794 ../semanage/seobject.py:1880 +#: ../semanage/seobject.py:1798 ../semanage/seobject.py:1884 #, python-format msgid "File context for %s is not defined" msgstr "" -#: ../semanage/seobject.py:1800 +#: ../semanage/seobject.py:1804 #, python-format msgid "Could not query file context for %s" msgstr "" -#: ../semanage/seobject.py:1826 +#: ../semanage/seobject.py:1830 #, python-format msgid "Could not modify file context for %s" msgstr "" -#: ../semanage/seobject.py:1839 +#: ../semanage/seobject.py:1843 msgid "Could not list the file contexts" msgstr "" -#: ../semanage/seobject.py:1853 +#: ../semanage/seobject.py:1857 #, python-format msgid "Could not delete the file context %s" msgstr "" -#: ../semanage/seobject.py:1878 +#: ../semanage/seobject.py:1882 #, python-format msgid "File context for %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:1884 +#: ../semanage/seobject.py:1888 #, python-format msgid "Could not delete file context for %s" msgstr "" -#: ../semanage/seobject.py:1899 +#: ../semanage/seobject.py:1903 msgid "Could not list file contexts" msgstr "" -#: ../semanage/seobject.py:1903 +#: ../semanage/seobject.py:1907 msgid "Could not list local file contexts" msgstr "" -#: ../semanage/seobject.py:1936 +#: ../semanage/seobject.py:1944 msgid "SELinux fcontext" msgstr "" -#: ../semanage/seobject.py:1936 +#: ../semanage/seobject.py:1944 msgid "type" msgstr "" -#: ../semanage/seobject.py:1949 +#: ../semanage/seobject.py:1957 msgid "" "\n" "SELinux Distribution fcontext Equivalence \n" msgstr "" -#: ../semanage/seobject.py:1954 +#: ../semanage/seobject.py:1962 msgid "" "\n" "SELinux Local fcontext Equivalence \n" msgstr "" -#: ../semanage/seobject.py:1988 ../semanage/seobject.py:2040 -#: ../semanage/seobject.py:2046 +#: ../semanage/seobject.py:1996 ../semanage/seobject.py:2048 +#: ../semanage/seobject.py:2054 #, python-format msgid "Could not check if boolean %s is defined" msgstr "" -#: ../semanage/seobject.py:1990 ../semanage/seobject.py:2042 +#: ../semanage/seobject.py:1998 ../semanage/seobject.py:2050 #, python-format msgid "Boolean %s is not defined" msgstr "" -#: ../semanage/seobject.py:1994 +#: ../semanage/seobject.py:2002 #, python-format msgid "Could not query file context %s" msgstr "" -#: ../semanage/seobject.py:1999 +#: ../semanage/seobject.py:2007 #, python-format msgid "You must specify one of the following values: %s" msgstr "" -#: ../semanage/seobject.py:2004 +#: ../semanage/seobject.py:2012 #, python-format msgid "Could not set active value of boolean %s" msgstr "" -#: ../semanage/seobject.py:2007 +#: ../semanage/seobject.py:2015 #, python-format msgid "Could not modify boolean %s" msgstr "" -#: ../semanage/seobject.py:2025 +#: ../semanage/seobject.py:2033 #, python-format msgid "Bad format %s: Record %s" msgstr "" -#: ../semanage/seobject.py:2048 +#: ../semanage/seobject.py:2056 #, python-format msgid "Boolean %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:2052 +#: ../semanage/seobject.py:2060 #, python-format msgid "Could not delete boolean %s" msgstr "" -#: ../semanage/seobject.py:2064 ../semanage/seobject.py:2081 +#: ../semanage/seobject.py:2072 ../semanage/seobject.py:2089 msgid "Could not list booleans" msgstr "" -#: ../semanage/seobject.py:2104 +#: ../semanage/seobject.py:2112 msgid "unknown" msgstr "" -#: ../semanage/seobject.py:2117 +#: ../semanage/seobject.py:2125 msgid "off" msgstr "" -#: ../semanage/seobject.py:2117 +#: ../semanage/seobject.py:2125 msgid "on" msgstr "" -#: ../semanage/seobject.py:2131 +#: ../semanage/seobject.py:2139 msgid "SELinux boolean" msgstr "" -#: ../semanage/seobject.py:2131 +#: ../semanage/seobject.py:2139 msgid "State" msgstr "" -#: ../semanage/seobject.py:2131 +#: ../semanage/seobject.py:2139 msgid "Default" msgstr "" -#: ../semanage/seobject.py:2131 +#: ../semanage/seobject.py:2139 ../gui/polgen.glade:3355 +#: ../gui/polgengui.py:253 msgid "Description" msgstr "" @@ -1264,7 +1271,2088 @@ msgstr "" msgid "chcat -l +CompanyConfidential juser" msgstr "" -#: ../scripts/chcat:399 -#, c-format +#: ../scripts/chcat:399 ../gui/polgen.py:1351 +#, c-format, python-format msgid "Options Error %s " msgstr "" + +#: ../gui/booleansPage.py:186 ../gui/system-config-selinux.glade:1706 +msgid "Boolean" +msgstr "" + +#: ../gui/booleansPage.py:241 ../gui/semanagePage.py:162 +msgid "all" +msgstr "" + +#: ../gui/booleansPage.py:243 ../gui/semanagePage.py:164 +#: ../gui/system-config-selinux.glade:1615 +#: ../gui/system-config-selinux.glade:1820 +#: ../gui/system-config-selinux.glade:2437 +msgid "Customized" +msgstr "" + +#: ../gui/fcontextPage.py:64 ../gui/system-config-selinux.glade:1911 +msgid "File Labeling" +msgstr "" + +#: ../gui/fcontextPage.py:74 +msgid "" +"File\n" +"Specification" +msgstr "" + +#: ../gui/fcontextPage.py:81 +msgid "" +"Selinux\n" +"File Type" +msgstr "" + +#: ../gui/fcontextPage.py:88 +msgid "" +"File\n" +"Type" +msgstr "" + +#: ../gui/loginsPage.py:48 ../gui/system-config-selinux.glade:2098 +msgid "User Mapping" +msgstr "" + +#: ../gui/loginsPage.py:52 +msgid "" +"Login\n" +"Name" +msgstr "" + +#: ../gui/loginsPage.py:56 ../gui/usersPage.py:50 +msgid "" +"SELinux\n" +"User" +msgstr "" + +#: ../gui/loginsPage.py:59 ../gui/usersPage.py:55 +msgid "" +"MLS/\n" +"MCS Range" +msgstr "" + +#: ../gui/loginsPage.py:133 +#, python-format +msgid "Login '%s' is required" +msgstr "" + +#: ../gui/modulesPage.py:48 ../gui/system-config-selinux.glade:2753 +msgid "Policy Module" +msgstr "" + +#: ../gui/modulesPage.py:57 +msgid "Module Name" +msgstr "" + +#: ../gui/modulesPage.py:134 +msgid "Disable Audit" +msgstr "" + +#: ../gui/modulesPage.py:137 ../gui/system-config-selinux.glade:2662 +msgid "Enable Audit" +msgstr "" + +#: ../gui/modulesPage.py:162 +msgid "Load Policy Module" +msgstr "" + +#: ../gui/polgen.glade:79 +msgid "Polgen" +msgstr "" + +#: ../gui/polgen.glade:80 +msgid "Red Hat 2007" +msgstr "" + +#: ../gui/polgen.glade:81 +msgid "GPL" +msgstr "" + +#. TRANSLATORS: Replace this string with your names, one name per line. +#: ../gui/polgen.glade:85 ../gui/system-config-selinux.glade:17 +msgid "translator-credits" +msgstr "" + +#: ../gui/polgen.glade:90 +msgid "SELinux Policy Generation Tool" +msgstr "" + +#: ../gui/polgen.glade:128 +msgid "" +"Select the policy type for the application or user role you want to " +"confine:" +msgstr "" + +#: ../gui/polgen.glade:177 +msgid "Applications" +msgstr "" + +#: ../gui/polgen.glade:239 ../gui/polgen.glade:259 +msgid "" +"Standard Init Daemon are daemons started on boot via init scripts. Usually " +"requires a script in /etc/rc.d/init.d" +msgstr "" + +#: ../gui/polgen.glade:241 ../gui/polgen.py:156 +msgid "Standard Init Daemon" +msgstr "" + +#: ../gui/polgen.glade:261 ../gui/polgen.py:157 +msgid "DBUS System Daemon" +msgstr "" + +#: ../gui/polgen.glade:280 +msgid "Internet Services Daemon are daemons started by xinetd" +msgstr "" + +#: ../gui/polgen.glade:282 +msgid "Internet Services Daemon (inetd)" +msgstr "" + +#: ../gui/polgen.glade:301 +msgid "" +"Web Applications/Script (CGI) CGI scripts started by the web server (apache)" +msgstr "" + +#: ../gui/polgen.glade:303 ../gui/polgen.py:159 +msgid "Web Application/Script (CGI)" +msgstr "" + +#: ../gui/polgen.glade:322 ../gui/polgen.glade:343 +msgid "" +"User Application are any application that you would like to confine that is " +"started by a user" +msgstr "" + +#: ../gui/polgen.glade:324 ../gui/polgen.py:160 +msgid "User Application" +msgstr "" + +#: ../gui/polgen.glade:345 ../gui/polgen.py:161 +msgid "Sandbox" +msgstr "" + +#: ../gui/polgen.glade:391 +msgid "Login Users" +msgstr "" + +#: ../gui/polgen.glade:453 +msgid "Modify an existing login user record." +msgstr "" + +#: ../gui/polgen.glade:455 +msgid "Existing User Roles" +msgstr "" + +#: ../gui/polgen.glade:474 +msgid "" +"This user will login to a machine only via a terminal or remote login. By " +"default this user will have no setuid, no networking, no su, no sudo." +msgstr "" + +#: ../gui/polgen.glade:476 ../gui/polgen.py:162 +msgid "Minimal Terminal User Role" +msgstr "" + +#: ../gui/polgen.glade:495 +msgid "" +"This user can login to a machine via X or terminal. By default this user " +"will have no setuid, no networking, no sudo, no su" +msgstr "" + +#: ../gui/polgen.glade:497 ../gui/polgen.py:163 +msgid "Minimal X Windows User Role" +msgstr "" + +#: ../gui/polgen.glade:516 +msgid "" +"User with full networking, no setuid applications without transition, no " +"sudo, no su." +msgstr "" + +#: ../gui/polgen.glade:518 ../gui/polgen.py:164 +msgid "User Role" +msgstr "" + +#: ../gui/polgen.glade:537 +msgid "" +"User with full networking, no setuid applications without transition, no su, " +"can sudo to Root Administration Roles" +msgstr "" + +#: ../gui/polgen.glade:539 ../gui/polgen.py:165 +msgid "Admin User Role" +msgstr "" + +#: ../gui/polgen.glade:585 +msgid "Root Users" +msgstr "" + +#: ../gui/polgen.glade:647 +msgid "" +"Select Root Administrator User Role, if this user will be used to administer " +"the machine while running as root. This user will not be able to login to " +"the system directly." +msgstr "" + +#: ../gui/polgen.glade:649 ../gui/polgen.py:166 +msgid "Root Admin User Role" +msgstr "" + +#: ../gui/polgen.glade:716 +msgid "label104" +msgstr "" + +#: ../gui/polgen.glade:745 +msgid "Enter name of application or user role:" +msgstr "" + +#: ../gui/polgen.glade:779 ../gui/polgengui.py:251 +msgid "Name" +msgstr "" + +#: ../gui/polgen.glade:807 +msgid "Enter complete path for executable to be confined." +msgstr "" + +#: ../gui/polgen.glade:830 ../gui/polgen.glade:950 ../gui/polgen.glade:3142 +msgid "..." +msgstr "" + +#: ../gui/polgen.glade:849 +msgid "Enter unique name for the confined application or user role." +msgstr "" + +#: ../gui/polgen.glade:871 +msgid "Executable" +msgstr "" + +#: ../gui/polgen.glade:899 +msgid "Init script" +msgstr "" + +#: ../gui/polgen.glade:927 +msgid "" +"Enter complete path to init script used to start the confined application." +msgstr "" + +#: ../gui/polgen.glade:982 +msgid "label105" +msgstr "" + +#: ../gui/polgen.glade:1011 +msgid "Select existing role to modify:" +msgstr "" + +#: ../gui/polgen.glade:1045 +msgid "Select the user roles that will transiton to the %s domain." +msgstr "" + +#: ../gui/polgen.glade:1073 +msgid "label106" +msgstr "" + +#: ../gui/polgen.glade:1102 +msgid "Select roles that %s will transition to:" +msgstr "" + +#: ../gui/polgen.glade:1136 +msgid "Select applications domains that %s will transition to." +msgstr "" + +#: ../gui/polgen.glade:1164 +msgid "label107" +msgstr "" + +#: ../gui/polgen.glade:1193 +msgid "Select the user_roles that will transition to %s:" +msgstr "" + +#: ../gui/polgen.glade:1227 +msgid "Select the user roles that will transiton to this applications domains." +msgstr "" + +#: ../gui/polgen.glade:1255 +msgid "label108" +msgstr "" + +#: ../gui/polgen.glade:1284 +msgid "Select domains that %s will administer:" +msgstr "" + +#: ../gui/polgen.glade:1318 ../gui/polgen.glade:1409 +msgid "Select the domains that you would like this user administer." +msgstr "" + +#: ../gui/polgen.glade:1346 +msgid "label109" +msgstr "" + +#: ../gui/polgen.glade:1375 +msgid "Select additional roles for %s:" +msgstr "" + +#: ../gui/polgen.glade:1437 +msgid "label111" +msgstr "" + +#: ../gui/polgen.glade:1466 +msgid "Enter network ports that %s binds on:" +msgstr "" + +#: ../gui/polgen.glade:1497 ../gui/polgen.glade:1997 +msgid "TCP Ports" +msgstr "" + +#: ../gui/polgen.glade:1565 ../gui/polgen.glade:1785 +msgid "Allows %s to bind to any udp port" +msgstr "" + +#: ../gui/polgen.glade:1567 ../gui/polgen.glade:1787 ../gui/polgen.glade:2061 +#: ../gui/polgen.glade:2215 +msgid "All" +msgstr "" + +#: ../gui/polgen.glade:1585 ../gui/polgen.glade:1805 +msgid "Allow %s to call bindresvport with 0. Binding to port 600-1024" +msgstr "" + +#: ../gui/polgen.glade:1587 ../gui/polgen.glade:1807 +msgid "600-1024" +msgstr "" + +#: ../gui/polgen.glade:1605 ../gui/polgen.glade:1825 +msgid "" +"Enter a comma separated list of udp ports or ranges of ports that %s binds " +"to. Example: 612, 650-660" +msgstr "" + +#: ../gui/polgen.glade:1607 ../gui/polgen.glade:1827 +msgid "Unreserved Ports (>1024)" +msgstr "" + +#: ../gui/polgen.glade:1638 ../gui/polgen.glade:1858 ../gui/polgen.glade:2079 +#: ../gui/polgen.glade:2233 +msgid "Select Ports" +msgstr "" + +#: ../gui/polgen.glade:1663 ../gui/polgen.glade:1883 +msgid "Allows %s to bind to any udp ports > 1024" +msgstr "" + +#: ../gui/polgen.glade:1717 ../gui/polgen.glade:2151 +msgid "UDP Ports" +msgstr "" + +#: ../gui/polgen.glade:1937 +msgid "label113" +msgstr "" + +#: ../gui/polgen.glade:1966 +msgid "Select network ports that %s connects to:" +msgstr "" + +#: ../gui/polgen.glade:2058 +msgid "Allows %s to connect to any tcp port" +msgstr "" + +#: ../gui/polgen.glade:2104 +msgid "" +"Enter a comma separated list of tcp ports or ranges of ports that %s " +"connects to. Example: 612, 650-660" +msgstr "" + +#: ../gui/polgen.glade:2212 +msgid "Allows %s to connect to any udp port" +msgstr "" + +#: ../gui/polgen.glade:2258 +msgid "" +"Enter a comma separated list of udp ports or ranges of ports that %s " +"connects to. Example: 612, 650-660" +msgstr "" + +#: ../gui/polgen.glade:2305 +msgid "label114" +msgstr "" + +#: ../gui/polgen.glade:2334 +msgid "Select common application traits for %s:" +msgstr "" + +#: ../gui/polgen.glade:2366 +msgid "Writes syslog messages\t" +msgstr "" + +#: ../gui/polgen.glade:2385 +msgid "Create/Manipulate temporary files in /tmp" +msgstr "" + +#: ../gui/polgen.glade:2404 +msgid "Uses Pam for authentication" +msgstr "" + +#: ../gui/polgen.glade:2423 +msgid "Uses nsswitch or getpw* calls" +msgstr "" + +#: ../gui/polgen.glade:2442 +msgid "Uses dbus" +msgstr "" + +#: ../gui/polgen.glade:2461 +msgid "Sends audit messages" +msgstr "" + +#: ../gui/polgen.glade:2480 +msgid "Interacts with the terminal" +msgstr "" + +#: ../gui/polgen.glade:2499 +msgid "Sends email" +msgstr "" + +#: ../gui/polgen.glade:2530 +msgid "label115" +msgstr "" + +#: ../gui/polgen.glade:2559 +msgid "Add files/directories that %s manages" +msgstr "" + +#: ../gui/polgen.glade:2788 +msgid "" +"Files/Directories which the %s \"manages\". Pid Files, Log Files, /var/lib " +"Files ..." +msgstr "" + +#: ../gui/polgen.glade:2823 +msgid "label116" +msgstr "" + +#: ../gui/polgen.glade:2852 +msgid "Add booleans from the %s policy:" +msgstr "" + +#: ../gui/polgen.glade:3002 +msgid "Add/Remove booleans used by the %s domain" +msgstr "" + +#: ../gui/polgen.glade:3066 +msgid "Which directory you will generate the %s policy?" +msgstr "" + +#: ../gui/polgen.glade:3097 +msgid "Policy Directory" +msgstr "" + +#: ../gui/polgen.glade:3254 +msgid "Add Booleans Dialog" +msgstr "" + +#: ../gui/polgen.glade:3327 +msgid "Boolean Name" +msgstr "" + +#: ../gui/polgengui.py:261 +msgid "Role" +msgstr "" + +#: ../gui/polgengui.py:268 +msgid "Existing_User" +msgstr "" + +#: ../gui/polgengui.py:282 ../gui/polgengui.py:290 ../gui/polgengui.py:304 +msgid "Application" +msgstr "" + +#: ../gui/polgengui.py:352 +#, python-format +msgid "%s must be a directory" +msgstr "" + +#: ../gui/polgengui.py:412 ../gui/polgengui.py:693 +msgid "You must select a user" +msgstr "" + +#: ../gui/polgengui.py:542 +msgid "Select executable file to be confined." +msgstr "" + +#: ../gui/polgengui.py:553 +msgid "Select init script file to be confined." +msgstr "" + +#: ../gui/polgengui.py:563 +msgid "Select file(s) that confined application creates or writes" +msgstr "" + +#: ../gui/polgengui.py:570 +msgid "Select directory(s) that the confined application owns and writes into" +msgstr "" + +#: ../gui/polgengui.py:632 +msgid "Select directory to generate policy files in" +msgstr "" + +#: ../gui/polgengui.py:649 +#, python-format +msgid "" +"Type %s_t already defined in current policy.\n" +"Do you want to continue?" +msgstr "" + +#: ../gui/polgengui.py:649 ../gui/polgengui.py:653 +msgid "Verify Name" +msgstr "" + +#: ../gui/polgengui.py:653 +#, python-format +msgid "" +"Module %s.pp already loaded in current policy.\n" +"Do you want to continue?" +msgstr "" + +#: ../gui/polgengui.py:699 +msgid "" +"You must add a name made up of letters and numbers and containing no spaces." +msgstr "" + +#: ../gui/polgengui.py:713 +msgid "You must enter a executable" +msgstr "" + +#: ../gui/polgengui.py:738 ../gui/system-config-selinux.py:174 +msgid "Configue SELinux" +msgstr "" + +#: ../gui/polgen.py:158 +msgid "Internet Services Daemon" +msgstr "" + +#: ../gui/polgen.py:197 +#, python-format +msgid "Ports must be numbers or ranges of numbers from 1 to %d " +msgstr "" + +#: ../gui/polgen.py:324 +msgid "You must enter a name for your confined process/user" +msgstr "" + +#: ../gui/polgen.py:326 +msgid "" +"Name must be alpha numberic with no spaces. Consider using option \"-n " +"MODULENAME\"" +msgstr "" + +#: ../gui/polgen.py:414 +msgid "User Role types can not be assigned executables." +msgstr "" + +#: ../gui/polgen.py:420 +msgid "Only Daemon apps can use an init script.." +msgstr "" + +#: ../gui/polgen.py:438 +msgid "use_resolve must be a boolean value " +msgstr "" + +#: ../gui/polgen.py:444 +msgid "use_syslog must be a boolean value " +msgstr "" + +#: ../gui/polgen.py:450 +msgid "use_kerberos must be a boolean value " +msgstr "" + +#: ../gui/polgen.py:456 +msgid "manage_krb5_rcache must be a boolean value " +msgstr "" + +#: ../gui/polgen.py:486 +msgid "USER Types automatically get a tmp type" +msgstr "" + +#: ../gui/polgen.py:1004 +msgid "You must enter the executable path for your confined process" +msgstr "" + +#: ../gui/polgen.py:1182 +msgid "Type Enforcement file" +msgstr "" + +#: ../gui/polgen.py:1183 +msgid "Interface file" +msgstr "" + +#: ../gui/polgen.py:1184 +msgid "File Contexts file" +msgstr "" + +#: ../gui/polgen.py:1185 +msgid "Setup Script" +msgstr "" + +#: ../gui/polgen.py:1306 +#, python-format +msgid "" +"\n" +"%s\n" +"\n" +"sepolgen [ -n moduleName ] [ -m ] [ -t type ] [ executable | Name ]\n" +"valid Types:\n" +msgstr "" + +#: ../gui/polgen.py:1354 +msgid "Executable or Name required" +msgstr "" + +#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528 +msgid "Network Port" +msgstr "" + +#: ../gui/portsPage.py:85 +msgid "" +"SELinux Port\n" +"Type" +msgstr "" + +#: ../gui/portsPage.py:91 ../gui/system-config-selinux.glade:363 +msgid "Protocol" +msgstr "" + +#: ../gui/portsPage.py:96 ../gui/system-config-selinux.glade:479 +msgid "" +"MLS/MCS\n" +"Level" +msgstr "" + +#: ../gui/portsPage.py:101 +msgid "Port" +msgstr "" + +#: ../gui/portsPage.py:207 +#, python-format +msgid "Port number \"%s\" is not valid. 0 < PORT_NUMBER < 65536 " +msgstr "" + +#: ../gui/portsPage.py:252 +msgid "List View" +msgstr "" + +#: ../gui/portsPage.py:255 ../gui/system-config-selinux.glade:2419 +msgid "Group View" +msgstr "" + +#: ../gui/selinux.tbl:1 ../gui/selinux.tbl:30 ../gui/selinux.tbl:31 +#: ../gui/selinux.tbl:32 ../gui/selinux.tbl:33 ../gui/selinux.tbl:34 +#: ../gui/selinux.tbl:36 ../gui/selinux.tbl:37 ../gui/selinux.tbl:38 +#: ../gui/selinux.tbl:39 ../gui/selinux.tbl:40 ../gui/selinux.tbl:42 +#: ../gui/selinux.tbl:43 ../gui/selinux.tbl:44 ../gui/selinux.tbl:45 +#: ../gui/selinux.tbl:46 ../gui/selinux.tbl:47 ../gui/selinux.tbl:48 +#: ../gui/selinux.tbl:49 ../gui/selinux.tbl:50 ../gui/selinux.tbl:51 +#: ../gui/selinux.tbl:52 ../gui/selinux.tbl:53 ../gui/selinux.tbl:59 +#: ../gui/selinux.tbl:60 ../gui/selinux.tbl:61 ../gui/selinux.tbl:62 +#: ../gui/selinux.tbl:63 ../gui/selinux.tbl:64 ../gui/selinux.tbl:65 +#: ../gui/selinux.tbl:66 ../gui/selinux.tbl:67 ../gui/selinux.tbl:68 +#: ../gui/selinux.tbl:69 ../gui/selinux.tbl:75 ../gui/selinux.tbl:76 +#: ../gui/selinux.tbl:77 ../gui/selinux.tbl:78 ../gui/selinux.tbl:79 +#: ../gui/selinux.tbl:80 ../gui/selinux.tbl:81 ../gui/selinux.tbl:82 +#: ../gui/selinux.tbl:83 ../gui/selinux.tbl:84 ../gui/selinux.tbl:86 +#: ../gui/selinux.tbl:88 ../gui/selinux.tbl:89 ../gui/selinux.tbl:90 +#: ../gui/selinux.tbl:92 ../gui/selinux.tbl:94 ../gui/selinux.tbl:95 +#: ../gui/selinux.tbl:96 ../gui/selinux.tbl:97 ../gui/selinux.tbl:98 +#: ../gui/selinux.tbl:99 ../gui/selinux.tbl:100 ../gui/selinux.tbl:101 +#: ../gui/selinux.tbl:102 ../gui/selinux.tbl:103 ../gui/selinux.tbl:104 +#: ../gui/selinux.tbl:106 ../gui/selinux.tbl:108 ../gui/selinux.tbl:109 +#: ../gui/selinux.tbl:110 ../gui/selinux.tbl:111 ../gui/selinux.tbl:112 +#: ../gui/selinux.tbl:113 ../gui/selinux.tbl:114 ../gui/selinux.tbl:116 +#: ../gui/selinux.tbl:117 ../gui/selinux.tbl:119 ../gui/selinux.tbl:121 +#: ../gui/selinux.tbl:123 ../gui/selinux.tbl:124 ../gui/selinux.tbl:127 +#: ../gui/selinux.tbl:129 ../gui/selinux.tbl:130 ../gui/selinux.tbl:131 +#: ../gui/selinux.tbl:132 ../gui/selinux.tbl:133 ../gui/selinux.tbl:134 +#: ../gui/selinux.tbl:135 ../gui/selinux.tbl:136 ../gui/selinux.tbl:137 +#: ../gui/selinux.tbl:138 ../gui/selinux.tbl:139 ../gui/selinux.tbl:142 +#: ../gui/selinux.tbl:143 ../gui/selinux.tbl:144 ../gui/selinux.tbl:145 +#: ../gui/selinux.tbl:146 ../gui/selinux.tbl:147 ../gui/selinux.tbl:148 +#: ../gui/selinux.tbl:149 ../gui/selinux.tbl:150 ../gui/selinux.tbl:151 +#: ../gui/selinux.tbl:152 ../gui/selinux.tbl:154 ../gui/selinux.tbl:155 +#: ../gui/selinux.tbl:156 ../gui/selinux.tbl:157 ../gui/selinux.tbl:158 +#: ../gui/selinux.tbl:159 ../gui/selinux.tbl:160 ../gui/selinux.tbl:167 +#: ../gui/selinux.tbl:171 ../gui/selinux.tbl:172 ../gui/selinux.tbl:173 +#: ../gui/selinux.tbl:174 ../gui/selinux.tbl:175 ../gui/selinux.tbl:177 +#: ../gui/selinux.tbl:178 ../gui/selinux.tbl:179 ../gui/selinux.tbl:180 +#: ../gui/selinux.tbl:184 ../gui/selinux.tbl:192 ../gui/selinux.tbl:193 +#: ../gui/selinux.tbl:194 ../gui/selinux.tbl:195 ../gui/selinux.tbl:196 +#: ../gui/selinux.tbl:197 ../gui/selinux.tbl:198 ../gui/selinux.tbl:199 +#: ../gui/selinux.tbl:200 ../gui/selinux.tbl:201 ../gui/selinux.tbl:206 +#: ../gui/selinux.tbl:207 ../gui/selinux.tbl:218 ../gui/selinux.tbl:219 +#: ../gui/selinux.tbl:220 ../gui/selinux.tbl:222 ../gui/selinux.tbl:224 +#: ../gui/selinux.tbl:226 ../gui/selinux.tbl:227 ../gui/selinux.tbl:230 +msgid "SELinux Service Protection" +msgstr "" + +#: ../gui/selinux.tbl:1 +msgid "Disable SELinux protection for acct daemon" +msgstr "" + +#: ../gui/selinux.tbl:2 ../gui/selinux.tbl:3 ../gui/selinux.tbl:70 +#: ../gui/selinux.tbl:153 ../gui/selinux.tbl:168 ../gui/selinux.tbl:169 +#: ../gui/selinux.tbl:170 ../gui/selinux.tbl:189 ../gui/selinux.tbl:202 +#: ../gui/selinux.tbl:203 ../gui/selinux.tbl:204 ../gui/selinux.tbl:205 +msgid "Admin" +msgstr "" + +#: ../gui/selinux.tbl:2 +msgid "Allow all daemons to write corefiles to /" +msgstr "" + +#: ../gui/selinux.tbl:3 +msgid "Allow all daemons the ability to use unallocated ttys" +msgstr "" + +#: ../gui/selinux.tbl:4 ../gui/selinux.tbl:5 ../gui/selinux.tbl:11 +#: ../gui/selinux.tbl:12 ../gui/selinux.tbl:13 ../gui/selinux.tbl:15 +#: ../gui/selinux.tbl:20 ../gui/selinux.tbl:41 ../gui/selinux.tbl:208 +#: ../gui/selinux.tbl:210 ../gui/selinux.tbl:211 ../gui/selinux.tbl:212 +#: ../gui/selinux.tbl:213 ../gui/selinux.tbl:214 ../gui/selinux.tbl:215 +#: ../gui/selinux.tbl:216 ../gui/selinux.tbl:217 +msgid "User Privs" +msgstr "" + +#: ../gui/selinux.tbl:4 +msgid "" +"Allow gadmin SELinux user account to execute files in home directory or /tmp" +msgstr "" + +#: ../gui/selinux.tbl:5 +msgid "" +"Allow guest SELinux user account to execute files in home directory or /tmp" +msgstr "" + +#: ../gui/selinux.tbl:6 ../gui/selinux.tbl:9 ../gui/selinux.tbl:16 +msgid "Memory Protection" +msgstr "" + +#: ../gui/selinux.tbl:6 +msgid "Allow java executable stack" +msgstr "" + +#: ../gui/selinux.tbl:7 ../gui/selinux.tbl:8 ../gui/selinux.tbl:35 +#: ../gui/selinux.tbl:209 +msgid "Mount" +msgstr "" + +#: ../gui/selinux.tbl:7 +msgid "Allow mount to mount any file" +msgstr "" + +#: ../gui/selinux.tbl:8 +msgid "Allow mount to mount any directory" +msgstr "" + +#: ../gui/selinux.tbl:9 +msgid "Allow mplayer executable stack" +msgstr "" + +#: ../gui/selinux.tbl:10 ../gui/selinux.tbl:162 ../gui/selinux.tbl:187 +#: ../gui/selinux.tbl:188 +msgid "SSH" +msgstr "" + +#: ../gui/selinux.tbl:10 +msgid "Allow ssh to run ssh-keysign" +msgstr "" + +#: ../gui/selinux.tbl:11 +msgid "" +"Allow staff SELinux user account to execute files in home directory or /tmp" +msgstr "" + +#: ../gui/selinux.tbl:12 +msgid "" +"Allow sysadm SELinux user account to execute files in home directory or /tmp" +msgstr "" + +#: ../gui/selinux.tbl:13 +msgid "" +"Allow unconfined SELinux user account to execute files in home directory or /" +"tmp" +msgstr "" + +#: ../gui/selinux.tbl:14 +msgid "Network Configuration" +msgstr "" + +#: ../gui/selinux.tbl:14 +msgid "Allow unlabeled packets to flow on the network" +msgstr "" + +#: ../gui/selinux.tbl:15 +msgid "" +"Allow user SELinux user account to execute files in home directory or /tmp" +msgstr "" + +#: ../gui/selinux.tbl:16 +msgid "Allow unconfined to dyntrans to unconfined_execmem" +msgstr "" + +#: ../gui/selinux.tbl:17 ../gui/selinux.tbl:18 ../gui/selinux.tbl:120 +#: ../gui/selinux.tbl:140 +msgid "Databases" +msgstr "" + +#: ../gui/selinux.tbl:17 +msgid "Allow user to connect to mysql socket" +msgstr "" + +#: ../gui/selinux.tbl:18 +msgid "Allow user to connect to postgres socket" +msgstr "" + +#: ../gui/selinux.tbl:19 ../gui/selinux.tbl:165 ../gui/selinux.tbl:223 +msgid "XServer" +msgstr "" + +#: ../gui/selinux.tbl:19 +msgid "Allow clients to write to X shared memory" +msgstr "" + +#: ../gui/selinux.tbl:20 +msgid "" +"Allow xguest SELinux user account to execute files in home directory or /tmp" +msgstr "" + +#: ../gui/selinux.tbl:21 ../gui/selinux.tbl:228 ../gui/selinux.tbl:229 +#: ../gui/selinux.tbl:231 +msgid "NIS" +msgstr "" + +#: ../gui/selinux.tbl:21 +msgid "Allow daemons to run with NIS" +msgstr "" + +#: ../gui/selinux.tbl:22 ../gui/selinux.tbl:23 ../gui/selinux.tbl:24 +#: ../gui/selinux.tbl:25 ../gui/selinux.tbl:26 ../gui/selinux.tbl:27 +#: ../gui/selinux.tbl:28 ../gui/selinux.tbl:29 ../gui/selinux.tbl:71 +#: ../gui/selinux.tbl:73 ../gui/selinux.tbl:74 ../gui/selinux.tbl:115 +#: ../gui/selinux.tbl:118 +msgid "Web Applications" +msgstr "" + +#: ../gui/selinux.tbl:22 +msgid "Transition staff SELinux user to Web Browser Domain" +msgstr "" + +#: ../gui/selinux.tbl:23 +msgid "Transition sysadm SELinux user to Web Browser Domain" +msgstr "" + +#: ../gui/selinux.tbl:24 +msgid "Transition user SELinux user to Web Browser Domain" +msgstr "" + +#: ../gui/selinux.tbl:25 +msgid "Transition xguest SELinux user to Web Browser Domain" +msgstr "" + +#: ../gui/selinux.tbl:26 ../gui/selinux.tbl:27 ../gui/selinux.tbl:28 +#: ../gui/selinux.tbl:29 +msgid "Allow staff Web Browsers to write to home directories" +msgstr "" + +#: ../gui/selinux.tbl:30 +msgid "Disable SELinux protection for amanda" +msgstr "" + +#: ../gui/selinux.tbl:31 +msgid "Disable SELinux protection for amavis" +msgstr "" + +#: ../gui/selinux.tbl:32 +msgid "Disable SELinux protection for apmd daemon" +msgstr "" + +#: ../gui/selinux.tbl:33 +msgid "Disable SELinux protection for arpwatch daemon" +msgstr "" + +#: ../gui/selinux.tbl:34 +msgid "Disable SELinux protection for auditd daemon" +msgstr "" + +#: ../gui/selinux.tbl:35 +msgid "Disable SELinux protection for automount daemon" +msgstr "" + +#: ../gui/selinux.tbl:36 +msgid "Disable SELinux protection for avahi" +msgstr "" + +#: ../gui/selinux.tbl:37 +msgid "Disable SELinux protection for bluetooth daemon" +msgstr "" + +#: ../gui/selinux.tbl:38 +msgid "Disable SELinux protection for canna daemon" +msgstr "" + +#: ../gui/selinux.tbl:39 +msgid "Disable SELinux protection for cardmgr daemon" +msgstr "" + +#: ../gui/selinux.tbl:40 +msgid "Disable SELinux protection for Cluster Server" +msgstr "" + +#: ../gui/selinux.tbl:41 +msgid "" +"Allow cdrecord to read various content. nfs, samba, removable devices, user " +"temp and untrusted content files" +msgstr "" + +#: ../gui/selinux.tbl:42 +msgid "Disable SELinux protection for ciped daemon" +msgstr "" + +#: ../gui/selinux.tbl:43 +msgid "Disable SELinux protection for clamd daemon" +msgstr "" + +#: ../gui/selinux.tbl:44 +msgid "Disable SELinux protection for clamscan" +msgstr "" + +#: ../gui/selinux.tbl:45 +msgid "Disable SELinux protection for clvmd" +msgstr "" + +#: ../gui/selinux.tbl:46 +msgid "Disable SELinux protection for comsat daemon" +msgstr "" + +#: ../gui/selinux.tbl:47 ../gui/selinux.tbl:48 ../gui/selinux.tbl:49 +#: ../gui/selinux.tbl:50 ../gui/selinux.tbl:51 +msgid "Disable SELinux protection for courier daemon" +msgstr "" + +#: ../gui/selinux.tbl:52 +msgid "Disable SELinux protection for cpucontrol daemon" +msgstr "" + +#: ../gui/selinux.tbl:53 +msgid "Disable SELinux protection for cpuspeed daemon" +msgstr "" + +#: ../gui/selinux.tbl:54 +msgid "Cron" +msgstr "" + +#: ../gui/selinux.tbl:54 +msgid "Disable SELinux protection for crond daemon" +msgstr "" + +#: ../gui/selinux.tbl:55 ../gui/selinux.tbl:56 ../gui/selinux.tbl:57 +#: ../gui/selinux.tbl:91 +msgid "Printing" +msgstr "" + +#: ../gui/selinux.tbl:55 +msgid "Disable SELinux protection for cupsd back end server" +msgstr "" + +#: ../gui/selinux.tbl:56 +msgid "Disable SELinux protection for cupsd daemon" +msgstr "" + +#: ../gui/selinux.tbl:57 +msgid "Disable SELinux protection for cupsd_lpd" +msgstr "" + +#: ../gui/selinux.tbl:58 +msgid "CVS" +msgstr "" + +#: ../gui/selinux.tbl:58 +msgid "Disable SELinux protection for cvs daemon" +msgstr "" + +#: ../gui/selinux.tbl:59 +msgid "Disable SELinux protection for cyrus daemon" +msgstr "" + +#: ../gui/selinux.tbl:60 +msgid "Disable SELinux protection for dbskkd daemon" +msgstr "" + +#: ../gui/selinux.tbl:61 +msgid "Disable SELinux protection for dbusd daemon" +msgstr "" + +#: ../gui/selinux.tbl:62 +msgid "Disable SELinux protection for dccd" +msgstr "" + +#: ../gui/selinux.tbl:63 +msgid "Disable SELinux protection for dccifd" +msgstr "" + +#: ../gui/selinux.tbl:64 +msgid "Disable SELinux protection for dccm" +msgstr "" + +#: ../gui/selinux.tbl:65 +msgid "Disable SELinux protection for ddt daemon" +msgstr "" + +#: ../gui/selinux.tbl:66 +msgid "Disable SELinux protection for devfsd daemon" +msgstr "" + +#: ../gui/selinux.tbl:67 +msgid "Disable SELinux protection for dhcpc daemon" +msgstr "" + +#: ../gui/selinux.tbl:68 +msgid "Disable SELinux protection for dhcpd daemon" +msgstr "" + +#: ../gui/selinux.tbl:69 +msgid "Disable SELinux protection for dictd daemon" +msgstr "" + +#: ../gui/selinux.tbl:70 +msgid "Allow sysadm_t to directly start daemons" +msgstr "" + +#: ../gui/selinux.tbl:71 +msgid "Disable SELinux protection for Evolution" +msgstr "" + +#: ../gui/selinux.tbl:72 +msgid "Games" +msgstr "" + +#: ../gui/selinux.tbl:72 +msgid "Disable SELinux protection for games" +msgstr "" + +#: ../gui/selinux.tbl:73 +msgid "Disable SELinux protection for the web browsers" +msgstr "" + +#: ../gui/selinux.tbl:74 +msgid "Disable SELinux protection for Thunderbird" +msgstr "" + +#: ../gui/selinux.tbl:75 +msgid "Disable SELinux protection for distccd daemon" +msgstr "" + +#: ../gui/selinux.tbl:76 +msgid "Disable SELinux protection for dmesg daemon" +msgstr "" + +#: ../gui/selinux.tbl:77 +msgid "Disable SELinux protection for dnsmasq daemon" +msgstr "" + +#: ../gui/selinux.tbl:78 +msgid "Disable SELinux protection for dovecot daemon" +msgstr "" + +#: ../gui/selinux.tbl:79 +msgid "Disable SELinux protection for entropyd daemon" +msgstr "" + +#: ../gui/selinux.tbl:80 +msgid "Disable SELinux protection for fetchmail" +msgstr "" + +#: ../gui/selinux.tbl:81 +msgid "Disable SELinux protection for fingerd daemon" +msgstr "" + +#: ../gui/selinux.tbl:82 +msgid "Disable SELinux protection for freshclam daemon" +msgstr "" + +#: ../gui/selinux.tbl:83 +msgid "Disable SELinux protection for fsdaemon daemon" +msgstr "" + +#: ../gui/selinux.tbl:84 +msgid "Disable SELinux protection for gpm daemon" +msgstr "" + +#: ../gui/selinux.tbl:85 ../gui/selinux.tbl:125 +msgid "NFS" +msgstr "" + +#: ../gui/selinux.tbl:85 +msgid "Disable SELinux protection for gss daemon" +msgstr "" + +#: ../gui/selinux.tbl:86 +msgid "Disable SELinux protection for Hal daemon" +msgstr "" + +#: ../gui/selinux.tbl:87 +msgid "Compatibility" +msgstr "" + +#: ../gui/selinux.tbl:87 +msgid "" +"Do not audit things that we know to be broken but which are not security " +"risks" +msgstr "" + +#: ../gui/selinux.tbl:88 +msgid "Disable SELinux protection for hostname daemon" +msgstr "" + +#: ../gui/selinux.tbl:89 +msgid "Disable SELinux protection for hotplug daemon" +msgstr "" + +#: ../gui/selinux.tbl:90 +msgid "Disable SELinux protection for howl daemon" +msgstr "" + +#: ../gui/selinux.tbl:91 +msgid "Disable SELinux protection for cups hplip daemon" +msgstr "" + +#: ../gui/selinux.tbl:92 +msgid "Disable SELinux protection for httpd rotatelogs" +msgstr "" + +#: ../gui/selinux.tbl:93 ../gui/selinux.tbl:232 ../gui/selinux.tbl:233 +msgid "HTTPD Service" +msgstr "" + +#: ../gui/selinux.tbl:93 +msgid "Disable SELinux protection for http suexec" +msgstr "" + +#: ../gui/selinux.tbl:94 +msgid "Disable SELinux protection for hwclock daemon" +msgstr "" + +#: ../gui/selinux.tbl:95 +msgid "Disable SELinux protection for i18n daemon" +msgstr "" + +#: ../gui/selinux.tbl:96 +msgid "Disable SELinux protection for imazesrv daemon" +msgstr "" + +#: ../gui/selinux.tbl:97 +msgid "Disable SELinux protection for inetd child daemons" +msgstr "" + +#: ../gui/selinux.tbl:98 +msgid "Disable SELinux protection for inetd daemon" +msgstr "" + +#: ../gui/selinux.tbl:99 +msgid "Disable SELinux protection for innd daemon" +msgstr "" + +#: ../gui/selinux.tbl:100 +msgid "Disable SELinux protection for iptables daemon" +msgstr "" + +#: ../gui/selinux.tbl:101 +msgid "Disable SELinux protection for ircd daemon" +msgstr "" + +#: ../gui/selinux.tbl:102 +msgid "Disable SELinux protection for irqbalance daemon" +msgstr "" + +#: ../gui/selinux.tbl:103 +msgid "Disable SELinux protection for iscsi daemon" +msgstr "" + +#: ../gui/selinux.tbl:104 +msgid "Disable SELinux protection for jabberd daemon" +msgstr "" + +#: ../gui/selinux.tbl:105 ../gui/selinux.tbl:107 +msgid "Kerberos" +msgstr "" + +#: ../gui/selinux.tbl:105 +msgid "Disable SELinux protection for kadmind daemon" +msgstr "" + +#: ../gui/selinux.tbl:106 +msgid "Disable SELinux protection for klogd daemon" +msgstr "" + +#: ../gui/selinux.tbl:107 +msgid "Disable SELinux protection for krb5kdc daemon" +msgstr "" + +#: ../gui/selinux.tbl:108 +msgid "Disable SELinux protection for ktalk daemons" +msgstr "" + +#: ../gui/selinux.tbl:109 +msgid "Disable SELinux protection for kudzu daemon" +msgstr "" + +#: ../gui/selinux.tbl:110 +msgid "Disable SELinux protection for locate daemon" +msgstr "" + +#: ../gui/selinux.tbl:111 +msgid "Disable SELinux protection for lpd daemon" +msgstr "" + +#: ../gui/selinux.tbl:112 +msgid "Disable SELinux protection for lrrd daemon" +msgstr "" + +#: ../gui/selinux.tbl:113 +msgid "Disable SELinux protection for lvm daemon" +msgstr "" + +#: ../gui/selinux.tbl:114 +msgid "Disable SELinux protection for mailman" +msgstr "" + +#: ../gui/selinux.tbl:115 +msgid "Allow evolution and thunderbird to read user files" +msgstr "" + +#: ../gui/selinux.tbl:116 +msgid "Disable SELinux protection for mdadm daemon" +msgstr "" + +#: ../gui/selinux.tbl:117 +msgid "Disable SELinux protection for monopd daemon" +msgstr "" + +#: ../gui/selinux.tbl:118 +msgid "Allow the mozilla browser to read user files" +msgstr "" + +#: ../gui/selinux.tbl:119 +msgid "Disable SELinux protection for mrtg daemon" +msgstr "" + +#: ../gui/selinux.tbl:120 +msgid "Disable SELinux protection for mysqld daemon" +msgstr "" + +#: ../gui/selinux.tbl:121 +msgid "Disable SELinux protection for nagios daemon" +msgstr "" + +#: ../gui/selinux.tbl:122 ../gui/selinux.tbl:128 +msgid "Name Service" +msgstr "" + +#: ../gui/selinux.tbl:122 +msgid "Disable SELinux protection for named daemon" +msgstr "" + +#: ../gui/selinux.tbl:123 +msgid "Disable SELinux protection for nessusd daemon" +msgstr "" + +#: ../gui/selinux.tbl:124 +msgid "Disable SELinux protection for NetworkManager" +msgstr "" + +#: ../gui/selinux.tbl:125 +msgid "Disable SELinux protection for nfsd daemon" +msgstr "" + +#: ../gui/selinux.tbl:126 ../gui/selinux.tbl:163 ../gui/selinux.tbl:176 +#: ../gui/selinux.tbl:221 +msgid "Samba" +msgstr "" + +#: ../gui/selinux.tbl:126 +msgid "Disable SELinux protection for nmbd daemon" +msgstr "" + +#: ../gui/selinux.tbl:127 +msgid "Disable SELinux protection for nrpe daemon" +msgstr "" + +#: ../gui/selinux.tbl:128 +msgid "Disable SELinux protection for nscd daemon" +msgstr "" + +#: ../gui/selinux.tbl:129 +msgid "Disable SELinux protection for nsd daemon" +msgstr "" + +#: ../gui/selinux.tbl:130 +msgid "Disable SELinux protection for ntpd daemon" +msgstr "" + +#: ../gui/selinux.tbl:131 +msgid "Disable SELinux protection for oddjob" +msgstr "" + +#: ../gui/selinux.tbl:132 +msgid "Disable SELinux protection for oddjob_mkhomedir" +msgstr "" + +#: ../gui/selinux.tbl:133 +msgid "Disable SELinux protection for openvpn daemon" +msgstr "" + +#: ../gui/selinux.tbl:134 +msgid "Disable SELinux protection for pam daemon" +msgstr "" + +#: ../gui/selinux.tbl:135 +msgid "Disable SELinux protection for pegasus" +msgstr "" + +#: ../gui/selinux.tbl:136 +msgid "Disable SELinux protection for perdition daemon" +msgstr "" + +#: ../gui/selinux.tbl:137 +msgid "Disable SELinux protection for portmap daemon" +msgstr "" + +#: ../gui/selinux.tbl:138 +msgid "Disable SELinux protection for portslave daemon" +msgstr "" + +#: ../gui/selinux.tbl:139 +msgid "Disable SELinux protection for postfix" +msgstr "" + +#: ../gui/selinux.tbl:140 +msgid "Disable SELinux protection for postgresql daemon" +msgstr "" + +#: ../gui/selinux.tbl:141 +msgid "pppd" +msgstr "" + +#: ../gui/selinux.tbl:141 +msgid "Allow pppd to be run for a regular user" +msgstr "" + +#: ../gui/selinux.tbl:142 +msgid "Disable SELinux protection for pptp" +msgstr "" + +#: ../gui/selinux.tbl:143 +msgid "Disable SELinux protection for prelink daemon" +msgstr "" + +#: ../gui/selinux.tbl:144 +msgid "Disable SELinux protection for privoxy daemon" +msgstr "" + +#: ../gui/selinux.tbl:145 +msgid "Disable SELinux protection for ptal daemon" +msgstr "" + +#: ../gui/selinux.tbl:146 +msgid "Disable SELinux protection for pxe daemon" +msgstr "" + +#: ../gui/selinux.tbl:147 +msgid "Disable SELinux protection for pyzord" +msgstr "" + +#: ../gui/selinux.tbl:148 +msgid "Disable SELinux protection for quota daemon" +msgstr "" + +#: ../gui/selinux.tbl:149 +msgid "Disable SELinux protection for radiusd daemon" +msgstr "" + +#: ../gui/selinux.tbl:150 +msgid "Disable SELinux protection for radvd daemon" +msgstr "" + +#: ../gui/selinux.tbl:151 +msgid "Disable SELinux protection for rdisc" +msgstr "" + +#: ../gui/selinux.tbl:152 +msgid "Disable SELinux protection for readahead" +msgstr "" + +#: ../gui/selinux.tbl:153 +msgid "Allow programs to read files in non-standard locations (default_t)" +msgstr "" + +#: ../gui/selinux.tbl:154 +msgid "Disable SELinux protection for restorecond" +msgstr "" + +#: ../gui/selinux.tbl:155 +msgid "Disable SELinux protection for rhgb daemon" +msgstr "" + +#: ../gui/selinux.tbl:156 +msgid "Disable SELinux protection for ricci" +msgstr "" + +#: ../gui/selinux.tbl:157 +msgid "Disable SELinux protection for ricci_modclusterd" +msgstr "" + +#: ../gui/selinux.tbl:158 +msgid "Disable SELinux protection for rlogind daemon" +msgstr "" + +#: ../gui/selinux.tbl:159 +msgid "Disable SELinux protection for rpcd daemon" +msgstr "" + +#: ../gui/selinux.tbl:160 +msgid "Disable SELinux protection for rshd" +msgstr "" + +#: ../gui/selinux.tbl:161 +msgid "rsync" +msgstr "" + +#: ../gui/selinux.tbl:161 +msgid "Disable SELinux protection for rsync daemon" +msgstr "" + +#: ../gui/selinux.tbl:162 +msgid "Allow ssh to run from inetd instead of as a daemon" +msgstr "" + +#: ../gui/selinux.tbl:163 +msgid "Allow Samba to share nfs directories" +msgstr "" + +#: ../gui/selinux.tbl:164 ../gui/selinux.tbl:166 +msgid "SASL authentication server" +msgstr "" + +#: ../gui/selinux.tbl:164 +msgid "Allow sasl authentication server to read /etc/shadow" +msgstr "" + +#: ../gui/selinux.tbl:165 +msgid "" +"Allow X-Windows server to map a memory region as both executable and writable" +msgstr "" + +#: ../gui/selinux.tbl:166 +msgid "Disable SELinux protection for saslauthd daemon" +msgstr "" + +#: ../gui/selinux.tbl:167 +msgid "Disable SELinux protection for scannerdaemon daemon" +msgstr "" + +#: ../gui/selinux.tbl:168 +msgid "Do not allow transition to sysadm_t, sudo and su effected" +msgstr "" + +#: ../gui/selinux.tbl:169 +msgid "Do not allow any processes to load kernel modules" +msgstr "" + +#: ../gui/selinux.tbl:170 +msgid "Do not allow any processes to modify kernel SELinux policy" +msgstr "" + +#: ../gui/selinux.tbl:171 +msgid "Disable SELinux protection for sendmail daemon" +msgstr "" + +#: ../gui/selinux.tbl:172 +msgid "Disable SELinux protection for setrans" +msgstr "" + +#: ../gui/selinux.tbl:173 +msgid "Disable SELinux protection for setroubleshoot daemon" +msgstr "" + +#: ../gui/selinux.tbl:174 +msgid "Disable SELinux protection for slapd daemon" +msgstr "" + +#: ../gui/selinux.tbl:175 +msgid "Disable SELinux protection for slrnpull daemon" +msgstr "" + +#: ../gui/selinux.tbl:176 +msgid "Disable SELinux protection for smbd daemon" +msgstr "" + +#: ../gui/selinux.tbl:177 +msgid "Disable SELinux protection for snmpd daemon" +msgstr "" + +#: ../gui/selinux.tbl:178 +msgid "Disable SELinux protection for snort daemon" +msgstr "" + +#: ../gui/selinux.tbl:179 +msgid "Disable SELinux protection for soundd daemon" +msgstr "" + +#: ../gui/selinux.tbl:180 +msgid "Disable SELinux protection for sound daemon" +msgstr "" + +#: ../gui/selinux.tbl:181 ../gui/selinux.tbl:182 ../gui/selinux.tbl:183 +msgid "Spam Protection" +msgstr "" + +#: ../gui/selinux.tbl:181 +msgid "Disable SELinux protection for spamd daemon" +msgstr "" + +#: ../gui/selinux.tbl:182 +msgid "Allow spamd to access home directories" +msgstr "" + +#: ../gui/selinux.tbl:183 +msgid "Allow Spam Assassin daemon network access" +msgstr "" + +#: ../gui/selinux.tbl:184 +msgid "Disable SELinux protection for speedmgmt daemon" +msgstr "" + +#: ../gui/selinux.tbl:185 ../gui/selinux.tbl:186 +msgid "Squid" +msgstr "" + +#: ../gui/selinux.tbl:185 +msgid "Allow squid daemon to connect to the network" +msgstr "" + +#: ../gui/selinux.tbl:186 +msgid "Disable SELinux protection for squid daemon" +msgstr "" + +#: ../gui/selinux.tbl:187 +msgid "Disable SELinux protection for ssh daemon" +msgstr "" + +#: ../gui/selinux.tbl:188 +msgid "Allow ssh logins as sysadm_r:sysadm_t" +msgstr "" + +#: ../gui/selinux.tbl:189 +msgid "" +"Allow staff_r users to search the sysadm home dir and read files (such as ~/." +"bashrc)" +msgstr "" + +#: ../gui/selinux.tbl:190 ../gui/selinux.tbl:191 +msgid "Universal SSL tunnel" +msgstr "" + +#: ../gui/selinux.tbl:190 +msgid "Disable SELinux protection for stunnel daemon" +msgstr "" + +#: ../gui/selinux.tbl:191 +msgid "Allow stunnel daemon to run as standalone, outside of xinetd" +msgstr "" + +#: ../gui/selinux.tbl:192 +msgid "Disable SELinux protection for swat daemon" +msgstr "" + +#: ../gui/selinux.tbl:193 +msgid "Disable SELinux protection for sxid daemon" +msgstr "" + +#: ../gui/selinux.tbl:194 +msgid "Disable SELinux protection for syslogd daemon" +msgstr "" + +#: ../gui/selinux.tbl:195 +msgid "Disable SELinux protection for system cron jobs" +msgstr "" + +#: ../gui/selinux.tbl:196 +msgid "Disable SELinux protection for tcp daemon" +msgstr "" + +#: ../gui/selinux.tbl:197 +msgid "Disable SELinux protection for telnet daemon" +msgstr "" + +#: ../gui/selinux.tbl:198 +msgid "Disable SELinux protection for tftpd daemon" +msgstr "" + +#: ../gui/selinux.tbl:199 +msgid "Disable SELinux protection for transproxy daemon" +msgstr "" + +#: ../gui/selinux.tbl:200 +msgid "Disable SELinux protection for udev daemon" +msgstr "" + +#: ../gui/selinux.tbl:201 +msgid "Disable SELinux protection for uml daemon" +msgstr "" + +#: ../gui/selinux.tbl:202 +msgid "" +"Allow xinetd to run unconfined, including any services it starts that do not " +"have a domain transition explicitly defined" +msgstr "" + +#: ../gui/selinux.tbl:203 +msgid "" +"Allow rc scripts to run unconfined, including any daemon started by an rc " +"script that does not have a domain transition explicitly defined" +msgstr "" + +#: ../gui/selinux.tbl:204 +msgid "Allow rpm to run unconfined" +msgstr "" + +#: ../gui/selinux.tbl:205 +msgid "Allow privileged utilities like hotplug and insmod to run unconfined" +msgstr "" + +#: ../gui/selinux.tbl:206 +msgid "Disable SELinux protection for updfstab daemon" +msgstr "" + +#: ../gui/selinux.tbl:207 +msgid "Disable SELinux protection for uptimed daemon" +msgstr "" + +#: ../gui/selinux.tbl:208 +msgid "" +"Allow user_r to reach sysadm_r via su, sudo, or userhelper. Otherwise, only " +"staff_r can do so" +msgstr "" + +#: ../gui/selinux.tbl:209 +msgid "Allow users to execute the mount command" +msgstr "" + +#: ../gui/selinux.tbl:210 +msgid "Allow regular users direct mouse access (only allow the X server)" +msgstr "" + +#: ../gui/selinux.tbl:211 +msgid "Allow users to run the dmesg command" +msgstr "" + +#: ../gui/selinux.tbl:212 +msgid "Allow users to control network interfaces (also needs USERCTL=true)" +msgstr "" + +#: ../gui/selinux.tbl:213 +msgid "Allow normal user to execute ping" +msgstr "" + +#: ../gui/selinux.tbl:214 +msgid "Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)" +msgstr "" + +#: ../gui/selinux.tbl:215 +msgid "Allow users to rw usb devices" +msgstr "" + +#: ../gui/selinux.tbl:216 +msgid "" +"Allow users to run TCP servers (bind to ports and accept connection from the " +"same domain and outside users) disabling this forces FTP passive mode and " +"may change other protocols" +msgstr "" + +#: ../gui/selinux.tbl:217 +msgid "Allow user to stat ttyfiles" +msgstr "" + +#: ../gui/selinux.tbl:218 +msgid "Disable SELinux protection for uucpd daemon" +msgstr "" + +#: ../gui/selinux.tbl:219 +msgid "Disable SELinux protection for vmware daemon" +msgstr "" + +#: ../gui/selinux.tbl:220 +msgid "Disable SELinux protection for watchdog daemon" +msgstr "" + +#: ../gui/selinux.tbl:221 +msgid "Disable SELinux protection for winbind daemon" +msgstr "" + +#: ../gui/selinux.tbl:222 +msgid "Disable SELinux protection for xdm daemon" +msgstr "" + +#: ../gui/selinux.tbl:223 +msgid "Allow xdm logins as sysadm_r:sysadm_t" +msgstr "" + +#: ../gui/selinux.tbl:224 +msgid "Disable SELinux protection for xen daemon" +msgstr "" + +#: ../gui/selinux.tbl:225 +msgid "XEN" +msgstr "" + +#: ../gui/selinux.tbl:225 +msgid "Allow xen to read/write physical disk devices" +msgstr "" + +#: ../gui/selinux.tbl:226 +msgid "Disable SELinux protection for xfs daemon" +msgstr "" + +#: ../gui/selinux.tbl:227 +msgid "Disable SELinux protection for xen control" +msgstr "" + +#: ../gui/selinux.tbl:228 +msgid "Disable SELinux protection for ypbind daemon" +msgstr "" + +#: ../gui/selinux.tbl:229 +msgid "Disable SELinux protection for NIS Password Daemon" +msgstr "" + +#: ../gui/selinux.tbl:230 +msgid "Disable SELinux protection for ypserv daemon" +msgstr "" + +#: ../gui/selinux.tbl:231 +msgid "Disable SELinux protection for NIS Transfer Daemon" +msgstr "" + +#: ../gui/selinux.tbl:232 +msgid "Allow SELinux webadm user to manage unprivileged users home directories" +msgstr "" + +#: ../gui/selinux.tbl:233 +msgid "Allow SELinux webadm user to read unprivileged users home directories" +msgstr "" + +#: ../gui/semanagePage.py:126 +#, python-format +msgid "Are you sure you want to delete %s '%s'?" +msgstr "" + +#: ../gui/semanagePage.py:126 +#, python-format +msgid "Delete %s" +msgstr "" + +#: ../gui/semanagePage.py:134 +#, python-format +msgid "Add %s" +msgstr "" + +#: ../gui/semanagePage.py:148 +#, python-format +msgid "Modify %s" +msgstr "" + +#: ../gui/statusPage.py:69 ../gui/system-config-selinux.glade:2819 +msgid "Permissive" +msgstr "" + +#: ../gui/statusPage.py:70 ../gui/system-config-selinux.glade:2837 +msgid "Enforcing" +msgstr "" + +#: ../gui/statusPage.py:94 +msgid "Status" +msgstr "" + +#: ../gui/statusPage.py:133 +msgid "" +"Changing the policy type will cause a relabel of the entire file system on " +"the next boot. Relabeling takes a long time depending on the size of the " +"file system. Do you wish to continue?" +msgstr "" + +#: ../gui/statusPage.py:147 +msgid "" +"Changing to SELinux disabled requires a reboot. It is not recommended. If " +"you later decide to turn SELinux back on, the system will be required to " +"relabel. If you just want to see if SELinux is causing a problem on your " +"system, you can go to permissive mode which will only log errors and not " +"enforce SELinux policy. Permissive mode does not require a reboot Do you " +"wish to continue?" +msgstr "" + +#: ../gui/statusPage.py:152 +msgid "" +"Changing to SELinux enabled will cause a relabel of the entire file system " +"on the next boot. Relabeling takes a long time depending on the size of the " +"file system. Do you wish to continue?" +msgstr "" + +#: ../gui/system-config-selinux.glade:11 +msgid "system-config-selinux" +msgstr "" + +#: ../gui/system-config-selinux.glade:12 +msgid "" +"Copyright (c)2006 Red Hat, Inc.\n" +"Copyright (c) 2006 Dan Walsh " +msgstr "" + +#: ../gui/system-config-selinux.glade:22 +#: ../gui/system-config-selinux.glade:544 +msgid "Add SELinux Login Mapping" +msgstr "" + +#: ../gui/system-config-selinux.glade:257 +msgid "Add SELinux Network Ports" +msgstr "" + +#: ../gui/system-config-selinux.glade:391 +#: ../gui/system-config-selinux.glade:678 +msgid "SELinux Type" +msgstr "" + +#: ../gui/system-config-selinux.glade:622 +msgid "File Specification" +msgstr "" + +#: ../gui/system-config-selinux.glade:650 +msgid "File Type" +msgstr "" + +#: ../gui/system-config-selinux.glade:727 +msgid "" +"all files\n" +"regular file\n" +"directory\n" +"character device\n" +"block device\n" +"socket\n" +"symbolic link\n" +"named pipe\n" +msgstr "" + +#: ../gui/system-config-selinux.glade:773 +msgid "MLS" +msgstr "" + +#: ../gui/system-config-selinux.glade:837 +msgid "Add SELinux User" +msgstr "" + +#: ../gui/system-config-selinux.glade:1079 +msgid "SELinux Administration" +msgstr "" + +#: ../gui/system-config-selinux.glade:1122 +msgid "Add" +msgstr "" + +#: ../gui/system-config-selinux.glade:1144 +msgid "_Properties" +msgstr "" + +#: ../gui/system-config-selinux.glade:1166 +msgid "_Delete" +msgstr "" + +#: ../gui/system-config-selinux.glade:1256 +msgid "Select Management Object" +msgstr "" + +#: ../gui/system-config-selinux.glade:1273 +msgid "Select:" +msgstr "" + +#: ../gui/system-config-selinux.glade:1326 +msgid "System Default Enforcing Mode" +msgstr "" + +#: ../gui/system-config-selinux.glade:1354 +msgid "" +"Disabled\n" +"Permissive\n" +"Enforcing\n" +msgstr "" + +#: ../gui/system-config-selinux.glade:1373 +msgid "Current Enforcing Mode" +msgstr "" + +#: ../gui/system-config-selinux.glade:1418 +msgid "System Default Policy Type: " +msgstr "" + +#: ../gui/system-config-selinux.glade:1463 +msgid "" +"Select if you wish to relabel then entire file system on next reboot. " +"Relabeling can take a very long time, depending on the size of the system. " +"If you are changing policy types or going from disabled to enforcing, a " +"relabel is required." +msgstr "" + +#: ../gui/system-config-selinux.glade:1509 +msgid "Relabel on next reboot." +msgstr "" + +#: ../gui/system-config-selinux.glade:1561 +msgid "label37" +msgstr "" + +#: ../gui/system-config-selinux.glade:1598 +msgid "Revert boolean setting to system default" +msgstr "" + +#: ../gui/system-config-selinux.glade:1614 +msgid "Toggle between Customized and All Booleans" +msgstr "" + +#: ../gui/system-config-selinux.glade:1645 +#: ../gui/system-config-selinux.glade:1850 +#: ../gui/system-config-selinux.glade:2037 +#: ../gui/system-config-selinux.glade:2224 +#: ../gui/system-config-selinux.glade:2467 +#: ../gui/system-config-selinux.glade:2692 +#: ../gui/system-config-selinux.glade:2867 +msgid "Filter" +msgstr "" + +#: ../gui/system-config-selinux.glade:1734 +msgid "label50" +msgstr "" + +#: ../gui/system-config-selinux.glade:1771 +msgid "Add File Context" +msgstr "" + +#: ../gui/system-config-selinux.glade:1787 +msgid "Modify File Context" +msgstr "" + +#: ../gui/system-config-selinux.glade:1803 +msgid "Delete File Context" +msgstr "" + +#: ../gui/system-config-selinux.glade:1819 +msgid "Toggle between all and customized file context" +msgstr "" + +#: ../gui/system-config-selinux.glade:1939 +msgid "label38" +msgstr "" + +#: ../gui/system-config-selinux.glade:1976 +msgid "Add SELinux User Mapping" +msgstr "" + +#: ../gui/system-config-selinux.glade:1992 +msgid "Modify SELinux User Mapping" +msgstr "" + +#: ../gui/system-config-selinux.glade:2008 +msgid "Delete SELinux User Mapping" +msgstr "" + +#: ../gui/system-config-selinux.glade:2126 +msgid "label39" +msgstr "" + +#: ../gui/system-config-selinux.glade:2163 +msgid "Add User" +msgstr "" + +#: ../gui/system-config-selinux.glade:2179 +msgid "Modify User" +msgstr "" + +#: ../gui/system-config-selinux.glade:2195 +msgid "Delete User" +msgstr "" + +#: ../gui/system-config-selinux.glade:2313 +msgid "label41" +msgstr "" + +#: ../gui/system-config-selinux.glade:2350 +msgid "Add Network Port" +msgstr "" + +#: ../gui/system-config-selinux.glade:2366 +msgid "Edit Network Port" +msgstr "" + +#: ../gui/system-config-selinux.glade:2382 +msgid "Delete Network Port" +msgstr "" + +#: ../gui/system-config-selinux.glade:2418 +#: ../gui/system-config-selinux.glade:2436 +msgid "Toggle between Customized and All Ports" +msgstr "" + +#: ../gui/system-config-selinux.glade:2556 +msgid "label42" +msgstr "" + +#: ../gui/system-config-selinux.glade:2593 +msgid "Generate new policy module" +msgstr "" + +#: ../gui/system-config-selinux.glade:2609 +msgid "Load policy module" +msgstr "" + +#: ../gui/system-config-selinux.glade:2625 +msgid "Remove loadable policy module" +msgstr "" + +#: ../gui/system-config-selinux.glade:2661 +msgid "" +"Enable/Disable additional audit rules, that are normally not reported in the " +"log files." +msgstr "" + +#: ../gui/system-config-selinux.glade:2781 +msgid "label44" +msgstr "" + +#: ../gui/system-config-selinux.glade:2818 +msgid "Change process mode to permissive." +msgstr "" + +#: ../gui/system-config-selinux.glade:2836 +msgid "Change process mode to enforcing" +msgstr "" + +#: ../gui/system-config-selinux.glade:2928 +msgid "Process Domain" +msgstr "" + +#: ../gui/system-config-selinux.glade:2956 +msgid "label59" +msgstr "" + +#: ../gui/usersPage.py:138 +#, python-format +msgid "SELinux user '%s' is required" +msgstr "" diff --git a/policycoreutils/po/ar.po b/policycoreutils/po/ar.po index afeaa9f..0ba98f2 100644 --- a/policycoreutils/po/ar.po +++ b/policycoreutils/po/ar.po @@ -1,21 +1,27 @@ # SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. -# FIRST AUTHOR , YEAR. # -#, fuzzy +# Translators: +# Ali Al-Ammari , 2010. +# Amjad Al-Obaili , 2010. +# Majed Abdullah , 2010. +# Munzir Taha , 2012. +# Saud Al-Otaibi , 2010. msgid "" msgstr "" -"Project-Id-Version: PACKAGE VERSION\n" +"Project-Id-Version: Policycoreutils\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2012-03-27 10:49-0400\n" -"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" -"Last-Translator: FULL NAME \n" -"Language-Team: LANGUAGE \n" -"Language: \n" +"POT-Creation-Date: 2012-05-17 16:58-0400\n" +"PO-Revision-Date: 2012-04-02 20:30+0000\n" +"Last-Translator: dwalsh \n" +"Language-Team: Arabic \n" +"Language: ar\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=6; plural=n==0 ? 0 : n==1 ? 1 : n==2 ? 2 : n%100>=3 " +"&& n%100<=10 ? 3 : n%100>=11 && n%100<=99 ? 4 : 5\n" #: ../run_init/run_init.c:67 msgid "" @@ -23,1248 +29,3339 @@ msgid "" " where: