diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2why/audit2why.1 policycoreutils-1.23.10/audit2why/audit2why.1
--- nsapolicycoreutils/audit2why/audit2why.1 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.23.10/audit2why/audit2why.1 2005-05-17 08:31:39.000000000 -0400
@@ -0,0 +1,62 @@
+.\" Hey, Emacs! This is an -*- nroff -*- source file.
+.\" Copyright (c) 2005 Dan Walsh
+.\"
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\"
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, write to the Free
+.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
+.\" USA.
+.\"
+.\"
+.TH AUDIT2ALLOW "1" "May 2005" "Security Enhanced Linux" NSA
+.SH NAME
+audit2why \- Translates auditmessages into a description of why the access was denied
+.SH SYNOPSIS
+.B audit2why
+.RI [ options "] "
+.SH OPTIONS
+.TP
+
+.B "\-\-help"
+Print a short usage message
+.TP
+.B "\-p "
+Specify an alternate policy file.
+.SH DESCRIPTION
+.PP
+This utility scans stdin (logfiles) for messages logged when the
+system denied permission for operations, and generates a reason why the
+access was denied
+.PP
+.SH EXAMPLE
+$ /usr/sbin/audit2why < /var/log/audit/audit.log
+
+type=KERNEL msg=audit(1115316525.803:399552): avc: denied { getattr } for path=/home/sds dev=hda5 ino=1175041 scontext=root:secadm_r:secadm_t:s0-s9:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
+ Was caused by:
+ Missing TE allow rule for the type pair (use audit2allow).
+ +type=KERNEL msg=audit(1115320071.648:606858): avc: denied { append } for name=.bash_history dev=hda5 ino=1175047 scontext=user_u:user_r:user_t:s1-s9:c0.c127 tcontext=user_u:object_r:user_home_t:s0 tclass=file + Was caused by: + Constraint violation (add type attribute to domain to satisfy constraints or alter constraint). + + +.PP +.SH AUTHOR +This manual page was written by +.I Dan Walsh , +.B audit2why +utility was written by Stephen Smalley . diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2why/Makefile policycoreutils-1.23.10/audit2why/Makefile --- nsapolicycoreutils/audit2why/Makefile 2005-05-16 15:40:11.000000000 -0400 +++ policycoreutils-1.23.10/audit2why/Makefile 2005-05-17 08:31:39.000000000 -0400 @@ -17,6 +17,8 @@ install: all -mkdir -p $(BINDIR) install -m 755 $(TARGETS) $(BINDIR) + -mkdir -p $(MANDIR)/man1 + install -m 644 audit2why.1 $(MANDIR)/man1/ clean: rm -f $(TARGETS) *.o diff --exclude-from=exclude -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-1.23.10/newrole/newrole.c --- nsapolicycoreutils/newrole/newrole.c 2005-01-27 10:01:39.000000000 -0500 +++ policycoreutils-1.23.10/newrole/newrole.c 2005-05-19 11:51:37.000000000 -0400 @@ -193,6 +193,11 @@ result = 1; /* user authenticated OK! */ } + /* Ask PAM to verify acct_mgmt */ + if( PAM_SUCCESS != pam_acct_mgmt(pam_handle,0) ) { + result = 0; /* user authenticated OK! */ + } + /* We're done with PAM. Free `pam_handle'. */ pam_end( pam_handle, PAM_SUCCESS ); diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.23.10/scripts/fixfiles --- nsapolicycoreutils/scripts/fixfiles 2005-04-29 14:11:23.000000000 -0400 +++ policycoreutils-1.23.10/scripts/fixfiles 2005-05-17 08:31:39.000000000 -0400 @@ -164,7 +164,7 @@ fi # See how we were called. -while getopts "C:Fo:R:l:" i; do +while getopts "C:Ffo:R:l:" i; do case "$i" in f) fullFlag=1
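Review bot: `$(MANDIR)` is used by the two added install lines, but this is the only hunk for audit2why/Makefile, so the commit adds no definition for it. Unless the file already sets it above line 17 (not visible here), it expands to nothing and the page is installed under `/man1/` at the filesystem root. Define it beside `BINDIR`, derived the same way that variable is, so packaging overrides apply to both. The `-` prefix on the new `mkdir` line is also worth dropping, i.e. `mkdir -p $(MANDIR)/man1`: `mkdir -p` already succeeds on an existing directory, so the prefix only hides real failures such as a permission error.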
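Review bot: The comment on the added `result = 0;` still reads `/* user authenticated OK! */`, copied from the success branch above, and says the opposite of what the line does on an authentication path. Change it to something like `result = 0; /* account check failed (expired, locked, restricted): deny */`. The new call also appears to run whether or not authentication succeeded, since the preceding block closes before it. If that is so, gate it with `if( result && PAM_SUCCESS != pam_acct_mgmt(pam_handle,0) ) {` so that account-status handling is reached only by a caller who has already authenticated. The enclosing function starts and ends outside the hunk, so the flow around `result` should be confirmed there.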