diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.34/audit2allow/audit2allow --- nsapolicycoreutils/audit2allow/audit2allow 2007-07-16 14:20:41.000000000 -0400 +++ policycoreutils-2.0.34/audit2allow/audit2allow 2008-01-10 13:33:37.000000000 -0500 @@ -28,6 +28,7 @@ import sepolgen.objectmodel as objectmodel import sepolgen.defaults as defaults import sepolgen.module as module +#import sepolgen.audit2why as audit2why from sepolgen.sepolgeni18n import _ class AuditToPolicy: @@ -60,7 +61,10 @@ parser.add_option("-o", "--output", dest="output", help="append output to , conflicts with -M") parser.add_option("-R", "--reference", action="store_true", dest="refpolicy", - default=False, help="generate refpolicy style output") + default=True, help="generate refpolicy style output") + + parser.add_option("-N", "--noreference", action="store_false", dest="refpolicy", + default=False, help="do not generate refpolicy style output") parser.add_option("-v", "--verbose", action="store_true", dest="verbose", default=False, help="explain generated output") parser.add_option("-e", "--explain", action="store_true", dest="explain_long", @@ -72,6 +76,9 @@ parser.add_option("--debug", dest="debug", action="store_true", default=False, help="leave generated modules for -M") + parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=False, + help="Translates SELinux audit messages into a description of why the access was denied") + options, args = parser.parse_args() # Make -d, -a, and -i conflict @@ -149,8 +156,10 @@ if self.__options.type: filter = audit.TypeFilter(self.__options.type) self.__avs = self.__parser.to_access(filter) + self.__selinux_errs = self.__parser.to_role(filter) else: self.__avs = self.__parser.to_access() + self.__selinux_errs = self.__parser.to_role() def __load_interface_info(self): # Load interface info file 
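Review bot: The new `-N` option registers `default=False` on the same `refpolicy` dest that `-R` was just switched to `default=True`, and optparse keeps the last default given for a dest, so the effective default is False and reference-policy output is off unless `-R` is passed — the opposite of what the `-R` help text and the man-page change in this diff claim. Give the default to only one of the two options, e.g. `parser.add_option("-N", "--noreference", action="store_false", dest="refpolicy", help="do not generate refpolicy style output")`. The method holding these `add_option` calls starts outside the hunk.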
@@ -210,7 +219,71 @@ sys.stdout.write((_("To make this policy package active, execute:" +\ "\n\nsemodule -i %s\n\n") % packagename)) + def __output_audit2why(self): + import selinux + import selinux.audit2why as audit2why + audit2why.init("%s.%s" % (selinux.selinux_binary_policy_path(), selinux.security_policyvers())) + for i in self.__parser.avc_msgs: + rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses) + if rc >= 0: + print "%s\n\tWas caused by:" % i.message + if rc == audit2why.NOPOLICY: + raise "Must call policy_init first" + if rc == audit2why.BADTCON: + print "Invalid Target Context %s\n" % i.tcontext + continue + if rc == audit2why.BADSCON: + print "Invalid Source Context %s\n" % i.scontext + continue + if rc == audit2why.BADSCON: + print "Invalid Type Class %s\n" % i.tclass + continue + if rc == audit2why.BADPERM: + print "Invalid permission %s\n" % i.accesses + continue + if rc == audit2why. BADCOMPUTE: + raise "Error during access vector computation" + if rc == audit2why.ALLOW: + print "\t\tUnknown - would be allowed by active policy\n", + print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n" + print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n" + continue + if rc == audit2why.BOOLEAN: + if len(bools) > 1: + print "\tOne of the following booleans being set incorrectly." + for b in bools: + print "\n\tBoolean %s is %d. Allow access by executing:" % (b[0], not b[1]) + print "\t# setsebool -P %s %d" % (b[0], b[1]) + else: + print "\tThe boolean %s set incorrectly. 
Allow access by executing:" % bools[0][0] + print "\t# setsebool -P %s %d\n" % (bools[0][0], bools[0][1]) + + continue + + if rc == audit2why.TERULE: + print "\t\tMissing or disabled type enforcingment (TE) allow rule.\n" + print "\t\tYou can use audit2allow to generate the missing allow rules and/or load policy to allow this access.\n" + continue + + if rc == audit2why.CONSTRAINT: + print "\t\tConstraint violation.\n" + print "\t\tCheck policy/constraints.\n" + print "\t\tTypically, you just need to add a type attribute to the domain to satisfy the constraint.\n" + continue + + if rc == audit2why.RBAC: + print "\t\tMissing role allow rule.\n" + print "\t\tAdd allow rule for the role pair.\n" + continue + + audit2why.finish() + return + def __output(self): + + if self.__options.audit2why: + return self.__output_audit2why() + g = policygen.PolicyGenerator() if self.__options.module: @@ -251,6 +324,12 @@ fd = sys.stdout writer.write(g.get_module(), fd) + if len(self.__selinux_errs) > 0: + fd.write("\n=========== ROLES ===============\n") + + for role in self.__selinux_errs: + fd.write(role.output()) + def main(self): try: self.__parse_options() diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.34/audit2allow/audit2allow.1 --- nsapolicycoreutils/audit2allow/audit2allow.1 2007-07-16 14:20:41.000000000 -0400 +++ policycoreutils-2.0.34/audit2allow/audit2allow.1 2007-12-19 06:05:50.000000000 -0500 
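Review bot: The second `if rc == audit2why.BADSCON:` in `__output_audit2why` can never run because the first one `continue`s, so the "Invalid Type Class" message is dead code; presumably it should test a class-specific code such as `if rc == audit2why.BADTCLASS:` (the constant's real name is not visible here — check the audit2why module). `raise "Must call policy_init first"` and `raise "Error during access vector computation"` are string exceptions, which Python 2.6+ rejects with a TypeError; raise a real exception, e.g. `raise RuntimeError("Must call policy_init first")`. Those raises also skip `audit2why.finish()`, so the policy loaded by `init` is never released on the error path; a `try`/`finally` around the loop would cover it. The deleted C tool fell back to older `policy.N` files when the file for the current policy version was missing, whereas the new `audit2why.init("%s.%s" % ...)` call does not, so the behaviour on such systems should at least be confirmed.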
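Review bot: The `=========== ROLES ===============` banner is written to `fd` unconditionally, and when `fd` is the `-o` append file rather than stdout (that `open` is outside the hunk) it lands in a file that is otherwise policy source; a bare `=====` line is not valid policy syntax, so such a file would no longer compile as written. If the output is meant to stay loadable, emit the banner as a comment, `fd.write("\n# =========== ROLES ===============\n")`; whether `role.output()` itself yields policy syntax is not visible here. `if self.__selinux_errs:` also reads better than the `len(...) > 0` test.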
@@ -65,8 +65,11 @@ .B "\-r" | "\-\-requires" Generate require output syntax for loadable modules. .TP +.B "\-N" | "\-\-noreference" +Do not generate reference policy, traditional style allow rules. +.TP .B "\-R" | "\-\-reference" -Generate reference policy using installed macros. Requires the selinux-policy-devel package. +Generate reference policy using installed macros.Default .TP .B "\-t " | "\-\-tefile" Indicates input file is a te (type enforcement) file. This can be used to translate old te format to new policy format. diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/sepolgen-ifgen policycoreutils-2.0.34/audit2allow/sepolgen-ifgen --- nsapolicycoreutils/audit2allow/sepolgen-ifgen 2007-07-16 14:20:41.000000000 -0400 +++ policycoreutils-2.0.34/audit2allow/sepolgen-ifgen 2007-12-20 14:19:50.000000000 -0500 @@ -80,7 +80,10 @@ if_set.to_file(f) f.close() - return 0 + if refparser.success: + return 0 + else: + return 1 if __name__ == "__main__": sys.exit(main()) diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why policycoreutils-2.0.34/audit2why/audit2why --- nsapolicycoreutils/audit2why/audit2why 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.34/audit2why/audit2why 2008-01-10 13:37:42.000000000 -0500 @@ -0,0 +1,2 @@ +#!/bin/sh +audit2allow -w $* diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why.8 policycoreutils-2.0.34/audit2why/audit2why.8 --- nsapolicycoreutils/audit2why/audit2why.8 2007-07-16 14:20:41.000000000 -0400 +++ policycoreutils-2.0.34/audit2why/audit2why.8 2008-01-10 13:37:18.000000000 -0500 
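Review bot: The non-zero return is decided only after `if_set.to_file(f)` and `f.close()` have already written the output, so a run whose parse failed still leaves a freshly written interface file behind while exiting 1. Whether a partial file is usable downstream is not visible here, but writing only when `refparser.success` is true, or unlinking the file when it is false, would keep the exit status and the artifact consistent. The `main` function begins outside the hunk.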
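Review bot: `audit2allow -w $*` re-splits every argument on whitespace, so a file name passed with `-i` that contains a space reaches audit2allow as two arguments; use `exec audit2allow -w "$@"` so arguments are forwarded intact and the wrapper does not linger as an extra process. The deleted C tool also accepted `-p policy`, and audit2allow's option list as visible in this diff has no `-p`, so existing callers of that interface will now get a usage error rather than an alternate-policy analysis.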
@@ -1,79 +1 @@ -.\" Hey, Emacs! This is an -*- nroff -*- source file. -.\" Copyright (c) 2005 Dan Walsh -.\" -.\" This is free documentation; you can redistribute it and/or -.\" modify it under the terms of the GNU General Public License as -.\" published by the Free Software Foundation; either version 2 of -.\" the License, or (at your option) any later version. -.\" -.\" The GNU General Public License's references to "object code" -.\" and "executables" are to be interpreted as the output of any -.\" document formatting or typesetting system, including -.\" intermediate and printed output. -.\" -.\" This manual is distributed in the hope that it will be useful, -.\" but WITHOUT ANY WARRANTY; without even the implied warranty of -.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -.\" GNU General Public License for more details. -.\" -.\" You should have received a copy of the GNU General Public -.\" License along with this manual; if not, write to the Free -.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, -.\" USA. -.\" -.\" -.TH AUDIT2WHY "8" "May 2005" "Security Enhanced Linux" NSA -.SH NAME -audit2why \- Translates SELinux audit messages into a description of why the access was denied -.SH SYNOPSIS -.B audit2why -.RI [ options "] " -.SH OPTIONS -.TP - -.B "\-\-help" -Print a short usage message -.TP -.B "\-p " -Specify an alternate policy file. -.SH DESCRIPTION -.PP -This utility processes SELinux audit messages from standard -input and and reports which component of the policy caused each -permission denial based on the specified policy file if the -p option -was used or the active policy otherwise. There are three possible -causes: 1) a missing or disabled TE allow rule, 2) a constraint violation, -or 3) a missing role allow rule. In the first case, the TE allow -rule may exist in the policy but may be disabled due to boolean settings. -See -.BR booleans (8). 
-If the allow rule is not present at all, it can be generated via -.BR audit2allow (1). -In the second case, a constraint is being violated; see policy/constraints -or policy/mls to identify the particular constraint. Typically, this can -be resolved by adding a type attribute to the domain. In the third case, -a role transition was attempted but no allow rule existed for the role pair. -This can be resolved by adding an allow rule for the role pair to the policy. -.PP -.SH EXAMPLE -.nf -$ /usr/sbin/audit2why < /var/log/audit/audit.log - -type=KERNEL msg=audit(1115316408.926:336418): avc: denied { getattr } for path=/home/sds dev=hda5 ino=1175041 scontext=root:secadm_r:secadm_t:s0-s9:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir - Was caused by: - Missing or disabled TE allow rule. - Allow rules may exist but be disabled by boolean settings; check boolean settings. - You can see the necessary allow rules by running audit2allow with this audit message as input. - -type=KERNEL msg=audit(1115320071.648:606858): avc: denied { append } for name=.bash_history dev=hda5 ino=1175047 scontext=user_u:user_r:user_t:s1-s9:c0.c127 tcontext=user_u:object_r:user_home_t:s0 tclass=file - Was caused by: - Constraint violation. - Check policy/constraints. - Typically, you just need to add a type attribute to the domain to satisfy the constraint. -.fi -.PP -.SH AUTHOR -This manual page was written by -.I Dan Walsh , -.B audit2why -utility was written by Stephen Smalley . +.so man8/audit2allow.3 diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why.c policycoreutils-2.0.34/audit2why/audit2why.c --- nsapolicycoreutils/audit2why/audit2why.c 2007-07-16 14:20:41.000000000 -0400 +++ policycoreutils-2.0.34/audit2why/audit2why.c 1969-12-31 19:00:00.000000000 -0500 
@@ -1,313 +0,0 @@ -#define _GNU_SOURCE -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define AVCPREFIX "avc: denied { " -#define SCONTEXT "scontext=" -#define TCONTEXT "tcontext=" -#define TCLASS "tclass=" - -void usage(char *progname, int rc) -{ - fprintf(stderr, "usage: %s [-p policy] < /var/log/audit/audit.log\n", - progname); - exit(rc); -} - -int main(int argc, char **argv) -{ - char path[PATH_MAX]; - char *buffer = NULL, *bufcopy = NULL; - unsigned int lineno = 0; - size_t len = 0, bufcopy_len = 0; - FILE *fp; - int opt, rc, set_path = 0; - char *p, *scon, *tcon, *tclassstr, *permstr; - sepol_security_id_t ssid, tsid; - sepol_security_class_t tclass; - sepol_access_vector_t perm, av; - struct sepol_av_decision avd; - unsigned int reason; - int vers = 0; - sidtab_t sidtab; - policydb_t policydb; - struct policy_file pf; - - while ((opt = getopt(argc, argv, "p:?h")) > 0) { - switch (opt) { - case 'p': - set_path = 1; - strncpy(path, optarg, PATH_MAX); - fp = fopen(path, "r"); - if (!fp) { - fprintf(stderr, "%s: unable to open %s: %s\n", - argv[0], path, strerror(errno)); - exit(1); - } - break; - default: - usage(argv[0], 0); - } - } - - if (argc - optind) - usage(argv[0], 1); - - if (!set_path) { - if (!is_selinux_enabled()) { - fprintf(stderr, - "%s: Must specify -p policy on non-SELinux systems\n", - argv[0]); - exit(1); - } - vers = security_policyvers(); - if (vers < 0) { - fprintf(stderr, - "%s: Could not get policy version: %s\n", - argv[0], strerror(errno)); - exit(1); - } - snprintf(path, PATH_MAX, "%s.%d", - selinux_binary_policy_path(), vers); - fp = fopen(path, "r"); - while (!fp && errno == ENOENT && --vers) { - snprintf(path, PATH_MAX, "%s.%d", - selinux_binary_policy_path(), vers); - fp = fopen(path, "r"); - } - if (!fp) { - snprintf(path, PATH_MAX, "%s.%d", - selinux_binary_policy_path(), - security_policyvers()); - fprintf(stderr, "%s: unable to open %s: %s\n", - argv[0], path, 
strerror(errno)); - exit(1); - } - } - - /* Set up a policydb directly so that we can mutate it later - for booleans and user settings. Otherwise we would just use - sepol_set_policydb_from_file() here. */ - pf.fp = fp; - pf.type = PF_USE_STDIO; - if (policydb_init(&policydb)) { - fprintf(stderr, "%s: policydb_init failed: %s\n", - argv[0], strerror(errno)); - exit(1); - } - if (policydb_read(&policydb, &pf, 0)) { - fprintf(stderr, "%s: invalid binary policy %s\n", - argv[0], path); - exit(1); - } - fclose(fp); - sepol_set_policydb(&policydb); - - if (!set_path) { - /* If they didn't specify a full path of a binary policy file, - then also try loading any boolean settings and user - definitions from the active locations. Otherwise, - they can use genpolbools and genpolusers to build a - binary policy file that includes any desired settings - and then apply audit2why -p to the resulting file. - Errors are non-fatal as such settings are optional. */ - sepol_debug(0); - (void)sepol_genbools_policydb(&policydb, - selinux_booleans_path()); - (void)sepol_genusers_policydb(&policydb, selinux_users_path()); - } - - /* Initialize the sidtab for subsequent use by sepol_context_to_sid - and sepol_compute_av_reason. */ - rc = sepol_sidtab_init(&sidtab); - if (rc < 0) { - fprintf(stderr, "%s: unable to init sidtab\n", argv[0]); - exit(1); - } - sepol_set_sidtab(&sidtab); - - /* Process the audit messages. */ - while (getline(&buffer, &len, stdin) > 0) { - size_t len2 = strlen(buffer); - - if (buffer[len2 - 1] == '\n') - buffer[len2 - 1] = 0; - lineno++; - - p = buffer; - while (*p && strncmp(p, AVCPREFIX, sizeof(AVCPREFIX) - 1)) - p++; - if (!(*p)) - continue; /* not an avc denial */ - - p += sizeof(AVCPREFIX) - 1; - - /* Save a copy of the original unmodified buffer. 
*/ - if (!bufcopy) { - /* Initial allocation */ - bufcopy_len = len; - bufcopy = malloc(len); - } else if (bufcopy_len < len) { - /* Grow */ - bufcopy_len = len; - bufcopy = realloc(bufcopy, len); - } - if (!bufcopy) { - fprintf(stderr, "%s: OOM on buffer copy\n", argv[0]); - exit(2); - } - memcpy(bufcopy, buffer, len); - - /* Remember where the permission list begins, - and terminate the list. */ - permstr = p; - while (*p && *p != '}') - p++; - if (!(*p)) { - fprintf(stderr, - "Missing closing bracket on line %u, skipping...\n", - lineno); - continue; - } - *p++ = 0; - - /* Get scontext and convert to SID. */ - while (*p && strncmp(p, SCONTEXT, sizeof(SCONTEXT) - 1)) - p++; - if (!(*p)) { - fprintf(stderr, "Missing %s on line %u, skipping...\n", - SCONTEXT, lineno); - continue; - } - p += sizeof(SCONTEXT) - 1; - scon = p; - while (*p && !isspace(*p)) - p++; - if (*p) - *p++ = 0; - rc = sepol_context_to_sid(scon, strlen(scon) + 1, &ssid); - if (rc < 0) { - fprintf(stderr, - "Invalid %s%s on line %u, skipping...\n", - SCONTEXT, scon, lineno); - continue; - } - - /* Get tcontext and convert to SID. */ - while (*p && strncmp(p, TCONTEXT, sizeof(TCONTEXT) - 1)) - p++; - if (!(*p)) { - fprintf(stderr, "Missing %s on line %u, skipping...\n", - TCONTEXT, lineno); - continue; - } - p += sizeof(TCONTEXT) - 1; - tcon = p; - while (*p && !isspace(*p)) - p++; - if (*p) - *p++ = 0; - rc = sepol_context_to_sid(tcon, strlen(tcon) + 1, &tsid); - if (rc < 0) { - fprintf(stderr, - "Invalid %s%s on line %u, skipping...\n", - TCONTEXT, tcon, lineno); - continue; - } - - /* Get tclass= and convert to value. 
*/ - while (*p && strncmp(p, TCLASS, sizeof(TCLASS) - 1)) - p++; - if (!(*p)) { - fprintf(stderr, "Missing %s on line %u, skipping...\n", - TCLASS, lineno); - continue; - } - p += sizeof(TCLASS) - 1; - tclassstr = p; - while (*p && !isspace(*p)) - p++; - if (*p) - *p = 0; - tclass = string_to_security_class(tclassstr); - if (!tclass) { - fprintf(stderr, - "Invalid %s%s on line %u, skipping...\n", - TCLASS, tclassstr, lineno); - continue; - } - - /* Convert the permission list to an AV. */ - p = permstr; - av = 0; - while (*p) { - while (*p && !isspace(*p)) - p++; - if (*p) - *p++ = 0; - perm = string_to_av_perm(tclass, permstr); - if (!perm) { - fprintf(stderr, - "Invalid permission %s on line %u, skipping...\n", - permstr, lineno); - continue; - } - av |= perm; - permstr = p; - } - - /* Reproduce the computation. */ - rc = sepol_compute_av_reason(ssid, tsid, tclass, av, &avd, - &reason); - if (rc < 0) { - fprintf(stderr, - "Error during access vector computation on line %u, skipping...\n", - lineno); - continue; - } - - printf("%s\n\tWas caused by:\n", bufcopy); - - if (!reason) { - printf("\t\tUnknown - would be allowed by %s policy\n", - set_path ? "specified" : "active"); - printf - ("\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"); - printf - ("\t\tPossible mismatch between current in-memory boolean settings vs. 
permanent ones.\n"); - } - - if (reason & SEPOL_COMPUTEAV_TE) { - printf("\t\tMissing or disabled TE allow rule.\n"); - printf - ("\t\tAllow rules may exist but be disabled by boolean settings; check boolean settings.\n"); - printf - ("\t\tYou can see the necessary allow rules by running audit2allow with this audit message as input.\n"); - } - - if (reason & SEPOL_COMPUTEAV_CONS) { - printf("\t\tConstraint violation.\n"); - printf("\t\tCheck policy/constraints.\n"); - printf - ("\t\tTypically, you just need to add a type attribute to the domain to satisfy the constraint.\n"); - } - - if (reason & SEPOL_COMPUTEAV_RBAC) { - printf("\t\tMissing role allow rule.\n"); - printf("\t\tAdd allow rule for the role pair.\n"); - } - - printf("\n"); - } - free(buffer); - free(bufcopy); - exit(0); -} diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/Makefile policycoreutils-2.0.34/audit2why/Makefile --- nsapolicycoreutils/audit2why/Makefile 2007-07-16 14:20:41.000000000 -0400 +++ policycoreutils-2.0.34/audit2why/Makefile 2008-01-10 13:38:49.000000000 -0500 @@ -1,15 +1,7 @@ # Installation directories. PREFIX ?= ${DESTDIR}/usr BINDIR ?= $(PREFIX)/bin -LIBDIR ?= ${PREFIX}/lib MANDIR ?= $(PREFIX)/share/man -LOCALEDIR ?= /usr/share/locale -INCLUDEDIR ?= ${PREFIX}/include - - -CFLAGS ?= -Werror -Wall -W -override CFLAGS += -I$(INCLUDEDIR) -LDLIBS = ${LIBDIR}/libsepol.a -lselinux -L$(LIBDIR) TARGETS=audit2why @@ -20,11 +12,3 @@ install -m 755 $(TARGETS) $(BINDIR) -mkdir -p $(MANDIR)/man8 install -m 644 audit2why.8 $(MANDIR)/man8/ - -clean: - -rm -f $(TARGETS) *.o - -indent: - ../../scripts/Lindent $(wildcard *.[ch]) - -relabel: diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.34/Makefile --- nsapolicycoreutils/Makefile 2007-12-19 06:02:52.000000000 -0500 +++ policycoreutils-2.0.34/Makefile 2007-12-19 06:06:04.000000000 -0500 
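Review bot: Removing the `clean`, `indent` and `relabel` targets leaves this Makefile with nothing to answer a recursive `make clean` or `make relabel` from the parent directory; if the parent iterates over SUBDIRS with those targets (its SUBDIRS line elsewhere in this diff still lists audit2why) the recursion would now stop here with "No rule to make target". Keeping empty `clean:`, `indent:` and `relabel:` targets costs nothing and keeps the subdirectories uniform.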
@@ -1,4 +1,4 @@ -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po +SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.34/restorecond/restorecond.c --- nsapolicycoreutils/restorecond/restorecond.c 2007-07-16 14:20:41.000000000 -0400 +++ policycoreutils-2.0.34/restorecond/restorecond.c 2007-12-19 06:05:50.000000000 -0500 @@ -210,9 +210,10 @@ } if (fsetfilecon(fd, scontext) < 0) { - syslog(LOG_ERR, - "set context %s->%s failed:'%s'\n", - filename, scontext, strerror(errno)); + if (errno != EOPNOTSUPP) + syslog(LOG_ERR, + "set context %s->%s failed:'%s'\n", + filename, scontext, strerror(errno)); if (retcontext >= 0) free(prev_context); free(scontext); @@ -225,8 +226,9 @@ if (retcontext >= 0) free(prev_context); } else { - syslog(LOG_ERR, "get context on %s failed: '%s'\n", - filename, strerror(errno)); + if (errno != EOPNOTSUPP) + syslog(LOG_ERR, "get context on %s failed: '%s'\n", + filename, strerror(errno)); } free(scontext); close(fd); diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.34/scripts/chcat --- nsapolicycoreutils/scripts/chcat 2007-08-23 16:52:26.000000000 -0400 +++ policycoreutils-2.0.34/scripts/chcat 2007-12-19 06:05:50.000000000 -0500 
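Review bot: The `errno != EOPNOTSUPP` test in the second hunk is only meaningful if `errno` still holds the value left by the failed call that set `retcontext`, and that call sits outside the hunk, so confirm nothing between it and this `else` (frees, other library calls) can clobber it; saving it immediately after the call, `int saved_errno = errno;`, removes the doubt. Consider also keeping the EOPNOTSUPP case visible at a lower priority, `syslog(LOG_DEBUG, ...)`, instead of dropping it entirely — a watched path on a filesystem without xattr support is something an operator of restorecond wants to learn about at least once.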
@@ -25,10 +25,6 @@ import commands, sys, os, pwd, string, getopt, selinux import seobject import gettext -import codecs -import locale -sys.stderr = codecs.getwriter(locale.getpreferredencoding())(sys.__stderr__, 'replace') -sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.__stdout__, 'replace') try: gettext.install('policycoreutils') diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.34/scripts/fixfiles --- nsapolicycoreutils/scripts/fixfiles 2007-12-10 21:42:28.000000000 -0500 +++ policycoreutils-2.0.34/scripts/fixfiles 2008-01-08 09:56:34.000000000 -0500 @@ -126,17 +126,15 @@ done exit $? fi -if [ ! -z "$DIRS" ]; then +if [ ! -z "$FILEPATH" ]; then if [ -x /usr/bin/find ]; then - for d in ${DIRS} ; do find $d \ + /usr/bin/find "$FILEPATH" \ ! \( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) -prune -o -print | \ ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -f - 2>&1 >> $LOGFILE - done else - ${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $* $DIRS 2>&1 >> $LOGFILE + ${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE fi - - exit $? + return fi LogReadOnly ${SETFILES} -q ${OUTFILES} ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE @@ -173,6 +171,20 @@ fi } +process() { +# +# Make sure they specified one of the three valid commands +# +case "$1" in + restore) restore -p ;; + check) restore -n -v;; + verify) restore -n -o -;; + relabel) relabel;; + *) + usage + exit 1 +esac +} usage() { echo $"Usage: $0 [-l logfile ] [-o outputfile ] { check | restore|[-F] relabel } [[dir] ... ] " echo or 
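Review bot: `$FILEPATH` is quoted in the new `find "$FILEPATH"` branch but not in the `${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $* $FILEPATH` fallback, so a path containing whitespace is still split there; quote it as `-R $* "$FILEPATH"`. The pre-existing `2>&1 >> $LOGFILE` ordering sends stderr to the caller's terminal rather than the log, which `>> $LOGFILE 2>&1` would fix while this block is being touched. The function that the new `return` leaves starts outside the hunk, so its exit status depends on what follows there.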
@@ -229,22 +241,19 @@ shift 1 if [ ! -z "$RPMFILES" ]; then + process $command if [ $# -gt 0 ]; then usage fi else - DIRS=$* + if [ -z "$1" ]; then + process $command + else + while [ -n "$1" ]; do + FILEPATH=$1 + process $command + shift + done + fi fi - -# -# Make sure they specified one of the three valid commands -# -case "$command" in - restore) restore -p ;; - check) restore -n -v ;; - verify) restore -n -o -;; - relabel) relabel;; - *) - usage - exit 1 -esac +exit $? diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.34/semanage/semanage --- nsapolicycoreutils/semanage/semanage 2007-10-05 13:09:53.000000000 -0400 +++ policycoreutils-2.0.34/semanage/semanage 2007-12-19 06:05:50.000000000 -0500 @@ -1,5 +1,5 @@ #! /usr/bin/python -E -# Copyright (C) 2005 Red Hat +# Copyright (C) 2005, 2006, 2007 Red Hat # see file 'COPYING' for use and warranty information # # semanage is a tool for managing SELinux configuration files @@ -28,10 +28,6 @@ import gettext gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.textdomain(PROGNAME) -import codecs -import locale -sys.stderr = codecs.getwriter(locale.getpreferredencoding())(sys.__stderr__, 'replace') -sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.__stdout__, 'replace') try: gettext.install(PROGNAME, @@ -115,7 +111,7 @@ valid_option["translation"] = [] valid_option["translation"] += valid_everyone + [ '-T', '--trans' ] valid_option["boolean"] = [] - valid_option["boolean"] += valid_everyone + valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ] return valid_option # @@ -135,7 +131,7 @@ seuser = "" prefix = "" heading=1 - + value=0 add = 0 modify = 0 delete = 0 @@ -154,7 +150,7 @@ args = sys.argv[2:] gopts, cmds = getopt.getopt(args, - 'adf:lhmnp:s:CDR:L:r:t:T:P:S:', + '01adf:lhmnp:s:CDR:L:r:t:T:P:S:', ['add', 'delete', 'deleteall', 
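Review bot: `exit $?` after the loop reports only the status of the last `process $command` call, so when several paths are given a failure on an earlier one is silently masked, and `while [ -n "$1" ]` stops early at an empty-string argument where `[ $# -gt 0 ]` would not. Accumulate the worst status across iterations and quote `$command`, as below. In the RPMFILES branch `process $command` now also runs before the `$# -gt 0` usage check, so the work is done before a bad invocation is reported; doing the check first keeps the previous order.
```shell
rc=0
# … unchanged: RPMFILES branch …
while [ $# -gt 0 ]; do
    FILEPATH=$1
    process "$command" || rc=$?
    shift
done
# … unchanged: closing fi …
exit $rc
```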
@@ -164,6 +160,8 @@ 'modify', 'noheading', 'localist', + 'off', + 'on', 'proto=', 'seuser=', 'store=', @@ -242,6 +240,11 @@ if o == "-T" or o == "--trans": setrans = a + if o == "--on" or o == "-1": + value = 1 + if o == "-off" or o == "-0": + value = 0 + if object == "login": OBJECT = seobject.loginRecords(store)