diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile index 3980799..6624804 100644 --- a/policycoreutils/Makefile +++ b/policycoreutils/Makefile @@ -1,4 +1,4 @@ -SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui +SUBDIRS = sepolicy setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) diff --git a/policycoreutils/audit2allow/Makefile b/policycoreutils/audit2allow/Makefile index 88635d4..fc290ea 100644 --- a/policycoreutils/audit2allow/Makefile +++ b/policycoreutils/audit2allow/Makefile @@ -5,14 +5,19 @@ LIBDIR ?= $(PREFIX)/lib MANDIR ?= $(PREFIX)/share/man LOCALEDIR ?= /usr/share/locale -all: ; +all: audit2why + +audit2why: + ln -sf audit2allow audit2why install: all -mkdir -p $(BINDIR) install -m 755 audit2allow $(BINDIR) + (cd $(BINDIR); ln -sf audit2allow audit2why) install -m 755 sepolgen-ifgen $(BINDIR) -mkdir -p $(MANDIR)/man1 install -m 644 audit2allow.1 $(MANDIR)/man1/ + install -m 644 audit2why.1 $(MANDIR)/man1/ clean: rm -f *~ diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow index 8e0c396..d282eee 100644 --- a/policycoreutils/audit2allow/audit2allow +++ b/policycoreutils/audit2allow/audit2allow @@ -18,7 +18,7 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # -import sys +import sys, os import sepolgen.audit as audit import sepolgen.policygen as policygen 
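Review bot: In the install rule of audit2allow/Makefile, `(cd $(BINDIR); ln -sf audit2allow audit2why)` still runs `ln` in the current directory when the `cd` fails, because `;` does not stop on error; `(cd $(BINDIR) && ln -sf audit2allow audit2why)` makes a failed `cd` fail the rule instead. The new `audit2why:` target also leaves a symlink in the source tree that `clean:` (`rm -f *~`) never removes, so `rm -f *~ audit2why` would keep the tree clean. The symlink name is what the audit2allow script keys its `-w` default on later in this diff, so the two spellings need to stay in step.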
@@ -29,6 +29,8 @@ import sepolgen.defaults as defaults import sepolgen.module as module from sepolgen.sepolgeni18n import _ import selinux.audit2why as audit2why +import locale +locale.setlocale(locale.LC_ALL, '') class AuditToPolicy: VERSION = "%prog .1" @@ -80,8 +82,7 @@ class AuditToPolicy: parser.add_option("--interface-info", dest="interface_info", help="file name of interface information") parser.add_option("--debug", dest="debug", action="store_true", default=False, help="leave generated modules for -M") - - parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=False, + parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=(os.path.basename(sys.argv[0])=="audit2why"), help="Translates SELinux audit messages into a description of why the access was denied") options, args = parser.parse_args() @@ -267,12 +268,10 @@ class AuditToPolicy: continue if rc == audit2why.CONSTRAINT: - print "\t\tPolicy constraint violation.\n" - print "\t\tMay require adding a type attribute to the domain or type to satisfy the constraint.\n" - print "\t\tConstraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).\n" - for reason in data: - print "\t\tNote: Possible cause is the source and target %s differ\n" % reason - continue + print #!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n" + print "#Constraint rule: \n\t" + data[0] + for reason in data[1:]: + print "#\tPossible cause is the source %s and target %s are different.\n\b" % reason if rc == audit2why.RBAC: print "\t\tMissing role allow rule.\n" diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1 index a854a45..bc70938 100644 --- a/policycoreutils/audit2allow/audit2allow.1 +++ b/policycoreutils/audit2allow/audit2allow.1 
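Review bot: `locale.setlocale(locale.LC_ALL, '')` runs at import time and raises `locale.Error` when the environment names a locale the system does not have, which would abort audit2allow before option parsing even though the call only affects message formatting. Tolerating that keeps the tool usable: `try:` / `    locale.setlocale(locale.LC_ALL, '')` / `except locale.Error: pass`. The AuditToPolicy class that follows continues past the end of the hunk.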
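Review bot: The first new `print` in the `rc == audit2why.CONSTRAINT` branch has no opening quote, so `#!!!! This avc is a constraint violation ... access.\n"` is parsed as a comment and the statement prints only an empty line; the explanation is lost at runtime. The line should read `print "#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"`. In the loop below, the format string ends with `\b` (a backspace), which looks accidental, and `%s %s` requires each `reason` in `data[1:]` to be a 2-tuple — presumably what audit2why returns, but worth confirming. The removed `continue` also means control now falls through to the `rc == audit2why.RBAC` test and whatever follows; harmless if the later tests only match other codes, but the method body continues outside the hunk.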
@@ -171,7 +171,7 @@ $ semodule -i local.pp .B Using audit2allow to generate and build module policy $ cat /var/log/audit/audit.log | audit2allow -M local -Generating type enforcment file: local.te +Generating type enforcement file: local.te Compiling policy: checkmodule -M -m -o local.mod local.te Building package: semodule_package -o local.pp -m local.mod diff --git a/policycoreutils/audit2allow/audit2why.1 b/policycoreutils/audit2allow/audit2why.1 new file mode 100644 index 0000000..a9e8893 --- /dev/null +++ b/policycoreutils/audit2allow/audit2why.1 @@ -0,0 +1 @@ +.so man1/audit2allow.1 diff --git a/policycoreutils/audit2allow/sepolgen-ifgen b/policycoreutils/audit2allow/sepolgen-ifgen index ef4bec3..3967ba5 100644 --- a/policycoreutils/audit2allow/sepolgen-ifgen +++ b/policycoreutils/audit2allow/sepolgen-ifgen @@ -62,6 +62,9 @@ def parse_options(): return options def get_policy(): + p = selinux.selinux_current_policy_path() + if os.path.exists(p): + return p i = selinux.security_policyvers() p = selinux.selinux_binary_policy_path() + "." + str(i) while i > 0 and not os.path.exists(p): diff --git a/policycoreutils/audit2why/Makefile b/policycoreutils/audit2why/Makefile deleted file mode 100644 index 63eb8b3..0000000 --- a/policycoreutils/audit2why/Makefile +++ /dev/null @@ -1,18 +0,0 @@ -# Installation directories. -PREFIX ?= $(DESTDIR)/usr -BINDIR ?= $(PREFIX)/bin -MANDIR ?= $(PREFIX)/share/man - -TARGETS=audit2why - -all: $(TARGETS) - -install: all - -mkdir -p $(BINDIR) - install -m 755 $(TARGETS) $(BINDIR) - -mkdir -p $(MANDIR)/man1 - install -m 644 audit2why.1 $(MANDIR)/man1/ - -clean: - -relabel: diff --git a/policycoreutils/audit2why/audit2why b/policycoreutils/audit2why/audit2why deleted file mode 100644 index 21a72aa..0000000 --- a/policycoreutils/audit2why/audit2why +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -/usr/bin/audit2allow -w $* 
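Review bot: In get_policy, `os.path.exists(p)` is called on the return of `selinux.selinux_current_policy_path()` without checking for `None`; if the binding returns `None` (no loaded policy, or a host without SELinux) this raises `TypeError` instead of falling back to the versioned-path search on the following lines. `if p and os.path.exists(p): return p` keeps the fallback reachable. get_policy continues past the end of the hunk.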
diff --git a/policycoreutils/audit2why/audit2why.1 b/policycoreutils/audit2why/audit2why.1 deleted file mode 100644 index a9e8893..0000000 --- a/policycoreutils/audit2why/audit2why.1 +++ /dev/null @@ -1 +0,0 @@ -.so man1/audit2allow.1 diff --git a/policycoreutils/gui/Makefile b/policycoreutils/gui/Makefile index b5abbb9..513f2c4 100644 --- a/policycoreutils/gui/Makefile +++ b/policycoreutils/gui/Makefile @@ -1,7 +1,9 @@ # Installation directories. PREFIX ?= ${DESTDIR}/usr +SYSCONFDIR ?= ${DESTDIR}/etc BINDIR ?= $(PREFIX)/bin SHAREDIR ?= $(PREFIX)/share/system-config-selinux +DATADIR ?= $(PREFIX)/share TARGETS= \ booleansPage.py \ @@ -16,6 +18,7 @@ portsPage.py \ semanagePage.py \ statusPage.py \ system-config-selinux.glade \ +system-config-selinux.png \ usersPage.py all: $(TARGETS) system-config-selinux.py polgengui.py @@ -23,11 +26,19 @@ all: $(TARGETS) system-config-selinux.py polgengui.py install: all -mkdir -p $(SHAREDIR) -mkdir -p $(BINDIR) + -mkdir -p $(DATADIR)/pixmaps + -mkdir -p $(DATADIR)/icons/hicolor/24x24/apps + -mkdir -p $(SYSCONFDIR) + -mkdir -p $(DATADIR)/polkit-1/actions/ install -m 755 system-config-selinux.py $(SHAREDIR) + install -m 755 system-config-selinux $(BINDIR) install -m 755 polgengui.py $(SHAREDIR) - install -m 755 sepolgen $(BINDIR) install -m 644 $(TARGETS) $(SHAREDIR) - + install -m 644 system-config-selinux.png $(DATADIR)/pixmaps + install -m 644 system-config-selinux.png $(DATADIR)/icons/hicolor/24x24/apps + install -m 644 system-config-selinux.png $(DATADIR)/system-config-selinux + install -m 644 *.desktop $(DATADIR)/system-config-selinux + install -m 644 org.fedoraproject.config.selinux.policy $(DATADIR)/polkit-1/actions/ clean: indent: diff --git a/policycoreutils/gui/org.fedoraproject.config.selinux.policy b/policycoreutils/gui/org.fedoraproject.config.selinux.policy new file mode 100644 index 0000000..fcfa81d --- /dev/null +++ b/policycoreutils/gui/org.fedoraproject.config.selinux.policy 
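Review bot: The gui/Makefile install rule drops `install -m 755 sepolgen $(BINDIR)` while the selinux-polgengui.desktop added later in this diff launches `/usr/bin/selinux-polgengui`, and nothing in this Makefile installs a file of that name, so the desktop entry would point at a missing executable unless it is provided elsewhere. `-mkdir -p $(SYSCONFDIR)` is also added but no rule installs anything into it. The `*.desktop` files and the png are copied into `$(DATADIR)/system-config-selinux`, which is the same directory as `$(SHAREDIR)`; using one variable for both would make that clearer.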
@@ -0,0 +1,22 @@ + + + + + System Config SELinux + http://fedorahosted.org/system-config-selinux + + + Run System Config SELinux + Authentication is required to run system-config-selinux + system-selinux + + no + no + auth_admin + + /usr/share/system-config-selinux/system-config-selinux.py + true + + diff --git a/policycoreutils/gui/selinux-polgengui.desktop b/policycoreutils/gui/selinux-polgengui.desktop new file mode 100644 index 0000000..0c2f399 --- /dev/null +++ b/policycoreutils/gui/selinux-polgengui.desktop 
@@ -0,0 +1,67 @@ +[Desktop Entry] +Name=SELinux Policy Generation Tool +Name[bn_IN]=SELinux Policy নির্মাণের সামগ্রী +Name[ca]=Eina de generació de polítiques del SELinux +Name[da]=Regelsætgenereringsværktøj til SELinux +Name[de]=Tool zur Erstellung von SELinux-Richtlinien +Name[es]=Generador de Políticas de SELinux +Name[fi]=SELinux-käytäntöjen generointityökalu +Name[fr]=Outil de génération de stratégies SELinux +Name[gu]=SELinux પોલિસી બનાવટ સાધન +Name[hi]=SELinux पॉलिसी जनन औजार +Name[it]=Tool di generazione della policy di SELinux +Name[ja]=SELinux ポリシー生成ツール +Name[kn]=SELinux ಪಾಲಿಸಿ ಉತ್ಪಾದನಾ ಉಪಕರಣ +Name[ko]=SELinux 정책 생성 도구 +Name[ml]=SELinux പോളിസി ഉത്പാദന പ്രയോഗം +Name[mr]=SELinux करार निर्माण साधन +Name[nl]=SELinux tactiek generatie gereedschap +Name[or]=SELinux ନୀତି ସୃଷ୍ଟି ଉପକରଣ +Name[pa]=SELinux ਪਾਲਿਸੀ ਨਿਰਮਾਣ ਜੰਤਰ +Name[pl]=Narzędzie tworzenia polityki SELinuksa +Name[pt]=Ferramenta de Geração de Políticas SELinux +Name[pt_BR]=Ferramenta de criação de políticas do SELinux +Name[ru]=Средство создания политики SELinux +Name[sv]=Genereringsverktyg för SELinuxpolicy +Name[ta]=SELinux பாலிசி உற்பத்தி கருவி +Name[te]=SELinux నిర్వహణ +Name[uk]=Утиліта генерації правил SELinux +Name[zh_CN]=SELinux 策略生成工具 +Name[zh_TW]=SELinux 政策產生工具(SELinux Policy Generation Tool) +Comment=Generate SELinux policy modules +Comment[bn_IN]=SELinux নিয়মনীতির মডিউল নির্মাণ করুন +Comment[ca]=Genera els mòduls de les polítiques de SELinux +Comment[da]=Generér SELinux-regelsætmodul +Comment[de]=Tool zur Erstellung von SELinux-Richtlinien +Comment[es]=Generar módulos de política de SELinux +Comment[fi]=Generoi SELinuxin käytäntömoduuleja +Comment[fr]=Génére des modules de stratégie SELinux +Comment[gu]=SELinux પોલિસી મોડ્યુલોને ઉત્પન્ન કરો +Comment[hi]=नया पॉलिसी मॉड्यूल उत्पन्न करें +Comment[it]=Genera moduli della politica di SELinux +Comment[ja]=新しいポリシーモジュールの作成 +Comment[kn]=SELinux ಪಾಲಿಸಿ ಘಟಕಗಳನ್ನು ಉತ್ಪಾದಿಸು +Comment[ko]=SELinux 정책 모듈 생성 +Comment[ml]=SELinux യ പോളിസി ഘങ്ങള്‍ 
തയ്യാറാക്കുക +Comment[mr]=SELinux करार घटके निर्माण करा +Comment[nl]=Maak een SELinux tactiek module aan +Comment[or]=SELinux ନୀତି ଏକକାଂଶ ସୃଷ୍ଟିକରନ୍ତୁ +Comment[pa]=SELinux ਪਾਲਿਸੀ ਮੈਡਿਊਲ ਬਣਾਓ +Comment[pl]=Tworzenie nowych modułów polityki SELinuksa +Comment[pt]=Gerar módulos de políticas SELinux +Comment[pt_BR]=Gerar módulos de política do SELinux +Comment[ru]=Генерация модулей политики SELinux +Comment[sv]=Generera SELinux-policymoduler +Comment[ta]=SELinux கொள்கை தொகுதியை உருவாக்கவும் +Comment[te]=SELinux పాలసీ మాడ్యూళ్ళను వుద్భవింపచేయుము +Comment[uk]=Створення модулів контролю доступу SELinux +Comment[zh_CN]=生成 SELinux 策略模块 +Comment[zh_TW]=產生 SELinux 政策模組 +StartupNotify=true +Icon=system-config-selinux +Exec=/usr/bin/selinux-polgengui +Type=Application +Terminal=false +Categories=System;Security; +X-Desktop-File-Install-Version=0.2 +Keywords=policy;security;selinux;avc;permission;mac; diff --git a/policycoreutils/gui/system-config-selinux b/policycoreutils/gui/system-config-selinux new file mode 100755 index 0000000..5be5ccd --- /dev/null +++ b/policycoreutils/gui/system-config-selinux @@ -0,0 +1,3 @@ +#!/bin/sh + +exec /usr/bin/pkexec /usr/share/system-config-selinux/system-config-selinux.py diff --git a/policycoreutils/gui/system-config-selinux.desktop b/policycoreutils/gui/system-config-selinux.desktop new file mode 100644 index 0000000..8822ce2 --- /dev/null +++ b/policycoreutils/gui/system-config-selinux.desktop 
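Review bot: The new system-config-selinux wrapper hands the whole GUI to `pkexec`, which runs system-config-selinux.py as root under the polkit action shipped in org.fedoraproject.config.selinux.policy, and nothing in the file says so. A one-line comment would help a packager understand why the script is not executed directly: `# Run the GUI as root via polkit; the org.fedoraproject.config.selinux.policy action decides who may do so.` pkexec matches the program by its absolute path against the policy's exec.path annotation, so the `/usr/share/system-config-selinux/system-config-selinux.py` path here and in the .policy file must stay identical; they do in this diff.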
@@ -0,0 +1,67 @@ +[Desktop Entry] +Name=SELinux Management +Name[bn_IN]=SELinux পরিচালনা +Name[da]=Håndtering af SELinux +Name[de]=SELinux-Management +Name[ca]=Gestió de SELinux +Name[es]=Administración de SELinux +Name[fi]=SELinuxin ylläpito +Name[fr]=Gestion de SELinux +Name[gu]=SELinux સંચાલન +Name[hi]=SELinux प्रबंधन +Name[jp]=SELinux 管理 +Name[it]=Gestione di SELinux +Name[kn]=SELinux ವ್ಯವಸ್ಥಾಪನೆ +Name[ko]=SELinux 관리 +Name[ml]=SELinux മാനേജ്മെന്റ് +Name[mr]=SELinux मॅनेजमेंट +Name[nl]=SELinux beheer +Name[or]=SELinux ପରିଚାଳନା +Name[pa]=SELinux ਮੈਨੇਜਮੈਂਟ +Name[pl]=Zarządzanie SELinuksem +Name[pt_BR]=Gerenciamento do SELinux +Name[pt]=Gestão de SELinux +Name[ru]=Управление SELinux +Name[sv]=SELinux-hantering +Name[ta]=SELinux மேலாண்மை +Name[te]=SELinux నిర్వహణ +Name[uk]=Керування SELinux +Name[zh_CN]=SELinux 管理 +Name[zh_TW]=SELinux 管理 +Comment=Configure SELinux in a graphical setting +Comment[bn_IN]=গ্রাফিক্যাল পরিবেশে SELinux কনফিগার করুন +Comment[ca]=Configura SELinuc an mode de preferències gràfiques +Comment[da]=Konfigurér SELinux i et grafisk miljø +Comment[de]=SELinux in einer grafischen Einstellung konfigurieren +Comment[es]=Defina SELinux en una configuración de interfaz gráfica +Comment[fi]=Tee SELinuxin asetukset graafisesti +Comment[fr]=Configure SELinux dans un environnement graphique +Comment[gu]=ગ્રાફિકલ સુયોજનમાં SELinux ને રૂપરેખાંકિત કરો +Comment[hi]=SELinux को आलेखी सेटिंग में विन्यस्त करें +Comment[it]=Configura SELinux in una impostazione grafica +Comment[jp]=グラフィカルな設定画面で SELinux を設定する +Comment[ko]=SELinux를 그래픽 사용자 인터페이스로 설정 +Comment[kn]=SELinux ಅನ್ನು ಒಂದು ಚಿತ್ರಾತ್ಮಕ ಸಿದ್ದತೆಯಲ್ಲಿ ಸಂರಚಿಸಿ +Comment[ml]=ഒരു ഗ്രാഫിക്കല്‍ സജ്ജീകരണത്തില്‍ SELinux ക്രമീകരിയ്ക്കുക +Comment[mr]=ग्राफिकल सेटिंगमध्ये SELinux संरचीत करा +Comment[nl]=Configureer SELinux in een grafische omgeving +Comment[or]=SELinux କୁ ଆଲେଖିକ ସଂରଚନାରେ ବିନ୍ୟାସ କରନ୍ତୁ +Comment[pa]=SELinux ਨੂੰ ਗਰਾਫੀਕਲ ਸੈਟਿੰਗ ਵਿੱਚ ਸੰਰਚਿਤ ਕਰੋ +Comment[pl]=Konfiguracja SELinuksa w trybie graficznym 
+Comment[pt]=Configurar o SELinux num ambiente gráfico +Comment[pt_BR]=Configure o SELinux em uma configuração gráfica +Comment[ru]=Настройка SELinux в графическом режиме +Comment[sv]=Konfigurera SELinux i en grafisk miljö +Comment[ta]=SELinuxஐ ஒரு வரைகலை அமைவில் கட்டமைக்கவும் +Comment[te]=SELinuxను గ్రాఫికల్ అమర్పునందు ఆకృతీకరించుము +Comment[uk]=Засіб для налаштування SELinux з графічним інтерфейсом +Comment[zh_CN]=在图形设置中配置 SELinux +Comment[zh_TW]=在圖形話設定中配置 SELinux +StartupNotify=true +Icon=system-config-selinux +Exec=/usr/bin/system-config-selinux +Type=Application +Terminal=false +Categories=System;Security; +X-Desktop-File-Install-Version=0.2 +Keywords=policy;security;selinux;avc;permission;mac; diff --git a/policycoreutils/gui/system-config-selinux.png b/policycoreutils/gui/system-config-selinux.png new file mode 100644 index 0000000..68ffcb7 Binary files /dev/null and b/policycoreutils/gui/system-config-selinux.png differ diff --git a/policycoreutils/load_policy/load_policy.8 b/policycoreutils/load_policy/load_policy.8 index f9ca36e..a86073f 100644 --- a/policycoreutils/load_policy/load_policy.8 +++ b/policycoreutils/load_policy/load_policy.8 @@ -19,7 +19,7 @@ values in the policy file. suppress warning messages. .TP .B \-i -inital policy load. Only use this if this is the first time policy is being loaded since boot (usually called from initramfs). +initial policy load. Only use this if this is the first time policy is being loaded since boot (usually called from initramfs). .SH "EXIT STATUS" .TP diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5 index 4963cdc..a55dbed 100644 --- a/policycoreutils/man/man5/selinux_config.5 +++ b/policycoreutils/man/man5/selinux_config.5 
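Review bot: `Name[jp]=SELinux 管理` and `Comment[jp]=...` use `jp`, which is not a locale code, so the Japanese strings will never be selected by the desktop-entry lookup. They should be keyed `Name[ja]=` and `Comment[ja]=`, as the sibling selinux-polgengui.desktop in this diff already does.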
@@ -92,7 +92,7 @@ The binary policy name has by convention the SELinux policy version that it supp .RS This entry is deprecated and should be removed or set to \fI0\fR. .sp -If set to \fI1\fR, then \fBselinux_mkload_policy\fR(3) will read the local customisation for booleans (see \fBbooleans\fR(5)) and users (see \fBlocal.users\fR(5)). +If set to \fI1\fR, then \fBselinux_mkload_policy\fR(3) will read the local customization for booleans (see \fBbooleans\fR(5)) and users (see \fBlocal.users\fR(5)). .RE .sp .B REQUIRESEUSERS diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c index 8fbf2d0..4e59a06 100644 --- a/policycoreutils/newrole/newrole.c +++ b/policycoreutils/newrole/newrole.c @@ -547,9 +547,7 @@ static int drop_capabilities(int full) if (!uid) return 0; capng_setpid(getpid()); - capng_clear(CAPNG_SELECT_BOTH); - if (capng_lock() < 0) - return -1; + capng_clear(CAPNG_SELECT_CAPS); /* Change uid */ if (setresuid(uid, uid, uid)) { @@ -558,7 +556,7 @@ static int drop_capabilities(int full) } if (! full) capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE); - return capng_apply(CAPNG_SELECT_BOTH); + return capng_apply(CAPNG_SELECT_CAPS); } #elif defined(NAMESPACE_PRIV) /** 
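Review bot: The reason for dropping `capng_lock()` and narrowing `capng_clear`/`capng_apply` from `CAPNG_SELECT_BOTH` to `CAPNG_SELECT_CAPS` in drop_capabilities is not recorded, and it changes what the user's shell inherits: the bounding set is no longer cleared and the securebits are no longer locked, so a program exec'd from the new role that carries file capabilities can acquire them again. A comment such as `/* bounding set and securebits intentionally left alone: <reason> */` above `capng_clear` would document the choice; the same change is made in the NAMESPACE_PRIV variant in the next hunk. With the lock gone, the `setresuid()` that follows performs the ordinary uid-change fixup that empties the permitted set, so the `!full` path that adds `CAP_AUDIT_WRITE` back in `capng_apply` may now fail — worth confirming against the callers, which are outside the hunk.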
@@ -576,20 +574,21 @@ static int drop_capabilities(int full) */ static int drop_capabilities(int full) { + uid_t uid = getuid(); + if (!uid) return 0; + capng_setpid(getpid()); - capng_clear(CAPNG_SELECT_BOTH); - if (capng_lock() < 0) - return -1; + capng_clear(CAPNG_SELECT_CAPS); - uid_t uid = getuid(); /* Change uid */ if (setresuid(uid, uid, uid)) { fprintf(stderr, _("Error changing uid, aborting.\n")); return -1; } if (! full) - capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1); - return capng_apply(CAPNG_SELECT_BOTH); + capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_AUDIT_WRITE, -1); + + return capng_apply(CAPNG_SELECT_CAPS); } #else @@ -680,7 +679,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context, security_context_t * tty_context, security_context_t * new_tty_context) { - int fd; + int fd, rc; int enforcing = security_getenforce(); security_context_t tty_con = NULL; security_context_t new_tty_con = NULL; @@ -699,7 +698,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context, fprintf(stderr, _("Error! Could not open %s.\n"), ttyn); return fd; } - fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); + /* this craziness is to make sure we cann't block on open and deadlock */ + rc = fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); + if (rc) { + fprintf(stderr, _("Error! Could not clear O_NONBLOCK on %s\n"), ttyn); + close(fd); + return rc; + } if (fgetfilecon(fd, &tty_con) < 0) { fprintf(stderr, _("%s! Could not get current context " @@ -1010,9 +1015,9 @@ int main(int argc, char *argv[]) int fd; pid_t childPid = 0; char *shell_argv0 = NULL; + int rc; #ifdef USE_PAM - int rc; int pam_status; /* pam return code */ pam_handle_t *pam_handle; /* opaque handle used by all PAM functions */ 
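Review bot: In relabel_tty the new check covers only `F_SETFL`; the inner `fcntl(fd, F_GETFL, 0)` can itself return -1, in which case `-1 & ~O_NONBLOCK` is written back as the file status flags instead of being reported. Reading the flags into `rc` first keeps both failures on the same path: `rc = fcntl(fd, F_GETFL, 0);` / `if (rc < 0 || (rc = fcntl(fd, F_SETFL, rc & ~O_NONBLOCK)) < 0) {`. The same pattern is repeated three times in the main() hunk at `@@ -1226`. The comment typo `cann't` should read `can't`.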
@@ -1226,15 +1231,23 @@ int main(int argc, char *argv[]) fd = open(ttyn, O_RDONLY | O_NONBLOCK); if (fd != 0) goto err_close_pam; - fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); + rc = fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); + if (rc) + goto err_close_pam; + fd = open(ttyn, O_RDWR | O_NONBLOCK); if (fd != 1) goto err_close_pam; - fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); + rc = fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); + if (rc) + goto err_close_pam; + fd = open(ttyn, O_RDWR | O_NONBLOCK); if (fd != 2) goto err_close_pam; - fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); + rc = fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); + if (rc) + goto err_close_pam; } /* @@ -1268,19 +1281,24 @@ int main(int argc, char *argv[]) } #endif - if (send_audit_message(1, old_context, new_context, ttyn)) + if (send_audit_message(1, old_context, new_context, ttyn)) { + fprintf(stderr, _("Failed to send audit message")); goto err_close_pam_session; + } freecon(old_context); old_context=NULL; freecon(new_context); new_context=NULL; #ifdef NAMESPACE_PRIV - if (transition_to_caller_uid()) + if (transition_to_caller_uid()) { + fprintf(stderr, _("Failed to transition to namespace\n")); goto err_close_pam_session; + } #endif - if (drop_capabilities(TRUE)) + if (drop_capabilities(TRUE)) { + fprintf(stderr, _("Failed to drop capabilities %m\n")); goto err_close_pam_session; - + } /* Handle environment changes */ if (restore_environment(preserve_environment, old_environ, &pw)) { fprintf(stderr, _("Unable to restore the environment, " diff --git a/policycoreutils/newrole/newrole.pamd b/policycoreutils/newrole/newrole.pamd index d1b435c..de3582f 100644 --- a/policycoreutils/newrole/newrole.pamd +++ b/policycoreutils/newrole/newrole.pamd 
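Review bot: `_("Failed to send audit message")` is the only one of the three new error messages in main() without a trailing `\n`, so it runs into whatever is printed next; `_("Failed to send audit message\n")` matches the other two. `%m` in `"Failed to drop capabilities %m\n"` prints the current errno, but drop_capabilities returns -1 after its own `fprintf` and on `capng_apply` failure alike, so the errno shown may be unrelated to the actual cause; it is a hint, not a diagnosis. `%m` is also a glibc extension, which is fine for this tree but worth a comment if portability matters.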
@@ -1,4 +1,6 @@ #%PAM-1.0 +# Uncomment the next line if you do not want to enter your passwd everytime +# auth sufficient pam_rootok.so auth include system-auth account include system-auth password include system-auth diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile index a377996..9c1486e 100644 --- a/policycoreutils/po/Makefile +++ b/policycoreutils/po/Makefile @@ -81,12 +81,16 @@ POTFILES = \ ../sepolicy/sepolicy/templates/var_log.py \ ../sepolicy/sepolicy/templates/var_run.py \ ../sepolicy/sepolicy/templates/var_spool.py \ + booleans.py #default:: clean all:: $(MOFILES) -$(POTFILE): $(POTFILES) +booleans.py: + sepolicy booleans -a > booleans.py + +$(POTFILE): $(POTFILES) booleans.py $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES) @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \ rm -f $(NLSPACKAGE).po; \ @@ -95,6 +99,7 @@ $(POTFILE): $(POTFILES) fi; \ update-po: Makefile $(POTFILE) refresh-po + @rm -f booleans.py refresh-po: Makefile for cat in $(POFILES); do \ diff --git a/policycoreutils/po/es.po b/policycoreutils/po/es.po index e84995e..a60b20e 100644 --- a/policycoreutils/po/es.po +++ b/policycoreutils/po/es.po @@ -3,7 +3,9 @@ # This file is distributed under the same license as the PACKAGE package. # # Translators: +# Adolfo Jayme Barrientos , 2013. # Domingo Becker , 2006, 2008. +# , 2013. # Gladys Guerrero , 2010,2012. # Héctor Daniel Cabrera , 2010. msgid "" @@ -11,8 +13,8 @@ msgstr "" "Project-Id-Version: Policycoreutils\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2013-01-04 12:01-0500\n" -"PO-Revision-Date: 2013-01-04 17:02+0000\n" -"Last-Translator: dwalsh \n" +"PO-Revision-Date: 2013-02-23 11:46+0000\n" +"Last-Translator: vareli \n" "Language-Team: Spanish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" 
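Review bot: The new comment says uncommenting `pam_rootok.so` avoids entering the password `everytime`, but does not say what the line grants: pam_rootok succeeds only when the calling user is uid 0, so it lets root change roles without re-authenticating and has no effect for other users. A comment that names that trade-off is clearer, e.g. `# Uncomment the next line to let root (uid 0) change roles without re-authenticating`, and `every time` is two words.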
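Review bot: In po/Makefile, `sepolicy booleans -a > booleans.py` creates and truncates `booleans.py` before `sepolicy` runs, so if the installed `sepolicy` is missing or fails the target is still satisfied by an empty file and the next `make` silently skips regeneration. Writing to a temporary name first avoids that: `sepolicy booleans -a > booleans.py.tmp && mv booleans.py.tmp booleans.py`. The second hunk removes the file only in `update-po`; `clean`, outside the hunk, presumably should remove it as well. This also runs the system `sepolicy` rather than the in-tree one, a build-time dependency worth stating in a comment next to the rule.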
@@ -288,7 +290,7 @@ msgstr "Rango MLS/MCS" #: ../semanage/seobject.py:672 msgid "Service" -msgstr "" +msgstr "Servicio" #: ../semanage/seobject.py:698 ../semanage/seobject.py:729 #: ../semanage/seobject.py:796 ../semanage/seobject.py:853 @@ -425,7 +427,7 @@ msgstr "Se requiere tipo" #: ../semanage/seobject.py:1814 #, python-format msgid "Type %s is invalid, must be a port type" -msgstr "" +msgstr "Tipo %s es no válido, debe ser un tipo de puerto" #: ../semanage/seobject.py:1000 ../semanage/seobject.py:1062 #: ../semanage/seobject.py:1117 ../semanage/seobject.py:1123 @@ -547,12 +549,12 @@ msgstr "Falta el protocolo o es desconocido" #: ../semanage/seobject.py:1256 msgid "SELinux node type is required" -msgstr "" +msgstr "Se requiere tipo de nodo SELinux" #: ../semanage/seobject.py:1259 ../semanage/seobject.py:1327 #, python-format msgid "Type %s is invalid, must be a node type" -msgstr "" +msgstr "Tipo %s es no válido, debe ser un tipo nodo" #: ../semanage/seobject.py:1263 ../semanage/seobject.py:1331 #: ../semanage/seobject.py:1367 ../semanage/seobject.py:1465 @@ -786,7 +788,7 @@ msgstr "La especificación de archivo %s choca con la regla de equivalencia '%s #: ../semanage/seobject.py:1755 #, python-format msgid "Type %s is invalid, must be a file or device type" -msgstr "" +msgstr "Tipo %s es no válido, debe ser un tipo fichero o dispositivo" #: ../semanage/seobject.py:1763 ../semanage/seobject.py:1768 #: ../semanage/seobject.py:1824 ../semanage/seobject.py:1906 @@ -2174,11 +2176,11 @@ msgstr "La ruta en la cual se almacenarán las páginas de manual generadas " #: ../sepolicy/sepolicy.py:207 msgid "name of the OS for man pages" -msgstr "" +msgstr "nombre del SO para las páginas de manual" #: ../sepolicy/sepolicy.py:209 msgid "Generate HTML man pages structure for selected SELinux man page" -msgstr "" +msgstr "General páginas de manual de estructura HTML para la página de manual SELinux seleccionada" #: ../sepolicy/sepolicy.py:213 msgid "All domains" 
@@ -2226,7 +2228,7 @@ msgstr "Solicita la política de SELinux para ver la descripción de booleanos" #: ../sepolicy/sepolicy.py:280 msgid "get all booleans descriptions" -msgstr "" +msgstr "obtiene todas las descripciones booleanas" #: ../sepolicy/sepolicy.py:282 msgid "boolean to get description" @@ -2248,11 +2250,11 @@ msgstr "Dominio de proceso de destino" #: ../sepolicy/sepolicy.py:327 msgid "Command required for this type of policy" -msgstr "" +msgstr "Comando requerido para este tipo de política" #: ../sepolicy/sepolicy.py:347 msgid "List SELinux Policy interfaces" -msgstr "" +msgstr "Lista las interfaces de la Política SELinux" #: ../sepolicy/sepolicy.py:362 msgid "Generate SELinux Policy module template" @@ -2260,15 +2262,15 @@ msgstr "Generar plantilla para módulo de política SELinux" #: ../sepolicy/sepolicy.py:365 msgid "Enter domain type which you will be extending" -msgstr "" +msgstr "Introduzca el tipo de dominio que usted estaría extendiendo" #: ../sepolicy/sepolicy.py:368 msgid "Enter SELinux user(s) which will transition to this domain" -msgstr "" +msgstr "Introduzca el usuario(s) SELinux que transicionará a este dominio" #: ../sepolicy/sepolicy.py:371 msgid "Enter domain(s) that this confined admin will administrate" -msgstr "" +msgstr "Introduzca el dominio(s) que este administrador confinado administrará" #: ../sepolicy/sepolicy.py:374 msgid "name of policy to generate" @@ -2276,7 +2278,7 @@ msgstr "Nombre de política a generar" #: ../sepolicy/sepolicy.py:378 msgid "path in which the generated policy files will be stored" -msgstr "" +msgstr "ruta en la que los ficheros de política generados serán almacenados" #: ../sepolicy/sepolicy.py:380 msgid "executable to confine" @@ -2290,7 +2292,7 @@ msgstr "Ejecutable a confinar" #: ../sepolicy/sepolicy.py:414 ../sepolicy/sepolicy.py:417 #, python-format msgid "Generate Policy for %s" -msgstr "" +msgstr "Generar Política para %s" #: ../sepolicy/sepolicy.py:422 msgid "commands" 
@@ -2298,16 +2300,16 @@ msgstr "Comandos" #: ../sepolicy/sepolicy.py:425 msgid "Alternate SELinux policy, defaults to /sys/fs/selinux/policy" -msgstr "" +msgstr "Política SELinux suplente, por defecto a /sys/fs/selinux/policy" #: ../sepolicy/sepolicy/__init__.py:48 msgid "No SELinux Policy installed" -msgstr "" +msgstr "No hay Política SELinux instalada" #: ../sepolicy/sepolicy/__init__.py:54 #, python-format msgid "Failed to read %s policy file" -msgstr "" +msgstr "Fallo al leer el fichero de política %s" #: ../sepolicy/sepolicy/__init__.py:127 msgid "unknown" @@ -2319,27 +2321,27 @@ msgstr "Demonio de los servicios de Internet" #: ../sepolicy/sepolicy/generate.py:177 msgid "Existing Domain Type" -msgstr "" +msgstr "Tipo de Dominio Existente" #: ../sepolicy/sepolicy/generate.py:178 msgid "Minimal Terminal Login User Role" -msgstr "" +msgstr "Rol de Acceso de Usuario de Terminal Mínimo" #: ../sepolicy/sepolicy/generate.py:179 msgid "Minimal X Windows Login User Role" -msgstr "" +msgstr "Rol de Acceso de Usuario de X Windows Mínima" #: ../sepolicy/sepolicy/generate.py:180 msgid "Desktop Login User Role" -msgstr "" +msgstr "Rol de Acceso de Usuario a Escritorio" #: ../sepolicy/sepolicy/generate.py:181 msgid "Administrator Login User Role" -msgstr "" +msgstr "Rol de Acceso de Usuario Administrador" #: ../sepolicy/sepolicy/generate.py:182 msgid "Confined Root Administrator Role" -msgstr "" +msgstr "Rol de Administrador Confinado Root" #: ../sepolicy/sepolicy/generate.py:187 msgid "Valid Types:\n" 
@@ -2352,12 +2354,12 @@ msgstr "Los puertos deben ser números o rangos de números entre 1 y %d" #: ../sepolicy/sepolicy/generate.py:231 msgid "You must enter a valid policy type" -msgstr "" +msgstr "Debe introducir un tipo válido de política" #: ../sepolicy/sepolicy/generate.py:234 #, python-format msgid "You must enter a name for your policy module for your %s." -msgstr "" +msgstr "Debe introducir un nombre para su módulo de política para su %s." #: ../sepolicy/sepolicy/generate.py:355 msgid "" @@ -2396,7 +2398,7 @@ msgstr "USER Types automáticamente obtiene un tipo tmp" #: ../sepolicy/sepolicy/generate.py:857 #, python-format msgid "%s policy modules require existing domains" -msgstr "" +msgstr "%s módulo de política requieren dominios existentes" #: ../sepolicy/sepolicy/generate.py:1059 msgid "You must enter the executable path for your confined process" @@ -2416,7 +2418,7 @@ msgstr "Archivo de contextos de archivo" #: ../sepolicy/sepolicy/generate.py:1324 msgid "Spec file" -msgstr "" +msgstr "Fichero spec" #: ../sepolicy/sepolicy/generate.py:1325 msgid "Setup Script" @@ -2438,11 +2440,11 @@ msgstr "Permite a amavis usar un compilador de JIT" #: booleans.py:4 msgid "Allow antivirus programs to read non security files on a system" -msgstr "" +msgstr "Permitir a programas antivirus leer ficheros no asegurados sobre un sistema" #: booleans.py:5 msgid "Allow auditadm to exec content" -msgstr "" +msgstr "Permitir al administrador de auditoria ejecutar contenido" #: booleans.py:6 msgid "" @@ -2456,11 +2458,11 @@ msgstr "Permite a usuarios iniciar sesión mediante un servidor Radius" #: booleans.py:8 msgid "Allow users to login using a yubikey server" -msgstr "" +msgstr "Permite a los usuario acceder usando una servidor yubikey" #: booleans.py:9 msgid "Allow awstats to purge Apache logs" -msgstr "" +msgstr "Permitir a awstats purgar los registros de Apache" #: booleans.py:10 msgid "" 
@@ -2528,11 +2530,11 @@ msgstr "Permite a todos los demonios la lectura y escritura de terminales" #: booleans.py:25 msgid "Allow dan to manage user files" -msgstr "" +msgstr "Permitir a dan gestionar los archivos del usuario" #: booleans.py:26 msgid "Allow dan to read user files" -msgstr "" +msgstr "Permitir a dan leer los archivos del usuario" #: booleans.py:27 msgid "Allow dbadm to manage files in users home directories" @@ -2599,7 +2601,7 @@ msgstr "Permite al dominio en valla ejecutar ssh." #: booleans.py:42 msgid "Allow all domains to execute in fips_mode" -msgstr "" +msgstr "Permite ejecutar todos los dominios en modo fips" #: booleans.py:43 msgid "Allow ftp to read and write files in the user home directories" @@ -2699,7 +2701,7 @@ msgstr "Permite a GSSD leer el directorio temp. Para acceder a kerberos tgt." #: booleans.py:64 msgid "Allow guest to exec content" -msgstr "" +msgstr "Permite al invitado ejecutar contenido" #: booleans.py:65 msgid "" @@ -2854,7 +2856,7 @@ msgstr "Permite a HTTPD acceder a puertos Openstack" #: booleans.py:100 msgid "Allow Apache to query NS records" -msgstr "" +msgstr "Permite a Apache consultar registros NS" #: booleans.py:101 msgid "Allow icecast to connect to all ports, not just sound ports." @@ -2951,7 +2953,7 @@ msgstr "Permite a las aplicaciones confinadas usar memoria compartida NSCD " #: booleans.py:122 msgid "Allow openshift to lockdown app" -msgstr "" +msgstr "Permite openshift para lockdown app" #: booleans.py:123 msgid "Allow openvpn to read home directories" @@ -3116,7 +3118,7 @@ msgstr "Permite a SASL leer sombra" #: booleans.py:161 msgid "Allow secadm to exec content" -msgstr "" +msgstr "Permita a secadm ejecutar contenido" #: booleans.py:162 msgid "" 
@@ -3188,7 +3190,7 @@ msgstr "Permite a scripts y módulos HTTPD la conexión al puerto LDAP" #: booleans.py:174 msgid "Allow user to use ssh chroot environment." -msgstr "" +msgstr "Permite al usuario usar el entorno ssh chroot" #: booleans.py:175 msgid "Allow user music sharing" @@ -3270,7 +3272,7 @@ msgstr "Permitir ingresos ssh como sysadm_r:sysadm_t" #: booleans.py:191 msgid "Allow staff to exec content" -msgstr "" +msgstr "Permite a staff ejecutar contenido" #: booleans.py:192 msgid "allow staff user to create and transition to svirt domains." @@ -3278,7 +3280,7 @@ msgstr "Permite a scripts y módulos HTTPD la conexión al puerto LDAP" #: booleans.py:193 msgid "Allow sysadm to exec content" -msgstr "" +msgstr "Permite a sysadm ejecutar contenido" #: booleans.py:194 msgid "" @@ -3297,7 +3299,7 @@ msgstr "Permite a tftp modificar los archivos públicos utilizados para servicio #: booleans.py:197 msgid "Allow tftp to read and write files in the user home directories" -msgstr "" +msgstr "Permite a tftp leer y escribir archivos en los directorios home de usuario" #: booleans.py:198 msgid "Allow tor daemon to bind tcp sockets to all unreserved ports." @@ -3305,7 +3307,7 @@ msgstr "Permite a scripts y módulos HTTPD la conexión al puerto LDAP" #: booleans.py:199 msgid "Allow tor to act as a relay" -msgstr "" +msgstr "Permite a tor actuar como relé" #: booleans.py:200 msgid "" @@ -3353,7 +3355,7 @@ msgstr "Soporta directorios principales de Samba" #: booleans.py:210 msgid "Allow user to exec content" -msgstr "" +msgstr "Permite al usuario ejecutar contenido" #: booleans.py:211 msgid "Allow varnishd to connect to all ports, not just HTTP." 
@@ -3383,7 +3385,7 @@ msgstr "Permite a los huéspedes virtuales confinados administrar archivos NFS" #: booleans.py:217 msgid "Allow confined virtual guests to interact with rawip sockets" -msgstr "" +msgstr "Permite a los invitados virtuales confinados interactuar con sockets rawip" #: booleans.py:218 msgid "Allow confined virtual guests to manage cifs files" @@ -3447,7 +3449,7 @@ msgstr "Permite a los usuario xguest configurar el Network Manager y conectar #: booleans.py:232 msgid "Allow xguest to exec content" -msgstr "" +msgstr "Permite a xguest ejecutar contenido" #: booleans.py:233 msgid "Allow xguest users to mount removable media" diff --git a/policycoreutils/po/ja.po b/policycoreutils/po/ja.po index 72ae12d..649d288 100644 --- a/policycoreutils/po/ja.po +++ b/policycoreutils/po/ja.po @@ -9,14 +9,14 @@ # , 2012. # Noriko Mizumoto , 2006, 2008, 2009. # Takuro Nagamoto , 2006. -# Tomoyuki KATO , 2012. +# Tomoyuki KATO , 2012-2013. msgid "" msgstr "" "Project-Id-Version: Policycoreutils\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2013-01-04 12:01-0500\n" -"PO-Revision-Date: 2013-01-04 17:02+0000\n" -"Last-Translator: dwalsh \n" +"PO-Revision-Date: 2013-02-14 03:32+0000\n" +"Last-Translator: Tomoyuki KATO \n" "Language-Team: Japanese \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" @@ -292,7 +292,7 @@ msgstr "MLS/MCS 範囲" #: ../semanage/seobject.py:672 msgid "Service" -msgstr "" +msgstr "サービス" #: ../semanage/seobject.py:698 ../semanage/seobject.py:729 #: ../semanage/seobject.py:796 ../semanage/seobject.py:853 @@ -429,7 +429,7 @@ msgstr "タイプが必要です" #: ../semanage/seobject.py:1814 #, python-format msgid "Type %s is invalid, must be a port type" -msgstr "" +msgstr "形式 %s が無効です、ポート形式である必要があります" #: ../semanage/seobject.py:1000 ../semanage/seobject.py:1062 #: ../semanage/seobject.py:1117 ../semanage/seobject.py:1123 
@@ -551,12 +551,12 @@ msgstr "不明又は欠如したプロトコル" #: ../semanage/seobject.py:1256 msgid "SELinux node type is required" -msgstr "" +msgstr "SELinux ノード形式が必要です" #: ../semanage/seobject.py:1259 ../semanage/seobject.py:1327 #, python-format msgid "Type %s is invalid, must be a node type" -msgstr "" +msgstr "形式 %s が無効です、ノード形式である必要があります" #: ../semanage/seobject.py:1263 ../semanage/seobject.py:1331 #: ../semanage/seobject.py:1367 ../semanage/seobject.py:1465 @@ -790,7 +790,7 @@ msgstr "ファイル仕様 %s は、等価規則 '%s %s' と競合します; 代 #: ../semanage/seobject.py:1755 #, python-format msgid "Type %s is invalid, must be a file or device type" -msgstr "" +msgstr "形式 %s が無効です、ファイルまたはデバイス形式である必要があります" #: ../semanage/seobject.py:1763 ../semanage/seobject.py:1768 #: ../semanage/seobject.py:1824 ../semanage/seobject.py:1906 @@ -2178,11 +2178,11 @@ msgstr "生成された SELinux の man ページの格納先となるパス" #: ../sepolicy/sepolicy.py:207 msgid "name of the OS for man pages" -msgstr "" +msgstr "マニュアルページ向け OS 名称" #: ../sepolicy/sepolicy.py:209 msgid "Generate HTML man pages structure for selected SELinux man page" -msgstr "" +msgstr "選択された SELinux マニュアルページ向けの HTML マニュアルページの構成を生成する" #: ../sepolicy/sepolicy.py:213 msgid "All domains" @@ -2230,7 +2230,7 @@ msgstr "SELinux に問い合わせて boolean の詳細を表示する" #: ../sepolicy/sepolicy.py:280 msgid "get all booleans descriptions" -msgstr "" +msgstr "すべてのブーリアンの説明を取得する" #: ../sepolicy/sepolicy.py:282 msgid "boolean to get description" @@ -2252,11 +2252,11 @@ msgstr "ターゲットプロセスドメイン" #: ../sepolicy/sepolicy.py:327 msgid "Command required for this type of policy" -msgstr "" +msgstr "この種類のポリシーに対して要求されるコマンド" #: ../sepolicy/sepolicy.py:347 msgid "List SELinux Policy interfaces" -msgstr "" +msgstr "SELinux ポリシー・インターフェースの一覧表示" #: ../sepolicy/sepolicy.py:362 msgid "Generate SELinux Policy module template" 
@@ -2294,7 +2294,7 @@ msgstr "制限を課す実行ファイル" #: ../sepolicy/sepolicy.py:414 ../sepolicy/sepolicy.py:417 #, python-format msgid "Generate Policy for %s" -msgstr "" +msgstr "%s 向けのポリシーの生成" #: ../sepolicy/sepolicy.py:422 msgid "commands" @@ -2306,12 +2306,12 @@ msgstr "" #: ../sepolicy/sepolicy/__init__.py:48 msgid "No SELinux Policy installed" -msgstr "" +msgstr "インストールされている SELinux ポリシーがありません" #: ../sepolicy/sepolicy/__init__.py:54 #, python-format msgid "Failed to read %s policy file" -msgstr "" +msgstr "%s ポリシーファイルの読み込みに失敗しました" #: ../sepolicy/sepolicy/__init__.py:127 msgid "unknown" @@ -2335,15 +2335,15 @@ msgstr "" #: ../sepolicy/sepolicy/generate.py:180 msgid "Desktop Login User Role" -msgstr "" +msgstr "デスクトップログインユーザーロール" #: ../sepolicy/sepolicy/generate.py:181 msgid "Administrator Login User Role" -msgstr "" +msgstr "管理者のログインユーザーロール" #: ../sepolicy/sepolicy/generate.py:182 msgid "Confined Root Administrator Role" -msgstr "" +msgstr "制限された root 管理者ロール" #: ../sepolicy/sepolicy/generate.py:187 msgid "Valid Types:\n" @@ -2356,7 +2356,7 @@ msgstr "ポートは数字、又は 1 から %d までの数字の範囲でな #: ../sepolicy/sepolicy/generate.py:231 msgid "You must enter a valid policy type" -msgstr "" +msgstr "有効なポリシー種別を入力する必要があります" #: ../sepolicy/sepolicy/generate.py:234 #, python-format @@ -2460,11 +2460,11 @@ msgstr "ユーザーが RADIUS サーバーを使用してログインするこ #: booleans.py:8 msgid "Allow users to login using a yubikey server" -msgstr "" +msgstr "ユーザーが yubikey サーバーを使用してログインすることを許可する" #: booleans.py:9 msgid "Allow awstats to purge Apache logs" -msgstr "" +msgstr "awstats が Apache のログを消去することを許可する" #: booleans.py:10 msgid "" @@ -2532,11 +2532,11 @@ msgstr "すべてのデーモンが端末を読み書きすることを許可し #: booleans.py:25 msgid "Allow dan to manage user files" -msgstr "" +msgstr "dan がユーザーファイルを管理することを許可する" #: booleans.py:26 msgid "Allow dan to read user files" -msgstr "" +msgstr "dan がユーザーファイルを読み取ることを許可する" #: booleans.py:27 msgid "Allow dbadm to manage files in users home directories" 
@@ -2603,7 +2603,7 @@ msgstr "隔離ドメインによる ssh の実行を許可します。" #: booleans.py:42 msgid "Allow all domains to execute in fips_mode" -msgstr "" +msgstr "すべてのドメインが fips_mode で実行することを許可する" #: booleans.py:43 msgid "Allow ftp to read and write files in the user home directories" @@ -2872,7 +2872,7 @@ msgstr "あらゆるポートへの接続および予約されていないポー #: booleans.py:103 msgid "Allow confined applications to run with kerberos." -msgstr "" +msgstr "制限されたアプリケーションが Kerberos とともに動作することを許可する" #: booleans.py:104 msgid "Allow syslogd daemon to send mail" @@ -2880,11 +2880,11 @@ msgstr "syslogd デーモンがメールを送信することを許可します #: booleans.py:105 msgid "Allow syslogd the ability to read/write terminals" -msgstr "" +msgstr "syslogd が端末を読み書きすることを許可する" #: booleans.py:106 msgid "Allow logging in and using the system from /dev/console." -msgstr "" +msgstr "/dev/console からログインしてシステムを使用することを許可する" #: booleans.py:107 msgid "" @@ -2947,7 +2947,7 @@ msgstr "" #: booleans.py:120 msgid "Allow system to run with NIS" -msgstr "" +msgstr "システムが NIS を使用することを許可する" #: booleans.py:121 msgid "Allow confined applications to use nscd shared memory." @@ -3361,7 +3361,7 @@ msgstr "" #: booleans.py:211 msgid "Allow varnishd to connect to all ports, not just HTTP." -msgstr "" +msgstr "varnishd が HTTP 以外のすべてのポートに接続することを許可する" #: booleans.py:212 msgid "Ignore vbetool mmap_zero errors." 
@@ -3370,20 +3370,20 @@ msgstr "vbetool mmap_zero エラーを無視します。" #: booleans.py:213 msgid "" "Allow confined virtual guests to use serial/parallel communication ports" -msgstr "" +msgstr "制限された仮想マシンがシリアル/パラレル通信ポートを使用することを許可する" #: booleans.py:214 msgid "" "Allow confined virtual guests to use executable memory and executable stack" -msgstr "" +msgstr "制限された仮想マシンが実行可能なメモリおよび実行可能なスタックを使用することを許可する" #: booleans.py:215 msgid "Allow confined virtual guests to read fuse files" -msgstr "" +msgstr "制限された仮想マシンが FUSE ファイルを読み込むことを許可する" #: booleans.py:216 msgid "Allow confined virtual guests to manage nfs files" -msgstr "" +msgstr "制限された仮想マシンが NFS ファイルを管理することを許可する" #: booleans.py:217 msgid "Allow confined virtual guests to interact with rawip sockets" @@ -3391,15 +3391,15 @@ msgstr "" #: booleans.py:218 msgid "Allow confined virtual guests to manage cifs files" -msgstr "" +msgstr "制限された仮想マシンが CIFS ファイルを管理することを許可する" #: booleans.py:219 msgid "Allow confined virtual guests to interact with the sanlock" -msgstr "" +msgstr "制限された仮想マシンが sanlock と通信することを許可する" #: booleans.py:220 msgid "Allow confined virtual guests to manage device configuration, (pci)" -msgstr "" +msgstr "制限された仮想マシンがデバイス設定 (pci) を管理することを許可する" #: booleans.py:221 msgid "Allow confined virtual guests to use usb devices" @@ -3438,11 +3438,11 @@ msgstr "Xen が NFS ファイルを管理することを許可する" msgid "" "Allow xend to run blktapctrl/tapdisk. Not required if using dedicated " "logical volumes for disk images." -msgstr "" +msgstr "xend が blktapctrl/tapdisk を実行することを許可する。ディスクイメージ用の専用論理ボリュームを使用していなければ、必要ありません。" #: booleans.py:230 msgid "Allow xend to run qemu-dm. Not required if using paravirt and no vfb." -msgstr "" +msgstr "xend が qemu-dm を実行することを許可する。準仮想化を使用していて、vfb がなければ、必要ありません。" #: booleans.py:231 msgid "" 
@@ -3455,11 +3455,11 @@ msgstr "" #: booleans.py:233 msgid "Allow xguest users to mount removable media" -msgstr "" +msgstr "xguest ユーザーがリムーバブルメディアをマウントすることを許可する" #: booleans.py:234 msgid "Allow xguest to use blue tooth devices" -msgstr "" +msgstr "xguest が Bluetooth デバイスを使用することを許可する" #: booleans.py:235 msgid "Allows clients to write to the X server shared memory segments." diff --git a/policycoreutils/restorecond/Makefile b/policycoreutils/restorecond/Makefile index 3074542..3b704d8 100644 --- a/policycoreutils/restorecond/Makefile +++ b/policycoreutils/restorecond/Makefile @@ -5,6 +5,7 @@ LIBDIR ?= $(PREFIX)/lib MANDIR = $(PREFIX)/share/man AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services +SYSTEMDDIR ?= $(DESTDIR)/usr/lib/systemd autostart_DATA = sealertauto.desktop INITDIR = $(DESTDIR)/etc/rc.d/init.d @@ -39,7 +40,8 @@ install: all install -m 644 restorecond.desktop $(AUTOSTARTDIR)/restorecond.desktop -mkdir -p $(DBUSSERVICEDIR) install -m 600 org.selinux.Restorecond.service $(DBUSSERVICEDIR)/org.selinux.Restorecond.service - + -mkdir -p $(SYSTEMDDIR)/system + install -m 644 restorecond.service $(SYSTEMDDIR)/system/ relabel: install /sbin/restorecon $(SBINDIR)/restorecond diff --git a/policycoreutils/restorecond/restorecond.service b/policycoreutils/restorecond/restorecond.service new file mode 100644 index 0000000..11f4ffd --- /dev/null +++ b/policycoreutils/restorecond/restorecond.service @@ -0,0 +1,12 @@ +[Unit] +Description=Restorecon maintaining path file context +After=syslog.target +ConditionPathExists=/etc/selinux/restorecond.conf + +[Service] +Type=oneshot +ExecStart=/usr/sbin/restorecond +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/policycoreutils/restorecond/user.c b/policycoreutils/restorecond/user.c index 00a646f..2c28676 100644 --- a/policycoreutils/restorecond/user.c +++ b/policycoreutils/restorecond/user.c 
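Review bot: `Type=oneshot` with `RemainAfterExit=yes` tells systemd that `/usr/sbin/restorecond` runs to completion, so the unit is marked active as soon as the ExecStart process exits and whatever keeps running afterwards is not tracked as the service's main process. If restorecond daemonizes, `Type=forking` (with a `PIDFile=` if it writes one) would let `systemctl stop` and `status` follow the actual daemon, and if it can stay in the foreground `Type=simple` is the better fit; a one-line comment in the unit stating which process model restorecond uses would make the choice deliberate. `After=syslog.target` is a legacy target on systemd hosts and can be dropped.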
@@ -54,6 +54,7 @@ static const char *PATH="/org/selinux/Restorecond"; static const char *INTERFACE="org.selinux.RestorecondIface"; static const char *RULE="type='signal',interface='org.selinux.RestorecondIface'"; +static int local_lock_fd = -1; static DBusHandlerResult signal_filter (DBusConnection *connection __attribute__ ((__unused__)), DBusMessage *message, void *user_data) @@ -201,17 +202,18 @@ static int local_server() { perror("asprintf"); return -1; } - int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR); + local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR); if (debug_mode) g_warning ("Lock file: %s", ptr); free(ptr); - if (fd < 0) { + if (local_lock_fd < 0) { if (debug_mode) perror("open"); return -1; } - if (flock(fd, LOCK_EX | LOCK_NB) < 0) { + if (flock(local_lock_fd, LOCK_EX | LOCK_NB) < 0) { + close(local_lock_fd); if (debug_mode) perror("flock"); return -1; @@ -226,6 +228,12 @@ static int local_server() { return 0; } +static void end_local_server(void) { + if (local_lock_fd >= 0) + close(local_lock_fd); + local_lock_fd = -1; +} + int server(int master_fd, const char *watch_file) { GMainLoop *loop; @@ -253,6 +261,7 @@ int server(int master_fd, const char *watch_file) { g_main_loop_run (loop); end: + end_local_server(); g_main_loop_unref (loop); return 0; } diff --git a/policycoreutils/run_init/run_init.pamd b/policycoreutils/run_init/run_init.pamd index d1b435c..1c323d2 100644 --- a/policycoreutils/run_init/run_init.pamd +++ b/policycoreutils/run_init/run_init.pamd @@ -1,4 +1,6 @@ #%PAM-1.0 +# Uncomment the next line if you do not want to enter your passwd everytime +#auth sufficient pam_rootok.so auth include system-auth account include system-auth password include system-auth diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox index b629006..6631c2d 100644 --- a/policycoreutils/sandbox/sandbox +++ b/policycoreutils/sandbox/sandbox 
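Review bot: In the `@@ -201,17 +202,18 @@` hunk the flock failure path now calls `close(local_lock_fd)` but leaves `local_lock_fd` holding the closed descriptor number, so `end_local_server()` (added in the `@@ -226,6 +228,12 @@` hunk and called from `server()` at `end:`) closes that number a second time if server() reaches `end:` after the failure, as the label suggests; if the number has been reused by then, an unrelated descriptor (for example the D-Bus connection's) is closed instead. Reset the sentinel in the failure path: `close(local_lock_fd); local_lock_fd = -1;`. A comment on the `static int local_lock_fd = -1;` declaration saying the lock file stays open for the lifetime of the server and is released only by end_local_server() would explain why it became a file-scope variable. local_server()'s body continues outside the hunk.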
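Review bot: The new comment in `run_init.pamd` describes the commented-out line only as saving a password prompt; it should state what it actually changes, since `pam_rootok.so` as a `sufficient` auth module lets any uid-0 caller pass authentication with no check at all. Suggested wording: `# Uncomment the next line to let root run run_init without a password (pam_rootok.so skips authentication for uid 0)`. "everytime" is also two words.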
@@ -243,7 +243,7 @@ class Sandbox: copyfile(f, "/tmp", self.__tmpdir) copyfile(f, "/var/tmp", self.__tmpdir) - def __setup_sandboxrc(self, wm = "/usr/bin/matchbox-window-manager -use_titlebar no"): + def __setup_sandboxrc(self, wm = "/usr/bin/openbox"): execfile =self.__homedir + "/.sandboxrc" fd = open(execfile, "w+") if self.__options.session: @@ -333,7 +333,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile parser.add_option("-W", "--windowmanager", dest="wm", type="string", - default="/usr/bin/matchbox-window-manager -use_titlebar no", + default="/usr/bin/openbox", help=_("alternate window manager")) parser.add_option("-l", "--level", dest="level", diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8 index 521afcd..ef90ce6 100644 --- a/policycoreutils/sandbox/sandbox.8 +++ b/policycoreutils/sandbox/sandbox.8 @@ -59,7 +59,7 @@ sandbox_net_t - All network ports .TP \fB\-T\ tmpdir -Use alternate tempory directory to mount on /tmp. Defaults to tmpfs. Requires -X or -M. +Use alternate temporary directory to mount on /tmp. Defaults to tmpfs. Requires -X or -M. .TP \fB\-S Run a full desktop session, Requires level, and home and tmpdir. 
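Review bot: The openbox path now appears verbatim in two places, the `__setup_sandboxrc` keyword default and the `-W` option default in the second hunk, and this commit had to touch both to replace matchbox, which is exactly how the two drift apart. A module-level `DEFAULT_WM = "/usr/bin/openbox"` used as `wm = DEFAULT_WM` and `default=DEFAULT_WM` keeps them in sync. The option-parsing code in the second hunk belongs to a function whose start lies outside the hunk.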
@@ -70,14 +70,14 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz \fB\-W windowmanager\fR Select alternative window manager to run within .B sandbox -X. -Default to /usr/bin/matchbox-window-manager. +Default to /usr/bin/openbox. .TP \fB\-X\fR Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t .TP \fB\-d\fR -Set the DPI value for the sanbox X Server. Defaults to the current X Sever DPI. +Set the DPI value for the sandbox X Server. Defaults to the current X Sever DPI. .TP \fB\-c\fR Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. diff --git a/policycoreutils/sandbox/sandboxX.sh b/policycoreutils/sandbox/sandboxX.sh index 23de6f6..171bb05 100644 --- a/policycoreutils/sandbox/sandboxX.sh +++ b/policycoreutils/sandbox/sandboxX.sh @@ -6,6 +6,20 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8 [ -z $2 ] && export DPI="96" || export DPI="$2" trap "exit 0" HUP +mkdir -p ~/.config/openbox +cat > ~/.config/openbox/rc.xml << EOF + + + + no + all + yes + + + +EOF + (/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do export DISPLAY=:$D cat > ~/seremote << __EOF diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c index dbd5977..b3f1275 100644 --- a/policycoreutils/sandbox/seunshare.c +++ b/policycoreutils/sandbox/seunshare.c 
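Review bot: `cat > ~/.config/openbox/rc.xml` overwrites an existing file unconditionally, and the rc.xml body itself is not legible on this page (its XML tags were stripped in rendering), so only the file handling can be reviewed here. If `$HOME` at this point is always the throwaway sandbox home (the Python side in this commit writes `.sandboxrc` into its own `__homedir`), a comment saying so justifies the unconditional write; if the user's real home can be reached here, guard it with `[ -e ~/.config/openbox/rc.xml ] ||` before the heredoc. The heredoc delimiter is unquoted, so any `$` inside the XML would be expanded by the shell; `<< 'EOF'` is the safer form for literal configuration.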
@@ -617,8 +617,8 @@ static int cleanup_tmpdir(const char *tmpdir, const char *src, free(cmdbuf); cmdbuf = NULL; /* remove runtime temporary directory */ - if ((uid_t)setfsuid(0) != pwd->pw_uid) { - fprintf(stderr, _("Unable to switch to root to clear tmp dir\n")); + if ((uid_t)setfsuid(0) != 0) { + /* setfsuid does not return errror, but this check makes code checkers happy */ rc++; } @@ -961,6 +961,7 @@ int main(int argc, char **argv) { char *display = NULL; char *LANG = NULL; int rc = -1; + char *resolved_path = NULL; if (unshare(CLONE_NEWNS) < 0) { perror(_("Failed to unshare")); @@ -977,8 +978,10 @@ int main(int argc, char **argv) { /* assume fsuid==ruid after this point */ if ((uid_t)setfsuid(uid) != 0) goto childerr; + resolved_path = realpath(pwd->pw_dir,NULL); + if (! resolved_path) goto childerr; /* mount homedir and tmpdir, in this order */ - if (homedir_s && seunshare_mount(homedir_s, pwd->pw_dir, + if (homedir_s && seunshare_mount(homedir_s, resolved_path, &st_homedir) != 0) goto childerr; if (tmpdir_s && seunshare_mount(tmpdir_r, "/tmp", &st_tmpdir_r) != 0) goto childerr; @@ -1033,6 +1036,7 @@ int main(int argc, char **argv) { execv(argv[optind], argv + optind); fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno)); childerr: + free(resolved_path); free(display); free(LANG); exit(-1); diff --git a/policycoreutils/scripts/Makefile b/policycoreutils/scripts/Makefile index 201a988..f5d6e9d 100644 --- a/policycoreutils/scripts/Makefile +++ b/policycoreutils/scripts/Makefile 
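Review bot: `setfsuid(0)` returns the previous fsuid, not the new one, so `(uid_t)setfsuid(0) != 0` reports what the fsuid was before the call and says nothing about whether the switch to 0 took effect; the check the comment promises needs the documented second call, `setfsuid(0); if ((uid_t)setfsuid(0) != 0) { rc++; }`. The comment also misspells "error" as "errror". The removed branch printed a diagnostic and the new one is silent, so keeping `fprintf(stderr, _("Unable to switch to root to clear tmp dir\n"));` inside the branch preserves a trace when the cleanup runs with the wrong fsuid. cleanup_tmpdir() starts outside the hunk.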
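Review bot: In the `@@ -977,8 +978,10 @@` hunk `if (! resolved_path) goto childerr;` exits without saying why, while the neighbouring failures (`Failed to unshare`, `Failed to execute command`) all print a message; `if (!resolved_path) { perror(_("realpath")); goto childerr; }` keeps the diagnostics consistent. The placement of `realpath()` after `setfsuid(uid)` looks deliberate, so that the home directory path is resolved with the user's permissions rather than root's, and deserves a comment such as `/* NOTE: resolved with fsuid==uid on purpose; confirm seunshare_mount() checks the resolved path, not pw_dir */`. main() continues outside the hunk.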
@@ -9,23 +9,12 @@ LOCALEDIR ?= $(PREFIX)/share/locale .PHONY: all genhomedircon all: fixfiles genhomedircon chcat -genhomedircon: - @echo "#!/bin/sh" > genhomedircon - @echo >> genhomedircon - @if [ -z "${SEMODULE_PATH}" ]; then \ - echo "${USRSBINDIR}/semodule -Bn" >> genhomedircon; \ - else \ - echo "${SEMODULE_PATH}/semodule -Bn" >> genhomedircon; \ - fi - install: all -mkdir -p $(BINDIR) install -m 755 chcat $(BINDIR) install -m 755 fixfiles $(SBINDIR) - install -m 755 genhomedircon $(USRSBINDIR) -mkdir -p $(MANDIR)/man8 install -m 644 fixfiles.8 $(MANDIR)/man8/ - install -m 644 genhomedircon.8 $(MANDIR)/man8/ install -m 644 chcat.8 $(MANDIR)/man8/ clean: diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles index 6901e4d..5acb111 100755 --- a/policycoreutils/scripts/fixfiles +++ b/policycoreutils/scripts/fixfiles @@ -3,7 +3,7 @@ # # Script to restore labels on a SELinux box # -# Copyright (C) 2004-2011 Red Hat, Inc. +# Copyright (C) 2004-2013 Red Hat, Inc. # Authors: Dan Walsh # # This program is free software; you can redistribute it and/or modify @@ -26,11 +26,11 @@ # number if the current is less than 2.6.30 and 0 if they are the same. # function useseclabel { - VER=`uname -r` - SUP=2.6.30 - expr '(' "$VER" : '\([^.]*\)' ')' '-' '(' "$SUP" : '\([^.]*\)' ')' '|' \ - '(' "$VER.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0" : '[^.]*[.]\([^.]*\)' ')' '|' \ - '(' "$VER.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' + VER=`uname -r` + SUP=2.6.30 + expr '(' "$VER" : '\([^.]*\)' ')' '-' '(' "$SUP" : '\([^.]*\)' ')' '|' \ + '(' "$VER.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0" : '[^.]*[.]\([^.]*\)' ')' '|' \ + '(' "$VER.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' } # 
@@ -65,7 +65,7 @@ done } # -# Get the default label returned from the kernel for a file with a lable the +# Get the default label returned from the kernel for a file with a lable the # kernel does not understand # get_undefined_type() { @@ -78,25 +78,25 @@ get_undefined_type() { # get_unlabeled_type() { SELINUXMNT=`grep selinuxfs /proc/self/mountinfo | head -1 | awk '{ print $5 }'` - cat $SELINUXMNT/initial_contexts/file | secon -t + cat $SELINUXMNT/initial_contexts/file | secon -t } exclude_dirs_from_relabelling() { exclude_from_relabelling= if [ -e /etc/selinux/fixfiles_exclude_dirs ] then - while read i - do - # skip blank line and comment - # skip not absolute path - # skip not directory - [ -z "${i}" ] && continue - [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue - [[ ! "${i}" =~ ^/.* ]] && continue - [[ ! -d "${i}" ]] && continue - exclude_from_relabelling="$exclude_from_relabelling -e $i" - logit "skipping the directory $i from relabelling" - done < /etc/selinux/fixfiles_exclude_dirs + while read i + do + # skip blank line and comment + # skip not absolute path + # skip not directory + [ -z "${i}" ] && continue + [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue + [[ ! "${i}" =~ ^/.* ]] && continue + [[ ! -d "${i}" ]] && continue + exclude_from_relabelling="$exclude_from_relabelling -e $i" + logit "skipping the directory $i from relabelling" + done < /etc/selinux/fixfiles_exclude_dirs fi echo "$exclude_from_relabelling" } @@ -104,7 +104,7 @@ exclude_dirs_from_relabelling() { exclude_dirs() { exclude= for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do - [ -e $i ] && exclude="$exclude -e $i"; + [ -e $i ] && exclude="$exclude -e $i"; done exclude="$exclude `exclude_dirs_from_relabelling`" echo "$exclude" 
@@ -133,7 +133,7 @@ FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO" SELINUXTYPE="targeted" if [ -e /etc/selinux/config ]; then . /etc/selinux/config - FC=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts + FC=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts else FC=/etc/security/selinux/file_contexts fi @@ -158,7 +158,7 @@ newer() { } # -# Compare PREVious File Context to currently installed File Context and +# Compare PREVious File Context to currently installed File Context and # run restorecon on all files affected by the differences. # diff_filecontext() { @@ -172,30 +172,31 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then grep '^[<>]'|cut -c3-| grep ^/ | \ egrep -v '(^/home|^/root|^/tmp|^/dev)' |\ sed -r -e 's,[[:blank:]].*,,g' \ - -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \ + -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \ -e 's|([/[:alnum:]])\?|{\1,}|g' \ - -e 's|\?.*|*|g' \ + -e 's|\?.*|*|g' \ + -e 's|\{.*|*|g' \ -e 's|\(.*|*|g' \ -e 's|\[.*|*|g' \ - -e 's|\.\*.*|*|g' \ - -e 's|\.\+.*|*|g' | \ + -e 's|\.\*.*|*|g' \ + -e 's|\.\+.*|*|g' | \ # These two sorts need to be separate commands \ sort -u | \ sort -d | \ - while read pattern ; \ + while read pattern ; \ do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null; then \ - echo "$pattern"; \ - case "$pattern" in *"*") \ - echo "$pattern" | sed -e 's,^,^,' -e 's,\*$,,g' >> ${TEMPFILE};; - esac; \ - fi; \ - done | \ + echo "$pattern"; \ + case "$pattern" in *"*") \ + echo "$pattern" | sed -e 's,^,^,' -e 's,\*$,,g' >> ${TEMPFILE};; + esac; \ + fi; \ + done | \ ${RESTORECON} ${VERBOSE} -i -f - -R `exclude_dirs`; \ rm -f ${TEMPFILE} ${PREFCTEMPFILE} fi } # -# Log all Read Only file systems +# Log all Read Only file systems # LogReadOnly() { if [ ! -z "$FILESYSTEMSRO" ]; then @@ -209,7 +210,7 @@ rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' ' [ ${PIPESTATUS[0]} != 0 ] && echo "$1 not found" >/dev/stderr } -# +# # restore # if called with -n will only check file context # 
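Review bot: The new `-e 's|\{.*|*|g'` expression runs after the two substitutions above it that rewrite `(foo)?` and `x?` into `{foo,}` / `{x,}` brace alternatives, so every pattern those two expressions produce is now cut back to `*` at the brace; either the brace rewriting is dead after this change, or the new expression was meant only for braces already present in the file_contexts regex (repetition counts such as `a{2}`), in which case it has to come before those two lines. A one-line comment stating which is intended, e.g. `# truncate at the first brace: the patterns fed to restorecon are prefix globs, not regexes`, would make the ordering deliberate. diff_filecontext() begins and ends outside this hunk.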
@@ -241,8 +242,8 @@ then TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX` test -z "$TEMPFCFILE" && exit /bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit - exclude_dirs=${exclude_dirs//-e/} - for p in ${exclude_dirs} + tmpdirs=${tempdirs//-e/} + for p in ${tmpdirs} do p="${p%/}" p1="${p}(/.*)? -- <>" @@ -253,7 +254,7 @@ FC=$TEMPFCFILE fi if [ -n "${FILESYSTEMSRW}" ]; then echo "Relabeling `echo ${FILESYSTEMSRW}`" - ${SETFILES} ${VERBOSE} -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE + ${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE else echo >&2 "fixfiles: No suitable file systems found" fi @@ -278,7 +279,7 @@ fullrelabel() { relabel() { if [ ! -z "$RPMFILES" ]; then - restore + restore fi if [ $fullFlag == 1 ]; then @@ -286,13 +287,13 @@ relabel() { fi echo -n " - Files in the /tmp directory may be labeled incorrectly, this command - can remove all files in /tmp. If you choose to remove files from /tmp, + Files in the /tmp directory may be labeled incorrectly, this command + can remove all files in /tmp. If you choose to remove files from /tmp, a reboot will be required after completion. - + Do you wish to clean out the /tmp directory [N]? " read answer - if [ "$answer" = y -o "$answer" = Y ]; then + if [ "$answer" = y -o "$answer" = Y ]; then fullrelabel else restore @@ -322,8 +323,8 @@ case "$1" in esac } usage() { - echo $""" -Usage: $0 [-F] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ] + echo $""" +Usage: $0 [-F] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ] or Usage: $0 [-F] -R rpmpackage[,rpmpackage...] [-l logfile ] { check | restore | verify } or @@ -351,13 +352,13 @@ while getopts "N:BC:FfR:l:v" i; do v) VERBOSE="-v" ;; - R) + R) RPMFILES=$OPTARG ;; - l) + l) LOGFILE=$OPTARG ;; - C) + C) PREFC=$OPTARG ;; F) 
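Review bot: `tmpdirs=${tempdirs//-e/}` reads a variable named `tempdirs` that is not assigned anywhere in this hunk; the line it replaces consumed `exclude_dirs`, which the second hunk now hands to setfiles unchanged (`$exclude_dirs` still carries its `-e` flags). If `tempdirs` is not set earlier in restore(), the `for p in ${tmpdirs}` loop is empty and the exclusions are no longer written into the temporary file-context copy, silently changing which paths get relabelled. Confirm the assignment against the start of restore(), which is outside the hunk, and add `# tempdirs: the excluded paths, as produced with -e flags by exclude_dirs` next to the assignment so the two variables are not confused again.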
@@ -397,11 +398,11 @@ else if [ -z "$1" ]; then process $command else - while [ -n "$1" ]; do + while [ -n "$1" ]; do FILEPATH=$1 - process $command + process $command shift - done + done fi fi exit $? diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8 index 9ab7334..f263805 100644 --- a/policycoreutils/scripts/fixfiles.8 +++ b/policycoreutils/scripts/fixfiles.8 @@ -30,7 +30,7 @@ as you expect. By default it will relabel all mounted ext2, ext3, xfs and jfs file systems as long as they do not have a security context mount option. You can use the -R flag to use rpmpackages as an alternative. The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories -excluded from relabelling. +excluded from relabeling. .P .B fixfiles onboot will setup the machine to relabel on the next reboot. @@ -56,7 +56,7 @@ Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and .TP .B -v -Modify verbosity from progess to verbose. (Run restorecon with -v instead of -p) +Modify verbosity from progress to verbose. (Run restorecon with -v instead of -p) .SH "ARGUMENTS" One of: diff --git a/policycoreutils/scripts/genhomedircon.8 b/policycoreutils/scripts/genhomedircon.8 deleted file mode 100644 index 8ec509c..0000000 --- a/policycoreutils/scripts/genhomedircon.8 +++ /dev/null 
@@ -1,24 +0,0 @@ -.TH GENHOMEDIRCON "12" "Sep 2011" "Security Enhanced Linux" "SELinux" -.SH NAME -genhomedircon \- generate SELinux file context configuration entries for user home directories -.SH SYNOPSIS -.B genhomedircon -is a script that executes -.B semodule -to rebuild the currently active SELinux policy (without reloading it) and to create the -labels for each user home directory based on directory paths returned by calls to getpwent(). - -The latter functionality depends on the "usepasswd" parameter being set to "true" (default) -in /etc/selinux/semanage.conf. - -This script is usually executed by -.B semanage -although this default behavior can be optionally modified by setting to "true" the -"disable-genhomedircon" in /etc/selinux/semanage.conf. - -.SH AUTHOR -This manual page was written by -.I Dan Walsh - -.SH "SEE ALSO" -semanage.conf(5), semodule(8), semanage(8), getpwent(3), getpwent_r(3) diff --git a/policycoreutils/secon/secon.1 b/policycoreutils/secon/secon.1 index 6c30734..5e7f885 100644 --- a/policycoreutils/secon/secon.1 +++ b/policycoreutils/secon/secon.1 @@ -96,7 +96,7 @@ If that argument is .I - then the context will be read from stdin. .br -If there is no arugment, +If there is no argument, .B secon will try reading a context from stdin, if that is not a tty, otherwise .B secon diff --git a/policycoreutils/semanage/Makefile b/policycoreutils/semanage/Makefile index 24d6a21..b797d83 100644 --- a/policycoreutils/semanage/Makefile +++ b/policycoreutils/semanage/Makefile @@ -5,7 +5,7 @@ SBINDIR ?= $(PREFIX)/sbin MANDIR = $(PREFIX)/share/man PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % sys.version_info[0:2]') PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER) -BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/ +BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions TARGETS=semanage 
@@ -21,7 +21,7 @@ install: all test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages -mkdir -p $(BASHCOMPLETIONDIR) - install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR) + install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/semanage clean: diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile new file mode 100644 index 0000000..e15a877 --- /dev/null +++ b/policycoreutils/semanage/default_encoding/Makefile @@ -0,0 +1,8 @@ +all: + LDFLAGS="" python setup.py build + +install: all + LDFLAGS="" python setup.py install --root=$(DESTDIR)/ + +clean: + rm -rf build *~ diff --git a/policycoreutils/semanage/default_encoding/default_encoding.c b/policycoreutils/semanage/default_encoding/default_encoding.c new file mode 100644 index 0000000..023b8f4 --- /dev/null +++ b/policycoreutils/semanage/default_encoding/default_encoding.c 
@@ -0,0 +1,57 @@ +/* + * Authors: + * John Dennis + * + * Copyright (C) 2009 Red Hat + * see file 'COPYING' for use and warranty information + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#include + +PyDoc_STRVAR(setdefaultencoding_doc, +"setdefaultencoding(encoding='utf-8')\n\ +\n\ +Set the current default string encoding used by the Unicode implementation.\n\ +Defaults to utf-8." +); + +static PyObject * +setdefaultencoding(PyObject *self, PyObject *args, PyObject *kwds) +{ + static char *kwlist[] = {"utf-8", NULL}; + char *encoding; + + if (!PyArg_ParseTupleAndKeywords(args, kwds, "s:setdefaultencoding", kwlist, &encoding)) + return NULL; + + if (PyUnicode_SetDefaultEncoding(encoding)) + return NULL; + + Py_RETURN_NONE; +} + +static PyMethodDef methods[] = { + {"setdefaultencoding", (PyCFunction)setdefaultencoding, METH_VARARGS|METH_KEYWORDS, setdefaultencoding_doc}, + {NULL, NULL} /* sentinel */ +}; + + +PyMODINIT_FUNC +initdefault_encoding_utf8(void) +{ + PyUnicode_SetDefaultEncoding("utf-8"); + Py_InitModule3("default_encoding_utf8", methods, "Forces the default encoding to utf-8"); +} diff --git a/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py b/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py new file mode 100644 index 0000000..ccb6b8b --- /dev/null 
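Review bot: `static char *kwlist[] = {"utf-8", NULL};` names the keyword argument `utf-8`, so the call advertised in the docstring, `setdefaultencoding(encoding='utf-8')`, fails with an unexpected-keyword error and only a positional string works; the docstring also promises a default of utf-8, but the `"s:setdefaultencoding"` format makes the argument mandatory. `static char *kwlist[] = {"encoding", NULL}; char *encoding = "utf-8";` together with the format `"|s:setdefaultencoding"` matches the documented interface. The `#include` line lost its header name in rendering and cannot be checked here. A comment on `initdefault_encoding_utf8` noting that merely importing the module changes the interpreter-wide default encoding would help readers of `semanage`, which imports it for exactly that effect.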
+++ b/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py @@ -0,0 +1,17 @@ +# +# Copyright (C) 2006,2007,2008, 2009 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# diff --git a/policycoreutils/semanage/default_encoding/setup.py b/policycoreutils/semanage/default_encoding/setup.py new file mode 100644 index 0000000..e2befdb --- /dev/null +++ b/policycoreutils/semanage/default_encoding/setup.py 
@@ -0,0 +1,38 @@ +# Authors: +# John Dennis +# +# Copyright (C) 2009 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +from distutils.core import setup, Extension + +default_encoding_utf8 = Extension('policycoreutils.default_encoding_utf8', ['default_encoding.c']) + +setup(name = 'policycoreutils-default-encoding', + version = '0.1', + description = 'Forces the default encoding in Python to be utf-8', + long_description = 'Forces the default encoding in Python to be utf-8', + author = 'John Dennis', + author_email = 'jdennis@redhat.com', + maintainer = 'John Dennis', + maintainer_email = 'jdennis@redhat.com', + license = 'GPLv3+', + platforms = 'posix', + url = '', + download_url = '', + ext_modules = [default_encoding_utf8], + packages=["policycoreutils"], +) diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage index 6e33c85..89b8b24 100644 --- a/policycoreutils/semanage/semanage +++ b/policycoreutils/semanage/semanage @@ -20,6 +20,7 @@ # 02111-1307 USA # # +import policycoreutils.default_encoding_utf8 import sys, getopt, re import seobject import selinux @@ -32,7 +33,7 @@ gettext.textdomain(PROGNAME) try: gettext.install(PROGNAME, localedir="/usr/share/locale", - unicode=False, + unicode=True, codeset = 'utf-8') except IOError: import __builtin__ 
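Review bot: `license = 'GPLv3+'` disagrees with the package's own `__init__.py` added in this commit, whose notice is GPL "version 2 of the License, or (at your option) any later version", and with this file's header, which names no version at all; pick one and make the metadata match the notices. `url = ''` and `download_url = ''` are empty strings rather than omitted keywords, which packaging tools record as a literal empty URL.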
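Review bot: `import policycoreutils.default_encoding_utf8` has a module-level side effect that nothing at the call site hints at: the extension's init function (`default_encoding.c` in this commit) calls `PyUnicode_SetDefaultEncoding("utf-8")` at import, changing the process-wide default encoding for everything loaded afterwards, which is presumably why it is placed before the other imports. A comment such as `# side effect: forces the interpreter default encoding to utf-8; keep as the first import` documents the ordering constraint so a later import sort does not break it.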
@@ -60,7 +61,7 @@ semanage interface -{a|d|m|l|D|E} [-Nntr] interface_spec semanage module -{a|d|m} [--enable|--disable] [-N] module semanage node -{a|d|m|l|D|E} [-Nntr] [ -p protocol ] [-M netmask] addr semanage fcontext -{a|d|m|l|D|E} [-Nefnrst] file_spec -semanage boolean -{d|m} [--on|--off|-1|-0] [-N] -F boolean | boolean_file +semanage boolean -{d|m} {--on|--off|-1|-0} [-N] -F boolean | boolean_file semanage permissive -{d|a|l} [-Nn] type semanage dontaudit [ on | off ] [-N] @@ -444,6 +445,8 @@ Object-specific Options (see above): if modify: if object == "boolean": + if not value: + raise ValueError(_("Value Required [ --on | --off ]")) OBJECT.modify(target, value, use_file) return diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py index 85bc37f..f703aed 100644 --- a/policycoreutils/semanage/seobject.py +++ b/policycoreutils/semanage/seobject.py @@ -32,11 +32,10 @@ from IPy import IP import gettext gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.textdomain(PROGNAME) -try: - gettext.install(PROGNAME, localedir = "/usr/share/locale", unicode = 1) -except IOError: - import __builtin__ - __builtin__.__dict__['_'] = unicode + +import gettext +translation=gettext.translation(PROGNAME, localedir = "/usr/share/locale", fallback=True) +_=translation.ugettext import syslog @@ -461,7 +460,9 @@ class loginRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if login mapping for %s is defined") % name) if exists: - raise ValueError(_("Login mapping for %s is already defined") % name) + semanage_seuser_key_free(k) + return self.__modify(name, sename, serange) + if name[0] == '%': try: grp.getgrnam(name[1:]) 
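Review bot: `import gettext` is added again in seobject.py three lines below the existing `import gettext` that appears as context at the top of this hunk; drop the duplicate. With `fallback=True` the IOError path the removed code handled cannot occur, so the simplification is sound, but `_` is now a module-local name rather than the builtin that the removed `gettext.install` call published, so any other module that relied on seobject installing `_` globally must now define its own (not verifiable from this hunk).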
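Review bot: In loginRecords.__add the `exists` branch now frees the key and returns `self.__modify(name, sename, serange)` instead of raising, so adding a login mapping that already exists silently rewrites it; a caller that used the former "already defined" error to detect a conflicting assignment of a Linux login to an SELinux user now overwrites that mapping without notice. Either document the add-or-update semantics in the method and in the semanage man page, or record the overwrite through syslog (imported as context just below this hunk) so the change is visible in the audit trail. The same pattern is applied to seluserRecords, nodeRecords, interfaceRecords and fcontextRecords in the following hunks and this comment applies to each of them. __add's body continues outside the hunk.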
@@ -731,7 +732,8 @@ class seluserRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if SELinux user %s is defined") % name) if exists: - raise ValueError(_("SELinux user %s is already defined") % name) + semanage_user_key_free(k) + return self.__modify(name, roles, selevel, serange, prefix) (rc, u) = semanage_user_create(self.sh) if rc < 0: @@ -1274,7 +1276,8 @@ class nodeRecords(semanageRecords): (rc, exists) = semanage_node_exists(self.sh, k) if exists: - raise ValueError(_("Addr %s already defined") % addr) + semanage_node_key_free(k) + return self.__modify(addr, mask, self.protocol[proto], serange, ctype) (rc, node) = semanage_node_create(self.sh) if rc < 0: @@ -1475,7 +1478,8 @@ class interfaceRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if interface %s is defined") % interface) if exists: - raise ValueError(_("Interface %s already defined") % interface) + semanage_iface_key_free(k) + return self.__modify(interface, serange, ctype) (rc, iface) = semanage_iface_create(self.sh) if rc < 0: @@ -1777,7 +1781,8 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Could not check if file context for %s is defined") % target) if exists: - raise ValueError(_("File context for %s already defined") % target) + semanage_fcontext_key_free(k) + return self.__modify(target, type, ftype, serange, seuser) (rc, fcontext) = semanage_fcontext_create(self.sh) if rc < 0: @@ -2026,6 +2031,9 @@ class booleanRecords(semanageRecords): self.modify_local = False def __mod(self, name, value): + if not value: + raise ValueError(_("Value Required for %s") % name) + name = selinux.selinux_boolean_sub(name) (rc, k) = semanage_bool_key_create(self.sh, name) diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile index 4c5243a..036c418 100644 --- a/policycoreutils/semodule/Makefile +++ b/policycoreutils/semodule/Makefile 
@@ -11,7 +11,7 @@ LDLIBS = -lsepol -lselinux -lsemanage -L$(LIBDIR) SEMODULE_OBJS = semodule.o .PHONY: all semodule_path -all: semodule semodule_path +all: semodule semodule_path genhomedircon semodule_path: @echo -n $(SBINDIR) > ../scripts/semodule_path @@ -19,11 +19,16 @@ semodule_path: semodule: $(SEMODULE_OBJS) $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) +genhomedircon: + ln -sf semodule genhomedircon + install: all -mkdir -p $(SBINDIR) install -m 755 semodule $(SBINDIR) + (cd $(SBINDIR); ln -sf semodule genhomedircon) test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8 install -m 644 semodule.8 $(MANDIR)/man8/ + install -m 644 genhomedircon.8 $(MANDIR)/man8/ relabel: diff --git a/policycoreutils/semodule/genhomedircon.8 b/policycoreutils/semodule/genhomedircon.8 new file mode 100644 index 0000000..8ec509c --- /dev/null +++ b/policycoreutils/semodule/genhomedircon.8 @@ -0,0 +1,24 @@ +.TH GENHOMEDIRCON "12" "Sep 2011" "Security Enhanced Linux" "SELinux" +.SH NAME +genhomedircon \- generate SELinux file context configuration entries for user home directories +.SH SYNOPSIS +.B genhomedircon +is a script that executes +.B semodule +to rebuild the currently active SELinux policy (without reloading it) and to create the +labels for each user home directory based on directory paths returned by calls to getpwent(). + +The latter functionality depends on the "usepasswd" parameter being set to "true" (default) +in /etc/selinux/semanage.conf. + +This script is usually executed by +.B semanage +although this default behavior can be optionally modified by setting to "true" the +"disable-genhomedircon" in /etc/selinux/semanage.conf. + +.SH AUTHOR +This manual page was written by +.I Dan Walsh + +.SH "SEE ALSO" +semanage.conf(5), semodule(8), semanage(8), getpwent(3), getpwent_r(3) diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c index 17b4fa5..6947b37 100644 --- a/policycoreutils/semodule/semodule.c 
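Review bot: The new `genhomedircon` target, now a prerequisite of `all`, leaves a `genhomedircon` symlink in the source tree, and the `clean` rule is not visible in this hunk, so it is unclear whether `make clean` removes it; if not, add `genhomedircon` to clean's `rm -f` list. The install step creates its own relative link with `(cd $(SBINDIR); ln -sf semodule genhomedircon)`, so the in-tree link exists only for running from the build directory, which a one-line comment above the target would make clear.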
+++ b/policycoreutils/semodule/semodule.c @@ -19,6 +19,7 @@ #include #include #include +#include #include @@ -284,8 +285,12 @@ int main(int argc, char *argv[]) int i, commit = 0; int result; int status = EXIT_FAILURE; - + char *genhomedirconargv[] = { "genhomedircon", "-B", "-n" }; create_signal_handlers(); + if (strcmp(basename(argv[0]), "genhomedircon") == 0) { + argc = 3; + argv=genhomedirconargv; + } parse_command_line(argc, argv); if (build) diff --git a/policycoreutils/semodule_package/semodule_unpackage.8 b/policycoreutils/semodule_package/semodule_unpackage.8 index 62dd53e..d6e1be0 100644 --- a/policycoreutils/semodule_package/semodule_unpackage.8 +++ b/policycoreutils/semodule_package/semodule_unpackage.8 @@ -1,6 +1,6 @@ .TH SEMODULE_PACKAGE "8" "Nov 2005" "Security Enhanced Linux" NSA .SH NAME -semodule_unpackage \- Extract polciy module and file context file from an SELinux policy module unpackage. +semodule_unpackage \- Extract policy module and file context file from an SELinux policy module unpackage. .SH SYNOPSIS .B semodule_unpackage [] diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile index 11b534f..ae064c4 100644 --- a/policycoreutils/sepolicy/Makefile +++ b/policycoreutils/sepolicy/Makefile @@ -7,7 +7,7 @@ SBINDIR ?= $(PREFIX)/sbin MANDIR ?= $(PREFIX)/share/man LOCALEDIR ?= /usr/share/locale PYTHON ?= /usr/bin/python -BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/ +BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions SHAREDIR ?= $(PREFIX)/share/sandbox override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W -DSHARED -shared 
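Review bot: The `genhomedirconargv` override in main() hard-codes `argc = 3` and the array has no terminating NULL, so after the swap `argv[argc]` is no longer the null pointer the C standard guarantees for the real argument vector, and any code in parse_command_line that relies on that reads past the array. Declare it terminated and derive the count from it: `char *genhomedirconargv[] = { "genhomedircon", "-B", "-n", NULL };` and `argc = sizeof(genhomedirconargv) / sizeof(*genhomedirconargv) - 1;`. The POSIX `basename()` is permitted to modify the string it is given, so calling it on `argv[0]` may alter the program name seen later; which variant is in effect depends on the header added at the top of the file, whose name is not visible here, so a comment or a copy of `argv[0]` would remove the doubt. Any arguments a user passes to genhomedircon are silently discarded by the override, which may be intended but deserves a comment. main() continues outside the hunk.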
@@ -22,11 +22,15 @@ clean: $(PYTHON) setup.py clean -rm -rf build *~ \#* *pyc .#* +sepolgen: + ln -sf sepolicy sepolgen + install: $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` [ -d $(BINDIR) ] || mkdir -p $(BINDIR) install -m 755 sepolicy.py $(BINDIR)/sepolicy + (cd $(BINDIR); ln -sf sepolicy sepolgen) -mkdir -p $(MANDIR)/man8 install -m 644 *.8 $(MANDIR)/man8 -mkdir -p $(BASHCOMPLETIONDIR) - install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR) + install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/sepolicy diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c index 4eca22d..eeee0ab 100644 --- a/policycoreutils/sepolicy/policy.c +++ b/policycoreutils/sepolicy/policy.c @@ -66,7 +66,6 @@ PyObject *wrap_policy(PyObject *UNUSED(self), PyObject *args){ } apol_vector_destroy(&mod_paths); - policy_load_options |= QPOL_POLICY_OPTION_MATCH_SYSTEM; policy = apol_policy_create_from_policy_path(pol_path, policy_load_options, NULL, NULL); apol_policy_path_destroy(&pol_path); if (!policy) { diff --git a/policycoreutils/sepolicy/sepolgen.8 b/policycoreutils/sepolicy/sepolgen.8 new file mode 100644 index 0000000..3ecf3eb --- /dev/null +++ b/policycoreutils/sepolicy/sepolgen.8 @@ -0,0 +1 @@ +.so man8/sepolicy-generate.8 diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh index 82fea52..29f9428 100644 --- a/policycoreutils/sepolicy/sepolicy-bash-completion.sh +++ b/policycoreutils/sepolicy/sepolicy-bash-completion.sh 
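Review bot: The install target now copies the completion file to `$(BASHCOMPLETIONDIR)/sepolicy` but no longer creates the directory first, so `make install` fails on a fresh `$(DESTDIR)` where `/usr/share/bash-completion/completions` does not exist yet; keep `-mkdir -p $(BASHCOMPLETIONDIR)` ahead of the copy. The new `sepolgen:` target creates a symlink in the source tree that the `clean` rule shown in this hunk (`-rm -rf build *~ \#* *pyc .#*`) does not remove, and nothing visible depends on the target since install creates its own link; either wire it into `all` and `clean` or drop it.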
@@ -81,7 +81,7 @@ _sepolicy () { [communicate]='-h --help -s --source -t --target -c --class -S --sourceaccess -T --targetaccess' [generate]='-a --admin --admin_user --application --cgi --confined_admin --customize -d --domain --dbus --desktop_user -h --help --inetd --init -n --name --newtype -p --path --sandbox -T --test --term_user -u --user -w --writepath --x_user' [interface]='-h --help -a --list_admin" -u --list_user -l --list' - [manpage]='-h --help -p --path -a -all -o --os -d --domain -w --web' + [manpage]='-h --help -p --path -a -all -o --os -d --domain -w --web -r --root' [network]='-h --help -d --domain -l --list -p --port -t --type ' [transition]='-h --help -s --source -t --target' ) @@ -156,6 +156,10 @@ _sepolicy () { if [ "$prev" = "-d" -o "$prev" = "--domain" ]; then COMPREPLY=( $(compgen -W "$( __get_all_domains ) " -- "$cur") ) return 0 + elif test "$prev" = "-r" || test "$prev" = "--root" ; then + COMPREPLY=( $( compgen -d -- "$cur") ) + compopt -o filenames + return 0 elif [ "$prev" = "-o" -o "$prev" = "--os" ]; then return 0 elif test "$prev" = "-p" || test "$prev" = "--path" ; then diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8 index fb84af6..c2fa601 100644 --- a/policycoreutils/sepolicy/sepolicy-generate.8 +++ b/policycoreutils/sepolicy/sepolicy-generate.8 
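Review bot: The edited `[manpage]` entry keeps `-a -all` while sepolicy.py defines the option as `-a`/`--all`, so completing `--a` never offers the long form; the corrected line is `[manpage]='-h --help -p --path -a --all -o --os -d --domain -w --web -r --root'`. The new `-r`/`--root` branch completes directories with `compgen -d` and `compopt -o filenames`, which matches how the `-p`/`--path` branch below it is written.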
@@ -8,12 +8,18 @@ sepolicy-generate \- Generate an initial SELinux policy module template. .B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-w WRITE_PATH ] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-newtype | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user] .SH "DESCRIPTION" -Use sepolicy generate to generate an SELinux policy Module. sepolicy generate will generate 4 files. +Use \fBsepolicy generate\fP to generate an SELinux policy Module. \fBsepolicy generate\fP will create 5 files. + +If you specify a binary path, \fBsepolicy generate\fP will use the rpm payload of the binary along with \fBnm -D BINARY\fP to discover types and policy rules to generate these template files. + .B Type Enforcing File NAME.te .br This file can be used to define all the types rules for a particular domain. +.I Note: +Policy generated by \fBsepolicy generate\fP will automatically add a permissive DOMAIN to your te file. When you are satisfied that your policy works, you need to remove the permissive line from the te file to run your domain in enforcing mode. + .B Interface File NAME.if .br This file defines the interfaces for the types generated in the te file, which can be used by other policy domains. 
@@ -25,7 +31,7 @@ file paths to the types. Tools like restorecon and RPM will use these paths to .B RPM Spec File NAME_selinux.spec .br -This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use sepolicy manpage -d NAME to generate the man page. +This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use \fBsepolicy manpage -d NAME\fP to generate the man page. .B Shell File NAME.sh .br diff --git a/policycoreutils/sepolicy/sepolicy-manpage.8 b/policycoreutils/sepolicy/sepolicy-manpage.8 index b6abdf5..c05c943 100644 --- a/policycoreutils/sepolicy/sepolicy-manpage.8 +++ b/policycoreutils/sepolicy/sepolicy-manpage.8 @@ -5,7 +5,7 @@ sepolicy-manpage \- Generate a man page based on the installed SELinux Policy .SH "SYNOPSIS" .br -.B sepolicy manpage [\-w] [\-h] [\-p PATH ] [\-a | \-d ] +.B sepolicy manpage [\-w] [\-h] [\-p PATH ] [\-r ROOTDIR ] [\-a | \-d ] .SH "DESCRIPTION" Use sepolicy manpage to generate manpages based on SELinux Policy. @@ -24,6 +24,9 @@ Display help message .I \-p, \-\-path Specify the directory to store the created man pages. (Default to /tmp) .TP +.I \-r, \-\-root +Specify alternate root directory to generate man pages from. (Default to /) +.TP .I \-w, \-\-web Generate an additional HTML man pages for the specified domain(s). diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py index b25d3b2..1146bb3 100755 --- a/policycoreutils/sepolicy/sepolicy.py +++ b/policycoreutils/sepolicy/sepolicy.py @@ -22,6 +22,8 @@ # # import os, sys +import selinux +import sepolicy from sepolicy import get_os_version import argparse import gettext 
@@ -45,7 +47,7 @@ class CheckPath(argparse.Action): class CheckType(argparse.Action): def __call__(self, parser, namespace, values, option_string=None): - from sepolicy.network import domains + domains = sepolicy.get_all_domains() if isinstance(values,str): setattr(namespace, self.dest, values) @@ -58,9 +60,30 @@ class CheckType(argparse.Action): newval.append(v) setattr(namespace, self.dest, newval) +class CheckBoolean(argparse.Action): + def __call__(self, parser, namespace, values, option_string=None): + booleans = sepolicy.get_all_booleans() + newval = getattr(namespace, self.dest) + if not newval: + newval = [] + + if isinstance(values,str): + v = selinux.selinux_boolean_sub(values) + if v not in booleans: + raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(booleans))) + newval.append(v) + setattr(namespace, self.dest, newval) + else: + for value in values: + v = selinux.selinux_boolean_sub(value) + if v not in booleans: + raise ValueError("%s must be an SELinux boolean:\nValid boolean: %s" % (v, ", ".join(booleans))) + newval.append(v) + setattr(namespace, self.dest, newval) + class CheckDomain(argparse.Action): def __call__(self, parser, namespace, values, option_string=None): - from sepolicy.network import domains + domains = sepolicy.get_all_domains() if isinstance(values,str): if values not in domains: @@ -80,7 +103,6 @@ class CheckDomain(argparse.Action): all_classes = None class CheckClass(argparse.Action): def __call__(self, parser, namespace, values, option_string=None): - import sepolicy global all_classes if not all_classes: all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS)) @@ -114,7 +136,7 @@ class CheckPort(argparse.Action): class CheckPortType(argparse.Action): def __call__(self, parser, namespace, values, option_string=None): - from sepolicy.network import port_types + port_types = sepolicy.get_all_port_types() newval = getattr(namespace, self.dest) if not newval: newval = [] 
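Review bot: In the new CheckBoolean action the single-value branch raises `"%s must be an SELinux process domain:\nValid domains: %s"`, a leftover from CheckDomain, while the list branch correctly says boolean; both should read `"%s must be an SELinux boolean:\nValid boolean: %s"`. The two branches are otherwise identical, so normalising first with `values = [values] if isinstance(values, str) else values` leaves one loop and one error message. Raising ValueError from an argparse Action matches the existing CheckDomain/CheckUser style and is caught by the `except ValueError` in __main__, so that part is consistent.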
@@ -140,19 +162,18 @@ class CheckPolicyType(argparse.Action): class CheckUser(argparse.Action): def __call__(self, parser, namespace, value, option_string=None): - from sepolicy import get_all_users newval = getattr(namespace, self.dest) if not newval: newval = [] - users = get_all_users() + users = sepolicy.get_all_users() if value not in users: raise ValueError("%s must be an SELinux user:\nValid users: %s" % (value, ", ".join(users))) newval.append(value) setattr(namespace, self.dest, newval) def _print_net(src, protocol, perm): - from sepolicy.network import get_network_connect - portdict = get_network_connect(src, protocol, perm) + import sepolicy.network + portdict = sepolicy.network.get_network_connect(src, protocol, perm) if len(portdict) > 0: print "%s: %s %s" % (src, protocol, perm) for p in portdict: @@ -160,7 +181,7 @@ def _print_net(src, protocol, perm): print "\t" + recs def network(args): - from sepolicy.network import portrecsbynum, portrecs, get_network_connect + portrecs, portrecsbynum = sepolicy.gen_port_dict() if args.list_ports: all_ports = [] for i in portrecs: 
@@ -201,41 +222,41 @@ def manpage(args): from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains path = args.path - if args.policy: - for f in ( "policy.xml", "file_context", "file_context.homedirs"): - if not os.path.exists(path + f): - raise ValueError("manpage creation with alternate policy requires the %s file exist" % (path + f)) - + if not args.policy and args.root != "/": + sepolicy.policy(sepolicy.get_installed_policy(args.root)) + if args.all: test_domains = gen_domains() else: test_domains = args.domain for domain in test_domains: - m = ManPage(domain, path, args.web) + m = ManPage(domain, path, args.root, args.web) print m.get_man_page_path() if args.web: HTMLManPages(manpage_roles, manpage_domains, path, args.os) def gen_manpage_args(parser): - man = parser.add_parser("manpage", - help=_('Generate SELinux man pages')) - - man.add_argument("-p", "--path", dest="path", default="/tmp", - help=_("path in which the generated SELinux man pages will be stored")) - man.add_argument("-o", "--os", dest="os", default=get_os_version(), - help=_("name of the OS for man pages")) - man.add_argument("-w", "--web", dest="web", default=False, action="store_true", - help=_("Generate HTML man pages structure for selected SELinux man page")) - group = man.add_mutually_exclusive_group(required=True) - group.add_argument("-a", "--all", dest="all", default=False, - action="store_true", - help=_("All domains")) - group.add_argument("-d", "--domain", nargs="+", - action=CheckDomain, - help=_("Domain name(s) of man pages to be created")) - man.set_defaults(func=manpage) + man = parser.add_parser("manpage", + help=_('Generate SELinux man pages')) + + man.add_argument("-p", "--path", dest="path", default="/tmp", + help=_("path in which the generated SELinux man pages will be stored")) + man.add_argument("-o", "--os", dest="os", default=get_os_version(), + help=_("name of the OS for man pages")) + man.add_argument("-w", "--web", dest="web", 
default=False, action="store_true", + help=_("Generate HTML man pages structure for selected SELinux man page")) + man.add_argument("-r", "--root", dest="root", default="/", + help=_("Alternate root directory, defaults to /")) + group = man.add_mutually_exclusive_group(required=True) + group.add_argument("-a", "--all", dest="all", default=False, + action="store_true", + help=_("All domains")) + group.add_argument("-d", "--domain", nargs="+", + action=CheckDomain, + help=_("Domain name(s) of man pages to be created")) + man.set_defaults(func=manpage) def gen_network_args(parser): net = parser.add_parser("network", @@ -283,7 +304,6 @@ def gen_communicate_args(parser): comm.set_defaults(func=communicate) def booleans(args): - import selinux from sepolicy import boolean_desc if args.all: rc, args.booleans = selinux.security_get_boolean_names() @@ -300,6 +320,7 @@ def gen_booleans_args(parser): action="store_true", help=_("get all booleans descriptions")) group.add_argument("-b", "--boolean", dest="booleans", nargs="+", + action=CheckBoolean, required=False, help=_("boolean to get description")) bools.set_defaults(func=booleans) @@ -320,7 +341,7 @@ def gen_transition_args(parser): trans.set_defaults(func=transition) def interface(args): - from sepolicy.interface import get_admin, get, get_user + from sepolicy.interface import get_admin, get_user if args.list_admin: for a in get_admin(): print a @@ -328,13 +349,13 @@ def interface(args): for a in get_user(): print a if args.list: - for m in get(): + for m in sepolicy.get_methods(): print m def generate(args): from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS, NEWTYPE cmd = None - if args.policytype not in USERS + [ SANDBOX, NEWTYPE]: + if args.policytype in APPLICATIONS: if not args.command: raise ValueError(_("Command required for this type of policy")) cmd = os.path.realpath(args.command) 
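Review bot: In manpage() the new guard `if not args.policy and args.root != "/"` reads `args.policy`, but gen_manpage_args in the same hunk defines no `policy` option (the only other reference was in the removed pre-check), so unless it is added elsewhere this raises AttributeError on every `sepolicy manpage` invocation; `if args.root != "/":` is what the branch needs. The `-d` values are also validated by CheckDomain at parse time against the host policy, before `sepolicy.policy(sepolicy.get_installed_policy(args.root))` switches to the policy under `--root`, so a domain present only in the alternate root is rejected and one missing there is accepted; re-checking `args.domain` against `sepolicy.get_all_domains()` after the switch closes that gap. gen_manpage_args is otherwise re-indented only, with `-r/--root` as the functional addition.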
@@ -368,10 +389,10 @@ def gen_interface_args(parser): help=_('List SELinux Policy interfaces')) group = itf.add_mutually_exclusive_group(required=True) group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true", default=False, - help="List all domains with admin interface") + help="List all domains with admin interface - DOMAIN_admin()") group.add_argument("-u", "--list_user", dest="list_user",action="store_true", default=False, - help="List all domains with SELinux user role interface") + help="List all domains with SELinux user role interface - DOMAIN_role()") group.add_argument("-l", "--list", dest="list",action="store_true", default=False, help="List all interfaces") @@ -461,7 +482,10 @@ if __name__ == '__main__': gen_transition_args(subparsers) try: - args = parser.parse_args() + if os.path.basename(sys.argv[0]) == "sepolgen": + args = parser.parse_args([ "generate" ] + sys.argv[1:]) + else: + args = parser.parse_args() args.func(args) sys.exit(0) except ValueError,e: diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py index 5e7415c..5267ed9 100644 --- a/policycoreutils/sepolicy/sepolicy/__init__.py +++ b/policycoreutils/sepolicy/sepolicy/__init__.py @@ -7,6 +7,9 @@ import _policy import selinux, glob PROGNAME="policycoreutils" import gettext +import sepolgen.defaults as defaults +import sepolgen.interfaces as interfaces +import sys gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.textdomain(PROGNAME) try: 
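Review bot: Moving `import sepolgen.defaults` and `import sepolgen.interfaces` into sepolicy/__init__.py makes sepolgen an import-time dependency of the whole sepolicy package, so subcommands that never touch interface data fail at `import sepolicy` when sepolgen is absent, whereas before only generate.py needed it. If that coupling is intended a comment on these lines saying so helps; otherwise import them lazily inside `get_methods()`, which is the only user visible in this diff. The `sys.argv[0] == "sepolgen"` dispatch in the __main__ hunk simply prepends `"generate"`, which is straightforward, though a one-line comment naming the symlink installed by the Makefile would explain why it exists.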
@@ -37,9 +40,30 @@ CLASS = 'class' TRANSITION = 'transition' ROLE_ALLOW = 'role_allow' -def __get_installed_policy(): +def info(setype, name=None): + dict_list = _policy.info(setype, name) + return dict_list + +def search(types, info = {} ): + valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW] + for type in types: + if type not in valid_types: + raise ValueError("Type has to be in %s" % valid_types) + info[type] = True + + perms = [] + if PERMS in info: + perms = info[PERMS] + info[PERMS] = ",".join(info[PERMS]) + + dict_list = _policy.search(info) + if dict_list and len(perms) != 0: + dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list) + return dict_list + +def get_installed_policy(root = "/"): try: - path = selinux.selinux_binary_policy_path() + path = root + selinux.selinux_binary_policy_path() policies = glob.glob ("%s.*" % path ) policies.sort() return policies[-1] @@ -47,6 +71,26 @@ def __get_installed_policy(): pass raise ValueError(_("No SELinux Policy installed")) +methods = [] +def get_methods(): + global methods + if len(methods) > 0: + return methods + fn = defaults.interface_info() + try: + fd = open(fn) + # List of per_role_template interfaces + ifs = interfaces.InterfaceSet() + ifs.from_file(fd) + methods = ifs.interfaces.keys() + fd.close() + except: + sys.stderr.write("could not open interface info [%s]\n" % fn) + sys.exit(1) + + methods.sort() + return methods + all_types = None def get_all_types(): global all_types @@ -54,6 +98,13 @@ def get_all_types(): all_types = map(lambda x: x['name'], info(TYPE)) return all_types +user_types = None +def get_user_types(): + global user_types + if user_types == None: + user_types = info(ATTRIBUTE,"userdomain")[0]["types"] + return user_types + role_allows = None def get_all_role_allows(): global role_allows 
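Review bot: `get_methods()` uses a bare `except:` and `sys.exit(1)` inside the sepolicy library module, so any failure while reading the interface file (including a KeyboardInterrupt, which the bare clause also catches) terminates the calling program instead of surfacing an error it can handle, and `methods` stays `[]` so a later call retries. The removed `interface.get()` raised `ValueError(_("could not open interface info [%s]\n") % fn)` for the same condition; raising that here keeps library and CLI behaviour consistent, and `with open(fn) as fd:` removes the manual close. In the moved `search()`, the default `info = {}` is mutated (`info[type] = True`, `info[PERMS] = ...`), so one dict is shared across every call that omits the argument and accumulates earlier callers' types; use `info=None` with `info = {} if info is None else info`. That bug predates the move, but the lines are new on this side and it is the moment to fix it.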
@@ -71,6 +122,7 @@ def get_all_role_allows(): return role_allows def get_all_entrypoint_domains(): + import re all_domains = [] types=get_all_types() types.sort() @@ -81,11 +133,35 @@ def get_all_entrypoint_domains(): all_domains.append(m[0]) return all_domains +portrecs = None +portrecsbynum = None + +def gen_port_dict(): + global portrecs + global portrecsbynum + if portrecs: + return ( portrecs, portrecsbynum ) + portrecsbynum = {} + portrecs = {} + for i in info(PORT): + if i['low'] == i['high']: + port = str(i['low']) + else: + port = "%s-%s" % (str(i['low']), str(i['high'])) + + if (i['type'], i['protocol']) in portrecs: + portrecs [(i['type'], i['protocol'])].append(port) + else: + portrecs [(i['type'], i['protocol'])] = [port] + + portrecsbynum[(i['low'], i['high'],i['protocol'])] = (i['type'], i['range']) + return ( portrecs, portrecsbynum ) + all_domains = None def get_all_domains(): global all_domains if not all_domains: - all_domains = info(ATTRIBUTE,"domain")[0]["types"] + all_domains = info(ATTRIBUTE,"domain")[0]["types"] return all_domains roles = None 
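Review bot: `gen_port_dict()` tests its cache with `if portrecs:`, so when the loaded policy has no port records the empty dict is rebuilt on every call, and `portrecsbynum` with it; `if portrecs is not None:` is the intended check, and `get_all_domains()` in the same hunk has the same pattern with `if not all_domains:`. The grow-or-create branch can be `portrecs.setdefault((i['type'], i['protocol']), []).append(port)`. The `portrecsbynum` key assumes every `info(PORT)` record carries `'low'`, `'high'`, `'protocol'`, `'type'` and `'range'`; the first three are read above so that is consistent, but the record shape is not shown here.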
@@ -139,48 +215,48 @@ def get_all_attributes(): return all_attributes def policy(policy_file): + global all_domains + global all_attributes + global bools + global all_types + global role_allows + global users + global roles + global file_types + global port_types + all_domains = None + all_attributes = None + bools = None + all_types = None + role_allows = None + users = None + roles = None + file_types = None + port_types = None try: _policy.policy(policy_file) except: raise ValueError(_("Failed to read %s policy file") % policy_file) - -policy_file = selinux.selinux_current_policy_path() -if not policy_file: - policy_file = __get_installed_policy() - try: + policy_file = get_installed_policy() policy(policy_file) except ValueError, e: if selinux.is_selinux_enabled() == 1: raise e -def search(types, info = {} ): - valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW] - for type in types: - if type not in valid_types: - raise ValueError("Type has to be in %s" % valid_types) - info[type] = True - - perms = [] - if PERMS in info: - perms = info[PERMS] - info[PERMS] = ",".join(info[PERMS]) - - dict_list = _policy.search(info) - if dict_list and len(perms) != 0: - dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list) - return dict_list - def _dict_has_perms(dict, perms): for perm in perms: if perm not in dict[PERMS]: return False return True -def info(setype, name=None): - dict_list = _policy.info(setype, name) - return dict_list +booleans = None +def get_all_booleans(): + global booleans + if not booleans: + booleans = selinux.security_get_boolean_names()[1] + return booleans booleans_dict = None def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py index 26f8390..95b3ac0 100644 --- a/policycoreutils/sepolicy/sepolicy/generate.py +++ b/policycoreutils/sepolicy/sepolicy/generate.py 
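Review bot: `policy()` resets the module-level caches (`all_domains`, `all_types`, `port_types`, …) before loading a new policy file, but not `portrecs`/`portrecsbynum` (filled by `gen_port_dict()` from `info(PORT)`) or `user_types` (from `info(ATTRIBUTE, "userdomain")`), so after `sepolicy.policy(other_file)` those still describe the previously loaded policy if they were computed earlier. Add `portrecs`, `portrecsbynum` and `user_types` to the `global` list and set them to `None` with the others; `methods` and `booleans` come from the interface file and the running kernel rather than the policy file, so leaving them is reasonable but deserves a comment saying so. The list of caches is now spelled out twice, once as scattered `X = None` declarations and once here, so a single `_CACHES` tuple reset in a loop would prevent the next omission.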
@@ -63,20 +63,6 @@ except IOError: import __builtin__ __builtin__.__dict__['_'] = unicode -user_types = sepolicy.info(sepolicy.ATTRIBUTE,"userdomain")[0]["types"] -methods = [] -fn = defaults.interface_info() -try: - fd = open(fn) - # List of per_role_template interfaces - ifs = interfaces.InterfaceSet() - ifs.from_file(fd) - methods = ifs.interfaces.keys() - fd.close() -except: - sys.stderr.write("could not open interface info [%s]\n" % fn) - sys.exit(1) - def get_rpm_nvr_from_header(hdr): 'Given an RPM header return the package NVR as a string' name = hdr['name'] @@ -164,7 +150,7 @@ def get_poltype_desc(): return msg APPLICATIONS = [ DAEMON, DBUS, INETD, USER, CGI ] -USERS = [ XUSER, TUSER, LUSER, AUSER, EUSER, RUSER] +USERS = [ XUSER, TUSER, LUSER, AUSER, RUSER] def verify_ports(ports): if ports == "": @@ -587,7 +573,7 @@ class policy: def generate_network_action(self, protocol, action, port_name): line = "" method = "corenet_%s_%s_%s" % (protocol, action, port_name) - if method in methods: + if method in sepolicy.get_methods(): line = "%s(%s_t)\n" % (method, self.name) else: line = """ @@ -1030,14 +1016,15 @@ allow %s_t %s_t:%s_socket name_%s; if len(self.DEFAULT_DIRS[d][1]) > 0: # CGI scripts already have a rw_t if self.type != CGI or d != "rw": - newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types) + newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types) if self.type != EUSER: newte +=""" ######################################## # # %s local policy -#""" % self.name +# +""" % self.name newte += self.generate_capabilities() newte += self.generate_process() newte += self.generate_network_types() 
@@ -1048,11 +1035,20 @@ allow %s_t %s_t:%s_socket name_%s; for d in self.DEFAULT_KEYS: if len(self.DEFAULT_DIRS[d][1]) > 0: - newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_rules) - for i in self.DEFAULT_DIRS[d][1]: - if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]): - newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules) - break + if self.type == EUSER: + for domain in self.existing_domains: + newte += re.sub("TEMPLATETYPE", domain[:-2], self.DEFAULT_DIRS[d][2].te_rules) + else: + newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_rules) + for i in self.DEFAULT_DIRS[d][1]: + if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]): + if self.type == EUSER: + for domain in self.existing_domains: + newte += re.sub("TEMPLATETYPE", domain[:-2], self.DEFAULT_DIRS[d][2].te_stream_rules) + + else: + newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules) + break newte += self.generate_tmp_rules() newte += self.generate_network_rules() @@ -1079,7 +1075,7 @@ allow %s_t %s_t:%s_socket name_%s; fclist = [] if self.type in USERS + [ SANDBOX ]: return executable.fc_user - if self.type != NEWTYPE and not self.program: + if self.type not in [ EUSER, NEWTYPE ] and not self.program: raise ValueError(_("You must enter the executable path for your confined process")) if self.program: diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py index 8b063ca..c9036c3 100644 --- a/policycoreutils/sepolicy/sepolicy/interface.py +++ b/policycoreutils/sepolicy/sepolicy/interface.py 
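Review bot: The new EUSER branches strip the last two characters of each entry of `self.existing_domains` (`domain[:-2]`), which is only right when every entry ends in `_t`; neither the attribute's origin nor its format is visible in this hunk, so if a bare name reaches it the template is filled with a truncated name. A guarded strip such as `name = domain[:-2] if domain.endswith("_t") else domain` makes the intent explicit. The same `if self.type == EUSER` fork is written twice (for te_rules and te_stream_rules); a small helper returning the list of template names for the current type would remove the duplication. The enclosing method starts and ends outside the hunk.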
@@ -22,14 +22,12 @@ # # import re - -import sepolgen.interfaces as interfaces -import sepolgen.defaults as defaults +import sepolicy ADMIN_TRANSITION_INTERFACE = "_admin$" USER_TRANSITION_INTERFACE = "_role$" -from sepolicy.generate import get_all_types +import selinux -__all__ = [ 'get', 'get_admin', 'get_user' ] +__all__ = [ 'get_admin', 'get_user' ] ## ## I18N @@ -48,24 +46,10 @@ except IOError: import __builtin__ __builtin__.__dict__['_'] = unicode -def get(): - """ Get all Methods """ - fn = defaults.interface_info() - try: - fd = open(fn) - ifs = interfaces.InterfaceSet() - ifs.from_file(fd) - methods = ifs.interfaces.keys() - fd.close() - except: - raise ValueError(_("could not open interface info [%s]\n") % fn) - - return methods - def get_admin(): """ Get all domains with an admin interface""" admin_list = [] - for i in get(): + for i in sepolicy.get_methods(): if i.endswith("_admin"): admin_list.append(i.split("_admin")[0]) return admin_list @@ -73,9 +57,9 @@ def get_admin(): def get_user(): """ Get all domains with SELinux user role interface""" trans_list = [] - for i in get(): + for i in sepolicy.get_methods(): m = re.findall("(.*)%s" % USER_TRANSITION_INTERFACE, i) if len(m) > 0: - if "%s_exec_t" % m[0] in get_all_types(): + if "%s_exec_t" % m[0] in sepolicy.get_all_types(): trans_list.append(m[0]) return trans_list diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py index 25062da..f184b0c 100755 --- a/policycoreutils/sepolicy/sepolicy/manpage.py +++ b/policycoreutils/sepolicy/sepolicy/manpage.py 
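Review bot: `import selinux` is added to interface.py but nothing in the visible hunks uses it; the remaining functions reference only `re` and `sepolicy`, so unless it is needed outside these hunks it should be dropped. The `__all__` update correctly removes `get` now that `sepolicy.get_methods()` replaces it.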
@@ -28,12 +28,12 @@ import string import argparse import selinux import sepolicy -from sepolicy import network, gen_bool_dict, get_all_file_types, get_all_domains, get_all_roles, get_all_users, get_all_port_types, get_all_bools, get_all_attributes, get_all_role_allows +from sepolicy import * import commands import sys, os, re, time -equiv_dict={ "smbd" : [ "samba" ], "httpd" : [ "apache" ], "virtd" : [ "virt", "libvirt" ], "named" : [ "bind" ], "fsdaemon" : [ "smartmon" ], "mdadm" : [ "raid" ] } +equiv_dict={ "smbd" : [ "samba" ], "httpd" : [ "apache" ], "virtd" : [ "virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t" ], "named" : [ "bind" ], "fsdaemon" : [ "smartmon" ], "mdadm" : [ "raid" ] } equiv_dirs=[ "/var" ] modules_dict = None @@ -184,14 +184,12 @@ def get_alphabet_manpages(manpage_list): return alphabet_manpages def convert_manpage_to_html(html_manpage,manpage): - fd = open(html_manpage,'w') - rc, output = commands.getstatusoutput("man2html -r %s" % manpage) + rc, output = commands.getstatusoutput("/usr/bin/groff -man -Thtml %s 2>/dev/null" % manpage) if rc == 0: + print html_manpage, " has been created" + fd = open(html_manpage,'w') fd.write(output) - else: - fd.write("Man page does not exist") - - fd.close() + fd.close() class HTMLManPages: """ 
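Review bot: `convert_manpage_to_html` builds a shell command by interpolating `manpage` into `"/usr/bin/groff -man -Thtml %s 2>/dev/null"`; that path derives from the user-supplied `-p/--path` and the domain name, so a space or shell metacharacter in it breaks the command or is interpreted by the shell that `commands.getstatusoutput` spawns. Passing the path as one argument without a shell, `output, _err = subprocess.Popen(["/usr/bin/groff", "-man", "-Thtml", manpage], stdout=subprocess.PIPE, stderr=subprocess.PIPE).communicate()` with `rc = proc.returncode`, keeps the same result and is stdlib on the Python 2 this file targets. When groff fails the function now creates no file and prints nothing, whereas the old code wrote a placeholder, so callers that later read `html_manpage` (outside the hunk) should be checked. `from sepolicy import *` also pulls every module-level name of sepolicy, including its `booleans`, `methods` and `policy` globals, into this namespace, and the explicit list it replaces documented exactly which helpers manpage.py depends on.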
@@ -416,40 +414,33 @@ class ManPage: """ Generate a Manpage on an SELinux domain in the specified path """ - all_attributes = get_all_attributes() - all_domains = get_all_domains() - all_bools = get_all_bools() - all_port_types = get_all_port_types() - all_roles = get_all_roles() - all_users = get_all_users_info()[0] - all_users_range = get_all_users_info()[1] - all_file_types = get_all_file_types() - types = _gen_types() modules_dict = None - domains = gen_domains() - role_allows = get_all_role_allows() enabled_str = ["Disabled", "Enabled"] - def __init__(self, domainname, path = "/tmp", html = False): + def __init__(self, domainname, path = "/tmp", root="/", html = False): self.html = html - self.portrecs = network.portrecs - - fcpath = path + "/file_contexts" - if os.path.exists(fcpath): - self.fcpath = fcpath - else: - self.fcpath = selinux.selinux_file_context_path() + self.root = root + self.portrecs = gen_port_dict()[0] + self.domains = gen_domains() + self.all_domains = get_all_domains() + self.all_attributes = get_all_attributes() + self.all_bools = get_all_bools() + self.all_port_types = get_all_port_types() + self.all_roles = get_all_roles() + self.all_users = get_all_users_info()[0] + self.all_users_range = get_all_users_info()[1] + self.all_file_types = get_all_file_types() + self.role_allows = get_all_role_allows() + self.types = _gen_types() + + self.fcpath = self.root + selinux.selinux_file_context_path() self.fcdict = _gen_fcdict(self.fcpath) if not os.path.exists(path): os.makedirs(path) - self.path = path - xmlpath = path + "/policy.xml" - if os.path.exists(xmlpath): - self.xmlpath = xmlpath - else: - self.xmlpath = "/usr/share/selinux/devel/policy.xml" + self.path = path + self.xmlpath = self.root + "/usr/share/selinux/devel/policy.xml" self.booleans_dict = gen_bool_dict(self.xmlpath) if domainname.endswith("_t"): 
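Review bot: `ManPage.__init__` inserts the new `root` parameter before `html`, so any existing caller that passes `html` positionally (`ManPage(name, path, True)`) now silently gets `root=True` and `html=False`; append it after `html` as `def __init__(self, domainname, path = "/tmp", html = False, root="/"):` instead. The path construction `self.root + selinux.selinux_file_context_path()` also yields `//etc/...` for the default root and a broken path for a root given without a trailing slash; `os.path.join(self.root, selinux.selinux_file_context_path().lstrip("/"))` (and the same for `policy.xml`) handles both. The old lookup of `path/file_contexts` and `path/policy.xml` overrides is dropped here, so if any caller relied on it, it must now pass `root`. `__init__` continues past the end of this hunk.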
@@ -459,7 +450,10 @@ class ManPage: if self.domainname + "_t" not in self.all_domains: raise ValueError("domain %s_t does not exist" % self.domainname) - self.short_name = self.domainname + if self.domainname[-1]=='d': + self.short_name = self.domainname[:-1] + "_" + else: + self.short_name = self.domainname + "_" self.type = self.domainname + "_t" self._gen_bools() @@ -483,16 +477,23 @@ class ManPage: def _gen_bools(self): self.bools=[] self.domainbools=[] - for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, sepolicy.search([sepolicy.ALLOW],{'source' : self.type }))): - for b in i: - if not isinstance(b,tuple): - continue - if b[0].startswith(self.short_name): - if b not in self.domainbools and (b[0], not b[1]) not in self.domainbools: - self.domainbools.append(b) - else: - if b not in self.bools and (b[0], not b[1]) not in self.bools: - self.bools.append(b) + types = [self.type] + if self.domainname in equiv_dict: + for t in equiv_dict[self.domainname]: + if t + "_t" in self.all_domains: + types.append(t+"_t") + + for t in types: + for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, sepolicy.search([sepolicy.ALLOW],{'source' : t }))): + for b in i: + if not isinstance(b,tuple): + continue + if b[0].startswith(self.short_name) or b[0].startswith(self.domainname): + if b not in self.domainbools and (b[0], not b[1]) not in self.domainbools: + self.domainbools.append(b) + else: + if b not in self.bools and (b[0], not b[1]) not in self.bools: + self.bools.append(b) self.bools.sort() self.domainbools.sort() @@ -538,9 +539,6 @@ class ManPage: print path def __gen_man_page(self): - if self.domainname[-1]=='d': - self.short_name = self.domainname[:-1] - self.anon_list = [] self.attributes = {} 
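Review bot: In `_gen_bools` the search now also covers the equivalent types from `equiv_dict`, but the classification test `b[0].startswith(self.short_name) or b[0].startswith(self.domainname)` only knows the main domain's prefixes, so a boolean named after the equivalent (for instance `samba_*` when `domainname` is `smbd`) still lands in the generic `self.bools` list rather than `self.domainbools`. If the intent of adding those types was to pull their booleans into the domain's own section, build the prefixes once, `prefixes = (self.short_name, self.domainname) + tuple(equiv_dict.get(self.domainname, []))`, and test `if b[0].startswith(prefixes):`. If the current placement is deliberate, a one-line comment saying so would stop the next reader from "fixing" it.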
@@ -563,19 +561,8 @@ class ManPage: def _get_ptypes(self): for f in self.all_domains: - if f.startswith(self.short_name): - self.ptypes.append(f) - - def __whoami(self): - import pwd - fd = open("/proc/self/loginuid", "r") - uid = int(fd.read()) - fd.close() - pw = pwd.getpwuid(uid) - if len(pw.pw_gecos) > 0: - return pw.pw_gecos - else: - return pw.pw_name + if f.startswith(self.short_name) or f.startswith(self.domainname): + self.ptypes.append(f) def _header(self): self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy documentation for %(domainname)s"' @@ -774,7 +761,7 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n def _port_types(self): self.ports = [] for f in self.all_port_types: - if f.startswith(self.short_name): + if f.startswith(self.short_name) or f.startswith(self.domainname): self.ports.append(f) if len(self.ports) == 0: @@ -923,13 +910,12 @@ to apply the labels. def _see_also(self): ret = "" - prefix = self.short_name.split("_")[0] for d in self.domains: if d == self.domainname: continue - if d.startswith(prefix): + if d.startswith(self.short_name): ret += ", %s_selinux(8)" % d - if self.domainname.startswith(d): + if d.startswith(self.domainname + "_"): ret += ", %s_selinux(8)" % d self.fd.write(ret) 
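Review bot: `_get_ptypes` now carries the same `f.startswith(self.short_name) or f.startswith(self.domainname)` test that `_port_types` and `_gen_bools` repeat elsewhere in this diff, which is three places to keep in step when the prefix rule changes again. Since `str.startswith` accepts a tuple, `if f.startswith((self.short_name, self.domainname)):` is shorter at each site, or better, a single `_is_own_name(self, name)` helper used by all three.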
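Review bot: In `_see_also` the two `if` tests are not mutually exclusive: for a `domainname` that does not end in `d`, `__init__` earlier in this diff sets `self.short_name` to `domainname + "_"`, which is exactly the second prefix, so every matching `d` is appended to `ret` twice and the SEE ALSO line lists the same page back to back. Make the second test `elif d.startswith(self.domainname + "_"):`, or collect matches into a set before joining. `_see_also` may continue past the end of this hunk.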
@@ -947,13 +933,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?" .B restorecon -F -R -v /var/%(domainname)s .pp .TP -Allow %(domainname)s servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_%(domainname)sd_anon_write boolean to be set. +Allow %(domainname)s servers to read and write /var/%(domainname)s/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. You also need to turn on the %(domainname)s_anon_write boolean. .PP .B semanage fcontext -a -t public_content_rw_t "/var/%(domainname)s/incoming(/.*)?" .br .B restorecon -F -R -v /var/%(domainname)s/incoming - +.br +.B setsebool -P %(domainname)s_anon_write 1 """ % {'domainname':self.domainname}) for b in self.anon_list: desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:] @@ -998,12 +985,11 @@ is a GUI tool available to customize SELinux policy settings. .SH AUTHOR This manual page was auto-generated using -.B "sepolicy manpage" -by %s. +.B "sepolicy manpage". .SH "SEE ALSO" selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -""" % (self.__whoami(), self.domainname)) +""" % (self.domainname)) if self.booltext != "": self.fd.write(", setsebool(8)") @@ -1230,6 +1216,7 @@ The SELinux user %s_u is not able to terminal login. """ % self.domainname) def _network(self): + from sepolicy import network self.fd.write(""" .SH NETWORK """) diff --git a/policycoreutils/sepolicy/sepolicy/network.py b/policycoreutils/sepolicy/sepolicy/network.py index 66efe26..a446d68 100755 --- a/policycoreutils/sepolicy/sepolicy/network.py +++ b/policycoreutils/sepolicy/sepolicy/network.py 
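Review bot: The new `.B setsebool -P %(domainname)s_anon_write 1` line hard-codes the boolean name, while the loop right after this hunk (`for b in self.anon_list:`) already knows which anonymous-write booleans the policy actually defines for this domain; if the boolean is not literally `<domain>_anon_write` the generated man page documents a command that fails. Either emit the `setsebool` line from `self.anon_list`, or guard it with `if "%s_anon_write" % self.domainname in self.all_bools:` (set in `__init__`) so the page never names a boolean the policy lacks. The same name appears in the prose sentence above the command and should come from the same source.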
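Review bot: The function-local `from sepolicy import network` in `_network` is undocumented; it presumably works around an import cycle now that `network.py` (below in this diff) calls back into `sepolicy.gen_port_dict()`, and without a comment the next maintainer will hoist it to the module imports and reintroduce the cycle. Add `# local import: sepolicy.network imports sepolicy, so a module-level import would be circular` above it, adjusting the wording if the real reason differs.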
@@ -25,27 +25,6 @@ import sepolicy search=sepolicy.search info=sepolicy.info -def _gen_port_dict(): - portrecsbynum = {} - portrecs = {} - for i in info(sepolicy.PORT): - if i['low'] == i['high']: - port = str(i['low']) - else: - port = "%s-%s" % (str(i['low']), str(i['high'])) - - if (i['type'], i['protocol']) in portrecs: - portrecs [(i['type'], i['protocol'])].append(port) - else: - portrecs [(i['type'], i['protocol'])] = [port] - - portrecsbynum[(i['low'], i['high'],i['protocol'])] = (i['type'], i['range']) - return ( portrecs, portrecsbynum ) -portrecs, portrecsbynum = _gen_port_dict() - -port_types = sepolicy.info(sepolicy.ATTRIBUTE,"port_type")[0]["types"] -domains = sepolicy.info(sepolicy.ATTRIBUTE,"domain")[0]["types"] - def get_types(src, tclass, perm): allows=search([sepolicy.ALLOW],{sepolicy.SOURCE:src,sepolicy.CLASS:tclass, sepolicy.PERMS:perm}) nlist=[] @@ -57,6 +36,7 @@ def get_types(src, tclass, perm): def get_network_connect(src, protocol, perm): + portrecs, portrecsbynum = sepolicy.gen_port_dict() d={} tlist = get_types(src, "%s_socket" % protocol, [perm]) if len(tlist) > 0: diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 index 80b6d6e..07c5ee2 100644 --- a/policycoreutils/setfiles/restorecon.8 +++ b/policycoreutils/setfiles/restorecon.8 @@ -4,10 +4,10 @@ restorecon \- restore file(s) default SELinux security contexts. .SH "SYNOPSIS" .B restorecon -.I [\-o outfilename] [\-R] [\-n] [\-p] [\-v] [\-e directory] pathname... +.I [\-R] [\-n] [\-p] [\-v] [\-e directory] pathname... .P .B restorecon -.I \-f infilename [\-o outfilename] [\-e directory] [\-R] [\-n] [\-p] [\-v] [\-F] +.I \-f infilename [\-e directory] [\-R] [\-n] [\-p] [\-v] [\-F] .SH "DESCRIPTION" This manual page describes the 
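Review bot: `get_network_connect` now calls `sepolicy.gen_port_dict()` on every invocation, so the whole port table is rebuilt per call where the removed module-level `_gen_port_dict()` computed it once; if the man page generator calls this once per domain, protocol and permission, that is many repeated policy queries. Unless `gen_port_dict` memoizes (not visible here), cache the result lazily in a module-level variable guarded by `if _port_dict is None:` and read `portrecs, portrecsbynum` from that. Whether the rest of the function still uses `portrecsbynum` lies outside the hunk.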
@@ -49,7 +49,7 @@ ignore files that do not exist. don't change any file labels (passive check). .TP .B \-o outfilename -save list of files with incorrect context in outfilename. +Deprecated, SELinux policy will probably block this access. Use shell redirection to save list of files with incorrect context in filename. .TP .B \-p show progress by printing * every STAR_COUNT files. (If you relabel the entire OS, this will show you the percentage complete.) diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 index 89d2a49..12bca43 100644 --- a/policycoreutils/setfiles/setfiles.8 +++ b/policycoreutils/setfiles/setfiles.8 @@ -4,7 +4,7 @@ setfiles \- set SELinux file security contexts. .SH "SYNOPSIS" .B setfiles -.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname... +.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname... .SH "DESCRIPTION" This manual page describes the .BR setfiles @@ -57,7 +57,7 @@ log changes in file labels to syslog. don't change any file labels (passive check). .TP .B \-o filename -save list of files with incorrect context in filename. +Deprecated, SELinux policy will probably block this access. Use shell redirection to save list of files with incorrect context in filename. .TP .B \-p show progress by printing * every STAR_COUNT files. (If you relabel the entire OS, this will show you the percentage complete.) diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c index b11e49f..ac1c39a 100644 --- a/policycoreutils/setfiles/setfiles.c +++ b/policycoreutils/setfiles/setfiles.c 
@@ -45,18 +45,18 @@ void usage(const char *const name) { if (iamrestorecon) { fprintf(stderr, - "usage: %s [-iFnprRv0] [-e excludedir] [-o filename] pathname...\n" - "usage: %s [-iFnprRv0] [-e excludedir] [-o filename] -f filename\n", + "usage: %s [-iFnprRv0] [-e excludedir] pathname...\n" + "usage: %s [-iFnprRv0] [-e excludedir] -f filename\n", name, name); } else { fprintf(stderr, - "usage: %s [-dilnpqvFW] [-e excludedir] [-o filename] [-r alt_root_path] spec_file pathname...\n" - "usage: %s [-dilnpqvFW] [-e excludedir] [-o filename] [-r alt_root_path] spec_file -f filename\n" - "usage: %s -s [-dilnpqvFW] [-o filename] spec_file\n" + "usage: %s [-dilnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n" + "usage: %s [-dilnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n" + "usage: %s -s [-dilnpqvFW] spec_file\n" "usage: %s -c policyfile spec_file\n", name, name, name, name); } - exit(1); + exit(-1); } static int nerr = 0; @@ -66,7 +66,7 @@ void inc_err() nerr++; if (nerr > ABORT_ON_ERRORS - 1 && !r_opts.debug) { fprintf(stderr, "Exiting after %d errors.\n", ABORT_ON_ERRORS); - exit(1); + exit(-1); } } @@ -80,7 +80,7 @@ void set_rootpath(const char *arg) if (NULL == r_opts.rootpath) { fprintf(stderr, "%s: insufficient memory for r_opts.rootpath\n", r_opts.progname); - exit(1); + exit(-1); } /* trim trailing /, if present */ @@ -98,7 +98,7 @@ int canoncon(char **contextp) if (policyfile) { if (sepol_check_context(context) < 0) { fprintf(stderr, "invalid context %s\n", context); - exit(1); + exit(-1); } } else if (security_canonicalize_context_raw(context, &tmpcon) == 0) { free(context); @@ -175,7 +175,7 @@ int main(int argc, char **argv) r_opts.progname = strdup(argv[0]); if (!r_opts.progname) { fprintf(stderr, "%s: Out of memory!\n", argv[0]); - exit(1); + exit(-1); } base = basename(r_opts.progname); 
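Review bot: Every `exit(1)` in `usage()`, `inc_err()`, `set_rootpath()` and `canoncon()` becomes `exit(-1)`, which the kernel truncates to status 255; that is non-standard, collides with the 255 many shells use for their own failures, and breaks any script that tests `$? -eq 1` after setfiles or restorecon. Use `exit(EXIT_FAILURE)` from `<stdlib.h>` instead, which is 1 and states the intent. The same substitution runs through the rest of setfiles.c in the hunks below; the final `exit(errors ? -1 : 0)` does fix the old `exit(errors)` wrapping to 0 after 256 errors and should keep its non-zero/zero shape, just as `errors ? EXIT_FAILURE : EXIT_SUCCESS`.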
@@ -242,7 +242,7 @@ int main(int argc, char **argv) fprintf(stderr, "Error opening %s: %s\n", policyfile, strerror(errno)); - exit(1); + exit(-1); } __fsetlocking(policystream, FSETLOCKING_BYCALLER); @@ -252,7 +252,7 @@ int main(int argc, char **argv) fprintf(stderr, "Error reading policy %s: %s\n", policyfile, strerror(errno)); - exit(1); + exit(-1); } fclose(policystream); @@ -268,7 +268,7 @@ int main(int argc, char **argv) break; } if (add_exclude(optarg)) - exit(1); + exit(-1); break; case 'f': use_input_file = 1; @@ -318,13 +318,13 @@ int main(int argc, char **argv) if (optind + 1 >= argc) { fprintf(stderr, "usage: %s -r rootpath\n", argv[0]); - exit(1); + exit(-1); } if (NULL != r_opts.rootpath) { fprintf(stderr, "%s: only one -r can be specified\n", argv[0]); - exit(1); + exit(-1); } set_rootpath(argv[optind++]); break; @@ -337,7 +337,7 @@ int main(int argc, char **argv) if (r_opts.progress) { fprintf(stderr, "Progress and Verbose mutually exclusive\n"); - exit(1); + exit(-1); } r_opts.verbose++; break; @@ -391,12 +391,12 @@ int main(int argc, char **argv) if (stat(argv[optind], &sb) < 0) { perror(argv[optind]); - exit(1); + exit(-1); } if (!S_ISREG(sb.st_mode)) { fprintf(stderr, "%s: spec file %s is not a regular file.\n", argv[0], argv[optind]); - exit(1); + exit(-1); } altpath = argv[optind]; @@ -409,7 +409,7 @@ int main(int argc, char **argv) r_opts.selabel_opt_path = altpath; if (nerr) - exit(1); + exit(-1); restore_init(&r_opts); if (use_input_file) { @@ -452,5 +452,5 @@ int main(int argc, char **argv) if (r_opts.progress && r_opts.count >= STAR_COUNT) printf("\n"); - exit(errors); + exit(errors ? -1: 0); } diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile index a6addc5..45d6538 100644 --- a/policycoreutils/setsebool/Makefile +++ b/policycoreutils/setsebool/Makefile 
@@ -4,7 +4,7 @@ INCLUDEDIR ?= $(PREFIX)/include SBINDIR ?= $(PREFIX)/sbin MANDIR = $(PREFIX)/share/man LIBDIR ?= $(PREFIX)/lib -BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/ +BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions CFLAGS ?= -Werror -Wall -W override CFLAGS += -I$(INCLUDEDIR) @@ -23,7 +23,7 @@ install: all -mkdir -p $(MANDIR)/man8 install -m 644 setsebool.8 $(MANDIR)/man8/ -mkdir -p $(BASHCOMPLETIONDIR) - install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR) + install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/setsebool relabel:
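Review bot: The new rule `install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/setsebool` copies to a fixed file name, which only works if `$(BASHCOMPLETIONS)` (defined outside this hunk) expands to exactly one file; with two or more sources `install` needs a directory target and this line fails. If it is indeed a single file, a comment such as `# single file, installed under the command name as bash-completion expects` makes that contract visible. The changed default `BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions` also bakes `$(DESTDIR)` into an overridable variable, so a packager who sets `BASHCOMPLETIONDIR=` on the command line silently loses staging; the usual form is a plain `/usr/share/...` default with `$(DESTDIR)$(BASHCOMPLETIONDIR)` at the use site.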