diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.55/Makefile --- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400 +++ policycoreutils-2.0.55/Makefile 2008-08-29 14:34:58.000000000 -0400 @@ -1,4 +1,4 @@ -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po +SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.55/restorecond/restorecond.conf --- nsapolicycoreutils/restorecond/restorecond.conf 2008-08-28 09:34:24.000000000 -0400 +++ policycoreutils-2.0.55/restorecond/restorecond.conf 2008-09-03 17:38:35.000000000 -0400 @@ -1,7 +1,8 @@ +/etc/services /etc/resolv.conf /etc/samba/secrets.tdb /etc/mtab /var/run/utmp /var/log/wtmp -~/public_html +~/* ~/.mozilla/plugins/libflashplayer.so diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/stringslist.c policycoreutils-2.0.55/restorecond/stringslist.c --- nsapolicycoreutils/restorecond/stringslist.c 2008-08-28 09:34:24.000000000 -0400 +++ policycoreutils-2.0.55/restorecond/stringslist.c 2008-09-03 17:43:40.000000000 -0400 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006 Red Hat + * Copyright (C) 2006, 2008 Red Hat * see file 'COPYING' for use and warranty information * * This program is free software; you can redistribute it and/or @@ -27,6 +27,7 @@ #include #include "stringslist.h" #include "restorecond.h" +#include /* Sorted lists */ void strings_list_add(struct stringsList **list, const char *string) @@ -57,11 +58,9 @@ int strings_list_find(struct stringsList *ptr, const char *string) { while (ptr) { - int cmp = strcmp(string, ptr->string); - if (cmp < 0) - return -1; /* Not on list break out to add */ - if (cmp == 0) - return 0; /* Already on list */ + int cmp = fnmatch(ptr->string, string, 0); + if (cmp == 0) + return 0; /* Match found */ ptr = ptr->next; } return -1; @@ -120,6 +119,7 @@ if (strings_list_diff(list, list1) == 0) printf("strings_list_diff test2 bug\n"); strings_list_add(&list1, "/etc/walsh"); + strings_list_add(&list1, "/etc/walsh/*"); strings_list_add(&list1, "/etc/resolv.conf"); strings_list_add(&list1, "/etc/mtab1"); if (strings_list_diff(list, list1) == 0) @@ -127,6 +127,7 @@ printf("strings list\n"); strings_list_print(list); printf("strings list1\n"); + strings_list_find(list1, "/etc/walsh/dan"); strings_list_print(list1); strings_list_free(list); strings_list_free(list1); diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.55/scripts/fixfiles --- nsapolicycoreutils/scripts/fixfiles 2008-08-28 09:34:24.000000000 -0400 +++ policycoreutils-2.0.55/scripts/fixfiles 2008-09-08 14:08:57.000000000 -0400 @@ -139,14 +139,14 @@ LogReadOnly ${SETFILES} -q ${OUTFILES} ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* -find /tmp -context "*:file_t*" -exec chcon -t tmp_t {} \; -find /var/tmp -context "*:file_t*" -exec chcon -t tmp_t {} \; +find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; +find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; exit $? } fullrelabel() { logit "Cleaning out /tmp" - rm -rf /tmp/.??* /tmp/* + find /tmp/ -mindepth 1 -print0 | xargs -0 /bin/rm -f LogReadOnly restore } diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.55/semanage/semanage --- nsapolicycoreutils/semanage/semanage 2008-08-28 09:34:24.000000000 -0400 +++ policycoreutils-2.0.55/semanage/semanage 2008-08-29 14:34:58.000000000 -0400 @@ -20,7 +20,7 @@ # 02111-1307 USA # # -import os, sys, getopt +import sys, getopt, re import seobject import selinux PROGNAME="policycoreutils" @@ -43,13 +43,14 @@ if __name__ == '__main__': def usage(message = ""): - print _(""" -semanage {boolean|login|user|port|interface|node|fcontext|translation} -{l|D} [-n] + raise ValueError(_(""" +semanage [ -S store ] -i [ input_file | - ] + +semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n] semanage login -{a|d|m} [-sr] login_name | %groupname semanage user -{a|d|m} [-LrRP] selinux_name semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range semanage interface -{a|d|m} [-tr] interface_spec -semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr semanage fcontext -{a|d|m} [-frst] file_spec semanage translation -{a|d|m} [-T] level semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file @@ -60,6 +61,7 @@ -a, --add Add a OBJECT record NAME -d, --delete Delete a OBJECT record NAME -m, --modify Modify a OBJECT record NAME + -i, --input Input multiple semange commands in a transaction -l, --list List the OBJECTS -C, --locallist List OBJECTS local customizations -D, --deleteall Remove all OBJECTS local customizations @@ -81,8 +83,7 @@ -p (named pipe) -F, --file Treat target as an input file for command, change multiple settings - -p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6) - -M, --mask Netmask + -p, --proto Port protocol (tcp or udp) -P, --prefix Prefix for home directory labeling -L, --level Default SELinux Level (MLS/MCS Systems only) -R, --roles SELinux Roles (ex: "sysadm_r staff_r") @@ -91,9 +92,8 @@ -s, --seuser SELinux User Name -t, --type SELinux Type for the object -r, --range MLS/MCS Security Range (MLS/MCS Systems only) -""") - print message - sys.exit(1) +%s +""") % message) def errorExit(error): sys.stderr.write("%s: " % sys.argv[0]) @@ -111,9 +111,7 @@ valid_option["port"] = [] valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--proto' ] valid_option["interface"] = [] - valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range'] - valid_option["node"] = [] - valid_option["node"] += valid_everyone + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol'] + valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range'] valid_option["fcontext"] = [] valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range'] valid_option["translation"] = [] @@ -124,16 +122,56 @@ valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ] return valid_option - # - # - # - try: - input = sys.stdin - output = sys.stdout + def mkargv(line): + dquote = "\"" + squote = "\'" + l = line.split() + ret = [] + i = 0 + while i < len(l): + cnt = len(re.findall(dquote, l[i])) + if cnt > 1: + ret.append(l[i].strip(dquote)) + i = i + 1 + continue + if cnt == 1: + quote = [ l[i].strip(dquote) ] + i = i + 1 + + while i < len(l) and dquote not in l[i]: + quote.append(l[i]) + i = i + 1 + quote.append(l[i].strip(dquote)) + ret.append(" ".join(quote)) + i = i + 1 + continue + + cnt = len(re.findall(squote, l[i])) + if cnt > 1: + ret.append(l[i].strip(squote)) + i = i + 1 + continue + if cnt == 1: + quote = [ l[i].strip(squote) ] + i = i + 1 + while i < len(l) and squote not in l[i]: + quote.append(l[i]) + i = i + 1 + + quote.append(l[i].strip(squote)) + ret.append(" ".join(quote)) + i = i + 1 + continue + + ret.append(l[i]) + i = i + 1 + + return ret + + def process_args(argv): serange = "" port = "" proto = "" - mask = "" selevel = "" setype = "" ftype = "" @@ -151,24 +189,23 @@ locallist = False use_file = False store = "" - if len(sys.argv) < 3: - usage(_("Requires 2 or more arguments")) - object = sys.argv[1] + object = argv[0] option_dict=get_options() if object not in option_dict.keys(): usage(_("%s not defined") % object) - args = sys.argv[2:] + args = argv[1:] gopts, cmds = getopt.getopt(args, - '01adf:lhmnp:s:FCDR:L:r:t:T:P:S:M:', + '01adf:i:lhmnp:s:FCDR:L:r:t:T:P:S:', ['add', 'delete', 'deleteall', 'ftype=', 'file', 'help', + 'input=', 'list', 'modify', 'noheading', @@ -183,8 +220,7 @@ 'roles=', 'type=', 'trans=', - 'prefix=', - 'mask=' + 'prefix=' ]) for o, a in gopts: if o not in option_dict[object]: @@ -193,16 +229,16 @@ for o,a in gopts: if o == "-a" or o == "--add": if modify or delete: - usage() + raise ValueError(_("%s bad option") % o) add = True if o == "-d" or o == "--delete": if modify or add: - usage() + raise ValueError(_("%s bad option") % o) delete = True if o == "-D" or o == "--deleteall": if modify: - usage() + raise ValueError(_("%s bad option") % o) deleteall = True if o == "-f" or o == "--ftype": ftype=a @@ -211,7 +247,7 @@ use_file = True if o == "-h" or o == "--help": - usage() + raise ValueError(_("%s bad option") % o) if o == "-n" or o == "--noheading": heading = False @@ -221,7 +257,7 @@ if o == "-m"or o == "--modify": if delete or add: - usage() + raise ValueError(_("%s bad option") % o) modify = True if o == "-S" or o == '--store': @@ -229,7 +265,7 @@ if o == "-r" or o == '--range': if is_mls_enabled == 0: - errorExit(_("range not supported on Non MLS machines")) + raise ValueError(_("range not supported on Non MLS machines")) serange = a if o == "-l" or o == "--list": @@ -237,7 +273,7 @@ if o == "-L" or o == '--level': if is_mls_enabled == 0: - errorExit(_("range not supported on Non MLS machines")) + raise ValueError(_("range not supported on Non MLS machines")) selevel = a if o == "-p" or o == '--proto': @@ -252,9 +288,6 @@ if o == "-s" or o == "--seuser": seuser = a - if o == "-M" or o == '--mask': - mask = a - if o == "-t" or o == "--type": setype = a @@ -277,9 +310,6 @@ if object == "interface": OBJECT = seobject.interfaceRecords(store) - - if object == "node": - OBJECT = seobject.nodeRecords(store) if object == "fcontext": OBJECT = seobject.fcontextRecords(store) @@ -298,14 +328,14 @@ OBJECT.list(heading, locallist, use_file) else: OBJECT.list(heading, locallist) - sys.exit(0); + return if deleteall: OBJECT.deleteall() - sys.exit(0); + return if len(cmds) != 1: - usage() + raise ValueError(_("%s bad option") % o) target = cmds[0] @@ -317,10 +347,7 @@ OBJECT.add(target, setrans) if object == "user": - rlist = [] - if not use_file: - rlist = roles.split() - OBJECT.add(target, rlist, selevel, serange, prefix) + OBJECT.add(target, roles.split(), selevel, serange, prefix) if object == "port": OBJECT.add(target, proto, serange, setype) @@ -328,15 +355,12 @@ if object == "interface": OBJECT.add(target, serange, setype) - if object == "node": - OBJECT.add(target, mask, proto, serange, setype) - if object == "fcontext": OBJECT.add(target, setype, ftype, serange, seuser) if object == "permissive": OBJECT.add(target) - sys.exit(0); + return if modify: if object == "boolean": @@ -358,13 +382,10 @@ if object == "interface": OBJECT.modify(target, serange, setype) - if object == "node": - OBJECT.modify(target, mask, proto, serange, setype) - if object == "fcontext": OBJECT.modify(target, setype, ftype, serange, seuser) - sys.exit(0); + return if delete: if object == "port": @@ -373,22 +394,72 @@ elif object == "fcontext": OBJECT.delete(target, ftype) - elif object == "node": - OBJECT.delete(target, mask, proto) - else: OBJECT.delete(target) - sys.exit(0); - usage() + return + + raise ValueError(_("Invalid command") % " ".join(argv)) + + # + # + # + try: + input = None + store = "" + + if len(sys.argv) < 3: + usage(_("Requires 2 or more arguments")) + + gopts, cmds = getopt.getopt(sys.argv[1:], + '01adf:i:lhmnp:s:FCDR:L:r:t:T:P:S:', + ['add', + 'delete', + 'deleteall', + 'ftype=', + 'file', + 'help', + 'input=', + 'list', + 'modify', + 'noheading', + 'localist', + 'off', + 'on', + 'proto=', + 'seuser=', + 'store=', + 'range=', + 'level=', + 'roles=', + 'type=', + 'trans=', + 'prefix=' + ]) + for o, a in gopts: + if o == "-S" or o == '--store': + store = a + if o == "-i" or o == '--input': + input = a + + if input != None: + if input == "-": + fd = sys.stdin + else: + fd = open(input, 'r') + trans = seobject.semanageRecords(store) + trans.begin() + for l in fd.readlines(): + process_args(mkargv(l)) + trans.commit() + else: + process_args(sys.argv[1:]) except getopt.error, error: - errorExit(_("Options Error %s ") % error.msg) + usage(_("Options Error %s ") % error.msg) except ValueError, error: errorExit(error.args[0]) except KeyError, error: errorExit(_("Invalid value %s") % error.args[0]) except IOError, error: errorExit(error.args[1]) - except KeyboardInterrupt, error: - sys.exit(0) diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.55/semanage/semanage.8 --- nsapolicycoreutils/semanage/semanage.8 2008-08-28 09:34:24.000000000 -0400 +++ policycoreutils-2.0.55/semanage/semanage.8 2008-08-29 14:34:58.000000000 -0400 @@ -3,7 +3,7 @@ semanage \- SELinux Policy Management tool .SH "SYNOPSIS" -.B semanage {boolean|login|user|port|interface|node|fcontext|translation} \-{l|D} [\-n] [\-S store] +.B semanage {boolean|login|user|port|interface|fcontext|translation} \-{l|D} [\-n] [\-S store] .br .B semanage boolean \-{d|m} [\-\-on|\-\-off|\-1|\-0] -F boolean | boolean_file .br @@ -15,8 +15,6 @@ .br .B semanage interface \-{a|d|m} [\-tr] interface_spec .br -.B semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] address -.br .B semanage fcontext \-{a|d|m} [\-frst] file_spec .br .B semanage permissive \-{a|d} type @@ -80,7 +78,7 @@ Do not print heading when listing OBJECTS. .TP .I \-p, \-\-proto -Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6). +Protocol for the specified port (tcp|udp). .TP .I \-r, \-\-range MLS/MCS Security Range (MLS/MCS Systems only) diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.55/semanage/seobject.py --- nsapolicycoreutils/semanage/seobject.py 2008-08-28 09:34:24.000000000 -0400 +++ policycoreutils-2.0.55/semanage/seobject.py 2008-08-29 14:34:58.000000000 -0400 @@ -26,7 +26,6 @@ PROGNAME="policycoreutils" import sepolgen.module as module -import commands import gettext gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.textdomain(PROGNAME) @@ -40,6 +39,33 @@ import syslog +handle = None + +def get_handle(store): + global handle + + handle = semanage_handle_create() + if not handle: + raise ValueError(_("Could not create semanage handle")) + + if store != "": + semanage_select_store(handle, store, SEMANAGE_CON_DIRECT); + + if not semanage_is_managed(handle): + semanage_handle_destroy(handle) + raise ValueError(_("SELinux policy is not managed or store cannot be accessed.")) + + rc = semanage_access_check(handle) + if rc < SEMANAGE_CAN_READ: + semanage_handle_destroy(handle) + raise ValueError(_("Cannot read policy store.")) + + rc = semanage_connect(handle) + if rc < 0: + semanage_handle_destroy(handle) + raise ValueError(_("Could not establish semanage connection")) + return handle + file_types = {} file_types[""] = SEMANAGE_FCONTEXT_ALL; file_types["all files"] = SEMANAGE_FCONTEXT_ALL; @@ -90,8 +116,6 @@ mylog = logger() -import sys, os -import re import xml.etree.ElementTree booleans_dict={} @@ -249,31 +273,36 @@ os.rename(newfilename, self.filename) os.system("/sbin/service mcstrans reload > /dev/null") -class permissiveRecords: +class semanageRecords: def __init__(self, store): - self.store = store - self.sh = semanage_handle_create() - if not self.sh: - raise ValueError(_("Could not create semanage handle")) - - if store != "": - semanage_select_store(self.sh, store, SEMANAGE_CON_DIRECT); + global handle - self.semanaged = semanage_is_managed(self.sh) - - if not self.semanaged: - semanage_handle_destroy(self.sh) - raise ValueError(_("SELinux policy is not managed or store cannot be accessed.")) - - rc = semanage_access_check(self.sh) - if rc < SEMANAGE_CAN_READ: - semanage_handle_destroy(self.sh) - raise ValueError(_("Cannot read policy store.")) + if handle != None: + self.transaction = True + self.sh = handle + else: + self.sh=get_handle(store) + self.transaction = False + + def deleteall(self): + raise ValueError(_("Not yet implemented")) - rc = semanage_connect(self.sh) + def begin(self): + if self.transaction: + return + rc = semanage_begin_transaction(self.sh) + if rc < 0: + raise ValueError(_("Could not start semanage transaction")) + def commit(self): + if self.transaction: + return + rc = semanage_commit(self.sh) if rc < 0: - semanage_handle_destroy(self.sh) - raise ValueError(_("Could not establish semanage connection")) + raise ValueError(_("Could not commit semanage transaction")) + +class permissiveRecords(semanageRecords): + def __init__(self, store): + semanageRecords.__init__(self, store) def get_all(self): l = [] @@ -321,9 +350,9 @@ rc = semanage_module_install(self.sh, data, len(data)); if rc < 0: raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not set permissive domain %s (commit failed)") % name) + + self.commit() + for root, dirs, files in os.walk("tmp", topdown=False): for name in files: os.remove(os.path.join(root, name)) @@ -331,13 +360,12 @@ os.rmdir(os.path.join(root, name)) def delete(self, name): - for n in name.split(): - rc = semanage_module_remove(self.sh, "permissive_%s" % n) - if rc < 0: - raise ValueError(_("Could not remove permissive domain %s (remove failed)") % name) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not remove permissive domain %s (commit failed)") % name) + for n in name.split(): + rc = semanage_module_remove(self.sh, "permissive_%s" % n) + if rc < 0: + raise ValueError(_("Could not remove permissive domain %s (remove failed)") % name) + + self.commit() def deleteall(self): l = self.get_all() @@ -345,39 +373,11 @@ all = " ".join(l) self.delete(all) -class semanageRecords: - def __init__(self, store): - self.sh = semanage_handle_create() - if not self.sh: - raise ValueError(_("Could not create semanage handle")) - - if store != "": - semanage_select_store(self.sh, store, SEMANAGE_CON_DIRECT); - - self.semanaged = semanage_is_managed(self.sh) - - if not self.semanaged: - semanage_handle_destroy(self.sh) - raise ValueError(_("SELinux policy is not managed or store cannot be accessed.")) - - rc = semanage_access_check(self.sh) - if rc < SEMANAGE_CAN_READ: - semanage_handle_destroy(self.sh) - raise ValueError(_("Cannot read policy store.")) - - rc = semanage_connect(self.sh) - if rc < 0: - semanage_handle_destroy(self.sh) - raise ValueError(_("Could not establish semanage connection")) - def deleteall(self): - raise ValueError(_("Not yet implemented")) - - class loginRecords(semanageRecords): def __init__(self, store = ""): semanageRecords.__init__(self, store) - def add(self, name, sename, serange): + def __add(self, name, sename, serange): if is_mls_enabled == 1: if serange == "": serange = "s0" @@ -387,153 +387,145 @@ if sename == "": sename = "user_u" - try: - (rc,k) = semanage_seuser_key_create(self.sh, name) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) + (rc,k) = semanage_seuser_key_create(self.sh, name) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) - (rc,exists) = semanage_seuser_exists(self.sh, k) - if rc < 0: - raise ValueError(_("Could not check if login mapping for %s is defined") % name) - if exists: - raise ValueError(_("Login mapping for %s is already defined") % name) - if name[0] == '%': - try: - grp.getgrnam(name[1:]) - except: - raise ValueError(_("Linux Group %s does not exist") % name[1:]) - else: - try: - pwd.getpwnam(name) - except: - raise ValueError(_("Linux User %s does not exist") % name) + (rc,exists) = semanage_seuser_exists(self.sh, k) + if rc < 0: + raise ValueError(_("Could not check if login mapping for %s is defined") % name) + if exists: + raise ValueError(_("Login mapping for %s is already defined") % name) + if name[0] == '%': + try: + grp.getgrnam(name[1:]) + except: + raise ValueError(_("Linux Group %s does not exist") % name[1:]) + else: + try: + pwd.getpwnam(name) + except: + raise ValueError(_("Linux User %s does not exist") % name) - (rc,u) = semanage_seuser_create(self.sh) - if rc < 0: - raise ValueError(_("Could not create login mapping for %s") % name) + (rc,u) = semanage_seuser_create(self.sh) + if rc < 0: + raise ValueError(_("Could not create login mapping for %s") % name) - rc = semanage_seuser_set_name(self.sh, u, name) - if rc < 0: - raise ValueError(_("Could not set name for %s") % name) + rc = semanage_seuser_set_name(self.sh, u, name) + if rc < 0: + raise ValueError(_("Could not set name for %s") % name) - if serange != "": - rc = semanage_seuser_set_mlsrange(self.sh, u, serange) - if rc < 0: - raise ValueError(_("Could not set MLS range for %s") % name) + if serange != "": + rc = semanage_seuser_set_mlsrange(self.sh, u, serange) + if rc < 0: + raise ValueError(_("Could not set MLS range for %s") % name) - rc = semanage_seuser_set_sename(self.sh, u, sename) - if rc < 0: - raise ValueError(_("Could not set SELinux user for %s") % name) + rc = semanage_seuser_set_sename(self.sh, u, sename) + if rc < 0: + raise ValueError(_("Could not set SELinux user for %s") % name) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) + rc = semanage_seuser_modify_local(self.sh, k, u) + if rc < 0: + raise ValueError(_("Could not add login mapping for %s") % name) - rc = semanage_seuser_modify_local(self.sh, k, u) - if rc < 0: - raise ValueError(_("Could not add login mapping for %s") % name) + semanage_seuser_key_free(k) + semanage_seuser_free(u) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not add login mapping for %s") % name) + def add(self, name, sename, serange): + try: + self.begin() + self.__add(name, sename, serange) + self.commit() except ValueError, error: mylog.log(0, _("add SELinux user mapping"), name, sename, "", serange); raise error mylog.log(1, _("add SELinux user mapping"), name, sename, "", serange); - semanage_seuser_key_free(k) - semanage_seuser_free(u) - def modify(self, name, sename = "", serange = ""): - oldsename = "" - oldserange = "" - try: - if sename == "" and serange == "": - raise ValueError(_("Requires seuser or serange")) + def __modify(self, name, sename = "", serange = ""): + if sename == "" and serange == "": + raise ValueError(_("Requires seuser or serange")) - (rc,k) = semanage_seuser_key_create(self.sh, name) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) + (rc,k) = semanage_seuser_key_create(self.sh, name) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) - (rc,exists) = semanage_seuser_exists(self.sh, k) - if rc < 0: - raise ValueError(_("Could not check if login mapping for %s is defined") % name) - if not exists: - raise ValueError(_("Login mapping for %s is not defined") % name) + (rc,exists) = semanage_seuser_exists(self.sh, k) + if rc < 0: + raise ValueError(_("Could not check if login mapping for %s is defined") % name) + if not exists: + raise ValueError(_("Login mapping for %s is not defined") % name) - (rc,u) = semanage_seuser_query(self.sh, k) - if rc < 0: - raise ValueError(_("Could not query seuser for %s") % name) + (rc,u) = semanage_seuser_query(self.sh, k) + if rc < 0: + raise ValueError(_("Could not query seuser for %s") % name) - oldserange = semanage_seuser_get_mlsrange(u) - oldsename = semanage_seuser_get_sename(u) - if serange != "": - semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange)) - else: - serange = oldserange - if sename != "": - semanage_seuser_set_sename(self.sh, u, sename) - else: - sename = oldsename + oldserange = semanage_seuser_get_mlsrange(u) + oldsename = semanage_seuser_get_sename(u) + if serange != "": + semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange)) + else: + serange = oldserange - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) + if sename != "": + semanage_seuser_set_sename(self.sh, u, sename) + else: + sename = oldsename - rc = semanage_seuser_modify_local(self.sh, k, u) - if rc < 0: - raise ValueError(_("Could not modify login mapping for %s") % name) + rc = semanage_seuser_modify_local(self.sh, k, u) + if rc < 0: + raise ValueError(_("Could not modify login mapping for %s") % name) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not modify login mapping for %s") % name) + semanage_seuser_key_free(k) + semanage_seuser_free(u) - except ValueError, error: - mylog.log(0,"modify selinux user mapping", name, sename,"", serange, oldsename, "", oldserange); - raise error - - mylog.log(1,"modify selinux user mapping", name, sename, "", serange, oldsename, "", oldserange); - semanage_seuser_key_free(k) - semanage_seuser_free(u) + mylog.log(1,"modify selinux user mapping", name, sename, "", serange, oldsename, "", oldserange); - def delete(self, name): + def modify(self, name, sename = "", serange = ""): try: - (rc,k) = semanage_seuser_key_create(self.sh, name) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) + self.begin() + self.__modify(name, sename, serange) + self.commit() - (rc,exists) = semanage_seuser_exists(self.sh, k) - if rc < 0: - raise ValueError(_("Could not check if login mapping for %s is defined") % name) - if not exists: - raise ValueError(_("Login mapping for %s is not defined") % name) + except ValueError, error: + mylog.log(0,"modify selinux user mapping", name, sename,"", serange, "", "", ""); + raise error + + def __delete(self, name): + (rc,k) = semanage_seuser_key_create(self.sh, name) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) - (rc,exists) = semanage_seuser_exists_local(self.sh, k) - if rc < 0: - raise ValueError(_("Could not check if login mapping for %s is defined") % name) - if not exists: - raise ValueError(_("Login mapping for %s is defined in policy, cannot be deleted") % name) + (rc,exists) = semanage_seuser_exists(self.sh, k) + if rc < 0: + raise ValueError(_("Could not check if login mapping for %s is defined") % name) + if not exists: + raise ValueError(_("Login mapping for %s is not defined") % name) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) + (rc,exists) = semanage_seuser_exists_local(self.sh, k) + if rc < 0: + raise ValueError(_("Could not check if login mapping for %s is defined") % name) + if not exists: + raise ValueError(_("Login mapping for %s is defined in policy, cannot be deleted") % name) - rc = semanage_seuser_del_local(self.sh, k) + rc = semanage_seuser_del_local(self.sh, k) + if rc < 0: + raise ValueError(_("Could not delete login mapping for %s") % name) - if rc < 0: - raise ValueError(_("Could not delete login mapping for %s") % name) + semanage_seuser_key_free(k) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not delete login mapping for %s") % name) + def delete(self, name): + try: + self.begin() + self.__delete(name) + self.commit() except ValueError, error: mylog.log(0,"delete SELinux user mapping", name); raise error mylog.log(1,"delete SELinux user mapping", name); - semanage_seuser_key_free(k) def get_all(self, locallist = 0): ddict = {} @@ -568,7 +560,7 @@ def __init__(self, store = ""): semanageRecords.__init__(self, store) - def add(self, name, roles, selevel, serange, prefix): + def __add(self, name, roles, selevel, serange, prefix): if is_mls_enabled == 1: if serange == "": serange = "s0" @@ -580,170 +572,167 @@ else: selevel = untranslate(selevel) - seroles = " ".join(roles) - try: - (rc,k) = semanage_user_key_create(self.sh, name) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) + if len(roles) < 1: + raise ValueError(_("You must add at least one role for %s") % name) + + (rc,k) = semanage_user_key_create(self.sh, name) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) - (rc,exists) = semanage_user_exists(self.sh, k) - if rc < 0: - raise ValueError(_("Could not check if SELinux user %s is defined") % name) - if exists: - raise ValueError(_("SELinux user %s is already defined") % name) + (rc,exists) = semanage_user_exists(self.sh, k) + if rc < 0: + raise ValueError(_("Could not check if SELinux user %s is defined") % name) + if exists: + raise ValueError(_("SELinux user %s is already defined") % name) - (rc,u) = semanage_user_create(self.sh) - if rc < 0: - raise ValueError(_("Could not create SELinux user for %s") % name) + (rc,u) = semanage_user_create(self.sh) + if rc < 0: + raise ValueError(_("Could not create SELinux user for %s") % name) - rc = semanage_user_set_name(self.sh, u, name) - if rc < 0: - raise ValueError(_("Could not set name for %s") % name) + rc = semanage_user_set_name(self.sh, u, name) + if rc < 0: + raise ValueError(_("Could not set name for %s") % name) - for r in roles: - rc = semanage_user_add_role(self.sh, u, r) - if rc < 0: - raise ValueError(_("Could not add role %s for %s") % (r, name)) + for r in roles: + rc = semanage_user_add_role(self.sh, u, r) + if rc < 0: + raise ValueError(_("Could not add role %s for %s") % (r, name)) - if is_mls_enabled == 1: - rc = semanage_user_set_mlsrange(self.sh, u, serange) - if rc < 0: - raise ValueError(_("Could not set MLS range for %s") % name) - - rc = semanage_user_set_mlslevel(self.sh, u, selevel) - if rc < 0: - raise ValueError(_("Could not set MLS level for %s") % name) - rc = semanage_user_set_prefix(self.sh, u, prefix) - if rc < 0: - raise ValueError(_("Could not add prefix %s for %s") % (r, prefix)) - (rc,key) = semanage_user_key_extract(self.sh,u) - if rc < 0: - raise ValueError(_("Could not extract key for %s") % name) + if is_mls_enabled == 1: + rc = semanage_user_set_mlsrange(self.sh, u, serange) + if rc < 0: + raise ValueError(_("Could not set MLS range for %s") % name) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) + rc = semanage_user_set_mlslevel(self.sh, u, selevel) + if rc < 0: + raise ValueError(_("Could not set MLS level for %s") % name) + rc = semanage_user_set_prefix(self.sh, u, prefix) + if rc < 0: + raise ValueError(_("Could not add prefix %s for %s") % (r, prefix)) + (rc,key) = semanage_user_key_extract(self.sh,u) + if rc < 0: + raise ValueError(_("Could not extract key for %s") % name) - rc = semanage_user_modify_local(self.sh, k, u) - if rc < 0: - raise ValueError(_("Could not add SELinux user %s") % name) + rc = semanage_user_modify_local(self.sh, k, u) + if rc < 0: + raise ValueError(_("Could not add SELinux user %s") % name) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not add SELinux user %s") % name) + semanage_user_key_free(k) + semanage_user_free(u) + def add(self, name, roles, selevel, serange, prefix): + seroles = " ".join(roles) + try: + self.begin() + self.__add( name, roles, selevel, serange, prefix) + self.commit() except ValueError, error: mylog.log(0,"add SELinux user record", name, name, seroles, serange) raise error mylog.log(1,"add SELinux user record", name, name, seroles, serange) - semanage_user_key_free(k) - semanage_user_free(u) - def modify(self, name, roles = [], selevel = "", serange = "", prefix = ""): + def __modify(self, name, roles = [], selevel = "", serange = "", prefix = ""): oldroles = "" oldserange = "" newroles = string.join(roles, ' '); - try: - if prefix == "" and len(roles) == 0 and serange == "" and selevel == "": - if is_mls_enabled == 1: - raise ValueError(_("Requires prefix, roles, level or range")) - else: - raise ValueError(_("Requires prefix or roles")) - - (rc,k) = semanage_user_key_create(self.sh, name) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) - - (rc,exists) = semanage_user_exists(self.sh, k) - if rc < 0: - raise ValueError(_("Could not check if SELinux user %s is defined") % name) - if not exists: - raise ValueError(_("SELinux user %s is not defined") % name) + if prefix == "" and len(roles) == 0 and serange == "" and selevel == "": + if is_mls_enabled == 1: + raise ValueError(_("Requires prefix, roles, level or range")) + else: + raise ValueError(_("Requires prefix or roles")) - (rc,u) = semanage_user_query(self.sh, k) - if rc < 0: - raise ValueError(_("Could not query user for %s") % name) + (rc,k) = semanage_user_key_create(self.sh, name) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) - oldserange = semanage_user_get_mlsrange(u) - (rc, rlist) = semanage_user_get_roles(self.sh, u) - if rc >= 0: - oldroles = string.join(rlist, ' '); - newroles = newroles + ' ' + oldroles; - - - if serange != "": - semanage_user_set_mlsrange(self.sh, u, untranslate(serange)) - if selevel != "": - semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) - - if prefix != "": - semanage_user_set_prefix(self.sh, u, prefix) - - if len(roles) != 0: - for r in rlist: - if r not in roles: - semanage_user_del_role(u, r) - for r in roles: - if r not in rlist: - semanage_user_add_role(self.sh, u, r) + (rc,exists) = semanage_user_exists(self.sh, k) + if rc < 0: + raise ValueError(_("Could not check if SELinux user %s is defined") % name) + if not exists: + raise ValueError(_("SELinux user %s is not defined") % name) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) + (rc,u) = semanage_user_query(self.sh, k) + if rc < 0: + raise ValueError(_("Could not query user for %s") % name) - rc = semanage_user_modify_local(self.sh, k, u) - if rc < 0: - raise ValueError(_("Could not modify SELinux user %s") % name) + oldserange = semanage_user_get_mlsrange(u) + (rc, rlist) = semanage_user_get_roles(self.sh, u) + if rc >= 0: + oldroles = string.join(rlist, ' '); + newroles = newroles + ' ' + oldroles; + + + if serange != "": + semanage_user_set_mlsrange(self.sh, u, untranslate(serange)) + if selevel != "": + semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) + + if prefix != "": + semanage_user_set_prefix(self.sh, u, prefix) + + if len(roles) != 0: + for r in rlist: + if r not in roles: + semanage_user_del_role(u, r) + for r in roles: + if r not in rlist: + semanage_user_add_role(self.sh, u, r) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not modify SELinux user %s") % name) + rc = semanage_user_modify_local(self.sh, k, u) + if rc < 0: + raise ValueError(_("Could not modify SELinux user %s") % name) - except ValueError, error: - mylog.log(0,"modify SELinux user record", name, "", newroles, serange, "", oldroles, oldserange) - raise error + semanage_user_key_free(k) + semanage_user_free(u) mylog.log(1,"modify SELinux user record", name, "", newroles, serange, "", oldroles, oldserange) - semanage_user_key_free(k) - semanage_user_free(u) - def delete(self, name): + def modify(self, name, roles = [], selevel = "", serange = "", prefix = ""): try: - (rc,k) = semanage_user_key_create(self.sh, name) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) + self.begin() + self.__modify(name, roles, selevel, serange, prefix) + self.commit() + + except ValueError, error: + mylog.log(0,"modify SELinux user record", name, "", " ".join(roles), serange, "", "", "") + raise error + + def __delete(self, name): + (rc,k) = semanage_user_key_create(self.sh, name) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) - (rc,exists) = semanage_user_exists(self.sh, k) - if rc < 0: - raise ValueError(_("Could not check if SELinux user %s is defined") % name) - if not exists: - raise ValueError(_("SELinux user %s is not defined") % name) + (rc,exists) = semanage_user_exists(self.sh, k) + if rc < 0: + raise ValueError(_("Could not check if SELinux user %s is defined") % name) + if not exists: + raise ValueError(_("SELinux user %s is not defined") % name) - (rc,exists) = semanage_user_exists_local(self.sh, k) - if rc < 0: - raise ValueError(_("Could not check if SELinux user %s is defined") % name) - if not exists: - raise ValueError(_("SELinux user %s is defined in policy, cannot be deleted") % name) + (rc,exists) = semanage_user_exists_local(self.sh, k) + if rc < 0: + raise ValueError(_("Could not check if SELinux user %s is defined") % name) + if not exists: + raise ValueError(_("SELinux user %s is defined in policy, cannot be deleted") % name) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) + rc = semanage_user_del_local(self.sh, k) + if rc < 0: + raise ValueError(_("Could not delete SELinux user %s") % name) - rc = semanage_user_del_local(self.sh, k) - if rc < 0: - raise ValueError(_("Could not delete SELinux user %s") % name) + semanage_user_key_free(k) + + def delete(self, name): + try: + self.begin() + self.__delete(name) + self.commit() - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not delete SELinux user %s") % name) except ValueError, error: mylog.log(0,"delete SELinux user record", name) raise error mylog.log(1,"delete SELinux user record", name) - semanage_user_key_free(k) def get_all(self, locallist = 0): ddict = {} @@ -808,7 +797,7 @@ raise ValueError(_("Could not create a key for %s/%s") % (proto, port)) return ( k, proto_d, low, high ) - def add(self, port, proto, serange, type): + def __add(self, port, proto, serange, type): if is_mls_enabled == 1: if serange == "": serange = "s0" @@ -857,23 +846,20 @@ if rc < 0: raise ValueError(_("Could not set port context for %s/%s") % (proto, port)) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) - rc = semanage_port_modify_local(self.sh, k, p) if rc < 0: raise ValueError(_("Could not add port %s/%s") % (proto, port)) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not add port %s/%s") % (proto, port)) - semanage_context_free(con) semanage_port_key_free(k) semanage_port_free(p) - def modify(self, port, proto, serange, setype): + def add(self, port, proto, serange, type): + self.begin() + self.__add(port, proto, serange, type) + self.commit() + + def __modify(self, port, proto, serange, setype): if serange == "" and setype == "": if is_mls_enabled == 1: raise ValueError(_("Requires setype or serange")) @@ -899,29 +885,24 @@ if setype != "": semanage_context_set_type(self.sh, con, setype) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) - rc = semanage_port_modify_local(self.sh, k, p) if rc < 0: raise ValueError(_("Could not modify port %s/%s") % (proto, port)) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not modify port %s/%s") % (proto, port)) - semanage_port_key_free(k) semanage_port_free(p) + def modify(self, port, proto, serange, setype): + self.begin() + self.__modify(port, proto, serange, setype) + self.commit() + def deleteall(self): (rc, plist) = semanage_port_list_local(self.sh) if rc < 0: raise ValueError(_("Could not list the ports")) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) + self.begin() for port in plist: proto = semanage_port_get_proto(port) @@ -938,11 +919,9 @@ raise ValueError(_("Could not delete the port %s") % port_str) semanage_port_key_free(k) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not delete the %s") % port_str) + self.commit() - def delete(self, port, proto): + def __delete(self, port, proto): ( k, proto_d, low, high ) = self.__genkey(port, proto) (rc,exists) = semanage_port_exists(self.sh, k) if rc < 0: @@ -956,20 +935,17 @@ if not exists: raise ValueError(_("Port %s/%s is defined in policy, cannot be deleted") % (proto, port)) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) - rc = semanage_port_del_local(self.sh, k) if rc < 0: raise ValueError(_("Could not delete port %s/%s") % (proto, port)) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not delete port %s/%s") % (proto, port)) - semanage_port_key_free(k) + def delete(self, port, proto): + self.begin() + self.__delete(port, proto) + self.commit() + def get_all(self, locallist = 0): ddict = {} if locallist: @@ -1031,236 +1007,11 @@ rec += ", %s" % p print rec -class nodeRecords(semanageRecords): - def __init__(self, store = ""): - semanageRecords.__init__(self,store) - - def add(self, addr, mask, proto, serange, ctype): - if addr == "": - raise ValueError(_("Node Address is required")) - - if mask == "": - raise ValueError(_("Node Netmask is required")) - - if proto == "ipv4": - proto = 0 - elif proto == "ipv6": - proto = 1 - else: - raise ValueError(_("Unknown or missing protocol")) - - - if is_mls_enabled == 1: - if serange == "": - serange = "s0" - else: - serange = untranslate(serange) - - if ctype == "": - raise ValueError(_("SELinux Type is required")) - - (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto) - if rc < 0: - raise ValueError(_("Could not create key for %s") % addr) - if rc < 0: - raise ValueError(_("Could not check if addr %s is defined") % addr) - - (rc,exists) = semanage_node_exists(self.sh, k) - if exists: - raise ValueError(_("Addr %s already defined") % addr) - - (rc,node) = semanage_node_create(self.sh) - if rc < 0: - raise ValueError(_("Could not create addr for %s") % addr) - - rc = semanage_node_set_addr(self.sh, node, proto, addr) - (rc, con) = semanage_context_create(self.sh) - if rc < 0: - raise ValueError(_("Could not create context for %s") % addr) - - rc = semanage_node_set_mask(self.sh, node, proto, mask) - if rc < 0: - raise ValueError(_("Could not set mask for %s") % addr) - - - rc = semanage_context_set_user(self.sh, con, "system_u") - if rc < 0: - raise ValueError(_("Could not set user in addr context for %s") % addr) - - rc = semanage_context_set_role(self.sh, con, "object_r") - if rc < 0: - raise ValueError(_("Could not set role in addr context for %s") % addr) - - rc = semanage_context_set_type(self.sh, con, ctype) - if rc < 0: - raise ValueError(_("Could not set type in addr context for %s") % addr) - - if serange != "": - rc = semanage_context_set_mls(self.sh, con, serange) - if rc < 0: - raise ValueError(_("Could not set mls fields in addr context for %s") % addr) - - rc = semanage_node_set_con(self.sh, node, con) - if rc < 0: - raise ValueError(_("Could not set addr context for %s") % addr) - - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) - - rc = semanage_node_modify_local(self.sh, k, node) - if rc < 0: - raise ValueError(_("Could not add addr %s") % addr) - - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not add addr %s") % addr) - - semanage_context_free(con) - semanage_node_key_free(k) - semanage_node_free(node) - - def modify(self, addr, mask, proto, serange, setype): - if addr == "": - raise ValueError(_("Node Address is required")) - - if mask == "": - raise ValueError(_("Node Netmask is required")) - if proto == "ipv4": - proto = 0 - elif proto == "ipv6": - proto = 1 - else: - raise ValueError(_("Unknown or missing protocol")) - - - if serange == "" and setype == "": - raise ValueError(_("Requires setype or serange")) - - (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto) - if rc < 0: - raise ValueError(_("Could not create key for %s") % addr) - - (rc,exists) = semanage_node_exists(self.sh, k) - if rc < 0: - raise ValueError(_("Could not check if addr %s is defined") % addr) - if not exists: - raise ValueError(_("Addr %s is not defined") % addr) - - (rc,node) = semanage_node_query(self.sh, k) - if rc < 0: - raise ValueError(_("Could not query addr %s") % addr) - - con = semanage_node_get_con(node) - - if serange != "": - semanage_context_set_mls(self.sh, con, untranslate(serange)) - if setype != "": - semanage_context_set_type(self.sh, con, setype) - - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) - - rc = semanage_node_modify_local(self.sh, k, node) - if rc < 0: - raise ValueError(_("Could not modify addr %s") % addr) - - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not modify addr %s") % addr) - - semanage_node_key_free(k) - semanage_node_free(node) - - def delete(self, addr, mask, proto): - if addr == "": - raise ValueError(_("Node Address is required")) - - if mask == "": - raise ValueError(_("Node Netmask is required")) - - if proto == "ipv4": - proto = 0 - elif proto == "ipv6": - proto = 1 - else: - raise ValueError(_("Unknown or missing protocol")) - - (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto) - if rc < 0: - raise ValueError(_("Could not create key for %s") % addr) - - (rc,exists) = semanage_node_exists(self.sh, k) - if rc < 0: - raise ValueError(_("Could not check if addr %s is defined") % addr) - if not exists: - raise ValueError(_("Addr %s is not defined") % addr) - - (rc,exists) = semanage_node_exists_local(self.sh, k) - if rc < 0: - raise ValueError(_("Could not check if addr %s is defined") % addr) - if not exists: - raise ValueError(_("Addr %s is defined in policy, cannot be deleted") % addr) - - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) - - rc = semanage_node_del_local(self.sh, k) - if rc < 0: - raise ValueError(_("Could not delete addr %s") % addr) - - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not delete addr %s") % addr) - - semanage_node_key_free(k) - - def get_all(self, locallist = 0): - ddict = {} - if locallist : - (rc, self.ilist) = semanage_node_list_local(self.sh) - else: - (rc, self.ilist) = semanage_node_list(self.sh) - if rc < 0: - raise ValueError(_("Could not list addrs")) - - for node in self.ilist: - con = semanage_node_get_con(node) - addr = semanage_node_get_addr(self.sh, node) - mask = semanage_node_get_mask(self.sh, node) - proto = semanage_node_get_proto(node) - if proto == 0: - proto = "ipv4" - elif proto == 1: - proto = "ipv6" - ddict[(addr[1], mask[1], proto)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con)) - - return ddict - - def list(self, heading = 1, locallist = 0): - if heading: - print "%-18s %-18s %-5s %-5s\n" % ("IP Address", "Netmask", "Protocol", "Context") - ddict = self.get_all(locallist) - keys = ddict.keys() - keys.sort() - if is_mls_enabled: - for k in keys: - val = '' - for fields in k: - val = val + '\t' + str(fields) - print "%-18s %-18s %-5s %s:%s:%s:%s " % (k[0],k[1],k[2],ddict[k][0], ddict[k][1],ddict[k][2], translate(ddict[k][3], False)) - else: - for k in keys: - print "%-18s %-18s %-5s %s:%s:%s " % (k[0],k[1],k[2],ddict[k][0], ddict[k][1],ddict[k][2]) - - class interfaceRecords(semanageRecords): def __init__(self, store = ""): semanageRecords.__init__(self, store) - def add(self, interface, serange, ctype): + def __add(self, interface, serange, ctype): if is_mls_enabled == 1: if serange == "": serange = "s0" @@ -1314,23 +1065,20 @@ if rc < 0: raise ValueError(_("Could not set message context for %s") % interface) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) - rc = semanage_iface_modify_local(self.sh, k, iface) if rc < 0: raise ValueError(_("Could not add interface %s") % interface) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not add interface %s") % interface) - semanage_context_free(con) semanage_iface_key_free(k) semanage_iface_free(iface) - def modify(self, interface, serange, setype): + def add(self, interface, serange, ctype): + self.begin() + self.__add(interface, serange, ctype) + self.commit() + + def __modify(self, interface, serange, setype): if serange == "" and setype == "": raise ValueError(_("Requires setype or serange")) @@ -1355,22 +1103,19 @@ if setype != "": semanage_context_set_type(self.sh, con, setype) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) - rc = semanage_iface_modify_local(self.sh, k, iface) if rc < 0: raise ValueError(_("Could not modify interface %s") % interface) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not modify interface %s") % interface) - semanage_iface_key_free(k) semanage_iface_free(iface) - def delete(self, interface): + def modify(self, interface, serange, setype): + self.begin() + self.__modify(interface, serange, setype) + self.commit() + + def __delete(self, interface): (rc,k) = semanage_iface_key_create(self.sh, interface) if rc < 0: raise ValueError(_("Could not create key for %s") % interface) @@ -1387,20 +1132,17 @@ if not exists: raise ValueError(_("Interface %s is defined in policy, cannot be deleted") % interface) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) - rc = semanage_iface_del_local(self.sh, k) if rc < 0: raise ValueError(_("Could not delete interface %s") % interface) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not delete interface %s") % interface) - semanage_iface_key_free(k) + def delete(self, interface): + self.begin() + self.__delete(interface) + self.commit() + def get_all(self, locallist = 0): ddict = {} if locallist: @@ -1459,7 +1201,7 @@ if target == "" or target.find("\n") >= 0: raise ValueError(_("Invalid file specification")) - def add(self, target, type, ftype = "", serange = "", seuser = "system_u"): + def __add(self, target, type, ftype = "", serange = "", seuser = "system_u"): self.validate(target) if is_mls_enabled == 1: @@ -1500,24 +1242,22 @@ semanage_fcontext_set_type(fcontext, file_types[ftype]) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) - rc = semanage_fcontext_modify_local(self.sh, k, fcontext) if rc < 0: raise ValueError(_("Could not add file context for %s") % target) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not add file context for %s") % target) - if type != "<>": semanage_context_free(con) semanage_fcontext_key_free(k) semanage_fcontext_free(fcontext) - def modify(self, target, setype, ftype, serange, seuser): + + def add(self, target, type, ftype = "", serange = "", seuser = "system_u"): + self.begin() + self.__add(target, type, ftype, serange, seuser) + self.commit() + + def __modify(self, target, setype, ftype, serange, seuser): if serange == "" and setype == "" and seuser == "": raise ValueError(_("Requires setype, serange or seuser")) self.validate(target) @@ -1558,29 +1298,25 @@ if rc < 0: raise ValueError(_("Could not set file context for %s") % target) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) - rc = semanage_fcontext_modify_local(self.sh, k, fcontext) if rc < 0: raise ValueError(_("Could not modify file context for %s") % target) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not modify file context for %s") % target) - semanage_fcontext_key_free(k) semanage_fcontext_free(fcontext) + def modify(self, target, setype, ftype, serange, seuser): + self.begin() + self.__modify(target, setype, ftype, serange, seuser) + self.commit() + + def deleteall(self): (rc, flist) = semanage_fcontext_list_local(self.sh) if rc < 0: raise ValueError(_("Could not list the file contexts")) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) + self.begin() for fcontext in flist: target = semanage_fcontext_get_expr(fcontext) @@ -1595,11 +1331,9 @@ raise ValueError(_("Could not delete the file context %s") % target) semanage_fcontext_key_free(k) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not delete the file context %s") % target) + self.commit() - def delete(self, target, ftype): + def __delete(self, target, ftype): (rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) if rc < 0: raise ValueError(_("Could not create a key for %s") % target) @@ -1616,20 +1350,17 @@ else: raise ValueError(_("File context for %s is not defined") % target) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) - rc = semanage_fcontext_del_local(self.sh, k) if rc < 0: raise ValueError(_("Could not delete file context for %s") % target) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not delete file context for %s") % target) - semanage_fcontext_key_free(k) + def delete(self, target, ftype): + self.begin() + self.__delete( target, ftype) + self.commit() + def get_all(self, locallist = 0): l = [] if locallist: @@ -1711,9 +1442,8 @@ def modify(self, name, value=None, use_file=False): - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) + self.begin() + if use_file: fd = open(name) for b in fd.read().split("\n"): @@ -1723,18 +1453,16 @@ try: boolname, val = b.split("=") - except ValueError, e: + except ValueError: raise ValueError(_("Bad format %s: Record %s" % ( name, b) )) self.__mod(boolname.strip(), val.strip()) fd.close() else: self.__mod(name, value) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not modify boolean %s") % name) + self.commit() - def delete(self, name): + def __delete(self, name): (rc,k) = semanage_bool_key_create(self.sh, name) if rc < 0: @@ -1751,42 +1479,30 @@ if not exists: raise ValueError(_("Boolean %s is defined in policy, cannot be deleted") % name) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) - rc = semanage_bool_del_local(self.sh, k) if rc < 0: raise ValueError(_("Could not delete boolean %s") % name) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not delete boolean %s") % name) semanage_bool_key_free(k) + def delete(self, name): + self.begin() + self.__delete(name) + self.commit() + def deleteall(self): (rc, self.blist) = semanage_bool_list_local(self.sh) if rc < 0: raise ValueError(_("Could not list booleans")) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) + self.begin() for boolean in self.blist: name = semanage_bool_get_name(boolean) - (rc,k) = semanage_bool_key_create(self.sh, name) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) + self.__delete(name) - rc = semanage_bool_del_local(self.sh, k) - if rc < 0: - raise ValueError(_("Could not delete boolean %s") % name) - semanage_bool_key_free(k) + self.commit() - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError(_("Could not delete boolean %s") % name) def get_all(self, locallist = 0): ddict = {} if locallist: