diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why.c policycoreutils-2.0.31/audit2why/audit2why.c --- nsapolicycoreutils/audit2why/audit2why.c 2007-07-16 14:20:41.000000000 -0400 +++ policycoreutils-2.0.31/audit2why/audit2why.c 2007-11-02 15:54:42.000000000 -0400 @@ -137,6 +137,8 @@ /* Process the audit messages. */ while (getline(&buffer, &len, stdin) > 0) { size_t len2 = strlen(buffer); + char *begin, *end, *search_buf; + int slen = 0; if (buffer[len2 - 1] == '\n') buffer[len2 - 1] = 0; @@ -179,6 +181,7 @@ } *p++ = 0; + search_buf = p; /* Get scontext and convert to SID. */ while (*p && strncmp(p, SCONTEXT, sizeof(SCONTEXT) - 1)) p++; @@ -188,11 +191,14 @@ continue; } p += sizeof(SCONTEXT) - 1; - scon = p; + begin = p; while (*p && !isspace(*p)) p++; - if (*p) - *p++ = 0; + end = p; + slen=end - begin; + scon = calloc(slen+1, 1); + strncpy(scon, begin, slen); + rc = sepol_context_to_sid(scon, strlen(scon) + 1, &ssid); if (rc < 0) { fprintf(stderr, @@ -201,6 +207,10 @@ continue; } + free(scon); + /* start searching at the beginning again */ + p = search_buf; + /* Get tcontext and convert to SID. */ while (*p && strncmp(p, TCONTEXT, sizeof(TCONTEXT) - 1)) p++; @@ -210,11 +220,15 @@ continue; } p += sizeof(TCONTEXT) - 1; - tcon = p; + + begin = p; while (*p && !isspace(*p)) p++; - if (*p) - *p++ = 0; + end = p; + slen=end - begin; + tcon = calloc(slen+1, 1); + strncpy(tcon, begin, slen); + rc = sepol_context_to_sid(tcon, strlen(tcon) + 1, &tsid); if (rc < 0) { fprintf(stderr, @@ -222,6 +236,9 @@ TCONTEXT, tcon, lineno); continue; } + free(tcon); + /* start searching at the beginning again */ + p = search_buf; /* Get tclass= and convert to value. */ while (*p && strncmp(p, TCLASS, sizeof(TCLASS) - 1)) 
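Review bot: The `calloc` result in `scon = calloc(slen+1, 1);` is never checked, so on allocation failure the following `strncpy(scon, begin, slen)` and `strlen(scon)` dereference NULL. The file's existing error style is an fprintf to stderr followed by `continue`, but an allocation that fails on one line is unlikely to succeed on the next, so leaving the read loop seems more appropriate: `if (!scon) { fprintf(stderr, "Out of memory on line %u\n", lineno); break; }`. The `while (getline(...))` loop enclosing this hunk starts in an earlier hunk and ends outside the visible diff.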
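Review bot: `free(scon);` is placed after the `if (rc < 0) { ... continue; }` block whose closing `continue;` opens this hunk, so every input line whose scontext fails `sepol_context_to_sid` leaks the buffer allocated in the previous hunk. The error branch prints the context, so the buffer cannot simply be freed before the test; release it on that path as well, `free(scon); continue;` in place of the bare `continue;`. Over a large audit log this is a steady per-line leak rather than a one-off.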
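Review bot: The same leak applies to tcon in this hunk: `free(tcon);` sits after the `continue;` of the `rc < 0` branch (`TCONTEXT, tcon, lineno); continue;`), so an invalid tcontext line drops the buffer allocated in the previous hunk. Free it on the error path too, `free(tcon); continue;`, or restructure so the single free happens after the message has been printed and before the branch decides whether to continue.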
@@ -232,12 +249,17 @@ continue; } p += sizeof(TCLASS) - 1; - tclassstr = p; + begin = p; while (*p && !isspace(*p)) p++; - if (*p) - *p = 0; + + end = p; + slen=end - begin; + tclassstr = calloc(slen+1, 1); + strncpy(tclassstr, begin, slen); + tclass = string_to_security_class(tclassstr); + free(tclassstr); if (!tclass) { fprintf(stderr, "Invalid %s%s on line %u, skipping...\n", diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.31/Makefile --- nsapolicycoreutils/Makefile 2007-07-16 14:20:43.000000000 -0400 +++ policycoreutils-2.0.31/Makefile 2007-11-02 15:54:42.000000000 -0400 @@ -1,4 +1,4 @@ -SUBDIRS=setfiles semanage load_policy newrole run_init restorecond secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po +SUBDIRS=setfiles semanage load_policy newrole run_init restorecond secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui all install relabel clean indent: @for subdir in $(SUBDIRS); do \ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.31/restorecond/restorecond.c --- nsapolicycoreutils/restorecond/restorecond.c 2007-07-16 14:20:41.000000000 -0400 +++ policycoreutils-2.0.31/restorecond/restorecond.c 2007-11-02 15:54:42.000000000 -0400 @@ -210,9 +210,10 @@ } if (fsetfilecon(fd, scontext) < 0) { - syslog(LOG_ERR, - "set context %s->%s failed:'%s'\n", - filename, scontext, strerror(errno)); + if (errno != EOPNOTSUPP) + syslog(LOG_ERR, + "set context %s->%s failed:'%s'\n", + filename, scontext, strerror(errno)); if (retcontext >= 0) free(prev_context); free(scontext); 
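Review bot: `free(tclassstr);` is issued before the `if (!tclass)` error branch, and the `fprintf` format `"Invalid %s%s on line %u, skipping...\n"` has two string slots; if its arguments on the next line (outside this hunk) are `TCLASS, tclassstr, lineno` as in the scontext and tcontext messages, the error path reads freed memory. Move the free after the `if (!tclass) { ... }` block, or free on both paths. The `calloc` in `tclassstr = calloc(slen+1, 1);` is also unchecked, like the two allocations above it, so the following `strncpy` writes through NULL on allocation failure.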
@@ -225,8 +226,9 @@ if (retcontext >= 0) free(prev_context); } else { - syslog(LOG_ERR, "get context on %s failed: '%s'\n", - filename, strerror(errno)); + if (errno != EOPNOTSUPP) + syslog(LOG_ERR, "get context on %s failed: '%s'\n", + filename, strerror(errno)); } free(scontext); close(fd); diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.31/scripts/fixfiles --- nsapolicycoreutils/scripts/fixfiles 2007-08-23 16:52:26.000000000 -0400 +++ policycoreutils-2.0.31/scripts/fixfiles 2007-11-16 10:54:53.000000000 -0500 @@ -92,7 +92,7 @@ ! \( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) -prune -o \ \( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print; \ done 2> /dev/null | \ - ${RESTORECON} $2 -v -f - + ${RESTORECON} $2 -f - rm -f ${TEMPFILE} ${PREFCTEMPFILE} fi } @@ -189,21 +189,27 @@ case "$i" in f) fullFlag=1 + shift 1 ;; R) RPMFILES=$OPTARG + shift 2 ;; o) OUTFILES=$OPTARG + shift 2 ;; l) LOGFILE=$OPTARG + shift 2 ;; C) PREFC=$OPTARG + shift 2 ;; F) FORCEFLAG="-F" + shift 1 ;; *) usage @@ -211,10 +217,8 @@ esac done - # Check for the command -eval command=\$${OPTIND} -let OPTIND=$OPTIND+1 +command=$1 if [ -z $command ]; then usage fi 
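Review bot: `if (errno != EOPNOTSUPP)` in the else branch relies on errno still belonging to the call whose failure brought control here, but that call and the condition are outside this hunk, and the `free(prev_context)` in the sibling branch shows other library calls can run in between, any of which may overwrite errno. Capture it immediately after the failing call (`int saved_errno = errno;`), test the saved value and pass it to `strerror`. Silencing EOPNOTSUPP completely also removes any trace that a watched path sits on a filesystem without xattr support; a `LOG_DEBUG` line there would keep it diagnosable. The enclosing function begins and ends outside the visible diff.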
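Review bot: Adding `shift 1`/`shift 2` inside the `while getopts` loop breaks parsing of more than one option: getopts indexes the positional parameters through OPTIND, which keeps advancing while the parameters are shifted out from under it, so for `fixfiles -f -F restore` the loop consumes `-f`, shifts, then inspects `$2` (now `restore`) and stops, leaving `-F` to be taken as the command. Drop the six `shift` lines from the case arms and shift once after the loop's `done` instead: `shift $((OPTIND - 1))`, after which the `command=$1` introduced in the next hunk works as intended. The getopts loop header itself is outside this hunk.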
@@ -223,17 +227,16 @@ # check if they specified both DIRS and RPMFILES # +shift 1 if [ ! -z "$RPMFILES" ]; then - if [ $OPTIND -le $# ]; then + if [ $# -gt 0 ]; then + echo broken usage fi else - while [ $OPTIND -le $# ]; do - eval DIR=\$${OPTIND} - DIRS="$DIRS $DIR" - let OPTIND=$OPTIND+1 - done + DIRS=$* fi + # # Make sure they specified one of the three valid commands # diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.31/semanage/semanage --- nsapolicycoreutils/semanage/semanage 2007-10-05 13:09:53.000000000 -0400 +++ policycoreutils-2.0.31/semanage/semanage 2007-11-02 15:54:42.000000000 -0400 @@ -1,5 +1,5 @@ #! /usr/bin/python -E -# Copyright (C) 2005 Red Hat +# Copyright (C) 2005, 2006, 2007 Red Hat # see file 'COPYING' for use and warranty information # # semanage is a tool for managing SELinux configuration files @@ -115,7 +115,7 @@ valid_option["translation"] = [] valid_option["translation"] += valid_everyone + [ '-T', '--trans' ] valid_option["boolean"] = [] - valid_option["boolean"] += valid_everyone + valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ] return valid_option # @@ -135,7 +135,7 @@ seuser = "" prefix = "" heading=1 - + value=0 add = 0 modify = 0 delete = 0 @@ -154,7 +154,7 @@ args = sys.argv[2:] gopts, cmds = getopt.getopt(args, - 'adf:lhmnp:s:CDR:L:r:t:T:P:S:', + '01adf:lhmnp:s:CDR:L:r:t:T:P:S:', ['add', 'delete', 'deleteall', @@ -164,6 +164,8 @@ 'modify', 'noheading', 'localist', + 'off', + 'on', 'proto=', 'seuser=', 'store=', 
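Review bot: `echo broken` before `usage` in the RPMFILES branch looks like a debugging leftover that will now be printed to every user who combines `-R` with directory arguments; drop it or replace it with an explanatory message such as `echo "Directories cannot be combined with -R" >&2`. `DIRS=$*` flattens the remaining arguments into one space-joined string, so a directory name containing whitespace is split wherever DIRS is later expanded; the consumer of DIRS is not in the diff, so I can't say whether it re-splits deliberately, but keeping the list as `"$@"` (or an array if the script is bash-only) avoids the problem. The unconditional `shift 1` is only safe because the `-z $command` test above presumably exits via `usage` on empty input.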
@@ -242,6 +244,11 @@ if o == "-T" or o == "--trans": setrans = a + if o == "--on" or o == "-1": + value = 1 + if o == "-off" or o == "-0": + value = 0 + if object == "login": OBJECT = seobject.loginRecords(store) diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.31/semanage/seobject.py --- nsapolicycoreutils/semanage/seobject.py 2007-10-07 21:46:43.000000000 -0400 +++ policycoreutils-2.0.31/semanage/seobject.py 2007-11-09 12:00:35.000000000 -0500 @@ -1,5 +1,5 @@ #! /usr/bin/python -E -# Copyright (C) 2005 Red Hat +# Copyright (C) 2005, 2006, 2007 Red Hat # see file 'COPYING' for use and warranty information # # semanage is a tool for managing SELinux configuration files @@ -88,6 +88,35 @@ mylog = logger() +import sys, os +import re +import xml.etree.ElementTree + +booleans_dict={} +try: + tree=xml.etree.ElementTree.parse("/usr/share/selinux/devel/policy.xml") + for l in tree.findall("layer"): + for m in l.findall("module"): + for b in m.findall("tunable"): + desc = b.find("desc").find("p").text.strip("\n") + desc = re.sub("\n", " ", desc) + booleans_dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc) + for b in m.findall("bool"): + desc = b.find("desc").find("p").text.strip("\n") + desc = re.sub("\n", " ", desc) + booleans_dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc) + for i in tree.findall("bool"): + desc = i.find("desc").find("p").text.strip("\n") + desc = re.sub("\n", " ", desc) + booleans_dict[i.get('name')] = (_("global"), i.get('dftval'), desc) + for i in tree.findall("tunable"): + desc = i.find("desc").find("p").text.strip("\n") + desc = re.sub("\n", " ", desc) + booleans_dict[i.get('name')] = (_("global"), i.get('dftval'), desc) +except IOError, e: + print _("Failed to translate booleans.\n%s") % e + pass + def validate_level(raw): sensitivity = "s[0-9]*" category = "c[0-9]*" 
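Review bot: The second new comparison tests `o == "-off"` with a single dash, but getopt reports the long option as `--off`, so that branch is dead; `--off` only appears to work because `value` is initialised to 0 earlier in the file, and `--on --off` on one command line would leave the boolean on. Change it to `if o == "--off" or o == "-0":`. The option loop surrounding these lines starts and ends outside this hunk.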
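Review bot: The module-level `try` around parsing `/usr/share/selinux/devel/policy.xml` catches only `IOError`, but the `.find("desc").find("p").text.strip("\n")` chains raise `AttributeError` for any tunable or bool without a `<desc><p>` element, and a malformed file raises the parser's own error; either escapes, and because this runs at import time it makes `seobject` unimportable and takes down every semanage subcommand, not just boolean descriptions. Since `booleans_dict` is purely descriptive metadata, catch broadly here (`except Exception, e:`) or guard each lookup with `b.findtext("desc/p", "")`. Also, `print _("Failed to translate booleans.\n%s") % e` writes to stdout from a library module during import; stderr or the module's logger is the better channel.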
@@ -139,7 +168,7 @@ translations = fd.readlines() fd.close() except IOError, e: - raise ValueError(_("Unable to open %s: translations not supported on non-MLS machines: %s") % (self.filename, e) ) + raise ValueError(_("Unable to open %s: translations not supported on non-MLS machines") % (self.filename) ) self.ddict = {} self.comments = [] @@ -236,9 +265,6 @@ if rc < 0: semanage_handle_destroy(self.sh) raise ValueError(_("Could not establish semanage connection")) - def deleteall(self): - raise ValueError(_("Not yet implemented")) - class loginRecords(semanageRecords): def __init__(self, store = ""): @@ -1095,7 +1121,13 @@ return con + def validate(self, target): + if target == "" or target.find("\n") >= 0: + raise ValueError(_("Invalid file specification")) + def add(self, target, type, ftype = "", serange = "", seuser = "system_u"): + self.validate(target) + if is_mls_enabled == 1: serange = untranslate(serange) @@ -1154,6 +1186,7 @@ def modify(self, target, setype, ftype, serange, seuser): if serange == "" and setype == "" and seuser == "": raise ValueError(_("Requires setype, serange or seuser")) + self.validate(target) (rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) if rc < 0: @@ -1304,6 +1337,7 @@ print "%-50s %-18s <>" % (fcon[0], fcon[1]) class booleanRecords(semanageRecords): + def __init__(self, store = ""): semanageRecords.__init__(self, store) @@ -1328,11 +1362,14 @@ if value != "": nvalue = int(value) semanage_bool_set_value(b, nvalue) + else: + raise ValueError(_("You must specify a value")) rc = semanage_begin_transaction(self.sh) if rc < 0: raise ValueError(_("Could not start semanage transaction")) + rc = semanage_bool_set_active(self.sh, k, b) rc = semanage_bool_modify_local(self.sh, k, b) if rc < 0: raise ValueError(_("Could not modify boolean %s") % name) 
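Review bot: Dropping `e` from the `ValueError` raised in the `except IOError` branch removes the only indication of why the open failed; a missing file and a permission denied now produce the identical message, though they call for different fixes. If the goal is a cleaner user-facing message, consider still recording the underlying error, for instance through the module's logger before the raise, or appending it in parentheses after the translated text. The method containing this except block starts outside the hunk.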
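Review bot: The new `validate` method has no docstring, and its two checks (empty spec, embedded newline) only make sense to a reader who knows how `target` is stored; state the rationale, e.g. `"""Reject a file-context spec that cannot be stored safely: empty, or containing a newline (presumably a record delimiter in the on-disk file - confirm)."""`. It is worth noting there that, within this diff, only `add` and `modify` call it, so any other entry point still receives the raw string. `"\n" in target` reads more naturally than `target.find("\n") >= 0`.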
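Review bot: The return value of the new `rc = semanage_bool_set_active(self.sh, k, b)` is never examined — the very next statement reassigns `rc` from `semanage_bool_modify_local` — so a failure to set the active value is silently ignored and only the local modification is reported. Check it the way the neighbouring libsemanage calls are checked: `rc = semanage_bool_set_active(self.sh, k, b)` / `if rc < 0:` / `raise ValueError(_("Could not set active value of boolean %s") % name)`. The new `raise ValueError(_("You must specify a value"))` fires before the transaction begins, which is the right place for it.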
@@ -1416,11 +1453,25 @@ return ddict + def get_desc(self, boolean): + if boolean in booleans_dict: + return _(booleans_dict[boolean][2]) + else: + return boolean + + def get_category(self, boolean): + if boolean in booleans_dict: + return _(booleans_dict[boolean][0]) + else: + return _("unknown") + def list(self, heading = 1, locallist = 0): + on_off = (_("off"),_("on")) if heading: - print "%-50s %7s %7s %7s\n" % (_("SELinux boolean"), _("value"), _("pending"), _("active") ) + print "%-40s %s\n" % (_("SELinux boolean"), _("Description")) ddict = self.get_all(locallist) keys = ddict.keys() for k in keys: if ddict[k]: - print "%-50s %7d %7d %7d " % (k, ddict[k][0],ddict[k][1], ddict[k][2]) + print "%-30s -> %-5s %s" % (k, on_off[ddict[k][2]], self.get_desc(k)) +