05f43b88db
- Fix system-config-selinux - Add first version of booleans lockdown - Update translations - Allow semanage to add a single role at a time - Update to upstream * Update semanage man page for booleans from Dan Walsh. * Add further error checking to seobject.py for setting booleans.
561 lines
19 KiB
Diff
561 lines
19 KiB
Diff
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why.8 policycoreutils-2.0.46/audit2why/audit2why.8
|
|
--- nsapolicycoreutils/audit2why/audit2why.8 2006-11-16 17:14:26.000000000 -0500
|
|
+++ policycoreutils-2.0.46/audit2why/audit2why.8 1969-12-31 19:00:00.000000000 -0500
|
|
@@ -1,79 +0,0 @@
|
|
-.\" Hey, Emacs! This is an -*- nroff -*- source file.
|
|
-.\" Copyright (c) 2005 Dan Walsh <dwalsh@redhat.com>
|
|
-.\"
|
|
-.\" This is free documentation; you can redistribute it and/or
|
|
-.\" modify it under the terms of the GNU General Public License as
|
|
-.\" published by the Free Software Foundation; either version 2 of
|
|
-.\" the License, or (at your option) any later version.
|
|
-.\"
|
|
-.\" The GNU General Public License's references to "object code"
|
|
-.\" and "executables" are to be interpreted as the output of any
|
|
-.\" document formatting or typesetting system, including
|
|
-.\" intermediate and printed output.
|
|
-.\"
|
|
-.\" This manual is distributed in the hope that it will be useful,
|
|
-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
-.\" GNU General Public License for more details.
|
|
-.\"
|
|
-.\" You should have received a copy of the GNU General Public
|
|
-.\" License along with this manual; if not, write to the Free
|
|
-.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
|
|
-.\" USA.
|
|
-.\"
|
|
-.\"
|
|
-.TH AUDIT2WHY "8" "May 2005" "Security Enhanced Linux" NSA
|
|
-.SH NAME
|
|
-audit2why \- Translates SELinux audit messages into a description of why the access was denied
|
|
-.SH SYNOPSIS
|
|
-.B audit2why
|
|
-.RI [ options "] "
|
|
-.SH OPTIONS
|
|
-.TP
|
|
-
|
|
-.B "\-\-help"
|
|
-Print a short usage message
|
|
-.TP
|
|
-.B "\-p <policyfile>"
|
|
-Specify an alternate policy file.
|
|
-.SH DESCRIPTION
|
|
-.PP
|
|
-This utility processes SELinux audit messages from standard
|
|
-input and and reports which component of the policy caused each
|
|
-permission denial based on the specified policy file if the -p option
|
|
-was used or the active policy otherwise. There are three possible
|
|
-causes: 1) a missing or disabled TE allow rule, 2) a constraint violation,
|
|
-or 3) a missing role allow rule. In the first case, the TE allow
|
|
-rule may exist in the policy but may be disabled due to boolean settings.
|
|
-See
|
|
-.BR booleans (8).
|
|
-If the allow rule is not present at all, it can be generated via
|
|
-.BR audit2allow (1).
|
|
-In the second case, a constraint is being violated; see policy/constraints
|
|
-or policy/mls to identify the particular constraint. Typically, this can
|
|
-be resolved by adding a type attribute to the domain. In the third case,
|
|
-a role transition was attempted but no allow rule existed for the role pair.
|
|
-This can be resolved by adding an allow rule for the role pair to the policy.
|
|
-.PP
|
|
-.SH EXAMPLE
|
|
-.nf
|
|
-$ /usr/sbin/audit2why < /var/log/audit/audit.log
|
|
-
|
|
-type=KERNEL msg=audit(1115316408.926:336418): avc: denied { getattr } for path=/home/sds dev=hda5 ino=1175041 scontext=root:secadm_r:secadm_t:s0-s9:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
|
|
- Was caused by:
|
|
- Missing or disabled TE allow rule.
|
|
- Allow rules may exist but be disabled by boolean settings; check boolean settings.
|
|
- You can see the necessary allow rules by running audit2allow with this audit message as input.
|
|
-
|
|
-type=KERNEL msg=audit(1115320071.648:606858): avc: denied { append } for name=.bash_history dev=hda5 ino=1175047 scontext=user_u:user_r:user_t:s1-s9:c0.c127 tcontext=user_u:object_r:user_home_t:s0 tclass=file
|
|
- Was caused by:
|
|
- Constraint violation.
|
|
- Check policy/constraints.
|
|
- Typically, you just need to add a type attribute to the domain to satisfy the constraint.
|
|
-.fi
|
|
-.PP
|
|
-.SH AUTHOR
|
|
-This manual page was written by
|
|
-.I Dan Walsh <dwalsh@redhat.com>,
|
|
-.B audit2why
|
|
-utility was written by Stephen Smalley <sds@tycho.nsa.gov>.
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why.c policycoreutils-2.0.46/audit2why/audit2why.c
|
|
--- nsapolicycoreutils/audit2why/audit2why.c 2006-11-16 17:14:26.000000000 -0500
|
|
+++ policycoreutils-2.0.46/audit2why/audit2why.c 1969-12-31 19:00:00.000000000 -0500
|
|
@@ -1,313 +0,0 @@
|
|
-#define _GNU_SOURCE
|
|
-#include <unistd.h>
|
|
-#include <stdio.h>
|
|
-#include <stdlib.h>
|
|
-#include <ctype.h>
|
|
-#include <errno.h>
|
|
-#include <getopt.h>
|
|
-#include <limits.h>
|
|
-#include <sepol/sepol.h>
|
|
-#include <sepol/policydb/services.h>
|
|
-#include <selinux/selinux.h>
|
|
-
|
|
-#define AVCPREFIX "avc: denied { "
|
|
-#define SCONTEXT "scontext="
|
|
-#define TCONTEXT "tcontext="
|
|
-#define TCLASS "tclass="
|
|
-
|
|
-void usage(char *progname, int rc)
|
|
-{
|
|
- fprintf(stderr, "usage: %s [-p policy] < /var/log/audit/audit.log\n",
|
|
- progname);
|
|
- exit(rc);
|
|
-}
|
|
-
|
|
-int main(int argc, char **argv)
|
|
-{
|
|
- char path[PATH_MAX];
|
|
- char *buffer = NULL, *bufcopy = NULL;
|
|
- unsigned int lineno = 0;
|
|
- size_t len = 0, bufcopy_len = 0;
|
|
- FILE *fp;
|
|
- int opt, rc, set_path = 0;
|
|
- char *p, *scon, *tcon, *tclassstr, *permstr;
|
|
- sepol_security_id_t ssid, tsid;
|
|
- sepol_security_class_t tclass;
|
|
- sepol_access_vector_t perm, av;
|
|
- struct sepol_av_decision avd;
|
|
- unsigned int reason;
|
|
- int vers = 0;
|
|
- sidtab_t sidtab;
|
|
- policydb_t policydb;
|
|
- struct policy_file pf;
|
|
-
|
|
- while ((opt = getopt(argc, argv, "p:?h")) > 0) {
|
|
- switch (opt) {
|
|
- case 'p':
|
|
- set_path = 1;
|
|
- strncpy(path, optarg, PATH_MAX);
|
|
- fp = fopen(path, "r");
|
|
- if (!fp) {
|
|
- fprintf(stderr, "%s: unable to open %s: %s\n",
|
|
- argv[0], path, strerror(errno));
|
|
- exit(1);
|
|
- }
|
|
- break;
|
|
- default:
|
|
- usage(argv[0], 0);
|
|
- }
|
|
- }
|
|
-
|
|
- if (argc - optind)
|
|
- usage(argv[0], 1);
|
|
-
|
|
- if (!set_path) {
|
|
- if (!is_selinux_enabled()) {
|
|
- fprintf(stderr,
|
|
- "%s: Must specify -p policy on non-SELinux systems\n",
|
|
- argv[0]);
|
|
- exit(1);
|
|
- }
|
|
- vers = security_policyvers();
|
|
- if (vers < 0) {
|
|
- fprintf(stderr,
|
|
- "%s: Could not get policy version: %s\n",
|
|
- argv[0], strerror(errno));
|
|
- exit(1);
|
|
- }
|
|
- snprintf(path, PATH_MAX, "%s.%d",
|
|
- selinux_binary_policy_path(), vers);
|
|
- fp = fopen(path, "r");
|
|
- while (!fp && errno == ENOENT && --vers) {
|
|
- snprintf(path, PATH_MAX, "%s.%d",
|
|
- selinux_binary_policy_path(), vers);
|
|
- fp = fopen(path, "r");
|
|
- }
|
|
- if (!fp) {
|
|
- snprintf(path, PATH_MAX, "%s.%d",
|
|
- selinux_binary_policy_path(),
|
|
- security_policyvers());
|
|
- fprintf(stderr, "%s: unable to open %s: %s\n",
|
|
- argv[0], path, strerror(errno));
|
|
- exit(1);
|
|
- }
|
|
- }
|
|
-
|
|
- /* Set up a policydb directly so that we can mutate it later
|
|
- for booleans and user settings. Otherwise we would just use
|
|
- sepol_set_policydb_from_file() here. */
|
|
- pf.fp = fp;
|
|
- pf.type = PF_USE_STDIO;
|
|
- if (policydb_init(&policydb)) {
|
|
- fprintf(stderr, "%s: policydb_init failed: %s\n",
|
|
- argv[0], strerror(errno));
|
|
- exit(1);
|
|
- }
|
|
- if (policydb_read(&policydb, &pf, 0)) {
|
|
- fprintf(stderr, "%s: invalid binary policy %s\n",
|
|
- argv[0], path);
|
|
- exit(1);
|
|
- }
|
|
- fclose(fp);
|
|
- sepol_set_policydb(&policydb);
|
|
-
|
|
- if (!set_path) {
|
|
- /* If they didn't specify a full path of a binary policy file,
|
|
- then also try loading any boolean settings and user
|
|
- definitions from the active locations. Otherwise,
|
|
- they can use genpolbools and genpolusers to build a
|
|
- binary policy file that includes any desired settings
|
|
- and then apply audit2why -p to the resulting file.
|
|
- Errors are non-fatal as such settings are optional. */
|
|
- sepol_debug(0);
|
|
- (void)sepol_genbools_policydb(&policydb,
|
|
- selinux_booleans_path());
|
|
- (void)sepol_genusers_policydb(&policydb, selinux_users_path());
|
|
- }
|
|
-
|
|
- /* Initialize the sidtab for subsequent use by sepol_context_to_sid
|
|
- and sepol_compute_av_reason. */
|
|
- rc = sepol_sidtab_init(&sidtab);
|
|
- if (rc < 0) {
|
|
- fprintf(stderr, "%s: unable to init sidtab\n", argv[0]);
|
|
- exit(1);
|
|
- }
|
|
- sepol_set_sidtab(&sidtab);
|
|
-
|
|
- /* Process the audit messages. */
|
|
- while (getline(&buffer, &len, stdin) > 0) {
|
|
- size_t len2 = strlen(buffer);
|
|
-
|
|
- if (buffer[len2 - 1] == '\n')
|
|
- buffer[len2 - 1] = 0;
|
|
- lineno++;
|
|
-
|
|
- p = buffer;
|
|
- while (*p && strncmp(p, AVCPREFIX, sizeof(AVCPREFIX) - 1))
|
|
- p++;
|
|
- if (!(*p))
|
|
- continue; /* not an avc denial */
|
|
-
|
|
- p += sizeof(AVCPREFIX) - 1;
|
|
-
|
|
- /* Save a copy of the original unmodified buffer. */
|
|
- if (!bufcopy) {
|
|
- /* Initial allocation */
|
|
- bufcopy_len = len;
|
|
- bufcopy = malloc(len);
|
|
- } else if (bufcopy_len < len) {
|
|
- /* Grow */
|
|
- bufcopy_len = len;
|
|
- bufcopy = realloc(bufcopy, len);
|
|
- }
|
|
- if (!bufcopy) {
|
|
- fprintf(stderr, "%s: OOM on buffer copy\n", argv[0]);
|
|
- exit(2);
|
|
- }
|
|
- memcpy(bufcopy, buffer, len);
|
|
-
|
|
- /* Remember where the permission list begins,
|
|
- and terminate the list. */
|
|
- permstr = p;
|
|
- while (*p && *p != '}')
|
|
- p++;
|
|
- if (!(*p)) {
|
|
- fprintf(stderr,
|
|
- "Missing closing bracket on line %u, skipping...\n",
|
|
- lineno);
|
|
- continue;
|
|
- }
|
|
- *p++ = 0;
|
|
-
|
|
- /* Get scontext and convert to SID. */
|
|
- while (*p && strncmp(p, SCONTEXT, sizeof(SCONTEXT) - 1))
|
|
- p++;
|
|
- if (!(*p)) {
|
|
- fprintf(stderr, "Missing %s on line %u, skipping...\n",
|
|
- SCONTEXT, lineno);
|
|
- continue;
|
|
- }
|
|
- p += sizeof(SCONTEXT) - 1;
|
|
- scon = p;
|
|
- while (*p && !isspace(*p))
|
|
- p++;
|
|
- if (*p)
|
|
- *p++ = 0;
|
|
- rc = sepol_context_to_sid(scon, strlen(scon) + 1, &ssid);
|
|
- if (rc < 0) {
|
|
- fprintf(stderr,
|
|
- "Invalid %s%s on line %u, skipping...\n",
|
|
- SCONTEXT, scon, lineno);
|
|
- continue;
|
|
- }
|
|
-
|
|
- /* Get tcontext and convert to SID. */
|
|
- while (*p && strncmp(p, TCONTEXT, sizeof(TCONTEXT) - 1))
|
|
- p++;
|
|
- if (!(*p)) {
|
|
- fprintf(stderr, "Missing %s on line %u, skipping...\n",
|
|
- TCONTEXT, lineno);
|
|
- continue;
|
|
- }
|
|
- p += sizeof(TCONTEXT) - 1;
|
|
- tcon = p;
|
|
- while (*p && !isspace(*p))
|
|
- p++;
|
|
- if (*p)
|
|
- *p++ = 0;
|
|
- rc = sepol_context_to_sid(tcon, strlen(tcon) + 1, &tsid);
|
|
- if (rc < 0) {
|
|
- fprintf(stderr,
|
|
- "Invalid %s%s on line %u, skipping...\n",
|
|
- TCONTEXT, tcon, lineno);
|
|
- continue;
|
|
- }
|
|
-
|
|
- /* Get tclass= and convert to value. */
|
|
- while (*p && strncmp(p, TCLASS, sizeof(TCLASS) - 1))
|
|
- p++;
|
|
- if (!(*p)) {
|
|
- fprintf(stderr, "Missing %s on line %u, skipping...\n",
|
|
- TCLASS, lineno);
|
|
- continue;
|
|
- }
|
|
- p += sizeof(TCLASS) - 1;
|
|
- tclassstr = p;
|
|
- while (*p && !isspace(*p))
|
|
- p++;
|
|
- if (*p)
|
|
- *p = 0;
|
|
- tclass = string_to_security_class(tclassstr);
|
|
- if (!tclass) {
|
|
- fprintf(stderr,
|
|
- "Invalid %s%s on line %u, skipping...\n",
|
|
- TCLASS, tclassstr, lineno);
|
|
- continue;
|
|
- }
|
|
-
|
|
- /* Convert the permission list to an AV. */
|
|
- p = permstr;
|
|
- av = 0;
|
|
- while (*p) {
|
|
- while (*p && !isspace(*p))
|
|
- p++;
|
|
- if (*p)
|
|
- *p++ = 0;
|
|
- perm = string_to_av_perm(tclass, permstr);
|
|
- if (!perm) {
|
|
- fprintf(stderr,
|
|
- "Invalid permission %s on line %u, skipping...\n",
|
|
- permstr, lineno);
|
|
- continue;
|
|
- }
|
|
- av |= perm;
|
|
- permstr = p;
|
|
- }
|
|
-
|
|
- /* Reproduce the computation. */
|
|
- rc = sepol_compute_av_reason(ssid, tsid, tclass, av, &avd,
|
|
- &reason);
|
|
- if (rc < 0) {
|
|
- fprintf(stderr,
|
|
- "Error during access vector computation on line %u, skipping...\n",
|
|
- lineno);
|
|
- continue;
|
|
- }
|
|
-
|
|
- printf("%s\n\tWas caused by:\n", bufcopy);
|
|
-
|
|
- if (!reason) {
|
|
- printf("\t\tUnknown - would be allowed by %s policy\n",
|
|
- set_path ? "specified" : "active");
|
|
- printf
|
|
- ("\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n");
|
|
- printf
|
|
- ("\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n");
|
|
- }
|
|
-
|
|
- if (reason & SEPOL_COMPUTEAV_TE) {
|
|
- printf("\t\tMissing or disabled TE allow rule.\n");
|
|
- printf
|
|
- ("\t\tAllow rules may exist but be disabled by boolean settings; check boolean settings.\n");
|
|
- printf
|
|
- ("\t\tYou can see the necessary allow rules by running audit2allow with this audit message as input.\n");
|
|
- }
|
|
-
|
|
- if (reason & SEPOL_COMPUTEAV_CONS) {
|
|
- printf("\t\tConstraint violation.\n");
|
|
- printf("\t\tCheck policy/constraints.\n");
|
|
- printf
|
|
- ("\t\tTypically, you just need to add a type attribute to the domain to satisfy the constraint.\n");
|
|
- }
|
|
-
|
|
- if (reason & SEPOL_COMPUTEAV_RBAC) {
|
|
- printf("\t\tMissing role allow rule.\n");
|
|
- printf("\t\tAdd allow rule for the role pair.\n");
|
|
- }
|
|
-
|
|
- printf("\n");
|
|
- }
|
|
- free(buffer);
|
|
- free(bufcopy);
|
|
- exit(0);
|
|
-}
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.46/Makefile
|
|
--- nsapolicycoreutils/Makefile 2007-12-19 06:02:52.000000000 -0500
|
|
+++ policycoreutils-2.0.46/Makefile 2008-04-30 14:17:41.297583000 -0400
|
|
@@ -1,4 +1,4 @@
|
|
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
|
|
+SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
|
|
|
|
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
|
|
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.46/restorecond/restorecond.c
|
|
--- nsapolicycoreutils/restorecond/restorecond.c 2007-07-16 14:20:41.000000000 -0400
|
|
+++ policycoreutils-2.0.46/restorecond/restorecond.c 2008-04-30 14:17:41.305576000 -0400
|
|
@@ -210,9 +210,10 @@
|
|
}
|
|
|
|
if (fsetfilecon(fd, scontext) < 0) {
|
|
- syslog(LOG_ERR,
|
|
- "set context %s->%s failed:'%s'\n",
|
|
- filename, scontext, strerror(errno));
|
|
+ if (errno != EOPNOTSUPP)
|
|
+ syslog(LOG_ERR,
|
|
+ "set context %s->%s failed:'%s'\n",
|
|
+ filename, scontext, strerror(errno));
|
|
if (retcontext >= 0)
|
|
free(prev_context);
|
|
free(scontext);
|
|
@@ -225,8 +226,9 @@
|
|
if (retcontext >= 0)
|
|
free(prev_context);
|
|
} else {
|
|
- syslog(LOG_ERR, "get context on %s failed: '%s'\n",
|
|
- filename, strerror(errno));
|
|
+ if (errno != EOPNOTSUPP)
|
|
+ syslog(LOG_ERR, "get context on %s failed: '%s'\n",
|
|
+ filename, strerror(errno));
|
|
}
|
|
free(scontext);
|
|
close(fd);
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/genhomedircon.8 policycoreutils-2.0.46/scripts/genhomedircon.8
|
|
--- nsapolicycoreutils/scripts/genhomedircon.8 2007-01-17 11:11:34.000000000 -0500
|
|
+++ policycoreutils-2.0.46/scripts/genhomedircon.8 1969-12-31 19:00:00.000000000 -0500
|
|
@@ -1,82 +0,0 @@
|
|
-.\" Hey, Emacs! This is an -*- nroff -*- source file.
|
|
-.\" Copyright (c) 2005 Manoj Srivastava <srivasta@debian.org>
|
|
-.\"
|
|
-.\" This is free documentation; you can redistribute it and/or
|
|
-.\" modify it under the terms of the GNU General Public License as
|
|
-.\" published by the Free Software Foundation; either version 2 of
|
|
-.\" the License, or (at your option) any later version.
|
|
-.\"
|
|
-.\" The GNU General Public License's references to "object code"
|
|
-.\" and "executables" are to be interpreted as the output of any
|
|
-.\" document formatting or typesetting system, including
|
|
-.\" intermediate and printed output.
|
|
-.\"
|
|
-.\" This manual is distributed in the hope that it will be useful,
|
|
-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
-.\" GNU General Public License for more details.
|
|
-.\"
|
|
-.\" You should have received a copy of the GNU General Public
|
|
-.\" License along with this manual; if not, write to the Free
|
|
-.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
|
|
-.\" USA.
|
|
-.\"
|
|
-.\"
|
|
-.TH GENHOMEDIRCON "8" "January 2005" "Security Enhanced Linux" ""
|
|
-.SH NAME
|
|
-genhomedircon \- generate SELinux file context configuration entries for user home directories
|
|
-.SH SYNOPSIS
|
|
-.B genhomedircon [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ] [-h]
|
|
-
|
|
-.SH OPTIONS
|
|
-.TP
|
|
-.B "\-h"
|
|
-Print a short usage message
|
|
-.TP
|
|
-.B "\-d selinuxdir (\-\-directory)"
|
|
-Directory where selinux files are installed defaults to /etc/selinux
|
|
-.TP
|
|
-.B
|
|
-\-n \-\-nopasswd
|
|
-Indicates to the utility not to read homedirectories out of the password database.
|
|
-.TP
|
|
-\-t selinuxtype (\-\-type)
|
|
-Indicates the selinux type of this install. Defaults to "targeted".
|
|
-.SH DESCRIPTION
|
|
-.PP
|
|
-This utility is used to generate file context configuration entries for
|
|
-user home directories based on their
|
|
-.B prefix
|
|
-entry in the the
|
|
-.B semanage user record.
|
|
-genhomedircon is run when building
|
|
-the policy. It is also run automaticaly when ever the
|
|
-.B semanage
|
|
-utility modifies
|
|
-.B user
|
|
-or
|
|
-.B login
|
|
-records.
|
|
-Specifically, we replace HOME_ROOT, HOME_DIR, and ROLE macros in the
|
|
-.I /etc/selinux/<<SELINUXTYPE>>/contexts/files/homedir_template
|
|
-file with generic and user-specific values. HOME_ROOT and HOME_DIR is replaced with each distinct location where login users homedirectories are located. Defaults to /home. ROLE is replaced based on the prefix entry in the
|
|
-.B user
|
|
-record.
|
|
-.PP
|
|
-genhomedircon searches through all password entires for all "login" user home directories, (as opposed
|
|
-to system users). Login users are those whose UID is greater than or equal
|
|
-.I STARTING_UID
|
|
-(default 500) and whose login shell is not "/sbin/nologin", or
|
|
-"/bin/false".
|
|
-.PP
|
|
-.SH AUTHOR
|
|
-This manual page was originally written by
|
|
-.I Manoj Srivastava <srivasta@debian.org>,
|
|
-for the Debian GNU/Linux system, based on the comments and the code
|
|
-in the utility, and then updated by Dan Walsh of Red Hat. The
|
|
-.B genhomedircon
|
|
-utility was originally written by
|
|
-.I Dan Walsh of Red Hat
|
|
-with some modifications by
|
|
-.I Tresys Technology, LLC.
|
|
-
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.46/semanage/semanage
|
|
--- nsapolicycoreutils/semanage/semanage 2008-04-08 09:37:20.000000000 -0400
|
|
+++ policycoreutils-2.0.46/semanage/semanage 2008-04-30 14:18:15.329826000 -0400
|
|
@@ -129,7 +129,7 @@
|
|
setrans = ""
|
|
roles = ""
|
|
seuser = ""
|
|
- prefix = ""
|
|
+ prefix = "user"
|
|
heading=1
|
|
value=0
|
|
add = 0
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.46/semanage/semanage.8
|
|
--- nsapolicycoreutils/semanage/semanage.8 2008-04-22 16:18:44.000000000 -0400
|
|
+++ policycoreutils-2.0.46/semanage/semanage.8 2008-04-30 14:20:11.178770000 -0400
|
|
@@ -77,7 +74,7 @@
|
|
MLS/MCS Security Range (MLS/MCS Systems only)
|
|
.TP
|
|
.I \-R, \-\-role
|
|
-SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
|
|
+SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times. If you want to add just one role, you \-R +role with the modify qualifier will add a single role.
|
|
.TP
|
|
.I \-P, \-\-prefix
|
|
SELinux Prefix. Prefix added to home_dir_t and home_t for labeling users home directories.
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.46/semanage/seobject.py
|
|
--- nsapolicycoreutils/semanage/seobject.py 2008-04-22 16:18:44.000000000 -0400
|
|
+++ policycoreutils-2.0.46/semanage/seobject.py 2008-04-30 14:17:41.350530000 -0400
|
|
@@ -464,7 +464,7 @@
|
|
def __init__(self, store = ""):
|
|
semanageRecords.__init__(self, store)
|
|
|
|
- def add(self, name, roles, selevel, serange, prefix):
|
|
+ def add(self, name, roles, selevel, serange, prefix = "user"):
|
|
if is_mls_enabled == 1:
|
|
if serange == "":
|
|
serange = "s0"
|