From 72cdfcb7ad61bdab857a86c1f2caaac05d555ccb Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Thu, 14 Feb 2013 08:18:40 -0500 Subject: [PATCH] Revert some changes which are causing the wrong policy version file to be created --- libselinux-rhat.patch | 2194 ----------------------------------------- 1 file changed, 2194 deletions(-) diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch index 16d56c7..3b459f6 100644 --- a/libselinux-rhat.patch +++ b/libselinux-rhat.patch @@ -245,2197 +245,3 @@ index 2d7369e..2a00807 100644 va_end(ap); } -diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h -index c27275e..0165eed 100644 ---- a/libsepol/include/sepol/policydb/policydb.h -+++ b/libsepol/include/sepol/policydb/policydb.h -@@ -683,10 +683,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); - #define POLICYDB_VERSION_ROLETRANS 26 - #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27 - #define POLICYDB_VERSION_DEFAULT_TYPE 28 -+#define POLICYDB_VERSION_CONSTRAINT_NAMES 29 - - /* Range of policy versions we understand*/ - #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE --#define POLICYDB_VERSION_MAX POLICYDB_VERSION_DEFAULT_TYPE -+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_CONSTRAINT_NAMES - - /* Module versions and specific changes*/ - #define MOD_POLICYDB_VERSION_BASE 4 -@@ -704,9 +705,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); - #define MOD_POLICYDB_VERSION_TUNABLE_SEP 14 - #define MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 15 - #define MOD_POLICYDB_VERSION_DEFAULT_TYPE 16 -+#define MOD_POLICYDB_VERSION_CONSTRAINT_NAMES 17 - - #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE --#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_DEFAULT_TYPE -+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_CONSTRAINT_NAMES - - #define POLICYDB_CONFIG_MLS 1 - -diff --git a/libsepol/include/sepol/policydb/services.h b/libsepol/include/sepol/policydb/services.h -index aef0c7b..1969a10 100644 ---- a/libsepol/include/sepol/policydb/services.h -+++ b/libsepol/include/sepol/policydb/services.h -@@ -58,6 +58,38 @@ extern int sepol_compute_av_reason(sepol_security_id_t ssid, - struct sepol_av_decision *avd, - unsigned int *reason); - -+/* -+ * Same as above, but also returns the constraint expression calculations -+ * whether allowed or denied in a buffer. This buffer is allocated by -+ * this call and must be free'd by the caller using free(3). The contraint -+ * buffer will contain any constraints in infix notation. -+ * If the SHOW_GRANTED flag is set it will show granted and denied -+ * constraints. The default is to show only denied constraints. -+ */ -+#define SHOW_GRANTED 1 -+extern int sepol_compute_av_reason_buffer(sepol_security_id_t ssid, -+ sepol_security_id_t tsid, -+ sepol_security_class_t tclass, -+ sepol_access_vector_t requested, -+ struct sepol_av_decision *avd, -+ unsigned int *reason, -+ char **reason_buf, -+ unsigned int flags); -+/* -+ * Return a class ID associated with the class string representation -+ * specified by `class_name'. -+ */ -+extern int sepol_class_name_to_id(const char *class_name, -+ sepol_security_class_t *tclass); -+ -+/* -+ * Return a permission av bit associated with tclass and the string -+ * representation of the `perm_name'. -+ */ -+extern int sepol_perm_name_to_av(sepol_security_class_t tclass, -+ const char *perm_name, -+ sepol_access_vector_t *av); -+ - /* - * Compute a SID to use for labeling a new object in the - * class `tclass' based on a SID pair. -diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c -index f0555bb..6fd992f 100644 ---- a/libsepol/src/expand.c -+++ b/libsepol/src/expand.c -@@ -384,6 +384,17 @@ static int constraint_node_clone(constraint_node_t ** dst, - new_expr->op = expr->op; - if (new_expr->expr_type == CEXPR_NAMES) { - if (new_expr->attr & CEXPR_TYPE) { -+ /* -+ * Copy over constraint policy source types and/or -+ * attributes for sepol_compute_av_reason_buffer(3) so that -+ * utilities can analyse constraint errors. -+ */ -+ if (map_ebitmap(&expr->type_names->types, -+ &new_expr->type_names->types, -+ state->typemap)) { -+ ERR(NULL, "Failed to map type_names->types"); -+ goto out_of_mem; -+ } - /* Type sets require expansion and conversion. */ - if (expand_convert_type_set(state->out, - state-> -diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c -index 1f49261..8c7efbc 100644 ---- a/libsepol/src/policydb.c -+++ b/libsepol/src/policydb.c -@@ -165,6 +165,13 @@ static struct policydb_compat_info policydb_compat[] = { - .target_platform = SEPOL_TARGET_SELINUX, - }, - { -+ .type = POLICY_KERN, -+ .version = POLICYDB_VERSION_CONSTRAINT_NAMES, -+ .sym_num = SYM_NUM, -+ .ocon_num = OCON_NODE6 + 1, -+ .target_platform = SEPOL_TARGET_SELINUX, -+ }, -+ { - .type = POLICY_BASE, - .version = MOD_POLICYDB_VERSION_BASE, - .sym_num = SYM_NUM, -@@ -256,6 +263,13 @@ static struct policydb_compat_info policydb_compat[] = { - .target_platform = SEPOL_TARGET_SELINUX, - }, - { -+ .type = POLICY_BASE, -+ .version = MOD_POLICYDB_VERSION_CONSTRAINT_NAMES, -+ .sym_num = SYM_NUM, -+ .ocon_num = OCON_NODE6 + 1, -+ .target_platform = SEPOL_TARGET_SELINUX, -+ }, -+ { - .type = POLICY_MOD, - .version = MOD_POLICYDB_VERSION_BASE, - .sym_num = SYM_NUM, -@@ -346,6 +360,13 @@ static struct policydb_compat_info policydb_compat[] = { - .ocon_num = 0, - .target_platform = SEPOL_TARGET_SELINUX, - }, -+ { -+ .type = POLICY_MOD, -+ .version = MOD_POLICYDB_VERSION_CONSTRAINT_NAMES, -+ .sym_num = SYM_NUM, -+ .ocon_num = 0, -+ .target_platform = SEPOL_TARGET_SELINUX, -+ }, - }; - - #if 0 -@@ -2019,6 +2040,10 @@ static int read_cons_helper(policydb_t * p, constraint_node_t ** nodep, - if (p->policy_type != POLICY_KERN && - type_set_read(e->type_names, fp)) - return -1; -+ else if (p->policy_type == POLICY_KERN && -+ p->policyvers >= POLICYDB_VERSION_CONSTRAINT_NAMES && -+ type_set_read(e->type_names, fp)) -+ return -1; - break; - default: - return -1; -diff --git a/libsepol/src/services.c b/libsepol/src/services.c -index 7fac4a0..43ec07e 100644 ---- a/libsepol/src/services.c -+++ b/libsepol/src/services.c -@@ -43,6 +43,11 @@ - * Implementation of the security services. - */ - -+/* The initial sizes malloc'd for sepol_compute_av_reason_buffer() support */ -+#define REASON_BUF_SIZE 2048 -+#define EXPR_BUF_SIZE 1024 -+#define STACK_LEN 32 -+ - #include - #include - #include -@@ -54,6 +59,7 @@ - #include - #include - #include -+#include - - #include "debug.h" - #include "private.h" -@@ -70,6 +76,50 @@ static int selinux_enforcing = 1; - static sidtab_t mysidtab, *sidtab = &mysidtab; - static policydb_t mypolicydb, *policydb = &mypolicydb; - -+/* Used by sepol_compute_av_reason_buffer() to keep track of entries */ -+static int reason_buf_used; -+static int reason_buf_len; -+ -+/* Stack services for RPN to infix conversion. */ -+static char **stack; -+static int stack_len; -+static int next_stack_entry; -+ -+static void push(char * expr_ptr) -+{ -+ if (next_stack_entry >= stack_len) { -+ char **new_stack = stack; -+ int new_stack_len; -+ -+ if (stack_len == 0) -+ new_stack_len = STACK_LEN; -+ else -+ new_stack_len = stack_len * 2; -+ -+ new_stack = realloc(stack, new_stack_len * sizeof(*stack)); -+ if (!new_stack) { -+ ERR(NULL, "unable to allocate stack space"); -+ return; -+ } -+ stack_len = new_stack_len; -+ stack = new_stack; -+ } -+ stack[next_stack_entry] = expr_ptr; -+ next_stack_entry++; -+} -+ -+static char *pop(void) -+{ -+ next_stack_entry--; -+ if (next_stack_entry < 0) { -+ next_stack_entry = 0; -+ ERR(NULL, "pop called with no stack entries"); -+ return NULL; -+ } -+ return stack[next_stack_entry]; -+} -+/* End Stack services */ -+ - int hidden sepol_set_sidtab(sidtab_t * s) - { - sidtab = s; -@@ -113,20 +163,195 @@ int sepol_set_policydb_from_file(FILE * fp) - static uint32_t latest_granting = 0; - - /* -- * Return the boolean value of a constraint expression -- * when it is applied to the specified source and target -+ * cat_expr_buf adds a string to an expression buffer and handles realloc's if -+ * buffer is too small. The array of expression text buffer pointers and its -+ * counter are globally defined here as constraint_expr_eval_reason() sets -+ * them up and cat_expr_buf updates the e_buf pointer if the buffer is realloc'ed. -+ */ -+static int expr_counter; -+static char **expr_list; -+static int expr_buf_used; -+static int expr_buf_len; -+ -+static void cat_expr_buf(char *e_buf, char *string) -+{ -+ int len, new_buf_len; -+ char *p, *new_buf = e_buf; -+ -+ while (1) { -+ p = e_buf + expr_buf_used; -+ len = snprintf(p, expr_buf_len - expr_buf_used, "%s", string); -+ if (len < 0 || len >= expr_buf_len - expr_buf_used) { -+ new_buf_len = expr_buf_len + EXPR_BUF_SIZE; -+ new_buf = realloc(e_buf, new_buf_len); -+ if (!new_buf) { -+ ERR(NULL, "failed to realloc expr buffer"); -+ return; -+ } -+ /* Update the new ptr in the expr list and locally + new len */ -+ expr_list[expr_counter] = new_buf; -+ e_buf = new_buf; -+ expr_buf_len = new_buf_len; -+ } else { -+ expr_buf_used += len; -+ return; -+ } -+ } -+} -+ -+/* -+ * If the POLICY_KERN version is < POLICYDB_VERSION_CONSTRAINT_NAMES, -+ * then just return. -+ * -+ * If the POLICY_KERN version is >= POLICYDB_VERSION_CONSTRAINT_NAMES, -+ * then for 'types' only, read the types_names->types list as it will -+ * contain a list of types and attributes that were defined in the -+ * policy source. -+ */ -+static void get_names_list(constraint_expr_t *e, int type) -+{ -+ ebitmap_t *types; -+ types = &e->type_names->types; -+ int rc = 0; -+ unsigned int i; -+ char tmp_buf[128]; -+ /* if -type_names->types is 0, then output string */ -+ int empty_set = 0; -+ -+ if (policydb->policy_type == POLICY_KERN && -+ policydb->policyvers >= POLICYDB_VERSION_CONSTRAINT_NAMES && -+ type == CEXPR_TYPE) { -+ /* -+ * Process >= POLICYDB_VERSION_CONSTRAINT_NAMES with CEXPR_TYPE, then -+ * obtain the list of names defined in the policy source. -+ */ -+ cat_expr_buf(expr_list[expr_counter], "{ POLICY_SOURCE: "); -+ for (i = ebitmap_startbit(types); i < ebitmap_length(types); i++) { -+ if ((rc = ebitmap_get_bit(types, i)) == 0) -+ continue; -+ /* Collect entries */ -+ snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_type_val_to_name[i]); -+ cat_expr_buf(expr_list[expr_counter], tmp_buf); -+ empty_set++; -+ } -+ if (empty_set == 0) -+ cat_expr_buf(expr_list[expr_counter], " "); -+ cat_expr_buf(expr_list[expr_counter], "} "); -+ } -+ return; -+} -+ -+static void msgcat(char *src, char *tgt, char *rel, int failed) -+{ -+ char tmp_buf[1024]; -+ if (failed) -+ snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s -Fail-) ", -+ src, rel, tgt); -+ else -+ snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s -Pass-) ", -+ src, rel, tgt); -+ cat_expr_buf(expr_list[expr_counter], tmp_buf); -+} -+ -+/* Returns a buffer with class, statement type and permissions */ -+static char *get_class_info(sepol_security_class_t tclass, -+ constraint_node_t *constraint, -+ context_struct_t * xcontext) -+{ -+ constraint_expr_t *e; -+ int mls, state_num; -+ -+ /* Find if MLS statement or not */ -+ mls = 0; -+ for (e = constraint->expr; e; e = e->next) { -+ if (e->attr >= CEXPR_L1L2) { -+ mls = 1; -+ break; -+ } -+ } -+ -+ /* Determine statement type */ -+ char *statements[] = { -+ "constrain ", /* 0 */ -+ "mlsconstrain ", /* 1 */ -+ "validatetrans ", /* 2 */ -+ "mlsvalidatetrans ", /* 3 */ -+ 0 }; -+ -+ if (xcontext == NULL) -+ state_num = mls + 0; -+ else -+ state_num = mls + 2; -+ -+ int class_buf_len = 0; -+ int new_class_buf_len; -+ int len, buf_used; -+ char *class_buf = NULL, *p; -+ char *new_class_buf = NULL; -+ -+ while (1) { -+ new_class_buf_len = class_buf_len + EXPR_BUF_SIZE; -+ new_class_buf = realloc(class_buf, new_class_buf_len); -+ if (!new_class_buf) -+ return NULL; -+ class_buf_len = new_class_buf_len; -+ class_buf = new_class_buf; -+ buf_used = 0; -+ p = class_buf; -+ -+ /* Add statement type */ -+ len = snprintf(p, class_buf_len - buf_used, "%s", statements[state_num]); -+ if (len < 0 || len >= class_buf_len - buf_used) -+ continue; -+ -+ /* Add class entry */ -+ p += len; -+ buf_used += len; -+ len = snprintf(p, class_buf_len - buf_used, "%s ", -+ policydb->p_class_val_to_name[tclass - 1]); -+ if (len < 0 || len >= class_buf_len - buf_used) -+ continue; -+ -+ /* Add permission entries */ -+ p += len; -+ buf_used += len; -+ len = snprintf(p, class_buf_len - buf_used, "{%s } (", -+ sepol_av_to_string(policydb, tclass, constraint->permissions)); -+ if (len < 0 || len >= class_buf_len - buf_used) -+ continue; -+ break; -+ } -+ return class_buf; -+} -+ -+/* -+ * Modified version of constraint_expr_eval that will process each -+ * constraint as before but adds the information to text buffers that -+ * will hold various components. The expression will be in RPN format, -+ * therefore there is a stack based RPN to infix converter to produce -+ * the final readable constraint. -+ * -+ * Return the boolean value of a constraint expression -+ * when it is applied to the specified source and target - * security contexts. - * - * xcontext is a special beast... It is used by the validatetrans rules - * only. For these rules, scontext is the context before the transition, - * tcontext is the context after the transition, and xcontext is the context - * of the process performing the transition. All other callers of -- * constraint_expr_eval should pass in NULL for xcontext. -+ * constraint_expr_eval_reason should pass in NULL for xcontext. -+ * -+ * This function will also build a buffer as the constraint is processed -+ * for analysis. If this option is not required, then: -+ * 'tclass' should be '0' and r_buf MUST be NULL. - */ --static int constraint_expr_eval(context_struct_t * scontext, -+static int constraint_expr_eval_reason(context_struct_t * scontext, - context_struct_t * tcontext, - context_struct_t * xcontext, -- constraint_expr_t * cexpr) -+ sepol_security_class_t tclass, -+ constraint_node_t *constraint, -+ char **r_buf, -+ unsigned int flags) - { - uint32_t val1, val2; - context_struct_t *c; -@@ -136,56 +361,137 @@ static int constraint_expr_eval(context_struct_t * scontext, - int s[CEXPR_MAXDEPTH]; - int sp = -1; - -- for (e = cexpr; e; e = e->next) { -+ char tmp_buf[128]; -+ -+/* -+ * Define the s_t_x_num values that make up r1, t2 etc. in text strings -+ * Set 1 = source, 2 = target, 3 = xcontext for validatetrans -+ */ -+#define SOURCE 1 -+#define TARGET 2 -+#define XTARGET 3 -+ -+ int s_t_x_num = SOURCE; -+ -+ /* Set 0 = fail, u = CEXPR_USER, r = CEXPR_ROLE, t = CEXPR_TYPE */ -+ int u_r_t = 0; -+ -+ char *name1, *name2; -+ char *src = NULL; -+ char *tgt = NULL; -+ -+ int rc = 0, x; -+ -+ char *class_buf = NULL; -+ -+ class_buf = get_class_info(tclass, constraint, xcontext); -+ if (!class_buf) { -+ ERR(NULL, "failed to allocate class buffer"); -+ return -ENOMEM; -+ } -+ -+ /* Original function but with buffer support */ -+ int expr_list_len = 0; -+ expr_counter = 0; -+ expr_list = NULL; -+ for (e = constraint->expr; e; e = e->next) { -+ /* Allocate a stack to hold expression buffer entries */ -+ if (expr_counter >= expr_list_len) { -+ char **new_expr_list = expr_list; -+ int new_expr_list_len; -+ -+ if (expr_list_len == 0) -+ new_expr_list_len = STACK_LEN; -+ else -+ new_expr_list_len = expr_list_len * 2; -+ -+ new_expr_list = realloc(expr_list, new_expr_list_len * sizeof(*expr_list)); -+ if (!new_expr_list) { -+ ERR(NULL, "failed to allocate expr buffer stack"); -+ rc = -ENOMEM; -+ goto out; -+ } -+ expr_list_len = new_expr_list_len; -+ expr_list = new_expr_list; -+ } -+ -+ /* -+ * malloc a buffer to store each expression text component. If the -+ * buffer is too small cat_expr_buf() will realloc extra space. -+ */ -+ expr_buf_len = EXPR_BUF_SIZE; -+ expr_list[expr_counter] = malloc(expr_buf_len); -+ if (!expr_list[expr_counter]) { -+ ERR(NULL, "failed to allocate expr buffer"); -+ rc = -ENOMEM; -+ goto out; -+ } -+ expr_buf_used = 0; -+ -+ /* Now process each expression of the constraint */ - switch (e->expr_type) { - case CEXPR_NOT: - BUG_ON(sp < 0); - s[sp] = !s[sp]; -+ cat_expr_buf(expr_list[expr_counter], "not"); - break; - case CEXPR_AND: - BUG_ON(sp < 1); - sp--; - s[sp] &= s[sp + 1]; -+ cat_expr_buf(expr_list[expr_counter], "and"); - break; - case CEXPR_OR: - BUG_ON(sp < 1); - sp--; - s[sp] |= s[sp + 1]; -+ cat_expr_buf(expr_list[expr_counter], "or"); - break; - case CEXPR_ATTR: - if (sp == (CEXPR_MAXDEPTH - 1)) -- return 0; -+ goto out; -+ - switch (e->attr) { - case CEXPR_USER: - val1 = scontext->user; - val2 = tcontext->user; -+ free(src); src = strdup("u1"); -+ free(tgt); tgt = strdup("u2"); - break; - case CEXPR_TYPE: - val1 = scontext->type; - val2 = tcontext->type; -+ free(src); src = strdup("t1"); -+ free(tgt); tgt = strdup("t2"); - break; - case CEXPR_ROLE: - val1 = scontext->role; - val2 = tcontext->role; - r1 = policydb->role_val_to_struct[val1 - 1]; - r2 = policydb->role_val_to_struct[val2 - 1]; -+ name1 = policydb->p_role_val_to_name[r1->s.value - 1]; -+ name2 = policydb->p_role_val_to_name[r2->s.value - 1]; -+ snprintf(tmp_buf, sizeof(tmp_buf), "r1=%s", name1); -+ free(src); src = strdup(tmp_buf); -+ snprintf(tmp_buf, sizeof(tmp_buf), "r2=%s ", name2); -+ free(tgt); tgt = strdup(tmp_buf); -+ - switch (e->op) { - case CEXPR_DOM: -- s[++sp] = -- ebitmap_get_bit(&r1->dominates, -- val2 - 1); -+ s[++sp] = ebitmap_get_bit(&r1->dominates, val2 - 1); -+ msgcat(src, tgt, "dom", s[sp] == 0); -+ expr_counter++; - continue; - case CEXPR_DOMBY: -- s[++sp] = -- ebitmap_get_bit(&r2->dominates, -- val1 - 1); -+ s[++sp] = ebitmap_get_bit(&r2->dominates, val1 - 1); -+ msgcat(src, tgt, "domby", s[sp] == 0); -+ expr_counter++; - continue; - case CEXPR_INCOMP: -- s[++sp] = -- (!ebitmap_get_bit -- (&r1->dominates, val2 - 1) -- && !ebitmap_get_bit(&r2->dominates, -- val1 - 1)); -+ s[++sp] = (!ebitmap_get_bit(&r1->dominates, val2 - 1) -+ && !ebitmap_get_bit(&r2->dominates, val1 - 1)); -+ msgcat(src, tgt, "incomp", s[sp] == 0); -+ expr_counter++; - continue; - default: - break; -@@ -194,110 +500,327 @@ static int constraint_expr_eval(context_struct_t * scontext, - case CEXPR_L1L2: - l1 = &(scontext->range.level[0]); - l2 = &(tcontext->range.level[0]); -+ free(src); src = strdup("l1"); -+ free(tgt); tgt = strdup("l2"); - goto mls_ops; - case CEXPR_L1H2: - l1 = &(scontext->range.level[0]); - l2 = &(tcontext->range.level[1]); -+ free(src); src = strdup("l1"); -+ free(tgt); tgt = strdup("h2"); - goto mls_ops; - case CEXPR_H1L2: - l1 = &(scontext->range.level[1]); - l2 = &(tcontext->range.level[0]); -+ free(src); src = strdup("h1"); -+ free(tgt); tgt = strdup("L2"); - goto mls_ops; - case CEXPR_H1H2: - l1 = &(scontext->range.level[1]); - l2 = &(tcontext->range.level[1]); -+ free(src); src = strdup("h1"); -+ free(tgt); tgt = strdup("h2"); - goto mls_ops; - case CEXPR_L1H1: - l1 = &(scontext->range.level[0]); - l2 = &(scontext->range.level[1]); -+ free(src); src = strdup("l1"); -+ free(tgt); tgt = strdup("h1"); - goto mls_ops; - case CEXPR_L2H2: - l1 = &(tcontext->range.level[0]); - l2 = &(tcontext->range.level[1]); -- goto mls_ops; -- mls_ops: -+ free(src); src = strdup("l2"); -+ free(tgt); tgt = strdup("h2"); -+ mls_ops: - switch (e->op) { - case CEXPR_EQ: - s[++sp] = mls_level_eq(l1, l2); -+ msgcat(src, tgt, "eq", s[sp] == 0); -+ expr_counter++; - continue; - case CEXPR_NEQ: - s[++sp] = !mls_level_eq(l1, l2); -+ msgcat(src, tgt, "neq", s[sp] == 0); -+ expr_counter++; - continue; - case CEXPR_DOM: - s[++sp] = mls_level_dom(l1, l2); -+ msgcat(src, tgt, "dom", s[sp] == 0); -+ expr_counter++; - continue; - case CEXPR_DOMBY: - s[++sp] = mls_level_dom(l2, l1); -+ msgcat(src, tgt, "domby", s[sp] == 0); -+ expr_counter++; - continue; - case CEXPR_INCOMP: - s[++sp] = mls_level_incomp(l2, l1); -+ msgcat(src, tgt, "incomp", s[sp] == 0); -+ expr_counter++; - continue; - default: - BUG(); -- return 0; -+ goto out; - } - break; - default: - BUG(); -- return 0; -+ goto out; - } - - switch (e->op) { - case CEXPR_EQ: - s[++sp] = (val1 == val2); -+ msgcat(src, tgt, "eq", s[sp] == 0); - break; - case CEXPR_NEQ: - s[++sp] = (val1 != val2); -+ msgcat(src, tgt, "neq", s[sp] == 0); - break; - default: - BUG(); -- return 0; -+ goto out; - } - break; - case CEXPR_NAMES: - if (sp == (CEXPR_MAXDEPTH - 1)) -- return 0; -+ goto out; -+ s_t_x_num = SOURCE; - c = scontext; -- if (e->attr & CEXPR_TARGET) -+ if (e->attr & CEXPR_TARGET) { -+ s_t_x_num = TARGET; - c = tcontext; -- else if (e->attr & CEXPR_XTARGET) { -+ } else if (e->attr & CEXPR_XTARGET) { -+ s_t_x_num = XTARGET; - c = xcontext; -- if (!c) { -- BUG(); -- return 0; -- } - } -- if (e->attr & CEXPR_USER) -+ if (!c) { -+ BUG(); -+ goto out; -+ } -+ if (e->attr & CEXPR_USER) { -+ u_r_t = CEXPR_USER; - val1 = c->user; -- else if (e->attr & CEXPR_ROLE) -+ name1 = policydb->p_user_val_to_name[val1 - 1]; -+ snprintf(tmp_buf, sizeof(tmp_buf), "u%d=%s ", -+ s_t_x_num, name1); -+ free(src); src = strdup(tmp_buf); -+ } -+ else if (e->attr & CEXPR_ROLE) { -+ u_r_t = CEXPR_ROLE; - val1 = c->role; -- else if (e->attr & CEXPR_TYPE) -+ name1 = policydb->p_role_val_to_name[val1 - 1]; -+ snprintf(tmp_buf, sizeof(tmp_buf), "r%d=%s ", s_t_x_num, name1); -+ free(src); src = strdup(tmp_buf); -+ } -+ else if (e->attr & CEXPR_TYPE) { -+ u_r_t = CEXPR_TYPE; - val1 = c->type; -+ name1 = policydb->p_type_val_to_name[val1 - 1]; -+ snprintf(tmp_buf, sizeof(tmp_buf), -+ "t%d=%s ", s_t_x_num, name1); -+ free(src); src = strdup(tmp_buf); -+ } - else { - BUG(); -- return 0; -+ goto out; - } - - switch (e->op) { - case CEXPR_EQ: -+ switch (u_r_t) { -+ case CEXPR_USER: -+ free(tgt); tgt=strdup("USER_ENTRY"); -+ break; -+ case CEXPR_ROLE: -+ free(tgt); tgt=strdup("ROLE_ENTRY"); -+ break; -+ case CEXPR_TYPE: -+ free(tgt); tgt=strdup("TYPE_ENTRY"); -+ break; -+ default: -+ ERR(NULL, "unrecognized u_r_t Value: %d", u_r_t); -+ break; -+ } -+ - s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); -+ msgcat(src, tgt, "eq", s[sp] == 0); -+ if (s[sp] == 0) { -+ get_names_list(e, u_r_t); -+ } - break; -+ - case CEXPR_NEQ: -+ switch (u_r_t) { -+ case CEXPR_USER: -+ free(tgt); tgt=strdup("USER_ENTRY"); -+ break; -+ case CEXPR_ROLE: -+ free(tgt); tgt=strdup("ROLE_ENTRY"); -+ break; -+ case CEXPR_TYPE: -+ free(tgt); tgt=strdup("TYPE_ENTRY"); -+ break; -+ default: -+ ERR(NULL, "unrecognized u_r_t Value: %d", u_r_t); -+ break; -+ } -+ - s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); -+ msgcat(src, tgt, "neq", s[sp] == 0); -+ if (s[sp] == 0) { -+ get_names_list(e, u_r_t); -+ } - break; - default: - BUG(); -- return 0; -+ goto out; - } - break; - default: - BUG(); -- return 0; -+ goto out; - } -+ expr_counter++; -+ } -+ -+ /* -+ * At this point each expression of the constraint is in -+ * expr_list[n+1] and in RPN format. Now convert to 'infix' -+ */ -+ -+ /* -+ * Save expr count but zero expr_counter to detect if 'BUG(); goto out;' -+ * was called as we need to release any used expr_list malloc's. Normally -+ * they are released by the RPN to infix code. -+ */ -+ int expr_count = expr_counter; -+ expr_counter = 0; -+ -+ /* -+ * The array of expression answer buffer pointers and counter. Generate -+ * the same number of answer buffer entries as expression buffers (as -+ * there will never be more required). -+ */ -+ char **answer_list; -+ int answer_counter = 0; -+ -+ answer_list = malloc(expr_count * sizeof(*answer_list)); -+ if (!answer_list) { -+ ERR(NULL, "failed to allocate answer stack"); -+ rc = -ENOMEM; -+ goto out; - } - -- BUG_ON(sp != 0); -- return s[0]; -+ /* The pop operands */ -+ char *a; -+ char *b; -+ int a_len, b_len; -+ -+ /* Convert constraint from RPN to infix notation. */ -+ for (x = 0; x != expr_count; x++) { -+ if (strncmp(expr_list[x], "and", 3) == 0 || strncmp(expr_list[x], -+ "or", 2) == 0) { -+ b = pop(); -+ b_len = strlen(b); -+ a = pop(); -+ a_len = strlen(a); -+ -+ /* get a buffer to hold the answer */ -+ answer_list[answer_counter] = malloc(a_len + b_len + 8); -+ if (!answer_list[answer_counter]) { -+ ERR(NULL, "failed to allocate answer buffer"); -+ rc = -ENOMEM; -+ goto out; -+ } -+ memset(answer_list[answer_counter], '\0', a_len + b_len + 8); -+ -+ sprintf(answer_list[answer_counter], "%s %s %s", a, expr_list[x], b); -+ push(answer_list[answer_counter++]); -+ free(a); -+ free(b); -+ } else if (strncmp(expr_list[x], "not", 3) == 0) { -+ b = pop(); -+ b_len = strlen(b); -+ -+ answer_list[answer_counter] = malloc(b_len + 8); -+ if (!answer_list[answer_counter]) { -+ ERR(NULL, "failed to allocate answer buffer"); -+ rc = -ENOMEM; -+ goto out; -+ } -+ memset(answer_list[answer_counter], '\0', b_len + 8); -+ -+ if (strncmp(b, "not", 3) == 0) -+ sprintf(answer_list[answer_counter], "%s (%s)", expr_list[x], b); -+ else -+ sprintf(answer_list[answer_counter], "%s%s", expr_list[x], b); -+ push(answer_list[answer_counter++]); -+ free(b); -+ } else { -+ push(expr_list[x]); -+ } -+ } -+ /* Get the final answer from tos and build constraint text */ -+ a = pop(); -+ -+ /* Constraint calculation: rc = 0 is denied, rc = 1 is granted */ -+ sprintf(tmp_buf,"Constraint %s\n", s[0] ? "GRANTED" : "DENIED"); -+ -+ int len, new_buf_len; -+ char *p, **new_buf = r_buf; -+ /* -+ * These contain the constraint components that are added to the -+ * callers reason buffer. -+ */ -+ char *buffers[] = { class_buf, a, "); ", tmp_buf, 0 }; -+ -+ /* -+ * This will add the constraints to the callers reason buffer (who is -+ * responsible for freeing the memory). It will handle any realloc's -+ * should the buffer be too short. -+ * The reason_buf_used and reason_buf_len counters are defined globally -+ * as multiple constraints can be in the buffer. -+ */ -+ if (r_buf && ((s[0] == 0) || ((s[0] == 1 && -+ (flags & SHOW_GRANTED) == SHOW_GRANTED)))) { -+ for (x = 0; buffers[x] != NULL; x++) { -+ while (1) { -+ p = *r_buf + reason_buf_used; -+ len = snprintf(p, reason_buf_len - reason_buf_used, "%s", buffers[x]); -+ if (len < 0 || len >= reason_buf_len - reason_buf_used) { -+ new_buf_len = reason_buf_len + REASON_BUF_SIZE; -+ *new_buf = realloc(*r_buf, new_buf_len); -+ if (!new_buf) { -+ ERR(NULL, "failed to realloc reason buffer"); -+ goto out1; -+ } -+ **r_buf = **new_buf; -+ reason_buf_len = new_buf_len; -+ continue; -+ } else { -+ reason_buf_used += len; -+ break; -+ } -+ } -+ } -+ } -+ -+out1: -+ rc = s[0]; -+ free(a); -+ -+out: -+ free(class_buf); -+ free(src); -+ free(tgt); -+ -+ if (expr_counter) { -+ for (x = 0; expr_list[x] != NULL; x++) -+ free(expr_list[x]); -+ } -+ return rc; - } - - /* -@@ -309,7 +832,9 @@ static int context_struct_compute_av(context_struct_t * scontext, - sepol_security_class_t tclass, - sepol_access_vector_t requested, - struct sepol_av_decision *avd, -- unsigned int *reason) -+ unsigned int *reason, -+ char **r_buf, -+ unsigned int flags) - { - constraint_node_t *constraint; - struct role_allow *ra; -@@ -384,8 +909,8 @@ static int context_struct_compute_av(context_struct_t * scontext, - constraint = tclass_datum->constraints; - while (constraint) { - if ((constraint->permissions & (avd->allowed)) && -- !constraint_expr_eval(scontext, tcontext, NULL, -- constraint->expr)) { -+ !constraint_expr_eval_reason(scontext, tcontext, NULL, -+ tclass, constraint, r_buf, flags)) { - avd->allowed = - (avd->allowed) & ~(constraint->permissions); - } -@@ -460,8 +985,8 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid, - - constraint = tclass_datum->validatetrans; - while (constraint) { -- if (!constraint_expr_eval(ocontext, ncontext, tcontext, -- constraint->expr)) { -+ if (!constraint_expr_eval_reason(ocontext, ncontext, tcontext, -+ 0, constraint, NULL, 0)) { - return -EPERM; - } - constraint = constraint->next; -@@ -494,11 +1019,59 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid, - } - - rc = context_struct_compute_av(scontext, tcontext, tclass, -- requested, avd, reason); -+ requested, avd, reason, NULL, 0); - out: - return rc; - } - -+/* -+ * sepol_compute_av_reason_buffer - the reason buffer is malloc'd to -+ * REASON_BUF_SIZE. If the buffer size is exceeded, then it is realloc'd -+ * in the constraint_expr_eval_reason() function. -+ */ -+int hidden sepol_compute_av_reason_buffer(sepol_security_id_t ssid, -+ sepol_security_id_t tsid, -+ sepol_security_class_t tclass, -+ sepol_access_vector_t requested, -+ struct sepol_av_decision *avd, -+ unsigned int *reason, -+ char **reason_buf, -+ unsigned int flags) -+{ -+ *reason_buf = malloc(REASON_BUF_SIZE); -+ if (!*reason_buf) { -+ ERR(NULL, "failed to allocate reason buffer"); -+ return -ENOMEM; -+ } -+ /* -+ * These are defined globally as the buffer can contain multiple -+ * constraint statements so need to keep track -+ */ -+ reason_buf_used = 0; -+ reason_buf_len = REASON_BUF_SIZE; -+ -+ context_struct_t *scontext = 0, *tcontext = 0; -+ int rc = 0; -+ -+ scontext = sepol_sidtab_search(sidtab, ssid); -+ if (!scontext) { -+ ERR(NULL, "unrecognized SID %d", ssid); -+ rc = -EINVAL; -+ goto out; -+ } -+ tcontext = sepol_sidtab_search(sidtab, tsid); -+ if (!tcontext) { -+ ERR(NULL, "unrecognized SID %d", tsid); -+ rc = -EINVAL; -+ goto out; -+ } -+ -+ rc = context_struct_compute_av(scontext, tcontext, tclass, -+ requested, avd, reason, reason_buf, flags); -+out: -+ return rc; -+} -+ - int hidden sepol_compute_av(sepol_security_id_t ssid, - sepol_security_id_t tsid, - sepol_security_class_t tclass, -@@ -511,6 +1084,70 @@ int hidden sepol_compute_av(sepol_security_id_t ssid, - } - - /* -+ * Return a class ID associated with the class string specified by -+ * class_name. -+ */ -+int hidden sepol_class_name_to_id(const char *class_name, -+ sepol_security_class_t *tclass) -+{ -+ char *class = NULL; -+ sepol_security_class_t id; -+ -+ for (id = 1; ; id++) { -+ if ((class = policydb->p_class_val_to_name[id - 1]) == NULL) { -+ ERR(NULL, "could not convert %s to class id", class_name); -+ return STATUS_ERR; -+ } -+ if ((strcmp(class, class_name)) == 0) { -+ *tclass = id; -+ return STATUS_SUCCESS; -+ } -+ } -+} -+ -+/* -+ * Return access vector bit associated with the class ID and permission -+ * string. -+ */ -+int hidden sepol_perm_name_to_av(sepol_security_class_t tclass, -+ const char *perm_name, -+ sepol_access_vector_t *av) -+{ -+ class_datum_t *tclass_datum; -+ perm_datum_t *perm_datum; -+ -+ if (!tclass || tclass > policydb->p_classes.nprim) { -+ ERR(NULL, "unrecognized class %d", tclass); -+ return -EINVAL; -+ } -+ tclass_datum = policydb->class_val_to_struct[tclass - 1]; -+ -+ /* Check for unique perms then the common ones (if any) */ -+ perm_datum = (perm_datum_t *) -+ hashtab_search(tclass_datum->permissions.table, -+ (hashtab_key_t)perm_name); -+ if (perm_datum != NULL) { -+ *av = 0x1 << (perm_datum->s.value - 1); -+ return STATUS_SUCCESS; -+ } -+ -+ if (tclass_datum->comdatum == NULL) -+ goto out; -+ -+ perm_datum = (perm_datum_t *) -+ hashtab_search(tclass_datum->comdatum->permissions.table, -+ (hashtab_key_t)perm_name); -+ -+ if (perm_datum != NULL) { -+ *av = 0x1 << (perm_datum->s.value - 1); -+ return STATUS_SUCCESS; -+ } -+out: -+ ERR(NULL, "could not convert %s to av bit", perm_name); -+ return STATUS_ERR; -+} -+ -+/* - * Write the security context string representation of - * the context associated with `sid' into a dynamically - * allocated string of the correct size. Set `*scontext' -@@ -1339,7 +1976,7 @@ int hidden sepol_get_user_sids(sepol_security_id_t fromsid, - rc = context_struct_compute_av(fromcon, &usercon, - SECCLASS_PROCESS, - PROCESS__TRANSITION, -- &avd, &reason); -+ &avd, &reason, NULL, 0); - if (rc || !(avd.allowed & PROCESS__TRANSITION)) - continue; - rc = sepol_sidtab_context_to_sid(sidtab, &usercon, -diff --git a/libsepol/src/write.c b/libsepol/src/write.c -index 55992f8..6fe73e6 100644 ---- a/libsepol/src/write.c -+++ b/libsepol/src/write.c -@@ -893,8 +893,11 @@ static int write_cons_helper(policydb_t * p, - if (ebitmap_write(&e->names, fp)) { - return POLICYDB_ERROR; - } -- if (p->policy_type != POLICY_KERN && -- type_set_write(e->type_names, fp)) { -+ if ((p->policy_type != POLICY_KERN && -+ type_set_write(e->type_names, fp)) || -+ (p->policy_type == POLICY_KERN && -+ (p->policyvers >= POLICYDB_VERSION_CONSTRAINT_NAMES) && -+ type_set_write(e->type_names, fp))) { - return POLICYDB_ERROR; - } - break; -diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile -index 3980799..6624804 100644 ---- a/policycoreutils/Makefile -+++ b/policycoreutils/Makefile -@@ -1,4 +1,4 @@ --SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui -+SUBDIRS = sepolicy setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui - - INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) - -diff --git a/policycoreutils/audit2allow/Makefile b/policycoreutils/audit2allow/Makefile -index 88635d4..fc290ea 100644 ---- a/policycoreutils/audit2allow/Makefile -+++ b/policycoreutils/audit2allow/Makefile -@@ -5,14 +5,19 @@ LIBDIR ?= $(PREFIX)/lib - MANDIR ?= $(PREFIX)/share/man - LOCALEDIR ?= /usr/share/locale - --all: ; -+all: audit2why -+ -+audit2why: -+ ln -sf audit2allow audit2why - - install: all - -mkdir -p $(BINDIR) - install -m 755 audit2allow $(BINDIR) -+ (cd $(BINDIR); ln -sf audit2allow audit2why) - install -m 755 sepolgen-ifgen $(BINDIR) - -mkdir -p $(MANDIR)/man1 - install -m 644 audit2allow.1 $(MANDIR)/man1/ -+ install -m 644 audit2why.1 $(MANDIR)/man1/ - - clean: - rm -f *~ -diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow -index 8e0c396..9bd66f5 100644 ---- a/policycoreutils/audit2allow/audit2allow -+++ b/policycoreutils/audit2allow/audit2allow -@@ -18,7 +18,7 @@ - # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - # - --import sys -+import sys, os - - import sepolgen.audit as audit - import sepolgen.policygen as policygen -@@ -29,6 +29,8 @@ import sepolgen.defaults as defaults - import sepolgen.module as module - from sepolgen.sepolgeni18n import _ - import selinux.audit2why as audit2why -+import locale -+locale.setlocale(locale.LC_ALL, '') - - class AuditToPolicy: - VERSION = "%prog .1" -@@ -80,8 +82,7 @@ class AuditToPolicy: - parser.add_option("--interface-info", dest="interface_info", help="file name of interface information") - parser.add_option("--debug", dest="debug", action="store_true", default=False, - help="leave generated modules for -M") -- -- parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=False, -+ parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=(os.path.basename(sys.argv[0])=="audit2why"), - help="Translates SELinux audit messages into a description of why the access was denied") - - options, args = parser.parse_args() -diff --git a/policycoreutils/audit2allow/audit2why.1 b/policycoreutils/audit2allow/audit2why.1 -new file mode 100644 -index 0000000..a9e8893 ---- /dev/null -+++ b/policycoreutils/audit2allow/audit2why.1 -@@ -0,0 +1 @@ -+.so man1/audit2allow.1 -diff --git a/policycoreutils/audit2why/Makefile b/policycoreutils/audit2why/Makefile -deleted file mode 100644 -index 63eb8b3..0000000 ---- a/policycoreutils/audit2why/Makefile -+++ /dev/null -@@ -1,18 +0,0 @@ --# Installation directories. --PREFIX ?= $(DESTDIR)/usr --BINDIR ?= $(PREFIX)/bin --MANDIR ?= $(PREFIX)/share/man -- --TARGETS=audit2why -- --all: $(TARGETS) -- --install: all -- -mkdir -p $(BINDIR) -- install -m 755 $(TARGETS) $(BINDIR) -- -mkdir -p $(MANDIR)/man1 -- install -m 644 audit2why.1 $(MANDIR)/man1/ -- --clean: -- --relabel: -diff --git a/policycoreutils/audit2why/audit2why b/policycoreutils/audit2why/audit2why -deleted file mode 100644 -index 21a72aa..0000000 ---- a/policycoreutils/audit2why/audit2why -+++ /dev/null -@@ -1,2 +0,0 @@ --#!/bin/sh --/usr/bin/audit2allow -w $* -diff --git a/policycoreutils/audit2why/audit2why.1 b/policycoreutils/audit2why/audit2why.1 -deleted file mode 100644 -index a9e8893..0000000 ---- a/policycoreutils/audit2why/audit2why.1 -+++ /dev/null -@@ -1 +0,0 @@ --.so man1/audit2allow.1 -diff --git a/policycoreutils/gui/Makefile b/policycoreutils/gui/Makefile -index b5abbb9..1148b36 100644 ---- a/policycoreutils/gui/Makefile -+++ b/policycoreutils/gui/Makefile -@@ -1,7 +1,10 @@ - # Installation directories. - PREFIX ?= ${DESTDIR}/usr -+SYSCONFDIR ?= ${DESTDIR}/etc - BINDIR ?= $(PREFIX)/bin - SHAREDIR ?= $(PREFIX)/share/system-config-selinux -+DATADIR ?= $(PREFIX)/share -+PAMDIR ?= $(SYSCONFDIR)/pam.d - - TARGETS= \ - booleansPage.py \ -@@ -16,6 +19,7 @@ portsPage.py \ - semanagePage.py \ - statusPage.py \ - system-config-selinux.glade \ -+system-config-selinux.png \ - usersPage.py - - all: $(TARGETS) system-config-selinux.py polgengui.py -@@ -23,10 +27,21 @@ all: $(TARGETS) system-config-selinux.py polgengui.py - install: all - -mkdir -p $(SHAREDIR) - -mkdir -p $(BINDIR) -+ -mkdir -p $(DATADIR)/pixmaps -+ -mkdir -p $(DATADIR)/icons/hicolor/24x24/apps -+ -mkdir -p $(SYSCONFDIR) -+ -mkdir -p $(PAMDIR) -+ -mkdir -p $(SYSCONFDIR)/security/console.apps/system-config-selinux - install -m 755 system-config-selinux.py $(SHAREDIR) - install -m 755 polgengui.py $(SHAREDIR) - install -m 755 sepolgen $(BINDIR) - install -m 644 $(TARGETS) $(SHAREDIR) -+ install -m 644 system-config-selinux.png $(DATADIR)/pixmaps -+ install -m 644 system-config-selinux.png $(DATADIR)/icons/hicolor/24x24/apps -+ install -m 644 system-config-selinux.png $(DATADIR)/system-config-selinux -+ install -m 644 *.desktop $(DATADIR)/system-config-selinux -+ install -m 644 system-config-selinux.pam $(PAMDIR)/system-config-selinux -+ install -m 644 system-config-selinux.console $(SYSCONFDIR)/security/console.apps/system-config-selinux - - clean: - -diff --git a/policycoreutils/gui/selinux-polgengui.desktop b/policycoreutils/gui/selinux-polgengui.desktop -new file mode 100644 -index 0000000..0c2f399 ---- /dev/null -+++ b/policycoreutils/gui/selinux-polgengui.desktop -@@ -0,0 +1,67 @@ -+[Desktop Entry] -+Name=SELinux Policy Generation Tool -+Name[bn_IN]=SELinux Policy নির্মাণের সামগ্রী -+Name[ca]=Eina de generació de polítiques del SELinux -+Name[da]=Regelsætgenereringsværktøj til SELinux -+Name[de]=Tool zur Erstellung von SELinux-Richtlinien -+Name[es]=Generador de Políticas de SELinux -+Name[fi]=SELinux-käytäntöjen generointityökalu -+Name[fr]=Outil de génération de stratégies SELinux -+Name[gu]=SELinux પોલિસી બનાવટ સાધન -+Name[hi]=SELinux पॉलिसी जनन औजार -+Name[it]=Tool di generazione della policy di SELinux -+Name[ja]=SELinux ポリシー生成ツール -+Name[kn]=SELinux ಪಾಲಿಸಿ ಉತ್ಪಾದನಾ ಉಪಕರಣ -+Name[ko]=SELinux 정책 생성 도구 -+Name[ml]=SELinux പോളിസി ഉത്പാദന പ്രയോഗം -+Name[mr]=SELinux करार निर्माण साधन -+Name[nl]=SELinux tactiek generatie gereedschap -+Name[or]=SELinux ନୀତି ସୃଷ୍ଟି ଉପକରଣ -+Name[pa]=SELinux ਪਾਲਿਸੀ ਨਿਰਮਾਣ ਜੰਤਰ -+Name[pl]=Narzędzie tworzenia polityki SELinuksa -+Name[pt]=Ferramenta de Geração de Políticas SELinux -+Name[pt_BR]=Ferramenta de criação de políticas do SELinux -+Name[ru]=Средство создания политики SELinux -+Name[sv]=Genereringsverktyg för SELinuxpolicy -+Name[ta]=SELinux பாலிசி உற்பத்தி கருவி -+Name[te]=SELinux నిర్వహణ -+Name[uk]=Утиліта генерації правил SELinux -+Name[zh_CN]=SELinux 策略生成工具 -+Name[zh_TW]=SELinux 政策產生工具(SELinux Policy Generation Tool) -+Comment=Generate SELinux policy modules -+Comment[bn_IN]=SELinux নিয়মনীতির মডিউল নির্মাণ করুন -+Comment[ca]=Genera els mòduls de les polítiques de SELinux -+Comment[da]=Generér SELinux-regelsætmodul -+Comment[de]=Tool zur Erstellung von SELinux-Richtlinien -+Comment[es]=Generar módulos de política de SELinux -+Comment[fi]=Generoi SELinuxin käytäntömoduuleja -+Comment[fr]=Génére des modules de stratégie SELinux -+Comment[gu]=SELinux પોલિસી મોડ્યુલોને ઉત્પન્ન કરો -+Comment[hi]=नया पॉलिसी मॉड्यूल उत्पन्न करें -+Comment[it]=Genera moduli della politica di SELinux -+Comment[ja]=新しいポリシーモジュールの作成 -+Comment[kn]=SELinux ಪಾಲಿಸಿ ಘಟಕಗಳನ್ನು ಉತ್ಪಾದಿಸು -+Comment[ko]=SELinux 정책 모듈 생성 -+Comment[ml]=SELinux യ പോളിസി ഘങ്ങള്‍ തയ്യാറാക്കുക -+Comment[mr]=SELinux करार घटके निर्माण करा -+Comment[nl]=Maak een SELinux tactiek module aan -+Comment[or]=SELinux ନୀତି ଏକକାଂଶ ସୃଷ୍ଟିକରନ୍ତୁ -+Comment[pa]=SELinux ਪਾਲਿਸੀ ਮੈਡਿਊਲ ਬਣਾਓ -+Comment[pl]=Tworzenie nowych modułów polityki SELinuksa -+Comment[pt]=Gerar módulos de políticas SELinux -+Comment[pt_BR]=Gerar módulos de política do SELinux -+Comment[ru]=Генерация модулей политики SELinux -+Comment[sv]=Generera SELinux-policymoduler -+Comment[ta]=SELinux கொள்கை தொகுதியை உருவாக்கவும் -+Comment[te]=SELinux పాలసీ మాడ్యూళ్ళను వుద్భవింపచేయుము -+Comment[uk]=Створення модулів контролю доступу SELinux -+Comment[zh_CN]=生成 SELinux 策略模块 -+Comment[zh_TW]=產生 SELinux 政策模組 -+StartupNotify=true -+Icon=system-config-selinux -+Exec=/usr/bin/selinux-polgengui -+Type=Application -+Terminal=false -+Categories=System;Security; -+X-Desktop-File-Install-Version=0.2 -+Keywords=policy;security;selinux;avc;permission;mac; -diff --git a/policycoreutils/gui/system-config-selinux.console b/policycoreutils/gui/system-config-selinux.console -new file mode 100644 -index 0000000..42b48a3 ---- /dev/null -+++ b/policycoreutils/gui/system-config-selinux.console -@@ -0,0 +1,3 @@ -+USER=root -+PROGRAM=/usr/share/system-config-selinux/system-config-selinux.py -+SESSION=true -diff --git a/policycoreutils/gui/system-config-selinux.desktop b/policycoreutils/gui/system-config-selinux.desktop -new file mode 100644 -index 0000000..8822ce2 ---- /dev/null -+++ b/policycoreutils/gui/system-config-selinux.desktop -@@ -0,0 +1,67 @@ -+[Desktop Entry] -+Name=SELinux Management -+Name[bn_IN]=SELinux পরিচালনা -+Name[da]=Håndtering af SELinux -+Name[de]=SELinux-Management -+Name[ca]=Gestió de SELinux -+Name[es]=Administración de SELinux -+Name[fi]=SELinuxin ylläpito -+Name[fr]=Gestion de SELinux -+Name[gu]=SELinux સંચાલન -+Name[hi]=SELinux प्रबंधन -+Name[jp]=SELinux 管理 -+Name[it]=Gestione di SELinux -+Name[kn]=SELinux ವ್ಯವಸ್ಥಾಪನೆ -+Name[ko]=SELinux 관리 -+Name[ml]=SELinux മാനേജ്മെന്റ് -+Name[mr]=SELinux मॅनेजमेंट -+Name[nl]=SELinux beheer -+Name[or]=SELinux ପରିଚାଳନା -+Name[pa]=SELinux ਮੈਨੇਜਮੈਂਟ -+Name[pl]=Zarządzanie SELinuksem -+Name[pt_BR]=Gerenciamento do SELinux -+Name[pt]=Gestão de SELinux -+Name[ru]=Управление SELinux -+Name[sv]=SELinux-hantering -+Name[ta]=SELinux மேலாண்மை -+Name[te]=SELinux నిర్వహణ -+Name[uk]=Керування SELinux -+Name[zh_CN]=SELinux 管理 -+Name[zh_TW]=SELinux 管理 -+Comment=Configure SELinux in a graphical setting -+Comment[bn_IN]=গ্রাফিক্যাল পরিবেশে SELinux কনফিগার করুন -+Comment[ca]=Configura SELinuc an mode de preferències gràfiques -+Comment[da]=Konfigurér SELinux i et grafisk miljø -+Comment[de]=SELinux in einer grafischen Einstellung konfigurieren -+Comment[es]=Defina SELinux en una configuración de interfaz gráfica -+Comment[fi]=Tee SELinuxin asetukset graafisesti -+Comment[fr]=Configure SELinux dans un environnement graphique -+Comment[gu]=ગ્રાફિકલ સુયોજનમાં SELinux ને રૂપરેખાંકિત કરો -+Comment[hi]=SELinux को आलेखी सेटिंग में विन्यस्त करें -+Comment[it]=Configura SELinux in una impostazione grafica -+Comment[jp]=グラフィカルな設定画面で SELinux を設定する -+Comment[ko]=SELinux를 그래픽 사용자 인터페이스로 설정 -+Comment[kn]=SELinux ಅನ್ನು ಒಂದು ಚಿತ್ರಾತ್ಮಕ ಸಿದ್ದತೆಯಲ್ಲಿ ಸಂರಚಿಸಿ -+Comment[ml]=ഒരു ഗ്രാഫിക്കല്‍ സജ്ജീകരണത്തില്‍ SELinux ക്രമീകരിയ്ക്കുക -+Comment[mr]=ग्राफिकल सेटिंगमध्ये SELinux संरचीत करा -+Comment[nl]=Configureer SELinux in een grafische omgeving -+Comment[or]=SELinux କୁ ଆଲେଖିକ ସଂରଚନାରେ ବିନ୍ୟାସ କରନ୍ତୁ -+Comment[pa]=SELinux ਨੂੰ ਗਰਾਫੀਕਲ ਸੈਟਿੰਗ ਵਿੱਚ ਸੰਰਚਿਤ ਕਰੋ -+Comment[pl]=Konfiguracja SELinuksa w trybie graficznym -+Comment[pt]=Configurar o SELinux num ambiente gráfico -+Comment[pt_BR]=Configure o SELinux em uma configuração gráfica -+Comment[ru]=Настройка SELinux в графическом режиме -+Comment[sv]=Konfigurera SELinux i en grafisk miljö -+Comment[ta]=SELinuxஐ ஒரு வரைகலை அமைவில் கட்டமைக்கவும் -+Comment[te]=SELinuxను గ్రాఫికల్ అమర్పునందు ఆకృతీకరించుము -+Comment[uk]=Засіб для налаштування SELinux з графічним інтерфейсом -+Comment[zh_CN]=在图形设置中配置 SELinux -+Comment[zh_TW]=在圖形話設定中配置 SELinux -+StartupNotify=true -+Icon=system-config-selinux -+Exec=/usr/bin/system-config-selinux -+Type=Application -+Terminal=false -+Categories=System;Security; -+X-Desktop-File-Install-Version=0.2 -+Keywords=policy;security;selinux;avc;permission;mac; -diff --git a/policycoreutils/gui/system-config-selinux.pam b/policycoreutils/gui/system-config-selinux.pam -new file mode 100644 -index 0000000..6a8c230 ---- /dev/null -+++ b/policycoreutils/gui/system-config-selinux.pam -@@ -0,0 +1,8 @@ -+#%PAM-1.0 -+auth sufficient pam_rootok.so -+auth sufficient pam_timestamp.so -+auth include system-auth -+session required pam_permit.so -+session optional pam_xauth.so -+session optional pam_timestamp.so -+account required pam_permit.so -diff --git a/policycoreutils/gui/system-config-selinux.png b/policycoreutils/gui/system-config-selinux.png -new file mode 100644 -index 0000000..68ffcb7 -Binary files /dev/null and b/policycoreutils/gui/system-config-selinux.png differ -diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c -index 8fbf2d0..3753ef4 100644 ---- a/policycoreutils/newrole/newrole.c -+++ b/policycoreutils/newrole/newrole.c -@@ -680,7 +680,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context, - security_context_t * tty_context, - security_context_t * new_tty_context) - { -- int fd; -+ int fd, rc; - int enforcing = security_getenforce(); - security_context_t tty_con = NULL; - security_context_t new_tty_con = NULL; -@@ -699,7 +699,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context, - fprintf(stderr, _("Error! Could not open %s.\n"), ttyn); - return fd; - } -- fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); -+ /* this craziness is to make sure we cann't block on open and deadlock */ -+ rc = fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); -+ if (rc) { -+ fprintf(stderr, _("Error! Could not clear O_NONBLOCK on %s\n"), ttyn); -+ close(fd); -+ return rc; -+ } - - if (fgetfilecon(fd, &tty_con) < 0) { - fprintf(stderr, _("%s! Could not get current context " -@@ -1010,9 +1016,9 @@ int main(int argc, char *argv[]) - int fd; - pid_t childPid = 0; - char *shell_argv0 = NULL; -+ int rc; - - #ifdef USE_PAM -- int rc; - int pam_status; /* pam return code */ - pam_handle_t *pam_handle; /* opaque handle used by all PAM functions */ - -@@ -1226,15 +1232,23 @@ int main(int argc, char *argv[]) - fd = open(ttyn, O_RDONLY | O_NONBLOCK); - if (fd != 0) - goto err_close_pam; -- fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); -+ rc = fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); -+ if (rc) -+ goto err_close_pam; -+ - fd = open(ttyn, O_RDWR | O_NONBLOCK); - if (fd != 1) - goto err_close_pam; -- fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); -+ rc = fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); -+ if (rc) -+ goto err_close_pam; -+ - fd = open(ttyn, O_RDWR | O_NONBLOCK); - if (fd != 2) - goto err_close_pam; -- fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); -+ rc = fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); -+ if (rc) -+ goto err_close_pam; - - } - /* -diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile -index a377996..9c1486e 100644 ---- a/policycoreutils/po/Makefile -+++ b/policycoreutils/po/Makefile -@@ -81,12 +81,16 @@ POTFILES = \ - ../sepolicy/sepolicy/templates/var_log.py \ - ../sepolicy/sepolicy/templates/var_run.py \ - ../sepolicy/sepolicy/templates/var_spool.py \ -+ booleans.py - - #default:: clean - - all:: $(MOFILES) - --$(POTFILE): $(POTFILES) -+booleans.py: -+ sepolicy booleans -a > booleans.py -+ -+$(POTFILE): $(POTFILES) booleans.py - $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES) - @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \ - rm -f $(NLSPACKAGE).po; \ -@@ -95,6 +99,7 @@ $(POTFILE): $(POTFILES) - fi; \ - - update-po: Makefile $(POTFILE) refresh-po -+ @rm -f booleans.py - - refresh-po: Makefile - for cat in $(POFILES); do \ -diff --git a/policycoreutils/restorecond/Makefile b/policycoreutils/restorecond/Makefile -index 3074542..3b704d8 100644 ---- a/policycoreutils/restorecond/Makefile -+++ b/policycoreutils/restorecond/Makefile -@@ -5,6 +5,7 @@ LIBDIR ?= $(PREFIX)/lib - MANDIR = $(PREFIX)/share/man - AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart - DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services -+SYSTEMDDIR ?= $(DESTDIR)/usr/lib/systemd - - autostart_DATA = sealertauto.desktop - INITDIR = $(DESTDIR)/etc/rc.d/init.d -@@ -39,7 +40,8 @@ install: all - install -m 644 restorecond.desktop $(AUTOSTARTDIR)/restorecond.desktop - -mkdir -p $(DBUSSERVICEDIR) - install -m 600 org.selinux.Restorecond.service $(DBUSSERVICEDIR)/org.selinux.Restorecond.service -- -+ -mkdir -p $(SYSTEMDDIR)/system -+ install -m 644 restorecond.service $(SYSTEMDDIR)/system/ - relabel: install - /sbin/restorecon $(SBINDIR)/restorecond - -diff --git a/policycoreutils/restorecond/restorecond.service b/policycoreutils/restorecond/restorecond.service -new file mode 100644 -index 0000000..11f4ffd ---- /dev/null -+++ b/policycoreutils/restorecond/restorecond.service -@@ -0,0 +1,12 @@ -+[Unit] -+Description=Restorecon maintaining path file context -+After=syslog.target -+ConditionPathExists=/etc/selinux/restorecond.conf -+ -+[Service] -+Type=oneshot -+ExecStart=/usr/sbin/restorecond -+RemainAfterExit=yes -+ -+[Install] -+WantedBy=multi-user.target -diff --git a/policycoreutils/restorecond/user.c b/policycoreutils/restorecond/user.c -index 00a646f..2c28676 100644 ---- a/policycoreutils/restorecond/user.c -+++ b/policycoreutils/restorecond/user.c -@@ -54,6 +54,7 @@ static const char *PATH="/org/selinux/Restorecond"; - static const char *INTERFACE="org.selinux.RestorecondIface"; - static const char *RULE="type='signal',interface='org.selinux.RestorecondIface'"; - -+static int local_lock_fd = -1; - - static DBusHandlerResult - signal_filter (DBusConnection *connection __attribute__ ((__unused__)), DBusMessage *message, void *user_data) -@@ -201,17 +202,18 @@ static int local_server() { - perror("asprintf"); - return -1; - } -- int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR); -+ local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR); - if (debug_mode) - g_warning ("Lock file: %s", ptr); - - free(ptr); -- if (fd < 0) { -+ if (local_lock_fd < 0) { - if (debug_mode) - perror("open"); - return -1; - } -- if (flock(fd, LOCK_EX | LOCK_NB) < 0) { -+ if (flock(local_lock_fd, LOCK_EX | LOCK_NB) < 0) { -+ close(local_lock_fd); - if (debug_mode) - perror("flock"); - return -1; -@@ -226,6 +228,12 @@ static int local_server() { - return 0; - } - -+static void end_local_server(void) { -+ if (local_lock_fd >= 0) -+ close(local_lock_fd); -+ local_lock_fd = -1; -+} -+ - int server(int master_fd, const char *watch_file) { - GMainLoop *loop; - -@@ -253,6 +261,7 @@ int server(int master_fd, const char *watch_file) { - g_main_loop_run (loop); - - end: -+ end_local_server(); - g_main_loop_unref (loop); - return 0; - } -diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox -index b629006..6631c2d 100644 ---- a/policycoreutils/sandbox/sandbox -+++ b/policycoreutils/sandbox/sandbox -@@ -243,7 +243,7 @@ class Sandbox: - copyfile(f, "/tmp", self.__tmpdir) - copyfile(f, "/var/tmp", self.__tmpdir) - -- def __setup_sandboxrc(self, wm = "/usr/bin/matchbox-window-manager -use_titlebar no"): -+ def __setup_sandboxrc(self, wm = "/usr/bin/openbox"): - execfile =self.__homedir + "/.sandboxrc" - fd = open(execfile, "w+") - if self.__options.session: -@@ -333,7 +333,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile - - parser.add_option("-W", "--windowmanager", dest="wm", - type="string", -- default="/usr/bin/matchbox-window-manager -use_titlebar no", -+ default="/usr/bin/openbox", - help=_("alternate window manager")) - - parser.add_option("-l", "--level", dest="level", -diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8 -index 521afcd..a50eef2 100644 ---- a/policycoreutils/sandbox/sandbox.8 -+++ b/policycoreutils/sandbox/sandbox.8 -@@ -70,7 +70,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz - \fB\-W windowmanager\fR - Select alternative window manager to run within - .B sandbox -X. --Default to /usr/bin/matchbox-window-manager. -+Default to /usr/bin/openbox. - .TP - \fB\-X\fR - Create an X based Sandbox for gui apps, temporary files for -diff --git a/policycoreutils/sandbox/sandboxX.sh b/policycoreutils/sandbox/sandboxX.sh -index 23de6f6..171bb05 100644 ---- a/policycoreutils/sandbox/sandboxX.sh -+++ b/policycoreutils/sandbox/sandboxX.sh -@@ -6,6 +6,20 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8 - [ -z $2 ] && export DPI="96" || export DPI="$2" - trap "exit 0" HUP - -+mkdir -p ~/.config/openbox -+cat > ~/.config/openbox/rc.xml << EOF -+ -+ -+ -+ no -+ all -+ yes -+ -+ -+ -+EOF -+ - (/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do - export DISPLAY=:$D - cat > ~/seremote << __EOF -diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c -index dbd5977..f10df39 100644 ---- a/policycoreutils/sandbox/seunshare.c -+++ b/policycoreutils/sandbox/seunshare.c -@@ -962,7 +962,7 @@ int main(int argc, char **argv) { - char *LANG = NULL; - int rc = -1; - -- if (unshare(CLONE_NEWNS) < 0) { -+ if (unshare(CLONE_NEWNS | CLONE_NEWIPC) < 0) { - perror(_("Failed to unshare")); - goto childerr; - } -diff --git a/policycoreutils/scripts/Makefile b/policycoreutils/scripts/Makefile -index 201a988..f5d6e9d 100644 ---- a/policycoreutils/scripts/Makefile -+++ b/policycoreutils/scripts/Makefile -@@ -9,23 +9,12 @@ LOCALEDIR ?= $(PREFIX)/share/locale - .PHONY: all genhomedircon - all: fixfiles genhomedircon chcat - --genhomedircon: -- @echo "#!/bin/sh" > genhomedircon -- @echo >> genhomedircon -- @if [ -z "${SEMODULE_PATH}" ]; then \ -- echo "${USRSBINDIR}/semodule -Bn" >> genhomedircon; \ -- else \ -- echo "${SEMODULE_PATH}/semodule -Bn" >> genhomedircon; \ -- fi -- - install: all - -mkdir -p $(BINDIR) - install -m 755 chcat $(BINDIR) - install -m 755 fixfiles $(SBINDIR) -- install -m 755 genhomedircon $(USRSBINDIR) - -mkdir -p $(MANDIR)/man8 - install -m 644 fixfiles.8 $(MANDIR)/man8/ -- install -m 644 genhomedircon.8 $(MANDIR)/man8/ - install -m 644 chcat.8 $(MANDIR)/man8/ - - clean: -diff --git a/policycoreutils/scripts/genhomedircon.8 b/policycoreutils/scripts/genhomedircon.8 -deleted file mode 100644 -index 8ec509c..0000000 ---- a/policycoreutils/scripts/genhomedircon.8 -+++ /dev/null -@@ -1,24 +0,0 @@ --.TH GENHOMEDIRCON "12" "Sep 2011" "Security Enhanced Linux" "SELinux" --.SH NAME --genhomedircon \- generate SELinux file context configuration entries for user home directories --.SH SYNOPSIS --.B genhomedircon --is a script that executes --.B semodule --to rebuild the currently active SELinux policy (without reloading it) and to create the --labels for each user home directory based on directory paths returned by calls to getpwent(). -- --The latter functionality depends on the "usepasswd" parameter being set to "true" (default) --in /etc/selinux/semanage.conf. -- --This script is usually executed by --.B semanage --although this default behavior can be optionally modified by setting to "true" the --"disable-genhomedircon" in /etc/selinux/semanage.conf. -- --.SH AUTHOR --This manual page was written by --.I Dan Walsh -- --.SH "SEE ALSO" --semanage.conf(5), semodule(8), semanage(8), getpwent(3), getpwent_r(3) -diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile -new file mode 100644 -index 0000000..e15a877 ---- /dev/null -+++ b/policycoreutils/semanage/default_encoding/Makefile -@@ -0,0 +1,8 @@ -+all: -+ LDFLAGS="" python setup.py build -+ -+install: all -+ LDFLAGS="" python setup.py install --root=$(DESTDIR)/ -+ -+clean: -+ rm -rf build *~ -diff --git a/policycoreutils/semanage/default_encoding/default_encoding.c b/policycoreutils/semanage/default_encoding/default_encoding.c -new file mode 100644 -index 0000000..023b8f4 ---- /dev/null -+++ b/policycoreutils/semanage/default_encoding/default_encoding.c -@@ -0,0 +1,57 @@ -+/* -+ * Authors: -+ * John Dennis -+ * -+ * Copyright (C) 2009 Red Hat -+ * see file 'COPYING' for use and warranty information -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License as -+ * published by the Free Software Foundation. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -+ */ -+ -+#include -+ -+PyDoc_STRVAR(setdefaultencoding_doc, -+"setdefaultencoding(encoding='utf-8')\n\ -+\n\ -+Set the current default string encoding used by the Unicode implementation.\n\ -+Defaults to utf-8." -+); -+ -+static PyObject * -+setdefaultencoding(PyObject *self, PyObject *args, PyObject *kwds) -+{ -+ static char *kwlist[] = {"utf-8", NULL}; -+ char *encoding; -+ -+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "s:setdefaultencoding", kwlist, &encoding)) -+ return NULL; -+ -+ if (PyUnicode_SetDefaultEncoding(encoding)) -+ return NULL; -+ -+ Py_RETURN_NONE; -+} -+ -+static PyMethodDef methods[] = { -+ {"setdefaultencoding", (PyCFunction)setdefaultencoding, METH_VARARGS|METH_KEYWORDS, setdefaultencoding_doc}, -+ {NULL, NULL} /* sentinel */ -+}; -+ -+ -+PyMODINIT_FUNC -+initdefault_encoding_utf8(void) -+{ -+ PyUnicode_SetDefaultEncoding("utf-8"); -+ Py_InitModule3("default_encoding_utf8", methods, "Forces the default encoding to utf-8"); -+} -diff --git a/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py b/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py -new file mode 100644 -index 0000000..ccb6b8b ---- /dev/null -+++ b/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py -@@ -0,0 +1,17 @@ -+# -+# Copyright (C) 2006,2007,2008, 2009 Red Hat, Inc. -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation; either version 2 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program; if not, write to the Free Software -+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -+# -diff --git a/policycoreutils/semanage/default_encoding/setup.py b/policycoreutils/semanage/default_encoding/setup.py -new file mode 100644 -index 0000000..e2befdb ---- /dev/null -+++ b/policycoreutils/semanage/default_encoding/setup.py -@@ -0,0 +1,38 @@ -+# Authors: -+# John Dennis -+# -+# Copyright (C) 2009 Red Hat -+# see file 'COPYING' for use and warranty information -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of the GNU General Public License as -+# published by the Free Software Foundation. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program; if not, write to the Free Software -+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -+ -+from distutils.core import setup, Extension -+ -+default_encoding_utf8 = Extension('policycoreutils.default_encoding_utf8', ['default_encoding.c']) -+ -+setup(name = 'policycoreutils-default-encoding', -+ version = '0.1', -+ description = 'Forces the default encoding in Python to be utf-8', -+ long_description = 'Forces the default encoding in Python to be utf-8', -+ author = 'John Dennis', -+ author_email = 'jdennis@redhat.com', -+ maintainer = 'John Dennis', -+ maintainer_email = 'jdennis@redhat.com', -+ license = 'GPLv3+', -+ platforms = 'posix', -+ url = '', -+ download_url = '', -+ ext_modules = [default_encoding_utf8], -+ packages=["policycoreutils"], -+) -diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage -index 6e33c85..49e4709 100644 ---- a/policycoreutils/semanage/semanage -+++ b/policycoreutils/semanage/semanage -@@ -20,6 +20,7 @@ - # 02111-1307 USA - # - # -+import policycoreutils.default_encoding_utf8 - import sys, getopt, re - import seobject - import selinux -@@ -32,7 +33,7 @@ gettext.textdomain(PROGNAME) - try: - gettext.install(PROGNAME, - localedir="/usr/share/locale", -- unicode=False, -+ unicode=True, - codeset = 'utf-8') - except IOError: - import __builtin__ -diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py -index 85bc37f..02b1acd 100644 ---- a/policycoreutils/semanage/seobject.py -+++ b/policycoreutils/semanage/seobject.py -@@ -32,11 +32,10 @@ from IPy import IP - import gettext - gettext.bindtextdomain(PROGNAME, "/usr/share/locale") - gettext.textdomain(PROGNAME) --try: -- gettext.install(PROGNAME, localedir = "/usr/share/locale", unicode = 1) --except IOError: -- import __builtin__ -- __builtin__.__dict__['_'] = unicode -+ -+import gettext -+translation=gettext.translation(PROGNAME, localedir = "/usr/share/locale", fallback=True) -+_=translation.ugettext - - import syslog - -@@ -461,7 +460,9 @@ class loginRecords(semanageRecords): - if rc < 0: - raise ValueError(_("Could not check if login mapping for %s is defined") % name) - if exists: -- raise ValueError(_("Login mapping for %s is already defined") % name) -+ semanage_seuser_key_free(k) -+ return self.__modify(name, sename, serange) -+ - if name[0] == '%': - try: - grp.getgrnam(name[1:]) -@@ -731,7 +732,8 @@ class seluserRecords(semanageRecords): - if rc < 0: - raise ValueError(_("Could not check if SELinux user %s is defined") % name) - if exists: -- raise ValueError(_("SELinux user %s is already defined") % name) -+ semanage_user_key_free(k) -+ return self.__modify(name, roles, selevel, serange, prefix) - - (rc, u) = semanage_user_create(self.sh) - if rc < 0: -@@ -1274,7 +1276,8 @@ class nodeRecords(semanageRecords): - - (rc, exists) = semanage_node_exists(self.sh, k) - if exists: -- raise ValueError(_("Addr %s already defined") % addr) -+ semanage_node_key_free(k) -+ return self.__modify(addr, mask, self.protocol[proto], serange, ctype) - - (rc, node) = semanage_node_create(self.sh) - if rc < 0: -@@ -1475,7 +1478,8 @@ class interfaceRecords(semanageRecords): - if rc < 0: - raise ValueError(_("Could not check if interface %s is defined") % interface) - if exists: -- raise ValueError(_("Interface %s already defined") % interface) -+ semanage_iface_key_free(k) -+ return self.__modify(interface, serange, ctype) - - (rc, iface) = semanage_iface_create(self.sh) - if rc < 0: -@@ -1777,7 +1781,8 @@ class fcontextRecords(semanageRecords): - raise ValueError(_("Could not check if file context for %s is defined") % target) - - if exists: -- raise ValueError(_("File context for %s already defined") % target) -+ semanage_fcontext_key_free(k) -+ return self.__modify(target, type, ftype, serange, seuser) - - (rc, fcontext) = semanage_fcontext_create(self.sh) - if rc < 0: -diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile -index 4c5243a..036c418 100644 ---- a/policycoreutils/semodule/Makefile -+++ b/policycoreutils/semodule/Makefile -@@ -11,7 +11,7 @@ LDLIBS = -lsepol -lselinux -lsemanage -L$(LIBDIR) - SEMODULE_OBJS = semodule.o - - .PHONY: all semodule_path --all: semodule semodule_path -+all: semodule semodule_path genhomedircon - - semodule_path: - @echo -n $(SBINDIR) > ../scripts/semodule_path -@@ -19,11 +19,16 @@ semodule_path: - semodule: $(SEMODULE_OBJS) - $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) - -+genhomedircon: -+ ln -sf semodule genhomedircon -+ - install: all - -mkdir -p $(SBINDIR) - install -m 755 semodule $(SBINDIR) -+ (cd $(SBINDIR); ln -sf semodule genhomedircon) - test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8 - install -m 644 semodule.8 $(MANDIR)/man8/ -+ install -m 644 genhomedircon.8 $(MANDIR)/man8/ - - relabel: - -diff --git a/policycoreutils/semodule/genhomedircon.8 b/policycoreutils/semodule/genhomedircon.8 -new file mode 100644 -index 0000000..8ec509c ---- /dev/null -+++ b/policycoreutils/semodule/genhomedircon.8 -@@ -0,0 +1,24 @@ -+.TH GENHOMEDIRCON "12" "Sep 2011" "Security Enhanced Linux" "SELinux" -+.SH NAME -+genhomedircon \- generate SELinux file context configuration entries for user home directories -+.SH SYNOPSIS -+.B genhomedircon -+is a script that executes -+.B semodule -+to rebuild the currently active SELinux policy (without reloading it) and to create the -+labels for each user home directory based on directory paths returned by calls to getpwent(). -+ -+The latter functionality depends on the "usepasswd" parameter being set to "true" (default) -+in /etc/selinux/semanage.conf. -+ -+This script is usually executed by -+.B semanage -+although this default behavior can be optionally modified by setting to "true" the -+"disable-genhomedircon" in /etc/selinux/semanage.conf. -+ -+.SH AUTHOR -+This manual page was written by -+.I Dan Walsh -+ -+.SH "SEE ALSO" -+semanage.conf(5), semodule(8), semanage(8), getpwent(3), getpwent_r(3) -diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c -index 17b4fa5..6947b37 100644 ---- a/policycoreutils/semodule/semodule.c -+++ b/policycoreutils/semodule/semodule.c -@@ -19,6 +19,7 @@ - #include - #include - #include -+#include - - #include - -@@ -284,8 +285,12 @@ int main(int argc, char *argv[]) - int i, commit = 0; - int result; - int status = EXIT_FAILURE; -- -+ char *genhomedirconargv[] = { "genhomedircon", "-B", "-n" }; - create_signal_handlers(); -+ if (strcmp(basename(argv[0]), "genhomedircon") == 0) { -+ argc = 3; -+ argv=genhomedirconargv; -+ } - parse_command_line(argc, argv); - - if (build) -diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py -index 5e7415c..37cd5dd 100644 ---- a/policycoreutils/sepolicy/sepolicy/__init__.py -+++ b/policycoreutils/sepolicy/sepolicy/__init__.py -@@ -145,10 +145,7 @@ def policy(policy_file): - raise ValueError(_("Failed to read %s policy file") % policy_file) - - --policy_file = selinux.selinux_current_policy_path() --if not policy_file: -- policy_file = __get_installed_policy() -- -+policy_file = __get_installed_policy() - try: - policy(policy_file) - except ValueError, e: -diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 -index 80b6d6e..07c5ee2 100644 ---- a/policycoreutils/setfiles/restorecon.8 -+++ b/policycoreutils/setfiles/restorecon.8 -@@ -4,10 +4,10 @@ restorecon \- restore file(s) default SELinux security contexts. - - .SH "SYNOPSIS" - .B restorecon --.I [\-o outfilename] [\-R] [\-n] [\-p] [\-v] [\-e directory] pathname... -+.I [\-R] [\-n] [\-p] [\-v] [\-e directory] pathname... - .P - .B restorecon --.I \-f infilename [\-o outfilename] [\-e directory] [\-R] [\-n] [\-p] [\-v] [\-F] -+.I \-f infilename [\-e directory] [\-R] [\-n] [\-p] [\-v] [\-F] - - .SH "DESCRIPTION" - This manual page describes the -@@ -49,7 +49,7 @@ ignore files that do not exist. - don't change any file labels (passive check). - .TP - .B \-o outfilename --save list of files with incorrect context in outfilename. -+Deprecated, SELinux policy will probably block this access. Use shell redirection to save list of files with incorrect context in filename. - .TP - .B \-p - show progress by printing * every STAR_COUNT files. (If you relabel the entire OS, this will show you the percentage complete.) -diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 -index 89d2a49..12bca43 100644 ---- a/policycoreutils/setfiles/setfiles.8 -+++ b/policycoreutils/setfiles/setfiles.8 -@@ -4,7 +4,7 @@ setfiles \- set SELinux file security contexts. - - .SH "SYNOPSIS" - .B setfiles --.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname... -+.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname... - .SH "DESCRIPTION" - This manual page describes the - .BR setfiles -@@ -57,7 +57,7 @@ log changes in file labels to syslog. - don't change any file labels (passive check). - .TP - .B \-o filename --save list of files with incorrect context in filename. -+Deprecated, SELinux policy will probably block this access. Use shell redirection to save list of files with incorrect context in filename. - .TP - .B \-p - show progress by printing * every STAR_COUNT files. (If you relabel the entire OS, this will show you the percentage complete.) -diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c -index b11e49f..d3f02ae 100644 ---- a/policycoreutils/setfiles/setfiles.c -+++ b/policycoreutils/setfiles/setfiles.c -@@ -45,14 +45,14 @@ void usage(const char *const name) - { - if (iamrestorecon) { - fprintf(stderr, -- "usage: %s [-iFnprRv0] [-e excludedir] [-o filename] pathname...\n" -- "usage: %s [-iFnprRv0] [-e excludedir] [-o filename] -f filename\n", -+ "usage: %s [-iFnprRv0] [-e excludedir] pathname...\n" -+ "usage: %s [-iFnprRv0] [-e excludedir] -f filename\n", - name, name); - } else { - fprintf(stderr, -- "usage: %s [-dilnpqvFW] [-e excludedir] [-o filename] [-r alt_root_path] spec_file pathname...\n" -- "usage: %s [-dilnpqvFW] [-e excludedir] [-o filename] [-r alt_root_path] spec_file -f filename\n" -- "usage: %s -s [-dilnpqvFW] [-o filename] spec_file\n" -+ "usage: %s [-dilnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n" -+ "usage: %s [-dilnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n" -+ "usage: %s -s [-dilnpqvFW] spec_file\n" - "usage: %s -c policyfile spec_file\n", - name, name, name, name); - } -diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py -index d636091..9ca35a7 100644 ---- a/sepolgen/src/sepolgen/audit.py -+++ b/sepolgen/src/sepolgen/audit.py -@@ -259,7 +259,7 @@ class AVCMessage(AuditMessage): - raise ValueError("Error during access vector computation") - - if self.type == audit2why.CONSTRAINT: -- self.data = [] -+ self.data = [ self.data ] - if self.scontext.user != self.tcontext.user: - self.data.append("user") - if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":