diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.19.1/include/selinux/selinux.h
|
|
--- nsalibselinux/include/selinux/selinux.h 2004-10-20 16:31:36.000000000 -0400
|
|
+++ libselinux-1.19.1/include/selinux/selinux.h 2004-11-18 15:27:00.994561786 -0500
|
|
@@ -176,7 +176,7 @@
|
|
/* Match the specified media and against the media contexts
|
|
configuration and set *con to refer to the resulting context.
|
|
Caller must free con via freecon. */
|
|
-extern int matchmediacon(const char *path,
|
|
+extern int matchmediacon(const char *media,
|
|
security_context_t *con);
|
|
|
|
/*
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/checkPasswdAccess.3 libselinux-1.19.1/man/man3/checkPasswdAccess.3
|
|
--- nsalibselinux/man/man3/checkPasswdAccess.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/checkPasswdAccess.3 2004-11-18 15:27:00.995561673 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/security_compute_av.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_free.3 libselinux-1.19.1/man/man3/context_free.3
|
|
--- nsalibselinux/man/man3/context_free.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/context_free.3 2004-11-18 15:27:00.996561560 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/context_new.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_new.3 libselinux-1.19.1/man/man3/context_new.3
|
|
--- nsalibselinux/man/man3/context_new.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/context_new.3 2004-11-18 15:27:00.997561447 -0500
|
|
@@ -0,0 +1,53 @@
|
|
+.TH "context_new" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API documentation"
|
|
+.SH "NAME"
|
|
+context_new, context_str, context_free, context_type_get, context_type_set, context_range_get, context_range_set,context_role_get, context_role_set, context_user_get, context_user_set \- Routines to manipulate SELinux security contexts
|
|
+
|
|
+.SH "SYNOPSIS"
|
|
+.B #include <selinux/context.h>
|
|
+.br
|
|
+.B "context_t context_new(const char *" context_str );
|
|
+.br
|
|
+.B "const char * context_str(context_t " con );
|
|
+.br
|
|
+.B "void context_free(context_t " con );
|
|
+.br
|
|
+.B "const char * context_type_get(context_t " con );
|
|
+.br
|
|
+.B "const char * context_range_get(context_t " con );
|
|
+.br
|
|
+.B "const char * context_role_get(context_t " con );
|
|
+.br
|
|
+.B "const char * context_user_get(context_t " con );
|
|
+.br
|
|
+.B "const char * context_type_set(context_t " con ", const char* " type);
|
|
+.br
|
|
+.B "const char * context_range_set(context_t " con ", const char* " range);
|
|
+.br
|
|
+.B "const char * context_role_set(context_t " con ", const char* " role );
|
|
+.br
|
|
+.B "const char * context_user_set(context_t " con ", const char* " user );
|
|
+
|
|
+.SH "DESCRIPTION"
|
|
+ Functions to deal with security contexts in user space.
|
|
+
|
|
+context_new
|
|
+ Return a new context initialized to a context string
|
|
+
|
|
+context_str
|
|
+Return a pointer to the string value of the context_t
|
|
+Valid until the next call to context_str or context_free
|
|
+for the same context_t*
|
|
+
|
|
+context_free
|
|
+Free the storage used by a context
|
|
+
|
|
+context_type_get, context_range_get, context_role_get, context_user_get
|
|
+Get a pointer to the string value of a context component
|
|
+
|
|
+context_type_set, context_range_set, context_role_set, context_user_set
|
|
+Set a context component
|
|
+
|
|
+.SH "RETURN VALUE"
|
|
+On success, zero is returned. On failure, -1 is returned and errno is
|
|
+set appropriately.
|
|
+
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_range_get.3 libselinux-1.19.1/man/man3/context_range_get.3
|
|
--- nsalibselinux/man/man3/context_range_get.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/context_range_get.3 2004-11-18 15:27:00.998561335 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/context_new.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_range_set.3 libselinux-1.19.1/man/man3/context_range_set.3
|
|
--- nsalibselinux/man/man3/context_range_set.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/context_range_set.3 2004-11-18 15:27:00.999561222 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/context_new.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_role_get.3 libselinux-1.19.1/man/man3/context_role_get.3
|
|
--- nsalibselinux/man/man3/context_role_get.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/context_role_get.3 2004-11-18 15:27:01.035557160 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/context_new.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_role_set.3 libselinux-1.19.1/man/man3/context_role_set.3
|
|
--- nsalibselinux/man/man3/context_role_set.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/context_role_set.3 2004-11-18 15:27:01.036557048 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/context_new.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_type_get.3 libselinux-1.19.1/man/man3/context_type_get.3
|
|
--- nsalibselinux/man/man3/context_type_get.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/context_type_get.3 2004-11-18 15:27:01.037556935 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/context_new.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_type_set.3 libselinux-1.19.1/man/man3/context_type_set.3
|
|
--- nsalibselinux/man/man3/context_type_set.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/context_type_set.3 2004-11-18 15:27:01.038556822 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/context_new.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_user_get.3 libselinux-1.19.1/man/man3/context_user_get.3
|
|
--- nsalibselinux/man/man3/context_user_get.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/context_user_get.3 2004-11-18 15:27:01.040556596 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/context_new.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/context_user_set.3 libselinux-1.19.1/man/man3/context_user_set.3
|
|
--- nsalibselinux/man/man3/context_user_set.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/context_user_set.3 2004-11-18 15:27:01.041556483 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/context_new.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/getcon.3 libselinux-1.19.1/man/man3/getcon.3
|
|
--- nsalibselinux/man/man3/getcon.3 2004-10-20 16:31:36.000000000 -0400
|
|
+++ libselinux-1.19.1/man/man3/getcon.3 2004-11-18 15:27:01.042556371 -0500
|
|
@@ -8,7 +8,9 @@
|
|
.br
|
|
.BI "int getprevcon(security_context_t *" context );
|
|
.br
|
|
-.BI "int getpidcon(pid_t pid, security_context_t *" context );
|
|
+.BI "int getpidcon(pid_t " pid ", security_context_t *" context );
|
|
+.br
|
|
+.BI "int getpeercon(int " fd ", security_context_t *" context);
|
|
|
|
.SH "DESCRIPTION"
|
|
.B getcon
|
|
@@ -21,6 +23,9 @@
|
|
.B getpidcon
|
|
returns the process context for the specified PID.
|
|
|
|
+.B getpeercon
|
|
+retrieves context of peer socket, and set *context to refer to it, which must be free'd with freecon.
|
|
+
|
|
.SH "RETURN VALUE"
|
|
On error -1 is returned. On success 0 is returned.
|
|
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/get_default_context_with_role.3 libselinux-1.19.1/man/man3/get_default_context_with_role.3
|
|
--- nsalibselinux/man/man3/get_default_context_with_role.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/get_default_context_with_role.3 2004-11-18 15:27:01.043556258 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/get_ordered_context_list.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/getexeccon.3 libselinux-1.19.1/man/man3/getexeccon.3
|
|
--- nsalibselinux/man/man3/getexeccon.3 2004-10-20 16:31:36.000000000 -0400
|
|
+++ libselinux-1.19.1/man/man3/getexeccon.3 2004-11-18 15:27:01.044556145 -0500
|
|
@@ -8,6 +8,8 @@
|
|
.BI "int getexeccon(security_context_t *" context );
|
|
.br
|
|
.BI "int setexeccon(security_context_t "context );
|
|
+.br
|
|
+.BI "int rpm_execcon(unsigned int " verified ", const char *" filename ", char *const " argv "[] , char *const " envp "[]);
|
|
|
|
.SH "DESCRIPTION"
|
|
.B getexeccon
|
|
@@ -31,6 +33,11 @@
|
|
|
|
Note: Signal handlers that perform an execve must take care to
|
|
save, reset, and restore the exec context to avoid unexpected behaviors.
|
|
+.br
|
|
+
|
|
+.B rpm_execcon
|
|
+Execute a helper for rpm in an appropriate security context.
|
|
+
|
|
.SH "RETURN VALUE"
|
|
On error -1 is returned.
|
|
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/get_ordered_context_list.3 libselinux-1.19.1/man/man3/get_ordered_context_list.3
|
|
--- nsalibselinux/man/man3/get_ordered_context_list.3 2004-10-20 16:31:36.000000000 -0400
|
|
+++ libselinux-1.19.1/man/man3/get_ordered_context_list.3 2004-11-18 15:27:01.045556032 -0500
|
|
@@ -1,6 +1,6 @@
|
|
.TH "get_ordered_context_list" "3" "1 January 2004" "russell@coker.com.au" "SE Linux API documentation"
|
|
.SH "NAME"
|
|
-get_ordered_context_list, get_default_context, query_user_context \- determine context(s) for user login sessions
|
|
+get_ordered_context_list, get_default_context, query_user_context, manual_user_enter_context, get_default_context_with_role, get_default_role \- determine context(s) for user login sessions
|
|
|
|
.SH "SYNOPSIS"
|
|
.B #include <selinux/selinux.h>
|
|
@@ -14,7 +14,10 @@
|
|
.BI "int query_user_context(security_context_t *" list ", security_context_t *" newcon );
|
|
.sp
|
|
.BI "int manual_user_enter_context(const char *" user ", security_context_t *" newcon );
|
|
-
|
|
+.sp
|
|
+.BI "int get_default_type(const char *" role ", char **" type );
|
|
+.sp
|
|
+.BI "int get_default_context_with_role(const char* " user ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon ");
|
|
|
|
.SH "DESCRIPTION"
|
|
.B get_ordered_context_list
|
|
@@ -40,6 +43,15 @@
|
|
allows the user to manually enter a context as a fallback if a list of
|
|
authorized contexts could not be obtained. Caller must free via freecon.
|
|
|
|
+.B get_default_type
|
|
+Get the default type (domain) for 'role' and set 'type' to refer to it.
|
|
+ Caller must free via free().
|
|
+
|
|
+.B get_default_context_with_role
|
|
+Given a list of authorized security contexts for the user,
|
|
+ query the user to select one and set *newcon to refer to it.
|
|
+ Caller must free via freecon.
|
|
+
|
|
.SH "RETURN VALUE"
|
|
0 for success and on error -1 is returned.
|
|
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/getpeercon.3 libselinux-1.19.1/man/man3/getpeercon.3
|
|
--- nsalibselinux/man/man3/getpeercon.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/getpeercon.3 2004-11-18 15:27:01.046555919 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/getcon.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/matchmediacon.3 libselinux-1.19.1/man/man3/matchmediacon.3
|
|
--- nsalibselinux/man/man3/matchmediacon.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/matchmediacon.3 2004-11-18 15:27:01.047555807 -0500
|
|
@@ -0,0 +1,26 @@
|
|
+.TH "matchmediacon" "3" "15 November 2004" "dwalsh@redhat.com" "SE Linux API documentation"
|
|
+.SH "NAME"
|
|
+matchmediacon \- get the default security context for the specified mediatype from the policy.
|
|
+
|
|
+.SH "SYNOPSIS"
|
|
+.B #include <selinux/selinux.h>
|
|
+.sp
|
|
+.BI "int matchmediacon(const char *" media ", security_context_t *" con);"
|
|
+.br
|
|
+
|
|
+.SH "DESCRIPTION"
|
|
+.br
|
|
+.B matchmediacon
|
|
+matches the specified media type with the file contexts configuration and sets the security context "con" to refer to the resulting context.
|
|
+.sp
|
|
+.br
|
|
+.B Note:
|
|
+ Caller must free returned security context "con" using freecon.
|
|
+.SH "RETURN VALUE"
|
|
+Returns 0 on success or -1 otherwise.
|
|
+
|
|
+.SH Files
|
|
+/etc/selinux/POLICYTYPE/contexts/files/media
|
|
+
|
|
+.SH "SEE ALSO"
|
|
+.BR freecon "(3)
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/matchpathcon.3 libselinux-1.19.1/man/man3/matchpathcon.3
|
|
--- nsalibselinux/man/man3/matchpathcon.3 2004-10-20 16:31:36.000000000 -0400
|
|
+++ libselinux-1.19.1/man/man3/matchpathcon.3 2004-11-18 15:27:01.049555581 -0500
|
|
@@ -5,17 +5,22 @@
|
|
.SH "SYNOPSIS"
|
|
.B #include <selinux/selinux.h>
|
|
.sp
|
|
-.BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con);"
|
|
+.BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con);
|
|
.br
|
|
+.BI "void set_matchpathcon_printf(void (*f)(const char *fmt, ...));"
|
|
|
|
.SH "DESCRIPTION"
|
|
.br
|
|
.B matchpathcon
|
|
matches the specified pathname and mode against the file contexts configuration and sets the security context "con" to refer to the resulting context. "mode" can be 0 to disable mode matching, but should be provided whenever possible, as it may affect the matching.
|
|
-.sp
|
|
-.br
|
|
.B Note:
|
|
Caller must free returned security context "con" using freecon.
|
|
+
|
|
+.B set_matchpathcon_printf
|
|
+
|
|
+Set the function used by matchpathcon when displaying errors about the file_contexts configuration. If not set, then this defaults to fprintf(stderr, fmt, ...).
|
|
+.sp
|
|
+.br
|
|
.SH "RETURN VALUE"
|
|
Returns 0 on success or -1 otherwise.
|
|
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/rpm_execcon.3 libselinux-1.19.1/man/man3/rpm_execcon.3
|
|
--- nsalibselinux/man/man3/rpm_execcon.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/rpm_execcon.3 2004-11-18 15:27:01.050555468 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/getexeccon.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_commit_booleans.3 libselinux-1.19.1/man/man3/security_commit_booleans.3
|
|
--- nsalibselinux/man/man3/security_commit_booleans.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/security_commit_booleans.3 2004-11-18 15:27:01.051555355 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/security_load_booleans.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_compute_av.3 libselinux-1.19.1/man/man3/security_compute_av.3
|
|
--- nsalibselinux/man/man3/security_compute_av.3 2004-10-20 16:31:36.000000000 -0400
|
|
+++ libselinux-1.19.1/man/man3/security_compute_av.3 2004-11-18 15:27:01.052555242 -0500
|
|
@@ -15,6 +15,8 @@
|
|
.BI "int security_compute_relabel(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon );
|
|
.sp
|
|
.BI "int security_compute_user(security_context_t "scon ", const char *" username ", security_context_t **" con );
|
|
+.sp
|
|
+.BI "int checkPasswdAccess(access_vector_t " requested );
|
|
|
|
.SH "DESCRIPTION"
|
|
.B security_compute_av
|
|
@@ -42,6 +44,9 @@
|
|
source context. Is mainly used by
|
|
.B get_ordered_context_list.
|
|
|
|
+.B checkPasswdAccess
|
|
+This functions is a helper functions that allows you to check for a permission in the passwd class.
|
|
+
|
|
.SH "RETURN VALUE"
|
|
0 for success and on error -1 is returned.
|
|
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_get_boolean_active.3 libselinux-1.19.1/man/man3/security_get_boolean_active.3
|
|
--- nsalibselinux/man/man3/security_get_boolean_active.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/security_get_boolean_active.3 2004-11-18 15:27:01.053555130 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/security_load_booleans.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_get_boolean_names.3 libselinux-1.19.1/man/man3/security_get_boolean_names.3
|
|
--- nsalibselinux/man/man3/security_get_boolean_names.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/security_get_boolean_names.3 2004-11-18 15:27:01.055554904 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/security_load_booleans.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_get_boolean_pending.3 libselinux-1.19.1/man/man3/security_get_boolean_pending.3
|
|
--- nsalibselinux/man/man3/security_get_boolean_pending.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/security_get_boolean_pending.3 2004-11-18 15:27:01.056554791 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/security_load_booleans.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_load_booleans.3 libselinux-1.19.1/man/man3/security_load_booleans.3
|
|
--- nsalibselinux/man/man3/security_load_booleans.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/security_load_booleans.3 2004-11-18 15:27:01.057554678 -0500
|
|
@@ -0,0 +1,69 @@
|
|
+.TH "security_get_boolean_names" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation"
|
|
+.SH "NAME"
|
|
+security_load_booleans, security_set_boolean, security_commit_booleans,
|
|
+security_get_boolean_names, security_get_boolean_active, security_get_boolean_pending
|
|
+.sp
|
|
+routines for manipulating SELinux boolean values
|
|
+
|
|
+.SH "SYNOPSIS"
|
|
+.B #include <selinux/selinux.h>
|
|
+.sp
|
|
+extern int security_load_booleans(char *path);
|
|
+.br
|
|
+extern int security_get_boolean_names(char ***names, int *len);
|
|
+.br
|
|
+extern int security_get_boolean_pending(const char *name);
|
|
+.br
|
|
+extern int security_get_boolean_active(const char *name);
|
|
+.br
|
|
+extern int security_set_boolean(const char *name, int value);
|
|
+.br
|
|
+extern int security_commit_booleans(void);
|
|
+
|
|
+
|
|
+.SH "DESCRIPTION"
|
|
+
|
|
+The SELinux policy can include conditional rules that are enabled or
|
|
+disabled based on the current values of a set of policy booleans.
|
|
+These policy booleans allow runtime modification of the security
|
|
+policy without having to load a new policy.
|
|
+
|
|
+The SELinux API allows for a transaction based update. So you can set several boolean values and the commit them all at once.
|
|
+
|
|
+security_load_booleans
|
|
+.br
|
|
+Load policy boolean settings.
|
|
+ Path may be NULL, in which case the booleans are loaded from
|
|
+ the active policy boolean configuration file.
|
|
+
|
|
+security_get_boolean_names
|
|
+.br
|
|
+Returns a list of boolean names, currently supported by the loaded policy.
|
|
+
|
|
+security_get_boolean_pending
|
|
+.br
|
|
+Return pending value for boolean
|
|
+
|
|
+security_get_boolean_active
|
|
+.br
|
|
+Return active value for boolean
|
|
+
|
|
+security_set_boolean
|
|
+.br
|
|
+Set the pending value for the boolean
|
|
+
|
|
+security_commit_booleans
|
|
+.br
|
|
+Commit all pending values for the booleans.
|
|
+
|
|
+security_set_boolean
|
|
+.br
|
|
+sets the current state of a particular SELinux boolean or a list of booleans
|
|
+to a given value. The value may be 1 or true to enable the boolean, or 0 or
|
|
+false to disable it.
|
|
+
|
|
+.SH AUTHOR
|
|
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
|
+
|
|
+.SH "SEE ALSO"
|
|
+getsebool(8), booleans(8), togglesebool(8)
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/security_set_boolean.3 libselinux-1.19.1/man/man3/security_set_boolean.3
|
|
--- nsalibselinux/man/man3/security_set_boolean.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/security_set_boolean.3 2004-11-18 15:27:01.059554453 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/security_load_booleans.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_binary_policy_path.3 libselinux-1.19.1/man/man3/selinux_binary_policy_path.3
|
|
--- nsalibselinux/man/man3/selinux_binary_policy_path.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/selinux_binary_policy_path.3 2004-11-18 15:27:01.060554340 -0500
|
|
@@ -0,0 +1,75 @@
|
|
+.TH "security_get_boolean_names" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation"
|
|
+.SH "NAME"
|
|
+selinux_binary_policy_path,selinux_failsafe_context_path,selinux_removable_context_path,selinux_default_context_path, selinux_user_contexts_path, selinux_file_context_path, selinux_media_context_path, selinux_contexts_path, selinux_booleans_path
|
|
+.sp
|
|
+These functions return the paths to specific files under the
|
|
+ policy root directory.
|
|
+
|
|
+.SH "SYNOPSIS"
|
|
+.B #include <selinux/selinux.h>
|
|
+.sp
|
|
+.br
|
|
+extern const char *selinux_binary_policy_path(void);
|
|
+.br
|
|
+extern const char *selinux_failsafe_context_path(void);
|
|
+.br
|
|
+extern const char *selinux_removable_context_path(void);
|
|
+.br
|
|
+extern const char *selinux_default_context_path(void);
|
|
+.br
|
|
+extern const char *selinux_user_contexts_path(void);
|
|
+.br
|
|
+extern const char *selinux_file_context_path(void);
|
|
+.br
|
|
+extern const char *selinux_media_context_path(void);
|
|
+.br
|
|
+extern const char *selinux_contexts_path(void);
|
|
+.br
|
|
+extern const char *selinux_booleans_path(void);
|
|
+
|
|
+
|
|
+.SH "DESCRIPTION"
|
|
+
|
|
+These functions return the paths to specific files under the
|
|
+ policy root directory.
|
|
+
|
|
+.br
|
|
+selinux_binary_policy_path
|
|
+.br
|
|
+Default Binary Policy
|
|
+.sp
|
|
+selinux_failsafe_context_path
|
|
+.br
|
|
+Default failsafe context file
|
|
+.sp
|
|
+selinux_removable_context_path
|
|
+.br
|
|
+Default removeable context file
|
|
+.sp
|
|
+selinux_default_context_path
|
|
+.br
|
|
+Default context used by login programs and daemons that assume user roles.
|
|
+.sp
|
|
+selinux_user_contexts_path
|
|
+.br
|
|
+Default user context file; used by login programs for default login context
|
|
+.sp
|
|
+selinux_file_context_path
|
|
+.br
|
|
+Default file context file used restorecon
|
|
+.sp
|
|
+selinux_media_context_path
|
|
+.br
|
|
+Default media context file use to set contexts on media devices (cdrom, floppies)
|
|
+.sp
|
|
+selinux_contexts_path
|
|
+.br
|
|
+Parent directory of context files
|
|
+.sp
|
|
+selinux_booleans_path
|
|
+.br
|
|
+Boolean file path, used by boolean manipulation tools
|
|
+
|
|
+.SH AUTHOR
|
|
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
|
+
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_booleans_path.3 libselinux-1.19.1/man/man3/selinux_booleans_path.3
|
|
--- nsalibselinux/man/man3/selinux_booleans_path.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/selinux_booleans_path.3 2004-11-18 15:27:01.061554227 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/selinux_binary_policy_path.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_contexts_path.3 libselinux-1.19.1/man/man3/selinux_contexts_path.3
|
|
--- nsalibselinux/man/man3/selinux_contexts_path.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/selinux_contexts_path.3 2004-11-18 15:27:01.062554114 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/selinux_binary_policy_path.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_default_context_path.3 libselinux-1.19.1/man/man3/selinux_default_context_path.3
|
|
--- nsalibselinux/man/man3/selinux_default_context_path.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/selinux_default_context_path.3 2004-11-18 15:27:01.064553889 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/selinux_binary_policy_path.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_failsafe_context_path.3 libselinux-1.19.1/man/man3/selinux_failsafe_context_path.3
|
|
--- nsalibselinux/man/man3/selinux_failsafe_context_path.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/selinux_failsafe_context_path.3 2004-11-18 15:27:01.065553776 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/selinux_binary_policy_path.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_file_context_path.3 libselinux-1.19.1/man/man3/selinux_file_context_path.3
|
|
--- nsalibselinux/man/man3/selinux_file_context_path.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/selinux_file_context_path.3 2004-11-18 15:27:01.066553663 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/selinux_binary_policy_path.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_media_context_path.3 libselinux-1.19.1/man/man3/selinux_media_context_path.3
|
|
--- nsalibselinux/man/man3/selinux_media_context_path.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/selinux_media_context_path.3 2004-11-18 15:27:01.067553550 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/selinux_binary_policy_path.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_removable_context_path.3 libselinux-1.19.1/man/man3/selinux_removable_context_path.3
|
|
--- nsalibselinux/man/man3/selinux_removable_context_path.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/selinux_removable_context_path.3 2004-11-18 15:27:01.072552986 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/selinux_binary_policy_path.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/selinux_user_contexts_path.3 libselinux-1.19.1/man/man3/selinux_user_contexts_path.3
|
|
--- nsalibselinux/man/man3/selinux_user_contexts_path.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/selinux_user_contexts_path.3 2004-11-18 15:27:01.073552873 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/selinux_binary_policy_path.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/set_matchpathcon_printf.3 libselinux-1.19.1/man/man3/set_matchpathcon_printf.3
|
|
--- nsalibselinux/man/man3/set_matchpathcon_printf.3 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man3/set_matchpathcon_printf.3 2004-11-18 15:27:01.075552648 -0500
|
|
@@ -0,0 +1 @@
|
|
+.so man3/matchpathcon.3
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/avcstat.8 libselinux-1.19.1/man/man8/avcstat.8
|
|
--- nsalibselinux/man/man8/avcstat.8 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man8/avcstat.8 2004-11-18 16:28:55.008507362 -0500
|
|
@@ -0,0 +1,28 @@
|
|
+.TH "avcstat" "8" "18 Nov 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
|
|
+.SH "NAME"
|
|
+avcstat \- Display SELinux AVC statistics
|
|
+
|
|
+.SH "SYNOPSIS"
|
|
+.B avcstat
|
|
+.I [-c] [-f status_file] [interval]
|
|
+
|
|
+.SH "DESCRIPTION"
|
|
+.B avcstat
|
|
+
|
|
+Display SELinux AVC statistics. If the interval parameter is specified, the
|
|
+program will loop, displaying updated statistics every 'interval' seconds.
|
|
+Relative values are displayed by default.
|
|
+
|
|
+.SH OPTIONS
|
|
+.TP
|
|
+.B \-c
|
|
+Display the cumulative values.
|
|
+
|
|
+.TP
|
|
+.B \-f
|
|
+Specifies the location of the AVC statistics file, defaulting to '/selinux/avc/cache_stats'.
|
|
+
|
|
+.SH AUTHOR
|
|
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
|
+The program was written by James Morris <jmorris@redhat.com>.
|
|
+
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/getsebool.8 libselinux-1.19.1/man/man8/getsebool.8
|
|
--- nsalibselinux/man/man8/getsebool.8 2004-11-02 14:26:19.000000000 -0500
|
|
+++ libselinux-1.19.1/man/man8/getsebool.8 2004-11-18 15:27:01.076552535 -0500
|
|
@@ -8,13 +8,12 @@
|
|
|
|
.SH "DESCRIPTION"
|
|
.B getsebool
|
|
-reports the current state of either a particular SELinux boolean or
|
|
-all SELinux booleans. The state consists of two values, the active
|
|
-value and the pending value. The active value indicates the value
|
|
-that is presently applied to the policy. The pending value indicates
|
|
+reports where a particular SELinux boolean or
|
|
+all SELinux booleans are active or inactive.
|
|
+In certain situations a boolean can be in one state with a pending
|
|
+change to the other state. getsebool will report this as a pending change.
|
|
+The pending value indicates
|
|
the value that will be applied upon the next boolean commit.
|
|
-Typically, these values will be the same; they only differ when in the
|
|
-middle of a boolean change transaction.
|
|
|
|
The setting of boolean values occurs in two stages; first the pending
|
|
value is changed, then the booleans are committed, causing their
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/avcstat.c libselinux-1.19.1/utils/avcstat.c
|
|
--- nsalibselinux/utils/avcstat.c 1969-12-31 19:00:00.000000000 -0500
|
|
+++ libselinux-1.19.1/utils/avcstat.c 2004-11-18 16:19:13.230149764 -0500
|
|
@@ -0,0 +1,224 @@
|
|
+/*
|
|
+ * avcstat - Display SELinux avc statistics.
|
|
+ *
|
|
+ * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or modify
|
|
+ * it under the terms of the GNU General Public License version 2,
|
|
+ * as published by the Free Software Foundation.
|
|
+ *
|
|
+ */
|
|
+#include <stdio.h>
|
|
+#include <stdlib.h>
|
|
+#include <libgen.h>
|
|
+#include <stdarg.h>
|
|
+#include <errno.h>
|
|
+#include <string.h>
|
|
+#include <fcntl.h>
|
|
+#include <unistd.h>
|
|
+#include <signal.h>
|
|
+#include <sys/types.h>
|
|
+#include <sys/stat.h>
|
|
+#include <sys/ioctl.h>
|
|
+#include <linux/limits.h>
|
|
+
|
|
+#define DEF_STAT_FILE "/avc/cache_stats"
|
|
+#define DEF_BUF_SIZE 8192
|
|
+#define HEADERS "lookups hits misses allocations reclaims frees"
|
|
+
|
|
+struct avc_cache_stats {
|
|
+ unsigned int lookups;
|
|
+ unsigned int hits;
|
|
+ unsigned int misses;
|
|
+ unsigned int allocations;
|
|
+ unsigned int reclaims;
|
|
+ unsigned int frees;
|
|
+};
|
|
+
|
|
+static int interval;
|
|
+static int rows;
|
|
+static char *progname;
|
|
+static char buf[DEF_BUF_SIZE];
|
|
+
|
|
+/* selinuxfs mount point */
|
|
+extern char *selinux_mnt;
|
|
+
|
|
+
|
|
+static void die(const char *msg, ...)
|
|
+{
|
|
+ va_list args;
|
|
+
|
|
+ fputs("ERROR: ", stderr);
|
|
+
|
|
+ va_start(args, msg);
|
|
+ vfprintf(stderr, msg, args);
|
|
+ va_end(args);
|
|
+
|
|
+ if (errno)
|
|
+ fprintf(stderr, ": %s", strerror(errno));
|
|
+
|
|
+ fputc('\n', stderr);
|
|
+ exit(1);
|
|
+}
|
|
+
|
|
+static void usage(void)
|
|
+{
|
|
+ printf("\nUsage: %s [-c] [-f status_file] [interval]\n\n", progname);
|
|
+ printf("Display SELinux AVC statistics. If the interval parameter is specified, the\n");
|
|
+ printf("program will loop, displaying updated statistics every \'interval\' seconds.\n");
|
|
+ printf("Relative values are displayed by default. Use the -c option to specify the\n");
|
|
+ printf("display of cumulative values. The -f option specifies the location of the\n");
|
|
+ printf("AVC statistics file, defaulting to \'%s\%s\'.\n\n", selinux_mnt, DEF_STAT_FILE);
|
|
+}
|
|
+
|
|
+static void set_window_rows(void)
|
|
+{
|
|
+ int ret;
|
|
+ struct winsize ws;
|
|
+
|
|
+ ret = ioctl(fileno(stdout), TIOCGWINSZ, &ws);
|
|
+ if (ret < 0 || ws.ws_row < 3)
|
|
+ ws.ws_row = 24;
|
|
+ rows = ws.ws_row;
|
|
+}
|
|
+
|
|
+static void sighandler(int num)
|
|
+{
|
|
+ if (num == SIGWINCH)
|
|
+ set_window_rows();
|
|
+}
|
|
+
|
|
+int main(int argc, char **argv)
|
|
+{
|
|
+ int fd, i, cumulative = 0;
|
|
+ struct sigaction sa;
|
|
+ char avcstatfile[PATH_MAX];
|
|
+ snprintf(avcstatfile, sizeof avcstatfile, "%s%s", selinux_mnt, DEF_STAT_FILE);
|
|
+ progname = basename(argv[0]);
|
|
+
|
|
+ while((i = getopt(argc, argv, "cf:h?-")) != -1) {
|
|
+ switch (i) {
|
|
+ case 'c':
|
|
+ cumulative = 1;
|
|
+ break;
|
|
+ case 'f':
|
|
+ strncpy(avcstatfile, optarg, sizeof avcstatfile);
|
|
+ break;
|
|
+ case 'h':
|
|
+ case '-':
|
|
+ usage();
|
|
+ exit(0);
|
|
+ default:
|
|
+ usage();
|
|
+ die("unrecognized parameter", i);
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (optind < argc) {
|
|
+ char *arg = argv[optind];
|
|
+ unsigned int n = strtoul(arg, NULL, 10);
|
|
+
|
|
+ if (errno == ERANGE) {
|
|
+ usage();
|
|
+ die("invalid interval \'%s\'", arg);
|
|
+ }
|
|
+ if (n == 0) {
|
|
+ usage();
|
|
+ exit (0);
|
|
+ }
|
|
+ interval = n;
|
|
+ }
|
|
+
|
|
+ sa.sa_handler = sighandler;
|
|
+ sa.sa_flags = SA_RESTART;
|
|
+
|
|
+ i = sigaction(SIGWINCH, &sa, NULL);
|
|
+ if (i < 0)
|
|
+ die("sigaction");
|
|
+
|
|
+ set_window_rows();
|
|
+ fd = open(avcstatfile, O_RDONLY);
|
|
+ if (fd < 0)
|
|
+ die("open: \'%s\'", avcstatfile);
|
|
+
|
|
+ for (i = 0;; i++) {
|
|
+ char *line;
|
|
+ ssize_t ret, parsed = 0;
|
|
+ struct avc_cache_stats tot, rel, last;
|
|
+
|
|
+ memset(buf, 0, DEF_BUF_SIZE);
|
|
+ ret = read(fd, buf, DEF_BUF_SIZE);
|
|
+ if (ret < 0)
|
|
+ die("read");
|
|
+
|
|
+ if (ret == 0)
|
|
+ die("read: \'%s\': unexpected end of file", avcstatfile);
|
|
+
|
|
+ line = strtok(buf, "\n");
|
|
+ if (!line)
|
|
+ die("unable to parse \'%s\': end of line not found", avcstatfile);
|
|
+
|
|
+ if (strcmp(line, HEADERS))
|
|
+ die("unable to parse \'%s\': invalid headers", avcstatfile);
|
|
+
|
|
+ if (!i || !(i % (rows - 2)))
|
|
+ printf("%10s %10s %10s %10s %10s %10s\n", "lookups",
|
|
+ "hits", "misses", "allocs", "reclaims", "frees");
|
|
+
|
|
+ memset(&tot, 0, sizeof(tot));
|
|
+
|
|
+ while ((line = strtok(NULL, "\n"))) {
|
|
+ struct avc_cache_stats tmp;
|
|
+
|
|
+ ret = sscanf(line, "%u %u %u %u %u %u",
|
|
+ &tmp.lookups,
|
|
+ &tmp.hits,
|
|
+ &tmp.misses,
|
|
+ &tmp.allocations,
|
|
+ &tmp.reclaims,
|
|
+ &tmp.frees);
|
|
+ if (ret != 6)
|
|
+ die("unable to parse \'%s\': scan error", avcstatfile);
|
|
+
|
|
+ tot.lookups += tmp.lookups;
|
|
+ tot.hits += tmp.hits;
|
|
+ tot.misses += tmp.misses;
|
|
+ tot.allocations += tmp.allocations;
|
|
+ tot.reclaims += tmp.reclaims;
|
|
+ tot.frees += tmp.frees;
|
|
+ parsed = 1;
|
|
+ }
|
|
+
|
|
+ if (!parsed)
|
|
+ die("unable to parse \'%s\': no data", avcstatfile);
|
|
+
|
|
+ if (cumulative || (!cumulative && !i))
|
|
+ printf("%10u %10u %10u %10u %10u %10u\n",
|
|
+ tot.lookups, tot.hits, tot.misses,
|
|
+ tot.allocations, tot.reclaims, tot.frees);
|
|
+ else {
|
|
+ rel.lookups = tot.lookups - last.lookups;
|
|
+ rel.hits = tot.hits - last.hits;
|
|
+ rel.misses = tot.misses - last.misses;
|
|
+ rel.allocations = tot.allocations - last.allocations;
|
|
+ rel.reclaims = tot.reclaims - last.reclaims;
|
|
+ rel.frees = tot.frees - last.frees;
|
|
+ printf("%10u %10u %10u %10u %10u %10u\n",
|
|
+ rel.lookups, rel.hits, rel.misses,
|
|
+ rel.allocations, rel.reclaims, rel.frees);
|
|
+ }
|
|
+
|
|
+ if (!interval)
|
|
+ break;
|
|
+
|
|
+ memcpy(&last, &tot, sizeof(last));
|
|
+ sleep(interval);
|
|
+
|
|
+ ret = lseek(fd, 0, 0);
|
|
+ if (ret < 0)
|
|
+ die("lseek");
|
|
+ }
|
|
+
|
|
+ close(fd);
|
|
+ return 0;
|
|
+}
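Review bot: `last` is declared inside the for body (`struct avc_cache_stats tot, rel, last;`), so on every iteration after the first its lifetime has already ended and `rel.lookups = tot.lookups - last.lookups` reads an indeterminate value; it only works because the same stack slot happens to survive, so hoist the declaration out of the loop. Two other spots in the same hunk need the same care: `struct sigaction sa` is never cleared, so `sa.sa_mask` reaches sigaction() uninitialised (add `sigemptyset(&sa.sa_mask);`), and `read(fd, buf, DEF_BUF_SIZE)` can fill the whole buffer with no terminating NUL, after which `strtok(buf, "\n")` walks past the end — read at most `DEF_BUF_SIZE - 1`. The `-f` path is copied with `strncpy(avcstatfile, optarg, sizeof avcstatfile)`, which leaves `avcstatfile` unterminated for an argument of PATH_MAX bytes or more; a bounded `snprintf` with a truncation check is the safer form. Smaller nits: the usage() string `\'%s\%s\'` contains the non-standard escape `\%`, `strtoul` is called without zeroing `errno` first so the `ERANGE` test can fire on a stale value, and `lseek(fd, 0, 0)` should spell `SEEK_SET`.
```c
int main(int argc, char **argv)
{
	int fd, i, cumulative = 0;
	struct sigaction sa;
	struct avc_cache_stats tot, rel, last;	/* last must outlive one loop iteration */
	char avcstatfile[PATH_MAX];
	/* … unchanged: progname, -c/-h/default option handling … */
		case 'f':
			if (snprintf(avcstatfile, sizeof avcstatfile, "%s", optarg) >= (int)sizeof avcstatfile)
				die("status file path too long");
			break;
	/* … unchanged: interval parsing … */
	memset(&sa, 0, sizeof sa);
	sigemptyset(&sa.sa_mask);
	sa.sa_handler = sighandler;
	sa.sa_flags = SA_RESTART;
	/* … unchanged: sigaction(), set_window_rows(), open() … */
	for (i = 0;; i++) {
		char *line;
		ssize_t ret, parsed = 0;

		memset(buf, 0, DEF_BUF_SIZE);
		ret = read(fd, buf, DEF_BUF_SIZE - 1);	/* keep the terminating NUL for strtok */
		/* … unchanged: header check, per-line parsing, output, sleep … */
		ret = lseek(fd, 0, SEEK_SET);
```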
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/getsebool.c libselinux-1.19.1/utils/getsebool.c
|
|
--- nsalibselinux/utils/getsebool.c 2004-11-09 09:13:54.000000000 -0500
|
|
+++ libselinux-1.19.1/utils/getsebool.c 2004-11-18 15:27:01.077552422 -0500
|
|
@@ -83,8 +83,14 @@
|
|
rc = -1;
|
|
goto out;
|
|
}
|
|
- printf("%s --> active: %d pending: %d\n", names[i],
|
|
- active, pending);
|
|
+ if (pending != active) {
|
|
+ printf("%s --> %s pending: %s\n", names[i],
|
|
+ ( active ? "active" : "inactive"),
|
|
+ ( pending ? "active" : "inactive"));
|
|
+ } else {
|
|
+ printf("%s --> %s\n", names[i],
|
|
+ ( active ? "active" : "inactive"));
|
|
+ }
|
|
}
|
|
|
|
out:
|
|
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/setsebool.c libselinux-1.19.1/utils/setsebool.c
|
|
--- nsalibselinux/utils/setsebool.c 2004-11-09 09:13:54.000000000 -0500
|
|
+++ libselinux-1.19.1/utils/setsebool.c 2004-11-18 15:27:01.078552309 -0500
|
|
@@ -35,6 +35,8 @@
|
|
|
|
if (strcmp(argv[1], "-P") == 0) {
|
|
permanent = 1;
|
|
+ if (argc < 3)
|
|
+ usage();
|
|
start = 2;
|
|
}
|
|
else
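Review bot: The added `if (argc < 3) usage();` only guards the `-P` branch correctly if usage() never returns; the code falls straight through to `start = 2`, and usage() is defined outside this hunk, so whether it calls exit() cannot be confirmed here. If it does return, make the intent explicit with `if (argc < 3) { usage(); return 1; }` or `exit(1)` (whichever matches the existing usage() convention in this file), and consider stating in a comment that `-P` requires at least one boolean argument after it. The enclosing function starts before the hunk.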
|