diff --git a/libsemanage/man/Makefile b/libsemanage/man/Makefile index 8b2a2b9..852043d 100644 --- a/libsemanage/man/Makefile +++ b/libsemanage/man/Makefile @@ -1,9 +1,12 @@ # Installation directories. MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 +MAN5DIR ?= $(DESTDIR)/usr/share/man/man5 all: install: all mkdir -p $(MAN3DIR) + mkdir -p $(MAN5DIR) install -m 644 man3/*.3 $(MAN3DIR) + install -m 644 man5/*.5 $(MAN5DIR) diff --git a/libsemanage/man/man5/semanage.conf.5 b/libsemanage/man/man5/semanage.conf.5 new file mode 100644 index 0000000..c60bdc6 --- /dev/null +++ b/libsemanage/man/man5/semanage.conf.5 
@@ -0,0 +1,93 @@
+.TH semanage.conf "5" "September 2011" "semanage.conf" "Linux System Administration"
+.SH NAME
+semanage.conf \- global configuration file for the SELinux Management library
+.SH DESCRIPTION
+.PP
+The
+.BR semanage.conf
+file is usually located under the directory /etc/selinux and it is used for run-time configuration of the
+behavior of the SELinux Management library.
+
+.PP
+Each line should contain a configuration parameter followed by the equal sign ("=") and then followed by the configuration value for that
+parameter. Anything after the "#" symbol is ignored similarly to empty lines.
+
+.PP
+The following parameters are allowed:
+
+.RS
+.TP
+.B module-store
+Specify how the SELinux Management library should interact with the SELinux policy store. When set to "direct", the SELinux
+Management library writes to the SELinux policy module store directly (this is the default setting).
+Otherwise a socket path or a server name can be used for the argument.
+If the argument begins with "/" (as in "/foo/bar"), it represents the path to a named socket that should be used to connect the policy management
+server.
+If the argument does not begin with a "/" (as in "foo.com:4242"), it should be interpreted as the name of a remote policy management server
+to be used through a TCP connection (default port is 4242 unless a different one is specified after the server name using the colon to separate
+the two fields).
+
+.TP
+.B policy-version
+When generating the policy, by default
+.BR semanage
+will set the policy version to POLICYDB_VERSION_MAX, as defined in . Change this setting if a different
+version needs to be set for the policy.
+
+.TP
+.B expand-check
+Whether or not to check "neverallow" rules when executing all
+.BR semanage
+command. It can be set to either "0" (disabled) or "1" (enabled) and by default it is enabled. There might be a large
+penalty in execution time if this option is enabled. 
+
+.TP
+.B file-mode
+By default the permission mode for the run-time policy files is set to 0644.
+
+.TP
+.B save-previous
+It controls whether the previous module directory is saved after a successful commit to the policy store and it can be set to
+either "true" or "false". By default it is set to "false" (the previous version is deleted).
+
+.TP
+.B save-linked
+It controls whether the previously linked module is saved (with name "base.linked") after a successful commit to the policy store.
+It can be set to either "true" or "false" and by default it is set to "false" (the previous module is deleted).
+
+.TP
+.B usepasswd
+Whether or not to enable the use getpwent() to obtain a list of home directories to label. It can be set to either "true" or "false".
+By default it is set to "true".
+
+.TP
+.B disable-genhomedircon
+It controls whether or not the genhomedircon function is executed when using the
+.BR semanage
+command and it can be set to either "false" or "true". By default the genhomedircon functionality is enabled (equivalent
+to this option set to "false").
+
+.TP
+.B handle-unknown
+This option controls the kernel behavior for handling permissions defined in the kernel but missing from the actual policy.
+It can be set to "deny", "reject" or "allow".
+
+.TP
+.B bzip-blocksize
+It should be in the range 0-9. A value of 0 means no compression. By default the bzip block size is set to 9 (actual block
+size value is obtained after multiplication by 100000).
+
+.TP
+.B bzip-small
+When set to "true", the bzip algorithm shall try to reduce its system memory usage. It can be set to either "true" or "false" and
+by default it is set to "false".
+
+.SH "SEE ALSO"
+.TP
+semanage(8)
+.PP
+
+.SH AUTHOR
+This manual page was written by Guido Trentalancia .
+
+The SELinux management library was written by Tresys Technology LLC and Red Hat Inc.
diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index 847d87e..2870fa8 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -314,6 +314,8 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s)
 }
 if (strcmp(pwbuf->pw_dir, "/") == 0)
 continue;
+if (strcmp(pwbuf->pw_dir, "/root") == 0)
+continue;
 if (semanage_str_count(pwbuf->pw_dir, '/') <= 1)
 continue;
 if (!(path = strdup(pwbuf->pw_dir))) {
@@ -829,6 +831,8 @@ static genhomedircon_user_entry_t *get_users(genhomedircon_settings_t * s,
 * /root */
 continue;
 }
+if (strcmp(pwent->pw_dir, "/root") == 0)
+continue;
 if (push_user_entry(&head, name, seuname, prefix,
 pwent->pw_dir, level) != STATUS_SUCCESS) {
 *errors = STATUS_ERR;
diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index e322992..a223aa7 100644
--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
@@ -495,6 +495,7 @@ static int semanage_copy_file(const char *src, const char *dst, mode_t mode)
 int in, out, retval = 0, amount_read, n, errsv = errno;
 char tmp[PATH_MAX];
 char buf[4192];
+mode_t mask;
 
 n = snprintf(tmp, PATH_MAX, "%s.tmp", dst);
 if (n < 0 || n >= PATH_MAX)
@@ -506,13 +507,16 @@ static int semanage_copy_file(const char *src, const char *dst, mode_t mode)
 if (!mode)
 mode = S_IRUSR | S_IWUSR;
-
+
+mask = umask(0);
 if ((out = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, mode)) == -1) {
+umask(mask);
 errsv = errno;
 close(in);
 retval = -1;
 goto out;
 }
+umask(mask);
 while (retval == 0 && (amount_read = read(in, buf, sizeof(buf))) > 0) {
 if (write(out, buf, amount_read) < 0) {
 errsv = errno;
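Review bot: The `/root` guard added after the `"/"` check in get_home_dirs looks like dead code, because the `semanage_str_count(pwbuf->pw_dir, '/') <= 1` test two lines below already skips every path containing a single slash — which "/root" is, assuming semanage_str_count counts occurrences of the character. If the explicit check is meant to survive a later relaxation of that heuristic, say so beside it: `/* /root is excluded on purpose, independent of the single-component heuristic below */`. Neither test catches a passwd entry spelled "/root/" with a trailing slash, so a normalized comparison would be more robust if that case matters. get_home_dirs starts and ends outside the hunk.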
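Review bot: The new `/root` skip in get_users carries no rationale, while the neighbouring `"/"` case is explained by a comment whose tail `* /root */` is visible just above the change; a reader cannot tell whether root's home is deliberately left to the base file contexts or simply dropped. A one-line note would settle it, e.g. `/* skip /root: never emit a per-user home context for it (presumably covered by the base file contexts — confirm) */`. The comparison is an exact strcmp on the passwd home directory, so "/root/" with a trailing slash is not matched; normalizing the string before comparing would close that gap. get_users starts and ends outside the hunk.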
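Review bot: The requested `mode` still is not guaranteed to land on the file: open(2) applies its mode argument only when it creates `tmp`, so a stale or attacker-placed `tmp` is reused by O_TRUNC with its existing permissions and the umask juggling around the open changes nothing. Apply the mode explicitly once the open succeeds, e.g. `if (fchmod(out, mode) == -1) { errsv = errno; close(in); close(out); retval = -1; goto out; }` (mirroring the open() error path), or open with O_EXCL after removing any leftover, which also rules out following a planted symlink. The `umask(0)` window is process-wide and this is a library, so another thread creating a file between the two umask() calls gets no umask at all — worth a comment: `/* umask(0) so the configured file-mode applies exactly; process-wide, so not thread-safe */`. Note the flip side of the change: an over-permissive file-mode in semanage.conf (say 0666) is now applied verbatim instead of being clipped by the caller's umask, which the configuration documentation should warn about. semanage_copy_file continues past the hunk.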