policycoreutils/policycoreutils-rhat.patch

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.29.26/audit2allow/audit2allow
--- nsapolicycoreutils/audit2allow/audit2allow	2005-12-08 12:52:44.000000000 -0500
+++ policycoreutils-1.29.26/audit2allow/audit2allow	2006-03-06 09:44:31.000000000 -0500
@@ -25,6 +25,118 @@
 #
 #  
 import commands, sys, os, pwd, string, getopt, re, selinux
+
+obj="(\{[^\}]*\}|[^ \t:]*)"
+allow_regexp="allow[ \t]+%s[ \t]*%s[ \t]*:[ \t]*%s[ \t]*%s" % (obj, obj, obj, obj)
+
+awk_script='/^[[:blank:]]*interface[[:blank:]]*\(/ {\n\
+        IFACEFILE=FILENAME\n\
+	IFACENAME = gensub("^[[:blank:]]*interface[[:blank:]]*\\\\(\`?","","g",$0);\n\
+	IFACENAME = gensub("\'?,.*$","","g",IFACENAME);\n\
+}\n\
+\n\
+/^[[:blank:]]*allow[[:blank:]]+.*;[[:blank:]]*$/ {\n\
+\n\
+  if ((length(IFACENAME) > 0) && (IFACEFILE == FILENAME)){\n\
+		ALLOW = gensub("^[[:blank:]]*","","g",$0)\n\
+		ALLOW = gensub(";[[:blank:]]*$","","g",$0)\n\
+		print FILENAME "\\t" IFACENAME "\\t" ALLOW;\n\
+	}\n\
+}\
+'
+
+class accessTrans:
+    def __init__(self):
+        self.dict={}
+	try:
+		fd=open("/usr/share/selinux/devel/include/support/obj_perm_sets.spt")
+	except IOError, error:
+		raise IOError("Reference policy generation requires the policy development package.\n%s" % error)
+        records=fd.read().split("\n")
+        regexp="^define *\(`([^']*)' *, *` *\{([^}]*)}'"
+        for r in records:
+            m=re.match(regexp,r)
+            if m!=None:
+                self.dict[m.groups()[0]] = m.groups()[1].split()
+        fd.close()
+    def get(self, var):
+        l=[]
+        for v in var:
+            if v in self.dict.keys():
+                l += self.dict[v]
+            else:
+                if v not in ("{", "}"):
+                    l.append(v)
+        return l
+
+class interfaces:
+    def __init__(self):
+        self.dict={}
+        trans=accessTrans()
+	(input, output) = os.popen2("awk -f - /usr/share/selinux/devel/include/*/*.if 2> /dev/null")
+	input.write(awk_script)
+	input.close()
+	records=output.read().split("\n")
+	input.close()
+        if len(records) > 0:
+            regexp="([^ \t]*)[ \t]+([^ \t]*)[ \t]+%s" % allow_regexp
+            for r in records:
+                m=re.match(regexp,r)
+                if m==None:
+                    continue
+                else:
+                    val=m.groups()
+                file=os.path.basename(val[0]).split(".")[0]
+                iface=val[1]
+                Scon=val[2].split()
+                Tcon=val[3].split()
+                Class=val[4].split()
+                Access=trans.get(val[5].split())
+                for s in Scon:
+                    for t in Tcon:
+                        for c in Class:
+                            if (s, t, c) not in self.dict.keys():
+                                self.dict[(s, t, c)]=[]
+                            self.dict[(s, t, c)].append((Access, file, iface))
+    def out(self):
+        keys=self.dict.keys()
+        keys.sort()
+        for k in keys:
+            print k
+            for i in self.dict[k]:
+                print "\t", i
+                
+    def match(self, Scon, Tcon, Class, Access):
+        keys=self.dict.keys()
+        ret=[]
+        if (Scon, Tcon, Class) in keys:
+            for i in self.dict[(Scon, Tcon, Class)]:
+                if Access in i[0]:
+                    if i[2].find(Access) >= 0:
+                        ret.insert(0, i)
+                    else:
+                        ret.append(i)
+            return ret
+        if ("$1", Tcon, Class) in keys:
+            for i in self.dict[("$1", Tcon, Class)]:
+                if Access in i[0]:
+                    if i[2].find(Access) >= 0:
+                        ret.insert(0, i)
+                    else:
+                        ret.append(i)
+            return ret
+        if (Scon, "$1", Class) in keys:
+            for i in self.dict[(Scon, "$1", Class)]:
+                if Access in i[0]:
+                    if i[2].find(Access) >= 0:
+                        ret.insert(0, i)
+                    else:
+                        ret.append(i)
+            return ret
+        else:
+            return ret
+        
+
 class serule:
 	def __init__(self, type, source, target, seclass):
 		self.type=type
@@ -32,6 +144,8 @@
 		self.target=target
 		self.seclass=seclass
 		self.avcinfo={}
+		self.iface=None
+		
 	def add(self, avc):
 		for a in avc[0]:
 			if a not in self.avcinfo.keys():
@@ -67,6 +181,33 @@
 					ret=ret + " : " + i 
 		return ret
 		
+	def gen_reference_policy(self, iface):
+		ret=""
+		Scon=self.source
+		Tcon=self.gettarget()
+		Class=self.seclass
+		Access=self.getAccess()
+		m=iface.match(Scon,Tcon,Class,Access)
+		if len(m)==0:
+			return self.out()
+		else:
+			file=m[0][1]
+			ret="\n#%s\n"% self.out()
+			ret += "optional_policy(`%s', `\n" % m[0][1]
+			first=True
+			for i in m:
+				if file != i[1]:
+					ret += "')\ngen_require(`%s', `\n" % i[1]
+					file = i[1]
+					first=True
+				if first:
+					ret += "\t%s(%s)\n" % (i[2], Scon)
+					first=False
+				else:
+					ret += "#\t%s(%s)\n" % (i[2], Scon)
+			ret += "');"
+		return ret
+		
 	def gettarget(self):
 		if self.source == self.target:
 			return "self"
@@ -81,7 +222,12 @@
 		self.types=[]
 		self.roles=[]
 		self.load(input, te_ind)
-		
+		self.gen_ref_policy = False
+
+	def gen_reference_policy(self):
+		self.gen_ref_policy = True
+		self.iface=interfaces()
+
 	def warning(self, error):
 		sys.stderr.write("%s: " % sys.argv[0])
 		sys.stderr.write("%s\n" % error)
@@ -104,7 +250,8 @@
 			while line:
 				rec=line.split()
 				for i in rec:
-					if i=="avc:" or i=="message=avc:":
+					if i=="avc:" or i=="message=avc:" or i=="msg='avc:":
+
 						found=1
 					else:
 						avc.append(i)
@@ -166,7 +313,7 @@
 		self.add_seclass(seclass, access)
 		self.add_type(tcon)
 		self.add_type(scon)
-		if (type, scon, tcon, seclass) not in self.seRules.keys():
+		if (rule_type, scon, tcon, seclass) not in self.seRules.keys():
 			self.seRules[(rule_type, scon, tcon, seclass)]=serule(rule_type, scon, tcon, seclass)
 				
 		self.seRules[(rule_type, scon, tcon, seclass)].add((access, msg, comm, name ))
@@ -182,9 +329,10 @@
 		if "security_compute_sid" in avc:
 			return
 		
+		if "load_policy" in avc and self.last_reload:
+			self.seRules={}
+
 		if "granted" in avc:
-			if "load_policy" in avc and self.last_reload:
-				self.seRules={}
 			return
 		try:
 			for i in range (0, len(avc)):
@@ -292,7 +440,10 @@
 		keys=self.seRules.keys()
 		keys.sort()
 		for i in keys:
-			rec += self.seRules[i].out(verbose)+"\n"
+			if self.gen_ref_policy:
+				rec += self.seRules[i].gen_reference_policy(self.iface)+"\n"
+			else:
+				rec += self.seRules[i].out(verbose)+"\n"
 		return rec
 
 if __name__ == '__main__':
@@ -342,11 +493,12 @@
 		buildPP=0
 		input_ind=0
 		output_ind=0
+		ref_ind=False
 		te_ind=0
 
 		fc_file=""
 		gopts, cmds = getopt.getopt(sys.argv[1:],
-					    'adf:hi:lm:M:o:rtv',
+					    'adf:hi:lm:M:o:rtvR',
 					    ['all',
 					     'dmesg',
 					     'fcfile=',
@@ -356,6 +508,7 @@
 					     'module=',
 					     'output=',
 					     'requires',
+					     'reference',
 					     'tefile',
 					     'verbose'
 					     ])
@@ -397,6 +550,9 @@
 				if auditlogs:
 					usage()
 				te_ind=1
+			if o == "-R" or o == "--reference":
+				ref_ind=True
+				
 			if o == "-o" or o == "--output":
 				if module != ""  or a[0]=="-":
 					usage()
@@ -413,6 +569,10 @@
 			
 		out=seruleRecords(input, last_reload, verbose, te_ind)
 
+
+		if ref_ind:
+			out.gen_reference_policy()
+
 		if auditlogs:
 			input=os.popen("ausearch -m avc")
 			out.load(input)
@@ -423,15 +583,15 @@
 		output.flush()
 		if buildPP:
 			cmd="checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module)
-			print "Compiling policy: %s" % cmd
+			print "Compiling policy"
+			print cmd
 			rc=commands.getstatusoutput(cmd)
 			if rc[0]==0:
 				cmd="semodule_package -o %s.pp -m %s.mod" % (module, module)
-				print cmd
 				if fc_file != "":
 					cmd = "%s -f %s" % (cmd, fc_file)
 					
-				print "Building package: %s" % cmd
+				print cmd
 				rc=commands.getstatusoutput(cmd)
 				if rc[0]==0:
 					print ("\n******************** IMPORTANT ***********************\n")
@@ -446,6 +606,6 @@
 	except ValueError, error:
 		errorExit(error.args[0])
 	except IOError, error:
-		errorExit(error.args[1])
+		errorExit(error)
 	except KeyboardInterrupt, error:
 		sys.exit(0)
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-1.29.26/audit2allow/audit2allow.1
--- nsapolicycoreutils/audit2allow/audit2allow.1	2005-12-01 10:11:27.000000000 -0500
+++ policycoreutils-1.29.26/audit2allow/audit2allow.1	2006-02-23 16:32:45.000000000 -0500
@@ -65,6 +65,9 @@
 .B "\-r" | "\-\-requires"
 Generate require output syntax for loadable modules.
 .TP
+.B "\-R" | "\-\-reference"
+Generate reference policy using installed macros
+.TP
 .B "\-t "  | "\-\-tefile"
 Indicates input file is a te (type enforcement) file.  This can be used to translate old te format to new policy format.
 .TP
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.26/scripts/chcat
--- nsapolicycoreutils/scripts/chcat	2006-01-27 01:16:33.000000000 -0500
+++ policycoreutils-1.29.26/scripts/chcat	2006-03-03 18:21:05.000000000 -0500
@@ -320,7 +320,7 @@
         if len(cats) > 1 and cats[1] != "s0":
             print "%s: %s" % (u, cats[1])
         else:
-            print "%s:" % u
+            print "%s: %s" % (u, cats[0])
             
 def error(msg):
     print "%s: %s" % (sys.argv[0], msg)
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.29.26/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles	2006-01-04 13:07:46.000000000 -0500
+++ policycoreutils-1.29.26/scripts/fixfiles	2006-02-23 17:12:53.000000000 -0500
@@ -124,7 +124,10 @@
     exit $?
 fi
 if [ ! -z "$DIRS" ]; then
-    ${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $1 -v $DIRS 2>&1 >> $LOGFILE
+    for d in ${DIRS} ; do find $d \
+		      ! \( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) -prune  -o -print; \
+	${RESTORECON} ${OUTFILES} ${FORCEFLAG} $1 -v -f - 2>&1 >> $LOGFILE
+    done
     exit $?
 fi
 LogReadOnly
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.26/semanage/semanage
--- nsapolicycoreutils/semanage/semanage	2006-02-16 13:35:28.000000000 -0500
+++ policycoreutils-1.29.26/semanage/semanage	2006-02-23 16:32:45.000000000 -0500
@@ -22,6 +22,9 @@
 #  
 import os, sys, getopt
 import seobject
+import selinux
+
+is_mls_enabled=selinux.is_selinux_mls_enabled()
 
 if __name__ == '__main__':
 
@@ -57,13 +60,13 @@
 		-p (named pipe) \n\n\
 \
 	-p, --proto      Port protocol (tcp or udp)\n\
-	-L, --level      Default SELinux Level\n\
+	-L, --level      Default SELinux Level (MLS/MCS Systems only)\n\
 	-R, --roles      SELinux Roles (ex: "sysadm_r staff_r")\n\
 	-T, --trans      SELinux Level Translation\n\n\
 \
 	-s, --seuser     SELinux User Name\n\
 	-t, --type       SELinux Type for the object\n\
-	-r, --range      MLS/MCS Security Range\n\
+	-r, --range      MLS/MCS Security Range (MLS/MCS Systems only\n\
 '
 		print message
 		sys.exit(1)
@@ -167,12 +170,16 @@
 				modify = 1
 				
 			if o == "-r" or o == '--range':
+				if is_mls_enabled == 0:
+					errorExit("range not supported on Non MLS machines")
 				serange = a
 
 			if o == "-l" or o == "--list":
 				list = 1
 
 			if o == "-L" or o == '--level':
+				if is_mls_enabled == 0:
+					errorExit("range not supported on Non MLS machines")
 				selevel = a
 
 			if o == "-p" or o == '--proto':
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.29.26/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8	2006-01-27 01:16:33.000000000 -0500
+++ policycoreutils-1.29.26/semanage/semanage.8	2006-02-23 16:32:45.000000000 -0500
@@ -46,7 +46,7 @@
 List the OBJECTS
 .TP
 .I                \-L, \-\-level
-Default SELinux Level for SELinux use. (s0)
+Default SELinux Level for SELinux use, s0 Default. (MLS/MCS Systems only)
 .TP
 .I                \-m, \-\-modify     
 Modify a OBJECT record NAME
@@ -58,7 +58,7 @@
 Protocol for the specified port (tcp|udp).
 .TP
 .I                \-r, \-\-range      
-MLS/MCS Security Range
+MLS/MCS Security Range (MLS/MCS Systems only)
 .TP
 .I                \-R, \-\-role
 SELinux Roles.  You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.26/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py	2006-02-16 13:35:28.000000000 -0500
+++ policycoreutils-1.29.26/semanage/seobject.py	2006-03-03 18:20:37.000000000 -0500
@@ -21,9 +21,43 @@
 #
 #  
 
-import pwd, string, selinux, tempfile, os, re
+import pwd, string, selinux, tempfile, os, re, sys
 from semanage import *;
 
+is_mls_enabled=selinux.is_selinux_mls_enabled()
+import syslog
+try:
+	import audit
+	class logger:
+		def __init__(self):
+			self.audit_fd=audit.audit_open()
+
+		def log(self, success, msg, name="", sename="", serole="", serange="", old_sename="", old_serole="", old_serange=""):
+			audit.audit_log_semanage_message(self.audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],msg, name, 0, sename, serole, serange, old_sename, old_serole, old_serange, "", "", "", success);
+except:
+	class logger:
+		def log(self, success, msg, name="", sename="", serole="", serange="", old_sename="", old_serole="", old_serange=""):
+			if success == 1:
+				message = "Successful: "
+			else:
+				message = "Failed: "
+			message += " %s name=%s" % (msg,name)
+			if sename != "":
+				message += " sename=" + sename
+			if old_sename != "":
+				message += " old_sename=" + old_sename
+			if serole != "":
+				message += " role=" + serole
+			if old_serole != "":
+				message += " old_role=" + old_serole
+			if serange != "":
+				message += " MLSRange=" + serange
+			if old_serange != "":
+				message += " old_MLSRange=" + old_serange
+			syslog.syslog(message);
+			
+mylog=logger()		
+
 def validate_level(raw):
 	sensitivity="s([0-9]|1[0-5])"
 	category="c(1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])"
@@ -143,6 +177,7 @@
 	def __init__(self):
 		self.sh = semanage_handle_create()
 		self.semanaged = semanage_is_managed(self.sh)
+
 		if not self.semanaged:
 			semanage_handle_destroy(self.sh)
 			raise ValueError("SELinux policy is not managed or store cannot be accessed.")
@@ -162,127 +197,154 @@
 		semanageRecords.__init__(self)
 
 	def add(self, name, sename, serange):
-		if serange == "":
-			serange = "s0"
-		else:
-			serange = untranslate(serange)
+		if is_mls_enabled == 1:
+			if serange == "":
+				serange = "s0"
+			else:
+				serange = untranslate(serange)
 			
 		if sename == "":
 			sename = "user_u"
 			
-		(rc,k) = semanage_seuser_key_create(self.sh, name)
-		if rc < 0:
-			raise ValueError("Could not create a key for %s" % name)
-
-		(rc,exists) = semanage_seuser_exists(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not check if login mapping for %s is defined" % name)
-		if exists:
-			raise ValueError("Login mapping for %s is already defined" % name)
 		try:
-			pwd.getpwnam(name)
-		except:
-			raise ValueError("Linux User %s does not exist" % name)
-			
-		(rc,u) = semanage_seuser_create(self.sh)
-		if rc < 0:
-			raise ValueError("Could not create login mapping for %s" % name)
+			(rc,k) = semanage_seuser_key_create(self.sh, name)
+			if rc < 0:
+				raise ValueError("Could not create a key for %s" % name)
 
-		rc = semanage_seuser_set_name(self.sh, u, name)
-		if rc < 0:
-			raise ValueError("Could not set name for %s" % name)
+			(rc,exists) = semanage_seuser_exists(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not check if login mapping for %s is defined" % name)
+			if exists:
+				raise ValueError("Login mapping for %s is already defined" % name)
+			try:
+				pwd.getpwnam(name)
+			except:
+				raise ValueError("Linux User %s does not exist" % name)
 
-		rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
-		if rc < 0:
-			raise ValueError("Could not set MLS range for %s" % name)
+			(rc,u) = semanage_seuser_create(self.sh)
+			if rc < 0:
+				raise ValueError("Could not create login mapping for %s" % name)
 
-		rc = semanage_seuser_set_sename(self.sh, u, sename)
-		if rc < 0:
-			raise ValueError("Could not set SELinux user for %s" % name)
+			rc = semanage_seuser_set_name(self.sh, u, name)
+			if rc < 0:
+				raise ValueError("Could not set name for %s" % name)
 
-		rc = semanage_begin_transaction(self.sh)
-		if rc < 0:
-			raise ValueError("Could not start semanage transaction")
+			rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
+			if rc < 0:
+				raise ValueError("Could not set MLS range for %s" % name)
 
-		rc = semanage_seuser_modify_local(self.sh, k, u)
-		if rc < 0:
-			raise ValueError("Could not add login mapping for %s" % name)
+			rc = semanage_seuser_set_sename(self.sh, u, sename)
+			if rc < 0:
+				raise ValueError("Could not set SELinux user for %s" % name)
 
-		rc = semanage_commit(self.sh) 
-		if rc < 0:
-			raise ValueError("Could not add login mapping for %s" % name)
+			rc = semanage_begin_transaction(self.sh)
+			if rc < 0:
+				raise ValueError("Could not start semanage transaction")
 
+			rc = semanage_seuser_modify_local(self.sh, k, u)
+			if rc < 0:
+				raise ValueError("Could not add login mapping for %s" % name)
+
+			rc = semanage_commit(self.sh) 
+			if rc < 0:
+				raise ValueError("Could not add login mapping for %s" % name)
+
+		except ValueError, error:
+			mylog.log(0, "add SELinux user mapping", name, sename, "", serange);
+			raise error
+		
+		mylog.log(1, "add SELinux user mapping", name, sename, "", serange);
 		semanage_seuser_key_free(k)
 		semanage_seuser_free(u)
 
 	def modify(self, name, sename = "", serange = ""):
-		if sename == "" and serange == "":
-			raise ValueError("Requires seuser or serange")
+		oldsename=""
+		oldserange=""
+		try:
+			if sename == "" and serange == "":
+				raise ValueError("Requires seuser or serange")
 
-		(rc,k) = semanage_seuser_key_create(self.sh, name)
-		if rc < 0:
-			raise ValueError("Could not create a key for %s" % name)
+			(rc,k) = semanage_seuser_key_create(self.sh, name)
+			if rc < 0:
+				raise ValueError("Could not create a key for %s" % name)
 
-		(rc,exists) = semanage_seuser_exists(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not check if login mapping for %s is defined" % name)
-		if not exists:
-			raise ValueError("Login mapping for %s is not defined" % name)
+			(rc,exists) = semanage_seuser_exists(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not check if login mapping for %s is defined" % name)
+			if not exists:
+				raise ValueError("Login mapping for %s is not defined" % name)
 
-		(rc,u) = semanage_seuser_query(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not query seuser for %s" % name)
+			(rc,u) = semanage_seuser_query(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not query seuser for %s" % name)
 
-		if serange != "":
-			semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
-		if sename != "":
-			semanage_seuser_set_sename(self.sh, u, sename)
+			oldserange=semanage_seuser_get_mlsrange(u)
+			oldsename=semanage_seuser_get_sename(u)
+			if serange != "":
+				semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
+			else:
+				serange=oldserange
+			if sename != "":
+				semanage_seuser_set_sename(self.sh, u, sename)
+			else:
+				sename=oldsename
 
-		rc = semanage_begin_transaction(self.sh)
-		if rc < 0:
-			raise ValueError("Could not srart semanage transaction")
+			rc = semanage_begin_transaction(self.sh)
+			if rc < 0:
+				raise ValueError("Could not srart semanage transaction")
 
-		rc = semanage_seuser_modify_local(self.sh, k, u)
-		if rc < 0:
-			raise ValueError("Could not modify login mapping for %s" % name)
-	
-		rc = semanage_commit(self.sh)
-		if rc < 0:
-			raise ValueError("Could not modify login mapping for %s" % name)
+			rc = semanage_seuser_modify_local(self.sh, k, u)
+			if rc < 0:
+				raise ValueError("Could not modify login mapping for %s" % name)
+
+			rc = semanage_commit(self.sh)
+			if rc < 0:
+				raise ValueError("Could not modify login mapping for %s" % name)
 
+		except ValueError, error:
+			mylog.log(0,"modify selinux user mapping", name, sename,"", serange, oldsename, "", oldserange);
+			raise error
+		
+		mylog.log(1,"modify selinux user mapping", name, sename, "", serange, oldsename, "", oldserange);
 		semanage_seuser_key_free(k)
 		semanage_seuser_free(u)
 
 	def delete(self, name):
-		(rc,k) = semanage_seuser_key_create(self.sh, name)
-		if rc < 0:
-			raise ValueError("Could not create a key for %s" % name)
+		try:
+			(rc,k) = semanage_seuser_key_create(self.sh, name)
+			if rc < 0:
+				raise ValueError("Could not create a key for %s" % name)
 
-		(rc,exists) = semanage_seuser_exists(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not check if login mapping for %s is defined" % name)
-		if not exists:
-			raise ValueError("Login mapping for %s is not defined" % name)
+			(rc,exists) = semanage_seuser_exists(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not check if login mapping for %s is defined" % name)
+			if not exists:
+				raise ValueError("Login mapping for %s is not defined" % name)
 
-		(rc,exists) = semanage_seuser_exists_local(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not check if login mapping for %s is defined" % name)
-		if not exists:
-			raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name)
+			(rc,exists) = semanage_seuser_exists_local(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not check if login mapping for %s is defined" % name)
+			if not exists:
+				raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name)
 
-		rc = semanage_begin_transaction(self.sh)
-		if rc < 0:
-			raise ValueError("Could not start semanage transaction")
+			rc = semanage_begin_transaction(self.sh)
+			if rc < 0:
+				raise ValueError("Could not start semanage transaction")
 
-		rc = semanage_seuser_del_local(self.sh, k)
+			rc = semanage_seuser_del_local(self.sh, k)
 
-		if rc < 0:
-			raise ValueError("Could not delete login mapping for %s" % name)
+			if rc < 0:
+				raise ValueError("Could not delete login mapping for %s" % name)
 
-		rc = semanage_commit(self.sh)
-		if rc < 0:
-			raise ValueError("Could not delete login mapping for %s" % name)
-	
+			rc = semanage_commit(self.sh)
+			if rc < 0:
+				raise ValueError("Could not delete login mapping for %s" % name)
+
+		except ValueError, error:
+			mylog.log(0,"delete SELinux user mapping", name);
+			raise error
+		
+		mylog.log(1,"delete SELinux user mapping", name);
 		semanage_seuser_key_free(k)
 
 		
@@ -298,150 +360,179 @@
 		return ddict
 
 	def list(self,heading=1):
-		if heading:
-			print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range")
 		ddict=self.get_all()
 		keys=ddict.keys()
 		keys.sort()
-		for k in keys:
-			print "%-25s %-25s %-25s" % (k, ddict[k][0], translate(ddict[k][1]))
+		if is_mls_enabled == 1:
+			if heading:
+				print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range")
+			for k in keys:
+				print "%-25s %-25s %-25s" % (k, ddict[k][0], translate(ddict[k][1]))
+		else:
+			if heading:
+				print "\n%-25s %-25s\n" % ("Login Name", "SELinux User")
+			for k in keys:
+				print "%-25s %-25s %-25s" % (k, ddict[k][0])
 
 class seluserRecords(semanageRecords):
 	def __init__(self):
 		semanageRecords.__init__(self)
 
 	def add(self, name, roles, selevel, serange):
-		if serange == "":
-			serange = "s0"
-		else:
-			serange = untranslate(serange)
+		if is_mls_enabled == 1:
+			if serange == "":
+				serange = "s0"
+			else:
+				serange = untranslate(serange)
 			
-		if selevel == "":
-			selevel = "s0"
-		else:
-			selevel = untranslate(selevel)
-
-		(rc,k) = semanage_user_key_create(self.sh, name)
-		if rc < 0:
-			raise ValueError("Could not create a key for %s" % name)
-
-		(rc,exists) = semanage_user_exists(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not check if SELinux user %s is defined" % name)
-		if exists:
-			raise ValueError("SELinux user %s is already defined" % name)
-
-		(rc,u) = semanage_user_create(self.sh)
-		if rc < 0:
-			raise ValueError("Could not create SELinux user for %s" % name)
+			if selevel == "":
+				selevel = "s0"
+			else:
+				selevel = untranslate(selevel)
+			
+		seroles=" ".join(roles)
+		try:
+			(rc,k) = semanage_user_key_create(self.sh, name)
+			if rc < 0:
+				raise ValueError("Could not create a key for %s" % name)
 
-		rc = semanage_user_set_name(self.sh, u, name)
-		if rc < 0:
-			raise ValueError("Could not set name for %s" % name)
+			(rc,exists) = semanage_user_exists(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not check if SELinux user %s is defined" % name)
+			if exists:
+				raise ValueError("SELinux user %s is already defined" % name)
 
-		for r in roles:
-			rc = semanage_user_add_role(self.sh, u, r)
+			(rc,u) = semanage_user_create(self.sh)
 			if rc < 0:
-				raise ValueError("Could not add role %s for %s" % (r, name))
+				raise ValueError("Could not create SELinux user for %s" % name)
 
-		rc = semanage_user_set_mlsrange(self.sh, u, serange)
-		if rc < 0:
-			raise ValueError("Could not set MLS range for %s" % name)
+			rc = semanage_user_set_name(self.sh, u, name)
+			if rc < 0:
+				raise ValueError("Could not set name for %s" % name)
 
-		rc = semanage_user_set_mlslevel(self.sh, u, selevel)
-		if rc < 0:
-			raise ValueError("Could not set MLS level for %s" % name)
+			for r in roles:
+				rc = semanage_user_add_role(self.sh, u, r)
+				if rc < 0:
+					raise ValueError("Could not add role %s for %s" % (r, name))
+
+			if is_mls_enabled == 1:
+				rc = semanage_user_set_mlsrange(self.sh, u, serange)
+				if rc < 0:
+					raise ValueError("Could not set MLS range for %s" % name)
+
+				rc = semanage_user_set_mlslevel(self.sh, u, selevel)
+				if rc < 0:
+					raise ValueError("Could not set MLS level for %s" % name)
 
-		(rc,key) = semanage_user_key_extract(self.sh,u)
-		if rc < 0:
-			raise ValueError("Could not extract key for %s" % name)
+			(rc,key) = semanage_user_key_extract(self.sh,u)
+			if rc < 0:
+				raise ValueError("Could not extract key for %s" % name)
 
-		rc = semanage_begin_transaction(self.sh)
-		if rc < 0:
-			raise ValueError("Could not start semanage transaction")
+			rc = semanage_begin_transaction(self.sh)
+			if rc < 0:
+				raise ValueError("Could not start semanage transaction")
 
-		rc = semanage_user_modify_local(self.sh, k, u)
-		if rc < 0:
-			raise ValueError("Could not add SELinux user %s" % name)
+			rc = semanage_user_modify_local(self.sh, k, u)
+			if rc < 0:
+				raise ValueError("Could not add SELinux user %s" % name)
 
-		rc = semanage_commit(self.sh)
-		if rc < 0:
-			raise ValueError("Could not add SELinux user %s" % name)
+			rc = semanage_commit(self.sh)
+			if rc < 0:
+				raise ValueError("Could not add SELinux user %s" % name)
 
+		except ValueError, error:
+			mylog.log(0,"add SELinux user record", name, name, seroles, serange)
+			raise error
+		
+		mylog.log(1,"add SELinux user record", name, name, seroles, serange)
 		semanage_user_key_free(k)
 		semanage_user_free(u)
 
 	def modify(self, name, roles = [], selevel = "", serange = ""):
-		if len(roles) == 0  and serange == "" and selevel == "":
-			raise ValueError("Requires roles, level or range")
+		try:
+			if len(roles) == 0  and serange == "" and selevel == "":
+				if is_mls_enabled == 1:
+					raise ValueError("Requires roles, level or range")
+				else:
+					raise ValueError("Requires roles")
 
-		(rc,k) = semanage_user_key_create(self.sh, name)
-		if rc < 0:
-			raise ValueError("Could not create a key for %s" % name)
+			(rc,k) = semanage_user_key_create(self.sh, name)
+			if rc < 0:
+				raise ValueError("Could not create a key for %s" % name)
 
-		(rc,exists) = semanage_user_exists(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not check if SELinux user %s is defined" % name)
-		if not exists:
-			raise ValueError("SELinux user %s is not defined" % name)
-		
-		(rc,u) = semanage_user_query(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not query user for %s" % name)
+			(rc,exists) = semanage_user_exists(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not check if SELinux user %s is defined" % name)
+			if not exists:
+				raise ValueError("SELinux user %s is not defined" % name)
 
-		if serange != "":
-			semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
-		if selevel != "":
-			semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
-			
-		if len(roles) != 0:
-			for r in roles:
-				semanage_user_add_role(self.sh, u, r)
+			(rc,u) = semanage_user_query(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not query user for %s" % name)
 
-		rc = semanage_begin_transaction(self.sh)
-		if rc < 0:
-			raise ValueError("Could not start semanage transaction")
+			if serange != "":
+				semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
+			if selevel != "":
+				semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
+
+			if len(roles) != 0:
+				for r in roles:
+					semanage_user_add_role(self.sh, u, r)
 
-		rc = semanage_user_modify_local(self.sh, k, u)
-		if rc < 0:
-			raise ValueError("Could not modify SELinux user %s" % name)
+			rc = semanage_begin_transaction(self.sh)
+			if rc < 0:
+				raise ValueError("Could not start semanage transaction")
 
-		rc = semanage_commit(self.sh)
-		if rc < 0:
-			raise ValueError("Could not modify SELinux user %s" % name)
+			rc = semanage_user_modify_local(self.sh, k, u)
+			if rc < 0:
+				raise ValueError("Could not modify SELinux user %s" % name)
+
+			rc = semanage_commit(self.sh)
+			if rc < 0:
+				raise ValueError("Could not modify SELinux user %s" % name)
+
+		except ValueError, error:
+			mylog.log(0,"modify SELinux user record", name, seuser, seroles, serange, oldseuser, oldseroles, olrserange)
+			raise error
 		
+		mylog.log(1,"modify SELinux user record", name, seuser, seroles, serange, oldseuser, oldseroles, olrserange)
 		semanage_user_key_free(k)
 		semanage_user_free(u)
 
 	def delete(self, name):
-		(rc,k) = semanage_user_key_create(self.sh, name)
-		if rc < 0:
-			raise ValueError("Could not create a key for %s" % name)
-
-		(rc,exists) = semanage_user_exists(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not check if SELinux user %s is defined" % name)		
-		if not exists:
-			raise ValueError("SELinux user %s is not defined" % name)
+		try:
+			(rc,k) = semanage_user_key_create(self.sh, name)
+			if rc < 0:
+				raise ValueError("Could not create a key for %s" % name)
+			
+			(rc,exists) = semanage_user_exists(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not check if SELinux user %s is defined" % name)		
+			if not exists:
+				raise ValueError("SELinux user %s is not defined" % name)
 
-		(rc,exists) = semanage_user_exists_local(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not check if SELinux user %s is defined" % name)
-		if not exists:
-			raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name)
+			(rc,exists) = semanage_user_exists_local(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not check if SELinux user %s is defined" % name)
+			if not exists:
+				raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name)
 			
-		rc = semanage_begin_transaction(self.sh)
-		if rc < 0:
-			raise ValueError("Could not start semanage transaction")
+			rc = semanage_begin_transaction(self.sh)
+			if rc < 0:
+				raise ValueError("Could not start semanage transaction")
 
-		rc = semanage_user_del_local(self.sh, k)
-		if rc < 0:
-			raise ValueError("Could not delete SELinux user %s" % name)
+			rc = semanage_user_del_local(self.sh, k)
+			if rc < 0:
+				raise ValueError("Could not delete SELinux user %s" % name)
 
-		rc = semanage_commit(self.sh)
-		if rc < 0:
-			raise ValueError("Could not delete SELinux user %s" % name)
+			rc = semanage_commit(self.sh)
+			if rc < 0:
+				raise ValueError("Could not delete SELinux user %s" % name)
+		except ValueError, error:
+			mylog.log(0,"delete SELinux user record", name)
+			raise error
 		
+		mylog.log(1,"delete SELinux user record", name)
 		semanage_user_key_free(k)		
 
 	def get_all(self):
@@ -462,14 +553,20 @@
 		return ddict
 
 	def list(self, heading=1):
-		if heading:
-			print "\n%-15s %-10s %-30s" % ("", "MLS/", "MLS/")
-			print "%-15s %-10s %-30s %s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles")
 		ddict=self.get_all()
 		keys=ddict.keys()
 		keys.sort()
-		for k in keys:
-			print "%-15s %-10s %-30s %s" % (k, translate(ddict[k][0]), translate(ddict[k][1]), ddict[k][2])
+		if is_mls_enabled == 1:
+			if heading:
+				print "\n%-15s %-10s %-30s" % ("", "MLS/", "MLS/")
+				print "%-15s %-10s %-30s %s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles")
+			for k in keys:
+				print "%-15s %-10s %-30s %s" % (k, translate(ddict[k][0]), translate(ddict[k][1]), ddict[k][2])
+		else:
+			if heading:
+				print "%-15s %s\n" % ("SELinux User", "SELinux Roles")
+			for k in keys:
+				print "%-15s %s" % (k, ddict[k][2])
 
 class portRecords(semanageRecords):
 	def __init__(self):
@@ -500,10 +597,11 @@
 		return ( k, proto_d, low, high )
 
 	def add(self, port, proto, serange, type):
-		if serange == "":
-			serange="s0"
-		else:
-			serange=untranslate(serange)
+		if is_mls_enabled == 1:
+			if serange == "":
+				serange="s0"
+			else:
+				serange=untranslate(serange)
 			
 		if type == "":
 			raise ValueError("Type is required")
@@ -564,7 +662,10 @@
 
 	def modify(self, port, proto, serange, setype):
 		if serange == "" and setype == "":
-			raise ValueError("Requires setype or serange")
+			if is_mls_enabled == 1:
+				raise ValueError("Requires setype or serange")
+			else:
+				raise ValueError("Requires setype")
 
 		( k, proto_d, low, high ) = self.__genkey(port, proto)
 
@@ -688,10 +789,11 @@
 		semanageRecords.__init__(self)
 
 	def add(self, interface, serange, ctype):
-		if serange == "":
-			serange="s0"
-		else:
-			serange=untranslate(serange)
+		if is_mls_enabled == 1:
+			if serange == "":
+				serange="s0"
+			else:
+				serange=untranslate(serange)
 			
 		if ctype == "":
 			raise ValueError("SELinux Type is required")
@@ -869,14 +971,14 @@
 		self.file_types["named pipe"] = SEMANAGE_FCONTEXT_PIPE;
 		
 		
-	def add(self, target, type, ftype="", serange="s0", seuser="system_u"):
+	def add(self, target, type, ftype="", serange="", seuser="system_u"):
 		if seuser == "":
 			seuser="system_u"
-			
-		if serange == "":
-			serange="s0"
-		else:
-			serange=untranslate(serange)
+		if is_mls_enabled == 1:
+			if serange == "":
+				serange="s0"
+			else:
+				serange=untranslate(serange)
 			
 		if type == "":
 			raise ValueError("SELinux Type is required")
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setsebool/Makefile policycoreutils-1.29.26/setsebool/Makefile
--- nsapolicycoreutils/setsebool/Makefile	2005-11-04 15:37:49.000000000 -0500
+++ policycoreutils-1.29.26/setsebool/Makefile	2006-02-25 06:56:54.000000000 -0500
@@ -17,6 +17,8 @@
 install: all
 	-mkdir -p $(SBINDIR)
 	install -m 755 setsebool $(SBINDIR)
+	-mkdir -p $(MANDIR)/man8
+	install -m 644 setsebool.8 $(MANDIR)/man8/
 
 relabel: