From 08594f6d5f76b623f3bacbd35bb89b6980ae9ecd Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 13 Feb 2008 20:55:23 +0000 Subject: [PATCH] * Wed Feb 13 2008 Dan Walsh 2.0.43-1 - Update to upstream * Merged fix fixfiles option processing from Vaclav Ovsik. - Added existing users, staff and user_t users to polgengui --- .cvsignore | 1 + policycoreutils-gui.patch | 840 ++++++++++++++++++++++++++------------ policycoreutils.spec | 9 +- sources | 2 +- 4 files changed, 596 insertions(+), 256 deletions(-) diff --git a/.cvsignore b/.cvsignore index 6d874d8..d07109c 100644 --- a/.cvsignore +++ b/.cvsignore @@ -174,3 +174,4 @@ policycoreutils-2.0.38.tgz policycoreutils-2.0.39.tgz policycoreutils-2.0.41.tgz policycoreutils-2.0.42.tgz +policycoreutils-2.0.43.tgz diff --git a/policycoreutils-gui.patch b/policycoreutils-gui.patch index 2ae5dfa..c8036db 100644 --- a/policycoreutils-gui.patch +++ b/policycoreutils-gui.patch @@ -941,8 +941,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py polic + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policycoreutils-2.0.42/gui/polgen.glade --- nsapolicycoreutils/gui/polgen.glade 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.42/gui/polgen.glade 2008-02-05 16:09:43.000000000 -0500 -@@ -0,0 +1,3012 @@ ++++ policycoreutils-2.0.42/gui/polgen.glade 2008-02-13 15:08:32.000000000 -0500 +@@ -0,0 +1,3222 @@ + + + @@ -1055,7 +1055,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + True -+ False ++ True ++ True + True + GTK_POS_TOP + False 
@@ -1123,259 +1124,394 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + 0 + + -+ ++ + True -+ 0 -+ 0.5 -+ GTK_SHADOW_NONE ++ False ++ 0 + + -+ ++ + True -+ 0.5 -+ 0.5 -+ 1 -+ 1 -+ 0 -+ 0 -+ 12 -+ 0 ++ 0 ++ 0.5 ++ GTK_SHADOW_NONE + + -+ ++ + True -+ False -+ 0 ++ 0.5 ++ 0.5 ++ 1 ++ 1 ++ 0 ++ 0 ++ 12 ++ 0 + + -+ ++ + True -+ Standard Init Daemon are daemons started on boot via init scripts. Usually requires a script in /etc/rc.d/init.d -+ True -+ Standard Init Daemon -+ True -+ GTK_RELIEF_NORMAL -+ True -+ False -+ False -+ True -+ -+ -+ 0 -+ False -+ False -+ -+ ++ False ++ 0 + -+ -+ -+ True -+ Internet Services Daemon are daemons started by xinetd -+ True -+ Internet Services Daemon (inetd) -+ True -+ GTK_RELIEF_NORMAL -+ True -+ False -+ False -+ True -+ init_radiobutton -+ -+ -+ 0 -+ False -+ False -+ -+ ++ ++ ++ True ++ Standard Init Daemon are daemons started on boot via init scripts. Usually requires a script in /etc/rc.d/init.d ++ True ++ Standard Init Daemon ++ True ++ GTK_RELIEF_NORMAL ++ True ++ False ++ False ++ True ++ ++ ++ 0 ++ False ++ False ++ ++ + -+ -+ -+ True -+ Web Applications/Script (CGI) CGI scripts started by the web server (apache) -+ True -+ Web Application/Script (CGI) -+ True -+ GTK_RELIEF_NORMAL -+ True -+ False -+ False -+ True -+ init_radiobutton -+ -+ -+ 0 -+ False -+ False -+ -+ ++ ++ ++ True ++ Internet Services Daemon are daemons started by xinetd ++ True ++ Internet Services Daemon (inetd) ++ True ++ GTK_RELIEF_NORMAL ++ True ++ False ++ False ++ True ++ init_radiobutton ++ ++ ++ 0 ++ False ++ False ++ ++ + -+ -+ -+ True -+ User Application are any application that you would like to confine that is started by a user -+ True -+ User Application -+ True -+ GTK_RELIEF_NORMAL -+ True -+ False -+ False -+ True -+ init_radiobutton ++ ++ ++ True ++ Web Applications/Script (CGI) CGI scripts started by the web server (apache) ++ True ++ Web Application/Script (CGI) ++ True ++ GTK_RELIEF_NORMAL ++ True 
++ False ++ False ++ True ++ init_radiobutton ++ ++ ++ 0 ++ False ++ False ++ ++ ++ ++ ++ ++ True ++ User Application are any application that you would like to confine that is started by a user ++ True ++ User Application ++ True ++ GTK_RELIEF_NORMAL ++ True ++ False ++ False ++ True ++ init_radiobutton ++ ++ ++ 0 ++ False ++ False ++ ++ + -+ -+ 0 -+ False -+ False -+ + + + -+ -+ + -+ -+ -+ True -+ <b>Applications</b> -+ False -+ True -+ GTK_JUSTIFY_LEFT -+ False -+ False -+ 0.5 -+ 0.5 -+ 0 -+ 0 -+ PANGO_ELLIPSIZE_NONE -+ -1 -+ False -+ 0 ++ ++ ++ True ++ <b>Applications</b> ++ False ++ True ++ GTK_JUSTIFY_LEFT ++ False ++ False ++ 0.5 ++ 0.5 ++ 0 ++ 0 ++ PANGO_ELLIPSIZE_NONE ++ -1 ++ False ++ 0 ++ ++ ++ label_item ++ ++ + + -+ label_item ++ 0 ++ True ++ True + + -+ -+ -+ 0 -+ True -+ True -+ -+ -+ -+ -+ -+ True -+ 0 -+ 0.5 -+ GTK_SHADOW_NONE + + -+ ++ + True -+ 0.5 -+ 0.5 -+ 1 -+ 1 -+ 0 -+ 0 -+ 12 -+ 0 ++ 0 ++ 0.5 ++ GTK_SHADOW_NONE + + -+ ++ + True -+ False -+ 0 ++ 0.5 ++ 0.5 ++ 1 ++ 1 ++ 0 ++ 0 ++ 12 ++ 0 + + -+ ++ + True -+ Select X Windows login role, if this is a user who will login to a machine via X -+ True -+ X Windows Login User Role -+ True -+ GTK_RELIEF_NORMAL -+ True -+ False -+ False -+ True -+ init_radiobutton -+ -+ -+ 0 -+ False -+ False -+ -+ ++ False ++ 0 + -+ -+ -+ True -+ Select Terminal Login User Role, if this user will login to a machine only via a terminal or remote login -+ True -+ Terminal Login User Role -+ True -+ GTK_RELIEF_NORMAL -+ True -+ False -+ False -+ True -+ init_radiobutton -+ -+ -+ 0 -+ False -+ False -+ -+ ++ ++ ++ True ++ Modify an existing login user record. ++ True ++ Existing User Roles ++ True ++ GTK_RELIEF_NORMAL ++ True ++ False ++ False ++ True ++ init_radiobutton ++ ++ ++ 0 ++ False ++ False ++ ++ + -+ -+ -+ True -+ Select Root Administrator User Role, if this user will be used to administer the machine while running as root. This user will not be able to login to the system directly. 
-+ True -+ Root Administrator User Role -+ True -+ GTK_RELIEF_NORMAL -+ True -+ False -+ False -+ True -+ init_radiobutton ++ ++ ++ True ++ This user will login to a machine only via a terminal or remote login. By default this user will have no setuid, no networking, no su, no sudo. ++ True ++ Minimal Terminal User Role ++ True ++ GTK_RELIEF_NORMAL ++ True ++ False ++ False ++ True ++ init_radiobutton ++ ++ ++ 0 ++ False ++ False ++ ++ ++ ++ ++ ++ True ++ This user can login to a machine via X or terminal. By default this user will have no setuid, no networking, no sudo, no su ++ True ++ Minimal X Windows User Role ++ True ++ GTK_RELIEF_NORMAL ++ True ++ False ++ False ++ True ++ init_radiobutton ++ ++ ++ 0 ++ False ++ False ++ ++ ++ ++ ++ ++ True ++ User with full networking, no setuid applications without transition, no sudo, no su. ++ True ++ User Role ++ True ++ GTK_RELIEF_NORMAL ++ True ++ False ++ False ++ True ++ init_radiobutton ++ ++ ++ 0 ++ False ++ False ++ ++ ++ ++ ++ ++ True ++ User with full networking, no setuid applications without transition, no su, can sudo to Root Administration Roles ++ True ++ Admin User Role ++ True ++ GTK_RELIEF_NORMAL ++ True ++ False ++ False ++ True ++ init_radiobutton ++ ++ ++ 0 ++ False ++ False ++ ++ + -+ -+ 0 -+ False -+ False -+ + + + ++ ++ ++ ++ True ++ <b>Login Users</b> ++ False ++ True ++ GTK_JUSTIFY_LEFT ++ False ++ False ++ 0.5 ++ 0.5 ++ 0 ++ 0 ++ PANGO_ELLIPSIZE_NONE ++ -1 ++ False ++ 0 ++ ++ ++ label_item ++ ++ + ++ ++ 0 ++ True ++ True ++ + + + -+ ++ + True -+ <b>Users</b> -+ False -+ True -+ GTK_JUSTIFY_LEFT -+ False -+ False -+ 0.5 -+ 0.5 -+ 0 -+ 0 -+ PANGO_ELLIPSIZE_NONE -+ -1 -+ False -+ 0 ++ 0 ++ 0.5 ++ GTK_SHADOW_NONE ++ ++ ++ ++ True ++ 0.5 ++ 0.5 ++ 1 ++ 1 ++ 0 ++ 0 ++ 12 ++ 0 ++ ++ ++ ++ True ++ False ++ 0 ++ ++ ++ ++ True ++ Select Root Administrator User Role, if this user will be used to administer the machine while running as root. This user will not be able to login to the system directly. 
++ True ++ Root Admin User Role ++ True ++ GTK_RELIEF_NORMAL ++ True ++ False ++ False ++ True ++ init_radiobutton ++ ++ ++ 0 ++ False ++ False ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ True ++ <b>Root Users</b> ++ False ++ True ++ GTK_JUSTIFY_LEFT ++ False ++ False ++ 0.5 ++ 0.5 ++ 0 ++ 0 ++ PANGO_ELLIPSIZE_NONE ++ -1 ++ False ++ 0 ++ ++ ++ label_item ++ ++ + + -+ label_item ++ 0 ++ True ++ True + + + @@ -1651,6 +1787,57 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + ++ ++ True ++ Select user roles that you want to customize ++ ++ ++ ++ 16 ++ True ++ False ++ 6 ++ ++ ++ ++ True ++ True ++ GTK_POLICY_ALWAYS ++ GTK_POLICY_ALWAYS ++ GTK_SHADOW_IN ++ GTK_CORNER_TOP_LEFT ++ ++ ++ ++ True ++ Select the user roles that will transiton to this applications domains. ++ True ++ False ++ False ++ False ++ True ++ False ++ False ++ False ++ ++ ++ ++ ++ 0 ++ True ++ True ++ ++ ++ ++ ++ ++ ++ False ++ True ++ ++ ++ ++ + + True + label28 @@ -2917,6 +3104,29 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + ++ ++ True ++ label51 ++ False ++ False ++ GTK_JUSTIFY_LEFT ++ False ++ False ++ 0.5 ++ 0.5 ++ 0 ++ 0 ++ PANGO_ELLIPSIZE_NONE ++ -1 ++ False ++ 0 ++ ++ ++ tab ++ ++ ++ ++ + + True + Select files/directories that the application manages 
@@ -3957,15 +4167,15 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policycoreutils-2.0.42/gui/polgengui.py --- nsapolicycoreutils/gui/polgengui.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.42/gui/polgengui.py 2008-02-05 16:11:32.000000000 -0500 -@@ -0,0 +1,610 @@ ++++ policycoreutils-2.0.42/gui/polgengui.py 2008-02-13 15:08:28.000000000 -0500 +@@ -0,0 +1,649 @@ +#!/usr/bin/python -E +# +# system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux +# +# Dan Walsh +# -+# Copyright 2007 Red Hat, Inc. ++# Copyright 2007, 2008 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by @@ -4063,18 +4273,19 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + START_PAGE = 0 + SELECT_TYPE_PAGE = 1 + APP_PAGE = 2 -+ TRANSITION_PAGE = 3 -+ USER_TRANSITION_PAGE = 4 -+ ADMIN_PAGE = 5 -+ ROLE_PAGE = 6 -+ IN_NET_PAGE = 7 -+ OUT_NET_PAGE = 8 -+ COMMON_APPS_PAGE = 9 -+ FILES_PAGE = 10 -+ BOOLEAN_PAGE = 11 -+ SELECT_DIR_PAGE = 12 -+ GEN_POLICY_PAGE = 13 -+ GEN_USER_POLICY_PAGE = 14 ++ EXISTING_USER_PAGE = 3 ++ TRANSITION_PAGE = 4 ++ USER_TRANSITION_PAGE = 5 ++ ADMIN_PAGE = 6 ++ ROLE_PAGE = 7 ++ IN_NET_PAGE = 8 ++ OUT_NET_PAGE = 9 ++ COMMON_APPS_PAGE = 10 ++ FILES_PAGE = 11 ++ BOOLEAN_PAGE = 12 ++ SELECT_DIR_PAGE = 13 ++ GEN_POLICY_PAGE = 14 ++ GEN_USER_POLICY_PAGE = 15 + + def __init__(self): + self.xml = xml 
@@ -4105,6 +4316,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + for i in polgen.USERS: + self.pages[i] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.TRANSITION_PAGE, self.ROLE_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE, self.GEN_USER_POLICY_PAGE] + self.pages[polgen.RUSER] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.ADMIN_PAGE, self.USER_TRANSITION_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE, self.GEN_USER_POLICY_PAGE] ++ self.pages[polgen.LUSER] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.TRANSITION_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE, self.GEN_USER_POLICY_PAGE] ++ ++ self.pages[polgen.EUSER] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.EXISTING_USER_PAGE, self.TRANSITION_PAGE, self.ROLE_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE, self.GEN_USER_POLICY_PAGE] ++ + for i in polgen.APPLICATIONS: + self.pages[i] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.COMMON_APPS_PAGE, self.FILES_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE, self.GEN_POLICY_PAGE] + self.pages[polgen.USER] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.USER_TRANSITION_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.COMMON_APPS_PAGE, self.FILES_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE, self.GEN_POLICY_PAGE] 
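Review bot: The new LUSER page list omits ROLE_PAGE, which the generic `for i in polgen.USERS` list just above includes, while polgen.generate_roles_rules elsewhere in this patch now lists LUSER (and EUSER) among the role-bearing types; without ROLE_PAGE the GUI never collects roles for a plain "User Role", so that branch is effectively dead for LUSER. If this is deliberate (a user role with no role transitions), a one-line comment above the entry such as `# plain user roles get no role transitions, so ROLE_PAGE is skipped` would stop the next reader from "fixing" it; if not, ROLE_PAGE belongs in the list. The enclosing `__init__` starts before this hunk.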
@@ -4159,6 +4374,13 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + col = gtk.TreeViewColumn(_("Role"), gtk.CellRendererText(), text = 0) + self.role_treeview.append_column(col) + ++ self.existing_user_treeview = self.xml.get_widget("existing_user_treeview") ++ self.existing_user_store = gtk.ListStore(gobject.TYPE_STRING) ++ self.existing_user_treeview.set_model(self.existing_user_store) ++ self.existing_user_store.set_sort_column_id(0, gtk.SORT_ASCENDING) ++ col = gtk.TreeViewColumn(_("Existing_User"), gtk.CellRendererText(), text = 0) ++ self.existing_user_treeview.append_column(col) ++ + roles = commands.getoutput("/usr/bin/seinfo -r").split()[2:] + for i in roles: + iter = self.role_store.append() @@ -4185,6 +4407,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + for i in polgen.get_users(): + iter = self.user_transition_store.append() + self.user_transition_store.set_value(iter, 0, i) ++ iter = self.existing_user_store.append() ++ self.existing_user_store.set_value(iter, 0, i) + + self.admin_treeview = self.xml.get_widget("admin_treeview") + self.admin_store = gtk.ListStore(gobject.TYPE_STRING) @@ -4197,7 +4421,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + for i in polgen.methods: + m = re.findall("(.*)%s" % polgen.USER_TRANSITION_INTERFACE, i) + if len(m) > 0: -+ if "%s_exec_t" % m[0] in self.types and "user_%s_t" % m[0] in self.types: ++ if "%s_exec_t" % m[0] in self.types: + iter = self.transition_store.append() + self.transition_store.set_value(iter, 0, m[0]) + continue 
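Review bot: The new column title `_("Existing_User")` is a translatable, user-visible string carrying a stray underscore; a tree-view column title is not a mnemonic label, so the underscore will most likely render literally, and it also seeds translators with a mistyped source string. Use `col = gtk.TreeViewColumn(_("Existing User"), gtk.CellRendererText(), text = 0)` to match the plain-text titles used for the other columns, e.g. `_("Role")` in the context line above.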
@@ -4232,6 +4456,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + if self.on_name_page_next(): + return + ++ if self.pages[type][self.current_page] == self.EXISTING_USER_PAGE: ++ if self.on_existing_user_page_next(): ++ return ++ + if self.pages[type][self.current_page] == self.SELECT_DIR_PAGE: + outputdir = self.output_entry.get_text() + if not os.path.isdir(outputdir): @@ -4291,7 +4519,13 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + dlg.destroy() + + def get_name(self): -+ return self.name_entry.get_text() ++ if self.existing_user_radiobutton.get_active(): ++ store, iter = self.existing_user_treeview.get_selection().get_selected() ++ if iter == None: ++ raise(_("You must select a user")) ++ return store.get_value(iter, 0) ++ else: ++ return self.name_entry.get_text() + + def get_type(self): + if self.cgi_radiobutton.get_active(): @@ -4302,12 +4536,18 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + return polgen.DAEMON + if self.inetd_radiobutton.get_active(): + return polgen.INETD -+ if self.xwindows_login_user_radiobutton.get_active(): ++ if self.login_user_radiobutton.get_active(): ++ return polgen.LUSER ++ if self.admin_user_radiobutton.get_active(): ++ return polgen.AUSER ++ if self.xwindows_user_radiobutton.get_active(): + return polgen.XUSER -+ if self.terminal_login_user_radiobutton.get_active(): ++ if self.terminal_user_radiobutton.get_active(): + return polgen.TUSER + if self.root_user_radiobutton.get_active(): + return polgen.RUSER ++ if self.existing_user_radiobutton.get_active(): ++ return polgen.EUSER + + def generate_policy(self, *args): + outputdir = self.output_entry.get_text() 
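Review bot: In get_name the new branch raises a bare string, `raise(_("You must select a user"))`; string exceptions are deprecated in Python 2.5 and a TypeError from 2.6 on, so whoever catches this will see a TypeError about the raise itself rather than the intended message. Raise a real exception, `raise ValueError(_("You must select a user"))`, which also matches the ValueError polgen.py already raises for an empty name. Note that polgen's own check cannot cover this case, because it only rejects an empty string and a missing tree selection never reaches it.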
@@ -4462,9 +4702,12 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + self.output_entry.set_text(os.getcwd()) + self.xml.get_widget("output_button").connect("clicked",self.output_button_clicked) + -+ self.xwindows_login_user_radiobutton = self.xml.get_widget("xwindows_login_user_radiobutton") -+ self.terminal_login_user_radiobutton = self.xml.get_widget("terminal_login_user_radiobutton") ++ self.xwindows_user_radiobutton = self.xml.get_widget("xwindows_user_radiobutton") ++ self.terminal_user_radiobutton = self.xml.get_widget("terminal_user_radiobutton") + self.root_user_radiobutton = self.xml.get_widget("root_user_radiobutton") ++ self.login_user_radiobutton = self.xml.get_widget("login_user_radiobutton") ++ self.admin_user_radiobutton = self.xml.get_widget("admin_user_radiobutton") ++ self.existing_user_radiobutton = self.xml.get_widget("existing_user_radiobutton") + + self.user_radiobutton = self.xml.get_widget("user_radiobutton") + self.init_radiobutton = self.xml.get_widget("init_radiobutton") @@ -4543,6 +4786,12 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + self.init_script_entry.set_sensitive(self.init_radiobutton.get_active()) + self.init_script_button.set_sensitive(self.init_radiobutton.get_active()) + ++ def on_existing_user_page_next(self, *args): ++ store, iter = self.view.get_selection().get_selected() ++ if iter != None: ++ self.error(_("You must select a user")) ++ return True ++ + def on_name_page_next(self, *args): + name=self.name_entry.get_text() + if name == "": 
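Review bot: on_existing_user_page_next has its condition inverted and reads the wrong widget: it queries `self.view.get_selection()`, although nothing in the visible hunks assigns `self.view` and the list of existing users lives in `self.existing_user_treeview`, and it reports "You must select a user" when `iter != None`, i.e. exactly when a user is selected, while an empty selection falls through, returns None and lets on_forward advance into get_name, which then fails. It should read `store, iter = self.existing_user_treeview.get_selection().get_selected()` followed by `if iter == None:` before the existing `self.error(...)`/`return True`. With that fix the method mirrors the check already done in get_name in the hunk above.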
@@ -4571,9 +4820,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + app.stand_alone() diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.42/gui/polgen.py --- nsapolicycoreutils/gui/polgen.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.42/gui/polgen.py 2008-02-05 16:11:48.000000000 -0500 -@@ -0,0 +1,835 @@ -+# Copyright (C) 2007 Red Hat ++++ policycoreutils-2.0.42/gui/polgen.py 2008-02-13 15:08:24.000000000 -0500 +@@ -0,0 +1,879 @@ ++#!/usr/bin/python ++# ++# Copyright (C) 2007, 2008 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy @@ -4665,9 +4916,13 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore +CGI = 3 +XUSER = 4 +TUSER = 5 -+RUSER = 6 ++LUSER = 6 ++AUSER = 7 ++EUSER = 8 ++RUSER = 9 ++ +APPLICATIONS = [ DAEMON, INETD, USER, CGI ] -+USERS = [ XUSER, TUSER, RUSER ] ++USERS = [ XUSER, TUSER, LUSER, AUSER, EUSER, RUSER] + +def verify_ports(ports): + if ports == "": 
@@ -4712,9 +4967,19 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + self.DEFAULT_DIRS["/var/log"] = ["var_log", [], var_log]; + self.DEFAULT_DIRS["/var/run"] = ["var_run", [], var_run]; + -+ self.DEFAULT_TYPES = (( self.generate_daemon_types, self.generate_daemon_rules), ( self.generate_inetd_types, self.generate_inetd_rules), ( self.generate_userapp_types, self.generate_userapp_rules), ( self.generate_cgi_types, self.generate_cgi_rules), ( self.generate_x_login_user_types, self.generate_x_login_user_rules), ( self.generate_login_user_types, self.generate_login_user_rules), ( self.generate_root_user_types, self.generate_root_user_rules)) ++ self.DEFAULT_TYPES = (\ ++( self.generate_daemon_types, self.generate_daemon_rules), \ ++( self.generate_inetd_types, self.generate_inetd_rules), \ ++( self.generate_userapp_types, self.generate_userapp_rules), \ ++( self.generate_cgi_types, self.generate_cgi_rules), \ ++( self.generate_x_login_user_types, self.generate_x_login_user_rules), \ ++( self.generate_min_login_user_types, self.generate_login_user_rules), \ ++( self.generate_login_user_types, self.generate_login_user_rules), \ ++( self.generate_admin_user_types, self.generate_login_user_rules), \ ++( self.generate_existing_user_types, self.generate_existing_user_rules), \ ++( self.generate_root_user_types, self.generate_root_user_rules)) + if name == "": -+ raise ValueError(_("You must enter a name for your confined process")) ++ raise ValueError(_("You must enter a name for your confined process/user")) + if type == CGI: + self.name = "httpd_%s_script" % name + else: 
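Review bot: DEFAULT_TYPES is a positional tuple that is indexed by the type constants (XUSER=4 … RUSER=9 in the previous hunk), so adding three user kinds meant renumbering RUSER and keeping two lists in lockstep by hand; the order does line up here, but nothing checks it and a future insertion in the wrong slot would silently generate the wrong policy kind. A dict keyed by the constants, e.g. `EUSER: (self.generate_existing_user_types, self.generate_existing_user_rules), RUSER: (self.generate_root_user_types, self.generate_root_user_rules)` and so on, makes each pairing explicit and turns an unknown type into a KeyError instead of an IndexError or a mismatch. The enclosing `__init__` begins before this hunk.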
@@ -5066,9 +5331,18 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + def generate_inetd_types(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_inetd_types) + ++ def generate_min_login_user_types(self): ++ return re.sub("TEMPLATETYPE", self.name, user.te_min_login_user_types) ++ + def generate_login_user_types(self): + return re.sub("TEMPLATETYPE", self.name, user.te_login_user_types) + ++ def generate_admin_user_types(self): ++ return re.sub("TEMPLATETYPE", self.name, user.te_admin_user_types) ++ ++ def generate_existing_user_types(self): ++ return re.sub("TEMPLATETYPE", self.name, user.te_existing_user_types) ++ + def generate_x_login_user_types(self): + return re.sub("TEMPLATETYPE", self.name, user.te_x_login_user_types) + @@ -5111,6 +5385,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + def generate_login_user_rules(self): + return re.sub("TEMPLATETYPE", self.name, user.te_login_user_rules) + ++ def generate_existing_user_rules(self): ++ return re.sub("TEMPLATETYPE", self.name, user.te_existing_user_rules) ++ + def generate_x_login_user_rules(self): + return re.sub("TEMPLATETYPE", self.name, user.te_x_login_user_rules) + @@ -5170,7 +5447,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + + def generate_roles_rules(self): + newte = "" -+ if self.type in ( TUSER, XUSER): ++ if self.type in ( TUSER, XUSER, AUSER, LUSER, EUSER): + roles = "" + if len(self.roles) > 0: + newte += re.sub("TEMPLATETYPE", self.name, user.te_newrole_rules) @@ -5243,7 +5520,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + + def generate_user_sh(self): + newsh = "" -+ if self.type in ( TUSER, XUSER): ++ if self.type in ( TUSER, XUSER, AUSER, LUSER, EUSER): + roles = "" + for role in self.roles: + roles += " %s_r" % role 
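Review bot: The tuple `( TUSER, XUSER, AUSER, LUSER, EUSER)` is now spelled out in both generate_roles_rules and generate_user_sh, and it is exactly USERS minus RUSER, so the next user kind has three places to be added (USERS and both tuples) and this commit already had to touch both. Define it once beside USERS, e.g. `LOGIN_USERS = [ XUSER, TUSER, LUSER, AUSER, EUSER ]`, and test `self.type in LOGIN_USERS` in both methods so the two stay in agreement by construction.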
@@ -5254,7 +5531,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + return newsh + + def generate_sh(self): -+ newsh = re.sub("TEMPLATETYPE", self.file_name, script.compile) ++ temp = re.sub("TEMPLATETYPE", self.file_name, script.compile) ++ if self.type == RUSER: ++ newsh = re.sub("TEMPLATEFILE", "my%s" % self.file_name, temp) ++ else: ++ newsh = re.sub("TEMPLATEFILE", self.file_name, temp) + if self.program != "": + newsh += re.sub("FILENAME", self.program, script.restorecon) + if self.initscript != "": @@ -5281,14 +5562,20 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + return newsh + + def write_te(self, out_dir): -+ tefile = "%s/%s.te" % (out_dir, self.file_name) ++ if self.type == EUSER: ++ tefile = "%s/my%s.te" % (out_dir, self.file_name) ++ else: ++ tefile = "%s/%s.te" % (out_dir, self.file_name) + fd = open(tefile, "w") + fd.write(self.generate_te()) + fd.close() + return tefile + + def write_sh(self, out_dir): -+ shfile = "%s/%s.sh" % (out_dir, self.file_name) ++ if self.type == EUSER: ++ shfile = "%s/my%s.sh" % (out_dir, self.file_name) ++ else: ++ shfile = "%s/%s.sh" % (out_dir, self.file_name) + fd = open(shfile, "w") + fd.write(self.generate_sh()) + fd.close() 
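Review bot: generate_sh applies the `my` file prefix when `self.type == RUSER`, but write_te and write_sh in the hunk right below (and write_if/write_fc further down) apply it when `self.type == EUSER`, and the te_existing_user_types template names the module `myTEMPLATETYPE`. For an existing user the generated shell script will therefore run `ls`/`audit2allow` against `<name>.te` and `semodule -i <name>.pp` while the files actually written (and the .pp the Makefile builds) are `my<name>.te`/`my<name>.pp`; for a root user the reverse mismatch occurs and the script points at files that were never written. The condition should be `if self.type == EUSER:`, and since the same prefix decision now appears in five methods, a single helper such as `def module_name(self): return "my%s" % self.file_name if self.type == EUSER else self.file_name` used by all of them would remove the chance of this divergence recurring.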
@@ -5296,14 +5583,20 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + return shfile + + def write_if(self, out_dir): -+ iffile = "%s/%s.if" % (out_dir, self.file_name) ++ if self.type == EUSER: ++ iffile = "%s/my%s.if" % (out_dir, self.file_name) ++ else: ++ iffile = "%s/%s.if" % (out_dir, self.file_name) + fd = open(iffile, "w") + fd.write(self.generate_if()) + fd.close() + return iffile + + def write_fc(self,out_dir): -+ fcfile = "%s/%s.fc" % (out_dir, self.file_name) ++ if self.type == EUSER: ++ fcfile = "%s/my%s.fc" % (out_dir, self.file_name) ++ else: ++ fcfile = "%s/%s.fc" % (out_dir, self.file_name) + if self.type in APPLICATIONS: + fd = open(fcfile, "w") + fd.write(self.generate_fc()) @@ -10546,7 +10839,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py poli +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.42/gui/templates/script.py --- nsapolicycoreutils/gui/templates/script.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.42/gui/templates/script.py 2008-02-05 16:09:43.000000000 -0500 ++++ policycoreutils-2.0.42/gui/templates/script.py 2008-02-13 15:09:17.000000000 -0500 @@ -0,0 +1,91 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -10590,7 +10883,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py + +if [ $# -eq 1 ]; then + if [ "$1" = "--update" ] ; then -+ time=`ls -l --time-style="+%x %X" TEMPLATETYPE.te | awk '{ printf "%s %s", $6, $7 }'` ++ time=`ls -l --time-style="+%x %X" TEMPLATEFILE.te | awk '{ printf "%s %s", $6, $7 }'` + rules=`ausearch --start $time -m avc --raw -se TEMPLATETYPE` + if [ x"$rules" != "x" ] ; then + echo "Found avc's to update policy with" 
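Review bot: write_if and write_fc each repeat the `if self.type == EUSER: ... "%s/my%s.if" ... else: ... "%s/%s.if"` branch that write_te and write_sh also carry, so the file-naming rule for existing-user modules is now encoded four times and any change (or the prefix check in generate_sh, which currently disagrees) has to be made in every copy. Compute the module file stem once — e.g. a helper returning `"my%s" % self.file_name` for EUSER and `self.file_name` otherwise — and build each path as `"%s/%s.if" % (out_dir, stem)`. A short comment on that helper explaining why existing-user modules get the `my` prefix (they must not collide with the distribution's own module for that user) would also be worth adding, since nothing in the hunks states the reason.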
@@ -10599,7 +10892,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py + read ANS + if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then + echo "Updating policy" -+ echo -e "$rules" | audit2allow -R >> TEMPLATETYPE.te ++ echo -e "$rules" | audit2allow -R >> TEMPLATEFILE.te + # Fall though and rebuild policy + else + exit 0 @@ -10620,7 +10913,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py +echo "Building and Loading Policy" +set -x +make -f /usr/share/selinux/devel/Makefile -+/usr/sbin/semodule -i TEMPLATETYPE.pp ++/usr/sbin/semodule -i TEMPLATEFILE.pp + +""" + @@ -10787,8 +11080,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py pol + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.42/gui/templates/user.py --- nsapolicycoreutils/gui/templates/user.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.42/gui/templates/user.py 2008-02-05 16:10:54.000000000 -0500 -@@ -0,0 +1,141 @@ ++++ policycoreutils-2.0.42/gui/templates/user.py 2008-02-13 15:51:31.000000000 -0500 +@@ -0,0 +1,182 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -10820,6 +11113,28 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po +# Declarations +# + ++userdom_unpriv_user_template(TEMPLATETYPE) ++""" ++ ++te_admin_user_types="""\ ++policy_module(TEMPLATETYPE,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++userdom_admin_login_user_template(TEMPLATETYPE) ++""" ++ ++te_min_login_user_types="""\ ++policy_module(TEMPLATETYPE,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ +userdom_restricted_user_template(TEMPLATETYPE) +""" + 
@@ -10834,6 +11149,16 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po +userdom_restricted_xwindows_user_template(TEMPLATETYPE) +""" + ++te_existing_user_types="""\ ++policy_module(myTEMPLATETYPE,1.0.0) ++ ++gen_require(` ++ type TEMPLATETYPE_t, TEMPLATETYPE_devpts_t, TEMPLATETYPE_tty_device_t; ++ role TEMPLATETYPE_r; ++') ++ ++""" ++ +te_root_user_types="""\ + +policy_module(TEMPLATETYPE,1.0.0) @@ -10855,6 +11180,15 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po + +""" + ++te_existing_user_rules="""\ ++ ++######################################## ++# ++# TEMPLATETYPE customized policy ++# ++ ++""" ++ +te_x_login_user_rules="""\ + +######################################## diff --git a/policycoreutils.spec b/policycoreutils.spec index 002a135..93fb2e2 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -5,8 +5,8 @@ %define sepolgenver 1.0.11 Summary: SELinux policy core utilities Name: policycoreutils -Version: 2.0.42 -Release: 3%{?dist} +Version: 2.0.43 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -192,6 +192,11 @@ if [ "$1" -ge "1" ]; then fi %changelog +* Wed Feb 13 2008 Dan Walsh 2.0.43-1 +- Update to upstream + * Merged fix fixfiles option processing from Vaclav Ovsik. +- Added existing users, staff and user_t users to polgengui + * Fri Feb 8 2008 Dan Walsh 2.0.42-3 - Add messages for audit2allow DONTAUDIT diff --git a/sources b/sources index 513fd1d..db5f72c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 3fed5cd04ee67c0f86e3cc6825261819 sepolgen-1.0.11.tgz -f6c0318b5142ee58a8ea98abc5a90506 policycoreutils-2.0.42.tgz +ea60bf5f1cb06e1bc677ffaa5f18d258 policycoreutils-2.0.43.tgz
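Review bot: te_existing_user_types requires `TEMPLATETYPE_t, TEMPLATETYPE_devpts_t, TEMPLATETYPE_tty_device_t` and `role TEMPLATETYPE_r` with no rules of its own, so the generated module links only if the selected existing user was declared with exactly those userdom-style types; the names come from `polgen.get_users()`, which is not visible here, so if that list can contain users without a matching `_devpts_t`/`_tty_device_t` (or a `_u`-suffixed SELinux user name), `semodule -i` will fail on the require block. A comment above the template stating the assumption, e.g. `# assumes the existing user was created by a userdom_*_user_template (needs <name>_t, <name>_devpts_t, <name>_tty_device_t, <name>_r)`, would make the dependency explicit for whoever extends get_users(). The module name `myTEMPLATETYPE` also means every consumer must use the `my` prefix for its files, which is worth stating here since polgen.py decides that prefix separately.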