diff --git a/.cvsignore b/.cvsignore
index 1e0aa57..af0d16c 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -66,3 +66,4 @@ policycoreutils-1.27.23.tgz
 policycoreutils-1.27.26.tgz
 policycoreutils-1.27.27.tgz
 policycoreutils-1.27.28.tgz
+policycoreutils-1.27.29.tgz
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 632f0bb..ff85230 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1,490 +1,305 @@ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.27.28/audit2allow/audit2allow ---- nsapolicycoreutils/audit2allow/audit2allow 2005-09-12 16:33:30.000000000 -0400 -+++ policycoreutils-1.27.28/audit2allow/audit2allow 2005-11-17 10:26:24.000000000 -0500 -@@ -1,7 +1,12 @@ --#!/usr/bin/perl +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.27.29/audit2allow/audit2allow +--- nsapolicycoreutils/audit2allow/audit2allow 2005-11-28 21:47:54.000000000 -0500 ++++ policycoreutils-1.27.29/audit2allow/audit2allow 2005-11-29 00:04:31.000000000 -0500 +@@ -24,7 +24,7 @@ + # 02111-1307 USA + # + # +-import commands, sys, os, pwd, string, getopt, re ++import commands, sys, os, pwd, string, getopt, re, selinux + class allow: + def __init__(self, source, target, seclass): + self.source=source +@@ -81,6 +81,11 @@ + self.roles=[] + self.load(input) + ++ def warning(self, error): ++ sys.stderr.write("%s: " % sys.argv[0]) ++ sys.stderr.write("%s\n" % error) ++ sys.stderr.flush() ++ + def load(self, input): + avc=[] + found=0 +@@ -114,43 +119,47 @@ + if "load_policy" in avc and self.last_reload: + self.allowRules={} + return +- for i in range (0, len(avc)): +- if avc[i]=="{": +- i=i+1 +- while i ] [[-m|-M] ] [-o ]\n\ + -a, --all read input from audit and message log, conflicts with -i\n\ +@@ -313,15 +328,17 @@ + if buildPP: + print ("Generating type enforcment file: %s.te" % module) + output.write(out.out(requires, module)) ++ output.flush() + if buildPP: +- print ("Compiling policy: checkmodule -M -m -o %s.mod %s.te" % (module, module)) +- rc=commands.getstatusoutput("checkmodule -M -m -o %s.mod %s.te" % (module, module)) ++ cmd="checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module) ++ print "Compiling policy: %s" % cmd ++ rc=commands.getstatusoutput(cmd) + if rc[0]==0: + print ("Building package: semodule_package -o %s.pp -m %s.mod" % (module, module)) + 
rc=commands.getstatusoutput("semodule_package -o %s.pp -m %s.mod" % (module, module)) + if rc[0]==0: +- print ("\n*************** IMPORTANT ***********************\n") +- print ("In order to load this newly created policy package,\nyou are required to execute \n\n\"semodule -i %s.pp\"\n\nto load the policy\n" % module) ++ print ("\n******************** IMPORTANT ***********************\n") ++ print ("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n" % module) + else: + errorExit(rc[1]) + else: +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-1.27.29/audit2allow/audit2allow.1 +--- nsapolicycoreutils/audit2allow/audit2allow.1 2005-09-12 16:33:30.000000000 -0400 ++++ policycoreutils-1.27.29/audit2allow/audit2allow.1 2005-11-29 00:04:31.000000000 -0500 +@@ -30,26 +30,38 @@ + .RI [ options "] " + .SH OPTIONS + .TP +-.B "\-\-help" ++.B "\-a" | "\-\-all" ++Read input from audit and message log, conflicts with -i ++.TP ++.B "\-h" | "\-\-help" + Print a short usage message + .TP +-.B "\-d" ++.B "\-d" | "\-\-dmesg" + Read input from output of + .I /bin/dmesg. + Note that audit messages are not available via dmesg when + auditd is running; use -i /var/log/audit/audit.log instead. + .TP +-.B "\-v" ++.B "\-v" | "\-\-verbose" + Turn on verbose output + .TP +-.B "\-l" ++.B "\-l" | "\-\-lastreload" + read input only after last policy reload + .TP +-.B "\-i " ++.B "\-r" | "\-\-requires" ++Generate require output syntax for loadable modules. 
++.TP ++.B "\-m " | "\-\-module " ++Generate module/require output ++.TP ++.B "\-M " ++Generate loadable module package, conflicts with -o ++.TP ++.B "\-i " | "\-\-input " + read input from + .I + .TP +-.B "\-o " ++.B "\-o " | "\-\-output " + append output to + .I + .SH DESCRIPTION +@@ -76,18 +88,66 @@ + .PP + .SH EXAMPLE + .nf +-$ cd /etc/selinux/$(SELINUXTYPE)/src/policy +-$ /usr/bin/audit2allow -i < /var/log/audit/audit.log >> domains/misc/local.te +- +-$ make load ++.B Traditional Syntax ++cat /var/log/audit/audit.log.1 | audit2allow ++allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; ++ ++ ++.B Using audit2allow to generate module syntax ++ ++$ cat /var/log/audit/audit.log | audit2allow -m local ++module local 1.0; ++ ++require { ++ role system_r; ++ ++ ++ class fifo_file { getattr ioctl }; ++ ++ ++ type cupsd_config_t; ++ type unconfined_t; ++ }; ++ ++ ++allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; ++ ++.B Building a loadable module ++ ++$ /usr/bin/audit2allow -m local -i /var/log/audit/audit.log >> local.te ++ ++# Compile the module ++$ checkmodule -M -m -o local.mod local.te ++# Create the package ++$ semodule_package -o local.pp -m local.mod ++# Load the module into the kernel ++$ semodule -i local.mod ++ ++.B Building a loadable module automatically ++$ cat /var/log/audit/audit.log | audit2allow -M local ++Generating type enforcment file: local.te ++Compiling policy: checkmodule -M -m -o local.mod local.te ++Building package: semodule_package -o local.pp -m local.mod ++ ++******************** IMPORTANT *********************** ++ ++In order to load this newly created policy package into the kernel, ++you are required to execute ++ ++semodule -i local.pp ++ + .fi + .PP + .SH AUTHOR + This manual page was written by + .I Manoj Srivastava , +-for the Debian GNU/Linux system. The ++for the Debian GNU/Linux system. 
It was updated by Dan Walsh ++.PP ++The + .B audit2allow + utility has contributions from several people, including + .I Justin R. Smith + and + .I Yuichi Nakamura. ++and ++.I Dan Walsh +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/Makefile policycoreutils-1.27.29/Makefile +--- nsapolicycoreutils/Makefile 2005-11-07 09:41:21.000000000 -0500 ++++ policycoreutils-1.27.29/Makefile 2005-11-29 00:04:31.000000000 -0500 +@@ -1,4 +1,4 @@ +-SUBDIRS=setfiles load_policy newrole run_init restorecon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand setsebool po ++SUBDIRS=setfiles semanage load_policy newrole run_init restorecon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand setsebool po + + all install relabel clean: + @for subdir in $(SUBDIRS); do \ +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/Makefile policycoreutils-1.27.29/semanage/Makefile +--- nsapolicycoreutils/semanage/Makefile 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.27.29/semanage/Makefile 2005-11-29 00:04:31.000000000 -0500 +@@ -0,0 +1,19 @@ ++# Installation directories. ++PREFIX ?= ${DESTDIR}/usr ++SBINDIR ?= $(PREFIX)/sbin ++MANDIR = $(PREFIX)/share/man ++ ++TARGETS=semanage ++ ++all: $(TARGETS) ++ ++install: all ++ [ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8 ++ -mkdir -p $(SBINDIR) ++ install -m 755 semanage $(SBINDIR) ++ install -m 644 semanage.8 $(MANDIR)/man8 ++ ++clean: ++ rm -f semanage ++ ++relabel: +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.27.29/semanage/semanage +--- nsapolicycoreutils/semanage/semanage 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.27.29/semanage/semanage 2005-11-29 00:04:52.000000000 -0500 +@@ -0,0 +1,377 @@ +#! /usr/bin/env python +# Copyright (C) 2005 Red Hat +# see file 'COPYING' for use and warranty information +# -+# Audit2allow is a rewrite of prior perl script. 
-+# -+# Based off original audit2allow perl script: which credits - # newrules.pl, Copyright (C) 2001 Justin R. Smith (jsmith@mcs.drexel.edu) -+# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam@users.sourceforge.jp) - # - # This program is free software; you can redistribute it and/or - # modify it under the terms of the GNU General Public License as -@@ -17,148 +22,316 @@ - # along with this program; if not, write to the Free Software - # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA - # 02111-1307 USA --# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam@users.sourceforge.jp) -- -- --$load_policy_pattern="avc:.*granted.*{.*load_policy.*}"; -- --while ($opt = shift @ARGV) { -- if ($opt eq "-d") { $read_dmesg++; } -- elsif ($opt eq "-v") { $verbose++; } -- elsif ($opt eq "-i") { $input = shift @ARGV; } -- elsif ($opt eq "-o") { $output= shift @ARGV; } -- elsif ($opt eq "-l") { $load_policy++; } -- elsif ($opt eq "--help") { &printUsage; } -- else { print "unknown option, '$opt'\n\n"; &printUsage; } --} -- --if ($read_dmesg && $input) { -- print "Error, can't read from both dmesg and $input\n\n"; -- &printUsage; --} -- --if ($read_dmesg) { open (IN, "/bin/dmesg|"); } --elsif ($input) { open (IN, "$input"); } --else { open (IN, "-"); } # STDIN -- --if ($output) { open (OUT, ">>$output"); } --else { open (OUT, ">-"); } # STDOUT -- --if($load_policy){ #store logs after last "load_policy" in @log_buf -- while ($line = ) { -- if($line=~/$load_policy_pattern/) { -- #stored logs are unnecessary -- undef @log_buf; -- } -- else -- { -- push @log_buf,$line; -- } -- } --} -- --while ($line=&readNewline) { -- next unless ($line =~ m/avc:\s*denied\s*\{((\w|\s)*)\}/); -- @types=split /\ /,$line; -- $info=""; -- $group=""; -- $command=""; -- foreach $i(0..$#types){ -- next if($types[$i]!~/[=\{]/); -- if($types[$i]=~/^\{/){ -- $j=$i+1; -- while($types[$j]!~/\}/){ -- $command.=" $types[$j]"; -- $j++; -- } -- next; -- } -- my($a,$b) = split /=/,$types[$i]; -- -- 
next if($a eq "pid"); -- next if($a eq "dev"); -- next if($a eq "ino"); -+# -+# -+import commands, sys, os, pwd, string, getopt, re -+class allow: -+ def __init__(self, source, target, seclass): -+ self.source=source -+ self.target=target -+ self.seclass=seclass -+ self.avcinfo={} -+ def add(self, avc): -+ for a in avc[0]: -+ if a not in self.avcinfo.keys(): -+ self.avcinfo[a]=[] -+ -+ self.avcinfo[a].append(avc[1:]) -+ -+ def getAccess(self): -+ if len(self.avcinfo.keys()) == 1: -+ for i in self.avcinfo.keys(): -+ return i -+ else: -+ keys=self.avcinfo.keys() -+ keys.sort() -+ ret="{" -+ for i in keys: -+ ret=ret + " " + i -+ ret=ret+" }" -+ return ret -+ def out(self, verbose=0): -+ ret="" -+ ret=ret+"allow %s %s:%s %s;" % (self.source, self.gettarget(), self.seclass, self.getAccess()) -+ if verbose: -+ keys=self.avcinfo.keys() -+ keys.sort() -+ for i in keys: -+ for x in self.avcinfo[i]: -+ ret=ret+"\n\t#TYPE=AVC MSG=%s " % x[0] -+ if len(x[1]): -+ ret=ret+"COMM=%s " % x[1] -+ if len(x[2]): -+ ret=ret+"NAME=%s " % x[2] -+ ret=ret + " : " + i -+ return ret -+ -+ def gettarget(self): -+ if self.source == self.target: -+ return "self" -+ else: -+ return self.target - -- if(($a eq "scontext")||($a eq "tcontext")||($a eq "tclass")){ -- if($a ne "tclass"){ -- my($c,$c,$c) = split /:/, $b; -- $b=$c; -- } -- $b=~s/\n//; -- $group.="|$b"; -- next; -- } -- $b=~s/:\[\d+\]//; -- $a=uc $a; -- $info.="$a=$b "; -- } -- -- my($c,$c,$c,$c) = split /\|/, $group; -- $info=~s/\ $c=\S+\ //gi; -- # escape regexp patterns -- -- $info=~s/([^\w])/\\$1/g; -- -- @atypes=split /\ /,$command; -- foreach $i(0..$#atypes){ -- $rules{$group}{$atypes[$i]}++; -- } -- -- $info.=" "; -- if($occur{$group}!~$info){ -- $occur{$group}.="\t#$info: $command\n"; -- } -- else{ -- my ($a,$b) = split /$info:\ /, $occur{$group}; -- my ($temp) = split /\n/, $b; -+class allowRecords: -+ def __init__(self, input, last_reload=0, verbose=0): -+ self.last_reload=last_reload -+ self.allowRules={} -+ 
self.seclasses={} -+ self.types=[] -+ self.roles=[] -+ self.load(input) -+ -+ def load(self, input): -+ avc=[] -+ found=0 -+ line = input.readline() -+ while line: -+ rec=line.split() -+ for i in rec: -+ if i=="avc:" or i=="message=avc:": -+ found=1 -+ else: -+ avc.append(i) -+ if found: -+ self.add(avc) -+ found=0 -+ avc=[] -+ line = input.readline() -+ -+ -+ def add(self,avc): -+ scon="" -+ tcon="" -+ seclass="" -+ comm="" -+ name="" -+ msg="" -+ access=[] -+ if "security_compute_sid" in avc: -+ return -+ -+ if "granted" in avc: -+ if "load_policy" in avc and self.last_reload: -+ self.allowRules={} -+ return -+ for i in range (0, len(avc)): -+ if avc[i]=="{": -+ i=i+1 -+ while i; -- } -- return $newline; --} -- --sub printUsage { -- print "audit2allow [-d] [-v] [-l] [-i ] [-o ] -- -d read input from output of /bin/dmesg -- -v verbose output -- -l read input only after last \"load_policy\" -- -i read input from -- -o append output to \n"; -- exit; --} -- -+ def out(self, require=0, module=""): -+ rec="" -+ if len(self.allowRules.keys())==0: -+ raise(ValueError("No AVC messages found.")) -+ if module!="": -+ rec += self.gen_module(module) -+ rec += self.gen_requires() -+ else: -+ if requires: -+ rec+=self.gen_requires() -+ -+ for i in self.allowRules.keys(): -+ rec += self.allowRules[i].out(verbose)+"\n" -+ return rec -+ -+if __name__ == '__main__': -+ -+ def usage(): -+ print 'audit2allow [-adhilrv] [-i ] [[-m|-M] ] [-o ]\n\ -+ -a, --all read input from audit and message log, conflicts with -i\n\ -+ -d, --dmesg read input from output of /bin/dmesg\n\ -+ -h, --help display this message\n\ -+ -i, --input read input from conflicts with -a\n\ -+ -l, --lastreload read input only after last \"load_policy\"\n\ -+ -m, --module generate module/require output \n\ -+ -M generate loadable module package, conflicts with -o\n\ -+ -o, --output append output to , conflicts with -M\n\ -+ -r, --requires generate require output \n\ -+ -v, --verbose verbose output\n\ -+ ' -+ 
sys.exit(1) -+ -+ def errorExit(error): -+ sys.stderr.write("%s: " % sys.argv[0]) -+ sys.stderr.write("%s\n" % error) -+ sys.stderr.flush() -+ sys.exit(1) -+ -+ # -+ # -+ # -+ try: -+ last_reload=0 -+ input=sys.stdin -+ output=sys.stdout -+ module="" -+ requires=0 -+ verbose=0 -+ auditlogs=0 -+ buildPP=0 -+ input_ind=0 -+ output_ind=0 -+ gopts, cmds = getopt.getopt(sys.argv[1:], -+ 'adhi:lm:M:o:rv', -+ ['all', -+ 'dmesg', -+ 'help', -+ 'input=', -+ 'lastreload', -+ 'module=', -+ 'output=', -+ 'requires' -+ 'verbose' -+ ]) -+ for o,a in gopts: -+ if o == "-a" or o == "--all": -+ if input_ind: -+ usage() -+ input=open("/var/log/messages", "r") -+ auditlogs=1 -+ if o == "-d" or o == "--dmesg": -+ input=os.popen("/bin/dmesg", "r") -+ if o == "-h" or o == "--help": -+ usage() -+ if o == "-i"or o == "--input": -+ if auditlogs: -+ usage() -+ input_ind=1 -+ input=open(a, "r") -+ if o == '--lastreload' or o == "-l": -+ last_reload=1 -+ if o == "-m" or o == "--module": -+ if module != "": -+ usage() -+ module=a -+ if o == "-M": -+ if module != "" or output_ind: -+ usage() -+ module=a -+ outfile=a+".te" -+ buildPP=1 -+ output=open(outfile, "w") -+ if o == "-r" or o == "--requires": -+ requires=1 -+ if o == "-o" or o == "--output": -+ if module != "": -+ usage() -+ output=open(a, "a") -+ output_ind=1 -+ if o == "-v" or o == "--verbose": -+ verbose=1 -+ if len(cmds) != 0: -+ usage() -+ out=allowRecords(input, last_reload, verbose) -+ if auditlogs: -+ input=open("/var/log/audit/audit.log", "r") -+ out.load(input) -+ if buildPP: -+ print ("Generating type enforcment file: %s.te" % module) -+ output.write(out.out(requires, module)) -+ if buildPP: -+ print ("Compiling policy: checkmodule -M -m -o %s.mod %s.te" % (module, module)) -+ rc=commands.getstatusoutput("checkmodule -M -m -o %s.mod %s.te" % (module, module)) -+ if rc[0]==0: -+ print ("Building package: semodule_package -o %s.pp -m %s.mod" % (module, module)) -+ rc=commands.getstatusoutput("semodule_package -o %s.pp -m 
%s.mod" % (module, module)) -+ if rc[0]==0: -+ print ("\n*************** IMPORTANT ***********************\n") -+ print ("In order to load this newly created policy package,\nyou are required to execute \n\n\"semodule -i %s.pp\"\n\nto load the policy\n" % module) -+ else: -+ errorExit(rc[1]) -+ else: -+ errorExit(rc[1]) -+ -+ except getopt.error, error: -+ errorExit("Options Error " + error.msg) -+ except ValueError, error: -+ errorExit(error.args[0]) -+ except IOError, error: -+ errorExit(error.args[1]) -+ except KeyboardInterrupt, error: -+ sys.exit(0) -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.perl policycoreutils-1.27.28/audit2allow/audit2allow.perl ---- nsapolicycoreutils/audit2allow/audit2allow.perl 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-1.27.28/audit2allow/audit2allow.perl 2005-11-16 22:33:25.000000000 -0500 -@@ -0,0 +1,164 @@ -+#!/usr/bin/perl -+ -+# Adapted from: -+# newrules.pl, Copyright (C) 2001 Justin R. Smith (jsmith@mcs.drexel.edu) ++# semanage is a tool for managing SELinux configuration files +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as 
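Review bot: The new audit2allow.1 example under "Building a loadable module" loads the wrong artefact: `semodule_package -o local.pp -m local.mod` produces `local.pp`, yet the next line is `semodule -i local.mod`; it should read `semodule -i local.pp`, which is also what the script's IMPORTANT banner tells the user to run. In the same file the "automatically" example still prints `checkmodule -M -m -o local.mod local.te`, while the script now builds that command from `get_mls_flag()` (its definition is not visible in this hunk), so on a non-MLS policy the real output will presumably differ from the man page; a sentence noting that the `-M` flag is chosen according to whether the running policy is MLS would avoid confusion, and "Generating type enforcment file" is misspelled in both the script and the example. Separately, `cmd="checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module)` is handed to `commands.getstatusoutput`, i.e. run through `sh -c`, with the module name interpolated unquoted; the name comes from the invoking user's own `-M` argument so this is not a privilege boundary, but a name containing spaces or shell metacharacters silently yields a different command and stray files, so rejecting anything outside a safe character set up front (e.g. `if not re.match(r'^[A-Za-z0-9_.-]+$', module): errorExit("invalid module name")`) before the .te file is written would make that failure explicit.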
@@ -500,326 +315,572 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow. +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA -+# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam@users.sourceforge.jp) ++# ++# ++import commands, sys, os, pwd, string, getopt, pwd ++from semanage import *; ++class loginRecords: ++ def __init__(self): ++ self.sh=semanage_handle_create() ++ self.semanaged=semanage_is_managed(self.sh) ++ if self.semanaged: ++ semanage_connect(self.sh) ++ ++ def add(self, name, sename, serange): ++ (rc,k)=semanage_seuser_key_create(self.sh, name) ++ (rc,exists)= semanage_seuser_exists(self.sh, k) ++ if exists: ++ raise ValueError("SELinux User %s mapping already defined" % name) ++ try: ++ pwd.getpwname(name) ++ except: ++ raise ValueError("Linux User %s does not exist" % name) ++ ++ (rc,u)= semanage_seuser_create(self.sh) ++ semanage_seuser_set_name(self.sh, u, name) ++ semanage_seuser_set_mlsrange(self.sh, u, serange) ++ semanage_seuser_set_sename(self.sh, u, sename) ++ semanage_begin_transaction(self.sh) ++ semanage_seuser_add(self.sh, k, u) ++ if semanage_commit(self.sh) != 0: ++ raise ValueError("Failed to add SELinux user mapping") ++ ++ def modify(self, name, sename="", serange=""): ++ (rc,k)=semanage_seuser_key_create(self.sh, name) ++ (rc,u)= semanage_seuser_query(self.sh, k) ++ if rc !=0 : ++ raise ValueError("SELinux user %s mapping is not defined." 
% name) ++ if sename == "" and serange=="": ++ raise ValueError("Requires, seuser or serange") ++ if serange != "": ++ semanage_seuser_set_mlsrange(self.sh, u, serange) ++ if sename != "": ++ semanage_seuser_set_sename(self.sh, u, sename) ++ semanage_begin_transaction(self.sh) ++ semanage_seuser_modify(self.sh, k, u) ++ if semanage_commit(self.sh) != 0: ++ raise ValueError("Failed to modify SELinux user mapping") ++ ++ ++ def delete(self, name): ++ (rc,k)=semanage_seuser_key_create(self.sh, name) ++ (rc,exists)= semanage_seuser_exists(self.sh, k) ++ if rc !=0 : ++ raise ValueError("SELinux user %s mapping is not defined." % name) ++ semanage_begin_transaction(self.sh) ++ semanage_seuser_del(self.sh, k) ++ if semanage_commit(self.sh) != 0: ++ raise ValueError("SELinux User %s mapping not defined" % name) ++ ++ def list(self): ++ print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range") ++ (status, self.ulist, self.usize) = semanage_seuser_list(self.sh) ++ for idx in range(self.usize): ++ u=semanage_seuser_by_idx(self.ulist, idx) ++ name=semanage_seuser_get_name(u) ++ ++ print "%-25s %-25s %-25s" % (name, semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u)) ++ ++class seluserRecords: ++ def __init__(self): ++ roles=[] ++ self.sh=semanage_handle_create() ++ self.semanaged=semanage_is_managed(self.sh) ++ if self.semanaged: ++ semanage_connect(self.sh) ++ ++ def add(self, name, roles, selevel, serange): ++ (rc,k)=semanage_user_key_create(self.sh, name) ++ (rc,exists)= semanage_user_exists(self.sh, k) ++ if exists: ++ raise ValueError("Seuser %s already defined" % name) ++ (rc,u)= semanage_user_create(self.sh) ++ semanage_user_set_name(self.sh, u, name) ++ for r in roles: ++ semanage_user_add_role(self.sh, u, r) ++ semanage_user_set_mlsrange(self.sh, u, serange) ++ semanage_user_set_mlslevel(self.sh, u, selevel) ++ (rc,key) = semanage_user_key_extract(self.sh,u) ++ semanage_begin_transaction(self.sh) ++ semanage_user_add_local(self.sh, k, 
u) ++ if semanage_commit(self.sh) != 0: ++ raise ValueError("Failed to add SELinux user") ++ ++ self.dict[name]=seluser(name, roles, selevel, serange) ++ ++ def modify(self, name, roles=[], selevel="", serange=""): ++ (rc,k)=semanage_user_key_create(self.sh, name) ++ (rc,exists)= semanage_user_exists(self.sh, k) ++ if not exists: ++ raise ValueError("user %s is not defined" % name) ++ (rc,u)= semanage_user_query(self.sh, k) ++ if rc !=0 : ++ raise ValueError("User %s is not defined." % name) ++ if len(roles) == 0 and serange=="" and selevel=="": ++ raise ValueError("Requires, roles, level or range") ++ if serange != "": ++ semanage_user_set_mlsrange(self.sh, u, serange) ++ if selevel != "": ++ semanage_user_set_mlslevel(self.sh, u, selevel) ++ if len(roles) != 0: ++ for r in roles: ++ print r ++ semanage_user_add_role(self.sh, u, r) ++ semanage_begin_transaction(self.sh) ++ semanage_user_modify_local(self.sh, k, u) ++ if semanage_commit(self.sh) != 0: ++ raise ValueError("Failed to modify SELinux user") ++ ++ ++ def delete(self, name): ++ (rc,k)=semanage_user_key_create(self.sh, name) ++ (rc,exists)= semanage_user_exists(self.sh, k) ++ if not exists: ++ raise ValueError("user %s is not defined" % name) ++ semanage_begin_transaction(self.sh) ++ semanage_user_del_local(self.sh, k) ++ if semanage_commit(self.sh) != 0: ++ raise ValueError("Login User %s not defined" % name) ++ ++ def list(self): ++ print "\n%-15s %-10s %-20s" % ("", "MLS/", "MLS/") ++ print "%-15s %-10s %-15s %-20s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles") ++ (status, self.ulist, self.usize) = semanage_user_list(self.sh) ++ for idx in range(self.usize): ++ u=semanage_user_by_idx(self.ulist, idx) ++ name=semanage_user_get_name(u) ++ (status, rlist, rlist_size) = semanage_user_get_roles(self.sh, u) ++ roles="" ++ ++ if rlist_size: ++ roles+=char_by_idx(rlist, 0) ++ for ridx in range (1,rlist_size): ++ roles+=" " + char_by_idx(rlist, ridx) ++ print "%-15s %-10s %-15s %s" % 
(semanage_user_get_name(u), semanage_user_get_mlslevel(u), semanage_user_get_mlsrange(u), roles) ++ ++class portRecords: ++ def __init__(self): ++ self.dict={} ++ self.sh=semanage_handle_create() ++ self.semanaged=semanage_is_managed(self.sh) ++ if self.semanaged: ++ semanage_connect(self.sh) ++ ++ def add(self, name, type): ++ (rc,k)=semanage_port_key_create(self.sh, name) ++ (rc,exists)= semanage_port_exists(self.sh, k) ++ if exists: ++ raise ValueError("User %s already defined" % name) ++ (rc,u)= semanage_port_create(self.sh) ++ semanage_port_set_name(self.sh, u, name) ++ semanage_port_set_mlsrange(self.sh, u, serange) ++ semanage_port_set_sename(self.sh, u, sename) ++ semanage_begin_transaction(self.sh) ++ semanage_port_add(self.sh, k, u) ++ if semanage_commit(self.sh) != 0: ++ raise ValueError("Failed to add port") ++ ++ def modify(self, name, type): ++ (rc,k)=semanage_port_key_create(self.sh, name) ++ (rc,u)= semanage_port_query(self.sh, k) ++ if rc !=0 : ++ raise ValueError("User %s is not defined." 
% name) ++ if sename == "" and serange=="": ++ raise ValueError("Requires, port or serange") ++ if serange != "": ++ semanage_port_set_mlsrange(self.sh, u, serange) ++ if sename != "": ++ semanage_port_set_sename(self.sh, u, sename) ++ semanage_begin_transaction(self.sh) ++ semanage_port_modify(self.sh, k, u) ++ if semanage_commit(self.sh) != 0: ++ raise ValueError("Failed to add port") ++ ++ def delete(self, name): ++ (rc,k)=semanage_port_key_create(self.sh, name) ++ semanage_begin_transaction(self.sh) ++ semanage_port_del(self.sh, k) ++ if semanage_commit(self.sh) != 0: ++ raise ValueError("Port %s not defined" % name) ++ ++ def list(self): ++ (status, self.plist, self.psize) = semanage_port_list(self.sh) ++ print "%-25s %s\n" % ("SELinux Port Name", "Port Number") ++ for idx in range(self.psize): ++ u=semanage_port_by_idx(self.plist, idx) ++ name=semanage_port_get_name(u) ++ print "%20s %d" % ( name, semanage_port_get_number(u)) ++ ++if __name__ == '__main__': ++ ++ def usage(message=""): ++ print '\ ++semanage user [-admsRrh] SELINUX_USER\n\ ++semanage login [-admsrh] LOGIN_NAME\n\ ++semanage port [-admth] SELINUX_PORT_NAME\n\ ++ -a, --add Add a OBJECT record NAME\n\ ++ -d, --delete Delete a OBJECT record NAME\n\ ++ -h, --help display this message\n\ ++ -l, --list List the OBJECTS\n\ ++ -m, --modify Modify a OBJECT record NAME\n\ ++ -r, --range MLS/MCS Security Range\n\ ++ -R, --roles SELinux Roles (Separate by spaces)\n\ ++ -s, --seuser SELinux user name\n\ ++ -t, --type SELinux Type for the object\n\ ++ -v, --verbose verbose output\n\ ++' ++ print message ++ sys.exit(1) ++ ++ def errorExit(error): ++ sys.stderr.write("%s: " % sys.argv[0]) ++ sys.stderr.write("%s\n" % error) ++ sys.stderr.flush() ++ sys.exit(1) ++ ++ # ++ # ++ # ++ try: ++ objectlist=("login", "user", "port") ++ input=sys.stdin ++ output=sys.stdout ++ serange="s0" ++ selevel="s0" ++ roles="" ++ seuser="" ++ type="" ++ add=0 ++ modify=0 ++ delete=0 ++ list=0 ++ if len(sys.argv) < 3: ++ 
usage("Requires 2 or more arguments") ++ ++ object=sys.argv[1] ++ if object not in objectlist: ++ usage("%s not defined" % object) ++ ++ args=sys.argv[2:] ++ gopts, cmds = getopt.getopt(args, ++ 'adlhms:R:r:t:v', ++ ['add', ++ 'delete', ++ 'help', ++ 'list', ++ 'modify', ++ 'seuser=', ++ 'range=', ++ 'roles=', ++ 'type=', ++ 'verbose' ++ ]) ++ for o,a in gopts: ++ if o == "-a" or o == "--add": ++ if modify or delete: ++ usage() ++ add=1 ++ ++ if o == "-d" or o == "--delese": ++ if modify or add: ++ usage() ++ delete=1 ++ if o == "-h" or o == "--help": ++ usage() ++ ++ if o == "-m"or o == "--modify": ++ if delete or add: ++ usage() ++ modify=1 ++ ++ if o == "-r" or o == '--range': ++ serange=a ++ ++ if o == "-R" or o == '--roles': ++ roles=a ++ ++ if o == "-t" or o == "--type": ++ type=a ++ ++ if o == "-l" or o == "--list": ++ list=1 ++ ++ if o == "-s" or o == "--seuser": ++ seuser=a ++ ++ if o == "-v" or o == "--verbose": ++ verbose=1 ++ ++ if object == "login": ++ OBJECT=loginRecords() ++ ++ if object == "user": ++ OBJECT=seluserRecords() ++ ++ if object == "port": ++ OBJECT=portRecords() ++ ++ if list: ++ OBJECT.list() ++ sys.exit(0); ++ ++ if len(cmds) != 1: ++ usage() ++ ++ name=cmds[0] ++ ++ if add: ++ if object == "login": ++ OBJECT.add(name, seuser, serange) ++ ++ if object == "user": ++ rlist=roles.split() ++ print rlist ++ OBJECT.add(name, rlist, selevel, serange) ++ ++ if object == "port": ++ OBJECT.add(name, type) ++ ++ OBJECT.list() ++ sys.exit(0); ++ ++ if modify: ++ if object == "login": ++ OBJECT.modify(name, seuser, serange) ++ ++ if object == "user": ++ rlist=roles.split() ++ print rlist ++ OBJECT.modify(name, rlist, selevel, serange) ++ ++ if object == "port": ++ OBJECT.modify(name, type) ++ sys.exit(0); ++ OBJECT.list() ++ sys.exit(0); ++ ++ if delete: ++ OBJECT.delete(name) ++ sys.exit(0); ++ usage() ++ ++ except getopt.error, error: ++ errorExit("Options Error " + error.msg) ++ except ValueError, error: ++ errorExit(error.args[0]) ++ except 
IOError, error: ++ errorExit(error.args[1]) ++ except KeyboardInterrupt, error: ++ sys.exit(0) +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.27.29/semanage/semanage.8 +--- nsapolicycoreutils/semanage/semanage.8 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.27.29/semanage/semanage.8 2005-11-29 00:04:31.000000000 -0500 +@@ -0,0 +1,57 @@ ++.TH "semanage" "8" "2005111103" "" "" ++.SH "NAME" ++semanage \- SELinux Policy Management tool ++ ++.SH "SYNOPSIS" ++.B semanage OBJECTTYPE [\-admsrh] OBJECT ++.B semanage login [\-admsrh] login_name ++.br ++.B semanage seuser [\-admsrh] selinux_name ++.br ++.B semanage port [\-admth] port_number ++.P ++This tool is used to manage configuration of the SELinux policy ++ ++.SH "DESCRIPTION" ++This manual page describes the ++.BR semanage ++program. ++.br ++This tool is used to manage configuration of SELinux Policy. You can configure SELinux User Mappings, SELinux Port Mappings, SELinux Users. + + -+$load_policy_pattern="avc:.*granted.*{.*load_policy.*}"; ++.SH "OPTIONS" ++.TP ++ \-a, \-\-add ++.P ++Add a OBJECT record NAME ++.B \-d, \-\-delete ++.P ++Delete a OBJECT record NAME ++.B \-h, \-\-help ++.P ++display this message ++.B \-l, \-\-list ++.P ++List the OBJECTS ++.B \-m, \-\-modify ++.P ++Modify a OBJECT record NAME ++.B \-r, \-\-range ++.P ++MLS/MCS Security Range ++.B \-s, \-\-seuser ++.P ++SELinux user name ++.B \-t, \-\-type ++.P ++SELinux Type for the object ++.B \-v, \-\-verbose ++.P ++verbose output + -+while ($opt = shift @ARGV) { -+ if ($opt eq "-d") { $read_dmesg++; } -+ elsif ($opt eq "-v") { $verbose++; } -+ elsif ($opt eq "-i") { $input = shift @ARGV; } -+ elsif ($opt eq "-o") { $output= shift @ARGV; } -+ elsif ($opt eq "-l") { $load_policy++; } -+ elsif ($opt eq "--help") { &printUsage; } -+ else { print "unknown option, '$opt'\n\n"; &printUsage; } -+} ++.SH "AUTHOR" ++This man page was written by Daniel Walsh . 
+ -+if ($read_dmesg && $input) { -+ print "Error, can't read from both dmesg and $input\n\n"; -+ &printUsage; -+} + -+if ($read_dmesg) { open (IN, "/bin/dmesg|"); } -+elsif ($input) { open (IN, "$input"); } -+else { open (IN, "-"); } # STDIN + -+if ($output) { open (OUT, ">>$output"); } -+else { open (OUT, ">-"); } # STDOUT -+ -+if($load_policy){ #store logs after last "load_policy" in @log_buf -+ while ($line = ) { -+ if($line=~/$load_policy_pattern/) { -+ #stored logs are unnecessary -+ undef @log_buf; -+ } -+ else -+ { -+ push @log_buf,$line; -+ } -+ } -+} -+ -+while ($line=&readNewline) { -+ next unless ($line =~ m/avc:\s*denied\s*\{((\w|\s)*)\}/); -+ @types=split /\ /,$line; -+ $info=""; -+ $group=""; -+ $command=""; -+ foreach $i(0..$#types){ -+ next if($types[$i]!~/[=\{]/); -+ if($types[$i]=~/^\{/){ -+ $j=$i+1; -+ while($types[$j]!~/\}/){ -+ $command.=" $types[$j]"; -+ $j++; -+ } -+ next; -+ } -+ my($a,$b) = split /=/,$types[$i]; -+ -+ next if($a eq "pid"); -+ next if($a eq "dev"); -+ next if($a eq "ino"); -+ -+ if(($a eq "scontext")||($a eq "tcontext")||($a eq "tclass")){ -+ if($a ne "tclass"){ -+ my($c,$c,$c) = split /:/, $b; -+ $b=$c; -+ } -+ $b=~s/\n//; -+ $group.="|$b"; -+ next; -+ } -+ $b=~s/:\[\d+\]//; -+ $a=uc $a; -+ $info.="$a=$b "; -+ } -+ -+ my($c,$c,$c,$c) = split /\|/, $group; -+ $info=~s/\ $c=\S+\ //gi; -+ # escape regexp patterns -- -+ $info=~s/([^\w])/\\$1/g; -+ -+ @atypes=split /\ /,$command; -+ foreach $i(0..$#atypes){ -+ $rules{$group}{$atypes[$i]}++; -+ } -+ -+ $info.=" "; -+ if($occur{$group}!~$info){ -+ $occur{$group}.="\t#$info: $command\n"; -+ } -+ else{ -+ my ($a,$b) = split /$info:\ /, $occur{$group}; -+ my ($temp) = split /\n/, $b; -+ -+ @com=split /\ /, $command; -+ foreach $i(1..$#com){ -+ $b=" $com[$i]$b" if($temp!~$com[$i]); -+ } -+ $occur{$group}="$a$info: $b"; -+ } -+} -+ -+# done with the input file -+# now generate the rules -+foreach $k (sort keys %rules) -+{ -+ my ($a,$scontext,$tcontext,$tclass) = split /\|/, $k; -+ if 
($scontext eq $tcontext) { -+ $tcontext = 'self'; -+ } -+ print OUT "allow $scontext $tcontext:$tclass"; -+ -+ my $access_types = $rules{$k}; -+ $len=(keys %$access_types); -+ if ($len gt 2 ) { print OUT " {"; } -+ foreach $t (sort keys %$access_types) { -+ if ($t ne "") {print OUT " $t";} -+ } -+ if ($len gt 2 ) { print OUT " }"; } -+ print OUT ";\n"; -+ $occur{$k} =~ s/\\(.)/$1/g; # de-escape string -+ print OUT "$occur{$k}\n" if ($verbose); -+} -+ -+exit; -+ -+sub readNewline { -+ if($load_policy){ -+ $newline=shift @log_buf; -+ }else{ -+ $newline=; -+ } -+ return $newline; -+} -+ -+sub printUsage { -+ print "audit2allow [-d] [-v] [-l] [-i ] [-o ] -+ -d read input from output of /bin/dmesg -+ -v verbose output -+ -l read input only after last \"load_policy\" -+ -i read input from -+ -o append output to \n"; -+ exit; -+} -+ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.27.28/scripts/genhomedircon ---- nsapolicycoreutils/scripts/genhomedircon 2005-11-16 15:27:46.000000000 -0500 -+++ policycoreutils-1.27.28/scripts/genhomedircon 2005-11-16 23:21:23.000000000 -0500 -@@ -29,7 +29,9 @@ - import commands, sys, os, pwd, string, getopt, re - from semanage import *; +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/sestatus/sestatus.8 policycoreutils-1.27.29/sestatus/sestatus.8 +--- nsapolicycoreutils/sestatus/sestatus.8 2005-09-12 16:33:30.000000000 -0400 ++++ policycoreutils-1.27.29/sestatus/sestatus.8 2005-11-29 00:04:31.000000000 -0500 +@@ -1,10 +1,10 @@ +-.TH "sestatus" "8" "2002031409" "" "" ++.TH "sestatus" "8" "2005111103" "" "" + .SH "NAME" + sestatus \- SELinux status tool --EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"] -+fd=open("/etc/shells", 'r') -+VALID_SHELLS=fd.read().split('\n') -+fd.close() + .SH "SYNOPSIS" + .B sestatus +-.I [\-v] ++.I [\-v] [\-b] + .P + This tool is used to get the status of a system running SELinux. 
- def getStartingUID(): - starting_uid = sys.maxint -@@ -63,12 +65,7 @@ - homedir = homedir.strip() - if not homedir in ret: - ret.append(homedir) -- else: -- #rc[0] == 256 means the file was there, we read it, but the grep didn't match -- if rc[0] != 256: -- sys.stderr.write("%s\n" % rc[1]) -- sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n") -- sys.stderr.flush() +@@ -33,6 +33,10 @@ + Checks the contexts of a files , and a processes listed in the /etc/sestatus.conf file. It also checks the context of the target, in cases of + symlinks. + ++.B \-b ++.P ++Display the current state of booleans. + - rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf") - if rc[0] == 0: - homedir = rc[1].split("=")[1] -@@ -76,12 +73,7 @@ - homedir = homedir.strip() - if not homedir in ret: - ret.append(homedir) -- else: -- #rc[0] == 256 means the file was there, we read it, but the grep didn't match -- if rc[0] != 256: -- sys.stderr.write("%s\n" % rc[1]) -- sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n") -- sys.stderr.flush() + + .SH "FILES" + /etc/sestatus.conf +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/sestatus/sestatus.c policycoreutils-1.27.29/sestatus/sestatus.c +--- nsapolicycoreutils/sestatus/sestatus.c 2005-09-12 16:33:30.000000000 -0400 ++++ policycoreutils-1.27.29/sestatus/sestatus.c 2005-11-29 00:04:31.000000000 -0500 +@@ -178,19 +178,33 @@ + char **bools; + int nbool; + ++ int verbose=0; ++ int show_bools=0; + - if ret == []: - ret.append("/home") - return ret -@@ -240,9 +232,8 @@ - if rc[0] == 0: - prefix_regex = rc[1].split("\n") - else: -- sys.stderr.write("%s\n" % rc[1]) -- sys.stderr.write("You do not have access to grep/cut/the file contexts\n") -- sys.stderr.flush() -+ warning("%s\nYou do not have access to read %s\n" % (rc[1], self.getFileContectFile())) + - exists=1 - for regex in prefix_regex: - #match a trailing (/*)? 
which is actually a bug in rpc_pipefs -@@ -272,7 +263,7 @@ - ulist = pwd.getpwall() - for u in ulist: - if u[2] >= starting_uid and \ -- not u[6] in EXCLUDE_LOGINS and \ -+ u[6] in VALID_SHELLS and \ - u[5] != "/" and \ - string.count(u[5], "/") > 1: - homedir = u[5][:string.rfind(u[5], "/")] -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule/semodule.c policycoreutils-1.27.28/semodule/semodule.c ---- nsapolicycoreutils/semodule/semodule.c 2005-11-08 20:32:51.000000000 -0500 -+++ policycoreutils-1.27.28/semodule/semodule.c 2005-11-17 11:02:35.000000000 -0500 -@@ -38,7 +38,7 @@ - static int num_commands = 0; + /* policy */ + const char *pol_name; + char *pol_path; - /* options given on command line */ --static int quiet; -+static int verbose; - static int reload; - static int no_reload; - static int build; -@@ -122,7 +122,7 @@ - printf(" -s,--store name of the store to operate on\n"); - printf(" -n,--noreload do not reload policy after commit\n"); - printf(" -h,--help print this message and quit\n"); -- printf(" -q,--quiet be quiet\n"); -+ printf(" -v,--verbose be verbose\n"); - } +- opt=getopt(argc, argv, "v"); +- if(opt == '?') { +- /* invalid option */ +- printf("\nUsage: %s [OPTION]\n\n", basename(argv[0])); +- printf(" -v Verbose check of process and file contexts.\n"); +- printf("\nWithout options, show SELinux status.\n"); +- return -1; ++ while (1) { ++ opt=getopt(argc, argv, "vb"); ++ if (opt == -1) ++ break; ++ switch (opt) { ++ case 'v': ++ verbose=1; ++ break; ++ case 'b': ++ show_bools=1; ++ break; ++ default: ++ /* invalid option */ ++ printf("\nUsage: %s [OPTION]\n\n", basename(argv[0])); ++ printf(" -v Verbose check of process and file contexts.\n"); ++ printf("\nWithout options, show SELinux status.\n"); ++ return -1; ++ } + } +- + printf_tab("SELinux status:"); + rc=is_selinux_enabled(); - /* Sets the global mode variable to new_mode, but only if no other -@@ -157,7 +157,7 @@ - {"help", 0, NULL, 'h'}, - {"install", required_argument, 
NULL, 'i'}, - {"list-modules", 0, NULL, 'l'}, -- {"quiet", 0, NULL, 'q'}, -+ {"verbose", 0, NULL, 'v'}, - {"remove", required_argument, NULL, 'r'}, - {"upgrade", required_argument, NULL, 'u'}, - {"reload", 0, NULL, 'R'}, -@@ -166,7 +166,7 @@ - {NULL, 0, NULL, 0} - }; - int i; -- quiet = 0; -+ verbose = 0; - reload = 0; - no_reload = 0; - while ((i = getopt_long(argc, argv, "s:b:hi:lqr:u:RnB", opts, NULL)) != -1) { -@@ -175,7 +175,7 @@ - case 'h': usage(argv[0]); exit(0); - case 'i': set_mode(INSTALL_M, optarg); break; - case 'l': set_mode(LIST_M, NULL); break; -- case 'q': quiet = 1; break; -+ case 'v': verbose = 1; break; - case 'r': set_mode(REMOVE_M, optarg); break; - case 'u': set_mode(UPGRADE_M,optarg); break; - case 's': set_store(optarg); break; -@@ -266,28 +266,28 @@ - } - switch (mode) { - case INSTALL_M: { -- if (!quiet) { -+ if (verbose) { - printf("Attempting to install module '%s':\n", mode_arg); - } - result = semanage_module_install(sh, data, data_len); - break; - } - case UPGRADE_M: { -- if (!quiet) { -+ if (verbose) { - printf("Attempting to upgrade module '%s':\n", mode_arg); - } - result = semanage_module_upgrade(sh, data, data_len); - break; - } - case BASE_M: { -- if (!quiet) { -+ if (verbose) { - printf("Attempting to install base module '%s':\n", mode_arg); - } - result = semanage_module_install_base(sh, data, data_len); - break; - } - case REMOVE_M: { -- if (!quiet) { -+ if (verbose) { - printf("Attempting to remove module '%s':\n", mode_arg); - } - result = semanage_module_remove(sh, mode_arg); -@@ -296,7 +296,7 @@ - case LIST_M: { - semanage_module_info_t *modinfo; - int num_modules; -- if (!quiet) { -+ if (verbose) { - printf("Attempting to list active modules:\n"); - } - if ((result = semanage_module_list(sh, &modinfo, &num_modules)) >= 0) { -@@ -328,13 +328,13 @@ - fprintf(stderr, "Failed!\n"); - goto cleanup; - } -- else if (!quiet) { -+ else if (verbose) { - printf("Ok: return value of %d.\n", result); - } - } - - if (commit) { -- if 
(!quiet) { -+ if (verbose) { - printf("Committing changes:\n"); - } - if (no_reload) { -@@ -347,7 +347,7 @@ - fprintf(stderr, "Failed!\n"); - goto cleanup; - } -- else if (commit && !quiet) { -+ else if (commit && verbose) { - printf("Ok: transaction number %d.\n", result); - } +@@ -266,32 +280,34 @@ + printf("error (%s)\n", strerror(errno)); + } + +- /* show booleans */ +- if(security_get_boolean_names(&bools,&nbool) >= 0) { +- printf("\nPolicy booleans:\n"); +- +- for( i=0 ; i COL) +- COL=strlen(bools[i])+1; +- } +- for( i=0 ; i= 0) { ++ printf("\nPolicy booleans:\n"); ++ ++ for( i=0 ; i COL) ++ COL=strlen(bools[i])+1; ++ } ++ for( i=0 ; i= %{libsepolver} libsemanage-devel >= %{libsemanagever} +BuildRequires: pam-devel libsepol-devel >= %{libsepolver} libsemanage-devel >= %{libsemanagever} PreReq: /bin/mount /bin/egrep /bin/awk /usr/bin/diff -Requires: libsepol >= %{libsepolver} libsemanage >= %{libsemanagever} +Requires: libsepol >= %{libsepolver} libsemanage >= %{libsemanagever} libselinux-python BuildRoot: %{_tmppath}/%{name}-buildroot %description @@ -61,6 +61,7 @@ rm -rf ${RPM_BUILD_ROOT} %{_sbindir}/setfiles %{_sbindir}/setsebool %{_sbindir}/semodule +%{_sbindir}/semanage %{_sbindir}/load_policy %{_sbindir}/audit2why %{_sbindir}/genhomedircon @@ -74,6 +75,7 @@ rm -rf ${RPM_BUILD_ROOT} %{_bindir}/semodule_package %{_mandir}/man8/restorecon.8.gz %{_mandir}/man8/sestatus.8.gz +%{_mandir}/man8/semanage.8.gz %{_mandir}/man8/setfiles.8.gz %{_mandir}/man8/fixfiles.8.gz %{_mandir}/man8/load_policy.8.gz @@ -89,6 +91,14 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Mon Nov 28 2005 Dan Walsh 1.27.29-3 +- Update to match NSA + * Merged audit2allow python script from Dan Walsh. + (old script moved to audit2allow.perl, will be removed later). + * Merged genhomedircon fixes from Dan Walsh. + * Merged semodule quieting patch from Dan Walsh + (inverts default, use -v to restore original behavior). + * Thu Nov 17 2005 Dan Walsh 1.27.28-3 - Audit2allow * Add more error checking 
diff --git a/sources b/sources
index d40219c..1fe3b3d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-b07eb927454989b6d4f458a70a38d357 policycoreutils-1.27.28.tgz
+6ab0e30653c286b06e12d36ea9203ac8 policycoreutils-1.27.29.tgz