diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 1f055f2..f9d32ec 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch 
@@ -1,55 +1,485 @@ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.15/scripts/genhomedircon ---- nsapolicycoreutils/scripts/genhomedircon 2006-01-27 20:35:37.000000000 -0500 -+++ policycoreutils-1.29.15/scripts/genhomedircon 2006-01-30 11:49:16.000000000 -0500 -@@ -38,6 +38,17 @@ - except: - VALID_SHELLS = ['/bin/sh', '/bin/bash', '/bin/ash', '/bin/bsh', '/bin/ksh', '/usr/bin/ksh', '/usr/bin/pdksh', '/bin/tcsh', '/bin/csh', '/bin/zsh'] +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.18/semanage/seobject.py +--- nsapolicycoreutils/semanage/seobject.py 2006-02-02 12:08:04.000000000 -0500 ++++ policycoreutils-1.29.18/semanage/seobject.py 2006-02-03 09:57:03.000000000 -0500 +@@ -21,8 +21,11 @@ + # + # -+def grep(file, var): -+ ret="" -+ fd=open(file, 'r') +-import pwd, string, selinux, tempfile, os, re ++import pwd, string, selinux, tempfile, os, re, sys + from semanage import *; ++import audit + -+ for i in fd.read().split('\n'): -+ if re.search(var, i, 0) != None: -+ ret=i -+ break -+ fd.close() -+ return ret -+ - def findval(file, var, delim=""): - val="" - try: -@@ -87,6 +98,12 @@ - - if ret == []: - ret.append("/home") -+ -+ # Add /export/home if it exists -+ # Some customers use this for automounted homedirs -+ if os.path.exists("/export/home"): -+ ret.append("/export/home") -+ - return ret ++audit_fd=audit.audit_open() - def getSELinuxType(directory): -@@ -168,9 +185,9 @@ - return "user_r" - return name - def getOldRole(self, role): -- rc=findval(self.selinuxdir+self.type+"/users/system.users", 'grep "^user %s"' % role, "=") -+ rc=grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % role) - if rc == "": -- rc=findval(self.selinuxdir+self.type+"/users/local.users", 'grep "^user %s"' % role, "=") -+ rc=grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % role) - if rc != "": - user=rc.split() - role = user[3] -@@ -259,7 +276,7 @@ - 
return ret + def validate_level(raw): + sensitivity="s([0-9]|1[0-5])" +@@ -170,119 +173,143 @@ + if sename == "": + sename = "user_u" + +- (rc,k) = semanage_seuser_key_create(self.sh, name) +- if rc < 0: +- raise ValueError("Could not create a key for %s" % name) +- +- (rc,exists) = semanage_seuser_exists(self.sh, k) +- if rc < 0: +- raise ValueError("Could not check if login mapping for %s is defined" % name) +- if exists: +- raise ValueError("Login mapping for %s is already defined" % name) + try: +- pwd.getpwnam(name) +- except: +- raise ValueError("Linux User %s does not exist" % name) +- +- (rc,u) = semanage_seuser_create(self.sh) +- if rc < 0: +- raise ValueError("Could not create login mapping for %s" % name) ++ (rc,k) = semanage_seuser_key_create(self.sh, name) ++ if rc < 0: ++ raise ValueError("Could not create a key for %s" % name) - def genHomeDirContext(self): -- if self.semanaged and findval(self.getHomeDirTemplate(), "ROLE", "=") != "": -+ if self.semanaged and grep(self.getHomeDirTemplate(), "ROLE") != "": - warning("genhomedircon: Warning! No support yet for expanding ROLE macros in the %s file when using libsemanage." 
% self.getHomeDirTemplate()); - warning("genhomedircon: You must manually update file_contexts.homedirs for any non-user_r users (including root)."); - users = self.getUsers() +- rc = semanage_seuser_set_name(self.sh, u, name) +- if rc < 0: +- raise ValueError("Could not set name for %s" % name) ++ (rc,exists) = semanage_seuser_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError("Could not check if login mapping for %s is defined" % name) ++ if exists: ++ raise ValueError("Login mapping for %s is already defined" % name) ++ try: ++ pwd.getpwnam(name) ++ except: ++ raise ValueError("Linux User %s does not exist" % name) + +- rc = semanage_seuser_set_mlsrange(self.sh, u, serange) +- if rc < 0: +- raise ValueError("Could not set MLS range for %s" % name) ++ (rc,u) = semanage_seuser_create(self.sh) ++ if rc < 0: ++ raise ValueError("Could not create login mapping for %s" % name) + +- rc = semanage_seuser_set_sename(self.sh, u, sename) +- if rc < 0: +- raise ValueError("Could not set SELinux user for %s" % name) ++ rc = semanage_seuser_set_name(self.sh, u, name) ++ if rc < 0: ++ raise ValueError("Could not set name for %s" % name) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError("Could not start semanage transaction") ++ rc = semanage_seuser_set_mlsrange(self.sh, u, serange) ++ if rc < 0: ++ raise ValueError("Could not set MLS range for %s" % name) + +- rc = semanage_seuser_modify_local(self.sh, k, u) +- if rc < 0: +- raise ValueError("Could not add login mapping for %s" % name) ++ rc = semanage_seuser_set_sename(self.sh, u, sename) ++ if rc < 0: ++ raise ValueError("Could not set SELinux user for %s" % name) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError("Could not add login mapping for %s" % name) ++ rc = semanage_begin_transaction(self.sh) ++ if rc < 0: ++ raise ValueError("Could not start semanage transaction") + ++ rc = semanage_seuser_modify_local(self.sh, k, u) ++ if rc < 0: ++ raise ValueError("Could not add 
login mapping for %s" % name) ++ ++ rc = semanage_commit(self.sh) ++ if rc < 0: ++ raise ValueError("Could not add login mapping for %s" % name) ++ ++ except ValueError, error: ++ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0], ++ name, 0, "", "", "", 0); ++ raise error ++ ++ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"adding selinux user mapping", ++ name, 0, "", "", "", 1); + semanage_seuser_key_free(k) + semanage_seuser_free(u) + + def modify(self, name, sename = "", serange = ""): +- if sename == "" and serange == "": +- raise ValueError("Requires seuser or serange") ++ try: ++ if sename == "" and serange == "": ++ raise ValueError("Requires seuser or serange") + +- (rc,k) = semanage_seuser_key_create(self.sh, name) +- if rc < 0: +- raise ValueError("Could not create a key for %s" % name) ++ (rc,k) = semanage_seuser_key_create(self.sh, name) ++ if rc < 0: ++ raise ValueError("Could not create a key for %s" % name) + +- (rc,exists) = semanage_seuser_exists(self.sh, k) +- if rc < 0: +- raise ValueError("Could not check if login mapping for %s is defined" % name) +- if not exists: +- raise ValueError("Login mapping for %s is not defined" % name) ++ (rc,exists) = semanage_seuser_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError("Could not check if login mapping for %s is defined" % name) ++ if not exists: ++ raise ValueError("Login mapping for %s is not defined" % name) + +- (rc,u) = semanage_seuser_query(self.sh, k) +- if rc < 0: +- raise ValueError("Could not query seuser for %s" % name) ++ (rc,u) = semanage_seuser_query(self.sh, k) ++ if rc < 0: ++ raise ValueError("Could not query seuser for %s" % name) + +- if serange != "": +- semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange)) +- if sename != "": +- semanage_seuser_set_sename(self.sh, u, sename) ++ if serange != "": ++ semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange)) ++ if sename != "": ++ 
semanage_seuser_set_sename(self.sh, u, sename) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError("Could not srart semanage transaction") ++ rc = semanage_begin_transaction(self.sh) ++ if rc < 0: ++ raise ValueError("Could not srart semanage transaction") + +- rc = semanage_seuser_modify_local(self.sh, k, u) +- if rc < 0: +- raise ValueError("Could not modify login mapping for %s" % name) +- +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError("Could not modify login mapping for %s" % name) ++ rc = semanage_seuser_modify_local(self.sh, k, u) ++ if rc < 0: ++ raise ValueError("Could not modify login mapping for %s" % name) + ++ rc = semanage_commit(self.sh) ++ if rc < 0: ++ raise ValueError("Could not modify login mapping for %s" % name) ++ ++ except ValueError, error: ++ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0], ++ name, 0, "", "", "", 0); ++ raise error ++ ++ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", ++ name, 0, "", "", "", 1); + semanage_seuser_key_free(k) + semanage_seuser_free(u) + + def delete(self, name): +- (rc,k) = semanage_seuser_key_create(self.sh, name) +- if rc < 0: +- raise ValueError("Could not create a key for %s" % name) ++ try: ++ (rc,k) = semanage_seuser_key_create(self.sh, name) ++ if rc < 0: ++ raise ValueError("Could not create a key for %s" % name) + +- (rc,exists) = semanage_seuser_exists(self.sh, k) +- if rc < 0: +- raise ValueError("Could not check if login mapping for %s is defined" % name) +- if not exists: +- raise ValueError("Login mapping for %s is not defined" % name) ++ (rc,exists) = semanage_seuser_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError("Could not check if login mapping for %s is defined" % name) ++ if not exists: ++ raise ValueError("Login mapping for %s is not defined" % name) + +- (rc,exists) = semanage_seuser_exists_local(self.sh, k) +- if rc < 0: +- 
raise ValueError("Could not check if login mapping for %s is defined" % name) +- if not exists: +- raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name) ++ (rc,exists) = semanage_seuser_exists_local(self.sh, k) ++ if rc < 0: ++ raise ValueError("Could not check if login mapping for %s is defined" % name) ++ if not exists: ++ raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError("Could not start semanage transaction") ++ rc = semanage_begin_transaction(self.sh) ++ if rc < 0: ++ raise ValueError("Could not start semanage transaction") + +- rc = semanage_seuser_del_local(self.sh, k) ++ rc = semanage_seuser_del_local(self.sh, k) + +- if rc < 0: +- raise ValueError("Could not delete login mapping for %s" % name) ++ if rc < 0: ++ raise ValueError("Could not delete login mapping for %s" % name) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError("Could not delete login mapping for %s" % name) +- ++ rc = semanage_commit(self.sh) ++ if rc < 0: ++ raise ValueError("Could not delete login mapping for %s" % name) ++ ++ except ValueError, error: ++ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0], ++ name, 0, "", "", "", 0); ++ raise error ++ ++ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete selinux user mapping", ++ name, 0, "", "", "", 1); + semanage_seuser_key_free(k) + + +@@ -322,127 +349,150 @@ + else: + selevel = untranslate(selevel) + +- (rc,k) = semanage_user_key_create(self.sh, name) +- if rc < 0: +- raise ValueError("Could not create a key for %s" % name) ++ try: ++ (rc,k) = semanage_user_key_create(self.sh, name) ++ if rc < 0: ++ raise ValueError("Could not create a key for %s" % name) + +- (rc,exists) = semanage_user_exists(self.sh, k) +- if rc < 0: +- raise ValueError("Could not check if SELinux user %s is defined" % 
name) +- if exists: +- raise ValueError("SELinux user %s is already defined" % name) ++ (rc,exists) = semanage_user_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError("Could not check if SELinux user %s is defined" % name) ++ if exists: ++ raise ValueError("SELinux user %s is already defined" % name) + +- (rc,u) = semanage_user_create(self.sh) +- if rc < 0: +- raise ValueError("Could not create SELinux user for %s" % name) ++ (rc,u) = semanage_user_create(self.sh) ++ if rc < 0: ++ raise ValueError("Could not create SELinux user for %s" % name) + +- rc = semanage_user_set_name(self.sh, u, name) +- if rc < 0: +- raise ValueError("Could not set name for %s" % name) ++ rc = semanage_user_set_name(self.sh, u, name) ++ if rc < 0: ++ raise ValueError("Could not set name for %s" % name) + +- for r in roles: +- rc = semanage_user_add_role(self.sh, u, r) ++ for r in roles: ++ rc = semanage_user_add_role(self.sh, u, r) ++ if rc < 0: ++ raise ValueError("Could not add role %s for %s" % (r, name)) ++ ++ rc = semanage_user_set_mlsrange(self.sh, u, serange) + if rc < 0: +- raise ValueError("Could not add role %s for %s" % (r, name)) ++ raise ValueError("Could not set MLS range for %s" % name) + +- rc = semanage_user_set_mlsrange(self.sh, u, serange) +- if rc < 0: +- raise ValueError("Could not set MLS range for %s" % name) ++ rc = semanage_user_set_mlslevel(self.sh, u, selevel) ++ if rc < 0: ++ raise ValueError("Could not set MLS level for %s" % name) + +- rc = semanage_user_set_mlslevel(self.sh, u, selevel) +- if rc < 0: +- raise ValueError("Could not set MLS level for %s" % name) ++ (rc,key) = semanage_user_key_extract(self.sh,u) ++ if rc < 0: ++ raise ValueError("Could not extract key for %s" % name) + +- (rc,key) = semanage_user_key_extract(self.sh,u) +- if rc < 0: +- raise ValueError("Could not extract key for %s" % name) ++ rc = semanage_begin_transaction(self.sh) ++ if rc < 0: ++ raise ValueError("Could not start semanage transaction") + +- rc = 
semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError("Could not start semanage transaction") ++ rc = semanage_user_modify_local(self.sh, k, u) ++ if rc < 0: ++ raise ValueError("Could not add SELinux user %s" % name) + +- rc = semanage_user_modify_local(self.sh, k, u) +- if rc < 0: +- raise ValueError("Could not add SELinux user %s" % name) ++ rc = semanage_commit(self.sh) ++ if rc < 0: ++ raise ValueError("Could not add SELinux user %s" % name) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError("Could not add SELinux user %s" % name) ++ except ValueError, error: ++ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0], ++ name, 0, "", "", "", 0); ++ raise error + ++ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add Selinux User Record", ++ name, 0, "", "", "", 1); + semanage_user_key_free(k) + semanage_user_free(u) + + def modify(self, name, roles = [], selevel = "", serange = ""): +- if len(roles) == 0 and serange == "" and selevel == "": +- raise ValueError("Requires roles, level or range") ++ try: ++ if len(roles) == 0 and serange == "" and selevel == "": ++ raise ValueError("Requires roles, level or range") + +- (rc,k) = semanage_user_key_create(self.sh, name) +- if rc < 0: +- raise ValueError("Could not create a key for %s" % name) ++ (rc,k) = semanage_user_key_create(self.sh, name) ++ if rc < 0: ++ raise ValueError("Could not create a key for %s" % name) + +- (rc,exists) = semanage_user_exists(self.sh, k) +- if rc < 0: +- raise ValueError("Could not check if SELinux user %s is defined" % name) +- if not exists: +- raise ValueError("SELinux user %s is not defined" % name) +- +- (rc,u) = semanage_user_query(self.sh, k) +- if rc < 0: +- raise ValueError("Could not query user for %s" % name) ++ (rc,exists) = semanage_user_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError("Could not check if SELinux user %s is defined" % name) ++ if not exists: ++ 
raise ValueError("SELinux user %s is not defined" % name) + +- if serange != "": +- semanage_user_set_mlsrange(self.sh, u, untranslate(serange)) +- if selevel != "": +- semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) +- +- if len(roles) != 0: +- for r in roles: +- semanage_user_add_role(self.sh, u, r) ++ (rc,u) = semanage_user_query(self.sh, k) ++ if rc < 0: ++ raise ValueError("Could not query user for %s" % name) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError("Could not start semanage transaction") ++ if serange != "": ++ semanage_user_set_mlsrange(self.sh, u, untranslate(serange)) ++ if selevel != "": ++ semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) ++ ++ if len(roles) != 0: ++ for r in roles: ++ semanage_user_add_role(self.sh, u, r) + +- rc = semanage_user_modify_local(self.sh, k, u) +- if rc < 0: +- raise ValueError("Could not modify SELinux user %s" % name) ++ rc = semanage_begin_transaction(self.sh) ++ if rc < 0: ++ raise ValueError("Could not start semanage transaction") + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError("Could not modify SELinux user %s" % name) +- ++ rc = semanage_user_modify_local(self.sh, k, u) ++ if rc < 0: ++ raise ValueError("Could not modify SELinux user %s" % name) ++ ++ rc = semanage_commit(self.sh) ++ if rc < 0: ++ raise ValueError("Could not modify SELinux user %s" % name) ++ ++ except ValueError, error: ++ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0], ++ name, 0, "", "", "", 0); ++ raise error ++ ++ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify Selinux User Record", ++ name, 0, "", "", "", 1); + semanage_user_key_free(k) + semanage_user_free(u) + + def delete(self, name): +- (rc,k) = semanage_user_key_create(self.sh, name) +- if rc < 0: +- raise ValueError("Could not create a key for %s" % name) +- +- (rc,exists) = semanage_user_exists(self.sh, k) +- if rc < 
0: +- raise ValueError("Could not check if SELinux user %s is defined" % name) +- if not exists: +- raise ValueError("SELinux user %s is not defined" % name) ++ try: ++ (rc,k) = semanage_user_key_create(self.sh, name) ++ if rc < 0: ++ raise ValueError("Could not create a key for %s" % name) ++ ++ (rc,exists) = semanage_user_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError("Could not check if SELinux user %s is defined" % name) ++ if not exists: ++ raise ValueError("SELinux user %s is not defined" % name) + +- (rc,exists) = semanage_user_exists_local(self.sh, k) +- if rc < 0: +- raise ValueError("Could not check if SELinux user %s is defined" % name) +- if not exists: +- raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name) ++ (rc,exists) = semanage_user_exists_local(self.sh, k) ++ if rc < 0: ++ raise ValueError("Could not check if SELinux user %s is defined" % name) ++ if not exists: ++ raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError("Could not start semanage transaction") ++ rc = semanage_begin_transaction(self.sh) ++ if rc < 0: ++ raise ValueError("Could not start semanage transaction") + +- rc = semanage_user_del_local(self.sh, k) +- if rc < 0: +- raise ValueError("Could not delete SELinux user %s" % name) ++ rc = semanage_user_del_local(self.sh, k) ++ if rc < 0: ++ raise ValueError("Could not delete SELinux user %s" % name) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError("Could not delete SELinux user %s" % name) ++ rc = semanage_commit(self.sh) ++ if rc < 0: ++ raise ValueError("Could not delete SELinux user %s" % name) ++ except ValueError, error: ++ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0], ++ name, 0, "", "", "", 0); ++ raise error + ++ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"Delete Selinux User 
Record", ++ name, 0, "", "", "", 1); + semanage_user_key_free(k) + + def get_all(self): diff --git a/policycoreutils.spec b/policycoreutils.spec index 3923785..9ac648e 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -4,15 +4,15 @@ Summary: SELinux policy core utilities. Name: policycoreutils Version: 1.29.18 -Release: 1 +Release: 2 License: GPL Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz -#Patch: policycoreutils-rhat.patch +Patch: policycoreutils-rhat.patch BuildRequires: pam-devel libsepol-devel >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver} PreReq: /bin/mount /bin/egrep /bin/awk /usr/bin/diff -Requires: libsepol >= %{libsepolver} libsemanage >= %{libsemanagever} libselinux-python coreutils +Requires: libsepol >= %{libsepolver} libsemanage >= %{libsemanagever} libselinux-python coreutils audit-libs-python BuildRoot: %{_tmppath}/%{name}-buildroot %description @@ -34,7 +34,7 @@ context. %prep %setup -q -#%patch -p1 -b .rhat +%patch -p1 -b .rhat %build make LOG_AUDIT_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags}" all @@ -98,6 +98,9 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Fri Feb 3 2006 Dan Walsh 1.29.18-2 +- Add auditing to semanage + * Thu Feb 2 2006 Dan Walsh 1.29.18-1 - Update from upstream * Merged clone record on set_con patch from Ivan Gyurdiev.
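Review bot: The audit trail this hunk adds can fail silently: `audit_fd=audit.audit_open()` is stored without checking for -1 (audit disabled, no CAP_AUDIT_WRITE, no netlink socket), and none of the new `audit.audit_log_acct_message(...)` calls in `add`, `modify` and `delete` check their return value, so a login-mapping or SELinux-user change still commits with no record when the audit write fails, which defeats the purpose of the change. The failure records are also emitted only from `except ValueError, error:`, so an exception raised by `untranslate` or by the semanage bindings themselves escapes unaudited. I would route every record through one helper that checks the descriptor and the return code and raises when nothing was written, and audit on `except Exception` (using `str(error)`, since not every exception has `args[0]`) before re-raising. Note too that the failure message embeds the caller-supplied `name` in the `op` field; I believe libaudit escapes only `acct`, so a name containing spaces or `=` could forge fields in the record — worth confirming, as is whether the python binding returns -1 or 0 on a bad descriptor. All six method bodies begin before their inner hunks, so the `try:` wrapping shown here has to start at each method's first statement.
```python
audit_fd = audit.audit_open()
# audit_open() returns -1 when the audit socket cannot be opened; every
# audit_log_* call on that descriptor fails, so refuse to change records blind.

def _audit_acct(msg, name, success):
    """Emit one AUDIT_USER_ROLE_CHANGE record for `name`; raise if it was not written."""
    if audit_fd < 0:
        raise ValueError("audit subsystem unavailable, refusing unaudited change for %s" % name)
    rc = audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],
                                      msg, name, 0, "", "", "", int(success))
    if rc < 0:
        raise ValueError("could not write audit record for %s" % name)

# … unchanged: class header and the start of the login-mapping add() …
        try:
            # … unchanged: key create / exists / pwd check / set_* / transaction / commit …
        except Exception, error:
            _audit_acct(str(error), name, False)
            raise
        _audit_acct("adding selinux user mapping", name, True)
        semanage_seuser_key_free(k)
        semanage_seuser_free(u)
# … same pattern for the remaining modify/delete and SELinux-user add/modify/delete …
```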