* Fri Sep 28 2007 Dan Walsh <dwalsh@redhat.com> 2.0.27-5

- Additional checkboxes for application policy
This commit is contained in:
Daniel J Walsh 2007-10-02 20:21:53 +00:00
parent 76680e0455
commit 25ac073f85
2 changed files with 280 additions and 56 deletions


@ -937,8 +937,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py polic
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policycoreutils-2.0.27/gui/polgen.glade
--- nsapolicycoreutils/gui/polgen.glade 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.27/gui/polgen.glade 2007-09-28 15:35:53.000000000 -0400
@@ -0,0 +1,2461 @@
+++ policycoreutils-2.0.27/gui/polgen.glade 2007-10-02 16:15:50.000000000 -0400
@@ -0,0 +1,2583 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
+
@ -1071,7 +1071,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+Shell script (sh) - used to compile and install the policy. </property>
+ </widget>
+ <packing>
+ <property name="tab_expand">False</property>
+ <property name="tab_expand">True</property>
+ <property name="tab_fill">True</property>
+ </packing>
+ </child>
@ -1102,7 +1102,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GnomeDruidPageStandard" id="select_type_page">
+ <property name="visible">True</property>
+ <property name="title" translatable="yes">Select type of the application/user to be confined</property>
+ <property name="title" translatable="yes">Select type of the application/user role to be confined</property>
+ <signal name="next" handler="on_select_type_page_next" last_modification_time="Sat, 04 Aug 2007 11:39:15 GMT"/>
+
+ <child internal-child="vbox">
@ -1288,9 +1288,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GtkRadioButton" id="xwindows_login_user_radiobutton">
+ <property name="visible">True</property>
+ <property name="tooltip" translatable="yes">Select XWindows login user, if this is a user who will login to a machine via X</property>
+ <property name="tooltip" translatable="yes">Select X Windows login role, if this is a user who will login to a machine via X</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes">XWindows Login User</property>
+ <property name="label" translatable="yes">X Windows Login User Role</property>
+ <property name="use_underline">True</property>
+ <property name="relief">GTK_RELIEF_NORMAL</property>
+ <property name="focus_on_click">True</property>
@ -1309,9 +1309,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GtkRadioButton" id="terminal_login_user_radiobutton">
+ <property name="visible">True</property>
+ <property name="tooltip" translatable="yes">Select Terminal Login User, if this user will login to a machine only via a terminal or remote login</property>
+ <property name="tooltip" translatable="yes">Select Terminal Login User Role, if this user will login to a machine only via a terminal or remote login</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes">Terminal Login User</property>
+ <property name="label" translatable="yes">Terminal Login User Role</property>
+ <property name="use_underline">True</property>
+ <property name="relief">GTK_RELIEF_NORMAL</property>
+ <property name="focus_on_click">True</property>
@ -1330,9 +1330,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GtkRadioButton" id="root_user_radiobutton">
+ <property name="visible">True</property>
+ <property name="tooltip" translatable="yes">Select Root User, if this user will be used to administer the machine while running as root. This user will not be able to login to the system directly.</property>
+ <property name="tooltip" translatable="yes">Select Root Administrator User Role, if this user will be used to administer the machine while running as root. This user will not be able to login to the system directly.</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes">Root User</property>
+ <property name="label" translatable="yes">Root Administrator User Role</property>
+ <property name="use_underline">True</property>
+ <property name="relief">GTK_RELIEF_NORMAL</property>
+ <property name="focus_on_click">True</property>
@ -1423,7 +1423,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GnomeDruidPageStandard" id="app_page">
+ <property name="visible">True</property>
+ <property name="title" translatable="yes">Enter name of application/user to be confined</property>
+ <property name="title" translatable="yes">Enter name of application or user role to be confined</property>
+
+ <child internal-child="vbox">
+ <widget class="GtkVBox" id="druid-vbox5">
@ -1514,7 +1514,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GtkEntry" id="name_entry">
+ <property name="visible">True</property>
+ <property name="tooltip" translatable="yes">Enter unique type name for the confined user or application.</property>
+ <property name="tooltip" translatable="yes">Enter unique name for the confined application or user role.</property>
+ <property name="can_focus">True</property>
+ <property name="editable">True</property>
+ <property name="visibility">True</property>
@ -1672,7 +1672,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GnomeDruidPageStandard" id="transition_page">
+ <property name="visible">True</property>
+ <property name="title" translatable="yes">Select additional domains to which this user will transition</property>
+ <property name="title" translatable="yes">Select additional domains to which this user role will transition</property>
+
+ <child internal-child="vbox">
+ <widget class="GtkVBox" id="vbox13">
@ -1693,7 +1693,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GtkTreeView" id="transition_treeview">
+ <property name="visible">True</property>
+ <property name="tooltip" translatable="yes">Select the applications domains that you would like this user to transition to.</property>
+ <property name="tooltip" translatable="yes">Select the applications domains that you would like this user role to transition to.</property>
+ <property name="can_focus">True</property>
+ <property name="headers_visible">False</property>
+ <property name="rules_hint">False</property>
@ -1746,7 +1746,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GnomeDruidPageStandard" id="user_transition_page">
+ <property name="visible">True</property>
+ <property name="title" translatable="yes">Select user types that will transition to this domain</property>
+ <property name="title" translatable="yes">Select user roles that will transition to this domain</property>
+
+ <child internal-child="vbox">
+ <widget class="GtkVBox" id="vbox13">
@ -1767,7 +1767,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GtkTreeView" id="user_transition_treeview">
+ <property name="visible">True</property>
+ <property name="tooltip" translatable="yes">Select the user types that will transiton to this applications domains.</property>
+ <property name="tooltip" translatable="yes">Select the user roles that will transiton to this applications domains.</property>
+ <property name="can_focus">True</property>
+ <property name="headers_visible">False</property>
+ <property name="rules_hint">False</property>
@ -1820,7 +1820,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GnomeDruidPageStandard" id="admin_page">
+ <property name="visible">True</property>
+ <property name="title" translatable="yes">Select additional domains that this user will administer</property>
+ <property name="title" translatable="yes">Select additional domains that this user role will administer</property>
+
+ <child internal-child="vbox">
+ <widget class="GtkVBox" id="vbox13">
@ -1968,7 +1968,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GnomeDruidPageStandard" id="in_net_page">
+ <property name="visible">True</property>
+ <property name="title" translatable="yes">Enter network ports that application/user listens to</property>
+ <property name="title" translatable="yes">Enter network ports that application/user role listens to</property>
+
+ <child internal-child="vbox">
+ <widget class="GtkVBox" id="druid-vbox6">
@ -2011,7 +2011,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GtkCheckButton" id="in_tcp_all_checkbutton">
+ <property name="visible">True</property>
+ <property name="tooltip" translatable="yes">Allows confined application/user to bind to any tcp port</property>
+ <property name="tooltip" translatable="yes">Allows confined application/user role to bind to any tcp port</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes">All</property>
+ <property name="use_underline">True</property>
@ -2051,7 +2051,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GtkCheckButton" id="in_tcp_unreserved_checkbutton">
+ <property name="visible">True</property>
+ <property name="tooltip" translatable="yes">Allow application/user to bind to any tcp ports &gt; 1024</property>
+ <property name="tooltip" translatable="yes">Allow application/user role to bind to any tcp ports &gt; 1024</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes">Unreserved Ports (&gt; 1024)</property>
+ <property name="use_underline">True</property>
@ -2109,7 +2109,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GtkEntry" id="in_tcp_entry">
+ <property name="visible">True</property>
+ <property name="tooltip" translatable="yes">Enter a comma separated list of tcp ports or ranges of ports that application/user binds to. Example: 612, 650-660</property>
+ <property name="tooltip" translatable="yes">Enter a comma separated list of tcp ports or ranges of ports that application/user role binds to. Example: 612, 650-660</property>
+ <property name="can_focus">True</property>
+ <property name="editable">True</property>
+ <property name="visibility">True</property>
@ -2201,7 +2201,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GtkCheckButton" id="in_udp_all_checkbutton">
+ <property name="visible">True</property>
+ <property name="tooltip" translatable="yes">Allows confined application/user to bind to any udp port</property>
+ <property name="tooltip" translatable="yes">Allows confined application/user role to bind to any udp port</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes">All</property>
+ <property name="use_underline">True</property>
@ -2221,7 +2221,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GtkCheckButton" id="in_udp_reserved_checkbutton">
+ <property name="visible">True</property>
+ <property name="tooltip" translatable="yes">Allow application/user to call bindresvport with 0. Binding to port 600-1024</property>
+ <property name="tooltip" translatable="yes">Allow application/user role to call bindresvport with 0. Binding to port 600-1024</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes">600-1024</property>
+ <property name="use_underline">True</property>
@ -2241,7 +2241,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GtkCheckButton" id="in_udp_unreserved_checkbutton">
+ <property name="visible">True</property>
+ <property name="tooltip" translatable="yes">Enter a comma separated list of udp ports or ranges of ports that application/user binds to. Example: 612, 650-660</property>
+ <property name="tooltip" translatable="yes">Enter a comma separated list of udp ports or ranges of ports that application/user role binds to. Example: 612, 650-660</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes">Unreserved Ports (&gt;1024)</property>
+ <property name="use_underline">True</property>
@ -2299,7 +2299,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GtkEntry" id="in_udp_entry">
+ <property name="visible">True</property>
+ <property name="tooltip" translatable="yes">Allows application/user to bind to any udp ports &gt; 1024</property>
+ <property name="tooltip" translatable="yes">Allows application/user role to bind to any udp ports &gt; 1024</property>
+ <property name="can_focus">True</property>
+ <property name="editable">True</property>
+ <property name="visibility">True</property>
@ -2391,8 +2391,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GnomeDruidPageStandard" id="out_net_page">
+ <property name="visible">True</property>
+ <property name="tooltip" translatable="yes">Enter a comma separated list of tcp ports that application/user connects to. </property>
+ <property name="title" translatable="yes"></property>
+ <property name="title" translatable="yes">Enter network ports that application/user role connects to</property>
+
+ <child internal-child="vbox">
+ <widget class="GtkVBox" id="druid-vbox7">
@ -2491,7 +2490,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GtkEntry" id="out_tcp_entry">
+ <property name="visible">True</property>
+ <property name="tooltip" translatable="yes">Enter a comma separated list of tcp ports or ranges of ports that application/user connects to. Example: 612, 650-660</property>
+ <property name="tooltip" translatable="yes">Enter a comma separated list of tcp ports or ranges of ports that application/user role connects to. Example: 612, 650-660</property>
+ <property name="can_focus">True</property>
+ <property name="editable">True</property>
+ <property name="visibility">True</property>
@ -2623,7 +2622,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GtkEntry" id="out_udp_entry">
+ <property name="visible">True</property>
+ <property name="tooltip" translatable="yes">Enter a comma separated list of udp ports or ranges of ports that application/user connects to. Example: 612, 650-660</property>
+ <property name="tooltip" translatable="yes">Enter a comma separated list of udp ports or ranges of ports that application/user role connects to. Example: 612, 650-660</property>
+ <property name="can_focus">True</property>
+ <property name="editable">True</property>
+ <property name="visibility">True</property>
@ -2727,7 +2726,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <widget class="GtkCheckButton" id="syslog_checkbutton">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes">Application uses syslog to log messages </property>
+ <property name="label" translatable="yes">Writes syslog messages </property>
+ <property name="use_underline">True</property>
+ <property name="relief">GTK_RELIEF_NORMAL</property>
+ <property name="focus_on_click">True</property>
@ -2746,7 +2745,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <widget class="GtkCheckButton" id="tmp_checkbutton">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes">Application uses /tmp to Create/Manipulate temporary files</property>
+ <property name="label" translatable="yes">Create/Manipulate temporary files in /tmp</property>
+ <property name="use_underline">True</property>
+ <property name="relief">GTK_RELIEF_NORMAL</property>
+ <property name="focus_on_click">True</property>
@ -2765,7 +2764,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <widget class="GtkCheckButton" id="pam_checkbutton">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes">Application uses Pam for authentication</property>
+ <property name="label" translatable="yes">Uses Pam for authentication</property>
+ <property name="use_underline">True</property>
+ <property name="relief">GTK_RELIEF_NORMAL</property>
+ <property name="focus_on_click">True</property>
@ -2784,7 +2783,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <widget class="GtkCheckButton" id="uid_checkbutton">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes">Application uses nsswitch or translates UID's (daemons that run as non root)</property>
+ <property name="label" translatable="yes">Uses nsswitch or getpw* calls</property>
+ <property name="use_underline">True</property>
+ <property name="relief">GTK_RELIEF_NORMAL</property>
+ <property name="focus_on_click">True</property>
@ -2798,6 +2797,83 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <property name="fill">False</property>
+ </packing>
+ </child>
+
+ <child>
+ <widget class="GtkCheckButton" id="dbus_checkbutton">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes">Uses dbus</property>
+ <property name="use_underline">True</property>
+ <property name="relief">GTK_RELIEF_NORMAL</property>
+ <property name="focus_on_click">True</property>
+ <property name="active">False</property>
+ <property name="inconsistent">False</property>
+ <property name="draw_indicator">True</property>
+ </widget>
+ <packing>
+ <property name="padding">0</property>
+ <property name="expand">False</property>
+ <property name="fill">False</property>
+ </packing>
+ </child>
+
+ <child>
+ <widget class="GtkCheckButton" id="audit_checkbutton">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes">Sends audit messages</property>
+ <property name="use_underline">True</property>
+ <property name="relief">GTK_RELIEF_NORMAL</property>
+ <property name="focus_on_click">True</property>
+ <property name="active">False</property>
+ <property name="inconsistent">False</property>
+ <property name="draw_indicator">True</property>
+ </widget>
+ <packing>
+ <property name="padding">0</property>
+ <property name="expand">False</property>
+ <property name="fill">False</property>
+ </packing>
+ </child>
+
+ <child>
+ <widget class="GtkCheckButton" id="terminal_checkbutton">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes">Interacts with the terminal</property>
+ <property name="use_underline">True</property>
+ <property name="relief">GTK_RELIEF_NORMAL</property>
+ <property name="focus_on_click">True</property>
+ <property name="active">False</property>
+ <property name="inconsistent">False</property>
+ <property name="draw_indicator">True</property>
+ </widget>
+ <packing>
+ <property name="padding">0</property>
+ <property name="expand">False</property>
+ <property name="fill">False</property>
+ </packing>
+ </child>
+
+ <child>
+ <widget class="GtkCheckButton" id="sendmail_checkbutton">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes">Sends email</property>
+ <property name="use_underline">True</property>
+ <property name="relief">GTK_RELIEF_NORMAL</property>
+ <property name="focus_on_click">True</property>
+ <property name="active">False</property>
+ <property name="inconsistent">False</property>
+ <property name="draw_indicator">True</property>
+ </widget>
+ <packing>
+ <property name="padding">0</property>
+ <property name="expand">False</property>
+ <property name="fill">False</property>
+ </packing>
+ </child>
+
+ </widget>
+ <packing>
+ <property name="padding">0</property>
@ -3284,12 +3360,58 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ </child>
+
+ <child>
+ <widget class="GnomeDruidPageEdge" id="role_finish_page">
+ <property name="visible">True</property>
+ <property name="position">GNOME_EDGE_FINISH</property>
+ <property name="title" translatable="yes">Generated Policy Files</property>
+ <property name="text" translatable="yes">This tool will generate the following:
+Type Enforcement(te), File Context(fc), Interface(if), Shell Script(sh)
+Execute shell script to compile/install and relabel files/directories.
+Use semanage or useradd to map Linux login users to user roles.
+Put the machine in permissive mode (setenforce 0).
+Login as the user and test this user role.
+Use audit2allow -R to generate additional rules for the te file.
+</property>
+ </widget>
+ <packing>
+ <property name="tab_expand">True</property>
+ <property name="tab_fill">True</property>
+ </packing>
+ </child>
+
+ <child>
+ <widget class="GtkLabel" id="label46">
+ <property name="visible">True</property>
+ <property name="label" translatable="yes"></property>
+ <property name="use_underline">False</property>
+ <property name="use_markup">False</property>
+ <property name="justify">GTK_JUSTIFY_LEFT</property>
+ <property name="wrap">False</property>
+ <property name="selectable">False</property>
+ <property name="xalign">0.5</property>
+ <property name="yalign">0.5</property>
+ <property name="xpad">0</property>
+ <property name="ypad">0</property>
+ <property name="ellipsize">PANGO_ELLIPSIZE_NONE</property>
+ <property name="width_chars">-1</property>
+ <property name="single_line_mode">False</property>
+ <property name="angle">0</property>
+ </widget>
+ <packing>
+ <property name="type">tab</property>
+ </packing>
+ </child>
+
+ <child>
+ <widget class="GnomeDruidPageEdge" id="finish_page">
+ <property name="visible">True</property>
+ <property name="position">GNOME_EDGE_FINISH</property>
+ <property name="title" translatable="yes">Generated Policy Files</property>
+ <property name="text" translatable="yes">This tool will generate the following: Type Enforcement(te), File Context(fc), Interface(if), Shell Script(sh).
+Execute shell script to compile/install and relabel files/directories. Now you can put the machine in permissive mode (setenforce 0).
+ <property name="text" translatable="yes">This tool will generate the following:
+Type Enforcement(te), File Context(fc), Interface(if), Shell Script(sh)
+
+Execute shell script to compile/install and relabel files/directories.
+Put the machine in permissive mode (setenforce 0).
+Run/restart the application to generate avc messages.
+Use audit2allow -R to generate additional rules for the te file.
+</property>
@ -3402,8 +3524,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+</glade-interface>
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policycoreutils-2.0.27/gui/polgengui.py
--- nsapolicycoreutils/gui/polgengui.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.27/gui/polgengui.py 2007-09-28 15:36:01.000000000 -0400
@@ -0,0 +1,495 @@
+++ policycoreutils-2.0.27/gui/polgengui.py 2007-10-02 16:15:59.000000000 -0400
@@ -0,0 +1,496 @@
+#!/usr/bin/python
+#
+# system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux
@ -3491,7 +3613,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc
+ COMMON_APPS_PAGE = 9
+ FILES_PAGE = 10
+ GEN_POLICY_PAGE = 11
+ FINISH_PAGE = 12
+ GEN_USER_POLICY_PAGE = 12
+ FINISH_PAGE = 13
+
+ def __init__(self):
+ self.xml = xml
@ -3510,8 +3633,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc
+ self.notebook = xml.get_widget ("notebook1")
+ self.pages={}
+ for i in polgen.USERS:
+ self.pages[i] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.TRANSITION_PAGE, self.ROLE_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.GEN_POLICY_PAGE, self.FINISH_PAGE]
+ self.pages[polgen.RUSER] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.ADMIN_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.GEN_POLICY_PAGE, self.FINISH_PAGE]
+ self.pages[i] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.TRANSITION_PAGE, self.ROLE_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.GEN_USER_POLICY_PAGE, self.FINISH_PAGE]
+ self.pages[polgen.RUSER] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.ADMIN_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.GEN_USER_POLICY_PAGE, self.FINISH_PAGE]
+ for i in polgen.APPLICATIONS:
+ self.pages[i] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.COMMON_APPS_PAGE, self.FILES_PAGE,self.GEN_POLICY_PAGE, self.FINISH_PAGE ]
+ self.pages[polgen.USER] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.USER_TRANSITION_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.COMMON_APPS_PAGE, self.FILES_PAGE,self.GEN_POLICY_PAGE, self.FINISH_PAGE ]
@ -3901,8 +4024,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc
+ app.stand_alone()
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.27/gui/polgen.py
--- nsapolicycoreutils/gui/polgen.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.27/gui/polgen.py 2007-09-28 15:36:04.000000000 -0400
@@ -0,0 +1,759 @@
+++ policycoreutils-2.0.27/gui/polgen.py 2007-10-02 16:15:54.000000000 -0400
@@ -0,0 +1,808 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
@ -4057,8 +4180,12 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ self.out_udp = [False, False, False, []]
+ self.use_tmp = False
+ self.use_uid = False
+ self.use_pam = False
+ self.use_syslog = False
+ self.use_pam = False
+ self.use_dbus = False
+ self.use_audit = False
+ self.use_terminal = False
+ self.use_mail = False
+ self.files = {}
+ self.dirs = {}
+ self.found_tcp_ports=[]
@ -4144,6 +4271,18 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ def set_use_pam(self, val):
+ self.use_pam = val == True
+
+ def set_use_dbus(self, val):
+ self.use_dbus = val == True
+
+ def set_use_audit(self, val):
+ self.use_audit = val == True
+
+ def set_use_terminal(self, val):
+ self.use_terminal = val == True
+
+ def set_use_mail(self, val):
+ self.use_mail = val == True
+
+ def set_use_tmp(self, val):
+ if self.type not in APPLICATIONS:
+ raise ValueError(_("USER Types autoomatically get a tmp type"))
@ -4174,6 +4313,24 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ newte = re.sub("TEMPLATETYPE", self.name, executable.te_pam_rules)
+ return newte
+
+ def generate_audit_rules(self):
+ newte =""
+ if self.use_audit:
+ newte = re.sub("TEMPLATETYPE", self.name, executable.te_audit_rules)
+ return newte
+
+ def generate_dbus_rules(self):
+ newte =""
+ if self.use_dbus:
+ newte = re.sub("TEMPLATETYPE", self.name, executable.te_dbus_rules)
+ return newte
+
+ def generate_mail_rules(self):
+ newte =""
+ if self.use_mail:
+ newte = re.sub("TEMPLATETYPE", self.name, executable.te_mail_rules)
+ return newte
+
+ def generate_network_action(self, protocol, action, port_name):
+ line = ""
+ method = "corenet_%s_%s_%s" % (protocol, action, port_name)
@ -4408,6 +4565,13 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+
+ return newif
+
+ def generate_terminal_if(self):
+ newif =""
+ if self.use_terminal:
+ newif = re.sub("TEMPLATETYPE", self.name, executable.if_terminal_rules)
+ return newif
+
+
+ def generate_if(self):
+ newif = ""
+ if self.program != "":
@ -4424,6 +4588,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ break
+ newif += self.generate_user_if()
+ newif += self.generate_admin_if()
+ newif += self.generate_terminal_if()
+
+ return newif
+
@ -4469,6 +4634,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ newte += self.generate_uid_rules()
+ newte += self.generate_syslog_rules()
+ newte += self.generate_pam_rules()
+ newte += self.generate_dbus_rules()
+ newte += self.generate_audit_rules()
+ newte += self.generate_mail_rules()
+ newte += self.generate_roles_rules()
+ newte += self.generate_transition_rules()
+ newte += self.generate_admin_rules()
@ -4638,6 +4806,13 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ mypolicy.add_dir("/var/lib/daemon")
+ mypolicy.add_dir("/etc/daemon")
+ mypolicy.add_dir("/etc/daemon/special")
+ mypolicy.set_use_uid(True)
+ mypolicy.set_use_syslog(True)
+ mypolicy.set_use_pam(True)
+ mypolicy.set_use_audit(True)
+ mypolicy.set_use_dbus(True)
+ mypolicy.set_use_terminal(True)
+ mypolicy.set_use_mail(True)
+ mypolicy.set_out_tcp(0,"8000")
+ print mypolicy.generate("/var/tmp")
+
@ -4649,9 +4824,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ mypolicy = policy("myxuser", XUSER)
+ mypolicy.set_in_tcp(1, 1, 1, "28920")
+ mypolicy.set_in_udp(0, 0, 1, "1513")
+ mypolicy.set_use_uid(True)
+ mypolicy.set_use_syslog(True)
+ mypolicy.set_use_pam(True)
+ mypolicy.set_transition_domains(["mozilla"])
+ print mypolicy.generate("/var/tmp")
+
@ -9114,8 +9286,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinu
+ app.stand_alone()
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.27/gui/templates/executable.py
--- nsapolicycoreutils/gui/templates/executable.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.27/gui/templates/executable.py 2007-09-28 15:36:45.000000000 -0400
@@ -0,0 +1,291 @@
+++ policycoreutils-2.0.27/gui/templates/executable.py 2007-10-02 16:16:31.000000000 -0400
@@ -0,0 +1,342 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
@ -9260,6 +9432,23 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
+auth_domtrans_chk_passwd(TEMPLATETYPE_t)
+"""
+
+te_mail_rules="""
+mta_send_mail(TEMPLATETYPE_t)
+"""
+
+te_dbus_rules="""
+optional_policy(`
+ allow TEMPLATETYPE_t self:dbus send_msg;
+ dbus_system_bus_client_template(TEMPLATETYPE,TEMPLATETYPE_t)
+ dbus_connect_system_bus(TEMPLATETYPE_t)
+ dbus_send_system_bus(TEMPLATETYPE_t)
+')
+"""
+
+te_audit_rules="""
+logging_send_audit_msgs(TEMPLATETYPE_t)
+"""
+
+te_userapp_trans_rules="""
+optional_policy(`
+ gen_require(`
@ -9298,6 +9487,40 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
+
+"""
+
+if_terminal_rules="""
+########################################
+## <summary>
+## Execute TEMPLATETYPE programs in the TEMPLATETYPE domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the TEMPLATETYPE domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the TEMPLATETYPE domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`TEMPLATETYPE_run',`
+ gen_require(`
+ type TEMPLATETYPE_t;
+ ')
+
+ TEMPLATETYPE_domtrans($1)
+ role $2 types TEMPLATETYPE_t;
+ allow TEMPLATETYPE_t $3:chr_file rw_term_perms;
+')
+
+"""
+
+if_user_program_rules="""
+########################################
+## <summary>
@ -9386,7 +9609,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
+"""
+
+if_initscript_admin="""
+ # Allow $1 to restart the apache service
+ # Allow TEMPLATETYPE_t to restart the apache service
+ TEMPLATETYPE_script_domtrans($2)
+ domain_system_change_exemption($2)
+ role_transition $3 TEMPLATETYPE_script_exec_t system_r;
@ -9847,8 +10070,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py pol
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.27/gui/templates/user.py
--- nsapolicycoreutils/gui/templates/user.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.27/gui/templates/user.py 2007-09-27 11:20:32.000000000 -0400
@@ -0,0 +1,139 @@
+++ policycoreutils-2.0.27/gui/templates/user.py 2007-10-02 16:16:50.000000000 -0400
@@ -0,0 +1,137 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
@ -9986,8 +10209,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po
+te_newrole_rules="""
+seutil_run_newrole(TEMPLATETYPE_t,TEMPLATETYPE_r,{ TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t })
+"""
+
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.27/gui/templates/var_lib.py
--- nsapolicycoreutils/gui/templates/var_lib.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.27/gui/templates/var_lib.py 2007-09-27 11:20:32.000000000 -0400
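Review bot: The new generate_audit_rules, generate_dbus_rules, generate_mail_rules and generate_terminal_if methods in polgen.py pass `self.name` as the replacement argument of `re.sub("TEMPLATETYPE", self.name, ...)`, so backslash sequences in the name (for example `\1`) are interpreted as group references rather than copied literally, and a name typed into the glade `name_entry` can raise re.error or corrupt the generated .te/.if text. Because the token being replaced is fixed, a plain string substitution such as `executable.te_dbus_rules.replace("TEMPLATETYPE", self.name)` gives the literal behaviour these templates expect; whether the name is validated as an SELinux identifier before it reaches these methods is outside the hunks shown. The pre-existing generate_pam_rules directly above them uses the same pattern, so the fix should cover that method as well. Separately, in polgen.glade the tooltips on in_udp_unreserved_checkbutton and in_udp_entry appear swapped (the checkbutton describes a comma-separated port list while the entry describes binding to udp ports > 1024), and the commit rewords both without correcting which widget each belongs to.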


@ -6,7 +6,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.27
Release: 4%{?dist}
Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -199,6 +199,9 @@ if [ "$1" -ge "1" ]; then
fi
%changelog
* Fri Sep 28 2007 Dan Walsh <dwalsh@redhat.com> 2.0.27-5
- Additional checkboxes for application policy
* Fri Sep 28 2007 Dan Walsh <dwalsh@redhat.com> 2.0.27-4
- Allow policy writer to select user types to transition to there users