* Tue Dec 20 2005 Dan Walsh <dwalsh@redhat.com> 1.29.2-5

- More fixes for chcat
Daniel J Walsh 2005-12-20 22:42:38 +00:00
parent 7e64d5bb54
commit 3646f657eb
2 changed files with 351 additions and 5 deletions


@ -1,6 +1,234 @@
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.2/scripts/chcat
--- nsapolicycoreutils/scripts/chcat 2005-12-14 14:16:50.000000000 -0500
+++ policycoreutils-1.29.2/scripts/chcat 2005-12-20 17:12:59.000000000 -0500
@@ -39,11 +39,11 @@
print("Can not modify sensitivity levels using '+' on %s" % f)
if len(clist) > 1:
- cats=clist[1].split(",")
- if cat in cats:
+ if cat in clist[1:]:
print "%s is already in %s" % (f, orig)
continue
- cats.append(cat)
+ clist.append(cat)
+ cats=clist[1:]
cats.sort()
cat_string=cats[0]
for c in cats[1:]:
@@ -73,14 +73,13 @@
continue
if len(clist) > 1:
- cats=clist[1].split(",")
- if cat not in cats:
+ if cat not in clist[1:]:
print "%s is not in %s" % (f, orig)
continue
- cats.remove(cat)
- if len(cats) > 0:
- cat=cats[0]
- for c in cats[1:]:
+ clist.remove(cat)
+ if len(clist) > 1:
+ cat=clist[1]
+ for c in clist[2:]:
cat="%s,%s" % (cat, c)
else:
cat=""
@@ -91,7 +90,7 @@
if len(cat) == 0:
cmd='chcon -l %s %s' % (sensitivity, f)
else:
- cmd='chcon -l %s:%s %s' % (sensitivity, cat, f)
+ cmd='chcon -l %s:%s %s' % (sensitivity,cat, f)
rc=commands.getstatusoutput(cmd)
if rc[0] != 0:
print rc[1]
@@ -101,18 +100,17 @@
def chcat_replace(orig, newcat, files):
errors=0
if len(newcat) == 1:
- if newcat[0][0] == "s" and newcat[0][1:].isdigit() and int(newcat[0][1:]) in range(0,16):
- sensitivity=newcat[0]
- cmd='chcon -l %s ' % newcat[0]
- else:
- cmd='chcon -l s0:%s ' % newcat[0]
+ sensitivity=newcat[0]
+ cmd='chcon -l %s ' % newcat[0]
else:
sensitivity=newcat[0]
- cat=newcat[1]
- cmd='chcon -l %s:%s ' % (sensitivity, cat)
+ cmd='chcon -l %s:%s' % (sensitivity, newcat[1])
+ for cat in newcat[2:]:
+ cmd='%s,%s' % (cmd, cat)
for f in files:
cmd = "%s %s" % (cmd, f)
+
rc=commands.getstatusoutput(cmd)
if rc[0] != 0:
print rc[1]
@@ -134,44 +132,73 @@
raise ValueError("Can not combine +/- with other types of categories")
return replace_ind
+def isSensitivity(sensitivity):
+ if sensitivity[0] == "s" and sensitivity[1:].isdigit() and int(sensitivity[1:]) in range(0,16):
+ return 1
+ else:
+ return 0
+
+def expandCats(cats):
+ newcats=[]
+ for c in cats:
+ if c.find(".") != -1:
+ c=c.split(".")
+ for i in range(int(c[0][1:]), int(c[1][1:])+1):
+ x=("c%d" % i)
+ if x not in newcats:
+ newcats.append("c%d" % i)
+ else:
+ for i in c.split(","):
+ if i not in newcats:
+ newcats.append(i)
+ return newcats
+
def translate(cats):
newcat=[]
+ if len(cats) == 0:
+ newcat.append("s0")
+ return newcat
for c in cats:
(rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c)
rlist=raw.split(":")[3:]
- if len(rlist) > 1:
- if len(newcat) == 0:
- newcat.append(rlist[0])
- else:
- if newcat[0] != rlist[0]:
- raise ValueError("Can not have multiple sensitivities")
- newcat.append(rlist[1])
- else:
- if rlist[0][0] == "s" and rlist[0][1:].isdigit() and int(rlist[0][1:]) in range(0,16):
-
- if len(newcat) == 0:
- newcat.append(rlist[0])
- else:
- if newcat[0] != rlist[0]:
- raise ValueError("Can not have multiple sensitivities")
- else:
- if len(newcat) == 0:
- newcat.append("s0")
- else:
- if newcat[0] != "s0":
- raise ValueError("Can not have multiple sensitivities")
- newcat.append(rlist[0])
-
+ tlist=[]
+ if isSensitivity(rlist[0])==0:
+ tlist.append("s0")
+ for i in expandCats(rlist):
+ tlist.append(i)
+ else:
+ tlist.append(rlist[0])
+ for i in expandCats(rlist[1:]):
+ tlist.append(i)
+ if len(newcat) == 0:
+ newcat.append(tlist[0])
+ else:
+ if newcat[0] != tlist[0]:
+ raise ValueError("Can not have multiple sensitivities")
+ for i in tlist[1:]:
+ newcat.append(i)
return newcat
def usage():
print "Usage %s CATEGORY File ..." % sys.argv[0]
print "Usage %s [[+|-]CATEGORY],...]q File ..." % sys.argv[0]
print "Usage %s -d File ..." % sys.argv[0]
+ print "Usage %s -l" % sys.argv[0]
print "Use -- to end option list. For example"
print "chcat -- -CompanyConfidential /docs/businessplan.odt."
sys.exit(1)
+def listcats():
+ fd = open(selinux.selinux_translations_path())
+ for l in fd.read().split("\n"):
+ if l.startswith("#"):
+ continue
+ if l.find("=")!=-1:
+ rec=l.split("=")
+ print "%-30s %s" % tuple(rec)
+ fd.close()
+ return 0
+
def error(msg):
print "%s: %s" % (sys.argv[0], msg)
sys.exit(1)
@@ -184,10 +211,12 @@
error("Requires an SELinux enabled system")
delete_ind=0
+ list_ind=0
try:
gopts, cmds = getopt.getopt(sys.argv[1:],
- 'dh',
- ['help',
+ 'dhl',
+ ['list',
+ 'help',
'delete'])
for o,a in gopts:
@@ -195,8 +224,10 @@
usage()
if o == "-d" or o == "--delete":
delete_ind=1
+ if o == "-l" or o == "--list":
+ list_ind=1
- if len(cmds) < 1:
+ if list_ind==0 and len(cmds) < 1:
usage()
except:
usage()
@@ -204,6 +235,8 @@
if delete_ind:
sys.exit(chcat_replace(["s0"], ["s0"], cmds))
+ if list_ind:
+ sys.exit(listcats())
if len(cmds) < 2:
usage()
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat.8 policycoreutils-1.29.2/scripts/chcat.8
--- nsapolicycoreutils/scripts/chcat.8 2005-12-08 12:52:47.000000000 -0500
+++ policycoreutils-1.29.2/scripts/chcat.8 2005-12-20 13:42:21.000000000 -0500
@@ -11,6 +11,9 @@
.B chcat
[\fI-d\fR] \fIFILE\fR...
.br
+.B chcat
+[\fI-l\fR]
+.br
.PP
Change/Remove the security CATEGORY for each FILE.
.PP
@@ -18,6 +21,9 @@
.TP
\fB\-d\fR
delete the category from each file.
+.TP
+\fB\-l\fR
+list available categories.
.SH "SEE ALSO"
.TP
chcon(1), selinux(8)
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.2/scripts/genhomedircon
--- nsapolicycoreutils/scripts/genhomedircon 2005-12-07 07:28:00.000000000 -0500
+++ policycoreutils-1.29.2/scripts/genhomedircon 2005-12-20 06:32:04.000000000 -0500
+++ policycoreutils-1.29.2/scripts/genhomedircon 2005-12-20 17:41:53.000000000 -0500
@@ -26,64 +26,73 @@
#
#
@ -145,9 +373,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po
- rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/local.users"))
- if rc[0] == 0:
- user=rc[1].split()
+ rc=findval(self.selinuxdir+self.type+"/users/system.users", 'grep "^user %s" %s' % role, "=")
+ rc=findval(self.selinuxdir+self.type+"/users/system.users", 'grep "^user %s"' % role, "=")
+ if rc == "":
+ rc=findval(self.selinuxdir+self.type+"/users/local.users", 'grep "^user %s" %s' % role, "=")
+ rc=findval(self.selinuxdir+self.type+"/users/local.users", 'grep "^user %s"' % role, "=")
+ if rc != "":
+ user=rc.split()
role = user[3]
@ -326,3 +554,118 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po
except IndexError, error:
- errorExit("IndexError")
+ errorExit("IndexError %s" % error)
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/selisteners policycoreutils-1.29.2/scripts/selisteners
--- nsapolicycoreutils/scripts/selisteners 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.29.2/scripts/selisteners 2005-12-20 09:54:52.000000000 -0500
@@ -0,0 +1,37 @@
+#! /usr/bin/env python
+# Copyright (C) 2005 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# listeners - this script finds all processes listening on a TCP or UDP Port
+# configuration entries for user home directories based on their
+# default roles and is run when building the policy. Specifically, we
+# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with
+# generic and user-specific values.
+#
+# Based off original script by Dan Walsh, <dwalsh@redhat.com>
+#
+# ASSUMPTIONS:
+#
+# The file CONTEXTDIR/files/homedir_template exists. This file is used to
+# set up the home directory context for each real user.
+#
+# If a user has more than one role, genhomedircon uses the first role in the list.
+#
+# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user
+#
+# "Real" users (as opposed to system users) are those whose UID is greater than
+# or equal STARTING_UID (usually 500) and whose login is not a member of
+# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/seusers
+# are always "real" (including root, in the default configuration).
+#
+#
+import commands, string
+import selinux
+rc=commands.getstatusoutput("netstat -aptul")
+out=rc[1].split("\n")
+for i in out:
+ x=i.split()
+ y=x[-1].split("/")
+ if len(y)==2:
+ pid=string.atoi(y[0])
+ print "%s %-40s %-10s\t%-20s\t%s" % (x[0], x[3], pid,y[1],selinux.getpidcon(pid)[1])
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/tests/chcat_test policycoreutils-1.29.2/scripts/tests/chcat_test
--- nsapolicycoreutils/scripts/tests/chcat_test 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.29.2/scripts/tests/chcat_test 2005-12-20 17:12:23.000000000 -0500
@@ -0,0 +1,43 @@
+#!/bin/sh -x
+#
+# You must copy the setrans.conf file in place before testing
+#
+chcat -l
+rm -f /tmp/chcat_test
+touch /tmp/chcat_test
+chcat -d /tmp/chcat_test
+chcat -d /tmp/chcat_test
+chcat -- -Payroll /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- +Payroll /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -Payroll /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat Payroll,Marketing /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- +Payroll /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- Payroll /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -Payroll,+Marketing /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- +Payroll,-Marketing /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -Payroll,+Marketing,+NDA_Yoyodyne /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -Marketing,-NDA_Yoyodyne /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -s0 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- s0 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- s0:c1 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- s0:c1,c2 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- s0:c1.c3 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -s0:c3 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -s0:c2,+c3 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/tests/setrans.conf policycoreutils-1.29.2/scripts/tests/setrans.conf
--- nsapolicycoreutils/scripts/tests/setrans.conf 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.29.2/scripts/tests/setrans.conf 2005-12-20 17:05:16.000000000 -0500
@@ -0,0 +1,23 @@
+#
+# Multi-Category Security translation table for SELinux
+#
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-256 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c255. Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=
+s0-s0:c0.c255=SystemLow-SystemHigh
+s0:c0.c255=SystemHigh
+s0:c0=Company_Confidential
+s0:c1=Marketing
+s0:c2=Payroll
+s0:c3=NDA_Yoyodyne
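Review bot: The new `listcats()` in the chcat hunk splits a translation line on every `=` (`rec=l.split("=")`), so any non-comment line holding more than one `=` yields a tuple longer than the two `%s` slots and the `print "%-30s %s" % tuple(rec)` raises TypeError; using `rec=l.split("=", 1)` keeps the raw context in `rec[0]` and the whole remainder as the name. On that failure path `fd.close()` is never reached, since the exception propagates out before it. Separately, the header comment of the new `selisteners` script is copied from genhomedircon (HOME_ROOT/HOME_DIR macros, seusers, STARTING_UID) and does not describe this script; replace it with a short paragraph stating that it runs `netstat -aptul` and, for each entry whose last column has a `pid/program` form, prints the first and fourth netstat columns, the pid, the program name and the process context returned by `selinux.getpidcon()`. The rewritten `chcat_replace` still appends each file name to a command string that `commands.getstatusoutput()` hands to a shell, as the pre-existing code does, so file names containing shell metacharacters are interpreted rather than passed literally.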


@ -1,10 +1,10 @@
%define libsepolver 1.11.1-1
%define libsemanagever 1.5.3-1
%define libselinuxver 1.29.2-1
%define libselinuxver 1.29.2-3
Summary: SELinux policy core utilities.
Name: policycoreutils
Version: 1.29.2
Release: 4
Release: 5
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -96,6 +96,9 @@ rm -rf ${RPM_BUILD_ROOT}
%config(noreplace) %{_sysconfdir}/sestatus.conf
%changelog
* Tue Dec 20 2005 Dan Walsh <dwalsh@redhat.com> 1.29.2-5
- More fixes for chcat
* Tue Dec 20 2005 Dan Walsh <dwalsh@redhat.com> 1.29.2-4
- Add try catch for files that may not exists