From 4c107ae3b83728ed61c73e1077998cf8b5020576 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 10 Feb 2006 17:04:04 +0000 Subject: [PATCH] * Tue Feb 07 2006 Dan Walsh 1.29.20-2 - Fix auditing to semanage - Change genhomedircon to use new prefix interface in libselinux --- policycoreutils-rhat.patch | 277 +++++++++++++++++++++++++++---------- policycoreutils.spec | 11 +- 2 files changed, 211 insertions(+), 77 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 73446c8..b449d5b 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch 
@@ -1,7 +1,27 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.20/scripts/genhomedircon --- nsapolicycoreutils/scripts/genhomedircon 2006-01-30 18:32:39.000000000 -0500 -+++ policycoreutils-1.29.20/scripts/genhomedircon 2006-02-07 10:36:38.000000000 -0500 -@@ -170,7 +170,7 @@ ++++ policycoreutils-1.29.20/scripts/genhomedircon 2006-02-09 10:27:15.000000000 -0500 +@@ -4,7 +4,7 @@ + # + # genhomedircon - this script is used to generate file context + # configuration entries for user home directories based on their +-# default roles and is run when building the policy. Specifically, we ++# default prefixes and is run when building the policy. Specifically, we + # replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with + # generic and user-specific values. + # +@@ -15,9 +15,7 @@ + # The file CONTEXTDIR/files/homedir_template exists. This file is used to + # set up the home directory context for each real user. + # +-# If a user has more than one role, genhomedircon uses the first role in the list. +-# +-# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user ++# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, prefix user + # + # "Real" users (as opposed to system users) are those whose UID is greater than + # or equal STARTING_UID (usually 500) and whose login is not a member of +@@ -170,37 +168,34 @@ def heading(self): ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0] if self.semanaged: 
@@ -10,18 +30,130 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po else: ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers") return ret -@@ -196,7 +196,7 @@ - return role + +- def defaultrole(self, name): ++ def get_default_prefix(self, name): + for idx in range(self.usize): + user = semanage_user_by_idx(self.ulist, idx) + if semanage_user_get_name(user) == name: +- if name == "staff_u" or name == "root" and self.type != "targeted": +- return "staff_r" +- else: +- return "user_r" ++ return semanage_user_get_prefix(user) + return name +- def getOldRole(self, role): +- rc=grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % role) ++ def get_old_prefix(self, user): ++ rc=grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % user) + if rc == "": +- rc=grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % role) ++ rc=grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % user) + if rc != "": + user=rc.split() +- role = user[3] +- if role == "{": +- role = user[4] +- return role ++ prefix = user[3] ++ if prefix == "{": ++ prefix = user[4] ++ if len(prefix) > 2 and (prefix[-2:] == "_r" or prefix[-2:] == "_u"): ++ prefix = prefix[:-2] ++ return prefix - def adduser(self, udict, user, seuser, role): +- def adduser(self, udict, user, seuser, role): - if seuser == "user_u" or user == "__default__": ++ def adduser(self, udict, user, seuser, prefix): + if seuser == "user_u" or user == "__default__" or user == "system_u": return - # !!! chooses first role in the list to use in the file context !!! - if role[-2:] == "_r" or role[-2:] == "_u": +- # !!! chooses first role in the list to use in the file context !!! +- if role[-2:] == "_r" or role[-2:] == "_u": +- role = role[:-2] ++ # !!! chooses first prefix in the list to use in the file context !!! 
+ try: + home = pwd.getpwnam(user)[5] + if home == "/": +@@ -217,7 +212,7 @@ + return + prefs = {} + prefs["seuser"] = seuser +- prefs["role"] = role ++ prefs["prefix"] = prefix + prefs["home"] = home + udict[user] = prefs + +@@ -229,7 +224,7 @@ + user=[] + seuser = semanage_seuser_by_idx(list, idx) + seusername=semanage_seuser_get_sename(seuser) +- self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.defaultrole(seusername)) ++ self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.get_default_prefix(seusername)) + + else: + try: +@@ -242,8 +237,8 @@ + if len(user) < 2: + continue + +- role=self.getOldRole(user[1]) +- self.adduser(udict, user[0], user[1], role) ++ prefix=self.get_old_prefix(user[1]) ++ self.adduser(udict, user[0], user[1], prefix) + fd.close() + except IOError, error: + # Must be install so force add of root +@@ -251,40 +246,37 @@ + + return udict + +- def getHomeDirContext(self, user, seuser, home, role): ++ def getHomeDirContext(self, user, seuser, home, prefix): + ret="\n\n#\n# Home Context for user %s\n#\n\n" % user + fd=open(self.getHomeDirTemplate(), 'r') + for i in fd.read().split('\n'): + if i.startswith("HOME_DIR") == 1: + i=i.replace("HOME_DIR", home) +- i=i.replace("ROLE", role) ++ i=i.replace("ROLE", prefix) + i=i.replace("system_u", seuser) + ret = ret+i+"\n" + fd.close() + return ret + +- def getUserContext(self, user, sel_user, role): ++ def getUserContext(self, user, sel_user, prefix): + ret="" + fd=open(self.getHomeDirTemplate(), 'r') + for i in fd.read().split('\n'): + if i.find("USER") == 1: + i=i.replace("USER", user) +- i=i.replace("ROLE", role) ++ i=i.replace("ROLE", prefix) + i=i.replace("system_u", sel_user) + ret=ret+i+"\n" + fd.close() + return ret + + def genHomeDirContext(self): +- if self.semanaged and grep(self.getHomeDirTemplate(), "ROLE") != "": +- warning("genhomedircon: Warning! No support yet for expanding ROLE macros in the %s file when using libsemanage." 
% self.getHomeDirTemplate()); +- warning("genhomedircon: You must manually update file_contexts.homedirs for any non-user_r users (including root)."); + users = self.getUsers() + ret="" +- # Fill in HOME and ROLE for users that are defined ++ # Fill in HOME and prefix for users that are defined + for u in users.keys(): +- ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["role"]) +- ret += self.getUserContext (u, users[u]["seuser"], users[u]["role"]) ++ ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["prefix"]) ++ ret += self.getUserContext (u, users[u]["seuser"], users[u]["prefix"]) + return ret+"\n" + + def checkExists(self, home): diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.20/semanage/seobject.py --- nsapolicycoreutils/semanage/seobject.py 2006-02-02 12:08:04.000000000 -0500 -+++ policycoreutils-1.29.20/semanage/seobject.py 2006-02-07 10:35:46.000000000 -0500 ++++ policycoreutils-1.29.20/semanage/seobject.py 2006-02-10 11:48:59.000000000 -0500 @@ -21,8 +21,11 @@ # # @@ -35,7 +167,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol def validate_level(raw): sensitivity="s([0-9]|1[0-5])" -@@ -170,119 +173,143 @@ +@@ -170,119 +173,145 @@ if sename == "": sename = "user_u" 
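Review bot: get_default_prefix falls through to `return name` when no semanage user record matches, and since the `_u`/`_r` stripping has moved out of adduser into get_old_prefix only, that fallback now hands a raw seuser name such as `staff_u` to the ROLE substitution in getHomeDirContext and getUserContext, so the libsemanage path and the system.users/local.users path no longer normalise the same way. Apply the same rule before the fallback: `if len(name) > 2 and name[-2:] in ("_u", "_r"): name = name[:-2]` followed by `return name`. The retained comment in adduser, `# !!! chooses first prefix in the list to use in the file context !!!`, is stale as well: the function now receives a single prefix and chooses nothing, so the line should be dropped or replaced with `# prefix comes from semanage_user_get_prefix or the users/*.users fallback`. The hunk opens inside heading(), whose start lies in the previous hunk.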
@@ -117,18 +249,18 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol + raise ValueError("Could not add login mapping for %s" % name) + + except ValueError, error: -+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0], -+ name, 0, "", "", "", 0); ++ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 0); + raise error + -+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"adding selinux user mapping", -+ name, 0, "", "", "", 1); ++ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 1); semanage_seuser_key_free(k) semanage_seuser_free(u) def modify(self, name, sename = "", serange = ""): - if sename == "" and serange == "": - raise ValueError("Requires seuser or serange") ++ oldsename="" ++ oldserange="" + try: + if sename == "" and serange == "": + raise ValueError("Requires seuser or serange") @@ -162,10 +294,16 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol - semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange)) - if sename != "": - semanage_seuser_set_sename(self.sh, u, sename) ++ oldserange=semanage_seuser_get_mlsrange(u) ++ oldsename=semanage_seuser_get_sename(u) + if serange != "": + semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange)) ++ else: ++ serange=oldserange + if sename != "": + semanage_seuser_set_sename(self.sh, u, sename) ++ else: ++ sename=oldsename - rc = semanage_begin_transaction(self.sh) - if rc < 0: 
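Review bot: The new `else: serange=oldserange` and `else: sename=oldsename` branches in the seuser modify() hunk read as dead assignments, because nothing in the hunk uses either variable after the semanage_seuser_set_* calls; presumably they exist so the audit record emitted later reports the effective mapping rather than an empty string. A one-line comment above the first branch would save the next reader the search: `# keep the effective values; they are reported in the audit record below`. Separately, if semanage_seuser_get_mlsrange can return None on a non-MLS mapping, the fallback would pass None where the audit call expects a string — worth confirming against the binding. modify() begins and ends outside this hunk.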
@@ -184,18 +322,16 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol + rc = semanage_seuser_modify_local(self.sh, k, u) + if rc < 0: + raise ValueError("Could not modify login mapping for %s" % name) - ++ + rc = semanage_commit(self.sh) + if rc < 0: + raise ValueError("Could not modify login mapping for %s" % name) -+ + + except ValueError, error: -+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0], -+ name, 0, "", "", "", 0); ++ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, "", oldsename, "", oldserange, "", "", "", 0); + raise error -+ -+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", -+ name, 0, "", "", "", 1); ++ ++ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, oldsename, "", oldserange, "", 1); semanage_seuser_key_free(k) semanage_seuser_free(u) 
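Review bot: The two audit_log_semanage_message calls that the seuser modify() makes on its failure and success paths pass different argument lists — 17 positional arguments with a spare `""` inserted before `oldsename` in the except branch, 14 in the success branch — so at least one cannot match the binding's prototype, and a TypeError raised inside the except handler would replace the ValueError being reported and silently drop the failure audit event. As I recall it, libaudit's audit_log_semanage_message takes 16 parameters (audit_fd, type, pgname, op, name, id, new_seuser, new_role, new_range, old_seuser, old_role, old_range, host, addr, tty, result), which is the shape the add and delete calls elsewhere in this patch already follow. Make the two lines identical apart from the result flag: `audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0], "modify selinux user mapping", name, 0, sename, "", serange, oldsename, "", oldserange, "", "", "", 0)` on the failure path and the same call ending in `1` on success. The two calls in the later `@@ -433,12 +566,10 @@` hunk (modify SELinux user record) have the same 14-argument shortfall and need the same two trailing `""` added before the result flag. modify()'s body begins in the preceding hunk.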
@@ -254,109 +390,107 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol + raise ValueError("Could not delete login mapping for %s" % name) + + except ValueError, error: -+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0], -+ name, 0, "", "", "", 0); ++ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 0); + raise error -+ -+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete selinux user mapping", -+ name, 0, "", "", "", 1); ++ ++ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 1); semanage_seuser_key_free(k) -@@ -322,127 +349,150 @@ +@@ -322,127 +351,145 @@ else: selevel = untranslate(selevel) - (rc,k) = semanage_user_key_create(self.sh, name) - if rc < 0: - raise ValueError("Could not create a key for %s" % name) -+ try: -+ (rc,k) = semanage_user_key_create(self.sh, name) -+ if rc < 0: -+ raise ValueError("Could not create a key for %s" % name) - +- - (rc,exists) = semanage_user_exists(self.sh, k) - if rc < 0: - raise ValueError("Could not check if SELinux user %s is defined" % name) - if exists: - raise ValueError("SELinux user %s is already defined" % name) ++ seroles=" ".join(roles) ++ try: ++ (rc,k) = semanage_user_key_create(self.sh, name) ++ if rc < 0: ++ raise ValueError("Could not create a key for %s" % name) + +- (rc,u) = semanage_user_create(self.sh) +- if rc < 0: +- raise ValueError("Could not create SELinux user for %s" % name) + (rc,exists) = semanage_user_exists(self.sh, k) + if rc < 0: + raise ValueError("Could not check if SELinux user %s is defined" % name) + if exists: + raise ValueError("SELinux user %s is already defined" % name) -- (rc,u) = semanage_user_create(self.sh) +- rc = 
semanage_user_set_name(self.sh, u, name) - if rc < 0: -- raise ValueError("Could not create SELinux user for %s" % name) +- raise ValueError("Could not set name for %s" % name) + (rc,u) = semanage_user_create(self.sh) + if rc < 0: + raise ValueError("Could not create SELinux user for %s" % name) -- rc = semanage_user_set_name(self.sh, u, name) -- if rc < 0: -- raise ValueError("Could not set name for %s" % name) -+ rc = semanage_user_set_name(self.sh, u, name) -+ if rc < 0: -+ raise ValueError("Could not set name for %s" % name) - - for r in roles: - rc = semanage_user_add_role(self.sh, u, r) -+ for r in roles: -+ rc = semanage_user_add_role(self.sh, u, r) -+ if rc < 0: -+ raise ValueError("Could not add role %s for %s" % (r, name)) -+ -+ rc = semanage_user_set_mlsrange(self.sh, u, serange) ++ rc = semanage_user_set_name(self.sh, u, name) if rc < 0: - raise ValueError("Could not add role %s for %s" % (r, name)) -+ raise ValueError("Could not set MLS range for %s" % name) ++ raise ValueError("Could not set name for %s" % name) - rc = semanage_user_set_mlsrange(self.sh, u, serange) - if rc < 0: - raise ValueError("Could not set MLS range for %s" % name) -+ rc = semanage_user_set_mlslevel(self.sh, u, selevel) -+ if rc < 0: -+ raise ValueError("Could not set MLS level for %s" % name) ++ for r in roles: ++ rc = semanage_user_add_role(self.sh, u, r) ++ if rc < 0: ++ raise ValueError("Could not add role %s for %s" % (r, name)) - rc = semanage_user_set_mlslevel(self.sh, u, selevel) - if rc < 0: - raise ValueError("Could not set MLS level for %s" % name) -+ (rc,key) = semanage_user_key_extract(self.sh,u) ++ rc = semanage_user_set_mlsrange(self.sh, u, serange) + if rc < 0: -+ raise ValueError("Could not extract key for %s" % name) ++ raise ValueError("Could not set MLS range for %s" % name) - (rc,key) = semanage_user_key_extract(self.sh,u) - if rc < 0: - raise ValueError("Could not extract key for %s" % name) -+ rc = semanage_begin_transaction(self.sh) ++ rc = 
semanage_user_set_mlslevel(self.sh, u, selevel) + if rc < 0: -+ raise ValueError("Could not start semanage transaction") ++ raise ValueError("Could not set MLS level for %s" % name) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError("Could not start semanage transaction") -+ rc = semanage_user_modify_local(self.sh, k, u) ++ (rc,key) = semanage_user_key_extract(self.sh,u) + if rc < 0: -+ raise ValueError("Could not add SELinux user %s" % name) ++ raise ValueError("Could not extract key for %s" % name) - rc = semanage_user_modify_local(self.sh, k, u) - if rc < 0: - raise ValueError("Could not add SELinux user %s" % name) -+ rc = semanage_commit(self.sh) ++ rc = semanage_begin_transaction(self.sh) + if rc < 0: -+ raise ValueError("Could not add SELinux user %s" % name) ++ raise ValueError("Could not start semanage transaction") - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError("Could not add SELinux user %s" % name) -+ except ValueError, error: -+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0], -+ name, 0, "", "", "", 0); -+ raise error ++ rc = semanage_user_modify_local(self.sh, k, u) ++ if rc < 0: ++ raise ValueError("Could not add SELinux user %s" % name) ++ ++ rc = semanage_commit(self.sh) ++ if rc < 0: ++ raise ValueError("Could not add SELinux user %s" % name) -+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add Selinux User Record", -+ name, 0, "", "", "", 1); ++ except ValueError, error: ++ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 0); ++ raise error ++ ++ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 1); semanage_user_key_free(k) semanage_user_free(u) 
@@ -423,7 +557,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError("Could not modify SELinux user %s" % name) -- + rc = semanage_user_modify_local(self.sh, k, u) + if rc < 0: + raise ValueError("Could not modify SELinux user %s" % name) @@ -433,12 +566,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol + raise ValueError("Could not modify SELinux user %s" % name) + + except ValueError, error: -+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0], -+ name, 0, "", "", "", 0); ++ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 0); + raise error -+ -+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify Selinux User Record", -+ name, 0, "", "", "", 1); + ++ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 1); semanage_user_key_free(k) semanage_user_free(u) 
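Review bot: Both audit calls in the `@@ -433,12 +566,10 @@` hunk reference `olrserange`, which reads like a misspelling of `oldserange` next to `oldseuser` and `oldseroles`; the assignment is outside the hunk, so if it is spelled `oldserange` there, the except handler raises NameError, replacing the ValueError being reported and losing the audit record for the failed modification. Worth confirming the binding, and renaming the variable to `oldserange` in both calls for consistency with the seuser hunk either way. The enclosing modify() starts and ends outside this hunk.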
@@ -495,12 +626,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol + if rc < 0: + raise ValueError("Could not delete SELinux user %s" % name) + except ValueError, error: -+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0], -+ name, 0, "", "", "", 0); ++ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 0); + raise error -+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"Delete Selinux User Record", -+ name, 0, "", "", "", 1); ++ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 1); semanage_user_key_free(k) def get_all(self): diff --git a/policycoreutils.spec b/policycoreutils.spec index e533a8a..886d1ec 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,10 +1,11 @@ +%define libauditver 1.1.4-3 %define libsepolver 1.11.13-1 -%define libsemanagever 1.5.21-1 +%define libsemanagever 1.5.21-2 %define libselinuxver 1.29.7-1 Summary: SELinux policy core utilities. Name: policycoreutils Version: 1.29.20 -Release: 1 +Release: 2 License: GPL Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -12,7 +13,7 @@ Patch: policycoreutils-rhat.patch BuildRequires: pam-devel libsepol-devel >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver} PreReq: /bin/mount /bin/egrep /bin/awk /usr/bin/diff -Requires: libsepol >= %{libsepolver} libsemanage >= %{libsemanagever} libselinux-python coreutils audit-libs-python +Requires: libsepol >= %{libsepolver} libsemanage >= %{libsemanagever} libselinux-python coreutils audit-libs-python >= %{libauditver} BuildRoot: %{_tmppath}/%{name}-buildroot %description 
@@ -97,6 +98,10 @@ rm -rf ${RPM_BUILD_ROOT} %{_libdir}/python2.4/site-packages/seobject.py* %changelog +* Tue Feb 07 2006 Dan Walsh 1.29.20-2 +- Fix auditing to semanage +- Change genhomedircon to use new prefix interface in libselinux + * Tue Feb 07 2006 Dan Walsh 1.29.20-1 - Update from upstream * Merged seuser/user_extra support patch to semodule_package