* Tue Feb 07 2006 Dan Walsh <dwalsh@redhat.com> 1.29.20-2
- Fix auditing to semanage - Change genhomedircon to use new prefix interface in libselinux
This commit is contained in:
parent
49470329fc
commit
4c107ae3b8
@ -1,7 +1,27 @@
|
|||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.20/scripts/genhomedircon
|
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.20/scripts/genhomedircon
|
||||||
--- nsapolicycoreutils/scripts/genhomedircon 2006-01-30 18:32:39.000000000 -0500
|
--- nsapolicycoreutils/scripts/genhomedircon 2006-01-30 18:32:39.000000000 -0500
|
||||||
+++ policycoreutils-1.29.20/scripts/genhomedircon 2006-02-07 10:36:38.000000000 -0500
|
+++ policycoreutils-1.29.20/scripts/genhomedircon 2006-02-09 10:27:15.000000000 -0500
|
||||||
@@ -170,7 +170,7 @@
|
@@ -4,7 +4,7 @@
|
||||||
|
#
|
||||||
|
# genhomedircon - this script is used to generate file context
|
||||||
|
# configuration entries for user home directories based on their
|
||||||
|
-# default roles and is run when building the policy. Specifically, we
|
||||||
|
+# default prefixes and is run when building the policy. Specifically, we
|
||||||
|
# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with
|
||||||
|
# generic and user-specific values.
|
||||||
|
#
|
||||||
|
@@ -15,9 +15,7 @@
|
||||||
|
# The file CONTEXTDIR/files/homedir_template exists. This file is used to
|
||||||
|
# set up the home directory context for each real user.
|
||||||
|
#
|
||||||
|
-# If a user has more than one role, genhomedircon uses the first role in the list.
|
||||||
|
-#
|
||||||
|
-# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user
|
||||||
|
+# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, prefix user
|
||||||
|
#
|
||||||
|
# "Real" users (as opposed to system users) are those whose UID is greater than
|
||||||
|
# or equal STARTING_UID (usually 500) and whose login is not a member of
|
||||||
|
@@ -170,37 +168,34 @@
|
||||||
def heading(self):
|
def heading(self):
|
||||||
ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
|
ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
|
||||||
if self.semanaged:
|
if self.semanaged:
|
||||||
@ -10,18 +30,130 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po
|
|||||||
else:
|
else:
|
||||||
ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers")
|
ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers")
|
||||||
return ret
|
return ret
|
||||||
@@ -196,7 +196,7 @@
|
|
||||||
return role
|
|
||||||
|
|
||||||
def adduser(self, udict, user, seuser, role):
|
- def defaultrole(self, name):
|
||||||
|
+ def get_default_prefix(self, name):
|
||||||
|
for idx in range(self.usize):
|
||||||
|
user = semanage_user_by_idx(self.ulist, idx)
|
||||||
|
if semanage_user_get_name(user) == name:
|
||||||
|
- if name == "staff_u" or name == "root" and self.type != "targeted":
|
||||||
|
- return "staff_r"
|
||||||
|
- else:
|
||||||
|
- return "user_r"
|
||||||
|
+ return semanage_user_get_prefix(user)
|
||||||
|
return name
|
||||||
|
- def getOldRole(self, role):
|
||||||
|
- rc=grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % role)
|
||||||
|
+ def get_old_prefix(self, user):
|
||||||
|
+ rc=grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % user)
|
||||||
|
if rc == "":
|
||||||
|
- rc=grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % role)
|
||||||
|
+ rc=grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % user)
|
||||||
|
if rc != "":
|
||||||
|
user=rc.split()
|
||||||
|
- role = user[3]
|
||||||
|
- if role == "{":
|
||||||
|
- role = user[4]
|
||||||
|
- return role
|
||||||
|
+ prefix = user[3]
|
||||||
|
+ if prefix == "{":
|
||||||
|
+ prefix = user[4]
|
||||||
|
+ if len(prefix) > 2 and (prefix[-2:] == "_r" or prefix[-2:] == "_u"):
|
||||||
|
+ prefix = prefix[:-2]
|
||||||
|
+ return prefix
|
||||||
|
|
||||||
|
- def adduser(self, udict, user, seuser, role):
|
||||||
- if seuser == "user_u" or user == "__default__":
|
- if seuser == "user_u" or user == "__default__":
|
||||||
|
+ def adduser(self, udict, user, seuser, prefix):
|
||||||
+ if seuser == "user_u" or user == "__default__" or user == "system_u":
|
+ if seuser == "user_u" or user == "__default__" or user == "system_u":
|
||||||
return
|
return
|
||||||
# !!! chooses first role in the list to use in the file context !!!
|
- # !!! chooses first role in the list to use in the file context !!!
|
||||||
if role[-2:] == "_r" or role[-2:] == "_u":
|
- if role[-2:] == "_r" or role[-2:] == "_u":
|
||||||
|
- role = role[:-2]
|
||||||
|
+ # !!! chooses first prefix in the list to use in the file context !!!
|
||||||
|
try:
|
||||||
|
home = pwd.getpwnam(user)[5]
|
||||||
|
if home == "/":
|
||||||
|
@@ -217,7 +212,7 @@
|
||||||
|
return
|
||||||
|
prefs = {}
|
||||||
|
prefs["seuser"] = seuser
|
||||||
|
- prefs["role"] = role
|
||||||
|
+ prefs["prefix"] = prefix
|
||||||
|
prefs["home"] = home
|
||||||
|
udict[user] = prefs
|
||||||
|
|
||||||
|
@@ -229,7 +224,7 @@
|
||||||
|
user=[]
|
||||||
|
seuser = semanage_seuser_by_idx(list, idx)
|
||||||
|
seusername=semanage_seuser_get_sename(seuser)
|
||||||
|
- self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.defaultrole(seusername))
|
||||||
|
+ self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.get_default_prefix(seusername))
|
||||||
|
|
||||||
|
else:
|
||||||
|
try:
|
||||||
|
@@ -242,8 +237,8 @@
|
||||||
|
if len(user) < 2:
|
||||||
|
continue
|
||||||
|
|
||||||
|
- role=self.getOldRole(user[1])
|
||||||
|
- self.adduser(udict, user[0], user[1], role)
|
||||||
|
+ prefix=self.get_old_prefix(user[1])
|
||||||
|
+ self.adduser(udict, user[0], user[1], prefix)
|
||||||
|
fd.close()
|
||||||
|
except IOError, error:
|
||||||
|
# Must be install so force add of root
|
||||||
|
@@ -251,40 +246,37 @@
|
||||||
|
|
||||||
|
return udict
|
||||||
|
|
||||||
|
- def getHomeDirContext(self, user, seuser, home, role):
|
||||||
|
+ def getHomeDirContext(self, user, seuser, home, prefix):
|
||||||
|
ret="\n\n#\n# Home Context for user %s\n#\n\n" % user
|
||||||
|
fd=open(self.getHomeDirTemplate(), 'r')
|
||||||
|
for i in fd.read().split('\n'):
|
||||||
|
if i.startswith("HOME_DIR") == 1:
|
||||||
|
i=i.replace("HOME_DIR", home)
|
||||||
|
- i=i.replace("ROLE", role)
|
||||||
|
+ i=i.replace("ROLE", prefix)
|
||||||
|
i=i.replace("system_u", seuser)
|
||||||
|
ret = ret+i+"\n"
|
||||||
|
fd.close()
|
||||||
|
return ret
|
||||||
|
|
||||||
|
- def getUserContext(self, user, sel_user, role):
|
||||||
|
+ def getUserContext(self, user, sel_user, prefix):
|
||||||
|
ret=""
|
||||||
|
fd=open(self.getHomeDirTemplate(), 'r')
|
||||||
|
for i in fd.read().split('\n'):
|
||||||
|
if i.find("USER") == 1:
|
||||||
|
i=i.replace("USER", user)
|
||||||
|
- i=i.replace("ROLE", role)
|
||||||
|
+ i=i.replace("ROLE", prefix)
|
||||||
|
i=i.replace("system_u", sel_user)
|
||||||
|
ret=ret+i+"\n"
|
||||||
|
fd.close()
|
||||||
|
return ret
|
||||||
|
|
||||||
|
def genHomeDirContext(self):
|
||||||
|
- if self.semanaged and grep(self.getHomeDirTemplate(), "ROLE") != "":
|
||||||
|
- warning("genhomedircon: Warning! No support yet for expanding ROLE macros in the %s file when using libsemanage." % self.getHomeDirTemplate());
|
||||||
|
- warning("genhomedircon: You must manually update file_contexts.homedirs for any non-user_r users (including root).");
|
||||||
|
users = self.getUsers()
|
||||||
|
ret=""
|
||||||
|
- # Fill in HOME and ROLE for users that are defined
|
||||||
|
+ # Fill in HOME and prefix for users that are defined
|
||||||
|
for u in users.keys():
|
||||||
|
- ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["role"])
|
||||||
|
- ret += self.getUserContext (u, users[u]["seuser"], users[u]["role"])
|
||||||
|
+ ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["prefix"])
|
||||||
|
+ ret += self.getUserContext (u, users[u]["seuser"], users[u]["prefix"])
|
||||||
|
return ret+"\n"
|
||||||
|
|
||||||
|
def checkExists(self, home):
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.20/semanage/seobject.py
|
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.20/semanage/seobject.py
|
||||||
--- nsapolicycoreutils/semanage/seobject.py 2006-02-02 12:08:04.000000000 -0500
|
--- nsapolicycoreutils/semanage/seobject.py 2006-02-02 12:08:04.000000000 -0500
|
||||||
+++ policycoreutils-1.29.20/semanage/seobject.py 2006-02-07 10:35:46.000000000 -0500
|
+++ policycoreutils-1.29.20/semanage/seobject.py 2006-02-10 11:48:59.000000000 -0500
|
||||||
@@ -21,8 +21,11 @@
|
@@ -21,8 +21,11 @@
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
@ -35,7 +167,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
|
|||||||
|
|
||||||
def validate_level(raw):
|
def validate_level(raw):
|
||||||
sensitivity="s([0-9]|1[0-5])"
|
sensitivity="s([0-9]|1[0-5])"
|
||||||
@@ -170,119 +173,143 @@
|
@@ -170,119 +173,145 @@
|
||||||
if sename == "":
|
if sename == "":
|
||||||
sename = "user_u"
|
sename = "user_u"
|
||||||
|
|
||||||
@ -117,18 +249,18 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
|
|||||||
+ raise ValueError("Could not add login mapping for %s" % name)
|
+ raise ValueError("Could not add login mapping for %s" % name)
|
||||||
+
|
+
|
||||||
+ except ValueError, error:
|
+ except ValueError, error:
|
||||||
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 0);
|
||||||
+ name, 0, "", "", "", 0);
|
|
||||||
+ raise error
|
+ raise error
|
||||||
+
|
+
|
||||||
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"adding selinux user mapping",
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 1);
|
||||||
+ name, 0, "", "", "", 1);
|
|
||||||
semanage_seuser_key_free(k)
|
semanage_seuser_key_free(k)
|
||||||
semanage_seuser_free(u)
|
semanage_seuser_free(u)
|
||||||
|
|
||||||
def modify(self, name, sename = "", serange = ""):
|
def modify(self, name, sename = "", serange = ""):
|
||||||
- if sename == "" and serange == "":
|
- if sename == "" and serange == "":
|
||||||
- raise ValueError("Requires seuser or serange")
|
- raise ValueError("Requires seuser or serange")
|
||||||
|
+ oldsename=""
|
||||||
|
+ oldserange=""
|
||||||
+ try:
|
+ try:
|
||||||
+ if sename == "" and serange == "":
|
+ if sename == "" and serange == "":
|
||||||
+ raise ValueError("Requires seuser or serange")
|
+ raise ValueError("Requires seuser or serange")
|
||||||
@ -162,10 +294,16 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
|
|||||||
- semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
|
- semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
|
||||||
- if sename != "":
|
- if sename != "":
|
||||||
- semanage_seuser_set_sename(self.sh, u, sename)
|
- semanage_seuser_set_sename(self.sh, u, sename)
|
||||||
|
+ oldserange=semanage_seuser_get_mlsrange(u)
|
||||||
|
+ oldsename=semanage_seuser_get_sename(u)
|
||||||
+ if serange != "":
|
+ if serange != "":
|
||||||
+ semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
|
+ semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
|
||||||
|
+ else:
|
||||||
|
+ serange=oldserange
|
||||||
+ if sename != "":
|
+ if sename != "":
|
||||||
+ semanage_seuser_set_sename(self.sh, u, sename)
|
+ semanage_seuser_set_sename(self.sh, u, sename)
|
||||||
|
+ else:
|
||||||
|
+ sename=oldsename
|
||||||
|
|
||||||
- rc = semanage_begin_transaction(self.sh)
|
- rc = semanage_begin_transaction(self.sh)
|
||||||
- if rc < 0:
|
- if rc < 0:
|
||||||
@ -184,18 +322,16 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
|
|||||||
+ rc = semanage_seuser_modify_local(self.sh, k, u)
|
+ rc = semanage_seuser_modify_local(self.sh, k, u)
|
||||||
+ if rc < 0:
|
+ if rc < 0:
|
||||||
+ raise ValueError("Could not modify login mapping for %s" % name)
|
+ raise ValueError("Could not modify login mapping for %s" % name)
|
||||||
|
+
|
||||||
+ rc = semanage_commit(self.sh)
|
+ rc = semanage_commit(self.sh)
|
||||||
+ if rc < 0:
|
+ if rc < 0:
|
||||||
+ raise ValueError("Could not modify login mapping for %s" % name)
|
+ raise ValueError("Could not modify login mapping for %s" % name)
|
||||||
+
|
|
||||||
+ except ValueError, error:
|
+ except ValueError, error:
|
||||||
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, "", oldsename, "", oldserange, "", "", "", 0);
|
||||||
+ name, 0, "", "", "", 0);
|
|
||||||
+ raise error
|
+ raise error
|
||||||
+
|
+
|
||||||
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping",
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, oldsename, "", oldserange, "", 1);
|
||||||
+ name, 0, "", "", "", 1);
|
|
||||||
semanage_seuser_key_free(k)
|
semanage_seuser_key_free(k)
|
||||||
semanage_seuser_free(u)
|
semanage_seuser_free(u)
|
||||||
|
|
||||||
@ -254,109 +390,107 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
|
|||||||
+ raise ValueError("Could not delete login mapping for %s" % name)
|
+ raise ValueError("Could not delete login mapping for %s" % name)
|
||||||
+
|
+
|
||||||
+ except ValueError, error:
|
+ except ValueError, error:
|
||||||
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 0);
|
||||||
+ name, 0, "", "", "", 0);
|
|
||||||
+ raise error
|
+ raise error
|
||||||
+
|
+
|
||||||
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete selinux user mapping",
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 1);
|
||||||
+ name, 0, "", "", "", 1);
|
|
||||||
semanage_seuser_key_free(k)
|
semanage_seuser_key_free(k)
|
||||||
|
|
||||||
|
|
||||||
@@ -322,127 +349,150 @@
|
@@ -322,127 +351,145 @@
|
||||||
else:
|
else:
|
||||||
selevel = untranslate(selevel)
|
selevel = untranslate(selevel)
|
||||||
|
|
||||||
- (rc,k) = semanage_user_key_create(self.sh, name)
|
- (rc,k) = semanage_user_key_create(self.sh, name)
|
||||||
- if rc < 0:
|
- if rc < 0:
|
||||||
- raise ValueError("Could not create a key for %s" % name)
|
- raise ValueError("Could not create a key for %s" % name)
|
||||||
+ try:
|
-
|
||||||
+ (rc,k) = semanage_user_key_create(self.sh, name)
|
|
||||||
+ if rc < 0:
|
|
||||||
+ raise ValueError("Could not create a key for %s" % name)
|
|
||||||
|
|
||||||
- (rc,exists) = semanage_user_exists(self.sh, k)
|
- (rc,exists) = semanage_user_exists(self.sh, k)
|
||||||
- if rc < 0:
|
- if rc < 0:
|
||||||
- raise ValueError("Could not check if SELinux user %s is defined" % name)
|
- raise ValueError("Could not check if SELinux user %s is defined" % name)
|
||||||
- if exists:
|
- if exists:
|
||||||
- raise ValueError("SELinux user %s is already defined" % name)
|
- raise ValueError("SELinux user %s is already defined" % name)
|
||||||
|
+ seroles=" ".join(roles)
|
||||||
|
+ try:
|
||||||
|
+ (rc,k) = semanage_user_key_create(self.sh, name)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError("Could not create a key for %s" % name)
|
||||||
|
|
||||||
|
- (rc,u) = semanage_user_create(self.sh)
|
||||||
|
- if rc < 0:
|
||||||
|
- raise ValueError("Could not create SELinux user for %s" % name)
|
||||||
+ (rc,exists) = semanage_user_exists(self.sh, k)
|
+ (rc,exists) = semanage_user_exists(self.sh, k)
|
||||||
+ if rc < 0:
|
+ if rc < 0:
|
||||||
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
|
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
|
||||||
+ if exists:
|
+ if exists:
|
||||||
+ raise ValueError("SELinux user %s is already defined" % name)
|
+ raise ValueError("SELinux user %s is already defined" % name)
|
||||||
|
|
||||||
- (rc,u) = semanage_user_create(self.sh)
|
- rc = semanage_user_set_name(self.sh, u, name)
|
||||||
- if rc < 0:
|
- if rc < 0:
|
||||||
- raise ValueError("Could not create SELinux user for %s" % name)
|
- raise ValueError("Could not set name for %s" % name)
|
||||||
+ (rc,u) = semanage_user_create(self.sh)
|
+ (rc,u) = semanage_user_create(self.sh)
|
||||||
+ if rc < 0:
|
+ if rc < 0:
|
||||||
+ raise ValueError("Could not create SELinux user for %s" % name)
|
+ raise ValueError("Could not create SELinux user for %s" % name)
|
||||||
|
|
||||||
- rc = semanage_user_set_name(self.sh, u, name)
|
|
||||||
- if rc < 0:
|
|
||||||
- raise ValueError("Could not set name for %s" % name)
|
|
||||||
+ rc = semanage_user_set_name(self.sh, u, name)
|
|
||||||
+ if rc < 0:
|
|
||||||
+ raise ValueError("Could not set name for %s" % name)
|
|
||||||
|
|
||||||
- for r in roles:
|
- for r in roles:
|
||||||
- rc = semanage_user_add_role(self.sh, u, r)
|
- rc = semanage_user_add_role(self.sh, u, r)
|
||||||
+ for r in roles:
|
+ rc = semanage_user_set_name(self.sh, u, name)
|
||||||
+ rc = semanage_user_add_role(self.sh, u, r)
|
|
||||||
+ if rc < 0:
|
|
||||||
+ raise ValueError("Could not add role %s for %s" % (r, name))
|
|
||||||
+
|
|
||||||
+ rc = semanage_user_set_mlsrange(self.sh, u, serange)
|
|
||||||
if rc < 0:
|
if rc < 0:
|
||||||
- raise ValueError("Could not add role %s for %s" % (r, name))
|
- raise ValueError("Could not add role %s for %s" % (r, name))
|
||||||
+ raise ValueError("Could not set MLS range for %s" % name)
|
+ raise ValueError("Could not set name for %s" % name)
|
||||||
|
|
||||||
- rc = semanage_user_set_mlsrange(self.sh, u, serange)
|
- rc = semanage_user_set_mlsrange(self.sh, u, serange)
|
||||||
- if rc < 0:
|
- if rc < 0:
|
||||||
- raise ValueError("Could not set MLS range for %s" % name)
|
- raise ValueError("Could not set MLS range for %s" % name)
|
||||||
+ rc = semanage_user_set_mlslevel(self.sh, u, selevel)
|
+ for r in roles:
|
||||||
|
+ rc = semanage_user_add_role(self.sh, u, r)
|
||||||
+ if rc < 0:
|
+ if rc < 0:
|
||||||
+ raise ValueError("Could not set MLS level for %s" % name)
|
+ raise ValueError("Could not add role %s for %s" % (r, name))
|
||||||
|
|
||||||
- rc = semanage_user_set_mlslevel(self.sh, u, selevel)
|
- rc = semanage_user_set_mlslevel(self.sh, u, selevel)
|
||||||
- if rc < 0:
|
- if rc < 0:
|
||||||
- raise ValueError("Could not set MLS level for %s" % name)
|
- raise ValueError("Could not set MLS level for %s" % name)
|
||||||
+ (rc,key) = semanage_user_key_extract(self.sh,u)
|
+ rc = semanage_user_set_mlsrange(self.sh, u, serange)
|
||||||
+ if rc < 0:
|
+ if rc < 0:
|
||||||
+ raise ValueError("Could not extract key for %s" % name)
|
+ raise ValueError("Could not set MLS range for %s" % name)
|
||||||
|
|
||||||
- (rc,key) = semanage_user_key_extract(self.sh,u)
|
- (rc,key) = semanage_user_key_extract(self.sh,u)
|
||||||
- if rc < 0:
|
- if rc < 0:
|
||||||
- raise ValueError("Could not extract key for %s" % name)
|
- raise ValueError("Could not extract key for %s" % name)
|
||||||
+ rc = semanage_begin_transaction(self.sh)
|
+ rc = semanage_user_set_mlslevel(self.sh, u, selevel)
|
||||||
+ if rc < 0:
|
+ if rc < 0:
|
||||||
+ raise ValueError("Could not start semanage transaction")
|
+ raise ValueError("Could not set MLS level for %s" % name)
|
||||||
|
|
||||||
- rc = semanage_begin_transaction(self.sh)
|
- rc = semanage_begin_transaction(self.sh)
|
||||||
- if rc < 0:
|
- if rc < 0:
|
||||||
- raise ValueError("Could not start semanage transaction")
|
- raise ValueError("Could not start semanage transaction")
|
||||||
+ rc = semanage_user_modify_local(self.sh, k, u)
|
+ (rc,key) = semanage_user_key_extract(self.sh,u)
|
||||||
+ if rc < 0:
|
+ if rc < 0:
|
||||||
+ raise ValueError("Could not add SELinux user %s" % name)
|
+ raise ValueError("Could not extract key for %s" % name)
|
||||||
|
|
||||||
- rc = semanage_user_modify_local(self.sh, k, u)
|
- rc = semanage_user_modify_local(self.sh, k, u)
|
||||||
- if rc < 0:
|
- if rc < 0:
|
||||||
- raise ValueError("Could not add SELinux user %s" % name)
|
- raise ValueError("Could not add SELinux user %s" % name)
|
||||||
+ rc = semanage_commit(self.sh)
|
+ rc = semanage_begin_transaction(self.sh)
|
||||||
+ if rc < 0:
|
+ if rc < 0:
|
||||||
+ raise ValueError("Could not add SELinux user %s" % name)
|
+ raise ValueError("Could not start semanage transaction")
|
||||||
|
|
||||||
- rc = semanage_commit(self.sh)
|
- rc = semanage_commit(self.sh)
|
||||||
- if rc < 0:
|
- if rc < 0:
|
||||||
- raise ValueError("Could not add SELinux user %s" % name)
|
- raise ValueError("Could not add SELinux user %s" % name)
|
||||||
+ except ValueError, error:
|
+ rc = semanage_user_modify_local(self.sh, k, u)
|
||||||
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
|
+ if rc < 0:
|
||||||
+ name, 0, "", "", "", 0);
|
+ raise ValueError("Could not add SELinux user %s" % name)
|
||||||
+ raise error
|
+
|
||||||
|
+ rc = semanage_commit(self.sh)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError("Could not add SELinux user %s" % name)
|
||||||
|
|
||||||
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add Selinux User Record",
|
+ except ValueError, error:
|
||||||
+ name, 0, "", "", "", 1);
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 0);
|
||||||
|
+ raise error
|
||||||
|
+
|
||||||
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 1);
|
||||||
semanage_user_key_free(k)
|
semanage_user_key_free(k)
|
||||||
semanage_user_free(u)
|
semanage_user_free(u)
|
||||||
|
|
||||||
@ -423,7 +557,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
|
|||||||
- rc = semanage_commit(self.sh)
|
- rc = semanage_commit(self.sh)
|
||||||
- if rc < 0:
|
- if rc < 0:
|
||||||
- raise ValueError("Could not modify SELinux user %s" % name)
|
- raise ValueError("Could not modify SELinux user %s" % name)
|
||||||
-
|
|
||||||
+ rc = semanage_user_modify_local(self.sh, k, u)
|
+ rc = semanage_user_modify_local(self.sh, k, u)
|
||||||
+ if rc < 0:
|
+ if rc < 0:
|
||||||
+ raise ValueError("Could not modify SELinux user %s" % name)
|
+ raise ValueError("Could not modify SELinux user %s" % name)
|
||||||
@ -433,12 +566,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
|
|||||||
+ raise ValueError("Could not modify SELinux user %s" % name)
|
+ raise ValueError("Could not modify SELinux user %s" % name)
|
||||||
+
|
+
|
||||||
+ except ValueError, error:
|
+ except ValueError, error:
|
||||||
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 0);
|
||||||
+ name, 0, "", "", "", 0);
|
|
||||||
+ raise error
|
+ raise error
|
||||||
+
|
|
||||||
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify Selinux User Record",
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 1);
|
||||||
+ name, 0, "", "", "", 1);
|
|
||||||
semanage_user_key_free(k)
|
semanage_user_key_free(k)
|
||||||
semanage_user_free(u)
|
semanage_user_free(u)
|
||||||
|
|
||||||
@ -495,12 +626,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
|
|||||||
+ if rc < 0:
|
+ if rc < 0:
|
||||||
+ raise ValueError("Could not delete SELinux user %s" % name)
|
+ raise ValueError("Could not delete SELinux user %s" % name)
|
||||||
+ except ValueError, error:
|
+ except ValueError, error:
|
||||||
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 0);
|
||||||
+ name, 0, "", "", "", 0);
|
|
||||||
+ raise error
|
+ raise error
|
||||||
|
|
||||||
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"Delete Selinux User Record",
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 1);
|
||||||
+ name, 0, "", "", "", 1);
|
|
||||||
semanage_user_key_free(k)
|
semanage_user_key_free(k)
|
||||||
|
|
||||||
def get_all(self):
|
def get_all(self):
|
||||||
|
@ -1,10 +1,11 @@
|
|||||||
|
%define libauditver 1.1.4-3
|
||||||
%define libsepolver 1.11.13-1
|
%define libsepolver 1.11.13-1
|
||||||
%define libsemanagever 1.5.21-1
|
%define libsemanagever 1.5.21-2
|
||||||
%define libselinuxver 1.29.7-1
|
%define libselinuxver 1.29.7-1
|
||||||
Summary: SELinux policy core utilities.
|
Summary: SELinux policy core utilities.
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 1.29.20
|
Version: 1.29.20
|
||||||
Release: 1
|
Release: 2
|
||||||
License: GPL
|
License: GPL
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||||
@ -12,7 +13,7 @@ Patch: policycoreutils-rhat.patch
|
|||||||
|
|
||||||
BuildRequires: pam-devel libsepol-devel >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver}
|
BuildRequires: pam-devel libsepol-devel >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver}
|
||||||
PreReq: /bin/mount /bin/egrep /bin/awk /usr/bin/diff
|
PreReq: /bin/mount /bin/egrep /bin/awk /usr/bin/diff
|
||||||
Requires: libsepol >= %{libsepolver} libsemanage >= %{libsemanagever} libselinux-python coreutils audit-libs-python
|
Requires: libsepol >= %{libsepolver} libsemanage >= %{libsemanagever} libselinux-python coreutils audit-libs-python >= %{libauditver}
|
||||||
BuildRoot: %{_tmppath}/%{name}-buildroot
|
BuildRoot: %{_tmppath}/%{name}-buildroot
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -97,6 +98,10 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||||||
%{_libdir}/python2.4/site-packages/seobject.py*
|
%{_libdir}/python2.4/site-packages/seobject.py*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Feb 07 2006 Dan Walsh <dwalsh@redhat.com> 1.29.20-2
|
||||||
|
- Fix auditing to semanage
|
||||||
|
- Change genhomedircon to use new prefix interface in libselinux
|
||||||
|
|
||||||
* Tue Feb 07 2006 Dan Walsh <dwalsh@redhat.com> 1.29.20-1
|
* Tue Feb 07 2006 Dan Walsh <dwalsh@redhat.com> 1.29.20-1
|
||||||
- Update from upstream
|
- Update from upstream
|
||||||
* Merged seuser/user_extra support patch to semodule_package
|
* Merged seuser/user_extra support patch to semodule_package
|
||||||
|
Loading…
Reference in New Issue
Block a user