* Tue Feb 07 2006 Dan Walsh <dwalsh@redhat.com> 1.29.20-2

- Fix auditing to semanage - Change genhomedircon to use new prefix interface in libselinux
2006-02-10 17:04:04 +00:00 · 2006-02-10 17:04:04 +00:00 · 4c107ae3b8
commit 4c107ae3b8
parent 49470329fc
2 changed files with 211 additions and 77 deletions
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@ -1,7 +1,27 @@
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.20/scripts/genhomedircon
 --- nsapolicycoreutils/scripts/genhomedircon	2006-01-30 18:32:39.000000000 -0500
-+++ policycoreutils-1.29.20/scripts/genhomedircon	2006-02-07 10:36:38.000000000 -0500
+++ policycoreutils-1.29.20/scripts/genhomedircon	2006-02-09 10:27:15.000000000 -0500
-@@ -170,7 +170,7 @@
+@@ -4,7 +4,7 @@
 #
 # genhomedircon - this script is used to generate file context
 # configuration entries for user home directories based on their
 -# default roles and is run when building the policy. Specifically, we
 +# default prefixes and is run when building the policy. Specifically, we
 # replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with
 # generic and user-specific values.
 #
@@ -15,9 +15,7 @@
 # The file CONTEXTDIR/files/homedir_template exists.  This file is used to
 # set up the home directory context for each real user.
 # 
 -# If a user has more than one role, genhomedircon uses the first role in the list.
 -#
 -# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user
 +# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, prefix user
 #
 # "Real" users (as opposed to system users) are those whose UID is greater than
 #  or equal STARTING_UID (usually 500) and whose login is not a member of
@@ -170,37 +168,34 @@
 	def heading(self):
 		ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
 		if self.semanaged:
@ -10,18 +30,130 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po
 		else:
 			ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers")
 		return ret
@@ -196,7 +196,7 @@
 		return role
- 	def adduser(self, udict, user, seuser, role):
+-	def defaultrole(self, name):
 +	def get_default_prefix(self, name):
 		for idx in range(self.usize):
 			user = semanage_user_by_idx(self.ulist, idx)
 			if semanage_user_get_name(user) == name:
 -				if name == "staff_u" or name == "root" and self.type != "targeted":
 -					return "staff_r"
 -				else:
 -					return "user_r"
 +				return semanage_user_get_prefix(user)
 		return name
 -	def getOldRole(self, role):
 -		rc=grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % role)
 +	def get_old_prefix(self, user):
 +		rc=grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % user)
 		if rc == "":					    
 -			rc=grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % role)
 +			rc=grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % user)
 		if rc != "":
 			user=rc.split()
 -			role = user[3]
 -			if role == "{":
 -				role = user[4]
 -		return role
 +			prefix = user[3]
 +			if prefix == "{":
 +				prefix = user[4]
 +		if len(prefix) > 2 and (prefix[-2:] == "_r" or prefix[-2:] == "_u"):
 +			prefix = prefix[:-2]
 +		return prefix
 -	def adduser(self, udict, user, seuser, role):
 -		if seuser == "user_u" or user == "__default__":
 +	def adduser(self, udict, user, seuser, prefix):
 +		if seuser == "user_u" or user == "__default__" or user == "system_u":
 			return
- 		# !!! chooses first role in the list to use in the file context !!!
+-		# !!! chooses first role in the list to use in the file context !!!
- 		if role[-2:] == "_r" or role[-2:] == "_u":
+-		if role[-2:] == "_r" or role[-2:] == "_u":
 -			role = role[:-2]
 +		# !!! chooses first prefix in the list to use in the file context !!!
 		try:
 			home = pwd.getpwnam(user)[5]
 			if home == "/":
@@ -217,7 +212,7 @@
 				return
 		prefs = {}
 		prefs["seuser"] = seuser
 -		prefs["role"] = role
 +		prefs["prefix"] = prefix
 		prefs["home"] = home
 		udict[user] = prefs
@@ -229,7 +224,7 @@
 				user=[]
 				seuser = semanage_seuser_by_idx(list, idx)
 				seusername=semanage_seuser_get_sename(seuser)
 -				self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.defaultrole(seusername))
 +				self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.get_default_prefix(seusername))
 		else:
 			try:
@@ -242,8 +237,8 @@
 					if len(user) < 2:
 						continue
 -					role=self.getOldRole(user[1])
 -					self.adduser(udict, user[0], user[1], role)
 +					prefix=self.get_old_prefix(user[1])
 +					self.adduser(udict, user[0], user[1], prefix)
 				fd.close()
 			except IOError, error:
 				# Must be install so force add of root
@@ -251,40 +246,37 @@
 		return udict
 -	def getHomeDirContext(self, user, seuser, home, role):
 +	def getHomeDirContext(self, user, seuser, home, prefix):
 		ret="\n\n#\n# Home Context for user %s\n#\n\n" % user
 		fd=open(self.getHomeDirTemplate(), 'r')
 		for i in  fd.read().split('\n'):
 			if i.startswith("HOME_DIR") == 1:
 				i=i.replace("HOME_DIR", home)
 -				i=i.replace("ROLE", role)
 +				i=i.replace("ROLE", prefix)
 				i=i.replace("system_u", seuser)
 				ret = ret+i+"\n"
 		fd.close()
 		return ret
 -	def getUserContext(self, user, sel_user, role):
 +	def getUserContext(self, user, sel_user, prefix):
 		ret=""
 		fd=open(self.getHomeDirTemplate(), 'r')
 		for i in  fd.read().split('\n'):
 			if i.find("USER") == 1:
 				i=i.replace("USER", user)
 -				i=i.replace("ROLE", role)
 +				i=i.replace("ROLE", prefix)
 				i=i.replace("system_u", sel_user)
 				ret=ret+i+"\n"
 		fd.close()
 		return ret
 	def genHomeDirContext(self):
 -		if self.semanaged and grep(self.getHomeDirTemplate(), "ROLE") != "":
 -			warning("genhomedircon:  Warning!  No support yet for expanding ROLE macros in the %s file when using libsemanage." % self.getHomeDirTemplate());
 -			warning("genhomedircon:  You must manually update file_contexts.homedirs for any non-user_r users (including root).");
 		users = self.getUsers()
 		ret=""
 -		# Fill in HOME and ROLE for users that are defined
 +		# Fill in HOME and prefix for users that are defined
 		for u in users.keys():
 -			ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["role"])
 -			ret += self.getUserContext (u, users[u]["seuser"], users[u]["role"])
 +			ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["prefix"])
 +			ret += self.getUserContext (u, users[u]["seuser"], users[u]["prefix"])
 		return ret+"\n"
 	def checkExists(self, home):
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.20/semanage/seobject.py
 --- nsapolicycoreutils/semanage/seobject.py	2006-02-02 12:08:04.000000000 -0500
-+++ policycoreutils-1.29.20/semanage/seobject.py	2006-02-07 10:35:46.000000000 -0500
+++ policycoreutils-1.29.20/semanage/seobject.py	2006-02-10 11:48:59.000000000 -0500
@@ -21,8 +21,11 @@
 #
 #  
@ -35,7 +167,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
 def validate_level(raw):
 	sensitivity="s([0-9]|1[0-5])"
-@@ -170,119 +173,143 @@
+@@ -170,119 +173,145 @@
 		if sename == "":
 			sename = "user_u"
@ -117,18 +249,18 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
 +				raise ValueError("Could not add login mapping for %s" % name)
 +
 +		except ValueError, error:
-+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+			audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 0);
 +						     name, 0, "", "", "", 0);
 +			raise error
 +		
-+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"adding selinux user mapping",
+		audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 1);
 +					     name, 0, "", "", "", 1);
 		semanage_seuser_key_free(k)
 		semanage_seuser_free(u)
 	def modify(self, name, sename = "", serange = ""):
 -		if sename == "" and serange == "":
 -			raise ValueError("Requires seuser or serange")
 +		oldsename=""
 +		oldserange=""
 +		try:
 +			if sename == "" and serange == "":
 +				raise ValueError("Requires seuser or serange")
@ -162,10 +294,16 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
 -			semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
 -		if sename != "":
 -			semanage_seuser_set_sename(self.sh, u, sename)
 +			oldserange=semanage_seuser_get_mlsrange(u)
 +			oldsename=semanage_seuser_get_sename(u)
 +			if serange != "":
 +				semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
 +			else:
 +				serange=oldserange
 +			if sename != "":
 +				semanage_seuser_set_sename(self.sh, u, sename)
 +			else:
 +				sename=oldsename
 -		rc = semanage_begin_transaction(self.sh)
 -		if rc < 0:
@ -184,18 +322,16 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
 +			rc = semanage_seuser_modify_local(self.sh, k, u)
 +			if rc < 0:
 +				raise ValueError("Could not modify login mapping for %s" % name)
- 
+
 +			rc = semanage_commit(self.sh)
 +			if rc < 0:
 +				raise ValueError("Could not modify login mapping for %s" % name)
-+
+ 
 +		except ValueError, error:
-+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+			audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, "", oldsename, "", oldserange, "", "", "", 0);
 +						     name, 0, "", "", "", 0);
 +			raise error
 +		
-+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping",
+		audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, oldsename, "", oldserange, "", 1);
 +					     name, 0, "", "", "", 1);
 		semanage_seuser_key_free(k)
 		semanage_seuser_free(u)
@ -254,109 +390,107 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
 +				raise ValueError("Could not delete login mapping for %s" % name)
 +
 +		except ValueError, error:
-+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+			audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 0);
 +						     name, 0, "", "", "", 0);
 +			raise error
 +		
-+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete selinux user mapping",
+		audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 1);
 +					     name, 0, "", "", "", 1);
 		semanage_seuser_key_free(k)
-@@ -322,127 +349,150 @@
+@@ -322,127 +351,145 @@
 		else:
 			selevel = untranslate(selevel)
 -		(rc,k) = semanage_user_key_create(self.sh, name)
 -		if rc < 0:
 -			raise ValueError("Could not create a key for %s" % name)
-+		try:
+-
 +			(rc,k) = semanage_user_key_create(self.sh, name)
 +			if rc < 0:
 +				raise ValueError("Could not create a key for %s" % name)
 -		(rc,exists) = semanage_user_exists(self.sh, k)
 -		if rc < 0:
 -			raise ValueError("Could not check if SELinux user %s is defined" % name)
 -		if exists:
 -			raise ValueError("SELinux user %s is already defined" % name)
 +		seroles=" ".join(roles)
 +		try:
 +			(rc,k) = semanage_user_key_create(self.sh, name)
 +			if rc < 0:
 +				raise ValueError("Could not create a key for %s" % name)
 -		(rc,u) = semanage_user_create(self.sh)
 -		if rc < 0:
 -			raise ValueError("Could not create SELinux user for %s" % name)
 +			(rc,exists) = semanage_user_exists(self.sh, k)
 +			if rc < 0:
 +				raise ValueError("Could not check if SELinux user %s is defined" % name)
 +			if exists:
 +				raise ValueError("SELinux user %s is already defined" % name)
-		(rc,u) = semanage_user_create(self.sh)
+-		rc = semanage_user_set_name(self.sh, u, name)
 -		if rc < 0:
-			raise ValueError("Could not create SELinux user for %s" % name)
+-			raise ValueError("Could not set name for %s" % name)
 +			(rc,u) = semanage_user_create(self.sh)
 +			if rc < 0:
 +				raise ValueError("Could not create SELinux user for %s" % name)
 -		rc = semanage_user_set_name(self.sh, u, name)
 -		if rc < 0:
 -			raise ValueError("Could not set name for %s" % name)
 +			rc = semanage_user_set_name(self.sh, u, name)
 +			if rc < 0:
 +				raise ValueError("Could not set name for %s" % name)
 -		for r in roles:
 -			rc = semanage_user_add_role(self.sh, u, r)
-+			for r in roles:
+			rc = semanage_user_set_name(self.sh, u, name)
 +				rc = semanage_user_add_role(self.sh, u, r)
 +				if rc < 0:
 +					raise ValueError("Could not add role %s for %s" % (r, name))
 +
 +			rc = semanage_user_set_mlsrange(self.sh, u, serange)
 			if rc < 0:
 -				raise ValueError("Could not add role %s for %s" % (r, name))
-+				raise ValueError("Could not set MLS range for %s" % name)
+				raise ValueError("Could not set name for %s" % name)
 -		rc = semanage_user_set_mlsrange(self.sh, u, serange)
 -		if rc < 0:
 -			raise ValueError("Could not set MLS range for %s" % name)
-+			rc = semanage_user_set_mlslevel(self.sh, u, selevel)
+			for r in roles:
-+			if rc < 0:
+				rc = semanage_user_add_role(self.sh, u, r)
-+				raise ValueError("Could not set MLS level for %s" % name)
+				if rc < 0:
 +					raise ValueError("Could not add role %s for %s" % (r, name))
 -		rc = semanage_user_set_mlslevel(self.sh, u, selevel)
 -		if rc < 0:
 -			raise ValueError("Could not set MLS level for %s" % name)
-+			(rc,key) = semanage_user_key_extract(self.sh,u)
+			rc = semanage_user_set_mlsrange(self.sh, u, serange)
 +			if rc < 0:
-+				raise ValueError("Could not extract key for %s" % name)
+				raise ValueError("Could not set MLS range for %s" % name)
 -		(rc,key) = semanage_user_key_extract(self.sh,u)
 -		if rc < 0:
 -			raise ValueError("Could not extract key for %s" % name)
-+			rc = semanage_begin_transaction(self.sh)
+			rc = semanage_user_set_mlslevel(self.sh, u, selevel)
 +			if rc < 0:
-+				raise ValueError("Could not start semanage transaction")
+				raise ValueError("Could not set MLS level for %s" % name)
 -		rc = semanage_begin_transaction(self.sh)
 -		if rc < 0:
 -			raise ValueError("Could not start semanage transaction")
-+			rc = semanage_user_modify_local(self.sh, k, u)
+			(rc,key) = semanage_user_key_extract(self.sh,u)
 +			if rc < 0:
-+				raise ValueError("Could not add SELinux user %s" % name)
+				raise ValueError("Could not extract key for %s" % name)
 -		rc = semanage_user_modify_local(self.sh, k, u)
 -		if rc < 0:
 -			raise ValueError("Could not add SELinux user %s" % name)
-+			rc = semanage_commit(self.sh)
+			rc = semanage_begin_transaction(self.sh)
 +			if rc < 0:
-+				raise ValueError("Could not add SELinux user %s" % name)
+				raise ValueError("Could not start semanage transaction")
 -		rc = semanage_commit(self.sh)
 -		if rc < 0:
 -			raise ValueError("Could not add SELinux user %s" % name)
-+		except ValueError, error:
+			rc = semanage_user_modify_local(self.sh, k, u)
-+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+			if rc < 0:
-+						     name, 0, "", "", "", 0);
+				raise ValueError("Could not add SELinux user %s" % name)
-+			raise error
+
 +			rc = semanage_commit(self.sh)
 +			if rc < 0:
 +				raise ValueError("Could not add SELinux user %s" % name)
-+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add Selinux User Record",
+		except ValueError, error:
-+					     name, 0, "", "", "", 1);
+			audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 0);
 +			raise error
 +		
 +		audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 1);
 		semanage_user_key_free(k)
 		semanage_user_free(u)
@ -423,7 +557,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
 -		rc = semanage_commit(self.sh)
 -		if rc < 0:
 -			raise ValueError("Could not modify SELinux user %s" % name)
 -		
 +			rc = semanage_user_modify_local(self.sh, k, u)
 +			if rc < 0:
 +				raise ValueError("Could not modify SELinux user %s" % name)
@ -433,12 +566,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
 +				raise ValueError("Could not modify SELinux user %s" % name)
 +
 +		except ValueError, error:
-+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+			audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 0);
 +						     name, 0, "", "", "", 0);
 +			raise error
-+
+ 		
-+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify Selinux User Record",
+		audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 1);
 +					     name, 0, "", "", "", 1);
 		semanage_user_key_free(k)
 		semanage_user_free(u)
@ -495,12 +626,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
 +			if rc < 0:
 +				raise ValueError("Could not delete SELinux user %s" % name)
 +		except ValueError, error:
-+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+			audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 0);
 +						     name, 0, "", "", "", 0);
 +			raise error
-+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"Delete Selinux User Record",
+		audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 1);
 +					     name, 0, "", "", "", 1);
 		semanage_user_key_free(k)		
 	def get_all(self):
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -1,10 +1,11 @@
 %define libauditver 1.1.4-3
 %define libsepolver 1.11.13-1
-%define libsemanagever 1.5.21-1
+%define libsemanagever 1.5.21-2
 %define libselinuxver 1.29.7-1
 Summary: SELinux policy core utilities.
 Name: policycoreutils
 Version: 1.29.20
-Release: 1
+Release: 2
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -12,7 +13,7 @@ Patch: policycoreutils-rhat.patch
 BuildRequires: pam-devel libsepol-devel >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver} 
 PreReq: /bin/mount /bin/egrep /bin/awk /usr/bin/diff
-Requires: libsepol >= %{libsepolver} libsemanage >= %{libsemanagever} libselinux-python coreutils audit-libs-python
+Requires: libsepol >= %{libsepolver} libsemanage >= %{libsemanagever} libselinux-python coreutils audit-libs-python >=  %{libauditver} 
 BuildRoot: %{_tmppath}/%{name}-buildroot
 %description
@ -97,6 +98,10 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_libdir}/python2.4/site-packages/seobject.py*
 %changelog
 * Tue Feb 07 2006 Dan Walsh <dwalsh@redhat.com> 1.29.20-2
 - Fix auditing to semanage
 - Change genhomedircon to use new prefix interface in libselinux
 * Tue Feb 07 2006 Dan Walsh <dwalsh@redhat.com> 1.29.20-1
 - Update from upstream
 	* Merged seuser/user_extra support patch to semodule_package