From 4c352814553c995dc826a92f69dceaaf6b625566 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Tue, 27 Dec 2005 15:08:31 +0000 Subject: [PATCH] * Tue Dec 27 2005 Dan Walsh 1.29.2-9 - Fixes for semanage, patch from Ivan and added a test script --- policycoreutils-rhat.patch | 448 ++++++++++++++++++++++++++++++++++++- policycoreutils.spec | 5 +- 2 files changed, 444 insertions(+), 9 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index b12dad4..b942574 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -228,7 +228,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat.8 policyco chcon(1), selinux(8) diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.2/scripts/genhomedircon --- nsapolicycoreutils/scripts/genhomedircon 2005-12-07 07:28:00.000000000 -0500 -+++ policycoreutils-1.29.2/scripts/genhomedircon 2005-12-23 19:35:20.000000000 -0500 ++++ policycoreutils-1.29.2/scripts/genhomedircon 2005-12-27 08:54:19.000000000 -0500 @@ -1,4 +1,4 @@ -#! /usr/bin/env python +#! /usr/bin/python @@ -555,7 +555,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po else: homedirs.append(homedir) -@@ -333,7 +359,7 @@ +@@ -333,7 +359,3 @@ except getopt.error, error: errorExit("Options Error %s " % error) @@ -563,10 +563,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po - errorExit("ValueError %s" % error) -except IndexError, error: - errorExit("IndexError") -+#except ValueError, error: -+# errorExit("ValueError %s" % error) -+#except IndexError, error: -+# errorExit("IndexError %s" % error) diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/selisteners policycoreutils-1.29.2/scripts/selisteners --- nsapolicycoreutils/scripts/selisteners 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-1.29.2/scripts/selisteners 2005-12-22 16:29:28.000000000 -0500 
@@ -684,8 +680,28 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/tests/setrans.co +s0:c3=NDA_Yoyodyne diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.2/semanage/semanage --- nsapolicycoreutils/semanage/semanage 2005-11-29 10:55:01.000000000 -0500 -+++ policycoreutils-1.29.2/semanage/semanage 2005-12-24 07:16:12.000000000 -0500 -@@ -35,7 +35,7 @@ ++++ policycoreutils-1.29.2/semanage/semanage 2005-12-27 10:04:46.000000000 -0500 +@@ -24,22 +24,27 @@ + from semanage import *; + class loginRecords: + def __init__(self): +- self.sh=semanage_handle_create() +- self.semanaged=semanage_is_managed(self.sh) ++ self.sh = semanage_handle_create() ++ self.semanaged = semanage_is_managed(self.sh) + if self.semanaged: + semanage_connect(self.sh) + + def add(self, name, sename, serange): +- (rc,k)=semanage_seuser_key_create(self.sh, name) +- (rc,exists)= semanage_seuser_exists(self.sh, k) ++ if serange == "": ++ serange = "s0" ++ if sename == "": ++ sename = "user_u" ++ ++ (rc,k) = semanage_seuser_key_create(self.sh, name) ++ (rc,exists) = semanage_seuser_exists(self.sh, k) if exists: raise ValueError("SELinux User %s mapping already defined" % name) try: 
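Review bot: In loginRecords.add the `rc` values returned by `semanage_seuser_key_create` and `semanage_seuser_exists` are assigned and then never inspected, so a failed key creation or lookup falls straight through to `if exists:` and can continue on to create a mapping against an unusable key; guard it right after the exists call, e.g. `if rc != 0: raise ValueError("Could not query SELinux user mapping for %s" % name)`. The new `"s0"` and `"user_u"` fallbacks deserve a one-line comment stating that they are the defaults applied when the caller passes empty strings, since the command-line block appears to now initialise `serange` and `seuser` to `""` and rely on them. loginRecords.add continues past the end of this hunk.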
@@ -694,3 +710,419 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policy except: raise ValueError("Linux User %s does not exist" % name) +- (rc,u)= semanage_seuser_create(self.sh) ++ (rc,u) = semanage_seuser_create(self.sh) + semanage_seuser_set_name(self.sh, u, name) + semanage_seuser_set_mlsrange(self.sh, u, serange) + semanage_seuser_set_sename(self.sh, u, sename) +@@ -48,12 +53,13 @@ + if semanage_commit(self.sh) != 0: + raise ValueError("Failed to add SELinux user mapping") + +- def modify(self, name, sename="", serange=""): +- (rc,k)=semanage_seuser_key_create(self.sh, name) +- (rc,u)= semanage_seuser_query(self.sh, k) +- if rc !=0 : ++ def modify(self, name, sename = "", serange = ""): ++ (rc,k) = semanage_seuser_key_create(self.sh, name) ++ (rc,exists) = semanage_seuser_exists(self.sh, k) ++ if not exists: + raise ValueError("SELinux user %s mapping is not defined." % name) +- if sename == "" and serange=="": ++ (rc,u) = semanage_seuser_query(self.sh, k) ++ if sename == "" and serange == "": + raise ValueError("Requires, seuser or serange") + if serange != "": + semanage_seuser_set_mlsrange(self.sh, u, serange) +@@ -66,9 +72,9 @@ + + + def delete(self, name): +- (rc,k)=semanage_seuser_key_create(self.sh, name) +- (rc,exists)= semanage_seuser_exists(self.sh, k) +- if rc !=0 : ++ (rc,k) = semanage_seuser_key_create(self.sh, name) ++ (rc,exists) = semanage_seuser_exists(self.sh, k) ++ if not exists: + raise ValueError("SELinux user %s mapping is not defined." 
% name) + semanage_begin_transaction(self.sh) + semanage_seuser_del(self.sh, k) +@@ -79,25 +85,29 @@ + print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range") + (status, self.ulist, self.usize) = semanage_seuser_list(self.sh) + for idx in range(self.usize): +- u=semanage_seuser_by_idx(self.ulist, idx) +- name=semanage_seuser_get_name(u) ++ u = semanage_seuser_by_idx(self.ulist, idx) ++ name = semanage_seuser_get_name(u) + + print "%-25s %-25s %-25s" % (name, semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u)) + + class seluserRecords: + def __init__(self): +- roles=[] +- self.sh=semanage_handle_create() +- self.semanaged=semanage_is_managed(self.sh) ++ roles = [] ++ self.sh = semanage_handle_create() ++ self.semanaged = semanage_is_managed(self.sh) + if self.semanaged: + semanage_connect(self.sh) + + def add(self, name, roles, selevel, serange): +- (rc,k)=semanage_user_key_create(self.sh, name) +- (rc,exists)= semanage_user_exists(self.sh, k) ++ if serange == "": ++ serange = "s0" ++ if selevel == "": ++ selevel = "s0" ++ (rc,k) = semanage_user_key_create(self.sh, name) ++ (rc,exists) = semanage_user_exists(self.sh, k) + if exists: + raise ValueError("Seuser %s already defined" % name) +- (rc,u)= semanage_user_create(self.sh) ++ (rc,u) = semanage_user_create(self.sh) + semanage_user_set_name(self.sh, u, name) + for r in roles: + semanage_user_add_role(self.sh, u, r) +@@ -109,17 +119,13 @@ + if semanage_commit(self.sh) != 0: + raise ValueError("Failed to add SELinux user") + +- self.dict[name]=seluser(name, roles, selevel, serange) +- +- def modify(self, name, roles=[], selevel="", serange=""): +- (rc,k)=semanage_user_key_create(self.sh, name) +- (rc,exists)= semanage_user_exists(self.sh, k) ++ def modify(self, name, roles = [], selevel = "", serange = ""): ++ (rc,k) = semanage_user_key_create(self.sh, name) ++ (rc,exists) = semanage_user_exists(self.sh, k) + if not exists: + raise ValueError("user %s is not defined" % name) +- 
(rc,u)= semanage_user_query(self.sh, k) +- if rc !=0 : +- raise ValueError("User %s is not defined." % name) +- if len(roles) == 0 and serange=="" and selevel=="": ++ (rc,u) = semanage_user_query(self.sh, k) ++ if len(roles) == 0 and serange == "" and selevel == "": + raise ValueError("Requires, roles, level or range") + if serange != "": + semanage_user_set_mlsrange(self.sh, u, serange) +@@ -127,17 +133,15 @@ + semanage_user_set_mlslevel(self.sh, u, selevel) + if len(roles) != 0: + for r in roles: +- print r + semanage_user_add_role(self.sh, u, r) + semanage_begin_transaction(self.sh) + semanage_user_modify_local(self.sh, k, u) + if semanage_commit(self.sh) != 0: + raise ValueError("Failed to modify SELinux user") +- + + def delete(self, name): +- (rc,k)=semanage_user_key_create(self.sh, name) +- (rc,exists)= semanage_user_exists(self.sh, k) ++ (rc,k) = semanage_user_key_create(self.sh, name) ++ (rc,exists) = semanage_user_exists(self.sh, k) + if not exists: + raise ValueError("user %s is not defined" % name) + semanage_begin_transaction(self.sh) +@@ -150,31 +154,30 @@ + print "%-15s %-10s %-15s %-20s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles") + (status, self.ulist, self.usize) = semanage_user_list(self.sh) + for idx in range(self.usize): +- u=semanage_user_by_idx(self.ulist, idx) +- name=semanage_user_get_name(u) ++ u = semanage_user_by_idx(self.ulist, idx) ++ name = semanage_user_get_name(u) + (status, rlist, rlist_size) = semanage_user_get_roles(self.sh, u) +- roles="" ++ roles = "" + + if rlist_size: +- roles+=char_by_idx(rlist, 0) ++ roles += char_by_idx(rlist, 0) + for ridx in range (1,rlist_size): +- roles+=" " + char_by_idx(rlist, ridx) ++ roles += " " + char_by_idx(rlist, ridx) + print "%-15s %-10s %-15s %s" % (semanage_user_get_name(u), semanage_user_get_mlslevel(u), semanage_user_get_mlsrange(u), roles) + + class portRecords: + def __init__(self): +- self.dict={} +- self.sh=semanage_handle_create() +- 
self.semanaged=semanage_is_managed(self.sh) ++ self.sh = semanage_handle_create() ++ self.semanaged = semanage_is_managed(self.sh) + if self.semanaged: + semanage_connect(self.sh) + + def add(self, name, type): +- (rc,k)=semanage_port_key_create(self.sh, name) +- (rc,exists)= semanage_port_exists(self.sh, k) ++ (rc,k) = semanage_port_key_create(self.sh, name) ++ (rc,exists) = semanage_port_exists(self.sh, k) + if exists: + raise ValueError("User %s already defined" % name) +- (rc,u)= semanage_port_create(self.sh) ++ (rc,u) = semanage_port_create(self.sh) + semanage_port_set_name(self.sh, u, name) + semanage_port_set_mlsrange(self.sh, u, serange) + semanage_port_set_sename(self.sh, u, sename) +@@ -184,11 +187,11 @@ + raise ValueError("Failed to add port") + + def modify(self, name, type): +- (rc,k)=semanage_port_key_create(self.sh, name) +- (rc,u)= semanage_port_query(self.sh, k) +- if rc !=0 : ++ (rc,k) = semanage_port_key_create(self.sh, name) ++ (rc,u) = semanage_port_query(self.sh, k) ++ if rc != 0 : + raise ValueError("User %s is not defined." 
% name) +- if sename == "" and serange=="": ++ if sename == "" and serange == "": + raise ValueError("Requires, port or serange") + if serange != "": + semanage_port_set_mlsrange(self.sh, u, serange) +@@ -200,7 +203,7 @@ + raise ValueError("Failed to add port") + + def delete(self, name): +- (rc,k)=semanage_port_key_create(self.sh, name) ++ (rc,k) = semanage_port_key_create(self.sh, name) + semanage_begin_transaction(self.sh) + semanage_port_del(self.sh, k) + if semanage_commit(self.sh) != 0: +@@ -210,13 +213,13 @@ + (status, self.plist, self.psize) = semanage_port_list(self.sh) + print "%-25s %s\n" % ("SELinux Port Name", "Port Number") + for idx in range(self.psize): +- u=semanage_port_by_idx(self.plist, idx) +- name=semanage_port_get_name(u) ++ u = semanage_port_by_idx(self.plist, idx) ++ name = semanage_port_get_name(u) + print "%20s %d" % ( name, semanage_port_get_number(u)) + + if __name__ == '__main__': + +- def usage(message=""): ++ def usage(message = ""): + print '\ + semanage user [-admsRrh] SELINUX_USER\n\ + semanage login [-admsrh] LOGIN_NAME\n\ +@@ -245,26 +248,26 @@ + # + # + try: +- objectlist=("login", "user", "port") +- input=sys.stdin +- output=sys.stdout +- serange="s0" +- selevel="s0" +- roles="" +- seuser="" +- type="" +- add=0 +- modify=0 +- delete=0 +- list=0 ++ objectlist = ("login", "user", "port") ++ input = sys.stdin ++ output = sys.stdout ++ serange = "" ++ selevel = "" ++ roles = "" ++ seuser = "" ++ ++ add = 0 ++ modify = 0 ++ delete = 0 ++ list = 0 + if len(sys.argv) < 3: + usage("Requires 2 or more arguments") + +- object=sys.argv[1] ++ object = sys.argv[1] + if object not in objectlist: + usage("%s not defined" % object) + +- args=sys.argv[2:] ++ args = sys.argv[2:] + gopts, cmds = getopt.getopt(args, + 'adlhms:R:r:t:v', + ['add', +@@ -282,46 +285,46 @@ + if o == "-a" or o == "--add": + if modify or delete: + usage() +- add=1 ++ add = 1 + + if o == "-d" or o == "--delese": + if modify or add: + usage() +- delete=1 ++ delete = 1 + 
if o == "-h" or o == "--help": + usage() + + if o == "-m"or o == "--modify": + if delete or add: + usage() +- modify=1 ++ modify = 1 + + if o == "-r" or o == '--range': +- serange=a ++ serange = a + + if o == "-R" or o == '--roles': +- roles=a ++ roles = a + + if o == "-t" or o == "--type": +- type=a ++ type = a + + if o == "-l" or o == "--list": +- list=1 ++ list = 1 + + if o == "-s" or o == "--seuser": +- seuser=a ++ seuser = a + + if o == "-v" or o == "--verbose": +- verbose=1 ++ verbose = 1 + + if object == "login": +- OBJECT=loginRecords() ++ OBJECT = loginRecords() + + if object == "user": +- OBJECT=seluserRecords() ++ OBJECT = seluserRecords() + + if object == "port": +- OBJECT=portRecords() ++ OBJECT = portRecords() + + if list: + OBJECT.list() +@@ -330,21 +333,22 @@ + if len(cmds) != 1: + usage() + +- name=cmds[0] ++ name = cmds[0] + + if add: + if object == "login": + OBJECT.add(name, seuser, serange) + + if object == "user": +- rlist=roles.split() +- print rlist ++ rlist = roles.split() ++ if len(rlist) == 0: ++ raise ValueError("You must specify a role") ++ + OBJECT.add(name, rlist, selevel, serange) + + if object == "port": + OBJECT.add(name, type) + +- OBJECT.list() + sys.exit(0); + + if modify: +@@ -352,14 +356,12 @@ + OBJECT.modify(name, seuser, serange) + + if object == "user": +- rlist=roles.split() +- print rlist ++ rlist = roles.split() + OBJECT.modify(name, rlist, selevel, serange) + + if object == "port": + OBJECT.modify(name, type) + sys.exit(0); +- OBJECT.list() + sys.exit(0); + + if delete: +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/tests/semanage_test policycoreutils-1.29.2/semanage/tests/semanage_test +--- nsapolicycoreutils/semanage/tests/semanage_test 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.29.2/semanage/tests/semanage_test 2005-12-27 10:07:15.000000000 -0500 +@@ -0,0 +1,67 @@ ++#!/bin/sh -x ++# ++# This is a test script for the semanage command ++# ++echo " ++ ++******************** semanage 
List Failue test ************************ ++" ++semanage -l ++echo " ++ ++******************** semanage Mapping test ************************ ++" ++echo " * Mapping List test" ++semanage login -l ++echo " * Add mapping exist test" ++semanage login -a root ++echo " * Add new test" ++echo " * Add selinux login to selinux user mapping, username wrong" ++semanage login -a semanage_test1 ++userdel -r semanage_test1 2> /dev/null ++useradd semanage_test1 ++echo " * Add selinux login to selinux user mapping, Bad SELinux User" ++semanage login -a -s BadUser semanage_test1 ++echo " * Add selinux login to selinux user mapping, username correct" ++semanage login -a semanage_test1 ++semanage login -l ++userdel -r semanage_test1 ++echo " * remove selinux login to selinux user mapping, username wrong" ++semanage login -d semanage_test2 ++echo " * remove selinux login to selinux user mapping, username correct" ++semanage login -d semanage_test1 ++semanage login -l ++ ++echo " ++ ++******************** semanage SELinux User test ************************ ++" ++echo " * SELinux User List test" ++semanage user -l ++echo " * Add SELinux User exist test: Fail because root exist" ++semanage user -a -R user_r root ++echo " * Add SELinux User exist test: Fail because no role specified" ++semanage user -a -r s0 semanage_test1 ++echo " * Add selinux user semanage_test1: Success" ++semanage user -a -R user_r -r s0 semanage_test1 ++semanage user -l ++echo " * Modify selinux user semanage_test1 Failue bad range" ++semanage user -m -r BadRange semanage_test1 ++echo " * Modify selinux user semanage_test1 Failue bad role" ++semanage user -m -R BadRole semanage_test1 ++echo " * Modify selinux user semanage_test1" ++semanage user -m -r s0:c1,c5 semanage_test1 ++semanage user -l ++echo " * Delete selinux user semanage_test2: Fail does not exist" ++semanage user -d semanage_test2 ++echo " * Delete selinux user semanage_test1" ++semanage user -d semanage_test1 ++semanage user -l ++ ++#echo " ++# 
++#******************** semanage SELinux ports test ************************ ++#" ++#semanage port -l ++#semanage port -a httpd_port_t ++#semanage port -d httpd_port_t diff --git a/policycoreutils.spec b/policycoreutils.spec index 63ddf37..a3256d1 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -4,7 +4,7 @@ Summary: SELinux policy core utilities. Name: policycoreutils Version: 1.29.2 -Release: 8 +Release: 9 License: GPL Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -96,6 +96,9 @@ rm -rf ${RPM_BUILD_ROOT} %config(noreplace) %{_sysconfdir}/sestatus.conf %changelog +* Tue Dec 27 2005 Dan Walsh 1.29.2-9 +- Fixes for semanage, patch from Ivan and added a test script + * Sat Dec 24 2005 Dan Walsh 1.29.2-8 - Fix getpwnam call
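Review bot: Replacing `if rc != 0` with `if not exists` in loginRecords.modify and seluserRecords.modify leaves the return code of `semanage_seuser_query` / `semanage_user_query` unchecked, so a failed query hands an unusable `u` to the following `semanage_*_set_*` and `*_modify_local` calls; keep a guard immediately after the query, `if rc != 0: raise ValueError("Could not query SELinux user %s" % name)`. In the `__main__` block the `type=""` initialisation was removed without a replacement, so `semanage port -a NAME` given without `-t` now passes the `type` builtin into portRecords.add — restore `type = ""` next to `seuser = ""`. `modify(self, name, roles = [], ...)` in seluserRecords introduces a mutable default argument; `roles` is only read here, but `roles = None` followed by `roles = roles or []` is the safer idiom. The new semanage_test script runs `useradd`, `userdel -r` and writes to the live policy store as root with no cleanup if an intermediate step fails; a header comment stating it must only be run on a disposable test system, plus a trailing cleanup of `semanage_test1`, would make that explicit.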