rpms/policycoreutils
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Add -N qualifier to semanage, setsebool and semodule to allow you to update

Browse Source 
- policy without reloading it into the kernel.
This commit is contained in:
Dan Walsh 2012-05-08 16:32:53 -04:00
parent 3348eaa82b
commit 4f5186ec4f
2 changed files with 379 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

390
policycoreutils-rhat.patch
View File

@ -13614,7 +13614,7 @@ index 0000000..398c6f2
+"""
diff --git a/policycoreutils/gui/templates/var_cache.py b/policycoreutils/gui/templates/var_cache.py
new file mode 100644
index 0000000..84b342f
index 0000000..8efc1d9
--- /dev/null
+++ b/policycoreutils/gui/templates/var_cache.py
@@ -0,0 +1,132 @@
@ -13690,7 +13690,7 @@ index 0000000..84b342f
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, TEMPLATETYPE_cache_t TEMPLATETYPE_cache_t)
+ read_files_pattern($1, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t)
+')
+
+########################################
@ -245858,7 +245858,7 @@ index 0000000..e2befdb
+ packages=["policycoreutils"],
+)
diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage
index 0c7c186..1986ab1 100644
index 0c7c186..d21f9c6 100644
--- a/policycoreutils/semanage/semanage
+++ b/policycoreutils/semanage/semanage
@@ -1,5 +1,5 @@
@ -245885,7 +245885,98 @@ index 0c7c186..1986ab1 100644
codeset = 'utf-8')
except IOError:
import __builtin__
@@ -283,11 +284,9 @@ Object-specific Options (see above):
@@ -52,16 +53,16 @@ if __name__ == '__main__':
semanage [ -S store ] -i [ input_file | - ]
semanage [ -S store ] -o [ output_file | - ]
-semanage login -{a|d|m|l|D|E} [-nsr] login_name | %groupname
-semanage user -{a|d|m|l|D|E} [-LnrRP] selinux_name
-semanage port -{a|d|m|l|D|E} [-ntr] [ -p proto ] port | port_range
-semanage interface -{a|d|m|l|D|E} [-ntr] interface_spec
-semanage module -{a|d|m} [--enable|--disable] module
-semanage node -{a|d|m|l|D|E} [-ntr] [ -p protocol ] [-M netmask] addr
-semanage fcontext -{a|d|m|l|D|E} [-efnrst] file_spec
-semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
-semanage permissive -{d|a|l} [-n] type
-semanage dontaudit [ on | off ]
+semanage login -{a|d|m|l|D|E} [-Nnsr] login_name | %groupname
+semanage user -{a|d|m|l|D|E} [-LNnrRP] selinux_name
+semanage port -{a|d|m|l|D|E} [-Nntr] [ -p proto ] port | port_range
+semanage interface -{a|d|m|l|D|E} [-Nntr] interface_spec
+semanage module -{a|d|m} [--enable|--disable] [-N] module
+semanage node -{a|d|m|l|D|E} [-Nntr] [ -p protocol ] [-M netmask] addr
+semanage fcontext -{a|d|m|l|D|E} [-Nefnrst] file_spec
+semanage boolean -{d|m} [--on|--off|-1|-0] [-N] -F boolean | boolean_file
+semanage permissive -{d|a|l} [-Nn] type
+semanage dontaudit [ on | off ] [-N]
Primary Options:
@@ -94,6 +95,7 @@ Object-specific Options (see above):
-F, --file Treat target as an input file for command, change multiple settings
-p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
-M, --mask Netmask
+ -N, --noreload Do not reload policy after commit
-e, --equal Substitue source path for dest path when labeling
-P, --prefix Prefix for home directory labeling
-L, --level Default SELinux Level (MLS/MCS Systems only)
@@ -119,22 +121,22 @@ Object-specific Options (see above):
valid_option["login"] = []
valid_option["login"] += valid_everyone + valid_local + [ '-s', '--seuser', '-r', '--range']
valid_option["user"] = []
- valid_option["user"] += valid_everyone + valid_local + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix' ]
+ valid_option["user"] += valid_everyone + valid_local + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix', '-N', '--noreload' ]
valid_option["port"] = []
- valid_option["port"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range', '-p', '--proto' ]
+ valid_option["port"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range', '-p', '--proto' , '-N', '--noreload' ]
valid_option["interface"] = []
- valid_option["interface"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range']
+ valid_option["interface"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range', '-N', '--noreload' ]
valid_option["node"] = []
- valid_option["node"] += valid_everyone + valid_local + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol']
+ valid_option["node"] += valid_everyone + valid_local + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol', '-N', '--noreload' ]
valid_option["module"] = []
- valid_option["module"] += valid_everyone + [ '--enable', '--disable']
+ valid_option["module"] += valid_everyone + [ '--enable', '--disable', '-N', '--noreload' ]
valid_option["fcontext"] = []
- valid_option["fcontext"] += valid_everyone + valid_local + [ '-e', '--equal', '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range']
+ valid_option["fcontext"] += valid_everyone + valid_local + [ '-e', '--equal', '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range', '-N', '--noreload' ]
valid_option["dontaudit"] = [ '-S', '--store' ]
valid_option["boolean"] = []
- valid_option["boolean"] += valid_everyone + valid_local + [ '--on', "--off", "-1", "-0", "-F", "--file"]
+ valid_option["boolean"] += valid_everyone + valid_local + [ '--on', "--off", "-1", "-0", "-F", "--file", '-N', '--noreload' ]
valid_option["permissive"] = []
- valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ]
+ valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' , '-N', '--noreload' ]
return valid_option
def mkargv(line):
@@ -197,6 +199,7 @@ Object-specific Options (see above):
seuser = ""
prefix = "user"
heading = True
+ reload = True
value = None
add = False
modify = False
@@ -222,7 +225,7 @@ Object-specific Options (see above):
try:
gopts, cmds = getopt.getopt(args,
- '01adEe:f:i:lhmnp:s:FCDR:L:r:t:P:S:M:',
+ '01adEe:f:i:lhmNnp:s:FCDR:L:r:t:P:S:M:',
['add',
'delete',
'deleteall',
@@ -237,6 +240,7 @@ Object-specific Options (see above):
'list',
'modify',
'noheading',
+ 'noreload',
'localist',
'off',
'on',
@@ -283,11 +287,9 @@ Object-specific Options (see above):
equal = a
if o == "--enable":
@ -245897,6 +245988,32 @@ index 0c7c186..1986ab1 100644
disable = True
if o == "-F" or o == "--file":
@@ -299,6 +301,9 @@ Object-specific Options (see above):
if o == "-n" or o == "--noheading":
heading = False
+ if o == "-N" or o == "--noreload":
+ reload = False
+
if o == "-C" or o == "--locallist":
locallist = True
@@ -380,6 +385,7 @@ Object-specific Options (see above):
OBJECT.list(heading, locallist)
return
+ OBJECT.set_reload(reload)
if deleteall:
OBJECT.deleteall()
return
@@ -554,6 +560,7 @@ Object-specific Options (see above):
trans.start()
for l in fd.readlines():
process_args(mkargv(l))
+ trans.set_reload(reload)
trans.finish()
else:
process_args(sys.argv[1:])
diff --git a/policycoreutils/semanage/semanage-bash-completion.sh b/policycoreutils/semanage/semanage-bash-completion.sh
index ff1285a..edefd9a 100644
--- a/policycoreutils/semanage/semanage-bash-completion.sh
@ -245911,10 +246028,47 @@ index ff1285a..edefd9a 100644
__get_permissive_opts () { echo '$ALL_OPTS -a --add -d --delete' ; }
diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8
index c5e18d9..9e086d1 100644
index c5e18d9..c1e70ae 100644
--- a/policycoreutils/semanage/semanage.8
+++ b/policycoreutils/semanage/semanage.8
@@ -44,9 +44,13 @@ Manage network node type definitions
@@ -14,54 +14,58 @@ Input local customizations
Manage booleans. Booleans allow the administrator to modify the confinement of
processes based on his configuration.
.br
-.B semanage boolean [\-S store] \-{d|m|l|D} [\-n] [\-\-on|\-\-off|\-\1|\-0] -F boolean | boolean_file
+.B semanage boolean [\-S store] \-{d|m|l|D} [\-nN] [\-\-on|\-\-off|\-\1|\-0] -F boolean | boolean_file
Manage SELinux confined users (Roles and levels for an SELinux user)
.br
-.B semanage user [\-S store] \-{a|d|m|l|D} [\-LnPrR] selinux_name
+.B semanage user [\-S store] \-{a|d|m|l|D} [\-LnNPrR] selinux_name
Manage login mappings between linux users and SELinux confined users.
.br
-.B semanage login [\-S store] \-{a|d|m|l|D} [\-nrs] login_name | %groupname
+.B semanage login [\-S store] \-{a|d|m|l|D} [\-nNrs] login_name | %groupname
Manage policy modules.
.br
-.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] module_name
+.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] [\-N] module_name
Manage network port type definitions
.br
-.B semanage port [\-S store] \-{a|d|m|l|D} [\-nrt] [\-p proto] port | port_range
+.B semanage port [\-S store] \-{a|d|m|l|D} [\-nNrt] [\-p proto] port | port_range
.br
Manage network interface type definitions
.br
-.B semanage interface [\-S store] \-{a|d|m|l|D} [\-nrt] interface_spec
+.B semanage interface [\-S store] \-{a|d|m|l|D} [\-nNrt] interface_spec
Manage network node type definitions
.br
-.B semanage node [\-S store] -{a|d|m|l|D} [-nrt] [ -p protocol ] [-M netmask] address
+.B semanage node [\-S store] -{a|d|m|l|D} [-nNrt] [ -p protocol ] [-M netmask] address
.br
Manage file context mapping definitions
.br
@ -245922,14 +246076,32 @@ index c5e18d9..9e086d1 100644
+.B semanage fcontext [\-S store] \-{l} [\-Cn]
.br
-.B semanage fcontext [\-S store] \-{a|d|m|l|D} [\-n] \-e replacement target
+.B semanage fcontext [\-S store] \-D
+.B semanage fcontext [\-S store] \-D [\-N]
+.br
+.B semanage fcontext [\-S store] \-{a|d|m} [\-frst] file_spec
+.B semanage fcontext [\-S store] \-{a|d|m} [\-Nfrst] file_spec
+.br
+.B semanage fcontext [\-S store] \-{a|d|m} \-e replacement target
.br
Manage processes type enforcement mode
.br
-.B semanage permissive [\-S store] \-{a|d|l|D} [\-n] type
+.B semanage permissive [\-S store] \-{a|d|l|D} [\-nN] type
.br
Disable/Enable dontaudit rules in policy
.br
-.B semanage dontaudit [\-S store] [ on | off ]
+.B semanage dontaudit [\-N] [\-S store] [ on | off ]
.P
Execute multiple commands within a single transaction.
.br
-.B semanage [\-S store] \-i command-file
+.B semanage [\-S store] [\-N] \-i command-file
.br
.SH "DESCRIPTION"
@@ -128,7 +132,7 @@ List the OBJECTS
List only locally defined settings, not base policy settings.
.TP
@ -245939,7 +246111,15 @@ index c5e18d9..9e086d1 100644
.TP
.I \-m, \-\-modify
Modify a OBJECT record NAME
@@ -144,6 +148,8 @@ Protocol for the specified port (tcp|udp) or internet protocol version for the s
@@ -139,11 +143,16 @@ Network Mask
.I \-n, \-\-noheading
Do not print heading when listing OBJECTS.
.TP
+.B \-N,\-\-noreload
+do not reload policy after commit
+.TP
.I \-p, \-\-proto
Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6).
.TP
.I \-r, \-\-range
MLS/MCS Security Range (MLS/MCS Systems only)
@ -245949,7 +246129,7 @@ index c5e18d9..9e086d1 100644
.I \-R, \-\-role
SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index 9745102..28cf30e 100644
index 9745102..13b5843 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -30,11 +30,10 @@ from IPy import IP
@ -245968,7 +246148,34 @@ index 9745102..28cf30e 100644
import syslog
@@ -483,7 +482,9 @@ class loginRecords(semanageRecords):
@@ -203,7 +202,7 @@ class semanageRecords:
store = None
def __init__(self, store):
global handle
-
+ self.reload = True
self.sh = self.get_handle(store)
rc, localstore = selinux.selinux_getpolicytype()
@@ -212,6 +211,9 @@ class semanageRecords:
else:
self.mylog = nulllogger()
+ def set_reload(self, reload):
+ self.reload = reload
+
def get_handle(self, store):
global is_mls_enabled
@@ -269,6 +271,7 @@ class semanageRecords:
def commit(self):
if semanageRecords.transaction:
return
+ semanage_set_reload(self.sh, self.reload)
rc = semanage_commit(self.sh)
if rc < 0:
self.mylog.commit(0)
@@ -483,7 +486,9 @@ class loginRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not check if login mapping for %s is defined") % name)
if exists:
@ -245979,7 +246186,7 @@ index 9745102..28cf30e 100644
if name[0] == '%':
try:
grp.getgrnam(name[1:])
@@ -728,7 +729,8 @@ class seluserRecords(semanageRecords):
@@ -728,7 +733,8 @@ class seluserRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not check if SELinux user %s is defined") % name)
if exists:
@ -245989,7 +246196,7 @@ index 9745102..28cf30e 100644
(rc, u) = semanage_user_create(self.sh)
if rc < 0:
@@ -1252,7 +1254,8 @@ class nodeRecords(semanageRecords):
@@ -1252,7 +1258,8 @@ class nodeRecords(semanageRecords):
(rc, exists) = semanage_node_exists(self.sh, k)
if exists:
@ -245999,7 +246206,7 @@ index 9745102..28cf30e 100644
(rc, node) = semanage_node_create(self.sh)
if rc < 0:
@@ -1450,7 +1453,8 @@ class interfaceRecords(semanageRecords):
@@ -1450,7 +1457,8 @@ class interfaceRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not check if interface %s is defined") % interface)
if exists:
@ -246009,7 +246216,7 @@ index 9745102..28cf30e 100644
(rc, iface) = semanage_iface_create(self.sh)
if rc < 0:
@@ -1733,7 +1737,8 @@ class fcontextRecords(semanageRecords):
@@ -1733,7 +1741,8 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Could not check if file context for %s is defined") % target)
if exists:
@ -246019,7 +246226,7 @@ index 9745102..28cf30e 100644
(rc, fcontext) = semanage_fcontext_create(self.sh)
if rc < 0:
@@ -1920,6 +1925,10 @@ class fcontextRecords(semanageRecords):
@@ -1920,6 +1929,10 @@ class fcontextRecords(semanageRecords):
for k in keys:
if fcon_dict[k]:
l.append("-a -f '%s' -t %s '%s'" % (k[1], fcon_dict[k][2], k[0]))
@ -246030,6 +246237,51 @@ index 9745102..28cf30e 100644
return l
def list(self, heading = 1, locallist = 0 ):
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index 9fb2b78..9f911fb 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -53,7 +53,7 @@ display list of installed modules (other than base)
.B \-s,\-\-store
name of the store to operate on
.TP
-.B \-n,\-\-noreload
+.B \-n,\-\-noreload,\-N
do not reload policy after commit
.TP
.B \-h,\-\-help
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 764d476..17b4fa5 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -114,7 +114,7 @@ static void usage(char *progname)
(" -l,--list-modules display list of installed modules\n");
printf("Other options:\n");
printf(" -s,--store name of the store to operate on\n");
- printf(" -n,--noreload do not reload policy after commit\n");
+ printf(" -N,-n,--noreload do not reload policy after commit\n");
printf(" -h,--help print this message and quit\n");
printf(" -v,--verbose be verbose\n");
printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
@@ -175,7 +175,7 @@ static void parse_command_line(int argc, char **argv)
no_reload = 0;
create_store = 0;
while ((i =
- getopt_long(argc, argv, "p:s:b:hi:lvqe:d:r:u:RnBDP", opts,
+ getopt_long(argc, argv, "p:s:b:hi:lvqe:d:r:u:RnNBDP", opts,
NULL)) != -1) {
switch (i) {
case 'b':
@@ -218,6 +218,9 @@ static void parse_command_line(int argc, char **argv)
case 'n':
no_reload = 1;
break;
+ case 'N':
+ no_reload = 1;
+ break;
case 'B':
build = 1;
break;
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index 9a7d315..1b59e2f 100644
--- a/policycoreutils/setfiles/restore.c
@ -246666,3 +246918,109 @@ index fa0cd6a..f64ee16 100644
+ free(r_opts.rootpath);
exit(errors);
}
diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8
index 2b66bad..38abeb8 100644
--- a/policycoreutils/setsebool/setsebool.8
+++ b/policycoreutils/setsebool/setsebool.8
@@ -4,7 +4,7 @@ setsebool \- set SELinux boolean value
.SH "SYNOPSIS"
.B setsebool
-.I "[ -P ] boolean value | bool1=val1 bool2=val2 ..."
+.I "[ -PN ] boolean value | bool1=val1 bool2=val2 ..."
.SH "DESCRIPTION"
.B setsebool
@@ -18,6 +18,9 @@ are not changed.
If the -P option is given, all pending values are written to
the policy file on disk. So they will be persistent across reboots.
+If the -N option is given, the policy on disk is not reloaded into the kernel.
+
+
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
The program was written by Tresys Technology.
diff --git a/policycoreutils/setsebool/setsebool.c b/policycoreutils/setsebool/setsebool.c
index d6c041b..ba118f3 100644
--- a/policycoreutils/setsebool/setsebool.c
+++ b/policycoreutils/setsebool/setsebool.c
@@ -6,6 +6,7 @@
#include <fcntl.h>
#include <errno.h>
#include <syslog.h>
+#include <getopt.h>
#include <pwd.h>
#include <selinux/selinux.h>
#include <semanage/handle.h>
@@ -15,13 +16,14 @@
#include <errno.h>
int permanent = 0;
+int reload = 1;
int setbool(char **list, size_t start, size_t end);
void usage(void)
{
fputs
- ("\nUsage: setsebool [ -P ] boolean value | bool1=val1 bool2=val2...\n\n",
+ ("\nUsage: setsebool [ -NP ] boolean value | bool1=val1 bool2=val2...\n\n",
stderr);
exit(1);
}
@@ -29,7 +31,7 @@ void usage(void)
int main(int argc, char **argv)
{
size_t rc, start;
-
+ int clflag; /* holds codes for command line flags */
if (argc < 2)
usage();
@@ -38,14 +40,30 @@ int main(int argc, char **argv)
return 1;
}
- if (strcmp(argv[1], "-P") == 0) {
- permanent = 1;
- if (argc < 3)
+ while (1) {
+ clflag = getopt(argc, argv, "PN");
+ if (clflag == -1)
+ break;
+
+ switch (clflag) {
+ case 'P':
+ permanent = 1;
+ break;
+ case 'N':
+ reload = 0;
+ break;
+ default:
usage();
- start = 2;
- } else
- start = 1;
+ break;
+ }
+ }
+
+ if (argc - optind < 1) {
+ fprintf(stderr, "Error: boolean name required\n");
+ usage();
+ }
+ start = argc-optind;
/* Check to see which way we are being called. If a '=' is passed,
we'll enforce the list syntax. If not we'll enforce the original
syntax for backward compatibility. */
@@ -165,7 +183,7 @@ static int semanage_set_boolean_list(size_t boolcnt,
boolean = NULL;
}
- semanage_set_reload(handle, 0);
+ semanage_set_reload(handle, reload);
if (semanage_commit(handle) < 0)
goto err;

6
policycoreutils.spec
View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.11
Release: 11%{?dist}
Release: 12%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -340,6 +340,10 @@ fi
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
* Tue May 8 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-12
- Add -N qualifier to semanage, setsebool and semodule to allow you to update
- policy without reloading it into the kernel.
* Thu May 3 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-11
- add some definition to the standard types available for sandboxes