From 51c06b5513e251bc4dfefa528167e7bcf2627d29 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 8 Aug 2008 21:04:55 +0000
Subject: [PATCH] * Thu Aug 7 2008 Dan Walsh 2.0.54-5 - Fixes for multiple transactions
---
policycoreutils-rhat.patch | 242 +++++++++++++++++++++++--------------
policycoreutils.spec | 4 +-
2 files changed, 155 insertions(+), 91 deletions(-)
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 43888dd..c5bb9e0 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -328,7 +328,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po - sys.exit(0) diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.54/semanage/seobject.py --- nsapolicycoreutils/semanage/seobject.py 2008-08-05 09:58:26.000000000 -0400
-+++ policycoreutils-2.0.54/semanage/seobject.py 2008-08-07 10:57:22.000000000 -0400
++++ policycoreutils-2.0.54/semanage/seobject.py 2008-08-08 17:02:42.000000000 -0400 @@ -26,7 +26,6 @@ PROGNAME="policycoreutils" import sepolgen.module as module
@@ -412,11 +412,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po + else: + self.sh=get_handle(store) + self.transaction = False -+ -+ def deleteall(self): -+ raise ValueError(_("Not yet implemented")) - rc = semanage_connect(self.sh) ++ def deleteall(self): ++ raise ValueError(_("Not yet implemented")) ++ + def begin(self): + if self.transaction: + return
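Review bot: `begin()` returns silently when `self.transaction` is already set, so a nested `begin()` is folded into the outer one and only the caller that opened the transaction owns the `commit()` that takes effect; nothing in the `@@ -412` hunk records that contract. A docstring on `begin()` should state it, e.g. `"""Open a semanage transaction unless one is already open; the caller that opened it owns commit()."""`, and the matching `commit()`, which is outside this hunk, should say the same. `deleteall` raising `ValueError(_("Not yet implemented"))` presumably keeps the error inside the ValueError family the callers already handle; if they do not depend on the type, `NotImplementedError` names the condition more honestly. The body of `begin()` continues outside the hunk.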
@@ -512,32 +512,95 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po if is_mls_enabled == 1: if serange == "": serange = "s0" -@@ -387,7 +387,6 @@ +@@ -387,153 +387,145 @@ if sename == "": sename = "user_u" - try: - (rc,k) = semanage_seuser_key_create(self.sh, name) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) -@@ -425,115 +424,108 @@ - if rc < 0: - raise ValueError(_("Could not set SELinux user for %s") % name) +- (rc,k) = semanage_seuser_key_create(self.sh, name) +- if rc < 0: +- raise ValueError(_("Could not create a key for %s") % name) ++ (rc,k) = semanage_seuser_key_create(self.sh, name) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for %s") % name) + +- (rc,exists) = semanage_seuser_exists(self.sh, k) +- if rc < 0: +- raise ValueError(_("Could not check if login mapping for %s is defined") % name) +- if exists: +- raise ValueError(_("Login mapping for %s is already defined") % name) +- if name[0] == '%': +- try: +- grp.getgrnam(name[1:]) +- except: +- raise ValueError(_("Linux Group %s does not exist") % name[1:]) +- else: +- try: +- pwd.getpwnam(name) +- except: +- raise ValueError(_("Linux User %s does not exist") % name) ++ (rc,exists) = semanage_seuser_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if login mapping for %s is defined") % name) ++ if exists: ++ raise ValueError(_("Login mapping for %s is already defined") % name) ++ if name[0] == '%': ++ try: ++ grp.getgrnam(name[1:]) ++ except: ++ raise ValueError(_("Linux Group %s does not exist") % name[1:]) ++ else: ++ try: ++ pwd.getpwnam(name) ++ except: ++ raise ValueError(_("Linux User %s does not exist") % name) + +- (rc,u) = semanage_seuser_create(self.sh) +- if rc < 0: +- raise ValueError(_("Could not create login mapping for %s") % name) ++ (rc,u) = semanage_seuser_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create login mapping for %s") % name) + +- rc = 
semanage_seuser_set_name(self.sh, u, name) +- if rc < 0: +- raise ValueError(_("Could not set name for %s") % name) ++ rc = semanage_seuser_set_name(self.sh, u, name) ++ if rc < 0: ++ raise ValueError(_("Could not set name for %s") % name) + +- if serange != "": +- rc = semanage_seuser_set_mlsrange(self.sh, u, serange) +- if rc < 0: +- raise ValueError(_("Could not set MLS range for %s") % name) ++ if serange != "": ++ rc = semanage_seuser_set_mlsrange(self.sh, u, serange) ++ if rc < 0: ++ raise ValueError(_("Could not set MLS range for %s") % name) + +- rc = semanage_seuser_set_sename(self.sh, u, sename) +- if rc < 0: +- raise ValueError(_("Could not set SELinux user for %s") % name) ++ rc = semanage_seuser_set_sename(self.sh, u, sename) ++ if rc < 0: ++ raise ValueError(_("Could not set SELinux user for %s") % name) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError(_("Could not start semanage transaction")) -- - rc = semanage_seuser_modify_local(self.sh, k, u) - if rc < 0: - raise ValueError(_("Could not add login mapping for %s") % name) ++ rc = semanage_seuser_modify_local(self.sh, k, u) ++ if rc < 0: ++ raise ValueError(_("Could not add login mapping for %s") % name) -- rc = semanage_commit(self.sh) +- rc = semanage_seuser_modify_local(self.sh, k, u) - if rc < 0: - raise ValueError(_("Could not add login mapping for %s") % name) + semanage_seuser_key_free(k) + semanage_seuser_free(u) -+ + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not add login mapping for %s") % name) + def add(self, name, sename, serange): + try: + self.begin() 
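Review bot: The bare `except:` clauses around `grp.getgrnam(name[1:])` and `pwd.getpwnam(name)` in the new `__add` body catch everything, including KeyboardInterrupt and NSS lookup failures, and report all of them as the user or group not existing; `except KeyError:` is the case these branches mean to handle. The `semanage_seuser_key_free(k)` / `semanage_seuser_free(u)` calls run only on the success path, so every `raise ValueError` after `semanage_seuser_key_create` and `semanage_seuser_create` leaks the key and the record; the same pattern is in the SELinux-user `__add` and `__modify` hunks below (`@@ -736`, `@@ -843`, `@@ -893`). Freeing what was created before each raise, or a `try`/`finally` around the libsemanage calls, would close that. `name[0] == '%'` raises IndexError rather than a ValueError if an empty `name` can reach this method. The new `add` wrapper at the end of the hunk continues outside it.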
@@ -723,12 +786,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po - (rc,k) = semanage_user_key_create(self.sh, name) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) -- -- (rc,exists) = semanage_user_exists(self.sh, k) -- if rc < 0: -- raise ValueError(_("Could not check if SELinux user %s is defined") % name) -- if exists: -- raise ValueError(_("SELinux user %s is already defined") % name) + if len(roles) < 1: + raise ValueError(_("You must add at least one role for %s") % name) + 
@@ -736,39 +793,45 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) -- (rc,u) = semanage_user_create(self.sh) +- (rc,exists) = semanage_user_exists(self.sh, k) - if rc < 0: -- raise ValueError(_("Could not create SELinux user for %s") % name) +- raise ValueError(_("Could not check if SELinux user %s is defined") % name) +- if exists: +- raise ValueError(_("SELinux user %s is already defined") % name) + (rc,exists) = semanage_user_exists(self.sh, k) + if rc < 0: + raise ValueError(_("Could not check if SELinux user %s is defined") % name) + if exists: + raise ValueError(_("SELinux user %s is already defined") % name) -- rc = semanage_user_set_name(self.sh, u, name) +- (rc,u) = semanage_user_create(self.sh) - if rc < 0: -- raise ValueError(_("Could not set name for %s") % name) +- raise ValueError(_("Could not create SELinux user for %s") % name) + (rc,u) = semanage_user_create(self.sh) + if rc < 0: + raise ValueError(_("Could not create SELinux user for %s") % name) +- rc = semanage_user_set_name(self.sh, u, name) +- if rc < 0: +- raise ValueError(_("Could not set name for %s") % name) ++ rc = semanage_user_set_name(self.sh, u, name) ++ if rc < 0: ++ raise ValueError(_("Could not set name for %s") % name) + - for r in roles: - rc = semanage_user_add_role(self.sh, u, r) - if rc < 0: - raise ValueError(_("Could not add role %s for %s") % (r, name)) -+ rc = semanage_user_set_name(self.sh, u, name) -+ if rc < 0: -+ raise ValueError(_("Could not set name for %s") % name) - -- if is_mls_enabled == 1: -- rc = semanage_user_set_mlsrange(self.sh, u, serange) -- if rc < 0: -- raise ValueError(_("Could not set MLS range for %s") % name) + for r in roles: + rc = semanage_user_add_role(self.sh, u, r) + if rc < 0: + raise ValueError(_("Could not add role %s for %s") % (r, name)) +- if is_mls_enabled == 1: +- rc = semanage_user_set_mlsrange(self.sh, u, serange) +- if rc < 
0: +- raise ValueError(_("Could not set MLS range for %s") % name) +- - rc = semanage_user_set_mlslevel(self.sh, u, selevel) - if rc < 0: - raise ValueError(_("Could not set MLS level for %s") % name) 
@@ -843,33 +906,58 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po - (rc,k) = semanage_user_key_create(self.sh, name) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) -+ (rc,k) = semanage_user_key_create(self.sh, name) -+ if rc < 0: -+ raise ValueError(_("Could not create a key for %s") % name) - +- - (rc,exists) = semanage_user_exists(self.sh, k) - if rc < 0: - raise ValueError(_("Could not check if SELinux user %s is defined") % name) - if not exists: - raise ValueError(_("SELinux user %s is not defined") % name) -+ (rc,exists) = semanage_user_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not check if SELinux user %s is defined") % name) -+ if not exists: -+ raise ValueError(_("SELinux user %s is not defined") % name) - +- - (rc,u) = semanage_user_query(self.sh, k) - if rc < 0: - raise ValueError(_("Could not query user for %s") % name) -+ (rc,u) = semanage_user_query(self.sh, k) ++ (rc,k) = semanage_user_key_create(self.sh, name) + if rc < 0: -+ raise ValueError(_("Could not query user for %s") % name) ++ raise ValueError(_("Could not create a key for %s") % name) - oldserange = semanage_user_get_mlsrange(u) - (rc, rlist) = semanage_user_get_roles(self.sh, u) - if rc >= 0: - oldroles = string.join(rlist, ' '); - newroles = newroles + ' ' + oldroles; +- +- +- if serange != "": +- semanage_user_set_mlsrange(self.sh, u, untranslate(serange)) +- if selevel != "": +- semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) +- +- if prefix != "": +- semanage_user_set_prefix(self.sh, u, prefix) +- +- if len(roles) != 0: +- for r in rlist: +- if r not in roles: +- semanage_user_del_role(u, r) +- for r in roles: +- if r not in rlist: +- semanage_user_add_role(self.sh, u, r) ++ (rc,exists) = semanage_user_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if SELinux user %s is defined") % name) ++ if not exists: ++ raise ValueError(_("SELinux user %s is not defined") % 
name) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) ++ (rc,u) = semanage_user_query(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not query user for %s") % name) + +- rc = semanage_user_modify_local(self.sh, k, u) +- if rc < 0: +- raise ValueError(_("Could not modify SELinux user %s") % name) + oldserange = semanage_user_get_mlsrange(u) + (rc, rlist) = semanage_user_get_roles(self.sh, u) + if rc >= 0: 
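Review bot: In the new `__modify` body a failure of `semanage_user_get_roles` is not raised: `rlist` is bound even when `rc < 0`, `oldroles` is bound only inside `if rc >= 0:`, and nothing turns the error into the `ValueError` every other libsemanage call in this method gets, so a later use of `oldroles` or `rlist` would fail with a NameError or TypeError instead of a clear message — unless an `else` branch in the lines between this hunk and the next handles it. Adding `if rc < 0: raise ValueError(_("Could not get roles for %s") % name)` right after the `semanage_user_get_roles` call would match the `semanage_user_query` check just above it. As in the seuser hunk, `k` and `u` are never freed on the raising paths here. The `if rc >= 0:` block continues outside the hunk.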
@@ -893,62 +981,38 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po + if r not in rlist: + semanage_user_add_role(self.sh, u, r) +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not modify SELinux user %s") % name) + rc = semanage_user_modify_local(self.sh, k, u) + if rc < 0: + raise ValueError(_("Could not modify SELinux user %s") % name) -- if serange != "": -- semanage_user_set_mlsrange(self.sh, u, untranslate(serange)) -- if selevel != "": -- semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) -- -- if prefix != "": -- semanage_user_set_prefix(self.sh, u, prefix) -- -- if len(roles) != 0: -- for r in rlist: -- if r not in roles: -- semanage_user_del_role(u, r) -- for r in roles: -- if r not in rlist: -- semanage_user_add_role(self.sh, u, r) +- except ValueError, error: +- mylog.log(0,"modify SELinux user record", name, "", newroles, serange, "", oldroles, oldserange) +- raise error + semanage_user_key_free(k) + semanage_user_free(u) -+ -+ mylog.log(1,"modify SELinux user record", name, "", newroles, serange, "", oldroles, oldserange) + + mylog.log(1,"modify SELinux user record", name, "", newroles, serange, "", oldroles, oldserange) -- rc = semanage_begin_transaction(self.sh) -- if rc < 0: -- raise ValueError(_("Could not start semanage transaction")) - -- rc = semanage_user_modify_local(self.sh, k, u) -- if rc < 0: -- raise ValueError(_("Could not modify SELinux user %s") % name) -- -- rc = semanage_commit(self.sh) -- if rc < 0: -- raise ValueError(_("Could not modify SELinux user %s") % name) -+ def modify(self, name, roles = [], selevel = "", serange = "", prefix = ""): -+ try: -+ self.begin() -+ self.__modify(name, roles, selevel, serange, prefix) -+ self.commit() - - except ValueError, error: -- mylog.log(0,"modify SELinux user record", name, "", newroles, serange, "", oldroles, oldserange) -+ mylog.log(0,"modify SELinux user record", name, "", " ".join(roles), serange, "", "", "") - 
raise error -- -- mylog.log(1,"modify SELinux user record", name, "", newroles, serange, "", oldroles, oldserange) -- - semanage_user_key_free(k) - semanage_user_free(u) - def delete(self, name): -- try: ++ def modify(self, name, roles = [], selevel = "", serange = "", prefix = ""): + try: - (rc,k) = semanage_user_key_create(self.sh, name) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) ++ self.begin() ++ self.__modify(name, roles, selevel, serange, prefix) ++ self.commit() ++ ++ except ValueError, error: ++ mylog.log(0,"modify SELinux user record", name, "", " ".join(roles), serange, "", "", "") ++ raise error ++ + def __delete(self, name): + (rc,k) = semanage_user_key_create(self.sh, name) + if rc < 0:
diff --git a/policycoreutils.spec b/policycoreutils.spec
index d6e6a2b..ad1de41 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -6,7 +6,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.54
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -192,7 +192,7 @@ if [ "$1" -ge "1" ]; then
fi
%changelog
-* Thu Aug 7 2008 Dan Walsh 2.0.54-4
+* Thu Aug 7 2008 Dan Walsh 2.0.54-5 - Fixes for multiple transactions * Wed Aug 6 2008 Dan Walsh 2.0.54-2
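Review bot: The new `modify` wrapper re-raises from its `except ValueError` without undoing the transaction that `self.begin()` opened, so on failure `self.transaction` stays set (the `begin()` in the first hunk returns early when it is set) and a later `begin()`/`commit()` on the same object could push the partially-updated user record; what `commit()` does with that state is outside this hunk, so treat this as a point to confirm. Resetting the transaction state on the error path before the re-raise, or having `commit()` refuse after a failed step, would close it. `raise error` in Python 2 replaces the original traceback with this frame's; a bare `raise` keeps it. `roles = []` is a mutable default; nothing here mutates it, but `roles=None` with `if roles is None: roles = []` is the safer idiom. The failure-path audit record now passes `""` for the old roles and range that the success-path `mylog.log(1, ...)` still reports, which deserves a comment if that is intentional.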