diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 9d3222c..a3b9e27 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch 
@@ -1,308 +1,232 @@ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.28/audit2allow/audit2allow ---- nsapolicycoreutils/audit2allow/audit2allow 2005-12-01 10:11:27.000000000 -0500 -+++ policycoreutils-1.28/audit2allow/audit2allow 2005-12-07 15:30:48.000000000 -0500 -@@ -355,7 +355,7 @@ - 'lastreload', - 'module=', - 'output=', -- 'requires' -+ 'requires', - 'tefile', - 'verbose' - ]) -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.8 policycoreutils-1.28/restorecon/restorecon.8 ---- nsapolicycoreutils/restorecon/restorecon.8 2005-02-02 13:31:48.000000000 -0500 -+++ policycoreutils-1.28/restorecon/restorecon.8 2005-12-07 15:32:14.000000000 -0500 -@@ -29,7 +29,7 @@ - .B \-e directory - directory to exclude (repeat option for more than one directory.) - .TP --.B \-R -+.B \-R \-r - change files and directories file labels recursively - .TP - .B \-n -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.28/restorecon/restorecon.c ---- nsapolicycoreutils/restorecon/restorecon.c 2005-09-20 14:13:05.000000000 -0400 -+++ policycoreutils-1.28/restorecon/restorecon.c 2005-12-07 15:31:40.000000000 -0500 -@@ -112,7 +112,7 @@ - void usage(const char * const name) - { - fprintf(stderr, -- "usage: %s [-Rnv] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n", name); -+ "usage: %s [-rRnv] [-e excludedir ] [-o filename ] [-f filename | pathname... 
]\n", name); - exit(1); - } - int restore(char *filename) { -@@ -271,11 +271,12 @@ +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.1/scripts/chcat +--- nsapolicycoreutils/scripts/chcat 2005-12-08 12:52:47.000000000 -0500 ++++ policycoreutils-1.29.1/scripts/chcat 2005-12-09 18:20:29.000000000 -0500 +@@ -25,26 +25,20 @@ + import commands, sys, os, pwd, string, getopt, re, selinux - memset(buf,0, sizeof(buf)); + def chcat_add(orig, newcat, files): ++ if len(newcat) == 1: ++ raise ValueError("Requires at least one category") + errors=0 +- cmd='chcon -l ' +- if len(newcat) > 1: +- sensitivity=newcat[0] +- cat=newcat[1] +- else: +- sensitivity=0 +- cat=newcat[0] +- +- ++ sensitivity=newcat[0] ++ cat=newcat[1] ++ cmd='chcon -l %s' % sensitivity + for f in files: +- (rc, con) = selinux.getfilecon(f) +- (rc, raw) = selinux.selinux_trans_to_raw_context(con) +- clist=raw.split(":")[3:] +- if sensitivity == 0: +- sensitivity = clist[0] +- if len(clist) > 1: +- if clist[0] != sensitivity: ++ (rc, c) = selinux.getfilecon(f) ++ con=c.split(":")[3:] ++ clist = translate(con) ++ if sensitivity != clist[0]: + print("Can not modify sensitivity levels using '+' on %s" % f) +- continue ++ ++ if len(clist) > 1: + cats=clist[1].split(",") + if cat in cats: + print "%s is already in %s" % (f, orig) +@@ -64,23 +58,21 @@ + return errors -- while ((opt = getopt(argc, argv, "FRnvf:o:e:")) > 0) { -+ while ((opt = getopt(argc, argv, "FrRnvf:o:e:")) > 0) { - switch (opt) { - case 'n': - change = 0; - break; -+ case 'r': - case 'R': - recurse = 1; - break; -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.28/scripts/chcat ---- nsapolicycoreutils/scripts/chcat 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-1.28/scripts/chcat 2005-12-08 11:31:57.000000000 -0500 -@@ -0,0 +1,191 @@ -+#! 
/usr/bin/env python -+# Copyright (C) 2005 Red Hat -+# see file 'COPYING' for use and warranty information -+# -+# chcat is a script that allows you modify the Security label on a file -+# -+#` Author: Daniel Walsh -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of the GNU General Public License as -+# published by the Free Software Foundation; either version 2 of -+# the License, or (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program; if not, write to the Free Software -+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA -+# 02111-1307 USA -+# -+# -+import commands, sys, os, pwd, string, getopt, re, selinux + def chcat_remove(orig, newcat, files): ++ if len(newcat) == 1: ++ raise ValueError("Requires at least one category") + errors=0 +- if len(newcat) > 1: +- sensitivity=newcat[0] +- cat=newcat[1] +- else: +- sensitivity=0 +- cat=newcat[0] ++ sensitivity=newcat[0] ++ cat=newcat[1] + -+def chcat_add(orig, newcat, files): -+ errors=0 -+ cmd='chcon -l ' -+ if len(newcat) > 1: -+ sensitivity=newcat[0] -+ cat=newcat[1] -+ else: -+ sensitivity=0 -+ cat=newcat[0] -+ -+ -+ for f in files: -+ (rc, con) = selinux.getfilecon(f) -+ (rc, raw) = selinux.selinux_trans_to_raw_context(con) -+ clist=raw.split(":")[3:] -+ if sensitivity == 0: -+ sensitivity = clist[0] -+ if len(clist) > 1: -+ if clist[0] != sensitivity: -+ print("Can not modify sensitivity levels using '+' on %s" % f) -+ continue -+ cats=clist[1].split(",") -+ if cat in cats: -+ print "%s is already in %s" % (f, orig) -+ continue -+ cats.append(cat) -+ cats.sort() -+ cat_string=cats[0] -+ for c in cats[1:]: -+ 
cat_string="%s,%s" % (cat_string, c) -+ else: -+ cat_string=cat -+ cmd='chcon -l %s:%s %s' % (sensitivity, cat_string, f) -+ rc=commands.getstatusoutput(cmd) -+ if rc[0] != 0: -+ print rc[1] -+ errors+=1 -+ return errors -+ -+def chcat_remove(orig, newcat, files): -+ errors=0 -+ if len(newcat) > 1: -+ sensitivity=newcat[0] -+ cat=newcat[1] -+ else: -+ sensitivity=0 -+ cat=newcat[0] -+ for f in files: -+ (rc, con) = selinux.getfilecon(f) -+ (rc, raw) = selinux.selinux_trans_to_raw_context(con) -+ clist=raw.split(":")[3:] -+ if sensitivity == 0: -+ sensitivity = clist[0] -+ if len(clist) > 1: -+ if clist[0] != sensitivity: -+ print("Can not modify sensitivity levels using '+' on %s" % f) -+ continue -+ cats=clist[1].split(",") -+ if cat not in cats: -+ print "%s is not in %s" % (f, orig) -+ continue -+ cats.remove(cat) -+ if len(cats) > 0: -+ cat=cats[0] -+ for c in cats[1:]: -+ cat="%s,%s" % (cat, c) -+ else: -+ cat="" -+ else: -+ print "%s is not in %s" % (f, orig) -+ continue -+ -+ if len(cat) == 0: -+ cmd='chcon -l %s %s' % (sensitivity, f) -+ else: -+ cmd='chcon -l %s:%s %s' % (sensitivity, cat, f) -+ rc=commands.getstatusoutput(cmd) -+ if rc[0] != 0: -+ print rc[1] -+ errors+=1 -+ return errors -+ -+def chcat(context, files): -+ errors=0 -+ for c in context: -+ if len(c) > 0 and c[0] == "+": -+ (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c[1:]) -+ rlist=raw.split(":") -+ errors += chcat_add(c[1:], rlist[3:], files) -+ continue -+ if len(c) > 0 and c[0] == "-": -+ (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c[1:]) -+ rlist=raw.split(":") -+ errors += chcat_remove(c[1:], rlist[3:], files) -+ continue -+ -+ cmd='chcon -l "%s"' % c -+ for f in files: -+ cmd = "%s %s" % (cmd, f) + for f in files: +- (rc, con) = selinux.getfilecon(f) +- (rc, raw) = selinux.selinux_trans_to_raw_context(con) +- clist=raw.split(":")[3:] +- if sensitivity == 0: +- sensitivity = clist[0] +- if len(clist) > 1: +- if clist[0] != sensitivity: ++ (rc, c) = 
selinux.getfilecon(f) ++ con=c.split(":")[3:] ++ clist = translate(con) ++ if sensitivity != clist[0]: + print("Can not modify sensitivity levels using '+' on %s" % f) + continue + -+ rc=commands.getstatusoutput(cmd) -+ if rc[0] != 0: -+ print rc[1] -+ errors += 1 -+ return errors -+ -+def usage(): -+ print "Usage %s CATEGORY File ..." % sys.argv[0] -+ print "Usage %s [[+|-]CATEGORY],...]q File ..." % sys.argv[0] -+ print "Usage %s -d File ..." % sys.argv[0] -+ print "Use -- to end option list. For example" -+ print "chcat -- -CompanyConfidential /docs/businessplan.odt." -+ sys.exit(1) -+ -+def error(msg): -+ print "%s: %s" % (sys.argv[0], msg) -+ sys.exit(1) -+ -+if __name__ == '__main__': -+ if selinux.is_selinux_mls_enabled() != 1: -+ error("Requires a mls enabled system") -+ -+ if selinux.is_selinux_enabled() != 1: -+ error("Requires an SELinux enabled system") -+ -+ delete_ind=0 -+ try: -+ gopts, cmds = getopt.getopt(sys.argv[1:], -+ 'dh', -+ ['help', -+ 'delete']) -+ -+ for o,a in gopts: -+ if o == "-h" or o == "--help": -+ usage() -+ if o == "-d" or o == "--delete": -+ delete_ind=1 -+ -+ if len(cmds) < 1: -+ usage() -+ except: -+ usage() -+ if delete_ind: -+ sys.exit(chcat([""], cmds)) -+ -+ if len(cmds) < 2: -+ usage() -+ -+ cats=cmds[0].split(",") -+ set_ind=0 -+ mod_ind=0 -+ for i in cats: -+ if i[0]=='+' or i[0]=="-": -+ mod_ind=1 -+ if set_ind == 1: -+ error("You can not use '%s' with previous categories" % i) ++ if len(clist) > 1: + cats=clist[1].split(",") + if cat not in cats: + print "%s is not in %s" % (f, orig) +@@ -108,51 +100,69 @@ + + def chcat_replace(orig, newcat, files): + errors=0 +- if len(newcat) > 1: ++ if len(newcat) == 1: ++ if newcat[0][0] == "s" and newcat[0][1:].isdigit() and int(newcat[0][1:]) in range(0,16): ++ sensitivity=newcat[0] ++ cmd='chcon -l %s ' % newcat[0] + else: -+ if mod_ind == 1 or set_ind==1: -+ error("You can not use '%s' with previous categories" % i) -+ set_ind=1 ++ cmd='chcon -l s0:%s ' % newcat[0] ++ else: + 
sensitivity=newcat[0] + cat=newcat[1] + cmd='chcon -l %s:%s ' % (sensitivity, cat) +- for f in files: +- cmd = "%s %s" % (cmd, f) +- +- rc=commands.getstatusoutput(cmd) +- if rc[0] != 0: +- print rc[1] +- errors += 1 +- else: +- cat=newcat[0] +- for f in files: +- (rc, con) = selinux.getfilecon(f) +- (rc, raw) = selinux.selinux_trans_to_raw_context(con) +- clist=raw.split(":")[3:] +- sensitivity=clist[0] +- cmd='chcon -l %s:%s %s' % (sensitivity, cat, f) +- rc=commands.getstatusoutput(cmd) +- if rc[0] != 0: +- print rc[1] +- errors+=1 + ++ for f in files: ++ cmd = "%s %s" % (cmd, f) ++ rc=commands.getstatusoutput(cmd) ++ if rc[0] != 0: ++ print rc[1] ++ errors += 1 + -+ files=cmds[1:] -+ sys.exit(chcat(cats, files)) + return errors + +-def chcat(cats, files): +- errors=0 ++def check_replace(cats): ++ plus_ind=0 ++ replace_ind=0 + for c in cats: +- if len(c) > 0 and c[0] == "+": +- (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c[1:]) +- rlist=raw.split(":") +- errors += chcat_add(c[1:], rlist[3:], files) +- continue +- if len(c) > 0 and c[0] == "-": +- (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c[1:]) +- rlist=raw.split(":") +- errors += chcat_remove(c[1:], rlist[3:], files) +- continue ++ if len(c) > 0 and ( c[0] == "+" or c[0] == "-" ): ++ if replace_ind: ++ raise ValueError("Can not combine +/- with other types of categories") ++ plus_ind=1 ++ else: ++ replace_ind=1 ++ if plus_ind: ++ raise ValueError("Can not combine +/- with other types of categories") ++ return replace_ind + ++def translate(cats): ++ newcat=[] ++ for c in cats: + (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c) +- rlist=raw.split(":") +- errors += chcat_replace(c[1:], rlist[3:], files) +- +- return errors ++ rlist=raw.split(":")[3:] ++ if len(rlist) > 1: ++ if len(newcat) == 0: ++ newcat.append(rlist[0]) ++ else: ++ if newcat[0] != rlist[0]: ++ raise ValueError("Can not have multiple sensitivities") ++ newcat.append(rlist[1]) ++ else: ++ if 
rlist[0][0] == "s" and rlist[0][1:].isdigit() and int(rlist[0][1:]) in range(0,16): ++ ++ if len(newcat) == 0: ++ newcat.append(rlist[0]) ++ else: ++ if newcat[0] != rlist[0]: ++ raise ValueError("Can not have multiple sensitivities") ++ else: ++ if len(newcat) == 0: ++ newcat.append("s0") ++ else: ++ if newcat[0] != "s0": ++ raise ValueError("Can not have multiple sensitivities") ++ newcat.append(rlist[0]) ++ ++ return newcat + + def usage(): + print "Usage %s CATEGORY File ..." % sys.argv[0] +@@ -190,26 +200,36 @@ + usage() + except: + usage() + + if delete_ind: +- sys.exit(chcat([""], cmds)) ++ sys.exit(chcat_replace(["s0"], ["s0"], cmds)) + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat.8 policycoreutils-1.28/scripts/chcat.8 ---- nsapolicycoreutils/scripts/chcat.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-1.28/scripts/chcat.8 2005-12-07 15:30:48.000000000 -0500 -@@ -0,0 +1,29 @@ -+.TH CHCAT "8" "September 2005" "chcat" "User Commands" -+.SH NAME -+chcat \- change file security category -+.SH SYNOPSIS -+.B chcat -+\fICATEGORY FILE\fR... -+.br -+.B chcat -+\fI[[+|-]CATEGORY],...] FILE\fR... -+.br -+.B chcat -+[\fI-d\fR] \fIFILE\fR... -+.br -+.PP -+Change/Remove the security CATEGORY for each FILE. -+.PP -+Use +/- to add/remove categories from a FILE. -+.TP -+\fB\-d\fR -+delete the category from each file. -+.SH "SEE ALSO" -+.TP -+chcon(1), selinux(8) -+.PP -+.br -+This script wraps the chcon command. -+.SH "FILES" -+/etc/selinux/{SELINUXTYPE}/setrans.conf -+ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-1.28/scripts/Makefile ---- nsapolicycoreutils/scripts/Makefile 2005-01-28 15:24:12.000000000 -0500 -+++ policycoreutils-1.28/scripts/Makefile 2005-12-07 15:30:48.000000000 -0500 -@@ -1,20 +1,23 @@ - # Installation directories. 
- PREFIX ?= ${DESTDIR}/usr --BINDIR ?= $(PREFIX)/sbin -+BINDIR ?= $(PREFIX)/bin -+SBINDIR ?= $(PREFIX)/sbin - MANDIR ?= $(PREFIX)/share/man - LOCALEDIR ?= /usr/share/locale --TARGETS=genhomedircon -+TARGETS=genhomedircon + if len(cmds) < 2: + usage() + +- cats=cmds[0].split(",") + set_ind=0 ++ cats=cmds[0].split(",") + mod_ind=0 +- for i in cats: +- if i[0]=='+' or i[0]=="-": +- mod_ind=1 +- if set_ind == 1: +- error("You can not use '%s' with previous categories" % i) +- else: +- if mod_ind == 1 or set_ind==1: +- error("You can not use '%s' with previous categories" % i) +- set_ind=1 +- ++ errors=0 + files=cmds[1:] +- sys.exit(chcat(cats, files)) ++ try: ++ if check_replace(cats): ++ errors=chcat_replace(cats,translate(cats), files) ++ else: ++ for c in cats: ++ l=[] ++ l.append(c[1:]) ++ if len(c) > 0 and c[0] == "+": ++ errors += chcat_add(c[1:],translate(l), files) ++ continue ++ if len(c) > 0 and c[0] == "-": ++ errors += chcat_remove(c[1:],translate(l), files) ++ continue ++ except ValueError, e: ++ error(e) ++ ++ sys.exit(errors) ++ - all: $(TARGETS) fixfiles - - install: all - -mkdir -p $(BINDIR) -- install -m 755 $(TARGETS) $(BINDIR) -+ install -m 755 $(TARGETS) $(SBINDIR) -+ install -m 755 chcat $(BINDIR) - install -m 755 fixfiles $(DESTDIR)/sbin - -mkdir -p $(MANDIR)/man8 - install -m 644 fixfiles.8 $(MANDIR)/man8/ - install -m 644 genhomedircon.8 $(MANDIR)/man8/ -+ install -m 644 chcat.8 $(MANDIR)/man8/ - - clean: diff --git a/policycoreutils.spec b/policycoreutils.spec index b8a2a58..74f8c88 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec 
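Review bot: The new `chcat_add` drops the `continue` after `print("Can not modify sensitivity levels using '+' on %s" % f)`, while `chcat_remove` keeps it. The indentation is flattened here, so this is a reading rather than a certainty, but a file whose current sensitivity differs from the requested one appears to fall through to the category update and the `chcon -l` call further down the loop (outside the inner hunk). That file would then be relabelled instead of skipped; restore the `continue` and add `errors+=1` beside it so the exit status reflects the refusal. The guard `if len(newcat) == 1:` in both functions still lets an empty list reach `newcat[0]`, so `if len(newcat) < 2:` is the safer test. Separately, the rewritten `chcat_replace` still joins file names unquoted into the string given to `commands.getstatusoutput`, which runs it through a shell, so names containing spaces or shell metacharacters are not passed to chcon as written; build an argument list and run chcon without a shell, or quote each name. The `rc` values from `selinux.getfilecon` and `selinux_trans_to_raw_context` are also never checked before the context is split.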
@@ -4,11 +4,11 @@ Summary: SELinux policy core utilities. Name: policycoreutils Version: 1.29.1 -Release: 1.1 +Release: 2 License: GPL Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz -#Patch: policycoreutils-rhat.patch +Patch: policycoreutils-rhat.patch BuildRequires: pam-devel libsepol-devel >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver} PreReq: /bin/mount /bin/egrep /bin/awk /usr/bin/diff @@ -34,7 +34,7 @@ context. %prep %setup -q -#%patch -p1 -b .rhat +%patch -p1 -b .rhat %build make LIBDIR="%{_libdir}" CFLAGS="%{optflags}" all @@ -96,6 +96,9 @@ rm -rf ${RPM_BUILD_ROOT} %config(noreplace) %{_sysconfdir}/sestatus.conf %changelog +* Thu Dec 8 2005 Dan Walsh 1.29.1-2 +- More fixes to chcat + * Fri Dec 09 2005 Jesse Keating - rebuilt