rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Thu Dec 8 2005 Dan Walsh <dwalsh@redhat.com> 1.29.1-2

Browse Source 
- More fixes to chcat
This commit is contained in:
Daniel J Walsh 2005-12-09 23:23:03 +00:00
parent 2905d6f85a
commit 5375535149
2 changed files with 227 additions and 300 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

488
policycoreutils-rhat.patch
View File

@ -1,308 +1,232 @@
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.28/audit2allow/audit2allow diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.1/scripts/chcat
--- nsapolicycoreutils/audit2allow/audit2allow 2005-12-01 10:11:27.000000000 -0500 --- nsapolicycoreutils/scripts/chcat 2005-12-08 12:52:47.000000000 -0500
+++ policycoreutils-1.28/audit2allow/audit2allow 2005-12-07 15:30:48.000000000 -0500 +++ policycoreutils-1.29.1/scripts/chcat 2005-12-09 18:20:29.000000000 -0500
@@ -355,7 +355,7 @@ @@ -25,26 +25,20 @@
'lastreload', import commands, sys, os, pwd, string, getopt, re, selinux
'module=',
'output=',
- 'requires'
+ 'requires',
'tefile',
'verbose'
])
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.8 policycoreutils-1.28/restorecon/restorecon.8
--- nsapolicycoreutils/restorecon/restorecon.8 2005-02-02 13:31:48.000000000 -0500
+++ policycoreutils-1.28/restorecon/restorecon.8 2005-12-07 15:32:14.000000000 -0500
@@ -29,7 +29,7 @@
.B \-e directory
directory to exclude (repeat option for more than one directory.)
.TP
-.B \-R
+.B \-R \-r
change files and directories file labels recursively
.TP
.B \-n
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.28/restorecon/restorecon.c
--- nsapolicycoreutils/restorecon/restorecon.c 2005-09-20 14:13:05.000000000 -0400
+++ policycoreutils-1.28/restorecon/restorecon.c 2005-12-07 15:31:40.000000000 -0500
@@ -112,7 +112,7 @@
void usage(const char * const name)
{
fprintf(stderr,
- "usage: %s [-Rnv] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n", name);
+ "usage: %s [-rRnv] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n", name);
exit(1);
}
int restore(char *filename) {
@@ -271,11 +271,12 @@
memset(buf,0, sizeof(buf)); def chcat_add(orig, newcat, files):
+ if len(newcat) == 1:
- while ((opt = getopt(argc, argv, "FRnvf:o:e:")) > 0) { + raise ValueError("Requires at least one category")
+ while ((opt = getopt(argc, argv, "FrRnvf:o:e:")) > 0) { errors=0
switch (opt) { - cmd='chcon -l '
case 'n': - if len(newcat) > 1:
change = 0; - sensitivity=newcat[0]
break; - cat=newcat[1]
+ case 'r': - else:
case 'R': - sensitivity=0
recurse = 1; - cat=newcat[0]
break; -
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.28/scripts/chcat -
--- nsapolicycoreutils/scripts/chcat 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.28/scripts/chcat 2005-12-08 11:31:57.000000000 -0500
@@ -0,0 +1,191 @@
+#! /usr/bin/env python
+# Copyright (C) 2005 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# chcat is a script that allows you modify the Security label on a file
+#
+#` Author: Daniel Walsh <dwalsh@redhat.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+# 02111-1307 USA
+#
+#
+import commands, sys, os, pwd, string, getopt, re, selinux
+
+def chcat_add(orig, newcat, files):
+ errors=0
+ cmd='chcon -l '
+ if len(newcat) > 1:
+ sensitivity=newcat[0] + sensitivity=newcat[0]
+ cat=newcat[1] + cat=newcat[1]
+ else: + cmd='chcon -l %s' % sensitivity
+ sensitivity=0 for f in files:
+ cat=newcat[0] - (rc, con) = selinux.getfilecon(f)
- (rc, raw) = selinux.selinux_trans_to_raw_context(con)
- clist=raw.split(":")[3:]
- if sensitivity == 0:
- sensitivity = clist[0]
- if len(clist) > 1:
- if clist[0] != sensitivity:
+ (rc, c) = selinux.getfilecon(f)
+ con=c.split(":")[3:]
+ clist = translate(con)
+ if sensitivity != clist[0]:
print("Can not modify sensitivity levels using '+' on %s" % f)
- continue
+ +
+
+ for f in files:
+ (rc, con) = selinux.getfilecon(f)
+ (rc, raw) = selinux.selinux_trans_to_raw_context(con)
+ clist=raw.split(":")[3:]
+ if sensitivity == 0:
+ sensitivity = clist[0]
+ if len(clist) > 1: + if len(clist) > 1:
+ if clist[0] != sensitivity: cats=clist[1].split(",")
+ print("Can not modify sensitivity levels using '+' on %s" % f) if cat in cats:
+ continue print "%s is already in %s" % (f, orig)
+ cats=clist[1].split(",") @@ -64,23 +58,21 @@
+ if cat in cats: return errors
+ print "%s is already in %s" % (f, orig)
+ continue def chcat_remove(orig, newcat, files):
+ cats.append(cat) + if len(newcat) == 1:
+ cats.sort() + raise ValueError("Requires at least one category")
+ cat_string=cats[0] errors=0
+ for c in cats[1:]: - if len(newcat) > 1:
+ cat_string="%s,%s" % (cat_string, c) - sensitivity=newcat[0]
+ else: - cat=newcat[1]
+ cat_string=cat - else:
+ cmd='chcon -l %s:%s %s' % (sensitivity, cat_string, f) - sensitivity=0
+ rc=commands.getstatusoutput(cmd) - cat=newcat[0]
+ if rc[0] != 0:
+ print rc[1]
+ errors+=1
+ return errors
+
+def chcat_remove(orig, newcat, files):
+ errors=0
+ if len(newcat) > 1:
+ sensitivity=newcat[0] + sensitivity=newcat[0]
+ cat=newcat[1] + cat=newcat[1]
+ else: +
+ sensitivity=0 for f in files:
+ cat=newcat[0] - (rc, con) = selinux.getfilecon(f)
+ for f in files: - (rc, raw) = selinux.selinux_trans_to_raw_context(con)
+ (rc, con) = selinux.getfilecon(f) - clist=raw.split(":")[3:]
+ (rc, raw) = selinux.selinux_trans_to_raw_context(con) - if sensitivity == 0:
+ clist=raw.split(":")[3:] - sensitivity = clist[0]
+ if sensitivity == 0: - if len(clist) > 1:
+ sensitivity = clist[0] - if clist[0] != sensitivity:
+ (rc, c) = selinux.getfilecon(f)
+ con=c.split(":")[3:]
+ clist = translate(con)
+ if sensitivity != clist[0]:
print("Can not modify sensitivity levels using '+' on %s" % f)
continue
+
+ if len(clist) > 1: + if len(clist) > 1:
+ if clist[0] != sensitivity: cats=clist[1].split(",")
+ print("Can not modify sensitivity levels using '+' on %s" % f) if cat not in cats:
+ continue print "%s is not in %s" % (f, orig)
+ cats=clist[1].split(",") @@ -108,51 +100,69 @@
+ if cat not in cats:
+ print "%s is not in %s" % (f, orig) def chcat_replace(orig, newcat, files):
+ continue errors=0
+ cats.remove(cat) - if len(newcat) > 1:
+ if len(cats) > 0: + if len(newcat) == 1:
+ cat=cats[0] + if newcat[0][0] == "s" and newcat[0][1:].isdigit() and int(newcat[0][1:]) in range(0,16):
+ for c in cats[1:]: + sensitivity=newcat[0]
+ cat="%s,%s" % (cat, c) + cmd='chcon -l %s ' % newcat[0]
+ else: + else:
+ cat="" + cmd='chcon -l s0:%s ' % newcat[0]
+ else: + else:
+ print "%s is not in %s" % (f, orig) sensitivity=newcat[0]
+ continue cat=newcat[1]
+ cmd='chcon -l %s:%s ' % (sensitivity, cat)
+ if len(cat) == 0: - for f in files:
+ cmd='chcon -l %s %s' % (sensitivity, f) - cmd = "%s %s" % (cmd, f)
+ else: -
+ cmd='chcon -l %s:%s %s' % (sensitivity, cat, f) - rc=commands.getstatusoutput(cmd)
+ rc=commands.getstatusoutput(cmd) - if rc[0] != 0:
+ if rc[0] != 0: - print rc[1]
+ print rc[1] - errors += 1
+ errors+=1 - else:
+ return errors - cat=newcat[0]
+ - for f in files:
+def chcat(context, files): - (rc, con) = selinux.getfilecon(f)
+ errors=0 - (rc, raw) = selinux.selinux_trans_to_raw_context(con)
+ for c in context: - clist=raw.split(":")[3:]
+ if len(c) > 0 and c[0] == "+": - sensitivity=clist[0]
+ (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c[1:]) - cmd='chcon -l %s:%s %s' % (sensitivity, cat, f)
+ rlist=raw.split(":") - rc=commands.getstatusoutput(cmd)
+ errors += chcat_add(c[1:], rlist[3:], files) - if rc[0] != 0:
+ continue - print rc[1]
+ if len(c) > 0 and c[0] == "-": - errors+=1
+ (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c[1:])
+ rlist=raw.split(":")
+ errors += chcat_remove(c[1:], rlist[3:], files)
+ continue
+
+ cmd='chcon -l "%s"' % c
+ for f in files: + for f in files:
+ cmd = "%s %s" % (cmd, f) + cmd = "%s %s" % (cmd, f)
+
+ rc=commands.getstatusoutput(cmd) + rc=commands.getstatusoutput(cmd)
+ if rc[0] != 0: + if rc[0] != 0:
+ print rc[1] + print rc[1]
+ errors += 1 + errors += 1
+ return errors
+ +
+def usage(): return errors
+ print "Usage %s CATEGORY File ..." % sys.argv[0]
+ print "Usage %s [[+|-]CATEGORY],...]q File ..." % sys.argv[0] -def chcat(cats, files):
+ print "Usage %s -d File ..." % sys.argv[0] - errors=0
+ print "Use -- to end option list. For example" +def check_replace(cats):
+ print "chcat -- -CompanyConfidential /docs/businessplan.odt." + plus_ind=0
+ sys.exit(1) + replace_ind=0
+ for c in cats:
+def error(msg): - if len(c) > 0 and c[0] == "+":
+ print "%s: %s" % (sys.argv[0], msg) - (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c[1:])
+ sys.exit(1) - rlist=raw.split(":")
+ - errors += chcat_add(c[1:], rlist[3:], files)
+if __name__ == '__main__': - continue
+ if selinux.is_selinux_mls_enabled() != 1: - if len(c) > 0 and c[0] == "-":
+ error("Requires a mls enabled system") - (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c[1:])
+ - rlist=raw.split(":")
+ if selinux.is_selinux_enabled() != 1: - errors += chcat_remove(c[1:], rlist[3:], files)
+ error("Requires an SELinux enabled system") - continue
+ + if len(c) > 0 and ( c[0] == "+" or c[0] == "-" ):
+ delete_ind=0 + if replace_ind:
+ try: + raise ValueError("Can not combine +/- with other types of categories")
+ gopts, cmds = getopt.getopt(sys.argv[1:], + plus_ind=1
+ 'dh',
+ ['help',
+ 'delete'])
+
+ for o,a in gopts:
+ if o == "-h" or o == "--help":
+ usage()
+ if o == "-d" or o == "--delete":
+ delete_ind=1
+
+ if len(cmds) < 1:
+ usage()
+ except:
+ usage()
+ if delete_ind:
+ sys.exit(chcat([""], cmds))
+
+ if len(cmds) < 2:
+ usage()
+
+ cats=cmds[0].split(",")
+ set_ind=0
+ mod_ind=0
+ for i in cats:
+ if i[0]=='+' or i[0]=="-":
+ mod_ind=1
+ if set_ind == 1:
+ error("You can not use '%s' with previous categories" % i)
+ else: + else:
+ if mod_ind == 1 or set_ind==1: + replace_ind=1
+ error("You can not use '%s' with previous categories" % i) + if plus_ind:
+ set_ind=1 + raise ValueError("Can not combine +/- with other types of categories")
+ return replace_ind
+def translate(cats):
+ newcat=[]
+ for c in cats:
(rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c)
- rlist=raw.split(":")
- errors += chcat_replace(c[1:], rlist[3:], files)
-
- return errors
+ rlist=raw.split(":")[3:]
+ if len(rlist) > 1:
+ if len(newcat) == 0:
+ newcat.append(rlist[0])
+ else:
+ if newcat[0] != rlist[0]:
+ raise ValueError("Can not have multiple sensitivities")
+ newcat.append(rlist[1])
+ else:
+ if rlist[0][0] == "s" and rlist[0][1:].isdigit() and int(rlist[0][1:]) in range(0,16):
+ +
+ files=cmds[1:] + if len(newcat) == 0:
+ sys.exit(chcat(cats, files)) + newcat.append(rlist[0])
+ else:
+ if newcat[0] != rlist[0]:
+ raise ValueError("Can not have multiple sensitivities")
+ else:
+ if len(newcat) == 0:
+ newcat.append("s0")
+ else:
+ if newcat[0] != "s0":
+ raise ValueError("Can not have multiple sensitivities")
+ newcat.append(rlist[0])
+ +
+ return newcat
def usage():
print "Usage %s CATEGORY File ..." % sys.argv[0]
@@ -190,26 +200,36 @@
usage()
except:
usage()
+ +
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat.8 policycoreutils-1.28/scripts/chcat.8 if delete_ind:
--- nsapolicycoreutils/scripts/chcat.8 1969-12-31 19:00:00.000000000 -0500 - sys.exit(chcat([""], cmds))
+++ policycoreutils-1.28/scripts/chcat.8 2005-12-07 15:30:48.000000000 -0500 + sys.exit(chcat_replace(["s0"], ["s0"], cmds))
@@ -0,0 +1,29 @@
+.TH CHCAT "8" "September 2005" "chcat" "User Commands"
+.SH NAME
+chcat \- change file security category
+.SH SYNOPSIS
+.B chcat
+\fICATEGORY FILE\fR...
+.br
+.B chcat
+\fI[[+|-]CATEGORY],...] FILE\fR...
+.br
+.B chcat
+[\fI-d\fR] \fIFILE\fR...
+.br
+.PP
+Change/Remove the security CATEGORY for each FILE.
+.PP
+Use +/- to add/remove categories from a FILE.
+.TP
+\fB\-d\fR
+delete the category from each file.
+.SH "SEE ALSO"
+.TP
+chcon(1), selinux(8)
+.PP
+.br
+This script wraps the chcon command.
+.SH "FILES"
+/etc/selinux/{SELINUXTYPE}/setrans.conf
+ +
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-1.28/scripts/Makefile
--- nsapolicycoreutils/scripts/Makefile 2005-01-28 15:24:12.000000000 -0500
+++ policycoreutils-1.28/scripts/Makefile 2005-12-07 15:30:48.000000000 -0500
@@ -1,20 +1,23 @@
# Installation directories.
PREFIX ?= ${DESTDIR}/usr
-BINDIR ?= $(PREFIX)/sbin
+BINDIR ?= $(PREFIX)/bin
+SBINDIR ?= $(PREFIX)/sbin
MANDIR ?= $(PREFIX)/share/man
LOCALEDIR ?= /usr/share/locale
-TARGETS=genhomedircon if len(cmds) < 2:
+TARGETS=genhomedircon usage()
all: $(TARGETS) fixfiles - cats=cmds[0].split(",")
set_ind=0
+ cats=cmds[0].split(",")
mod_ind=0
- for i in cats:
- if i[0]=='+' or i[0]=="-":
- mod_ind=1
- if set_ind == 1:
- error("You can not use '%s' with previous categories" % i)
- else:
- if mod_ind == 1 or set_ind==1:
- error("You can not use '%s' with previous categories" % i)
- set_ind=1
-
+ errors=0
files=cmds[1:]
- sys.exit(chcat(cats, files))
+ try:
+ if check_replace(cats):
+ errors=chcat_replace(cats,translate(cats), files)
+ else:
+ for c in cats:
+ l=[]
+ l.append(c[1:])
+ if len(c) > 0 and c[0] == "+":
+ errors += chcat_add(c[1:],translate(l), files)
+ continue
+ if len(c) > 0 and c[0] == "-":
+ errors += chcat_remove(c[1:],translate(l), files)
+ continue
+ except ValueError, e:
+ error(e)
+
+ sys.exit(errors)
+
install: all
-mkdir -p $(BINDIR)
- install -m 755 $(TARGETS) $(BINDIR)
+ install -m 755 $(TARGETS) $(SBINDIR)
+ install -m 755 chcat $(BINDIR)
install -m 755 fixfiles $(DESTDIR)/sbin
-mkdir -p $(MANDIR)/man8
install -m 644 fixfiles.8 $(MANDIR)/man8/
install -m 644 genhomedircon.8 $(MANDIR)/man8/
+ install -m 644 chcat.8 $(MANDIR)/man8/
clean:

9
policycoreutils.spec
View File

@ -4,11 +4,11 @@
Summary: SELinux policy core utilities. Summary: SELinux policy core utilities.
Name: policycoreutils Name: policycoreutils
Version: 1.29.1 Version: 1.29.1
Release: 1.1 Release: 2
License: GPL License: GPL
Group: System Environment/Base Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
#Patch: policycoreutils-rhat.patch Patch: policycoreutils-rhat.patch
BuildRequires: pam-devel libsepol-devel >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver} BuildRequires: pam-devel libsepol-devel >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver}
PreReq: /bin/mount /bin/egrep /bin/awk /usr/bin/diff PreReq: /bin/mount /bin/egrep /bin/awk /usr/bin/diff
@ -34,7 +34,7 @@ context.
%prep %prep
%setup -q %setup -q
#%patch -p1 -b .rhat %patch -p1 -b .rhat
%build %build
make LIBDIR="%{_libdir}" CFLAGS="%{optflags}" all make LIBDIR="%{_libdir}" CFLAGS="%{optflags}" all
@ -96,6 +96,9 @@ rm -rf ${RPM_BUILD_ROOT}
%config(noreplace) %{_sysconfdir}/sestatus.conf %config(noreplace) %{_sysconfdir}/sestatus.conf
%changelog %changelog
* Thu Dec 8 2005 Dan Walsh <dwalsh@redhat.com> 1.29.1-2
- More fixes to chcat
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com> * Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
- rebuilt - rebuilt