* Thu Dec 8 2005 Dan Walsh <dwalsh@redhat.com> 1.29.1-2

- More fixes to chcat
Daniel J Walsh 2005-12-09 23:23:03 +00:00
parent 2905d6f85a
commit 5375535149
2 changed files with 227 additions and 300 deletions


@ -1,308 +1,232 @@
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.28/audit2allow/audit2allow diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.1/scripts/chcat
--- nsapolicycoreutils/audit2allow/audit2allow 2005-12-01 10:11:27.000000000 -0500 --- nsapolicycoreutils/scripts/chcat 2005-12-08 12:52:47.000000000 -0500
+++ policycoreutils-1.28/audit2allow/audit2allow 2005-12-07 15:30:48.000000000 -0500 +++ policycoreutils-1.29.1/scripts/chcat 2005-12-09 18:20:29.000000000 -0500
@@ -355,7 +355,7 @@ @@ -25,26 +25,20 @@
'lastreload', import commands, sys, os, pwd, string, getopt, re, selinux
'module=',
'output=',
- 'requires'
+ 'requires',
'tefile',
'verbose'
])
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.8 policycoreutils-1.28/restorecon/restorecon.8
--- nsapolicycoreutils/restorecon/restorecon.8 2005-02-02 13:31:48.000000000 -0500
+++ policycoreutils-1.28/restorecon/restorecon.8 2005-12-07 15:32:14.000000000 -0500
@@ -29,7 +29,7 @@
.B \-e directory
directory to exclude (repeat option for more than one directory.)
.TP
-.B \-R
+.B \-R \-r
change files and directories file labels recursively
.TP
.B \-n
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.28/restorecon/restorecon.c
--- nsapolicycoreutils/restorecon/restorecon.c 2005-09-20 14:13:05.000000000 -0400
+++ policycoreutils-1.28/restorecon/restorecon.c 2005-12-07 15:31:40.000000000 -0500
@@ -112,7 +112,7 @@
void usage(const char * const name)
{
fprintf(stderr,
- "usage: %s [-Rnv] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n", name);
+ "usage: %s [-rRnv] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n", name);
exit(1);
}
int restore(char *filename) {
@@ -271,11 +271,12 @@
memset(buf,0, sizeof(buf)); def chcat_add(orig, newcat, files):
+ if len(newcat) == 1:
- while ((opt = getopt(argc, argv, "FRnvf:o:e:")) > 0) { + raise ValueError("Requires at least one category")
+ while ((opt = getopt(argc, argv, "FrRnvf:o:e:")) > 0) { errors=0
switch (opt) { - cmd='chcon -l '
case 'n': - if len(newcat) > 1:
change = 0; - sensitivity=newcat[0]
break; - cat=newcat[1]
+ case 'r': - else:
case 'R': - sensitivity=0
recurse = 1; - cat=newcat[0]
break; -
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.28/scripts/chcat -
--- nsapolicycoreutils/scripts/chcat 1969-12-31 19:00:00.000000000 -0500 + sensitivity=newcat[0]
+++ policycoreutils-1.28/scripts/chcat 2005-12-08 11:31:57.000000000 -0500 + cat=newcat[1]
@@ -0,0 +1,191 @@ + cmd='chcon -l %s' % sensitivity
+#! /usr/bin/env python for f in files:
+# Copyright (C) 2005 Red Hat - (rc, con) = selinux.getfilecon(f)
+# see file 'COPYING' for use and warranty information - (rc, raw) = selinux.selinux_trans_to_raw_context(con)
+# - clist=raw.split(":")[3:]
+# chcat is a script that allows you modify the Security label on a file - if sensitivity == 0:
+# - sensitivity = clist[0]
+#` Author: Daniel Walsh <dwalsh@redhat.com> - if len(clist) > 1:
+# - if clist[0] != sensitivity:
+# This program is free software; you can redistribute it and/or + (rc, c) = selinux.getfilecon(f)
+# modify it under the terms of the GNU General Public License as + con=c.split(":")[3:]
+# published by the Free Software Foundation; either version 2 of + clist = translate(con)
+# the License, or (at your option) any later version. + if sensitivity != clist[0]:
+# print("Can not modify sensitivity levels using '+' on %s" % f)
+# This program is distributed in the hope that it will be useful, - continue
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+# 02111-1307 USA
+#
+#
+import commands, sys, os, pwd, string, getopt, re, selinux
+ +
+def chcat_add(orig, newcat, files):
+ errors=0
+ cmd='chcon -l '
+ if len(newcat) > 1:
+ sensitivity=newcat[0]
+ cat=newcat[1]
+ else:
+ sensitivity=0
+ cat=newcat[0]
+
+
+ for f in files:
+ (rc, con) = selinux.getfilecon(f)
+ (rc, raw) = selinux.selinux_trans_to_raw_context(con)
+ clist=raw.split(":")[3:]
+ if sensitivity == 0:
+ sensitivity = clist[0]
+ if len(clist) > 1: + if len(clist) > 1:
+ if clist[0] != sensitivity: cats=clist[1].split(",")
+ print("Can not modify sensitivity levels using '+' on %s" % f) if cat in cats:
+ continue print "%s is already in %s" % (f, orig)
+ cats=clist[1].split(",") @@ -64,23 +58,21 @@
+ if cat in cats: return errors
+ print "%s is already in %s" % (f, orig)
+ continue def chcat_remove(orig, newcat, files):
+ cats.append(cat) + if len(newcat) == 1:
+ cats.sort() + raise ValueError("Requires at least one category")
+ cat_string=cats[0] errors=0
+ for c in cats[1:]: - if len(newcat) > 1:
+ cat_string="%s,%s" % (cat_string, c) - sensitivity=newcat[0]
- cat=newcat[1]
- else:
- sensitivity=0
- cat=newcat[0]
+ sensitivity=newcat[0]
+ cat=newcat[1]
+
for f in files:
- (rc, con) = selinux.getfilecon(f)
- (rc, raw) = selinux.selinux_trans_to_raw_context(con)
- clist=raw.split(":")[3:]
- if sensitivity == 0:
- sensitivity = clist[0]
- if len(clist) > 1:
- if clist[0] != sensitivity:
+ (rc, c) = selinux.getfilecon(f)
+ con=c.split(":")[3:]
+ clist = translate(con)
+ if sensitivity != clist[0]:
print("Can not modify sensitivity levels using '+' on %s" % f)
continue
+
+ if len(clist) > 1:
cats=clist[1].split(",")
if cat not in cats:
print "%s is not in %s" % (f, orig)
@@ -108,51 +100,69 @@
def chcat_replace(orig, newcat, files):
errors=0
- if len(newcat) > 1:
+ if len(newcat) == 1:
+ if newcat[0][0] == "s" and newcat[0][1:].isdigit() and int(newcat[0][1:]) in range(0,16):
+ sensitivity=newcat[0]
+ cmd='chcon -l %s ' % newcat[0]
+ else: + else:
+ cat_string=cat + cmd='chcon -l s0:%s ' % newcat[0]
+ cmd='chcon -l %s:%s %s' % (sensitivity, cat_string, f)
+ rc=commands.getstatusoutput(cmd)
+ if rc[0] != 0:
+ print rc[1]
+ errors+=1
+ return errors
+
+def chcat_remove(orig, newcat, files):
+ errors=0
+ if len(newcat) > 1:
+ sensitivity=newcat[0]
+ cat=newcat[1]
+ else: + else:
+ sensitivity=0 sensitivity=newcat[0]
+ cat=newcat[0] cat=newcat[1]
cmd='chcon -l %s:%s ' % (sensitivity, cat)
- for f in files:
- cmd = "%s %s" % (cmd, f)
-
- rc=commands.getstatusoutput(cmd)
- if rc[0] != 0:
- print rc[1]
- errors += 1
- else:
- cat=newcat[0]
- for f in files:
- (rc, con) = selinux.getfilecon(f)
- (rc, raw) = selinux.selinux_trans_to_raw_context(con)
- clist=raw.split(":")[3:]
- sensitivity=clist[0]
- cmd='chcon -l %s:%s %s' % (sensitivity, cat, f)
- rc=commands.getstatusoutput(cmd)
- if rc[0] != 0:
- print rc[1]
- errors+=1
+ for f in files: + for f in files:
+ (rc, con) = selinux.getfilecon(f) + cmd = "%s %s" % (cmd, f)
+ (rc, raw) = selinux.selinux_trans_to_raw_context(con) + rc=commands.getstatusoutput(cmd)
+ clist=raw.split(":")[3:] + if rc[0] != 0:
+ if sensitivity == 0: + print rc[1]
+ sensitivity = clist[0] + errors += 1
+ if len(clist) > 1: +
+ if clist[0] != sensitivity: return errors
+ print("Can not modify sensitivity levels using '+' on %s" % f)
+ continue -def chcat(cats, files):
+ cats=clist[1].split(",") - errors=0
+ if cat not in cats: +def check_replace(cats):
+ print "%s is not in %s" % (f, orig) + plus_ind=0
+ continue + replace_ind=0
+ cats.remove(cat) for c in cats:
+ if len(cats) > 0: - if len(c) > 0 and c[0] == "+":
+ cat=cats[0] - (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c[1:])
+ for c in cats[1:]: - rlist=raw.split(":")
+ cat="%s,%s" % (cat, c) - errors += chcat_add(c[1:], rlist[3:], files)
- continue
- if len(c) > 0 and c[0] == "-":
- (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c[1:])
- rlist=raw.split(":")
- errors += chcat_remove(c[1:], rlist[3:], files)
- continue
+ if len(c) > 0 and ( c[0] == "+" or c[0] == "-" ):
+ if replace_ind:
+ raise ValueError("Can not combine +/- with other types of categories")
+ plus_ind=1
+ else:
+ replace_ind=1
+ if plus_ind:
+ raise ValueError("Can not combine +/- with other types of categories")
+ return replace_ind
+def translate(cats):
+ newcat=[]
+ for c in cats:
(rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c)
- rlist=raw.split(":")
- errors += chcat_replace(c[1:], rlist[3:], files)
-
- return errors
+ rlist=raw.split(":")[3:]
+ if len(rlist) > 1:
+ if len(newcat) == 0:
+ newcat.append(rlist[0])
+ else: + else:
+ cat="" + if newcat[0] != rlist[0]:
+ raise ValueError("Can not have multiple sensitivities")
+ newcat.append(rlist[1])
+ else: + else:
+ print "%s is not in %s" % (f, orig) + if rlist[0][0] == "s" and rlist[0][1:].isdigit() and int(rlist[0][1:]) in range(0,16):
+ continue
+ +
+ if len(cat) == 0: + if len(newcat) == 0:
+ cmd='chcon -l %s %s' % (sensitivity, f) + newcat.append(rlist[0])
+ else: + else:
+ cmd='chcon -l %s:%s %s' % (sensitivity, cat, f) + if newcat[0] != rlist[0]:
+ rc=commands.getstatusoutput(cmd) + raise ValueError("Can not have multiple sensitivities")
+ if rc[0] != 0: + else:
+ print rc[1] + if len(newcat) == 0:
+ errors+=1 + newcat.append("s0")
+ return errors + else:
+ if newcat[0] != "s0":
+ raise ValueError("Can not have multiple sensitivities")
+ newcat.append(rlist[0])
+ +
+def chcat(context, files): + return newcat
+ errors=0
+ for c in context: def usage():
+ if len(c) > 0 and c[0] == "+": print "Usage %s CATEGORY File ..." % sys.argv[0]
+ (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c[1:]) @@ -190,26 +200,36 @@
+ rlist=raw.split(":") usage()
+ errors += chcat_add(c[1:], rlist[3:], files) except:
+ continue usage()
+ if len(c) > 0 and c[0] == "-":
+ (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c[1:])
+ rlist=raw.split(":")
+ errors += chcat_remove(c[1:], rlist[3:], files)
+ continue
+ +
+ cmd='chcon -l "%s"' % c if delete_ind:
+ for f in files: - sys.exit(chcat([""], cmds))
+ cmd = "%s %s" % (cmd, f) + sys.exit(chcat_replace(["s0"], ["s0"], cmds))
+
+ rc=commands.getstatusoutput(cmd)
+ if rc[0] != 0:
+ print rc[1]
+ errors += 1
+ return errors
+
+def usage():
+ print "Usage %s CATEGORY File ..." % sys.argv[0]
+ print "Usage %s [[+|-]CATEGORY],...]q File ..." % sys.argv[0]
+ print "Usage %s -d File ..." % sys.argv[0]
+ print "Use -- to end option list. For example"
+ print "chcat -- -CompanyConfidential /docs/businessplan.odt."
+ sys.exit(1)
+
+def error(msg):
+ print "%s: %s" % (sys.argv[0], msg)
+ sys.exit(1)
+
+if __name__ == '__main__':
+ if selinux.is_selinux_mls_enabled() != 1:
+ error("Requires a mls enabled system")
+
+ if selinux.is_selinux_enabled() != 1:
+ error("Requires an SELinux enabled system")
+
+ delete_ind=0
+ try:
+ gopts, cmds = getopt.getopt(sys.argv[1:],
+ 'dh',
+ ['help',
+ 'delete'])
+
+ for o,a in gopts:
+ if o == "-h" or o == "--help":
+ usage()
+ if o == "-d" or o == "--delete":
+ delete_ind=1
+
+ if len(cmds) < 1:
+ usage()
+ except:
+ usage()
+ if delete_ind:
+ sys.exit(chcat([""], cmds))
+
+ if len(cmds) < 2:
+ usage()
+ +
if len(cmds) < 2:
usage()
- cats=cmds[0].split(",")
set_ind=0
+ cats=cmds[0].split(",") + cats=cmds[0].split(",")
+ set_ind=0 mod_ind=0
+ mod_ind=0 - for i in cats:
+ for i in cats: - if i[0]=='+' or i[0]=="-":
+ if i[0]=='+' or i[0]=="-": - mod_ind=1
+ mod_ind=1 - if set_ind == 1:
+ if set_ind == 1: - error("You can not use '%s' with previous categories" % i)
+ error("You can not use '%s' with previous categories" % i) - else:
- if mod_ind == 1 or set_ind==1:
- error("You can not use '%s' with previous categories" % i)
- set_ind=1
-
+ errors=0
files=cmds[1:]
- sys.exit(chcat(cats, files))
+ try:
+ if check_replace(cats):
+ errors=chcat_replace(cats,translate(cats), files)
+ else: + else:
+ if mod_ind == 1 or set_ind==1: + for c in cats:
+ error("You can not use '%s' with previous categories" % i) + l=[]
+ set_ind=1 + l.append(c[1:])
+ if len(c) > 0 and c[0] == "+":
+ errors += chcat_add(c[1:],translate(l), files)
+ continue
+ if len(c) > 0 and c[0] == "-":
+ errors += chcat_remove(c[1:],translate(l), files)
+ continue
+ except ValueError, e:
+ error(e)
+ +
+ files=cmds[1:] + sys.exit(errors)
+ sys.exit(chcat(cats, files))
+ +
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat.8 policycoreutils-1.28/scripts/chcat.8
--- nsapolicycoreutils/scripts/chcat.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.28/scripts/chcat.8 2005-12-07 15:30:48.000000000 -0500
@@ -0,0 +1,29 @@
+.TH CHCAT "8" "September 2005" "chcat" "User Commands"
+.SH NAME
+chcat \- change file security category
+.SH SYNOPSIS
+.B chcat
+\fICATEGORY FILE\fR...
+.br
+.B chcat
+\fI[[+|-]CATEGORY],...] FILE\fR...
+.br
+.B chcat
+[\fI-d\fR] \fIFILE\fR...
+.br
+.PP
+Change/Remove the security CATEGORY for each FILE.
+.PP
+Use +/- to add/remove categories from a FILE.
+.TP
+\fB\-d\fR
+delete the category from each file.
+.SH "SEE ALSO"
+.TP
+chcon(1), selinux(8)
+.PP
+.br
+This script wraps the chcon command.
+.SH "FILES"
+/etc/selinux/{SELINUXTYPE}/setrans.conf
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-1.28/scripts/Makefile
--- nsapolicycoreutils/scripts/Makefile 2005-01-28 15:24:12.000000000 -0500
+++ policycoreutils-1.28/scripts/Makefile 2005-12-07 15:30:48.000000000 -0500
@@ -1,20 +1,23 @@
# Installation directories.
PREFIX ?= ${DESTDIR}/usr
-BINDIR ?= $(PREFIX)/sbin
+BINDIR ?= $(PREFIX)/bin
+SBINDIR ?= $(PREFIX)/sbin
MANDIR ?= $(PREFIX)/share/man
LOCALEDIR ?= /usr/share/locale
-TARGETS=genhomedircon
+TARGETS=genhomedircon
all: $(TARGETS) fixfiles
install: all
-mkdir -p $(BINDIR)
- install -m 755 $(TARGETS) $(BINDIR)
+ install -m 755 $(TARGETS) $(SBINDIR)
+ install -m 755 chcat $(BINDIR)
install -m 755 fixfiles $(DESTDIR)/sbin
-mkdir -p $(MANDIR)/man8
install -m 644 fixfiles.8 $(MANDIR)/man8/
install -m 644 genhomedircon.8 $(MANDIR)/man8/
+ install -m 644 chcat.8 $(MANDIR)/man8/
clean:
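Review bot: As far as the two-column rendering can be read, the rewritten chcat_replace still splices file names and the category string unquoted into a shell command line: `cmd = "%s %s" % (cmd, f)` followed by `rc=commands.getstatusoutput(cmd)`. A file name containing spaces or shell metacharacters is therefore interpreted by the shell instead of reaching chcon as a single argument, which matters for a tool that relabels files and is likely to be run with elevated rights. I would pass an argument vector with no shell involved, for example `rc = os.spawnvp(os.P_WAIT, "chcon", ["chcon", "-l", level, "--"] + files)`, and count a non-zero `rc` as an error. chcat_add and chcat_remove appear to build their commands the same way, but their bodies continue outside the visible hunks. The `rc` returned by `selinux.getfilecon(f)` is also never checked before `c.split(":")`.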


@ -4,11 +4,11 @@
Summary: SELinux policy core utilities. Summary: SELinux policy core utilities.
Name: policycoreutils Name: policycoreutils
Version: 1.29.1 Version: 1.29.1
Release: 1.1 Release: 2
License: GPL License: GPL
Group: System Environment/Base Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
#Patch: policycoreutils-rhat.patch Patch: policycoreutils-rhat.patch
BuildRequires: pam-devel libsepol-devel >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver} BuildRequires: pam-devel libsepol-devel >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver}
PreReq: /bin/mount /bin/egrep /bin/awk /usr/bin/diff PreReq: /bin/mount /bin/egrep /bin/awk /usr/bin/diff
@ -34,7 +34,7 @@ context.
%prep %prep
%setup -q %setup -q
#%patch -p1 -b .rhat %patch -p1 -b .rhat
%build %build
make LIBDIR="%{_libdir}" CFLAGS="%{optflags}" all make LIBDIR="%{_libdir}" CFLAGS="%{optflags}" all
@ -96,6 +96,9 @@ rm -rf ${RPM_BUILD_ROOT}
%config(noreplace) %{_sysconfdir}/sestatus.conf %config(noreplace) %{_sysconfdir}/sestatus.conf
%changelog %changelog
* Thu Dec 8 2005 Dan Walsh <dwalsh@redhat.com> 1.29.1-2
- More fixes to chcat
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com> * Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
- rebuilt - rebuilt
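Review bot: The added %changelog entry is dated `Thu Dec 8 2005` but sits above the existing `Fri Dec 09 2005` rebuild entry, so the changelog is no longer in descending date order. rpmbuild checks that order and may reject the spec. Dating the new entry to match the commit date shown on the page, `* Fri Dec 9 2005 Dan Walsh <dwalsh@redhat.com> 1.29.1-2`, would keep the list valid.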